diff --git a/.gitignore b/.gitignore
index 88f15a1..0fe6554 100644
--- a/.gitignore
+++ b/.gitignore
@@ -13,8 +13,6 @@ cover*
 .config/
 */venv
 
-# local binary
-./katenary
 
 # will be treated later
 /examples/*
@@ -29,4 +27,6 @@ __pycache__
 .rpmmacros
 *.gpg
 
+# local binaries
 katenary
+!cmd/katenary
diff --git a/Makefile b/Makefile
index 991ea7a..713f2d4 100644
--- a/Makefile
+++ b/Makefile
@@ -21,48 +21,10 @@ GOARCH=amd64
 CGO_ENABLED=0
 PREFIX=~/.local
 
-warn-docker:
-	@echo -e "\033[1;31mWarning: Docker is not recommended, use Podman instead.\033[0m"
-	sleep 5
-
-# Get the container (Podman is preferred, but docker can be used too. It may failed with Docker.)
-# TODO: propose nerdctl
-CTN:=$(shell which podman 2>&1 1>/dev/null && echo "podman" || echo "docker")
-ifeq ($(CTN),podman)
-	CTN_USERMAP=--userns=keep-id
-else
-	$(MAKE) warn-docker
-	CTN_USERMAP=--user=$(shell id -u):$(shell id -g) -e HOME=/tmp
-endif
-
-
-# Packaging OCI image, to build rpm, deb, pacman, tar packages
-# We changes the keep-id uid/gid for Podman, so that the user inside the container is the same as the user outside.
-# For Docker, as it doesn't support userns, we use common options, but it may fail...
-PKG_OCI_IMAGE=packaging:fedora
-ifeq ($(CTN),podman)
-	# podman
-	PKG_OCI_OPTS:=--rm -it \
-		-v ./:/opt/katenary:z \
-		--userns keep-id:uid=1001,gid=1001 \
-		$(PKG_OCI_IMAGE)
-else
-	# docker
-	PKG_OCI_OPTS:=--rm -it \
-		-v ./:/opt/katenary:z \
-		-e HOME=/tmp \
-		$(CTN_USERMAP) \
-		$(PKG_OCI_IMAGE)
-endif
-GO_BUILD=go build -ldflags="-X 'katenary/generator.Version=$(VERSION)'" -o $(OUTPUT)  ./cmd/katenary
-
-
 # UPX compression
 UPX_OPTS =
 UPX ?= upx $(UPX_OPTS)
 
-BUILD_IMAGE=docker.io/golang:$(GOVERSION)
-
 # List of source files
 SOURCES=$(shell find -name "*.go" -or -name "*.tpl" -type f | grep -v -P "^./example|^./vendor")
 # List of binaries to build and sign
@@ -84,8 +46,20 @@ SIGNER=metal3d@gmail.com
 # Browser command to see coverage report after tests
 BROWSER=$(shell command -v epiphany || echo xdg-open)
 
+include makefiles/build.mk
+include makefiles/containers.mk
+include makefiles/doc.mk
+include makefiles/gpg.mk
+include makefiles/packager.mk
+include makefiles/test.mk
+
 all: build
 
+# if docker is used instead of podman, we warn the user
+warn-docker:
+	@echo -e "\033[1;31mWarning: Docker is not recommended, use Podman instead.\033[0m"
+	sleep 5
+
 help:
 	@cat <<EOF | fold -s -w 80
 	=== HELP ===
@@ -123,273 +97,6 @@ help:
 	EOF
 
