chore(nifi): Bump to 2.6.0

.github/ISSUE_TEMPLATE/update-base-java.md

@@ -42,6 +42,7 @@ we should also make new versions of Java available for use.
 ## Update tasks
 
 - [ ] Add any new versions of java to both `java-base/boil-config.toml` and `java-devel/boil-config.toml`
+- [ ] Check for and upload new Maven versions (updated directly in the `java-devel/Dockerfile`)
 - [ ] Remove versions when there are no long any references (eg: `grep java- **/boil-config.toml | grep "1.8.0"`)
 
 ## Related Pull Requests

.github/ISSUE_TEMPLATE/update-product-nifi.md

@@ -27,13 +27,17 @@ Add/Change/Remove anything that isn't applicable anymore
 
 ## Update tasks
 
+- [ ] Release a new version of [nifi-iceberg-bundle] for any new NiFi versions added (also add version with Patchable).
+- [ ] Release a new version of [nifi-opa-authorizer-plugin] for any new NiFi versions added (also add version with Patchable).
 - [ ] Update `boil-config.toml` to reflect the agreed upon versions in the spreadsheet (including the removal of old versions).
-- [ ] Upload new version (see `nifi/upload_new_nifi_version.sh`).
 - [ ] Update `boil-config.toml` to the latest supported version of JVM (base and devel).
 - [ ] Update other dependencies if applicable (eg: jmx_exporter, kcat, scala, etc).
 - [ ] Check other operators (getting_started / kuttl / supported-versions) for usage of the versions. Add the PR(s) to the list below.
 - [ ] Update the version in demos. Add the PR(s) to the list below.
 
+[nifi-iceberg-bundle]: https://github.com/stackabletech/nifi-iceberg-bundle
+[nifi-opa-authorizer-plugin]: https://github.com/DavidGitter/nifi-opa-plugin
+
 ## Related Pull Requests
 
 > [!TIP]

.scripts/upload_new_jmx_exporter_version.sh

@@ -39,7 +39,8 @@ curl --fail -LO --progress-bar "https://github.com/prometheus/jmx_exporter/relea
 curl --fail -LO --progress-bar "https://github.com/prometheus/jmx_exporter/releases/download/$VERSION/$SUM_FILE"
 
 # Check that sha256 sum matches before uploading
-sha256sum --check --status "$SUM_FILE" && echo "SHA256 Sum matches"
+sha256sum --strict --check --status "$SUM_FILE"
+echo "SHA256 Sum matches"
 
 echo "Uploading to Nexus"
 curl --fail -o /dev/null --progress-bar -u "$NEXUS_USER:$NEXUS_PASSWORD" --upload-file "$JAR_FILE" 'https://repo.stackable.tech/repository/packages/jmx-exporter/'

