Merge pull request 'Injection de la redirect_uri dans les requêtes d'authentification' (#5) from issue-4 into master

Reviewed-on: #5
Reviewed-by: Laurent Gourvenec <lgourvenec@cadoles.com>

.dockerignore

@@ -3,3 +3,5 @@
 /vendor
 /bin
 /release
+/misc/compose
+/tools

.gitignore

@@ -4,3 +4,5 @@
 /.vscode
 /tools
 /.mktools
+.mktools/
+/release

Jenkinsfile

@@ -0,0 +1,29 @@
+@Library('cadoles') _
+
+// Utilisation du pipeline "standard"
+// Voir https://forge.cadoles.com/Cadoles/Jenkins/src/branch/master/doc/tutorials/standard-make-pipeline.md
+standardMakePipeline([
+    'dockerfileExtension': '''
+    RUN apt-get update \
+        && apt-get install -y zip jq
+
+    RUN wget https://go.dev/dl/go1.21.5.linux-amd64.tar.gz \
+        && rm -rf /usr/local/go \
+        && tar -C /usr/local -xzf go1.21.5.linux-amd64.tar.gz
+
+    ENV PATH="${PATH}:/usr/local/go/bin"
+    ''',
+    'hooks': [
+        'pre-release': {
+            // Login into docker registry
+            sh '''
+            make .mktools
+            echo "$MKT_GITEA_RELEASE_PASSWORD" | docker login --username "$MKT_GITEA_RELEASE_USERNAME" --password-stdin reg.cadoles.com
+            '''
+        }
+    ],
+    // Use credentials to push images to registry and pubish gitea release
+    'credentials': [
+        usernamePassword(credentialsId: 'kipp-credentials', usernameVariable: 'MKT_GITEA_RELEASE_USERNAME', passwordVariable: 'MKT_GITEA_RELEASE_PASSWORD')
+    ]
+])

Makefile

@@ -1,7 +1,19 @@
-DOKKU_HOST := dokku@dev.lookingfora.name
 SHELL := /bin/bash
-DOCKER_IMAGE_NAME ?= reg.cadoles.com/cadoles/oidc-test
-DOCKER_IMAGE_TAG ?= $(MKT_PROJECT_VERSION)
+
+IMAGE_NAME ?= reg.cadoles.com/cadoles/oidc-test
+
+MKT_GITEA_RELEASE_ORG ?= Cadoles
+MKT_GITEA_RELEASE_PROJECT ?= goweb-oidc
+MKT_GITEA_RELEASE_VERSION ?= $(MKT_PROJECT_VERSION)
+
+define MKT_GITEA_RELEASE_BODY
+## Docker usage
+
+```
+docker pull $(IMAGE_NAME):$(MKT_PROJECT_VERSION)
+```
+endef
+export MKT_GITEA_RELEASE_BODY
 
 build:
 	CGO_ENABLED=0 go build -v -o ./bin/server ./cmd/server
@@ -9,14 +21,11 @@ build:
 test:
 	go test -v -race ./...
 
-release:
-	@$(SHELL) ./misc/script/release.sh
-
 tidy:
 	go mod tidy
 
-watch:
-	modd
+watch: tools/modd/bin/modd
+	tools/modd/bin/modd
 
 lint:
 	golangci-lint run --enable-all
@@ -26,32 +35,44 @@ clean:
 	rm -rf data
 	rm -rf bin
 
-dokku-build:
+build-image:
 	docker build \
-		-f ./misc/dokku/Dockerfile \
-		-t goweb-oidc-dokku:latest \
+		-t "${IMAGE_NAME}:latest" \
+		-f ./misc/docker/Dockerfile	\
 		.
 