 
-## BUILD
-
-# Simply build the binary for the current OS and architecture
-build: pull katenary
-
-pull:
-ifneq ($(GO),local)
-	@echo -e "\033[1;32mPulling $(BUILD_IMAGE) docker image\033[0m"
-	@$(CTN) pull $(BUILD_IMAGE)
-endif
-
-katenary: $(SOURCES) go.mod go.sum
-ifeq ($(GO),local)
-	@echo "=> Build on host using go"
-	$(GO_BUILD)
-else
-	@echo "=> Build in container using" $(CTN)
-	@$(CTN) run \
-		-e CGO_ENABLED=$(CGO_ENABLED) \
-		-e GOOS=$(GOOS) \
-		-e GOARCH=$(GOARCH) \
-		--rm -v $(PWD):/go/src/katenary:z \
-		-w /go/src/katenary \
-		-v go-cache:/go/pkg/mod:z \
-		$(CTN_USERMAP) \
-		$(BUILD_IMAGE) $(GO_BUILD)
-endif
-
-
-# Make dist, build executables for all platforms, sign them, and compress them with upx if possible.
-# Also generate the windows installer.
-binaries: prepare $(BINARIES)
-dist: binaries upx packages
-dist-full: clean-dist dist gpg-sign check-sign rpm-sign check-dist-all
-
-prepare: pull packager-oci-image
-	mkdir -p dist
-
-dist/katenary-linux-amd64: $(SOURCES) go.mod go.sum
-	@echo
-	@echo -e "\033[1;32mBuilding katenary $(VERSION) for linux-amd64...\033[0m"
-	$(MAKE) katenary GOOS=linux GOARCH=amd64 OUTPUT=$@
-	strip $@
-
-dist/katenary-linux-arm64: $(SOURCES) go.mod go.sum
-	@echo
-	@echo -e "\033[1;32mBuilding katenary $(VERSION) for linux-arm...\033[0m"
-	$(MAKE) katenary GOOS=linux GOARCH=arm64 OUTPUT=$@
-
-dist/katenary.exe: $(SOURCES) go.mod go.sum
-	@echo
-	@echo -e "\033[1;32mBuilding katenary $(VERSION) for windows...\033[0m"
-	$(MAKE) katenary GOOS=windows GOARCH=amd64 OUTPUT=$@
-
-dist/katenary-darwin-amd64: $(SOURCES) go.mod go.sum
-	@echo
-	@echo -e "\033[1;32mBuilding katenary $(VERSION) for darwin...\033[0m"
-	$(MAKE) katenary GOOS=darwin GOARCH=amd64 OUTPUT=$@
-
-dist/katenary-freebsd-amd64: $(SOURCES) go.mod go.sum
-	@echo
-	@echo -e "\033[1;32mBuilding katenary $(VERSION) for freebsd...\033[0m"
-	$(MAKE) katenary GOOS=freebsd GOARCH=amd64 OUTPUT=$@
-	strip $@
-
-dist/katenary-freebsd-arm64: $(SOURCES) go.mod go.sum
-	@echo
-	@echo -e "\033[1;32mBuilding katenary $(VERSION) for freebsd-arm64...\033[0m"
-	$(MAKE) katenary GOOS=freebsd GOARCH=arm64 OUTPUT=$@
-
-dist/katenary-windows-setup.exe: nsis/EnVar.dll dist/katenary.exe
-	@$(CTN) run -w /opt/katenary $(PKG_OCI_OPTS) \
-		makensis -DAPP_VERSION=$(VERSION) nsis/katenary.nsi
-	mv nsis/katenary-windows-setup.exe dist/katenary-windows-setup.exe
-
-# Download the EnVar plugin for NSIS, put it in the nsis directory, and clean up
-nsis/EnVar.dll:
-	curl https://nsis.sourceforge.io/mediawiki/images/7/7f/EnVar_plugin.zip -o nsis/EnVar_plugin.zip
-	cd nsis
-	unzip -o EnVar_plugin.zip Plugins/x86-unicode/EnVar.dll
-	mv Plugins/x86-unicode/EnVar.dll EnVar.dll
-	rm -rf EnVar_plugin.zip Plugins
-
-# UPX compression
-upx: upx-linux upx-darwin
-
-upx-linux: dist/katenary-linux-amd64 dist/katenary-linux-arm64 
-	$(UPX) $^
-
-upx-darwin: dist/katenary-darwin-amd64
-	$(UPX) --force-macos $^
-
-## Linux / FreeBSD packages with fpm
-
-DESCRIPTION := $(shell cat packaging/description | sed ':a;N;$$!ba;s/\n/\\n/g')
-
-FPM_OPTS=--name katenary \
-	--url https://katenary.org \
-	--vendor "Katenary Project" \
-	--maintainer "Patrice Ferlet <metal3d@gmail.com>" \
-	--license "MIT" \
-	--description="$$(printf "$(DESCRIPTION)" | fold -s)"
-
-# base files (doc...)
-FPM_BASES=../LICENSE=/usr/local/share/doc/katenary/LICENSE \
-	../README.md=/usr/local/share/doc/katenary/README.md
-
-FPM_COMMON_FILES=$(FPM_BASES) ../doc/share/man/man1/katenary.1=/usr/local/share/man/man1/katenary.1
-
-# ArchLinux has got inconsistent /usr/local/man directory
-FPM_COMMON_FILES_ARCHLINUX=$(FPM_BASES) ../doc/share/man/man1/katenary.1=/usr/local/man/man1/katenary.1 \
-
-# Pacman refuses dashes in version, and should start with a number
-PACMAN_VERSION=$(shell echo $(VERSION) | sed 's/-/./g; s/^v//')
-
-define RPM_MACROS
-%_signature gpg
-%_gpg_path /home/builder/.gnupg
-%_gpg_name $(SIGNER)
-%_gpgbin /usr/bin/gpg2
-%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}'
-endef
-
-rpm: dist/katenary-linux-$(GOARCH)
-	@echo "==> Building RPM packages for $(GOARCH)..."
-	$(CTN) run -w /opt/katenary/dist $(PKG_OCI_OPTS) \
-		fpm -s dir -t rpm -a $(GOARCH) -f $(FPM_OPTS) --version=$(VERSION) \
-			$(FPM_COMMON_FILES) \
-			./katenary-linux-$(GOARCH)=/usr/local/bin/katenary
-rpm-sign:
-	[ -f .rpmmacros ]  || echo "$(RPM_MACROS)" > .rpmmacros
-	[ -f .secret.gpg ] || gpg --export-secret-keys -a $(SIGNER) > .secret.gpg
-	$(CTN) run -w /opt/katenary/dist \
-		-v ./.secret.gpg:/home/builder/signer.gpg \
-		-v packager-gpg:/home/builder/.gnupg \
-		$(PKG_OCI_OPTS) \
-		gpg --import /home/builder/signer.gpg
-	$(CTN) run -w /opt/katenary/dist \
-		-v .rpmmacros:/home/builder/.rpmmacros:z \
-		-v packager-gpg:/home/builder/.gnupg \
-		$(PKG_OCI_OPTS) \
-		bash -c 'for rpm in $$(find . -iname "*.rpm"); do echo signing: $$rpm; rpm --addsign $$rpm; done'
-
-deb:
-	@echo "==> Building DEB packages for $(GOARCH)..."
-	$(CTN) run -w /opt/katenary/dist $(PKG_OCI_OPTS) \
-		fpm -s dir -t deb -a $(GOARCH) -f $(FPM_OPTS) --version=$(VERSION) \
-			$(FPM_COMMON_FILES) \
-			./katenary-linux-$(GOARCH)=/usr/local/bin/katenary
-
-pacman:
-	@echo "==> Building Pacman packages for $(GOARCH)..."
-	$(CTN) run -w /opt/katenary/dist $(PKG_OCI_OPTS) \
-		fpm -s dir -t pacman -a $(GOARCH) -f $(FPM_OPTS) --version=$(PACMAN_VERSION) \
-			$(FPM_COMMON_FILES_ARCHLINUX) \
-			./katenary-linux-$(GOARCH)=/usr/local/bin/katenary
-
-freebsd:
-	@echo "==> Building FreeBSD packages for $(GOARCH)..."
-	$(CTN) run -w /opt/katenary/dist $(PKG_OCI_OPTS) \
-		fpm -s dir -t freebsd -a $(GOARCH) -f $(FPM_OPTS) --version=$(VERSION)\
-			$(FPM_COMMON_FILES) \
-			./katenary-freebsd-$(GOARCH)=/usr/local/bin/katenary
-	mv dist/katenary-$(VERSION).txz dist/katenary-freebsd-$(VERSION).$(GOARCH).txz
-
-tar:
-	@echo "==> Building TAR packages for $(GOOS) $(GOARCH)..."
-	$(CTN) run -w /opt/katenary/dist $(PKG_OCI_OPTS) \
-		fpm -s dir -t tar -a $(GOARCH) -f $(FPM_OPTS) \
-			$(FPM_COMMON_FILES) \
-			./katenary-$(GOOS)-$(GOARCH)=/usr/local/bin/katenary
-	mv dist/katenary.tar dist/katenary-$(GOOS)-$(VERSION).$(GOARCH).tar
-
-packages: manpage packager-oci-image
-	for arch in amd64 arm64; do \
-		$(MAKE) rpm GOARCH=$$arch; \
-		$(MAKE) deb GOARCH=$$arch; \
-		$(MAKE) pacman GOARCH=$$arch; \
-		$(MAKE) freebsd GOARCH=$$arch; \
-		$(MAKE) tar GOARCH=$$arch GOOS=linux; \
-		$(MAKE) tar GOARCH=$$arch GOOS=freebsd; \
-	done
-
-packager-oci-image:
-	@$(CTN) build -t packaging:fedora ./packaging/oci 1>/dev/null
-
-## GPG signing
-
-gpg-sign:
-	rm -f dist/*.asc
-	$(MAKE) $(ASC_BINARIES)
-
-check-sign:
-	@echo "=> Checking signatures..."
-	@for f in $(ASC_BINARIES); do \
-		if gpg --verify $$f &>/dev/null; then \
-			echo "Signature for $$f is valid"; \
-		else \
-			echo "Signature for $$f is invalid"; \
-			exit 1; \
-		fi; \
-	done
-	@echo "=> checking in blank environment..."
-	keyid=$(shell gpg -k --with-colons $(SIGNER)| grep '^pub' | cut -d: -f5);
-	$(CTN) run --rm -it -e GPGKEY=$${keyid} -v ./dist:/opt/dist:z \
-		packaging:fedora \
-		bash -c '
-		gpg --recv-key $$GPGKEY || exit 1;
-		echo "Trusting $(SIGNER) key...";
-		echo "trusted-key 483493B2DD0845DA8F21A26DF3702E3FAD8F76DC" >> ~/.gnupg/gpg.conf;
-		gpg --update-trustdb;
-		rm -f ~/.gnupg/gpg.conf;
-		for f in /opt/dist/*.asc; do echo "==> $${f}"; gpg --verify $${f}; done;
-		echo "=> Listing imported keys...";
-		gpg -k
-		'
-
-dist/%.asc: dist/%
-	gpg --armor --detach-sign  --default-key $(SIGNER) $< &>/dev/null || exit 1
-
-
-check-dist-rocky:
-	@echo "=> Checking Rocky Linux package..."
-	p=$(wildcard dist/*x86_64.rpm);
-	$(CTN) run --rm -it -v ./dist:/opt:z quay.io/rockylinux/rockylinux:latest bash -c "
-		rpm -ivh /opt/$$(basename $$p);
-		katenary version;
-	"
-
-check-dist-fedora:
-	@echo "=> Checking Fedora package..."
-	p=$(wildcard dist/*x86_64.rpm);
-	$(CTN) run --rm -it -v ./dist:/opt:z quay.io/fedora/fedora:latest bash -c "
-		rpm -ivh /opt/$$(basename $$p);
-		katenary version;
-	"
-
-check-dist-archlinux:
-	echo "=> Checking ArchLinux package..."
-	p=$(wildcard dist/*x86_64.pkg.tar.zst);
-	$(CTN) run --rm -it -v ./dist:/opt:z quay.io/archlinux/archlinux bash -c "
-		pacman -U /opt/$$(basename $$p) --noconfirm;
-		katenary version;
-	"
-
-check-dist-debian:
-	@echo "=> Checking Debian package..."
-	p=$(wildcard dist/*amd64.deb);
-	$(CTN) run --rm -it -v ./dist:/opt:z debian:latest bash -c "
-		dpkg -i /opt/$$(basename $$p);
-		katenary version;
-	"
-check-dist-ubuntu:
-	@echo "=> Checking Ubuntu package..."
-	p=$(wildcard dist/*amd64.deb);
-	$(CTN) run --rm -it -v ./dist:/opt:z ubuntu:latest bash -c "
-		dpkg -i /opt/$$(basename $$p);
-		katenary version;
-	"
-
-check-dist-all:
-	$(MAKE) check-dist-fedora
-	$(MAKE) check-dist-rocky
-	$(MAKE) check-dist-debian
-	$(MAKE) check-dist-ubuntu
-	$(MAKE) check-dist-archlinux
-
 ## installation and uninstallation
 