.scripts/upload_new_maven_version.sh

@@ -0,0 +1,74 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+VERSION=${1:?"Missing version number argument (arg 1)"}
+MAJOR=$(echo "$VERSION" | grep -oE '^[0-9]+')
+NEXUS_USER=${2:?"Missing Nexus username argument (arg 2)"}
+
+read -r -s -p "Nexus Password: " NEXUS_PASSWORD
+echo
+
+# https://stackoverflow.com/questions/4632028/how-to-create-a-temporary-directory
+# Find the directory name of the script
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+# the temp directory used, within $DIR
+WORK_DIR=$(mktemp -d -p "$DIR")
+
+# check if tmp dir was created
+if [[ ! "$WORK_DIR" || ! -d "$WORK_DIR" ]]; then
+  echo "Could not create temp dir"
+  exit 1
+fi
+
+# deletes the temp directory
+function cleanup {
+  rm -rf "$WORK_DIR"
+}
+
+# register the cleanup function to be called on the EXIT signal
+trap cleanup EXIT
+
+cd "$WORK_DIR" || exit
+
+# Example download URLs found at https://maven.apache.org/download.cgi
+# https://dlcdn.apache.org/maven/maven-3/3.9.11/binaries/apache-maven-3.9.11-bin.tar.gz
+# https://downloads.apache.org/maven/maven-3/3.9.11/binaries/apache-maven-3.9.11-bin.tar.gz.sha512
+# https://downloads.apache.org/maven/maven-3/3.9.11/binaries/apache-maven-3.9.11-bin.tar.gz.asc
+# https://downloads.apache.org/maven/KEYS
+# Preferring downloads.apache.org over dlcdn.apache.org (for no real reason, but wanted consistency)
+
+BASE_URL="https://downloads.apache.org/maven/maven-$MAJOR/$VERSION/binaries"
+ARCHIVE_FILE="apache-maven-$VERSION-bin.tar.gz"
+SUM_FILE="$ARCHIVE_FILE.sha512"
+SIG_FILE="$ARCHIVE_FILE.asc"
+
+echo "Downloading Maven $VERSION"
+curl --fail -LO --progress-bar "$BASE_URL/$ARCHIVE_FILE"
+curl --fail -LO --progress-bar "$BASE_URL/$SUM_FILE"
+curl --fail -LO --progress-bar "$BASE_URL/$SIG_FILE"
+
+# Maven maintainers produce sum files that are incompatible with sha*sum, so we
+# need to append the archive name to the end to make it work.
+echo -n "  $ARCHIVE_FILE" >> "$SUM_FILE"
+
+# Check that sha512 sum matches before uploading
+sha512sum --strict --check --status "$SUM_FILE" # do not put && here
+echo "SHA512 Sum matches"
+
+if ! gpg --verify "$SIG_FILE" "$ARCHIVE_FILE"; then
+  echo "You might need to download the public keys and try again:"
+  echo "curl https://downloads.apache.org/maven/KEYS | gpg --import"
+  exit 1
+fi
+
+echo "Uploading to Nexus"
+
+curl --fail -o /dev/null --progress-bar -u "$NEXUS_USER:$NEXUS_PASSWORD" --upload-file "$ARCHIVE_FILE" 'https://repo.stackable.tech/repository/packages/maven/'
+curl --fail -o /dev/null --progress-bar -u "$NEXUS_USER:$NEXUS_PASSWORD" --upload-file "$SUM_FILE" 'https://repo.stackable.tech/repository/packages/maven/'
+curl --fail -o /dev/null --progress-bar -u "$NEXUS_USER:$NEXUS_PASSWORD" --upload-file "$SIG_FILE" 'https://repo.stackable.tech/repository/packages/maven/'
+
+echo "Successfully uploaded Maven $VERSION to Nexus"
+echo "https://repo.stackable.tech/service/rest/repository/browse/packages/maven/"
+echo "https://github.com/prometheus/maven/releases/tag/$VERSION"

CHANGELOG.md

@@ -27,11 +27,12 @@ All notable changes to this project will be documented in this file.
 - testing-tools: Add `upload_new_keycloak_version.sh` script ([#1289]).
 - hadoop: Add `3.4.2` ([#1291]).
 - zookeeper: Add `3.9.4` ([#1292]).
+- nifi: Add `2.6.0` ([#1293]).
 
 ### Changed
 
 - all: Use our build-repo to cache NPM dependencies ([#1219]).
-- java: Use a more recent Maven version for all Java based products ([#1220]).
+- java: Use a more recent Maven version for all Java based products ([#1220], [[#1293]]).
 - ubi9-rust-builder: Bump ubi9 base image ([#1253]).
 - stackable-base: Bump ubi9 base image ([#1253]).
 - stackable-devel: Bump ubi9 base image and update cargo-auditable to `0.7.0` ([#1253]).
@@ -82,6 +83,7 @@ All notable changes to this project will be documented in this file.
 [#1290]: https://github.com/stackabletech/docker-images/pull/1290
 [#1291]: https://github.com/stackabletech/docker-images/pull/1291
 [#1292]: https://github.com/stackabletech/docker-images/pull/1292
+[#1293]: https://github.com/stackabletech/docker-images/pull/1293
 
 ## [25.7.0] - 2025-07-23
 

java-devel/Dockerfile

@@ -10,9 +10,9 @@ FROM local-image/stackable-devel
 ARG PRODUCT_VERSION
 ARG STACKABLE_USER_UID
 