-dokku-run:
-	docker run -it --rm -p 3002:3002 goweb-oidc-dokku:latest
+scan: build-image tools/trivy/bin/trivy
+	mkdir -p .trivy
+	tools/trivy/bin/trivy --cache-dir .trivy/.cache image --ignorefile .trivyignore.yaml $(TRIVY_ARGS) $(IMAGE_NAME):latest
 	
-dokku-deploy:
-	$(if $(shell git config remote.dokku-oidc-test.url),, git remote add dokku-oidc-test $(DOKKU_HOST):oidc-test)
-	git push -f dokku-oidc-test $(shell git rev-parse HEAD):refs/heads/master	
+tools/trivy/bin/trivy:
+	mkdir -p tools/trivy/bin
+	curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b ./tools/trivy/bin v0.47.0
 
-docker-build: .mktools
-	docker build \
-		-f ./misc/dokku/Dockerfile \
-		-t $(DOCKER_IMAGE_NAME):latest \
-		.
+tools/modd/bin/modd:
+	mkdir -p tools/modd/bin
+	GOBIN=$(PWD)/tools/modd/bin go install github.com/cortesi/modd/cmd/modd@latest
 
-docker-release: .mktools docker-build
-	docker image tag $(DOCKER_IMAGE_NAME):latest $(DOCKER_IMAGE_NAME):$(DOCKER_IMAGE_TAG)
-	docker login
-	docker push $(DOCKER_IMAGE_NAME):$(DOCKER_IMAGE_TAG)
-	docker push $(DOCKER_IMAGE_NAME):latest
+release: release-image release-gitea
 
-.PHONY: lint watch build vendor tidy release
+release-archive:
+	@$(SHELL) ./misc/script/release.sh
+
+release-gitea: .mktools release-archive
+	@[ ! -z "$(MKT_PROJECT_VERSION)" ] || ( echo "Just downloaded mktools. Please re-run command."; exit 1 )
+	$(MAKE) MKT_GITEA_RELEASE_ATTACHMENTS="$$(find release/* -maxdepth 0 -type f -printf '%p ')" mkt-gitea-release
+
+release-image: .mktools build-image
+	@[ ! -z "$(MKT_PROJECT_VERSION)" ] || ( echo "Just downloaded mktools. Please re-run command."; exit 1 )
+	docker tag "${IMAGE_NAME}:latest" "${IMAGE_NAME}:$(MKT_PROJECT_VERSION)"
+	docker tag "${IMAGE_NAME}:latest" "${IMAGE_NAME}:$(MKT_PROJECT_SHORT_VERSION)"
+	docker tag "${IMAGE_NAME}:latest" "${IMAGE_NAME}:$(MKT_PROJECT_VERSION_CHANNEL)-latest"
+	
+	docker push "${IMAGE_NAME}:$(MKT_PROJECT_VERSION)"
+	docker push "${IMAGE_NAME}:$(MKT_PROJECT_SHORT_VERSION)"
+	docker push "${IMAGE_NAME}:$(MKT_PROJECT_VERSION_CHANNEL)-latest"
+
+.PHONY: lint watch build tidy release
 
 .PHONY: mktools
 mktools:

README.md

@@ -6,6 +6,6 @@ Middleware [`goweb`](https://forge.cadoles.com/wpetit/goweb) pour authentificati
 
 Une application web de test est disponible dans le répertoire [`cmd/server`](./cmd/server). Voici les principaux exemples d'utilisation de la librairie:
 
-- [Initialisation du service `oidc`](https://forge.cadoles.com/wpetit/goweb-oidc/src/branch/master/cmd/server/container.go#L78-L87)
-- [Ajout du middleware d'authentification dans les routes HTTP](https://forge.cadoles.com/wpetit/goweb-oidc/src/branch/master/internal/route/mount.go#L12-L19)
-- [Récupération de l'`IDToken` dans un handler HTTP](https://forge.cadoles.com/wpetit/goweb-oidc/src/branch/master/internal/route/login.go#L18-L21)
+- [Initialisation du service `oidc`](https://forge.cadoles.com/cadoles/goweb-oidc/src/branch/master/cmd/server/container.go#L78-L87)
+- [Ajout du middleware d'authentification dans les routes HTTP](https://forge.cadoles.com/cadoles/goweb-oidc/src/branch/master/internal/route/mount.go#L12-L19)
+- [Récupération de l'`IDToken` dans un handler HTTP](https://forge.cadoles.com/cadoles/goweb-oidc/src/branch/master/internal/route/login.go#L18-L21)

cmd/server/container.go

@@ -8,8 +8,8 @@ import (
 	"gitlab.com/wpetit/goweb/logger"
 	"gitlab.com/wpetit/goweb/template/html"
 
