joejulian
diff --git a/‎apis/redpanda/v1alpha1/cluster_types.go
+17-1 b/‎apis/redpanda/v1alpha1/cluster_types.go
+17-1
diff --git a/‎apis/redpanda/v1alpha1/cluster_webhook.go
+61 b/‎apis/redpanda/v1alpha1/cluster_webhook.go
+61
diff --git a/‎apis/redpanda/v1alpha1/cluster_webhook_test.go
+112 b/‎apis/redpanda/v1alpha1/cluster_webhook_test.go
+112
diff --git a/‎cmd/configurator/main.go
+56-24 b/‎cmd/configurator/main.go
+56-24
@@ -257,17 +257,33 @@ type StorageSpec struct {
 // used as a external listener. This port is tight to the autogenerated
 // host port. The collision between Kafka external, Kafka internal,
 // Admin, Pandaproxy, Schema Registry and RPC port is checked in the webhook.
+// An optional endpointTemplate can be used to configure advertised addresses
+// for Kafka API and Pandaproxy, while it is disallowed for other listeners.
 type ExternalConnectivityConfig struct {
 	// Enabled enables the external connectivity feature
 	Enabled bool `json:"enabled,omitempty"`
 	// Subdomain can be used to change the behavior of an advertised
 	// KafkaAPI. Each broker advertises Kafka API as follows
-	// BROKER_ID.SUBDOMAIN:EXTERNAL_KAFKA_API_PORT.
+	// ENDPOINT.SUBDOMAIN:EXTERNAL_KAFKA_API_PORT.
 	// If Subdomain is empty then each broker advertises Kafka
 	// API as PUBLIC_NODE_IP:EXTERNAL_KAFKA_API_PORT.
 	// If TLS is enabled then this subdomain will be requested
 	// as a subject alternative name.
 	Subdomain string `json:"subdomain,omitempty"`
+	// EndpointTemplate is a Golang template string that allows customizing each
+	// broker advertised address.
+	// Redpanda uses the format BROKER_ID.SUBDOMAIN:EXTERNAL_KAFKA_API_PORT by
+	// default for advertised addresses. When an EndpointTemplate is
+	// provided, then the BROKER_ID part is replaced with the endpoint
+	// computed from the template.
+	// The following variables are available to the template:
+	// - Index: the Redpanda broker progressive number
+	// - HostIP: the ip address of the Node, as reported in pod status
+	//
+	// Common template functions from Sprig (http://masterminds.github.io/sprig/)
+	// are also available. The set of available functions is limited to hermetic
+	// functions because template application needs to be deterministic.
+	EndpointTemplate string `json:"endpointTemplate,omitempty"`
 	// The preferred address type to be assigned to the external
 	// advertised addresses. The valid types are ExternalDNS,
 	// ExternalIP, InternalDNS, InternalIP, and Hostname.
 
@@ -15,6 +15,7 @@ import (
 	"strconv"
 
 	cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
+	"github.com/redpanda-data/redpanda/src/go/k8s/pkg/utils"
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/resource"
@@ -277,6 +278,12 @@ func (r *Cluster) validateAdminListeners() field.ErrorList {
 				r.Spec.Configuration.AdminAPI,
 				"bootstrap loadbalancer not available for http admin api"))
 	}
+	if externalAdmin != nil && externalAdmin.External.EndpointTemplate != "" {
+		allErrs = append(allErrs,
+			field.Invalid(field.NewPath("spec").Child("configuration").Child("adminApi"),
+				r.Spec.Configuration.AdminAPI,
+				"cannot provide an endpoint template for admin listener"))
+	}
 
 	// for now only one listener can have TLS to be backward compatible with v1alpha1 API
 	foundListenerWithTLS := false
@@ -306,6 +313,7 @@ func (r *Cluster) validateKafkaListeners() field.ErrorList {
 	}
 
 	var external *KafkaAPI
+	var externalIdx int
 	for i, p := range r.Spec.Configuration.KafkaAPI {
 		if p.External.Enabled {
 			if external != nil {
@@ -315,6 +323,7 @@ func (r *Cluster) validateKafkaListeners() field.ErrorList {
 						"only one kafka api listener can be marked as external"))
 			}
 			external = &r.Spec.Configuration.KafkaAPI[i]
+			externalIdx = i
 		}
 	}
 