 install: build
@@ -398,93 +105,6 @@ install: build
 uninstall:
 	rm -f $(PREFIX)/bin/katenary
 
-serve-doc: doc
-	@cd doc && \
-		[ -d venv ] || python -m venv venv; \
-		source venv/bin/activate && \
-		echo "==> Installing requirements in the virtual env..."
-		pip install -qq -r requirements.txt && \
-		echo "==> Serving doc with mkdocs..." && \
-		mkdocs serve
-
-## Documentation generation
-
-doc:
-	@echo "=> Generating documentation..."
-	# generate the labels doc and code doc
-	$(MAKE) __label_doc
-
-manpage:
-	@echo "=> Generating manpage from documentation"
-	@cd doc && \
-		[ -d venv ] || python -m venv venv; \
-		source venv/bin/activate && \
-		echo "==> Installing requirements in the virtual env..." && \
-		pip install -qq -r requirements.txt && \
-		echo "==> Generating manpage..." && \
-		MANPAGE=true mkdocs build && \
-		rm -rf site &&
-		echo "==> Manpage generated in doc/share/man/man1/katenary.1"
-
-install-gomarkdoc:
-	go install github.com/princjef/gomarkdoc/cmd/gomarkdoc@latest
-
-__label_doc:
-	@command -v gomarkdoc || (echo "==> We need to install gomarkdoc..." && \
-		$(MAKE) install-gomarkdoc)
-	@echo "=> Generating labels doc..."
-	# short label doc
-	go run ./cmd/katenary help-labels -m | \
-		sed -i '
-			/START_LABEL_DOC/,/STOP_LABEL_DOC/{/<!--/!d};
-			/START_LABEL_DOC/,/STOP_LABEL_DOC/r/dev/stdin
-		' doc/docs/labels.md
-	# detailed label doc
-	go run ./cmd/katenary help-labels -am | sed 's/^##/###/' | \
-		sed -i '
-			/START_DETAILED_DOC/,/STOP_DETAILED_DOC/{/<!--/!d}; 
-			/START_DETAILED_DOC/,/STOP_DETAILED_DOC/r/dev/stdin
-		' doc/docs/labels.md
-	
-	echo "=> Generating Code documentation..."
-	PACKAGES=$$(for f in $$(find . -name "*.go" -type f); do dirname $$f; done | sort -u)
-	for pack in $$PACKAGES; do
-		echo "-> Generating doc for $$pack"
-		gomarkdoc --repository.default-branch $(shell git branch --show-current) -o doc/docs/packages/$$pack.md $$pack
-		sed -i  '/^## Index/,/^##/ { /## Index/d; /^##/! d }' doc/docs/packages/$$pack.md
-	done
-
-
-## TESTS, security analysis, and code quality
-
-# Scan the source code. 
-# - we don't need detection of text/template as it's not a web application, and
-# - we don't need sha1 detection as it is not used for cryptographic purposes.
-# Note: metrics are actually not sent to anyone - it's a thing that is removed from the code in the future.
-sast:
-	opengrep \
-		--config auto \
-		--exclude-rule go.lang.security.audit.xss.import-text-template.import-text-template \
-		--exclude-rule go.lang.security.audit.crypto.use_of_weak_crypto.use-of-sha1  \
-		--metrics=on  \
-		.
-test:
-	@echo -e "\033[1;33mTesting katenary $(VERSION)...\033[0m"
-	go test -coverprofile=cover.out ./...
-	$(MAKE) cover
-
-cover:
-	@go tool cover -func=cover.out | grep "total:"
-	go tool cover -html=cover.out -o cover.html
-
-show-cover:
-	@[ -f cover.html ] || (echo "cover.html is not present, run make test before"; exit 1)
-	if [ "$(BROWSER)" = "xdg-open" ]; then
-		xdg-open cover.html
-	else
-		$(BROWSER) -i --new-window cover.html
-	fi
-
 ## Miscellaneous
 
