fix: allow automq.zone.cidr.blocks to be set via static server.properties

[manmohak07]

Fixes #3115

Problem

The automq.zone.cidr.blocks config option cannot be set via static server.properties. It can only be configured dynamically via kafka-configs.sh.

This is a blocker for Kubernetes operators like Strimzi, which assemble config maps and mount them as static properties files. Users following the AutoMQ documentation expect to set this config in spec.kafka.config, but it gets ignored on startup.

Root Cause

In DefaultClientRackProvider.java, the static initializer adds automq.zone.cidr.blocks to DynamicBrokerConfig.AllDynamicConfigs():

static {
    RECONFIGURABLE_CONFIGS = Set.of(
        ZONE_CIDR_BLOCKS_CONFIG_KEY
    );
    RECONFIGURABLE_CONFIGS.forEach(DynamicBrokerConfig.AllDynamicConfigs()::add);
}

When a config is in AllDynamicConfigs, Kafka treats it as "dynamic-only" and ignores it in static server.properties.

Solution

I removed the line that adds the config to AllDynamicConfigs. The config will still be reconfigurable (via the Reconfigurable interface) but can now also be set statically.

This preserves the expected priority order (per DynamicBrokerConfig.scala lines 570-580):

1. DYNAMIC_BROKER_CONFIG (per-broker dynamic)
2. DYNAMIC_DEFAULT_BROKER_CONFIG (cluster-wide dynamic)
3. STATIC_BROKER_CONFIG (server.properties) - now works
4. DEFAULT_CONFIG

Dynamic config still takes priority over static config when set:

private def updateCurrentConfig(doLog: Boolean): Unit = {
  val newProps = mutable.Map[String, String]()
  newProps ++= staticBrokerConfigs                // 1. Start with static
  overrideProps(newProps, dynamicDefaultConfigs)  // 2. Override with dynamic defaults
  overrideProps(newProps, dynamicBrokerConfigs)   // 3. Override with per-broker dynamic
  ...
}

Testing

Verified:

• Static config now loads on startup
• Dynamic config still works
• Dynamic config takes priority over static when set

Before Fix (static config ignored)

Add static config:

docker exec automq-single-server bash -c "echo 'automq.zone.cidr.blocks=static-zone-a@192.168.1.0/24<>static-zone-b@192.168.2.0/24' >> /opt/automq/kafka/config/kraft/server.properties"
docker restart automq-single-server

Check if loaded:

docker exec automq-single-server bash -c "/opt/automq/kafka/bin/kafka-configs.sh --broker-defaults --describe --bootstrap-server localhost:9092"

Default configs for brokers in the cluster are:
  automq.zone.cidr.blocks=null sensitive=true synonyms={DYNAMIC_DEFAULT_BROKER_CONFIG:automq.zone.cidr.blocks=null}

Static config was ignored (shows null).

---

After Fix (static config works)

Add static config:

docker exec automq-single-server bash -c "echo 'automq.zone.cidr.blocks=proof-zone-a@172.16.0.0/16<>proof-zone-b@172.17.0.0/16' >> /opt/automq/kafka/config/kraft/server.properties"
docker restart automq-single-server

Check logs:

docker exec automq-single-server bash -c "grep -i 'zone.*cidr' /opt/automq/kafka/logs/server.log"

[2026-01-02 07:45:26,116] INFO apply new zone CIDR blocks proof-zone-a@172.16.0.0/16<>proof-zone-b@172.17.0.0/16 (kafka.automq.zerozone.DefaultClientRackProvider)

Static config loaded on startup.

---

Dynamic config still works (and takes priority)

docker exec automq-single-server bash -c "/opt/automq/kafka/bin/kafka-configs.sh --bootstrap-server localhost:9092 --entity-type brokers --entity-default --alter --add-config 'automq.zone.cidr.blocks=dynamic-test@10.99.0.0/16'"

Completed updating default config for brokers in the cluster.

docker exec automq-single-server bash -c "grep -i 'zone.*cidr' /opt/automq/kafka/logs/server.log"

[2026-01-02 07:41:08,600] INFO apply new zone CIDR blocks dynamic-test@10.99.0.0/16 (kafka.automq.zerozone.DefaultClientRackProvider)

Dynamic config applied and overrides static.