@@ -357,10 +366,36 @@ func (r *Cluster) validateKafkaListeners() field.ErrorList {
 				r.Spec.Configuration.KafkaAPI,
 				"bootstrap port cannot be empty"))
 	}
+	// nolint:dupl // not identical
+	if external != nil && external.External.EndpointTemplate != "" {
+		if external.External.Subdomain == "" {
+			allErrs = append(allErrs,
+				field.Invalid(field.NewPath("spec").Child("configuration").Child("kafkaApi").Index(externalIdx).Child("external"),
+					external.External,
+					"endpointTemplate can only be used in combination with subdomain"))
+		}
+
+		err := checkValidEndpointTemplate(external.External.EndpointTemplate)
+		if err != nil {
+			log.Error(err, "Invalid endpoint template received", "template", external.External.EndpointTemplate)
+			allErrs = append(allErrs,
+				field.Invalid(field.NewPath("spec").Child("configuration").Child("kafkaApi").Index(externalIdx).Child("external").Child("endpointTemplate"),
+					external.External.EndpointTemplate,
+					fmt.Sprintf("template is invalid: %v", err)))
+		}
+	}
 
 	return allErrs
 }
 
+func checkValidEndpointTemplate(tmpl string) error {
+	// Using an example input to ensure that the template expression is allowed
+	data := utils.NewEndpointTemplateData(0, "1.2.3.4")
+	_, err := utils.ComputeEndpoint(tmpl, data)
+	return err
+}
+
+// nolint:funlen,gocyclo // it's a sequence of checks
 func (r *Cluster) validatePandaproxyListeners() field.ErrorList {
 	var allErrs field.ErrorList
 	var proxyExternal *PandaproxyAPI
@@ -412,6 +447,25 @@ func (r *Cluster) validatePandaproxyListeners() field.ErrorList {
 					r.Spec.Configuration.PandaproxyAPI[i],
 					"sudomain of external pandaproxy must be the same as kafka's"))
 		}
+		// nolint:dupl // not identical
+		if kafkaExternal != nil && proxyExternal.External.EndpointTemplate != "" {
+			if proxyExternal.External.Subdomain == "" {
+				allErrs = append(allErrs,
+					field.Invalid(field.NewPath("spec").Child("configuration").Child("pandaproxyApi").Index(i).Child("external"),
+						proxyExternal.External,
+						"endpointTemplate can only be used in combination with subdomain"))
+			}
+
+			err := checkValidEndpointTemplate(proxyExternal.External.EndpointTemplate)
+			if err != nil {
+				log.Error(err, "Invalid endpoint template received", "template", proxyExternal.External.EndpointTemplate)
+				allErrs = append(allErrs,
+					field.Invalid(field.NewPath("spec").Child("configuration").Child("pandaproxyApi").Index(i).
+						Child("external").Child("endpointTemplate"),
+						proxyExternal.External.EndpointTemplate,
+						fmt.Sprintf("template is invalid: %v", err)))
+			}
+		}
 	}
 
 	// for now only one listener can have TLS to be backward compatible with v1alpha1 API
@@ -510,6 +564,13 @@ func (r *Cluster) validateSchemaRegistryListener() field.ErrorList {
 				r.Spec.Configuration.SchemaRegistry.External,
 				"bootstrap loadbalancer not available for schema reigstry"))
 	}
+	if schemaRegistry.External.EndpointTemplate != "" {
+		allErrs = append(allErrs,
+			field.Invalid(field.NewPath("spec").Child("configuration").Child("schemaRegistry").Child("external").Child("endpointTemplate"),
+				r.Spec.Configuration.SchemaRegistry.External.EndpointTemplate,
+				"cannot provide an endpoint template for schema registry"))
+	}
+
 	return allErrs
 }
 