-# Find the latest version here: https://github.com/apache/maven
+# Find the latest version here: https://github.com/apache/maven/releases
 # renovate: datasource=github-tags packageName=apache/maven
-ARG MAVEN_VERSION="3.9.10"
+ARG MAVEN_VERSION="3.9.11"
 
 # See: https://adoptium.net/en-gb/installation/linux/#_centosrhelfedora_instructions
 RUN cat <<EOF > /etc/yum.repos.d/adoptium.repo

nifi/boil-config.toml

@@ -4,21 +4,43 @@ java-devel = "11"
 
 [versions."1.27.0".build-arguments]
 git-sync-version = "v4.4.1"
-nifi-opa-authorizer-plugin-version = "0.1.0"
+# Check for new versions at the upstream: https://github.com/DavidGitter/nifi-opa-plugin/tags
+# Checkout a Patchable version (patch-series) for the new tag
+nifi-opa-authorizer-plugin-version = "0.3.0"
 
 [versions."1.28.1".local-images]
 java-base = "11"
 java-devel = "11"
 
 [versions."1.28.1".build-arguments]
 git-sync-version = "v4.4.1"
-nifi-opa-authorizer-plugin-version = "0.1.0"
+# Check for new versions at the upstream: https://github.com/DavidGitter/nifi-opa-plugin/tags
+# Checkout a Patchable version (patch-series) for the new tag
+nifi-opa-authorizer-plugin-version = "0.3.0"
 
 [versions."2.4.0".local-images]
 java-base = "21"
 java-devel = "21"
 
 [versions."2.4.0".build-arguments]
 git-sync-version = "v4.4.1"
-nifi-opa-authorizer-plugin-version = "0.1.0"
-nifi-iceberg-bundle-version = "0.0.4"
+# Check for new versions at the upstream: https://github.com/DavidGitter/nifi-opa-plugin/tags
+# Checkout a Patchable version (patch-series) for the new tag
+nifi-opa-authorizer-plugin-version = "0.3.0"
+# Release a new version here: https://github.com/stackabletech/nifi-iceberg-bundle
+# Checkout a Patchable version (patch-series) for the new tag
+nifi-iceberg-bundle-version = "0.0.5"
+
+[versions."2.6.0".local-images]
+java-base = "21"
+java-devel = "21"
+
+[versions."2.6.0".build-arguments]
+git-sync-version = "v4.4.1"
+# Check for new versions at the upstream: https://github.com/DavidGitter/nifi-opa-plugin/tags
+# Checkout a Patchable version (patch-series) for the new tag
+nifi-opa-authorizer-plugin-version = "0.3.0"
+
+# Release a new version here: https://github.com/stackabletech/nifi-iceberg-bundle
+# Checkout a Patchable version (patch-series) for the new tag
+nifi-iceberg-bundle-version = "0.0.5"

nifi/nifi-iceberg-bundle/stackable/patches/0.0.5/patchable.toml

@@ -0,0 +1 @@
+base = "c305d47c3678d16250374e9dc89bc184b8c36892"

nifi/opa-plugin/stackable/patches/0.3.0/patchable.toml

@@ -0,0 +1,2 @@
+mirror = "https://github.com/stackabletech/nifi-opa-plugin.git"
+base = "728367a22e897479b4d8157b151ff1abca038d3d"

nifi/stackable/patches/2.6.0/0001-no-zip-assembly.patch

@@ -0,0 +1,21 @@
+From e20550884c2d7002013b9427c219128fe416263b Mon Sep 17 00:00:00 2001
+From: Nick Larsen <nick.larsen@stackable.tech>
+Date: Mon, 17 Feb 2025 17:26:20 +0100
+Subject: no zip assembly
+
+---
+ nifi-assembly/pom.xml | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/nifi-assembly/pom.xml b/nifi-assembly/pom.xml
+index dc7fe6fff3..911cbc83d3 100644
+--- a/nifi-assembly/pom.xml
++++ b/nifi-assembly/pom.xml
+@@ -66,7 +66,6 @@ language governing permissions and limitations under the License. -->
+                             <tarLongFileMode>posix</tarLongFileMode>
+                             <formats>
+                                 <format>dir</format>
+-                                <format>zip</format>
+                             </formats>
+                         </configuration>
+                     </execution>

