
Docker Registry

Nexus hosts all CWIQ Docker images across two ports: port 8443 for pushing images from CI/CD builds, and port 8444 for pulling images during deployments and base image resolution.


Push vs Pull Ports

The Docker registry is split across two ports by design:

| Operation | Registry URL | Port | Repository Type | What It Contains |
|---|---|---|---|---|
| Push (CI builds) | nexus.shared.cwiq.io:8443 | 8443 | Hosted | CWIQ images only |
| Pull (deployments, base images) | nexus.shared.cwiq.io:8444 | 8444 | Group | CWIQ images + Docker Hub proxy cache |

The hosted repo on port 8443 accepts only CWIQ-produced images. The group repo on port 8444 layers that hosted repo on top of a Docker Hub proxy cache. This means pipelines can pull both orchestrator-server:latest and python:3.12-slim through port 8444 without any direct internet access.

Always use port 8444 for pulls

If you pull from port 8443, you will only find CWIQ images. Upstream base images (Python, Node, Alpine, Aquasec Trivy, etc.) are only available through port 8444 via the Docker Hub proxy cache.


Full Image Reference

```text
# Push (CI/CD only)
nexus.shared.cwiq.io:8443/orchestrator-server:main-a1b2c3d

# Pull (deployments and base images)
nexus.shared.cwiq.io:8444/orchestrator-server:main-a1b2c3d
nexus.shared.cwiq.io:8444/python:3.12-slim
nexus.shared.cwiq.io:8444/node:20-alpine
nexus.shared.cwiq.io:8444/alpine:latest
```

Tag Strategy

| Trigger | Tags Applied | Example |
|---|---|---|
| Push to main | main-{short-sha}, latest | orchestrator-server:main-a1b2c3d, orchestrator-server:latest |
| Push to feature branch | branch-{slug}-{short-sha} | orchestrator-server:branch-feature-search-a1b2c3d |
| Push to version tag (v*) | {version}, stable | orchestrator-server:1.0.0, orchestrator-server:stable |

The build.env artifact produced by the build job contains IMAGE_TAG=main-{short-sha}. All downstream jobs (push, trivy-image-scan, deploy-dev) read this file so that they reference exactly the image that was built and scanned, rather than whatever latest or stable happens to point at by the time they run. latest and stable are moving tags that are overwritten on every qualifying push; the main-{short-sha}, branch-{slug}-{short-sha} and {version} tags are the immutable ones and are what deployments should pin to.
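As an added illustration of the tag strategy and the build.env hand-off (this is example code, not the shared CI template or the project's own .build-push job), the script below derives the tags from GitLab's predefined variables, writes the dotenv artifact with the immutable tag, and turns every tag into a Kaniko --destination flag on the push registry. Assumptions labelled in the code: CI_COMMIT_REF_SLUG supplies the branch slug, a version tag v1.0.0 is published as 1.0.0 (matching the table's example), and the function names are ours.

```shell
#!/bin/sh
# Added example, not the shared CI template. Derives the image tags from the
# Tag Strategy table, writes build.env, and builds Kaniko --destination flags.
# Assumptions: CI_COMMIT_REF_SLUG is the branch slug, a "v1.0.0" git tag is
# published as "1.0.0", and all function names below are illustrative.

PUSH_REGISTRY="${NEXUS_REGISTRY:-nexus.shared.cwiq.io:8443}"

# compute_tags BRANCH GIT_TAG SHORT_SHA REF_SLUG
# Prints the tags to apply, immutable tag first, separated by spaces.
# On a tag pipeline GitLab leaves CI_COMMIT_BRANCH empty, so the git tag
# is checked first.
compute_tags() {
  branch="$1"; git_tag="$2"; sha="$3"; slug="$4"
  case "$git_tag" in
    v*) printf '%s stable\n' "${git_tag#v}"; return 0 ;;
  esac
  if [ "$branch" = "main" ]; then
    printf 'main-%s latest\n' "$sha"
    return 0
  fi
  printf 'branch-%s-%s\n' "$slug" "$sha"
}

# primary_tag prints only the immutable tag. That is what build.env carries,
# so push, trivy-image-scan and deploy-dev all reference the same image.
primary_tag() {
  compute_tags "$@" | cut -d' ' -f1
}

# kaniko_destinations IMAGE_NAME BRANCH GIT_TAG SHORT_SHA REF_SLUG
# Prints one --destination flag per tag, every one on the push registry.
# Base images in the Dockerfile's FROM lines still come from port 8444.
kaniko_destinations() {
  image="$1"; shift
  out=""
  for t in $(compute_tags "$@"); do
    out="$out --destination $PUSH_REGISTRY/$image:$t"
  done
  printf '%s\n' "${out# }"
}

# write_build_env BRANCH GIT_TAG SHORT_SHA REF_SLUG
# Writes the dotenv artifact that downstream jobs read.
write_build_env() {
  printf 'IMAGE_TAG=%s\n' "$(primary_tag "$@")" > build.env
}

# Inside a GitLab job the predefined variables are set; run locally, nothing
# is written. CI_COMMIT_BRANCH and CI_COMMIT_TAG are never both set.
if [ -n "${CI_COMMIT_SHORT_SHA:-}" ]; then
  write_build_env "${CI_COMMIT_BRANCH:-}" "${CI_COMMIT_TAG:-}" \
    "$CI_COMMIT_SHORT_SHA" "${CI_COMMIT_REF_SLUG:-}"
  kaniko_destinations "${NEXUS_IMAGE_NAME:-}" "${CI_COMMIT_BRANCH:-}" \
    "${CI_COMMIT_TAG:-}" "$CI_COMMIT_SHORT_SHA" "${CI_COMMIT_REF_SLUG:-}"
fi
```

In a job the output of kaniko_destinations is passed straight to /kaniko/executor; because every tag is written in the same executor run, latest and main-{short-sha} always refer to the same digest at push time.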


Base Images in CI/CD

All CI/CD job images pull through port 8444 so that the pipeline has no direct internet dependency. Images that live outside Docker Hub keep their upstream host in the path after the registry prefix, as the Kaniko image below shows:

```yaml
# Python services
image: nexus.shared.cwiq.io:8444/python:3.12-slim

# Node.js / frontend
image: nexus.shared.cwiq.io:8444/node:20-alpine

# Utility jobs (curl, jq, etc.)
image: nexus.shared.cwiq.io:8444/alpine:latest

# Trivy scanner
image: nexus.shared.cwiq.io:8444/aquasec/trivy:0.69.3

# Kaniko (Docker builds in Kubernetes)
image:
  name: nexus.shared.cwiq.io:8444/gcr.io/kaniko-project/executor:v1.23.2-debug
  entrypoint: [""]
```

CI/CD Variables

These variables are defined in the shared CI templates and do not need to be repeated in individual project pipelines:

| Variable | Value | Used For |
|---|---|---|
| NEXUS_REGISTRY | nexus.shared.cwiq.io:8443 | Docker push (build jobs) |
| NEXUS_REGISTRY_PULL | nexus.shared.cwiq.io:8444 | Docker pull (deploy jobs, base images) |
| NEXUS_IMAGE_NAME | orchestrator-$CI_PROJECT_NAME | Image name derived from project name |
| NEXUS_IMAGE | $NEXUS_REGISTRY/$NEXUS_IMAGE_NAME | Full push path |

A typical build job uses these as:

```yaml
build-push:
  extends: .build-push
  variables:
    IMAGE_NAME: orchestrator-$CI_PROJECT_NAME
```

Authentication

In CI/CD Pipelines

CI/CD jobs authenticate to Nexus via Vault, so no registry password is stored as a CI/CD variable. The pipeline:

  1. Authenticates to Vault using GitLab's job JWT (OIDC)
  2. Retrieves Nexus credentials from secret/nexus/svc-orchestrator
  3. Runs docker login nexus.shared.cwiq.io:8443 and docker login nexus.shared.cwiq.io:8444

This happens transparently inside the shared CI templates. Individual project pipelines do not need to handle Nexus authentication directly.

See Vault JWT Auth for the full authentication pattern.

For Local Development

Log in to both registries separately. Docker keys stored credentials by host and port, so a login to port 8443 does not cover port 8444:

```sh
# Log in to push registry (for manually pushing images)
docker login nexus.shared.cwiq.io:8443

# Log in to pull registry (for pulling CWIQ images or cached upstream images)
docker login nexus.shared.cwiq.io:8444
```

Use your Authentik SSO credentials

For the Nexus Web UI and for local Docker logins, authenticate with your Authentik SSO username and password. Service accounts (for CI/CD) are separate and managed through Vault.


Pulling a CWIQ Image Locally

```sh
# Pull the latest server image
docker pull nexus.shared.cwiq.io:8444/orchestrator-server:latest

# Pull a specific build
docker pull nexus.shared.cwiq.io:8444/orchestrator-server:main-a1b2c3d

# Run locally
docker run --rm nexus.shared.cwiq.io:8444/orchestrator-server:latest
```