 
@@ -1022,6 +1022,118 @@ func TestCreation(t *testing.T) {
 		err := rp.ValidateCreate()
 		assert.Error(t, err)
 	})
+	t.Run("endpoint template not allowed for schemaregistry", func(t *testing.T) {
+		rp := redpandaCluster.DeepCopy()
+		const commonDomain = "company.org"
+
+		rp.Spec.Configuration.KafkaAPI = append(rp.Spec.Configuration.KafkaAPI, v1alpha1.KafkaAPI{External: v1alpha1.ExternalConnectivityConfig{
+			Enabled:   true,
+			Subdomain: commonDomain,
+		}})
+		rp.Spec.Configuration.SchemaRegistry = &v1alpha1.SchemaRegistryAPI{External: &v1alpha1.ExternalConnectivityConfig{
+			Enabled:          true,
+			Subdomain:        commonDomain,
+			EndpointTemplate: "xxx",
+		}}
+		err := rp.ValidateCreate()
+		assert.Error(t, err)
+	})
+	// nolint:dupl // not really a duplicate
+	t.Run("endpoint template not allowed for adminapi", func(t *testing.T) {
+		rp := redpandaCluster.DeepCopy()
+		const commonDomain = "company.org"
+
+		rp.Spec.Configuration.KafkaAPI = append(rp.Spec.Configuration.KafkaAPI, v1alpha1.KafkaAPI{External: v1alpha1.ExternalConnectivityConfig{
+			Enabled:   true,
+			Subdomain: commonDomain,
+		}})
+		rp.Spec.Configuration.AdminAPI = append(rp.Spec.Configuration.AdminAPI, v1alpha1.AdminAPI{External: v1alpha1.ExternalConnectivityConfig{
+			Enabled:          true,
+			Subdomain:        commonDomain,
+			EndpointTemplate: "xxx",
+		}})
+		err := rp.ValidateCreate()
+		assert.Error(t, err)
+	})
+	t.Run("endpoint template without subdomain is not allowed in kafka API", func(t *testing.T) {
+		rp := redpandaCluster.DeepCopy()
+
+		rp.Spec.Configuration.KafkaAPI = append(rp.Spec.Configuration.KafkaAPI, v1alpha1.KafkaAPI{External: v1alpha1.ExternalConnectivityConfig{
+			Enabled:          true,
+			EndpointTemplate: "xxx",
+		}})
+		err := rp.ValidateCreate()
+		assert.Error(t, err)
+	})
+	t.Run("endpoint template without subdomain is not allowed in pandaproxy API", func(t *testing.T) {
+		rp := redpandaCluster.DeepCopy()
+
+		rp.Spec.Configuration.KafkaAPI = append(rp.Spec.Configuration.KafkaAPI, v1alpha1.KafkaAPI{External: v1alpha1.ExternalConnectivityConfig{
+			Enabled: true,
+		}})
+		rp.Spec.Configuration.PandaproxyAPI = append(rp.Spec.Configuration.PandaproxyAPI, v1alpha1.PandaproxyAPI{External: v1alpha1.ExternalConnectivityConfig{
+			Enabled:          true,
+			EndpointTemplate: "xxx",
+		}})
+		err := rp.ValidateCreate()
+		assert.Error(t, err)
+	})
+	t.Run("invalid endpoint template in kafka API", func(t *testing.T) {
+		rp := redpandaCluster.DeepCopy()
+
+		rp.Spec.Configuration.KafkaAPI = append(rp.Spec.Configuration.KafkaAPI, v1alpha1.KafkaAPI{External: v1alpha1.ExternalConnectivityConfig{
+			Enabled:          true,
+			Subdomain:        "example.com",
+			EndpointTemplate: "{{.Inexistent}}",
+		}})
+		err := rp.ValidateCreate()
+		assert.Error(t, err)
+	})
+	t.Run("valid endpoint template in kafka API", func(t *testing.T) {
+		rp := redpandaCluster.DeepCopy()
+
+		rp.Spec.Configuration.KafkaAPI = append(rp.Spec.Configuration.KafkaAPI, v1alpha1.KafkaAPI{External: v1alpha1.ExternalConnectivityConfig{
+			Enabled:          true,
+			Subdomain:        "example.com",
+			EndpointTemplate: "{{.Index}}-broker",
+		}})
+		err := rp.ValidateCreate()
+		assert.NoError(t, err)
+	})
+	// nolint:dupl // not really a duplicate
+	t.Run("invalid endpoint template in pandaproxy API", func(t *testing.T) {
+		rp := redpandaCluster.DeepCopy()
+
+		const commonDomain = "mydomain"
+		rp.Spec.Configuration.KafkaAPI = append(rp.Spec.Configuration.KafkaAPI, v1alpha1.KafkaAPI{External: v1alpha1.ExternalConnectivityConfig{
+			Enabled:   true,
+			Subdomain: commonDomain,
+		}})
+		rp.Spec.Configuration.PandaproxyAPI = append(rp.Spec.Configuration.PandaproxyAPI, v1alpha1.PandaproxyAPI{External: v1alpha1.ExternalConnectivityConfig{
+			Enabled:          true,
+			Subdomain:        commonDomain,
+			EndpointTemplate: "{{.Index | nonexistent }}",
+		}})
+		err := rp.ValidateCreate()
+		assert.Error(t, err)
+	})
+	// nolint:dupl // not really a duplicate
+	t.Run("valid endpoint template in pandaproxy API", func(t *testing.T) {
+		rp := redpandaCluster.DeepCopy()
+
+		const commonDomain = "mydomain"
+		rp.Spec.Configuration.KafkaAPI = append(rp.Spec.Configuration.KafkaAPI, v1alpha1.KafkaAPI{External: v1alpha1.ExternalConnectivityConfig{
+			Enabled:   true,
+			Subdomain: commonDomain,
+		}})
+		rp.Spec.Configuration.PandaproxyAPI = append(rp.Spec.Configuration.PandaproxyAPI, v1alpha1.PandaproxyAPI{External: v1alpha1.ExternalConnectivityConfig{
+			Enabled:          true,
+			Subdomain:        commonDomain,
+			EndpointTemplate: "{{.Index}}-pp",
+		}})
+		err := rp.ValidateCreate()
+		assert.NoError(t, err)
+	})
 }
 
