Merge pull request #22 from testifysec/feat/customer-bucket-names

colek42 · web-flow · commit 7ee9f7d3fd23 · 2025-10-31T04:56:57.000-05:00
feat(helm): add customer-configurable S3 bucket names
diff --git a/charts/judge/README.md b/charts/judge/README.md
@@ -234,6 +234,41 @@ judge-api:
 
 **IMPORTANT**: You must create these IAM roles with appropriate S3, SNS, and SQS permissions. See [examples/terraform/aws/complete/](../../examples/terraform/aws/complete/) for complete infrastructure setup with Terraform.
 
+#### Custom S3 Bucket Names
+
+If you need to use existing S3 buckets or prefer custom bucket names instead of the default `{prefix}-{service}` pattern, you can override them using `global.buckets`:
+
+```yaml
+global:
+  aws:
+    prefix: "demo-judge"  # Still used for IAM roles, SNS/SQS
+
+  # Override S3 bucket names (optional)
+  buckets:
+    judgeApi: "my-company-artifacts"       # Instead of demo-judge-judge
+    archivista: "my-company-attestations"  # Instead of demo-judge-archivista
+```
+
+**When to use custom bucket names:**
+- Using existing S3 buckets from prior deployments
+- Corporate naming standards require specific bucket names
+- Sharing buckets across multiple Judge deployments
+- Bucket names must meet specific compliance requirements
+
+**Backward Compatibility:**
+- If `global.buckets.judgeApi` is empty or not defined, defaults to `{prefix}-judge`
+- If `global.buckets.archivista` is empty or not defined, defaults to `{prefix}-archivista`
+
+**Example with mixed naming:**
+```yaml
+global:
+  aws:
+    prefix: "prod-judge"
+  buckets:
+    judgeApi: "corporate-compliance-artifacts-2024"  # Custom name
+    archivista: ""  # Empty = use default: prod-judge-archivista
+```
+
 ### Database Architecture
 
 **CRITICAL REQUIREMENT: Separate Databases Per Service**
diff --git a/charts/judge/templates/_helpers.tpl b/charts/judge/templates/_helpers.tpl
@@ -414,15 +414,24 @@ arn:aws:iam::{{ include "judge.aws.accountId" . }}:role/{{ include "judge.aws.pr
 
 {{/*
 AWS S3 Bucket Helpers
-Constructs: {prefix}-{service}
+Constructs: {prefix}-{service} or uses custom bucket name if provided
+Priority: global.buckets.{service} → {prefix}-{service}
 */}}
 {{- define "judge.aws.s3.judgeApiBucket" -}}
+{{- if and .Values.global.buckets .Values.global.buckets.judgeApi -}}
+{{ .Values.global.buckets.judgeApi }}
+{{- else -}}
 {{ include "judge.aws.prefix" . }}-judge
 {{- end -}}
+{{- end -}}
 
 {{- define "judge.aws.s3.archivistaBucket" -}}
+{{- if and .Values.global.buckets .Values.global.buckets.archivista -}}
+{{ .Values.global.buckets.archivista }}
+{{- else -}}
 {{ include "judge.aws.prefix" . }}-archivista
 {{- end -}}
+{{- end -}}
 
 {{/*
 AWS SNS/SQS Helpers
diff --git a/charts/judge/tests/custom-bucket-names_test.yaml b/charts/judge/tests/custom-bucket-names_test.yaml
@@ -0,0 +1,74 @@
+suite: Custom S3 Bucket Names
+templates:
+  - ../charts/judge-api/templates/deployment.yaml
+  - ../charts/archivista/templates/deployment.yaml
+
+tests:
+  # ============================================================================
+  # JUDGE-API BUCKET OVERRIDE TESTS
+  # ============================================================================
+
+  - it: should use default judge-api bucket name when no override provided
+    template: ../charts/judge-api/templates/deployment.yaml
+    set:
+      global.aws.enabled: true
+      global.aws.prefix: demo-judge
+      global.mode: aws
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].env[?(@.name=="BLOB_STORE_BUCKET_NAME")].value
+          value: demo-judge-judge
+
+  - it: should use custom judge-api bucket name when override provided
+    template: ../charts/judge-api/templates/deployment.yaml
+    set:
+      global.aws.enabled: true
+      global.aws.prefix: demo-judge
+      global.mode: aws
+      global.buckets.judgeApi: my-company-artifacts
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].env[?(@.name=="BLOB_STORE_BUCKET_NAME")].value
+          value: my-company-artifacts
+
+  # ============================================================================
+  # ARCHIVISTA BUCKET OVERRIDE TESTS
+  # ============================================================================
+
+  - it: should use default archivista bucket name when no override provided
+    template: ../charts/archivista/templates/deployment.yaml
+    set:
+      global.aws.enabled: true
+      global.aws.prefix: demo-judge
+      global.mode: aws
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].env[?(@.name=="ARCHIVISTA_BLOB_STORE_BUCKET_NAME")].value
+          value: demo-judge-archivista
+
+  - it: should use custom archivista bucket name when override provided
+    template: ../charts/archivista/templates/deployment.yaml
+    set:
+      global.aws.enabled: true
+      global.aws.prefix: demo-judge
+      global.mode: aws
+      global.buckets.archivista: my-company-attestations
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].env[?(@.name=="ARCHIVISTA_BLOB_STORE_BUCKET_NAME")].value
+          value: my-company-attestations
+
+  # ============================================================================
+  # BACKWARD COMPATIBILITY TEST
+  # ============================================================================
+
+  - it: should work when global.buckets is not defined at all
+    template: ../charts/judge-api/templates/deployment.yaml
+    set:
+      global.aws.enabled: true
+      global.aws.prefix: demo-judge
+      global.mode: aws
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].env[?(@.name=="BLOB_STORE_BUCKET_NAME")].value
+          value: demo-judge-judge
diff --git a/charts/judge/values.yaml b/charts/judge/values.yaml
@@ -209,6 +209,22 @@ global:
         archivista: ""    # Leave empty to use computed name from release
         kratos: ""        # Leave empty to use computed name from release
 
+  # S3 Bucket Name Overrides
+  # Allows customers to specify custom bucket names instead of the default {prefix}-{service} pattern
+  #
+  # Precedence order (highest to lowest):
+  #   1. Custom bucket name (e.g., global.buckets.judgeApi)
+  #   2. Default pattern (e.g., {aws.prefix}-judge)
+  #
+  # Example with custom buckets:
+  #   buckets:
+  #     judgeApi: "my-company-artifacts"
+  #     archivista: "my-company-attestations"
+  #
+  # If empty, uses default pattern: {aws.prefix}-judge and {aws.prefix}-archivista
+  buckets:
+    judgeApi: ""      # Override default: {aws.prefix}-judge
+    archivista: ""    # Override default: {aws.prefix}-archivista
     # Manual secret configuration (when provider is not "vault")
     manual:
       judgeApi:
