Nexus Artifact Repository
Centralized artifact repository for all CWIQ build artifacts: Docker images, RPM packages, Python packages, npm packages, and raw binaries.
Web UI & REST API: nexus.shared.cwiq.io
All artifacts produced by CWIQ CI/CD pipelines flow through Nexus. Developers and pipelines never pull directly from the public internet — every upstream registry (Docker Hub, PyPI.org, npmjs.org) is proxied through Nexus, so builds are faster, reproducible, and isolated from upstream outages.
Port Architecture
Nexus exposes three ports, each serving a distinct purpose:
```mermaid
flowchart TD
    subgraph "nexus.shared.cwiq.io"
        P443["Port 443 (HTTPS)\nWeb UI + REST API\nRPM + PyPI + npm + Raw"]
        P8443["Port 8443 (HTTPS)\nDocker Push\n(hosted repo)"]
        P8444["Port 8444 (HTTPS)\nDocker Pull\n(group repo + Docker Hub cache)"]
    end
    CI[CI/CD Builds] -->|push images| P8443
    DEPLOY[Deployments] -->|pull images| P8444
    CI -->|push RPM / PyPI| P443
    DEV[Developers] -->|browse UI| P443
```
| Port | Protocol | Purpose |
|---|---|---|
| 443 | HTTPS | Web UI, REST API, RPM uploads/installs, PyPI publish/install, npm publish/install, raw uploads/downloads |
| 8443 | HTTPS | Docker image push (hosted repo — CWIQ images only) |
| 8444 | HTTPS | Docker image pull (group repo — CWIQ images + Docker Hub proxy cache) |
The split between 8443 and 8444 is intentional. Port 8443 is the hosted repo that only accepts CWIQ images. Port 8444 is the group repo that layers the hosted repo on top of a Docker Hub proxy cache, so CI jobs can pull both orchestrator-server:latest and python:3.12-slim through a single authenticated endpoint.
Repository Types
Nexus uses three repository types:
| Type | Direction | Description |
|---|---|---|
| Hosted | Inbound (we push) | Stores artifacts we produce: CWIQ Docker images, RPM packages, PyPI wheels, raw binaries |
| Proxy | Outbound (cache) | Transparent cache of upstream registries: Docker Hub, PyPI.org, npmjs.org |
| Group | Inbound (we pull) | Combines hosted + proxy behind a single URL. Pull from here to get our artifacts or any cached upstream artifact |
When a developer or pipeline pulls from a group repository and the artifact is not yet cached, Nexus fetches it from the upstream registry and stores it locally. Subsequent pulls are served from cache.
Image Naming Convention
All CWIQ Docker images follow the orchestrator-{project} naming pattern:
| Project | Image Name |
|---|---|
| server | orchestrator-server |
| ui | orchestrator-ui |
| agent | orchestrator-agent |
| mcp (agent-runner) | orchestrator-mcp |
| cli | orchestrator-cli |
| runner-api | orchestrator-runner-api |
| audit-consumer | orchestrator-audit-consumer |
| audit-api | orchestrator-audit-api |
| ai-catalogue-api | orchestrator-ai-catalogue-api |
| monitoring-api | orchestrator-monitoring-api |
| notification-api | orchestrator-notification-api |
| iam-api | orchestrator-iam-api |
| notification-worker | orchestrator-notification-worker |
| monitoring-worker | orchestrator-monitoring-worker |
| runner-worker | orchestrator-runner-worker |
| executor | orchestrator-executor |
Do not prefix image names with cwiq-
Only OS-level identifiers (Linux users, groups, systemd slices, directories such as /etc/cwiq/) use the cwiq- prefix. Application-level names — Nexus repositories, Docker images, Python packages — use orchestrator- as the prefix.
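The port split and the naming convention above can be enforced as a CI lint over image references. The following is an added example, not part of the CWIQ tooling; it assumes images are addressed as nexus.shared.cwiq.io:PORT/name, and the function names and sample references are constructed for illustration.

```python
REGISTRY = "nexus.shared.cwiq.io"
PORTS = {"push": "8443", "pull": "8444"}  # hosted repo / group repo, per the port table
PREFIX = "orchestrator-"
PROJECTS = {  # project names from the naming table on this page
    "server", "ui", "agent", "mcp", "cli", "runner-api", "audit-consumer",
    "audit-api", "ai-catalogue-api", "monitoring-api", "notification-api",
    "iam-api", "notification-worker", "monitoring-worker", "runner-worker",
    "executor",
}

def split_ref(ref):
    """Split an image reference into (host, port, repository), dropping tag/digest."""
    name = ref.split("@", 1)[0]
    first, slash, rest = name.partition("/")
    host = port = ""  # empty host: the client would default to Docker Hub
    if slash and ("." in first or ":" in first or first == "localhost"):
        host, _, port = first.partition(":")
        name = rest
    if ":" in name.rsplit("/", 1)[-1]:  # strip the tag from the last component
        name = name.rsplit(":", 1)[0]
    return host, port, name

def check(ref, action):
    """Return policy violations for one reference; action is 'push' or 'pull'."""
    host, port, repo = split_ref(ref)
    leaf = repo.rsplit("/", 1)[-1]
    problems = []
    if host != REGISTRY:
        problems.append(f"bypasses Nexus: registry is {host or 'implicit Docker Hub'}")
    elif port != PORTS[action]:
        problems.append(f"{action} must use port {PORTS[action]}, not {port or '443'}")
    if leaf.startswith("cwiq-"):
        problems.append("cwiq- prefix is reserved for OS-level identifiers")
    elif action == "push" and not (
        leaf.startswith(PREFIX) and leaf[len(PREFIX):] in PROJECTS
    ):
        problems.append("hosted repo accepts only orchestrator-{project} images")
    return problems

# Constructed sample references, as they might appear in a pipeline definition.
SAMPLES = [
    ("nexus.shared.cwiq.io:8443/orchestrator-server:latest", "push"),
    ("nexus.shared.cwiq.io:8444/python:3.12-slim", "pull"),
    ("python:3.12-slim", "pull"),
    ("nexus.shared.cwiq.io:8443/cwiq-server:latest", "push"),
]
if __name__ == "__main__":
    for ref, action in SAMPLES:
        print(action, ref, check(ref, action) or "ok")
```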
Artifact Types at a Glance
| Artifact Type | Format | Repository Path | Primary Consumer |
|---|---|---|---|
| Docker images | OCI | Port 8443/8444 | All services (CI builds + deployments) |
| Python packages | Wheel | pypi-hosted / pypi-group | Platform services via pip |
| RPM packages | RPM | yum-hosted-dev / yum-group-{env} | Executor CLI on RHEL 9 hosts |
| Raw binaries | Any | raw-hosted-dev | Executor standalone binaries |
| npm packages | tarball | npm-hosted / npm-group | UI dependencies |
Related Documentation
- Docker Registry — Push/pull ports, tag strategy, base image pulls, local login
- PyPI & npm — Python package publish/install, npm repository URLs
- RPM & Raw Artifacts — Executor RPM packaging, raw binary uploads
- Service Accounts — Vault-backed credentials for CI/CD and deployments