 func TestSchemaRegistryValidations(t *testing.T) {
 
@@ -21,6 +21,7 @@ import (
 
 	"github.com/hashicorp/go-multierror"
 	"github.com/redpanda-data/redpanda/src/go/k8s/pkg/networking"
+	"github.com/redpanda-data/redpanda/src/go/k8s/pkg/utils"
 	"github.com/redpanda-data/redpanda/src/go/rpk/pkg/config"
 	"github.com/spf13/afero"
 	"gopkg.in/yaml.v3"
@@ -31,33 +32,39 @@ import (
 )
 
 const (
-	hostNameEnvVar                        = "HOSTNAME"
-	svcFQDNEnvVar                         = "SERVICE_FQDN"
-	configSourceDirEnvVar                 = "CONFIG_SOURCE_DIR"
-	configDestinationEnvVar               = "CONFIG_DESTINATION"
-	redpandaRPCPortEnvVar                 = "REDPANDA_RPC_PORT"
-	nodeNameEnvVar                        = "NODE_NAME"
-	externalConnectivityEnvVar            = "EXTERNAL_CONNECTIVITY"
-	externalConnectivitySubDomainEnvVar   = "EXTERNAL_CONNECTIVITY_SUBDOMAIN"
-	externalConnectivityAddressTypeEnvVar = "EXTERNAL_CONNECTIVITY_ADDRESS_TYPE"
-	hostPortEnvVar                        = "HOST_PORT"
-	proxyHostPortEnvVar                   = "PROXY_HOST_PORT"
+	hostNameEnvVar                                       = "HOSTNAME"
+	svcFQDNEnvVar                                        = "SERVICE_FQDN"
+	configSourceDirEnvVar                                = "CONFIG_SOURCE_DIR"
+	configDestinationEnvVar                              = "CONFIG_DESTINATION"
+	redpandaRPCPortEnvVar                                = "REDPANDA_RPC_PORT"
+	nodeNameEnvVar                                       = "NODE_NAME"
+	externalConnectivityEnvVar                           = "EXTERNAL_CONNECTIVITY"
+	externalConnectivitySubDomainEnvVar                  = "EXTERNAL_CONNECTIVITY_SUBDOMAIN"
+	externalConnectivityAddressTypeEnvVar                = "EXTERNAL_CONNECTIVITY_ADDRESS_TYPE"
+	externalConnectivityKafkaEndpointTemplateEnvVar      = "EXTERNAL_CONNECTIVITY_KAFKA_ENDPOINT_TEMPLATE"
+	externalConnectivityPandaProxyEndpointTemplateEnvVar = "EXTERNAL_CONNECTIVITY_PANDA_PROXY_ENDPOINT_TEMPLATE"
+	hostIPEnvVar                                         = "HOST_IP_ADDRESS"
+	hostPortEnvVar                                       = "HOST_PORT"
+	proxyHostPortEnvVar                                  = "PROXY_HOST_PORT"
 )
 
