Release for new solr-operator with latest ZooKeeper dependency
Hey team, the latest released solr-operator (https://artifacthub.io/packages/helm/apache-solr/solr-operator) v0.8.0 has a dependency on ZooKeeper operator (https://artifacthub.io/packages/helm/banzaicloud-stable/zookeeper-operator) v0.2.15, which in turn depends on an older ZooKeeper version, exposing log4j 1.x usage for Solr.
The latest ZooKeeper version v0.3.0 mitigated this issue by upgrading the underlying ZooKeeper deps. This issue is created to request the release of a new solr-operator chart that depends on the updated ZooKeeper to remediate log4j exposure for downstream Ranger/Solr users.
I'm not sure where banzaicloud's zookeeper operator comes from, but the one that Solr relies on is https://github.com/pravega/zookeeper-operator. The latest release of that is 0.2.15.
The log4j 1.x CVEs were addressed in Zookeeper 3.7.1, which the 0.2.15 version of the Zookeeper Operator uses.
Hi.
It looks like the project https://github.com/pravega/zookeeper-operator is still active, but not much work is done on the project.
The last release was 0.2.15, released Apr 4, 2023.
Current status seems to be: https://github.com/pravega/zookeeper-operator/issues/617
Our zookeeper-operator image seems to have 364 outdated packages at the moment.
Wondering if we should switch to a more actively maintained zookeeper operator solution. Or does the Solr-operator project already have plans for this?
I’ve given up on them. It’s dead. Turn off zk operator and instead deploy zk independently with a helm chart. I propose #600
I agree. Let's push for a 1.0 release with this as the big change.