 clean-all: clean-dist clean-package-signer clean-go-cache
diff --git a/cmd/katenary/main_test.go b/cmd/katenary/main_test.go
index 679fee7..758806b 100644
--- a/cmd/katenary/main_test.go
+++ b/cmd/katenary/main_test.go
@@ -13,8 +13,7 @@ func TestBuildCommand(t *testing.T) {
 	rootCmd := buildRootCmd()
 	if rootCmd == nil {
 		t.Errorf("Expected rootCmd to be defined")
-	}
-	if rootCmd.Use != "katenary" {
+	} else if rootCmd.Use != "katenary" {
 		t.Errorf("Expected rootCmd.Use to be katenary, got %s", rootCmd.Use)
 	}
 	numCommands := 6
@@ -53,18 +52,27 @@ func TestSchemaCommand(t *testing.T) {
 	}
 	schema := generateSchemaCommand()
 	old := os.Stdout
-	r, w, _ := os.Pipe()
+	r, w, err := os.Pipe()
+	if err != nil {
+		t.Fatalf("Failed to create pipe: %v", err)
+	}
 	os.Stdout = w
-	schema.Run(cmd, nil)
-	w.Close()
-	os.Stdout = old
 	var buf bytes.Buffer
+
+	done := make(chan struct{})
+	go func() {
+		schema.Run(cmd, nil)
+		w.Close()
+		close(done)
+	}()
 	io.Copy(&buf, r)
-	output := buf.String()
+	<-done
+
+	os.Stdout = old
 
 	// try to parse json
-	schemaContent := make(map[string]interface{})
-	if err := json.Unmarshal([]byte(output), &schemaContent); err != nil {
-		t.Errorf("Expected valid json, got %s", output)
+	schemaContent := make(map[string]any)
+	if err := json.Unmarshal(buf.Bytes(), &schemaContent); err != nil {
+		t.Errorf("Expected valid json")
 	}
 }
diff --git a/generator/service.go b/generator/service.go
index 730577f..2070641 100644
--- a/generator/service.go
+++ b/generator/service.go
@@ -51,11 +51,7 @@ func NewService(service types.ServiceConfig, appName string) *Service {
 
 // AddPort adds a port to the service.
 func (s *Service) AddPort(port types.ServicePortConfig, serviceName ...string) {
-	name := s.service.Name
-	if len(serviceName) > 0 {
-		name = serviceName[0]
-	}
-
+	var name string
 	var finalport intstr.IntOrString
 
 	if targetPort := utils.GetServiceNameByPort(int(port.Target)); targetPort == "" {
@@ -88,7 +84,7 @@ func (s *Service) Yaml() ([]byte, error) {
 	}
 
 	lines := []string{}
-	for _, line := range strings.Split(string(y), "\n") {
+	for line := range strings.SplitSeq(string(y), "\n") {
 		if regexp.MustCompile(`^\s*loadBalancer:\s*`).MatchString(line) {
 			continue
 		}
diff --git a/go.mod b/go.mod
index 54a12c0..5bffa26 100644
--- a/go.mod
+++ b/go.mod
@@ -11,9 +11,9 @@ require (
 	github.com/spf13/cobra v1.9.1
 	github.com/thediveo/netdb v1.1.2
 	gopkg.in/yaml.v3 v3.0.1
-	k8s.io/api v0.33.2
-	k8s.io/apimachinery v0.33.2
-	sigs.k8s.io/yaml v1.5.0
+	k8s.io/api v0.33.3
+	k8s.io/apimachinery v0.33.3
+	sigs.k8s.io/yaml v1.6.0
 )
 