 type brokerID int
 
 type configuratorConfig struct {
-	hostName                        string
-	svcFQDN                         string
-	configSourceDir                 string
-	configDestination               string
-	nodeName                        string
-	subdomain                       string
-	externalConnectivity            bool
-	externalConnectivityAddressType corev1.NodeAddressType
-	redpandaRPCPort                 int
-	hostPort                        int
-	proxyHostPort                   int
+	hostName                                       string
+	svcFQDN                                        string
+	configSourceDir                                string
+	configDestination                              string
+	nodeName                                       string
+	subdomain                                      string
+	externalConnectivity                           bool
+	externalConnectivityAddressType                corev1.NodeAddressType
+	externalConnectivityKafkaEndpointTemplate      string
+	externalConnectivityPandaProxyEndpointTemplate string
+	redpandaRPCPort                                int
+	hostPort                                       int
+	proxyHostPort                                  int
+	hostIP                                         string
 }
 
 func (c *configuratorConfig) String() string {
@@ -205,8 +212,14 @@ func registerAdvertisedKafkaAPI(
 	}
 
 	if len(c.subdomain) > 0 {
+		data := utils.NewEndpointTemplateData(int(index), c.hostIP)
+		ep, err := utils.ComputeEndpoint(c.externalConnectivityKafkaEndpointTemplate, data)
+		if err != nil {
+			return err
+		}
+
 		cfg.Redpanda.AdvertisedKafkaAPI = append(cfg.Redpanda.AdvertisedKafkaAPI, config.NamedSocketAddress{
-			Address: fmt.Sprintf("%d.%s", index, c.subdomain),
+			Address: fmt.Sprintf("%s.%s", ep, c.subdomain),
 			Port:    c.hostPort,
 			Name:    "kafka-external",
 		})
@@ -244,8 +257,14 @@ func registerAdvertisedPandaproxyAPI(
 
 	// Pandaproxy uses the Kafka API subdomain.
 	if len(c.subdomain) > 0 {
+		data := utils.NewEndpointTemplateData(int(index), c.hostIP)
+		ep, err := utils.ComputeEndpoint(c.externalConnectivityPandaProxyEndpointTemplate, data)
+		if err != nil {
+			return err
+		}
+
 		cfg.Pandaproxy.AdvertisedPandaproxyAPI = append(cfg.Pandaproxy.AdvertisedPandaproxyAPI, config.NamedSocketAddress{
-			Address: fmt.Sprintf("%d.%s", index, c.subdomain),
+			Address: fmt.Sprintf("%s.%s", ep, c.subdomain),
 			Port:    c.proxyHostPort,
 			Name:    "proxy-external",
 		})
@@ -278,6 +297,7 @@ func getExternalIP(node *corev1.Node) string {
 	return ""
 }
 
+// nolint:funlen // envs are many
 func checkEnvVars() (configuratorConfig, error) {
 	var result error
 	var extCon string
@@ -326,6 +346,18 @@ func checkEnvVars() (configuratorConfig, error) {
 			value: &hostPort,
 			name:  hostPortEnvVar,
 		},
+		{
+			value: &c.externalConnectivityKafkaEndpointTemplate,
+			name:  externalConnectivityKafkaEndpointTemplateEnvVar,
+		},
+		{
+			value: &c.externalConnectivityPandaProxyEndpointTemplate,
+			name:  externalConnectivityPandaProxyEndpointTemplateEnvVar,
+		},
+		{
+			value: &c.hostIP,
+			name:  hostIPEnvVar,
+		},
 	}
 	for _, envVar := range envVarList {
 		v, exist := os.LookupEnv(envVar.name)