Nexus Docker Registry¶
Push Docker images to port 8443 and pull them from port 8444. All images follow the
orchestrator/{project} naming pattern.
Registry Endpoints¶
| Operation | Registry | CI Variable |
|---|---|---|
| Push (CI builds write here) | nexus.shared.cwiq.io:8443 | NEXUS_REGISTRY |
| Pull (deployments read here) | nexus.shared.cwiq.io:8444 | NEXUS_REGISTRY_PULL |
Port 8444 is the group repository. It resolves a pull by searching its members in the order prod → uat → dev → docker-proxy-dockerhub, and the first repository holding the image wins. A Docker Hub image pulled through port 8444 therefore comes from the proxy cache and does not count against Docker Hub rate limits. The same order means the hosted repositories shadow the proxy: an image pushed to dev under a Docker Hub name (for example library/python) would be served to every consumer of port 8444 in place of the upstream image, so keep hosted images under the orchestrator/ namespace.
Image Naming¶
Never use a cwiq- prefix on Docker image names
The correct format is orchestrator/{project}, not cwiq-{project}.
```text
# Push path (full):
nexus.shared.cwiq.io:8443/orchestrator/server:main-a1b2c3d
# Pull path (full):
nexus.shared.cwiq.io:8444/orchestrator/server:latest
```
All Docker Images¶
| Service | Image Name | GitLab ID |
|---|---|---|
| server | orchestrator/server | 5 |
| ui | orchestrator/ui | 4 |
| agent | orchestrator/agent | 6 |
| agent-runner (mcp) | orchestrator/mcp | 8 |
| runner-api | orchestrator/runner-service | 22 |
| audit-consumer | orchestrator/audit-consumer | 23 |
| audit-api | orchestrator/audit-service | 24 |
| ai-catalogue-api | orchestrator/ai-catalogue-service | 25 |
| monitoring-api | orchestrator/monitoring-service | 26 |
| notification-api | orchestrator/notification-service | 27 |
| iam-api | orchestrator/iam-service | 28 |
| notification-worker | orchestrator/notification-worker | 31 |
| monitoring-worker | orchestrator/monitoring-worker | 32 |
| runner-worker | orchestrator/runner-worker | 33 |
Tag Strategy¶
| Trigger | Tags Applied |
|---|---|
| Push to main | main-{short-sha}, latest |
| Push to feature branch | branch-{slug}-{short-sha} |
| Push to version tag (v*) | {version}, stable |
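The Image Naming rule and the Tag Strategy table above can be enforced in the job itself rather than trusted to convention. The following is an added example, not the project's own CI template code: it derives the image name from the project name (refusing a cwiq- prefix), selects tags by trigger, and emits the full push references and the matching Kaniko --destination flags. It assumes that {version} is the git tag with its leading "v" removed, that NEXUS_REGISTRY_PUSH defaults to the push endpoint on this page, and it takes its inputs from GitLab's predefined CI_COMMIT_BRANCH, CI_COMMIT_SHORT_SHA, CI_COMMIT_TAG and CI_COMMIT_REF_SLUG variables; the values in the usage comment are constructed.

```shell
#!/usr/bin/env bash
# Added example, not the project's own CI template code. Builds the references a
# service pipeline should push, applying the Image Naming rule (orchestrator/{project},
# never cwiq-{project}) and the Tag Strategy table. Assumptions: {version} is the git
# tag with its leading "v" removed, and NEXUS_REGISTRY_PUSH defaults to the push
# endpoint from this page.
set -eu

NEXUS_REGISTRY_PUSH="${NEXUS_REGISTRY_PUSH:-nexus.shared.cwiq.io:8443}"

# image_name <project>: print orchestrator/<project>. A cwiq- prefix or any character
# outside [a-z0-9._-] is rejected so a bad CI_PROJECT_NAME fails the job instead of
# creating a stray repository in Nexus.
image_name() {
    local project="$1"
    case "$project" in
        cwiq-*) echo "refusing cwiq- prefix: use orchestrator/${project#cwiq-}" >&2; return 1 ;;
        ""|*[!a-z0-9._-]*) echo "invalid project name: '$project'" >&2; return 1 ;;
    esac
    printf 'orchestrator/%s\n' "$project"
}

# image_tags <branch> <short-sha> <git-tag> <ref-slug>: one tag per line.
# <git-tag> is empty unless the pipeline runs for a tag (GitLab's CI_COMMIT_TAG).
image_tags() {
    local branch="$1" sha="$2" gittag="$3" slug="$4"
    if [ -n "$gittag" ]; then
        case "$gittag" in
            v*) printf '%s\nstable\n' "${gittag#v}" ;;
            *)  echo "tag '$gittag' does not match v*: nothing to publish" >&2; return 1 ;;
        esac
    elif [ "$branch" = main ]; then
        printf 'main-%s\nlatest\n' "$sha"
    else
        printf 'branch-%s-%s\n' "$slug" "$sha"
    fi
}

# push_refs <project> <branch> <short-sha> <git-tag> <ref-slug>: full push references,
# one per line, e.g. nexus.shared.cwiq.io:8443/orchestrator/server:main-a1b2c3d
push_refs() {
    local name tags tag
    name="$(image_name "$1")" || return 1
    tags="$(image_tags "$2" "$3" "$4" "$5")" || return 1
    printf '%s\n' "$tags" | while IFS= read -r tag; do
        printf '%s/%s:%s\n' "$NEXUS_REGISTRY_PUSH" "$name" "$tag"
    done
}

# kaniko_destinations <same args>: the same references as repeated --destination
# flags, ready to append to a /kaniko/executor command line.
kaniko_destinations() {
    push_refs "$@" | sed 's/^/--destination=/' | paste -sd ' ' -
}

# Usage inside a job, with constructed fallbacks standing in for GitLab's variables:
#   push_refs "$CI_PROJECT_NAME" "${CI_COMMIT_BRANCH:-}" "$CI_COMMIT_SHORT_SHA" \
#             "${CI_COMMIT_TAG:-}" "$CI_COMMIT_REF_SLUG"
```

Because image_name and image_tags return non-zero on bad input, a job that uses them under `set -e` stops before Kaniko runs, which is the behaviour you want when a project is misnamed or tagged outside the v* scheme.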
CI/CD Variables¶
All platform services inherit these from ci-templates/.gitlab-ci-common.yml:
| Variable | Value |
|---|---|
| NEXUS_REGISTRY | nexus.shared.cwiq.io:8443 |
| NEXUS_REGISTRY_PULL | nexus.shared.cwiq.io:8444 |
| NEXUS_IMAGE_NAME | orchestrator-$CI_PROJECT_NAME |
| NEXUS_IMAGE | $NEXUS_REGISTRY/$NEXUS_IMAGE_NAME |
Per-project pipelines (Kaniko builds) also define:
```yaml
variables:
  NEXUS_HOST: nexus.shared.cwiq.io
  NEXUS_REGISTRY_PUSH: ${NEXUS_HOST}:8443
  NEXUS_REGISTRY_PULL: ${NEXUS_HOST}:8444
  IMAGE_NAME: orchestrator/server   # example
```
Pulling Docker Hub Images Through Cache¶
To avoid Docker Hub rate limits, pull all base and tool images through the Nexus proxy:
```yaml
# In .gitlab-ci.yml: use the Nexus pull endpoint, not Docker Hub directly
image: nexus.shared.cwiq.io:8444/library/python:3.12-slim
```

```bash
# From a workstation
docker pull nexus.shared.cwiq.io:8444/library/python:3.12-slim
docker pull nexus.shared.cwiq.io:8444/library/node:20-alpine
```
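Rewriting references by hand is where the library/ namespace gets forgotten. The following is an added example, not code from the page or the project: a shell function that turns any Docker Hub reference into its port 8444 form, plus a filter that applies it to the FROM lines of a Dockerfile. It assumes NEXUS_REGISTRY_PULL defaults to the pull endpoint on this page and relies on the fact that Docker Hub serves official images under library/ (python:3.12-slim is docker.io/library/python:3.12-slim). References to registries other than Docker Hub are rejected rather than rewritten, because the 8444 group only proxies Docker Hub.

```shell
#!/usr/bin/env bash
# Added example, not code from the page or the project. Rewrites Docker Hub image
# references so they are pulled through the Nexus proxy on port 8444, and applies
# that to the FROM lines of a Dockerfile. Assumptions: NEXUS_REGISTRY_PULL defaults
# to the pull endpoint from this page; official Docker Hub images live under the
# library/ namespace.
set -eu

NEXUS_REGISTRY_PULL="${NEXUS_REGISTRY_PULL:-nexus.shared.cwiq.io:8444}"

# nexus_ref <reference>: print <reference> rewritten to the Nexus pull endpoint.
# Accepts bare (python:3.12-slim), namespaced (bitnami/postgresql:16), docker.io/
# and index.docker.io/ forms and digest pins (@sha256:...). A reference already on
# the Nexus endpoint is returned unchanged, so the rewrite is safe to re-run. A
# reference to any other registry is an error: routing it through the Docker Hub
# proxy would fetch the wrong image or fail at pull time.
nexus_ref() {
    local ref="$1" first
    case "$ref" in
        "$NEXUS_REGISTRY_PULL"/*) printf '%s\n' "$ref"; return 0 ;;
        docker.io/*)              ref="${ref#docker.io/}" ;;
        index.docker.io/*)        ref="${ref#index.docker.io/}" ;;
    esac
    first="${ref%%/*}"
    if [ "$first" = "$ref" ]; then
        # no namespace: an official image, which Docker Hub serves under library/
        ref="library/$ref"
    else
        # a first component with a dot, a colon or "localhost" is a registry host
        case "$first" in
            *.*|*:*|localhost) echo "not a Docker Hub reference: $1" >&2; return 1 ;;
        esac
    fi
    printf '%s/%s\n' "$NEXUS_REGISTRY_PULL" "$ref"
}

# rewrite_dockerfile: copy a Dockerfile from stdin to stdout with every FROM image
# rewritten through nexus_ref. --platform flags and "AS <stage>" names are kept, and
# "FROM <stage>" lines that refer to an earlier build stage are left alone.
rewrite_dockerfile() {
    local line word out prev seen_image stages
    stages=" "
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            FROM\ *|from\ *) ;;
            *) printf '%s\n' "$line"; continue ;;
        esac
        out="" prev="" seen_image=""
        set -- $line
        for word in "$@"; do
            if [ -n "$seen_image" ]; then
                out="$out $word"
                case "$prev" in AS|as) stages="$stages$word " ;; esac
            elif [ "$word" = FROM ] || [ "$word" = from ] || [ "${word#--}" != "$word" ]; then
                out="${out:+$out }$word"
            else
                seen_image=1
                case "$stages" in
                    *" $word "*) out="$out $word" ;;                # earlier build stage
                    *)           out="$out $(nexus_ref "$word")" ;; # real image
                esac
            fi
            prev="$word"
        done
        printf '%s\n' "$out"
    done
}

# Usage: rewrite_dockerfile < Dockerfile > Dockerfile.nexus
```

Running the filter under `set -e` means a Dockerfile that pulls from ghcr.io or quay.io stops the job with the offending reference on stderr instead of producing an image line that will only fail later at pull time.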
Authentication¶
Docker login uses credentials fetched from Vault. Feed the password on stdin rather than with -p, so it does not appear in the job log, the shell history or the process list of the runner:

```bash
# In CI pipeline (after Vault JWT auth):
printf '%s' "${NEXUS_PASSWORD}" | docker login nexus.shared.cwiq.io:8443 \
  -u "${NEXUS_USER}" --password-stdin
printf '%s' "${NEXUS_PASSWORD}" | docker login nexus.shared.cwiq.io:8444 \
  -u "${NEXUS_USER}" --password-stdin
```
See Service Accounts for the Vault auth flow.
Repository Matrix¶
Shared Environment (nexus.shared.cwiq.io)¶
| Repository | Type | Port | Write Policy |
|---|---|---|---|
| docker-hosted-dev | Hosted | 8443 | ALLOW (mutable) |
| docker-hosted-uat | Hosted | — | ALLOW_ONCE |
| docker-hosted-prod | Hosted | — | ALLOW_ONCE |
| docker-proxy-dockerhub | Proxy | — | Cache only |
| docker-group | Group | 8444 | Read-only |

ALLOW_ONCE is Nexus's "disable redeploy" policy: a tag pushed to uat or prod cannot be overwritten, so a second push of the same tag is rejected and a promoted tag always refers to the image it was first published with.
Dev Environment (nexus.dev.cwiq.io)¶
| Repository | Type | Port |
|---|---|---|
| docker-hosted | Hosted | 8443 |
| docker-proxy | Proxy | — |
| docker-group | Group | 8444 |
Image Promotion¶
To promote a dev image to UAT (using skopeo):
```bash
# Requires a prior skopeo login to the endpoint (or --src-creds/--dest-creds).
skopeo copy \
  docker://nexus.shared.cwiq.io:8443/orchestrator/server:1.0.0 \
  docker://nexus.shared.cwiq.io:8443/orchestrator/server:1.0.0-uat
```
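A tag-to-tag copy promotes whatever the source tag points at when skopeo reads it. The following is an added example, not the project's own promotion script: it resolves the source tag to its manifest digest first, copies by that digest, and then checks that the destination tag reports the same digest, so the promotion either provably moved the intended image or fails. It assumes skopeo is on PATH, both endpoints are already logged in (skopeo login, or --src-creds/--dest-creds), and NEXUS_REGISTRY_PUSH defaults to the push endpoint on this page; the "-uat" suffix follows the command above.

```shell
#!/usr/bin/env bash
# Added example, not the project's own promotion script. Promotes <image>:<version>
# to <image>:<version>-uat as the page's skopeo command does, but pins the source to
# its manifest digest and verifies the destination afterwards. Assumes skopeo on PATH
# and an existing login to the endpoint.
set -eu

NEXUS_REGISTRY_PUSH="${NEXUS_REGISTRY_PUSH:-nexus.shared.cwiq.io:8443}"

# image_digest <ref>: manifest digest of a reference (for a multi-arch image this is
# the digest of the manifest list), e.g. sha256:3b0c...
image_digest() {
    skopeo inspect --format '{{.Digest}}' "docker://$1"
}

# promote_image <image> <version>: prints the digest now behind <version>-uat, or
# returns 1 (with a message on stderr) if the destination does not match the source.
promote_image() {
    local image="$1" version="$2"
    local repo="${NEXUS_REGISTRY_PUSH}/${image}"
    local src_digest dst_digest
    src_digest="$(image_digest "${repo}:${version}")"
    # Copy by digest so a tag moved between inspect and copy cannot swap in another
    # image; --all keeps every platform manifest so the digest is preserved.
    skopeo copy --all "docker://${repo}@${src_digest}" "docker://${repo}:${version}-uat"
    dst_digest="$(image_digest "${repo}:${version}-uat")"
    if [ "$src_digest" != "$dst_digest" ]; then
        echo "promotion check failed: ${repo}:${version}-uat is ${dst_digest}, expected ${src_digest}" >&2
        return 1
    fi
    printf '%s\n' "$dst_digest"
}

# Usage: promote_image orchestrator/server 1.0.0
```

The printed digest is worth recording next to the deployment: it identifies the exact image that was promoted regardless of where the tag points later.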
Related Documentation¶
- Overview — Port architecture, environment reference
- Service Accounts — Vault JWT authentication flow
- Artifact Naming — Naming conventions