# Nexus Artifact Repository — Overview
Nexus Repository Manager hosts all CWIQ artifacts: Docker images, RPM packages, Python packages, raw binaries, and npm packages.
## Environments

| Environment | Hostname | Purpose | Auth |
|---|---|---|---|
| Shared | nexus.shared.cwiq.io | Production artifacts, CI/CD push target | Authentik SSO (browser) + Vault JWT (CI/CD) |
| Dev | nexus.dev.cwiq.io | Development/testing, local npm/PyPI proxies | Basic auth only |
CI/CD pipelines always push to Shared. Dev Nexus is for local development and testing only.
## Port Architecture
Nexus runs behind an Nginx reverse proxy that terminates SSL. Three external ports map to three internal Nexus connectors.
| External Port | Protocol | Purpose | What Connects Here |
|---|---|---|---|
| 443 | HTTPS | Web UI, REST API, RPM, PyPI, Raw, Maven, npm | Browsers, twine, pip, yum, curl |
| 8443 | HTTPS | Docker push — hosted registry | docker push, CI/CD Kaniko builds |
| 8444 | HTTPS | Docker pull — group registry (includes Docker Hub proxy cache) | docker pull, deployments, K8s |
| 80 | HTTP | Redirect to 443 + /health passthrough | Health checks |
**Port confusion is the most common Nexus mistake.** Use 8443 to push and 8444 to pull. They are not interchangeable. Non-Docker artifacts always use port 443 — never 8443 or 8444.
## Repository Types
| Type | Description | Mutable |
|---|---|---|
| Hosted | We own and write to it | Depends on write policy |
| Proxy | Cache of an upstream (Docker Hub, pypi.org, epel) | Read-only |
| Group | Combines hosted + proxy repos into one endpoint | Read-only |
## Promotion Model
Artifacts flow through three environments with increasing immutability:
| Environment | Write Policy | Use |
|---|---|---|
| dev | ALLOW (mutable, overwritable) | Every CI build pushes here |
| uat | ALLOW_ONCE (immutable after first write) | Promoted from dev for UAT |
| prod | ALLOW_ONCE (immutable after first write) | Promoted from uat for production |
## Health Check
```bash
# Nexus health via HTTP (bypasses the HTTPS redirect; port 80 passes /health through)
curl -f http://nexus.shared.cwiq.io:80/health

# Full status via HTTPS
# -k skips TLS certificate verification; drop it once the Nginx certificate chain is trusted by the caller
curl -sk https://nexus.shared.cwiq.io/service/rest/v1/status
```
## Quick Reference: Which URL for What?
| Task | URL |
|---|---|
| Push a Docker image | nexus.shared.cwiq.io:8443 |
| Pull a Docker image | nexus.shared.cwiq.io:8444 |
| Pull a Docker Hub image (cached) | nexus.shared.cwiq.io:8444/library/{image}:{tag} |
| Upload an RPM | https://nexus.shared.cwiq.io/repository/yum-hosted-dev/ |
| Install an RPM | https://nexus.shared.cwiq.io/repository/yum-group-{env}/ |
| Publish a Python package | https://nexus.shared.cwiq.io/repository/pypi-hosted/ |
| Install a Python package | https://nexus.shared.cwiq.io/repository/pypi-group/simple/ |
| Upload a raw binary | https://nexus.shared.cwiq.io/repository/raw-hosted-dev/ |
| Access Web UI | https://nexus.shared.cwiq.io |
## Common Pitfalls
| Mistake | Correct Approach |
|---|---|
| Pulling Docker images from port 8443 | Use 8444 for pull |
| Pushing Docker images to port 8444 | Use 8443 for push |
| Using 8443/8444 for RPM or PyPI | Non-Docker always uses port 443 |
| Using cwiq- prefix on image names | Image names are orchestrator/{project} |
| Using nexus.dev.cwiq.io for CI builds | CI pushes to nexus.shared.cwiq.io |
| Hardcoding Nexus credentials in CI | Always use Vault JWT auth (role: nexus-ci) |
| Pulling base images from Docker Hub directly | Pull through nexus.shared.cwiq.io:8444 |
## Nexus API Quirks

**Nexus 3.75+ returns HTTP 500 (not 400) for duplicate users.** If automating user creation via the API, treat a 500 as a potential "already exists" condition: verify whether the user is present before retrying, rather than retrying the POST blindly or treating the 500 as a generic failure.

**The PUT user API requires the `"source": "default"` field.** Omitting this field causes silent failures when updating local users: the request is accepted but the change is not applied.
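The two quirks above, combined into one idempotent create-or-update routine, as an added example that is not part of this page or of the Nexus project. The endpoint paths and field names follow the Nexus REST API (`/service/rest/v1/security/users`); the `http` transport is an assumed interface (`get`/`post`/`put` returning `(status, body)`), and `FakeNexus` is a constructed in-memory stand-in that reproduces both quirks so the routine can be exercised offline.

```python
USERS = "/service/rest/v1/security/users"
PUT_FIELDS = ("userId", "firstName", "lastName", "emailAddress", "status", "roles", "source")

def _norm(u):
    """Project a user record onto the fields PUT controls; role order is irrelevant."""
    return {k: (sorted(v) if k == "roles" else v) for k, v in u.items() if k in PUT_FIELDS}

def ensure_user(http, user):
    """Idempotently create or update a local Nexus user.
    `http` exposes get/post/put(path, json=..., params=...) -> (status, body)  (assumed interface).
    Returns "created", "updated" or "unchanged"; raises on anything unexpected."""
    status, body = http.post(USERS, json=user)
    if status in (200, 201):
        return "created"
    if status != 500:  # 400/403 etc. are real errors, not the duplicate quirk
        raise RuntimeError(f"POST {USERS} -> {status}: {body}")
    # Nexus 3.75+ answers 500 for a duplicate userId: verify, never retry the POST blindly
    status, found = http.get(USERS, params={"userId": user["userId"]})
    match = [u for u in found if u["userId"] == user["userId"]] if status == 200 else []
    if not match:
        raise RuntimeError("POST returned 500 but the user does not exist; investigate")
    desired = _norm({**user, "source": "default"})  # PUT silently no-ops without source
    if _norm(match[0]) == desired:
        return "unchanged"
    status, body = http.put(f"{USERS}/{user['userId']}", json=desired)
    if status not in (200, 204):
        raise RuntimeError(f"PUT -> {status}: {body}")
    return "updated"

class FakeNexus:
    """In-memory stand-in (constructed for this example) that reproduces both quirks."""
    def __init__(self):
        self.users, self.calls = {}, []
    def post(self, path, json=None, params=None):
        self.calls.append(("POST", path))
        if json["userId"] in self.users:
            return 500, {"message": "Internal Server Error"}  # duplicate -> 500, not 400/409
        self.users[json["userId"]] = {**json, "source": "default"}
        return 200, self.users[json["userId"]]
    def get(self, path, json=None, params=None):
        self.calls.append(("GET", path))
        uid = (params or {}).get("userId")
        return 200, [u for u in self.users.values() if uid in (None, u["userId"])]
    def put(self, path, json=None, params=None):
        self.calls.append(("PUT", path))
        if json.get("source") != "default":
            return 200, {}  # accepted but nothing changes: the silent failure
        self.users[json["userId"]].update(json)
        return 200, {}
```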
## Related Documentation
- Docker Registry — Image push/pull, tag strategy
- RPM and Raw — RPM packages and raw binary uploads
- PyPI and npm — Python and JavaScript packages
- Service Accounts — CI/CD authentication
- Backup and Restore — EBS snapshot strategy