-	oidc "forge.cadoles.com/wpetit/goweb-oidc"
-	"forge.cadoles.com/wpetit/goweb-oidc/internal/config"
+	oidc "forge.cadoles.com/cadoles/goweb-oidc"
+	"forge.cadoles.com/cadoles/goweb-oidc/internal/config"
 	"github.com/gorilla/sessions"
 	"github.com/pkg/errors"
 	"gitlab.com/wpetit/goweb/service"
@@ -95,6 +95,7 @@ func getServiceContainer(ctx context.Context, conf *config.Config) (*service.Con
 		oidc.WithScopes(conf.OIDC.Scopes...),
 		oidc.WithAcrValues(conf.OIDC.AcrValues),
 		oidc.WithSkipIssuerCheck(conf.OIDC.SkipIssuerVerification),
+		oidc.WithRedirectURL(conf.OIDC.RedirectURL),
 	))
 
 	return ctn, nil

cmd/server/main.go

@@ -8,8 +8,8 @@ import (
 	"net/http"
 	"os"
 
-	"forge.cadoles.com/wpetit/goweb-oidc/internal/config"
-	"forge.cadoles.com/wpetit/goweb-oidc/internal/route"
+	"forge.cadoles.com/cadoles/goweb-oidc/internal/config"
+	"forge.cadoles.com/cadoles/goweb-oidc/internal/route"
 
 	"github.com/go-chi/chi/v5"
 	"github.com/go-chi/chi/v5/middleware"

docker-compose.yml

@@ -1,17 +1,98 @@
-version: "2.4"
 services:
   oidc-test:
-    image: reg.cadoles.com/cadoles/goweb-oidc-test
+    build:
+      context: .
+      dockerfile: ./misc/docker/Dockerfile
     environment:
       - LOG_LEVEL=0
-      - HTTP_ADDRESS=0.0.0.0:3002
-      - OIDC_CLIENT_ID=local-test
-      - OIDC_CLIENT_SECRET=local-test
-      - OIDC_ISSUER_URL=
-      - OIDC_REDIRECT_URL=http://localhost:3002
-      - OIDC_POST_LOGOUT_REDIRECT_URL=http://localhost:3002
-      - OIDC_ACR_VALUES=
-    ports:
-      - 80:3002
+      - HTTP_ADDRESS=0.0.0.0:8000
+      - OIDC_CLIENT_ID=oidc-test
+      - OIDC_CLIENT_SECRET=oidc-test-123456
+      - OIDC_ISSUER_URL=http://localhost:8081/
+      - OIDC_REDIRECT_URL=http://localhost:8000/oauth2/callback
+      - OIDC_POST_LOGOUT_REDIRECT_URL=http://localhost:8000
+    depends_on:
+      hydra:
+        condition: service_healthy
     network_mode: host
+    restart: unless-stopped
 
+  hydra:
+    build:
+      context: ./misc/compose/hydra
+      args:
+        - HTTP_PROXY=${HTTP_PROXY:-}
+        - HTTPS_PROXY=${HTTPS_PROXY:-}
+        - http_proxy=${http_proxy:-}
+        - https_proxy=${https_proxy:-}
+    volumes:
+      - ./misc/compose/hydra/config.yml:/etc/hydra/config.yml
+      - ./misc/compose/hydra/clients.d:/etc/hydra/clients.d
+    environment:
+      - LOG_LEAK_SENSITIVE_VALUES=true
+    links:
+      - mariadb
+    depends_on:
+      - mariadb
+    ports:
+      - 8081:4444
+    healthcheck:
+      test:
+        [
+          "CMD",
+          "wget",
+          "--spider",
+          "-q",
+          "http://127.0.0.1:4444/.well-known/openid-configuration",
+        ]
+      interval: 10s
+      timeout: 10s
+      retries: 3
+      start_period: 10s
+    restart: unless-stopped
+
+  mariadb:
+    image: mariadb:10.2
+    environment:
+      MYSQL_DATABASE: hydra
+      MYSQL_USER: hydra
+      MYSQL_PASSWORD: hydra
+      MYSQL_ROOT_PASSWORD: hydra
+      TZ: Europe/Paris
+    volumes:
+      - ./misc/compose/mariadb/init-db.d:/docker-entrypoint-initdb.d/:ro
+      - mariadb_data:/var/lib/mysql
+      - /etc/localtime:/etc/localtime:ro
+
+  glauth:
+    build:
+      context: ./misc/compose/glauth
+      args:
+        - HTTP_PROXY=${HTTP_PROXY:-}
+        - HTTPS_PROXY=${HTTPS_PROXY:-}
+        - http_proxy=${http_proxy:-}
+        - https_proxy=${https_proxy:-}
+    ports:
+      - 389:389
+
+  hydra-werther:
+    image: icoreru/werther:v1.2.1
+    environment:
+      - WERTHER_LDAP_BASEDN=ou=users,dc=example,dc=com
+      - WERTHER_LDAP_ROLE_BASEDN=ou=groups,dc=example,dc=com
+      - WERTHER_DEV_MODE=True
+      - WERTHER_LISTEN=0.0.0.0:8080
+      - WERTHER_IDENTP_HYDRA_URL=http://hydra:4445
+      - WERTHER_LDAP_ENDPOINTS=glauth:389
+      - WERTHER_LDAP_BINDDN=cn=admin,dc=example,dc=com
+      - WERTHER_LDAP_BINDPW=admin
+    volumes:
+      - ./misc/glauth/glauth.cfg:/app/config/config.cfg:ro
+    links:
+      - glauth
+      - hydra
+    ports:
+      - 8082:8080
+
+volumes:
+  mariadb_data:

go.mod

@@ -1,4 +1,4 @@
-module forge.cadoles.com/wpetit/goweb-oidc
+module forge.cadoles.com/cadoles/goweb-oidc
 
 go 1.14
 

internal/route/helper.go

@@ -3,7 +3,7 @@ package route
 import (
 	"net/http"
 
-	"forge.cadoles.com/wpetit/goweb-oidc/internal/config"
+	"forge.cadoles.com/cadoles/goweb-oidc/internal/config"
 	"github.com/pkg/errors"
 	"gitlab.com/wpetit/goweb/middleware/container"
 	"gitlab.com/wpetit/goweb/service"

internal/route/home.go

@@ -3,8 +3,8 @@ package route
 import (
 	"net/http"
 
-	oidc "forge.cadoles.com/wpetit/goweb-oidc"
-	"forge.cadoles.com/wpetit/goweb-oidc/internal/config"
+	oidc "forge.cadoles.com/cadoles/goweb-oidc"
+	"forge.cadoles.com/cadoles/goweb-oidc/internal/config"
 	"github.com/pkg/errors"
 	"gitlab.com/wpetit/goweb/middleware/container"
 	"gitlab.com/wpetit/goweb/service/template"

internal/route/login.go

@@ -3,8 +3,8 @@ package route
 import (
 	"net/http"
 
-	oidc "forge.cadoles.com/wpetit/goweb-oidc"
-	"forge.cadoles.com/wpetit/goweb-oidc/internal/config"
+	oidc "forge.cadoles.com/cadoles/goweb-oidc"
+	"forge.cadoles.com/cadoles/goweb-oidc/internal/config"
 	"github.com/pkg/errors"
 	"gitlab.com/wpetit/goweb/logger"
 	"gitlab.com/wpetit/goweb/middleware/container"

internal/route/logout.go

@@ -3,8 +3,8 @@ package route
 import (
 	"net/http"
 
-	oidc "forge.cadoles.com/wpetit/goweb-oidc"
-	"forge.cadoles.com/wpetit/goweb-oidc/internal/config"
+	oidc "forge.cadoles.com/cadoles/goweb-oidc"
+	"forge.cadoles.com/cadoles/goweb-oidc/internal/config"
 	"gitlab.com/wpetit/goweb/logger"
 	"gitlab.com/wpetit/goweb/middleware/container"
 )

internal/route/mount.go

@@ -1,8 +1,8 @@
 package route
 
 import (
-	oidc "forge.cadoles.com/wpetit/goweb-oidc"
-	"forge.cadoles.com/wpetit/goweb-oidc/internal/config"
+	oidc "forge.cadoles.com/cadoles/goweb-oidc"
+	"forge.cadoles.com/cadoles/goweb-oidc/internal/config"
 
 	chi "github.com/go-chi/chi/v5"
 	"gitlab.com/wpetit/goweb/static"

internal/route/profile.go

@@ -4,7 +4,7 @@ import (
 	"encoding/json"
 	"net/http"
 