---

Committer Checklist (excluded from commit message)

• [] Verify design and implementation
• [] Verify test coverage and CI build status (
• [] Verify documentation (including upgrade notes)

[CLAassistant]

All committers have signed the CLA.

[superhx]

@manmohak07 The all dynamic configs which aren't added to DynamicBrokerConfig.AllDynamicConfigs() need to be configured in a bundle. It means the config cannot change alone.

Maybe we can pass KafkaConfig into DefaultClientRackProvider and then obtain the static config of automq.zone.cidr.blocks from KafkaConfig.

[manmohak07]

Static Config Loads on Startup

Setup:

# Add static config to server.properties
docker exec automq-single-server bash -c "echo 'automq.zone.cidr.blocks=static-zone-a@172.16.0.0/16<>static-zone-b@172.17.0.0/16' >> /opt/automq/kafka/config/kraft/server.properties"

# Verify config was added
docker exec automq-single-server bash -c "grep 'automq.zone.cidr.blocks' /opt/automq/kafka/config/kraft/server.properties"

Output:

automq.zone.cidr.blocks=static-zone-a@172.16.0.0/16<>static-zone-b@172.17.0.0/16

Delete any existing dynamic config to test static only:

docker exec automq-single-server bash -c "/opt/automq/kafka/bin/kafka-configs.sh --bootstrap-server localhost:9092 --entity-type brokers --entity-default --alter --delete-config 'automq.zone.cidr.blocks'"

Output:

Completed updating default config for brokers in the cluster.

Restart broker:

docker restart automq-single-server

Verify static config was loaded:

docker exec automq-single-server bash -c "grep -h 'Initialized with static zone CIDR blocks' /opt/automq/kafka/logs/server.log*"

Output:

[2026-01-20 03:46:49,988] INFO Initialized with static zone CIDR blocks: static-zone-a@172.16.0.0/16<>static-zone-b@172.17.0.0/16 (kafka.automq.zerozone.DefaultClientRackProvider)
[2026-01-20 03:51:18,021] INFO Initialized with static zone CIDR blocks: static-zone-a@172.16.0.0/16<>static-zone-b@172.17.0.0/16 (kafka.automq.zerozone.DefaultClientRackProvider)
[2026-01-20 03:53:55,171] INFO Initialized with static zone CIDR blocks: static-zone-a@172.16.0.0/16<>static-zone-b@172.17.0.0/16 (kafka.automq.zerozone.DefaultClientRackProvider)

Result: Static config successfully loaded from server.properties on startup.

---

Dynamic Config Still Works

Set dynamic config:

docker exec automq-single-server bash -c "/opt/automq/kafka/bin/kafka-configs.sh --bootstrap-server localhost:9092 --entity-type brokers --entity-default --alter --add-config 'automq.zone.cidr.blocks=dynamic-test@10.99.0.0/16'"

Output:

Completed updating default config for brokers in the cluster.

Verify dynamic config was applied:

docker exec automq-single-server bash -c "grep 'apply new zone CIDR blocks dynamic-test' /opt/automq/kafka/logs/server.log*"

Output:

[2026-01-20 03:52:34,837] INFO apply new zone CIDR blocks dynamic-test@10.99.0.0/16 (kafka.automq.zerozone.DefaultClientRackProvider)

[manmohak07]

There was an unused import (import kafka.server.DynamicBrokerConfig;), I removed it, and fixed the order by running ./gradlew :core:spotlessApply

[z0rc]

Thanks for implementing the fix. Would it be possible to backport this change to 1.6 branch and release as a new patch version? Or should I wait for the next minor automq release?

[manmohak07]

Thanks for implementing the fix. Would it be possible to backport this change to 1.6 branch and release as a new patch version? Or should I wait for the next minor automq release?

cc: @superhx

[superhx]

Thanks for implementing the fix. Would it be possible to backport this change to 1.6 branch and release as a new patch version? Or should I wait for the next minor automq release?

Hi, the fix will be included in 1.6.4

#3191