nifi/stackable/patches/2.6.0/0002-add-cyclonedx-plugin.patch

@@ -0,0 +1,38 @@
+From 0ced60d4c0a49bcf975ce5a3f368a0075988a45f Mon Sep 17 00:00:00 2001
+From: Nick Larsen <nick.larsen@stackable.tech>
+Date: Mon, 17 Feb 2025 17:31:17 +0100
+Subject: add cyclonedx plugin
+
+---
+ pom.xml | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/pom.xml b/pom.xml
+index b9ebbf44de..52639e1211 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -1029,6 +1029,24 @@
+                     </rulesets>
+                 </configuration>
+             </plugin>
++            <plugin>
++                <groupId>org.cyclonedx</groupId>
++                <artifactId>cyclonedx-maven-plugin</artifactId>
++                <version>2.8.0</version>
++                <configuration>
++                    <projectType>application</projectType>
++                    <schemaVersion>1.5</schemaVersion>
++                    <skipNotDeployed>false</skipNotDeployed>
++                </configuration>
++                <executions>
++                  <execution>
++                    <phase>package</phase>
++                    <goals>
++                      <goal>makeBom</goal>
++                    </goals>
++                  </execution>
++                </executions>
++            </plugin>
+         </plugins>
+     </build>
+     <profiles>

nifi/stackable/patches/2.6.0/0003-disable-host-port-validation-if-list-of-allowed-host.patch

@@ -0,0 +1,48 @@
+From 081a3a5e2e94d10b43f23f5f1bda7c2db8b4044b Mon Sep 17 00:00:00 2001
+From: Benedikt Labrenz <benedikt@labrenz.org>
+Date: Thu, 22 May 2025 14:47:24 +0200
+Subject: disable host port validation if list of allowed hosts only contains
+ '*'
+
+---
+ .../connector/FrameworkServerConnectorFactory.java  | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/connector/FrameworkServerConnectorFactory.java b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/connector/FrameworkServerConnectorFactory.java
+index 1b28722a3f..72986669d5 100644
+--- a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/connector/FrameworkServerConnectorFactory.java
++++ b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/connector/FrameworkServerConnectorFactory.java
+@@ -54,6 +54,8 @@ public class FrameworkServerConnectorFactory extends StandardServerConnectorFact
+
+     private final String excludeCipherSuites;
+
++    private final boolean disableHostPortValidator;
++
+     private final Set<Integer> validPorts;
+
+     private SslContextFactory.Server sslContextFactory;
+@@ -72,6 +74,11 @@ public class FrameworkServerConnectorFactory extends StandardServerConnectorFact
+         headerSize = DataUnit.parseDataSize(properties.getWebMaxHeaderSize(), DataUnit.B).intValue();
+         validPorts = getValidPorts(properties);
+
++        // Check if the property for allowed hosts has only the wildcard entry and
++        // if so store this in disableHostPortValidator for later use
++        List<String> configuredHostNames = properties.getAllowedHostsAsList();
++        disableHostPortValidator = configuredHostNames.size() == 1 && configuredHostNames.contains("*");
++
+         if (properties.isHTTPSConfigured()) {
+             if (properties.isClientAuthRequiredForRestApi()) {
+                 setNeedClientAuth(true);
+@@ -102,8 +109,10 @@ public class FrameworkServerConnectorFactory extends StandardServerConnectorFact
+         // Add HostHeaderCustomizer to set Host Header for HTTP/2 and HostHeaderHandler
+         httpConfiguration.addCustomizer(new HostHeaderCustomizer());
+
+-        final HostPortValidatorCustomizer hostPortValidatorCustomizer = new HostPortValidatorCustomizer(validPorts);
+-        httpConfiguration.addCustomizer(hostPortValidatorCustomizer);
++        if (!disableHostPortValidator) {
++            final HostPortValidatorCustomizer hostPortValidatorCustomizer = new HostPortValidatorCustomizer(validPorts);
++            httpConfiguration.addCustomizer(hostPortValidatorCustomizer);
++        }
+
+         return httpConfiguration;
+     }