Build and Image Publish¶

Deployment-agnostic variables¶

ENTITY_NAMESPACE=<entity-namespace>   # ex: france-titres
APP_SLUG=<app-slug>                   # ex: hello-world
REGISTRY_HOST=<registry-host>         # ex: tools.playground.france-identite.gouv.fr
IMAGE_REPO="$REGISTRY_HOST/$ENTITY_NAMESPACE/$APP_SLUG"
IMAGE_TAG=<tag>                       # current CI default: latest

Current implementation source: - IMAGE is ${HARBOR_HOST}/${HARBOR_PROJECT}/hello-world - TAG is latest Source: hello-world-main/.gitlab-ci.yml

Docker build steps (from implementation)¶

Two-stage Docker build:

node:21-alpine build stage
nginxinc/nginx-unprivileged:alpine runtime stage

Build sequence:

npm ci
npm run build
copy /app/dist to Nginx html root
runtime listens on port 80

Source: hello-world-main/dockerfile

How image tagging and push works¶

CI performs:

echo "$HARBOR_PASSWORD" | docker login $HARBOR_REGISTRY -u "$HARBOR_USERNAME" --password-stdin
docker build -t $IMAGE:$TAG .
docker push $IMAGE:$TAG

Source: hello-world-main/.gitlab-ci.yml (build.before_script, build.script)

Tag behavior as implemented:

All successful main builds publish :latest.
No immutable tag strategy exists in CI file.

Source: hello-world-main/.gitlab-ci.yml

Required environment variables and secrets¶

Variable	Required	Type	Purpose	Source
`HARBOR_HOST`	Yes	config	Registry host	`.gitlab-ci.yml`
`HARBOR_PROJECT`	Yes	config	Registry namespace/project (maps to entity namespace model)	`.gitlab-ci.yml`
`HARBOR_USERNAME`	Yes	secret	Docker login username	`build.before_script`
`HARBOR_PASSWORD`	Yes	secret	Docker login password/token	`build.before_script`
`TAG`	Yes	config	Image tag (`latest` default)	`.gitlab-ci.yml`

Practical commands¶

Local build (matches repo reality)¶

cd hello-world-main
docker build -f dockerfile -t "$IMAGE_REPO:$IMAGE_TAG" .

Why -f dockerfile: file is lowercase in repo. Source: hello-world-main/dockerfile

Manual publish¶

docker login "$REGISTRY_HOST"
docker push "$IMAGE_REPO:$IMAGE_TAG"

Troubleshooting¶

`Cannot locate Dockerfile`¶

Cause: build command expects Dockerfile but repo file is dockerfile.

Fix:

rename to Dockerfile, or
update CI build command to docker build -f dockerfile ...

Source: hello-world-main/dockerfile, hello-world-main/.gitlab-ci.yml

`unauthorized` on push¶

Cause: invalid/missing Harbor credentials or host/project values.

Fix: verify CI variable scope/protection and value correctness. Source: hello-world-main/.gitlab-ci.yml

Image runs but service is unreachable on expected port¶

Cause: runtime listens on 80; some local mappings use 5173.

Check mappings across Compose/K8s service definitions. Sources: - hello-world-main/dockerfile - hello-world-main/docker-compose.yml - helm-hello-world-main/templates/service.yaml