@Ivanmeneges Ivanmeneges commented Nov 25, 2025

Summary by CodeRabbit

  • Chores
    • Updated Kafka container image to version 3.6.1 and Zookeeper to version 3.9.1, incorporating latest stable releases with performance improvements and enhanced compatibility.


Signed-off-by: Ivanmeneges <ivan.anil016@gmail.com>

coderabbitai bot commented Nov 25, 2025

Walkthrough

This pull request updates Helm chart image tags in the Kafka deployment configuration. The Kafka image tag is bumped from 3.2.1-debian-11-r9 to 3.6.1-debian-12-r12, and the Zookeeper image tag is updated from 3.8.0-debian-11-r30 to 3.9.1-debian-12-r13.

Changes

Cohort: Kafka and Zookeeper Version Bumps
File(s): deployment/v3/external/kafka/install.sh
Summary: Updated Helm chart image tags: Kafka from 3.2.1-debian-11-r9 to 3.6.1-debian-12-r12 and Zookeeper from 3.8.0-debian-11-r30 to 3.9.1-debian-12-r13

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

  • Simple version bump with no logic or control flow changes
  • Single file modification with straightforward configuration updates
  • Verify image tags are correctly formatted and available in the registry

Suggested reviewers

  • ckm007

Poem

🐰 Kafka hops from 3.2 to 3.6,
Zookeeper climbs to 3.9 fix,
Debian-12 brings the cheer,
Message streams flow crystal clear! 📬✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (2 passed)
  • Description Check: ✅ Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately describes the main changes: updating Kafka and Zookeeper image tags in the Helm chart configuration.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e48cd27 and b98f5bf.

📒 Files selected for processing (1)
  • deployment/v3/external/kafka/install.sh (1 hunks)
🔇 Additional comments (1)
deployment/v3/external/kafka/install.sh (1)

27-32: Good: Image tags are properly parameterized in Helm values.

The use of --set flags for image repository and tag is a clean approach that maintains flexibility for future updates. This is appropriate for a deployment script.

helm -n $NS install kafka bitnami/kafka \
--set image.repository="mosipid/kafka" \
--set image.tag="3.2.1-debian-11-r9" \
--set image.tag="3.6.1-debian-12-r12" \
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

Verify compatibility and security for Kafka and Zookeeper version bumps.

The Kafka (3.2.1→3.6.1) and Zookeeper (3.8.0→3.9.1) versions are being bumped with a concurrent Debian OS upgrade (11→12). Ensure these changes are compatible and secure before deployment.

Please verify the following:

  1. Version existence: Confirm that the image tags exist in the registry
  2. Compatibility: Verify that Kafka 3.6.1 and Zookeeper 3.9.1 are compatible with each other and with Helm chart version 18.3.1
  3. Security: Check for any CVEs or security advisories in these versions
  4. Breaking changes: Review release notes for breaking changes between the old and new versions

You can verify this by searching the official Kafka and Zookeeper release notes or checking the image availability:

Alternatively, search the web for:

and

Also applies to: 31-31


🏁 Script executed:

#!/bin/bash
# Description: Verify image availability and check release notes for breaking changes

# Check image availability (if registry is accessible)
# docker pull mosipid/kafka:3.6.1-debian-12-r12
# docker pull mosipid/zookeeper:3.9.1-debian-12-r13

# Search for Kafka release notes mentioning breaking changes
echo "Checking Kafka 3.6.1 release information..."
echo "Checking Zookeeper 3.9.1 release information..."

# Search for CVE/security advisories (if applicable)
echo "Verify no critical CVEs in these versions"

Length of output: 133


🌐 Web query:

Kafka 3.6.1 breaking changes and compatibility with Zookeeper 3.9.1

💡 Result:

Short answer

  • Kafka 3.6.1 is a bugfix release (no major breaking changes in the Kafka project itself); the release primarily contains fixes and dependency upgrades — notably ZooKeeper was upgraded in the Kafka 3.6.1 distribution to ZooKeeper 3.8.3. [1][2]
  • Running Kafka 3.6.1 with an external ZooKeeper 3.9.1 is generally possible: the ZooKeeper project documents that ZooKeeper 3.9.x servers are compatible with ZooKeeper clients from 3.5.x onward, and 3.9.x clients are compatible with 3.5–3.8 servers (so client-server compatibility is maintained). Kafka 3.6.1 ships with ZK 3.8.3 but should interoperate with a 3.9.1 server; however, test in your environment and watch for transitive-dependency or logging-library differences introduced by ZK 3.9.1. [3][1][4]

Notes / pointers

  • See Kafka 3.6.1 release notes (bugfix list and note about ZK 3.8.3). [1]
  • Kafka 3.6.1 release announcement / blog. [2]
  • ZooKeeper releases page: compatibility statements for 3.9.x. [3]
  • Practical issues: users have reported that upgrading ZK can bring in different transient dependencies (logging, netty, etc.) that may change runtime behavior (example: logging config changes). Verify dependency tree and run integration tests. [4]

If you want, I can:

  • check a specific Kafka distribution/package (Confluent, MSK, your build) for its bundled ZK and known compatibility notes, or
  • run a quick dependency diff (pom/gradle) between Kafka's bundled ZK and 3.9.1 to show possible transitive changes.

🌐 Web query:

Zookeeper 3.9.1 Debian 12 security vulnerabilities

💡 Result:

Short answer: Yes — Zookeeper 3.9.1 is mixed: it fixes the SASL quorum auth bypass (CVE-2023-44981) but is known to be vulnerable to at least one later issue (information-disclosure in persistent watchers, CVE-2024-23944) that affects 3.9.0–3.9.1 and was fixed in later releases. Debian 12 (bookworm) ships zookeeper as 3.8.x with Debian security fixes applied; Debian’s trackers list which CVEs are fixed or still relevant for each release. [1][2][3]

Details and recommended actions

  • CVE-2023-44981 (authorization bypass in SASL quorum peer auth): fixed by upstream in 3.9.1 and backported in Debian packages — upgrade zookeeper if you are on an affected older release or ensure quorum traffic is firewall‑protected if you cannot upgrade. [1][3]
  • CVE-2024-23944 (missing ACL check → persistent-watcher info disclosure): affects 3.9.0–3.9.1 (and some 3.8.x); fixed upstream in 3.9.2/3.8.4 and in Debian package updates — do not run unpatched 3.9.1 in production if you rely on persistent watchers. [2][3]
  • Debian bookworm package status: Debian’s zookeeper package for bookworm is 3.8.0-11+deb12u2 (with security fixes). If you installed upstream 3.9.1 manually on Debian 12, you should treat it as vulnerable to the watcher ACL issue and upgrade to an upstream version that contains the fixes (or use the patched Debian package). [3]

References

  • Debian security tracker — CVE-2023-44981. [1]
  • Debian security tracker — CVE-2024-23944. [2]
  • Debian zookeeper package tracker / available versions and security notes. [3]

If you want, I can: (a) check whether your installed zookeeper package on Debian 12 is the Debian-provided 3.8.x or a manually installed 3.9.1, and give exact upgrade/mitigation steps.


Upgrade ZooKeeper to 3.9.2+ to fix CVE-2024-23944 vulnerability in 3.9.1.

ZooKeeper 3.9.1 is vulnerable to CVE-2024-23944 (a persistent-watcher information-disclosure issue), which was fixed in 3.9.2. Update line 31 to use 3.9.2-debian-12-r* or later.

Additionally, Kafka 3.6.1 with external ZooKeeper 3.9.1 is generally compatible, but users have reported transitive dependency and logging-library differences. Test the upgrade in a staging environment to verify no behavioral changes.

🤖 Prompt for AI Agents
In deployment/v3/external/kafka/install.sh around lines 29-31, the manifest pins
ZooKeeper to 3.9.1 which is vulnerable to CVE-2024-23944; change the ZooKeeper
image tag to 3.9.2-debian-12-r* (or later) by updating the version string to
3.9.2-debian-12-rX, rebuild/redeploy the chart, and run validation in a staging
environment to confirm compatibility with Kafka 3.6.1 (check transitive
dependencies and logging behavior).
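An offline version of the checks the review asks for (tag format, and the ZooKeeper tag at or above the 3.9.2 release it names as fixing CVE-2024-23944), added here as an example and not code from the PR or the MOSIP project. The install.sh text is a constructed stand-in, and the zookeeper.image.* value keys are an assumption about how the chart exposes the subchart image, since the PR only shows the Kafka lines.

```shell
#!/bin/bash
# Added example (not code from this PR or the MOSIP repo): read the tags pinned via
# "--set key=value" in an install.sh-style script and check the ZooKeeper tag against
# 3.9.2, the release the review names as fixing CVE-2024-23944. Runs offline.

# Constructed stand-in for the Helm lines in install.sh. The zookeeper.image.* keys
# are an assumption about the chart's subchart values; the PR only shows Kafka lines.
INSTALL_SH='helm -n $NS install kafka bitnami/kafka \
--set image.repository="mosipid/kafka" \
--set image.tag="3.6.1-debian-12-r12" \
--set zookeeper.image.repository="mosipid/zookeeper" \
--set zookeeper.image.tag="3.9.1-debian-12-r13"'
ZK_MIN_FIXED=3.9.2   # first ZooKeeper release carrying the CVE-2024-23944 fix (per the review)

# Print the value of --set <key>="<value>" (first match), or nothing.
extract_set_value() {  # $1 = key, $2 = script text
    local key; key=$(printf '%s' "$1" | sed 's/[.]/\\./g')
    printf '%s\n' "$2" | sed -n "s/.*--set $key=\"\([^\"]*\)\".*/\1/p" | head -n 1
}
# Accept only <major>.<minor>.<patch>-debian-<N>-r<N>, the tag shape used here.
tag_well_formed() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+-debian-[0-9]+-r[0-9]+$'
}
upstream_version() { printf '%s\n' "${1%%-*}"; }   # 3.9.1-debian-12-r13 -> 3.9.1

# Numeric dotted-version compare: returns 0 when $1 >= $2 (missing parts count as 0).
version_ge() {
    local i x y
    for i in 1 2 3; do
        x=$(printf '%s\n' "$1" | cut -d. -f"$i"); y=$(printf '%s\n' "$2" | cut -d. -f"$i")
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# Check both pinned tags: well-formed, and ZooKeeper not below ZK_MIN_FIXED.
# Prints findings; returns 0 only when everything passes.
check_pinned_tags() {  # $1 = script text
    local kafka zk t status=0
    kafka=$(extract_set_value image.tag "$1"); zk=$(extract_set_value zookeeper.image.tag "$1")
    for t in "$kafka" "$zk"; do
        tag_well_formed "$t" || { echo "malformed or missing tag: '$t'"; status=1; }
    done
    if ! version_ge "$(upstream_version "$zk")" "$ZK_MIN_FIXED"; then
        echo "zookeeper $zk is below $ZK_MIN_FIXED (CVE-2024-23944 fix)"; status=1
    fi
    return "$status"
}
check_pinned_tags "$INSTALL_SH" || echo "FAIL: fix the pinned tags before deploying"
```

Registry availability (step 1 of the review) still needs a real pull or manifest query against mosipid/kafka and mosipid/zookeeper; this script only validates what is pinned.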