-	oidc "forge.cadoles.com/wpetit/goweb-oidc"
+	oidc "forge.cadoles.com/cadoles/goweb-oidc"
 	"github.com/pkg/errors"
 	"gitlab.com/wpetit/goweb/middleware/container"
 	"gitlab.com/wpetit/goweb/service/template"

misc/compose/glauth/Dockerfile

@@ -0,0 +1,3 @@
+FROM glauth/glauth:v2.1.0
+
+COPY glauth.cfg /app/config/config.cfg

misc/compose/glauth/glauth.cfg

@@ -0,0 +1,37 @@
+debug = true
+
+[ldap]
+    enabled = true
+    listen = "0.0.0.0:389"
+
+[ldaps]
+  enabled = false
+
+[backend]
+  datastore = "config"
+  baseDN = "dc=example,dc=com"
+
+[[users]]
+  name = "admin"
+  mail = "admin@localhost"
+  uidnumber = 5001
+  primarygroup = 5501
+  passsha256 = "8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918"   # admin
+  [[users.capabilities]]
+    action = "search"
+    object = "*"
+  [[users.customattributes]]
+    objectClass = [ "inetOrgPerson" ]
+
+[[users]]
+  name = "jdoe"
+  mail = "jdoe@localhost"
+  uidnumber = 5006
+  primarygroup = 5501
+  passsha256 = "d30a5f57532a603697ccbb51558fa02ccadd74a0c499fcf9d45b33863ee1582f" # jdoe
+  [[users.customattributes]]
+    objectClass = [ "inetOrgPerson" ]
+
+[[groups]]
+  name = "webapps"
+  gidnumber = 5501

misc/compose/hydra/Dockerfile

@@ -0,0 +1,31 @@
+FROM oryd/hydra:v1.11.7
+
+ARG WAIT4X_VERSION="v1.1.0"
+
+USER root
+
+RUN apk add --no-cache gcompat jq
+
+# wait4x - utilisé pour attendre les services externes nécessaires au lancement d'hydra
+RUN /bin/sh -c "wget -q -O /usr/local/bin/wait4x https://github.com/atkrad/wait4x/releases/download/$WAIT4X_VERSION/wait4x-linux-amd64" \
+    && /bin/sh -c "chmod a+x /usr/local/bin/wait4x"
+
+COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
+RUN /bin/sh -c "chmod +x /usr/local/bin/docker-entrypoint.sh"
+
+COPY run-hydra.sh /usr/local/bin/run-hydra
+RUN /bin/sh -c "chmod +x /usr/local/bin/run-hydra"
+
+RUN /bin/sh -c "mkdir -p /home/ory" \
+    && /bin/sh -c "chown -R ory: /home/ory"
+
+COPY clients.d /etc/hydra/clients.d
+
+COPY reload-hydra-clients.sh /usr/local/bin/reload-hydra-clients
+RUN /bin/sh -c "chmod +x /usr/local/bin/reload-hydra-clients"
+
+USER ory
+
+ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
+
+CMD ["/usr/local/bin/run-hydra"]

misc/compose/hydra/clients.d/oidc-test.json

@@ -0,0 +1,19 @@
+{
+	"client_id": "oidc-test",
+	"client_name": "OIDC Test",
+	"client_secret": "oidc-test-123456",
+	"grant_types": [
+		"authorization_code",
+		"refresh_token"
+	],
+	"jwks": {},
+	"metadata": {},
+	"token_endpoint_auth_method": "client_secret_post",
+	"post_logout_redirect_uris": ["http://localhost:8000"],
+	"redirect_uris": ["http://localhost:8000/oauth2/callback"],
+	"response_types": [
+		"code"
+	],
+	"logo_uri": "https://upload.wikimedia.org/wikipedia/commons/e/e1/Password.svg",
+	"scope": "openid profile email webhook"
+}