 require (
@@ -22,7 +22,7 @@ require (
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
-	github.com/fxamacker/cbor/v2 v2.8.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
@@ -38,22 +38,22 @@ require (
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
-	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/spf13/pflag v1.0.7 // indirect
 	github.com/wk8/go-ordered-map/v2 v2.1.8 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
-	golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b // indirect
-	golang.org/x/net v0.41.0 // indirect
-	golang.org/x/sync v0.15.0 // indirect
-	golang.org/x/sys v0.33.0 // indirect
-	golang.org/x/text v0.26.0 // indirect
+	golang.org/x/exp v0.0.0-20250718183923-645b1fa84792 // indirect
+	golang.org/x/net v0.42.0 // indirect
+	golang.org/x/sync v0.16.0 // indirect
+	golang.org/x/sys v0.34.0 // indirect
+	golang.org/x/text v0.27.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 // indirect
-	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.7.0 // indirect
 )
diff --git a/go.sum b/go.sum
index c896504..eeda066 100644
--- a/go.sum
+++ b/go.sum
@@ -15,8 +15,8 @@ github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj
 github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
-github.com/fxamacker/cbor/v2 v2.8.0 h1:fFtUGXUzXPHTIUdne5+zzMPTfffl3RD5qYnkY40vtxU=
-github.com/fxamacker/cbor/v2 v2.8.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
+github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
+github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
 github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
 github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
@@ -73,8 +73,9 @@ github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
 github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
-github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
 github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.7 h1:vN6T9TfwStFPFM5XzjsvmzZkLuaLX+HS+0SeFLRgU6M=
+github.com/spf13/pflag v1.0.7/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
@@ -102,37 +103,37 @@ go.yaml.in/yaml/v3 v3.0.3/go.mod h1:tBHosrYAkRZjRAOREWbDnBXUf08JOwYq++0QNwQiWzI=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b h1:M2rDM6z3Fhozi9O7NWsxAkg/yqS/lQJ6PmkyIV3YP+o=
-golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b/go.mod h1:3//PLf8L/X+8b4vuAfHzxeRUl04Adcb341+IGKfnqS8=
+golang.org/x/exp v0.0.0-20250718183923-645b1fa84792 h1:R9PFI6EUdfVKgwKjZef7QIwGcBKu86OEFpJ9nUEP2l4=
+golang.org/x/exp v0.0.0-20250718183923-645b1fa84792/go.mod h1:A+z0yzpGtvnG90cToK5n2tu8UJVP2XUATh+r+sfOOOc=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.41.0 h1:vBTly1HeNPEn3wtREYfy4GZ/NECgw2Cnl+nK6Nz3uvw=
-golang.org/x/net v0.41.0/go.mod h1:B/K4NNqkfmg07DQYrbwvSluqCJOOXwUjeb/5lOisjbA=
+golang.org/x/net v0.42.0 h1:jzkYrhi3YQWD6MLBJcsklgQsoAcw89EcZbJw8Z614hs=
+golang.org/x/net v0.42.0/go.mod h1:FF1RA5d3u7nAYA4z2TkclSCKh68eSXtiFwcWQpPXdt8=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
-golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
+golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
-golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.34.0 h1:H5Y5sJ2L2JRdyv7ROF1he/lPdvFsd0mJHFw2ThKHxLA=
+golang.org/x/sys v0.34.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M=
-golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA=
+golang.org/x/text v0.27.0 h1:4fGWRpyh641NLlecmyl4LOe6yDdfaYNrGb2zdfo4JV4=
+golang.org/x/text v0.27.0/go.mod h1:1D28KMCvyooCX9hBiosv5Tz/+YLxj0j7XhWjpSUF7CU=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.34.0 h1:qIpSLOxeCYGg9TrcJokLBG4KFA6d795g0xkBkiESGlo=
-golang.org/x/tools v0.34.0/go.mod h1:pAP9OwEaY1CAW3HOmg3hLZC5Z0CCmzjAF2UQMSqNARg=
+golang.org/x/tools v0.35.0 h1:mBffYraMEf7aa0sB+NuKnuCy8qI/9Bughn8dC2Gu5r0=
+golang.org/x/tools v0.35.0/go.mod h1:NKdj5HkL/73byiZSJjqJgKn3ep7KjFkBOkR/Hps3VPw=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -147,21 +148,21 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o=
 gotest.tools/v3 v3.4.0/go.mod h1:CtbdzLSsqVhDgMtKsx03ird5YTGB3ar27v0u/yKBW5g=
-k8s.io/api v0.33.2 h1:YgwIS5jKfA+BZg//OQhkJNIfie/kmRsO0BmNaVSimvY=
-k8s.io/api v0.33.2/go.mod h1:fhrbphQJSM2cXzCWgqU29xLDuks4mu7ti9vveEnpSXs=
-k8s.io/apimachinery v0.33.2 h1:IHFVhqg59mb8PJWTLi8m1mAoepkUNYmptHsV+Z1m5jY=
-k8s.io/apimachinery v0.33.2/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM=
+k8s.io/api v0.33.3 h1:SRd5t//hhkI1buzxb288fy2xvjubstenEKL9K51KBI8=
+k8s.io/api v0.33.3/go.mod h1:01Y/iLUjNBM3TAvypct7DIj0M0NIZc+PzAHCIo0CYGE=
+k8s.io/apimachinery v0.33.3 h1:4ZSrmNa0c/ZpZJhAgRdcsFcZOw1PQU1bALVQ0B3I5LA=
+k8s.io/apimachinery v0.33.3/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y=
 k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/randfill v0.0.0-20250304075658-069ef1bbf016/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
 sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
 sigs.k8s.io/structured-merge-diff/v4 v4.7.0 h1:qPeWmscJcXP0snki5IYF79Z8xrl8ETFxgMd7wez1XkI=
 sigs.k8s.io/structured-merge-diff/v4 v4.7.0/go.mod h1:dDy58f92j70zLsuZVuUX5Wp9vtxXpaZnkPGWeqDfCps=
 sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
-sigs.k8s.io/yaml v1.5.0 h1:M10b2U7aEUY6hRtU870n2VTPgR5RZiL/I6Lcc2F4NUQ=
-sigs.k8s.io/yaml v1.5.0/go.mod h1:wZs27Rbxoai4C0f8/9urLZtZtF3avA3gKvGyPdDqTO4=
+sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs=
+sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4=
diff --git a/makefiles/build.mk b/makefiles/build.mk
new file mode 100644
index 0000000..21720b4
--- /dev/null
+++ b/makefiles/build.mk
@@ -0,0 +1,88 @@
+## BUILD
+
+# Simply build the binary for the current OS and architecture
+build: pull katenary
+
+pull:
+ifneq ($(GO),local)
+	@echo -e "\033[1;32mPulling $(BUILD_IMAGE) docker image\033[0m"
+	@$(CTN) pull $(BUILD_IMAGE)
+endif
+
+katenary: $(SOURCES) go.mod go.sum builder-oci-image
+ifeq ($(GO),local)
+	@echo "=> Build on host using go"
+	$(GO_BUILD)
+else
+	@echo "=> Build in container using" $(CTN)
+	@$(GO_OCI) $(GO_BUILD)
+endif
+
+
+# Make dist, build executables for all platforms, sign them, and compress them with upx if possible.
+# Also generate the windows installer.
+binaries: prepare $(BINARIES)
+dist: binaries upx packages
+dist-full: clean-dist dist gpg-sign check-sign rpm-sign check-dist-all
+
+prepare: pull packager-oci-image
+	mkdir -p dist
+
+dist/katenary-linux-amd64: $(SOURCES) go.mod go.sum
+	@echo
+	@echo -e "\033[1;32mBuilding katenary $(VERSION) for linux amd64...\033[0m"
+	$(MAKE) katenary GOOS=linux GOARCH=amd64 OUTPUT=$@
+	strip $@
+
+dist/katenary-linux-arm64: $(SOURCES) go.mod go.sum
+	@echo
+	@echo -e "\033[1;32mBuilding katenary $(VERSION) for linux arm64...\033[0m"
+	$(MAKE) katenary GOOS=linux GOARCH=arm64 OUTPUT=$@
+
+dist/katenary.exe: $(SOURCES) go.mod go.sum
+	@echo
+	@echo -e "\033[1;32mBuilding katenary $(VERSION) for windows...\033[0m"
+	$(MAKE) katenary GOOS=windows GOARCH=amd64 OUTPUT=$@
+
+dist/katenary-darwin-amd64: $(SOURCES) go.mod go.sum
+	@echo
+	@echo -e "\033[1;32mBuilding katenary $(VERSION) for darwin amd64...\033[0m"
+	$(MAKE) katenary GOOS=darwin GOARCH=amd64 OUTPUT=$@
+
+dist/katenary-darwin-arm64: $(SOURCES) go.mod go.sum
+	@echo
+	@echo -e "\033[1;32mBuilding katenary $(VERSION) for darwin arm64...\033[0m"
+	$(MAKE) katenary GOOS=darwin GOARCH=arm64 OUTPUT=$@
+
+dist/katenary-freebsd-amd64: $(SOURCES) go.mod go.sum
+	@echo
+	@echo -e "\033[1;32mBuilding katenary $(VERSION) for freebsd amd64...\033[0m"
+	$(MAKE) katenary GOOS=freebsd GOARCH=amd64 OUTPUT=$@
+	strip $@
+
+dist/katenary-freebsd-arm64: $(SOURCES) go.mod go.sum
+	@echo
+	@echo -e "\033[1;32mBuilding katenary $(VERSION) for freebsd arm64...\033[0m"
+	$(MAKE) katenary GOOS=freebsd GOARCH=arm64 OUTPUT=$@
+
+dist/katenary-windows-setup.exe: nsis/EnVar.dll dist/katenary.exe
+	@$(CTN) run -w /opt/katenary $(PKG_OCI_OPTS) \
+		makensis -DAPP_VERSION=$(VERSION) nsis/katenary.nsi
+	mv nsis/katenary-windows-setup.exe dist/katenary-windows-setup.exe
+
+# Download the EnVar plugin for NSIS, put it in the nsis directory, and clean up
+nsis/EnVar.dll:
+	curl https://nsis.sourceforge.io/mediawiki/images/7/7f/EnVar_plugin.zip -o nsis/EnVar_plugin.zip
+	cd nsis
+	unzip -o EnVar_plugin.zip Plugins/x86-unicode/EnVar.dll
+	mv Plugins/x86-unicode/EnVar.dll EnVar.dll
+	rm -rf EnVar_plugin.zip Plugins
+
+# UPX compression
+upx: upx-linux upx-darwin
+
+upx-linux: dist/katenary-linux-amd64 dist/katenary-linux-arm64
+	$(UPX) $^
+
+upx-darwin: dist/katenary-darwin-amd64
+	$(UPX) --force-macos $^
diff --git a/makefiles/containers.mk b/makefiles/containers.mk
new file mode 100644
index 0000000..22ee75f
--- /dev/null
+++ b/makefiles/containers.mk
@@ -0,0 +1,47 @@
+
+# Get the container (Podman is preferred, but docker can be used too. It may failed with Docker.)
+# TODO: propose nerdctl
+CTN:=$(shell which podman 2>&1 1>/dev/null && echo "podman" || echo "docker")
+ifeq ($(CTN),podman)
+	CTN_USERMAP=--userns=keep-id
+else
+	$(MAKE) warn-docker
+	CTN_USERMAP=--user=$(shell id -u):$(shell id -g) -e HOME=/tmp
+endif
+
+# Packaging OCI image, to build rpm, deb, pacman, tar packages
+# We changes the keep-id uid/gid for Podman, so that the user inside the container is the same as the user outside.
+# For Docker, as it doesn't support userns, we use common options, but it may fail...
+PKG_OCI_IMAGE=packaging:fedora
+ifeq ($(CTN),podman)
+	# podman
+	PKG_OCI_OPTS:=--rm -it \
+		-v ./:/opt/katenary:z \
+		--userns keep-id:uid=1001,gid=1001 \
+		$(PKG_OCI_IMAGE)
+else
+	# docker
+	PKG_OCI_OPTS:=--rm -it \
+		-v ./:/opt/katenary:z \
+		-e HOME=/tmp \
+		$(CTN_USERMAP) \
+		$(PKG_OCI_IMAGE)
+endif
+GO_BUILD=go build -ldflags="-X 'katenary/generator.Version=$(VERSION)'" -o $(OUTPUT)  ./cmd/katenary
+BUILD_IMAGE=docker.io/golang:$(GOVERSION)
+	
+GO_OCI:=$(CTN) run --rm -it \
+	-v $(PWD):/go/src/katenary:z \
+	-w /go/src/katenary \
+	-e CGO_ENABLED=$(CGO_ENABLED) \
+	-e GOOS=$(GOOS) \
+	-e GOARCH=$(GOARCH) \
+	$(CTN_USERMAP) \
+	go-builder:$(GOVERSION)
+
+packager-oci-image:
+	@$(CTN) build -t packaging:fedora ./oci/packager 1>/dev/null
+
+builder-oci-image:
+	@$(CTN) build -t go-builder:$(GOVERSION) ./oci/builder \
+		--build-arg GOVERSION=$(GOVERSION) 1>/dev/null
