Artifact Repository ADR
How will we integrate Nexus into the pipeline once it is deployed?
How will we update Nexus to have the most recent packages?
Which package repositories do we need to add to the Nexus server?
What repo types do we plan to support?
- RPM
- deb
- pypi
- npm
- ruby gems
- nuget
Alternatives to Nexus:
- Artifactory (unhardened)
- Open Source repo tools (Tons of separate tools, not well integrated)
- S3 (sync repos to s3, not all repo types support this)
ADR
Other notes:
- Iron Bank has a requirement to not retain vendor provided files (downloaded from HTTP/S3/Docker). We cannot put them in the repository.
- We could perhaps still mirror open source/public files in HTTP and Docker repositories, but not vendor files
- ❌ Go cannot be easily mirrored. There is no central repository. All tools appear to use pull-through mirrors.
  - How to deal with this? Still use import-artifacts with deps in hardening_manifest?
  - It isn't easy to override in Go with files on disk.
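Added example, not part of the original ADR: a file-based Go mirror (GOPROXY=file:///path) has to lay modules out exactly as the Go module proxy protocol expects, including the case-escaping rule (uppercase letters become "!" plus lowercase). The helper below computes the relative files that must exist on disk for one module version; the module path and version are constructed sample values.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// escapeElement applies the Go module proxy escaping rule: each uppercase
// ASCII letter becomes "!" followed by its lowercase form, so two module
// paths differing only by case cannot collide on a case-insensitive disk.
func escapeElement(s string) (string, error) {
	var b strings.Builder
	for _, r := range s {
		switch {
		case r > unicode.MaxASCII:
			return "", fmt.Errorf("non-ASCII rune %q in %q", r, s)
		case r == '!':
			return "", fmt.Errorf("%q contains '!', reserved for escaping", s)
		case 'A' <= r && r <= 'Z':
			b.WriteByte('!')
			b.WriteRune(unicode.ToLower(r))
		default:
			b.WriteRune(r)
		}
	}
	return b.String(), nil
}

// ProxyFiles returns the relative paths a file:// GOPROXY must serve for
// one module version: the version list plus the .info, .mod and .zip files.
func ProxyFiles(modPath, version string) ([]string, error) {
	if modPath == "" || version == "" {
		return nil, fmt.Errorf("module path and version are required")
	}
	ep, err := escapeElement(modPath)
	if err != nil {
		return nil, err
	}
	ev, err := escapeElement(version)
	if err != nil {
		return nil, err
	}
	base := ep + "/@v/"
	return []string{base + "list", base + ev + ".info", base + ev + ".mod", base + ev + ".zip"}, nil
}

func main() {
	// Constructed sample input; the real paths come from go.sum / go.mod.
	files, err := ProxyFiles("github.com/Azure/azure-sdk-for-go", "v1.2.3")
	if err != nil {
		panic(err)
	}
	for _, f := range files {
		fmt.Println(f)
	}
}
```

With these files present under the proxy root and GOSUMDB left enabled, `go mod download` resolves from disk while go.sum still checks every module hash.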
Nexus
- ✔ IB team has experience (and existing licenses) with Nexus
- ✔ Supports all required repos
- ✔ Supports merging multiple repos at runtime
- ✔ ✔ ✔ Nexus 3.29.0 is hardened
Artifactory
- ✔ Supports all required repos
- ✔ Supports merging multiple repos at runtime
- ❌ ❌ ❌ Not hardened, and likely will not be hardened soon
Multiple open source repo tools
- ✔ Open source tools - TODO: list individual tools we would use to support repo types
- ❌ Would be one tool per repo type, very difficult to manage
- ❌ Would probably be one S3 bucket or PV per repo, also difficult to manage
- ❌ Individual tools don't support merging repos like Nexus and Artifactory do: you can't merge RPM repos at runtime
- ❌ ❌ Many individual tools would have to be hardened.