misc/compose/hydra/config.yml

@@ -0,0 +1,37 @@
+serve:
+  cookies:
+    same_site_mode: Lax
+
+  admin:
+    port: 4445
+    host: 0.0.0.0
+
+  public:
+    port: 4444
+    host: 0.0.0.0
+
+level: debug
+
+urls:
+  self:
+    # Adresse publique du serveur hydra
+    issuer:  http://localhost:8081
+  
+  # Configuration des login/consent/logout apps
+  consent: http://localhost:8082/auth/consent
+  login: http://localhost:8082/auth/login
+  logout: http://localhost:8082/auth/logout
+
+secrets:
+  system:
+    - youReallyNeedToChangeThis
+
+dsn: mysql://hydra:hydra@tcp(mariadb:3306)/hydra?parseTime=true
+
+oidc:
+  subject_identifiers:
+    supported_types:
+      - pairwise
+      - public
+    pairwise:
+      salt: youReallyNeedToChangeThis

misc/compose/hydra/docker-entrypoint.sh

@@ -0,0 +1,33 @@
+#!/bin/sh
+
+set -eo pipefail
+
+ # On attend que la base de données MySQL soit disponible
+/usr/local/bin/wait4x -t 60s mysql "hydra:hydra@tcp(mariadb:3306)/hydra"
+
+# Au premier lancement du conteneur...
+if [ ! -f "$HOME/.first-run" ]; then
+    # On exécute les migrations Hydra
+    /usr/bin/hydra migrate sql --read-from-env --yes -c /etc/hydra/config.yml
+
+    # On "marque" l'exécution
+    touch "$HOME/.first-run"
+fi
+
+# Démarrage de l'interface admin d'hydra en tâche de fond
+/usr/bin/hydra serve --dangerous-force-http admin -c /etc/hydra/config.yml &
+
+# On attend que le service hydra soit dispo
+/usr/local/bin/wait4x -t 60s http http://127.0.0.1:4445
+
+# Rechargement des clients OIDC
+/usr/local/bin/reload-hydra-clients
+
+# On stoppe l'interface admin d'hydra
+kill $(jobs -p)
+
+# On attend que le serveur Hydra soit stoppé
+/usr/local/bin/wait4x -v -t 60s http http://127.0.0.1:4445
+
+# On exécute la CMD Docker
+exec $@

misc/compose/hydra/reload-hydra-clients.sh

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+set -x
+
+HYDRA_CLIENTS_DIR=/etc/hydra/clients.d
+HYDRA_ADMIN_ENDPOINT=http://127.0.0.1:4445
+
+for client_file in $HYDRA_CLIENTS_DIR/*.json; do
+    client_id=$(basename "$client_file" | cut -f 1 -d '.')
+    /usr/bin/hydra clients delete --skip-tls-verify --endpoint "$HYDRA_ADMIN_ENDPOINT" "$client_id"
+    /usr/bin/hydra clients import --skip-tls-verify --endpoint "$HYDRA_ADMIN_ENDPOINT" "$client_file"
+done

misc/compose/hydra/run-hydra.sh

@@ -0,0 +1,16 @@
+#!/bin/sh
+
+set -xeo pipefail
+
+REDIRECT_URLS=$(cat /etc/hydra/clients.d/*.json | jq -n --stream 'fromstream(inputs) | (.redirect_uris + .post_logout_redirect_uris)' | jq -r '.[]')
+
+# À NE PAS FAIRE EN PRODUCTION !
+# Voir https://www.ory.sh/docs/hydra/debug#first-aid
+export OAUTH2_EXPOSE_INTERNAL_ERRORS=true
+
+/usr/bin/hydra \
+    serve   \
+    -c /etc/hydra/config.yml \
+    --dangerous-force-http \
+    --dangerous-allow-insecure-redirect-urls "$REDIRECT_URLS" \
+    all

misc/compose/mariadb/init-db.d/create_database_hydra.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+set -xeo pipefail
+
+echo "CREATE DATABASE IF NOT EXISTS \`hydra\`;" | "${mysql[@]}"
+echo "GRANT ALL ON \`hydra\`.* TO '$MYSQL_USER'@'%' ;" | "${mysql[@]}"

misc/docker/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.19 AS build
+FROM golang:1.24 AS build
 
 ARG HTTP_PROXY=
 ARG HTTPS_PROXY=
@@ -11,9 +11,9 @@ COPY . /src
 
 WORKDIR /src
 
-RUN make ARCH_TARGETS=amd64 release
+RUN make ARCH_TARGETS=amd64 release-archive
 
-FROM alpine as certs
+FROM alpine AS certs
 
 RUN apk update && apk add ca-certificates