diff --git a/makefiles/doc.mk b/makefiles/doc.mk
new file mode 100644
index 0000000..b3aab22
--- /dev/null
+++ b/makefiles/doc.mk
@@ -0,0 +1,56 @@
+
+## Documentation generation
+serve-doc: doc
+	@cd doc && \
+		[ -d venv ] || python -m venv venv; \
+		source venv/bin/activate && \
+		echo "==> Installing requirements in the virtual env..."
+		pip install -qq -r requirements.txt && \
+		echo "==> Serving doc with mkdocs..." && \
+		mkdocs serve
+
+
+doc:
+	@echo "=> Generating documentation..."
+	# generate the labels doc and code doc
+	$(MAKE) __label_doc
+
+manpage:
+	@echo "=> Generating manpage from documentation"
+	@cd doc && \
+		[ -d venv ] || python -m venv venv; \
+		source venv/bin/activate && \
+		echo "==> Installing requirements in the virtual env..." && \
+		pip install -qq -r requirements.txt && \
+		echo "==> Generating manpage..." && \
+		MANPAGE=true mkdocs build && \
+		rm -rf site &&
+		echo "==> Manpage generated in doc/share/man/man1/katenary.1"
+
+install-gomarkdoc:
+	go install github.com/princjef/gomarkdoc/cmd/gomarkdoc@latest
+
+__label_doc:
+	@command -v gomarkdoc || (echo "==> We need to install gomarkdoc..." && \
+		$(MAKE) install-gomarkdoc)
+	@echo "=> Generating labels doc..."
+	# short label doc
+	go run ./cmd/katenary help-labels -m | \
+		sed -i '
+			/START_LABEL_DOC/,/STOP_LABEL_DOC/{/<!--/!d};
+			/START_LABEL_DOC/,/STOP_LABEL_DOC/r/dev/stdin
+		' doc/docs/labels.md
+	# detailed label doc
+	go run ./cmd/katenary help-labels -am | sed 's/^##/###/' | \
+		sed -i '
+			/START_DETAILED_DOC/,/STOP_DETAILED_DOC/{/<!--/!d}; 
+			/START_DETAILED_DOC/,/STOP_DETAILED_DOC/r/dev/stdin
+		' doc/docs/labels.md
+	
+	echo "=> Generating Code documentation..."
+	PACKAGES=$$(for f in $$(find . -name "*.go" -type f); do dirname $$f; done | sort -u)
+	for pack in $$PACKAGES; do
+		echo "-> Generating doc for $$pack"
+		gomarkdoc --repository.default-branch $(shell git branch --show-current) -o doc/docs/packages/$$pack.md $$pack
+		sed -i  '/^## Index/,/^##/ { /## Index/d; /^##/! d }' doc/docs/packages/$$pack.md
+	done
diff --git a/makefiles/gpg.mk b/makefiles/gpg.mk
new file mode 100644
index 0000000..ba5b9fa
--- /dev/null
+++ b/makefiles/gpg.mk
@@ -0,0 +1,33 @@
+## GPG signing
+
+gpg-sign:
+	rm -f dist/*.asc
+	$(MAKE) $(ASC_BINARIES)
+
+check-sign:
+	@echo "=> Checking signatures..."
+	@for f in $(ASC_BINARIES); do \
+		if gpg --verify $$f &>/dev/null; then \
+			echo "Signature for $$f is valid"; \
+		else \
+			echo "Signature for $$f is invalid"; \
+			exit 1; \
+		fi; \
+	done
+	@echo "=> checking in blank environment..."
+	keyid=$(shell gpg -k --with-colons $(SIGNER)| grep '^pub' | cut -d: -f5);
+	$(CTN) run --rm -it -e GPGKEY=$${keyid} -v ./dist:/opt/dist:z \
+		packaging:fedora \
+		bash -c '
+		gpg --recv-key $$GPGKEY || exit 1;
+		echo "Trusting $(SIGNER) key...";
+		echo "trusted-key 483493B2DD0845DA8F21A26DF3702E3FAD8F76DC" >> ~/.gnupg/gpg.conf;
+		gpg --update-trustdb;
+		rm -f ~/.gnupg/gpg.conf;
+		for f in /opt/dist/*.asc; do echo "==> $${f}"; gpg --verify $${f}; done;
+		echo "=> Listing imported keys...";
+		gpg -k
+		'
+
+dist/%.asc: dist/%
+	gpg --armor --detach-sign  --default-key $(SIGNER) $< &>/dev/null || exit 1
diff --git a/makefiles/packager.mk b/makefiles/packager.mk
new file mode 100644
index 0000000..9079456
--- /dev/null
+++ b/makefiles/packager.mk
@@ -0,0 +1,138 @@
+## Linux / FreeBSD packages with fpm
+
+DESCRIPTION := $(shell cat oci/description | sed ':a;N;$$!ba;s/\n/\\n/g')
+
+FPM_OPTS=--name katenary \
+	--url https://katenary.org \
+	--vendor "Katenary Project" \
+	--maintainer "Patrice Ferlet <metal3d@gmail.com>" \
+	--license "MIT" \
+	--description="$$(printf "$(DESCRIPTION)" | fold -s)"
+
+# base files (doc...)
+FPM_BASES=../LICENSE=/usr/local/share/doc/katenary/LICENSE \
+	../README.md=/usr/local/share/doc/katenary/README.md
+
+FPM_COMMON_FILES=$(FPM_BASES) ../doc/share/man/man1/katenary.1=/usr/local/share/man/man1/katenary.1
+
+# ArchLinux has got inconsistent /usr/local/man directory
+FPM_COMMON_FILES_ARCHLINUX=$(FPM_BASES) ../doc/share/man/man1/katenary.1=/usr/local/man/man1/katenary.1 \
+
+# Pacman refuses dashes in version, and should start with a number
+PACMAN_VERSION=$(shell echo $(VERSION) | sed 's/-/./g; s/^v//')
+
+define RPM_MACROS
+%_signature gpg
+%_gpg_path /home/builder/.gnupg
+%_gpg_name $(SIGNER)
+%_gpgbin /usr/bin/gpg2
+%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}'
+endef
+
+rpm: dist/katenary-linux-$(GOARCH)
+	@echo "==> Building RPM packages for $(GOARCH)..."
+	$(CTN) run -w /opt/katenary/dist $(PKG_OCI_OPTS) \
+		fpm -s dir -t rpm -a $(GOARCH) -f $(FPM_OPTS) --version=$(VERSION) \
+			$(FPM_COMMON_FILES) \
+			./katenary-linux-$(GOARCH)=/usr/local/bin/katenary
+rpm-sign:
+	[ -f .rpmmacros ]  || echo "$(RPM_MACROS)" > .rpmmacros
+	[ -f .secret.gpg ] || gpg --export-secret-keys -a $(SIGNER) > .secret.gpg
+	$(CTN) run -w /opt/katenary/dist \
+		-v ./.secret.gpg:/home/builder/signer.gpg \
+		-v packager-gpg:/home/builder/.gnupg \
+		$(PKG_OCI_OPTS) \
+		gpg --import /home/builder/signer.gpg
