Nexus Artifacts in CI/CD

CI/CD pipelines publish and consume artifacts from Nexus automatically.

Docker Images

Publishing (CI/CD)

Docker images are built using Kaniko and pushed to the Nexus Docker registry:

build:
  stage: build
  image:
    name: gcr.io/kaniko-project/executor:debug
    entrypoint: [""]
  script:
    - /kaniko/executor
      --context .
      --dockerfile Dockerfile
      --destination nexus.shared.cwiq.io:8443/orchestrator/server:$IMAGE_TAG
  tags:
    - medium

Pulling (Local Development)

# Login to Nexus Docker registry
docker login nexus.shared.cwiq.io:8443

# Pull an image
docker pull nexus.shared.cwiq.io:8443/orchestrator/server:latest

Python Packages

Publishing (CI/CD)

Python packages are built and uploaded using twine:

publish-pypi:
  stage: build
  script:
    - pip install build twine
    - python -m build
    # Quote the credentials so a value containing spaces or glob characters is passed intact
    - twine upload --repository-url https://nexus.shared.cwiq.io/repository/pypi-hosted/
      -u "$NEXUS_USERNAME" -p "$NEXUS_PASSWORD" dist/*

Consuming (Local Development)

# Install from Nexus PyPI proxy (includes pypi.org packages)
pip install --index-url https://nexus.shared.cwiq.io/repository/pypi-group/simple/ package-name
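
Added example, not part of the original page: `--index-url` on the command line does not stop a requirements file from naming other sources through its own `--extra-index-url` lines or direct URL requirements, so this shell check reports every URL in a requirements file whose host is not `nexus.shared.cwiq.io`. The function names `url_host` and `check_requirements` are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original page): report every URL in a pip
# requirements file whose host is not the Nexus host.
# NEXUS_HOST is taken from the page; the function names are constructed.
NEXUS_HOST="nexus.shared.cwiq.io"

# url_host URL: print the lower-cased host with scheme, path, userinfo and
# port removed. Stripping userinfo means a URL written as
# https://nexus.shared.cwiq.io@other.example/ is reported as other.example,
# which is the host the request would actually reach.
url_host() {
  printf '%s\n' "$1" |
    sed -e 's|^[A-Za-z][A-Za-z0-9+.-]*://||' -e 's|[/?#].*$||' \
        -e 's|^.*@||' -e 's|:[0-9]*$||' |
    tr '[:upper:]' '[:lower:]'
}

# check_requirements FILE...: print "file:line: url" for each URL that is not
# on NEXUS_HOST. Exit status is 1 if anything was reported, 0 otherwise.
# The body runs in a subshell, so its variables and "set -f" stay local.
check_requirements() (
  set -f    # URLs may contain ? or *; do not glob-expand them
  bad=0
  for file in "$@"; do
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
      n=$((n + 1))
      # pip treats "#" at line start or after whitespace as a comment;
      # "#egg=" / "#sha256=" fragments directly after a URL are kept.
      line=$(printf '%s\n' "$line" |
             sed -e 's|^#.*$||' -e 's|[[:space:]]#.*$||')
      for url in $(printf '%s\n' "$line" |
                   grep -oE '[A-Za-z][A-Za-z0-9+.-]*://[^[:space:]]+'); do
        if [ "$(url_host "$url")" != "$NEXUS_HOST" ]; then
          printf '%s:%s: %s\n' "$file" "$n" "$url"
          bad=1
        fi
      done
    done < "$file"
  done
  exit "$bad"
)
```

Calling `check_requirements requirements.txt` ahead of `pip install` lets a non-zero exit status stop the job before anything is fetched from outside Nexus.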

npm Packages

Publishing (CI/CD)

publish-npm:
  stage: build
  script:
    - echo "//nexus.shared.cwiq.io/repository/npm-hosted/:_authToken=$NEXUS_NPM_TOKEN" > .npmrc
    - npm publish --registry https://nexus.shared.cwiq.io/repository/npm-hosted/

Consuming (Local Development)

# Use Nexus as npm registry (includes npmjs.com packages)
npm config set registry https://nexus.shared.cwiq.io/repository/npm-group/
npm install

RPM Packages

The executor CLI is built as an RPM and uploaded to the raw repository:

build-rpm:
  stage: build
  script:
    - rpmbuild -ba orchestrator-executor.spec
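    # --fail makes curl exit non-zero on an HTTP error, so a rejected upload fails the job;
    # the credentials are quoted so special characters are passed intact
    - curl --fail -u "$NEXUS_USERNAME:$NEXUS_PASSWORD"
      --upload-file RPMS/x86_64/orchestrator-executor-*.rpm
      https://nexus.shared.cwiq.io/repository/raw-hosted/executor/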
  tags:
    - large

Authentication

CI/CD jobs authenticate to Nexus using:

  • Vault JWT: Pipeline fetches Nexus credentials from Vault (see Vault Secrets in CI)
  • Service account: svc-orchestrator with publish permissions