Sharing artifacts between 2 google cloud projects

Hi all

We run Kubernetes on Google Cloud, and we have 2 projects (and 2 k8s clusters), the usual suspects “dev” and “prod”.

I would like to introduce Nexus 3 as a library repository: devs will release new versions of shared libraries and Cloud Build (Google CI) will use them to build/test our apps.

The problems are:

  • developers have zero access to “prod”
  • “prod” and “dev” projects cannot talk to each other

So a developer would push a library to a Nexus running in “dev”, but when that app is built in “prod”, the “prod” CI won’t be able to access the instance of Nexus running in “dev”.

Possible solutions I see are:

  • developers don’t publish libraries directly to a Nexus instance; they tag the commit in Git, and then 2 CIs running in “prod” and “dev” will build and publish the same library to their respective Nexus instance, one for each project
  • developers push to a “dev” Nexus instance, and a background task regularly copies the data folder from dev to prod, keeping the “prod” instance in sync
  • use some VPC magic so that the prod CI can talk to the Nexus instance running in dev

Any better ideas?

All of those will work. If you’re using the “two Nexus instances” approach, one in dev and one in prod, you may find that you can get by with bog-standard proxying. As long as prod can see dev, you’re good.

That should work unless you need low-latency response to pull things from prod and/or you’re using very large artifacts. If that’s your situation (e.g. you want to pull large Docker images and they’ll time out if there’s a 10 second delay in fetching from dev), you may be interested in an upcoming Pro feature called repository replication. That would save you from having to figure out the background task completely on your own. We have an upcoming early access program for this.
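As an added illustration of the proxying approach from the reply above (this is not code from the thread or from Sonatype), here is how the “prod” Nexus 3 instance can be given a read-only Maven proxy repository that pulls from the “dev” instance, using the Nexus 3 REST API (`POST /service/rest/v1/repositories/maven/proxy`, available in Nexus 3.21 and later). The hostnames, repository names and credentials are placeholders; the prod CI then resolves libraries from the proxy without any developer ever needing prod access.

```python
import base64
import json
import urllib.request


def proxy_repo_payload(name: str, remote_url: str, version_policy: str = "RELEASE") -> dict:
    """Build the request body for a Nexus 3 Maven proxy repository.

    The proxy is read-only by construction: prod never writes to dev, it only
    caches what it fetches. autoBlock stops hammering dev if it goes away.
    """
    if version_policy not in ("RELEASE", "SNAPSHOT", "MIXED"):
        raise ValueError("version_policy must be RELEASE, SNAPSHOT or MIXED")
    return {
        "name": name,
        "online": True,
        "storage": {"blobStoreName": "default", "strictContentTypeValidation": True},
        "proxy": {"remoteUrl": remote_url, "contentMaxAge": 1440, "metadataMaxAge": 1440},
        "negativeCache": {"enabled": True, "timeToLive": 1440},
        "httpClient": {"blocked": False, "autoBlock": True},
        "maven": {"versionPolicy": version_policy, "layoutPolicy": "STRICT"},
    }


def create_proxy_repo(nexus_base_url: str, user: str, password: str, payload: dict) -> int:
    """POST the payload to the prod Nexus instance; returns the HTTP status (201 on success)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{nexus_base_url.rstrip('/')}/service/rest/v1/repositories/maven/proxy",
        data=json.dumps(payload).encode(),
        method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"},
    )
    with urllib.request.urlopen(req) as resp:  # raises urllib.error.HTTPError on 4xx/5xx
        return resp.status


if __name__ == "__main__":
    # Placeholder hosts/credentials: prod Nexus proxies the dev Nexus "libs-release" repo.
    body = proxy_repo_payload("libs-release-from-dev", "https://nexus.dev.example.internal/repository/libs-release/")
    print(create_proxy_repo("https://nexus.prod.example.internal", "admin", "CHANGE-ME", body))
```

Run it once from an account that can administer the prod instance; prod builds then resolve from `https://nexus.prod.example.internal/repository/libs-release-from-dev/`, and the only network path needed is prod reaching dev, not the other way round.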