+	$(CTN) run -w /opt/katenary/dist \
+		-v .rpmmacros:/home/builder/.rpmmacros:z \
+		-v packager-gpg:/home/builder/.gnupg \
+		$(PKG_OCI_OPTS) \
+		bash -c 'for rpm in $$(find . -iname "*.rpm"); do echo signing: $$rpm; rpm --addsign $$rpm; done'
+
+deb:
+	@echo "==> Building DEB packages for $(GOARCH)..."
+	$(CTN) run -w /opt/katenary/dist $(PKG_OCI_OPTS) \
+		fpm -s dir -t deb -a $(GOARCH) -f $(FPM_OPTS) --version=$(VERSION) \
+			$(FPM_COMMON_FILES) \
+			./katenary-linux-$(GOARCH)=/usr/local/bin/katenary
+
+pacman:
+	@echo "==> Building Pacman packages for $(GOARCH)..."
+	$(CTN) run -w /opt/katenary/dist $(PKG_OCI_OPTS) \
+		fpm -s dir -t pacman -a $(GOARCH) -f $(FPM_OPTS) --version=$(PACMAN_VERSION) \
+			$(FPM_COMMON_FILES_ARCHLINUX) \
+			./katenary-linux-$(GOARCH)=/usr/local/bin/katenary
+
+freebsd:
+	@echo "==> Building FreeBSD packages for $(GOARCH)..."
+	$(CTN) run -w /opt/katenary/dist $(PKG_OCI_OPTS) \
+		fpm -s dir -t freebsd -a $(GOARCH) -f $(FPM_OPTS) --version=$(VERSION)\
+			$(FPM_COMMON_FILES) \
+			./katenary-freebsd-$(GOARCH)=/usr/local/bin/katenary
+	mv dist/katenary-$(VERSION).txz dist/katenary-freebsd-$(VERSION).$(GOARCH).txz
+
+tar:
+	@echo "==> Building TAR packages for $(GOOS) $(GOARCH)..."
+	$(CTN) run -w /opt/katenary/dist $(PKG_OCI_OPTS) \
+		fpm -s dir -t tar -a $(GOARCH) -f $(FPM_OPTS) \
+			$(FPM_COMMON_FILES) \
+			./katenary-$(GOOS)-$(GOARCH)=/usr/local/bin/katenary
+	mv dist/katenary.tar dist/katenary-$(GOOS)-$(VERSION).$(GOARCH).tar
+
+packages: manpage packager-oci-image
+	for arch in amd64 arm64; do \
+		$(MAKE) rpm GOARCH=$$arch; \
+		$(MAKE) deb GOARCH=$$arch; \
+		$(MAKE) pacman GOARCH=$$arch; \
+		$(MAKE) freebsd GOARCH=$$arch; \
+		$(MAKE) tar GOARCH=$$arch GOOS=linux; \
+		$(MAKE) tar GOARCH=$$arch GOOS=freebsd; \
+	done
+
+
+
+check-dist-rocky:
+	@echo "=> Checking Rocky Linux package..."
+	p=$(wildcard dist/*x86_64.rpm);
+	$(CTN) run --rm -it -v ./dist:/opt:z quay.io/rockylinux/rockylinux:latest bash -c "
+		rpm -ivh /opt/$$(basename $$p);
+		katenary version;
+	"
+
+check-dist-fedora:
+	@echo "=> Checking Fedora package..."
+	p=$(wildcard dist/*x86_64.rpm);
+	$(CTN) run --rm -it -v ./dist:/opt:z quay.io/fedora/fedora:latest bash -c "
+		rpm -ivh /opt/$$(basename $$p);
+		katenary version;
+	"
+
+check-dist-archlinux:
+	echo "=> Checking ArchLinux package..."
+	p=$(wildcard dist/*x86_64.pkg.tar.zst);
+	$(CTN) run --rm -it -v ./dist:/opt:z quay.io/archlinux/archlinux bash -c "
+		pacman -U /opt/$$(basename $$p) --noconfirm;
+		katenary version;
+	"
+
+check-dist-debian:
+	@echo "=> Checking Debian package..."
+	p=$(wildcard dist/*amd64.deb);
+	$(CTN) run --rm -it -v ./dist:/opt:z debian:latest bash -c "
+		dpkg -i /opt/$$(basename $$p);
+		katenary version;
+	"
+check-dist-ubuntu:
+	@echo "=> Checking Ubuntu package..."
+	p=$(wildcard dist/*amd64.deb);
+	$(CTN) run --rm -it -v ./dist:/opt:z ubuntu:latest bash -c "
+		dpkg -i /opt/$$(basename $$p);
+		katenary version;
+	"
+
+check-dist-all:
+	$(MAKE) check-dist-fedora
+	$(MAKE) check-dist-rocky
+	$(MAKE) check-dist-debian
+	$(MAKE) check-dist-ubuntu
+	$(MAKE) check-dist-archlinux
diff --git a/makefiles/test.mk b/makefiles/test.mk
new file mode 100644
index 0000000..01fb8c8
--- /dev/null
+++ b/makefiles/test.mk
@@ -0,0 +1,32 @@
+
+## TESTS, security analysis, and code quality
+
+# Scan the source code. 
+# - we don't need detection of text/template as it's not a web application, and
+# - we don't need sha1 detection as it is not used for cryptographic purposes.
+# Note: metrics are actually not sent to anyone - it's a thing that is removed from the code in the future.
+sast:
+	opengrep \
+		--config auto \
+		--exclude-rule go.lang.security.audit.xss.import-text-template.import-text-template \
+		--exclude-rule go.lang.security.audit.crypto.use_of_weak_crypto.use-of-sha1  \
+		--metrics=on  \
+		.
+test: builder-oci-image
+	@echo -e "\033[1;33mTesting katenary $(VERSION)...\033[0m"
+	$(GO_OCI) go test -v -coverprofile=cover.out ./... || exit 1
+	$(MAKE) cover
+
+cover: builder-oci-image
+	$(GO_OCI) \
+		go tool cover -func=cover.out | grep "total:"
+	$(GO_OCI) \
+		go tool cover -html=cover.out -o cover.html
+
+show-cover:
+	@[ -f cover.html ] || (echo "cover.html is not present, run make test before"; exit 1)
+	if [ "$(BROWSER)" = "xdg-open" ]; then
+		xdg-open cover.html
+	else
+		$(BROWSER) -i --new-window cover.html
+	fi
diff --git a/oci/builder/Containerfile b/oci/builder/Containerfile
new file mode 100644
index 0000000..825dc4e
--- /dev/null
+++ b/oci/builder/Containerfile
@@ -0,0 +1,8 @@
+ARG GOVERSION=1.24
+FROM docker.io/golang:${GOVERSION}
+# install helm
+RUN set -xe; \
+  apt-get update && apt-get install -y curl; \
+  curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
+
+
diff --git a/packaging/description b/oci/description
similarity index 100%
rename from packaging/description
rename to oci/description
diff --git a/packaging/oci/Containerfile b/oci/packager/Containerfile
similarity index 100%
rename from packaging/oci/Containerfile
rename to oci/packager/Containerfile