feat(auto scaling): implement NiFi auto-scaling with graceful node decommissioning

[soenkeliebau]

Summary

Adds HPA-driven auto-scaling for NiFi clusters with graceful node decommissioning via the
NiFi REST API. Scaling is configured per role group through the new ReplicasConfig enum,
and the operator manages StackableScaler and HPA resources as implementation details.

• NifiScalingHooks -- implements the ScalingHooks trait with version-aware
  decommissioning sequences:
  • NiFi 1.x: CONNECTED -> OFFLOADING -> OFFLOADED -> DISCONNECTING -> DISCONNECTED -> DELETE
  • NiFi 2.x: CONNECTED -> DISCONNECTING -> DISCONNECTED -> OFFLOADING -> OFFLOADED -> DELETE
  • Scale-up is a no-op (NiFi nodes self-register on startup)
• NifiApiClient -- authenticated REST API client for NiFi cluster management:
  • SingleUser credential resolution from Kubernetes Secrets
  • Bearer token authentication
  • Endpoints: /controller/cluster (list nodes), /controller/cluster/nodes/{id}
    (set status, delete node)
• ReplicasConfig-based reconcile -- replaces the old integer-based replicas field:
  • Fixed(n): static replica count, no scaler/HPA created
  • Hpa(config): creates StackableScaler + HPA, runs state machine on each reconcile
  • ExternallyScaled: creates StackableScaler without HPA for user-managed scaling
  • Auto: returns explicit "not yet implemented" error
• Replicas preservation -- reads existing StackableScaler's spec.replicas before
  rebuilding to prevent overwriting HPA-managed values with initial defaults
• Watch registration -- .owns() for both StackableScaler and
  HorizontalPodAutoscaler so changes trigger NiFi cluster reconciliation
• RBAC -- full CRUD on stackablescalers and stackablescalers/status in
  autoscaling.stackable.tech, plus full CRUD on horizontalpodautoscalers in autoscaling
• Documentation -- comprehensive auto-scaling guide covering configuration, status
  inspection, scale-down behavior, failure recovery, and current limitations

fixes stackabletech/issues#667

User-facing configuration

apiVersion: nifi.stackable.tech/v1alpha1
kind: NifiCluster
spec:
  nodes:
    roleGroups:
      default:
        replicas:
          hpa:
            maxReplicas: 10
            minReplicas: 3
            metrics:
              - type: Resource
                resource:
                  name: cpu
                  target:
                    type: Utilization
                    averageUtilization: 80

The operator creates the StackableScaler and HPA automatically. Users never interact with
these resources directly.

Authentication

Only SingleUser authentication is currently supported for the NiFi REST API calls during
scaling. LDAP and OIDC configurations return an explicit UnsupportedScalerAuthentication
error. This limitation is documented and will be addressed in a follow-up.

Dependencies

• operator-rs: StackableScaler CRD, ReplicasConfig, ScalingHooks trait,
  reconcile_scaler(), builder helpers
  (see feat(auto scaling): add StackableScaler CRD, state machine, ReplicasConfig, and scaling hooks operator-rs#1181)
• commons-operator: CRD installation and admission webhook
  (see feat (auto scale) : add StackableScaler CRD rollout and admission webhook commons-operator#411 -- needed for testing,
  as it installs the StackableScaler CRD and admission webhook)
• Uses local path patch to ../operator-rs/crates/stackable-operator (development dependency)
• New runtime dependency: reqwest 0.12 (rustls-tls, json) for NiFi REST API calls

Test plan

• cargo test --all-features passes -- unit tests cover pod FQDN construction, API URL
  generation, and NiFi version detection
• cargo clippy --all-targets --all-features -- -D warnings clean
• Manual integration test: deploy NiFi cluster with replicas: { hpa: ... } config,
  verify StackableScaler and HPA are created
• Scale-up: HPA increases replicas -> new pods start -> state machine completes
  (PreScaling no-op -> Scaling -> PostScaling no-op -> Idle)
• Scale-down: HPA decreases replicas -> pre_scale hook offloads/disconnects/deletes nodes
  via REST API -> StatefulSet scaled down -> state machine completes
• NiFi 1.x vs 2.x: verify correct decommission sequence for each version
• Mid-scaling HPA update blocked by admission webhook
• Failed state recovery via retry annotation
• Fixed(n) config: no scaler/HPA created, behaves as before
• Reporting task service selector works with ReplicasConfig-based role groups

Author

• Changes are OpenShift compatible
• CRD changes approved
• CRD documentation for all fields, following the style guide.
• Helm chart can be installed and deployed operator works
• Integration tests passed (for non trivial changes)
• Changes need to be "offline" compatible
• Links to generated (nightly) docs added
• Release note snippet added

Reviewer

• Code contains useful comments
• Code contains useful logging statements
• (Integration-)Test cases added
• Documentation added or updated. Follows the style guide.
• Changelog updated
• Cargo.toml only contains references to git tags (not specific commits or branches)

Acceptance

• Feature Tracker has been updated
• Proper release label has been added
• Links to generated (nightly) docs added
• Release note snippet added
• Add type/deprecation label & add to the deprecation schedule
• Add type/experimental label & add to the experimental features tracker