From 006cd2e4407ba005f08b9bb74147101e769beb31 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Sat, 28 Sep 2024 00:57:49 +0000 Subject: [PATCH] Added chart versions: linkerd/linkerd-control-plane: - 2024.9.3 linkerd/linkerd-crds: - 2024.9.3 nats/nats: - 1.2.5 redpanda/redpanda: - 5.9.5 speedscale/speedscale-operator: - 2.2.476 traefik/traefik: - 32.0.0 --- .../linkerd-control-plane-2024.9.2.tgz | Bin 31572 -> 31564 bytes .../linkerd-control-plane-2024.9.3.tgz | Bin 0 -> 31572 bytes assets/linkerd/linkerd-crds-2024.9.3.tgz | Bin 0 -> 113052 bytes assets/nats/nats-1.2.5.tgz | Bin 0 -> 20135 bytes assets/redpanda/redpanda-5.9.5.tgz | Bin 0 -> 410765 bytes .../speedscale-operator-2.2.476.tgz | Bin 0 -> 17062 bytes assets/traefik/traefik-32.0.0.tgz | Bin 0 -> 247261 bytes .../linkerd-control-plane/2024.9.2/Chart.yaml | 1 - .../2024.9.3/.helmignore | 22 + .../linkerd-control-plane/2024.9.3/Chart.lock | 6 + .../linkerd-control-plane/2024.9.3/Chart.yaml | 29 + .../linkerd-control-plane/2024.9.3/README.md | 321 + .../2024.9.3/README.md.gotmpl | 133 + .../2024.9.3/app-readme.md | 14 + .../2024.9.3/charts/partials/.helmignore | 21 + .../2024.9.3/charts/partials/Chart.yaml | 5 + .../2024.9.3/charts/partials/README.md | 9 + .../2024.9.3/charts/partials/README.md.gotmpl | 14 + .../charts/partials/templates/NOTES.txt | 0 .../charts/partials/templates/_affinity.tpl | 38 + .../partials/templates/_capabilities.tpl | 16 + .../charts/partials/templates/_debug.tpl | 15 + .../charts/partials/templates/_helpers.tpl | 14 + .../charts/partials/templates/_metadata.tpl | 17 + .../partials/templates/_network-validator.tpl | 45 + .../partials/templates/_nodeselector.tpl | 4 + .../partials/templates/_proxy-config-ann.tpl | 18 + .../charts/partials/templates/_proxy-init.tpl | 98 + .../charts/partials/templates/_proxy.tpl | 267 + .../partials/templates/_pull-secrets.tpl | 6 + .../charts/partials/templates/_resources.tpl | 28 + .../partials/templates/_tolerations.tpl | 4 + .../charts/partials/templates/_trace.tpl | 5 + .../charts/partials/templates/_validate.tpl | 19 + .../charts/partials/templates/_volumes.tpl | 20 + .../2024.9.3/charts/partials/values.yaml | 0 .../2024.9.3/questions.yaml | 19 + .../2024.9.3/templates/NOTES.txt | 19 + .../2024.9.3/templates/config-rbac.yaml | 16 + .../2024.9.3/templates/config.yaml | 39 + .../2024.9.3/templates/destination-rbac.yaml | 327 + .../2024.9.3/templates/destination.yaml | 435 + .../2024.9.3/templates/heartbeat-rbac.yaml | 78 + .../2024.9.3/templates/heartbeat.yaml | 94 + .../2024.9.3/templates/identity-rbac.yaml | 49 + .../2024.9.3/templates/identity.yaml | 272 + .../2024.9.3/templates/namespace.yaml | 18 + .../2024.9.3/templates/podmonitor.yaml | 128 + .../templates/proxy-injector-rbac.yaml | 120 + .../2024.9.3/templates/proxy-injector.yaml | 222 + .../2024.9.3/templates/psp.yaml | 119 + .../2024.9.3/values-ha.yaml | 63 + .../2024.9.3/values.yaml | 664 + .../linkerd/linkerd-crds/2024.9.3/.helmignore | 22 + .../linkerd/linkerd-crds/2024.9.3/Chart.lock | 6 + .../linkerd/linkerd-crds/2024.9.3/Chart.yaml | 26 + .../linkerd/linkerd-crds/2024.9.3/README.md | 71 + .../linkerd-crds/2024.9.3/README.md.gotmpl | 59 + .../linkerd-crds/2024.9.3/app-readme.md | 9 + .../2024.9.3/charts/partials/.helmignore | 21 + .../2024.9.3/charts/partials/Chart.yaml | 5 + .../2024.9.3/charts/partials/README.md | 9 + .../2024.9.3/charts/partials/README.md.gotmpl | 14 + .../charts/partials/templates/NOTES.txt | 0 .../charts/partials/templates/_affinity.tpl | 38 + .../partials/templates/_capabilities.tpl | 16 + .../charts/partials/templates/_debug.tpl | 15 + .../charts/partials/templates/_helpers.tpl | 14 + .../charts/partials/templates/_metadata.tpl | 17 + .../partials/templates/_network-validator.tpl | 45 + .../partials/templates/_nodeselector.tpl | 4 + .../partials/templates/_proxy-config-ann.tpl | 18 + .../charts/partials/templates/_proxy-init.tpl | 98 + .../charts/partials/templates/_proxy.tpl | 267 + .../partials/templates/_pull-secrets.tpl | 6 + .../charts/partials/templates/_resources.tpl | 28 + .../partials/templates/_tolerations.tpl | 4 + .../charts/partials/templates/_trace.tpl | 5 + .../charts/partials/templates/_validate.tpl | 19 + .../charts/partials/templates/_volumes.tpl | 20 + .../2024.9.3/charts/partials/values.yaml | 0 .../linkerd-crds/2024.9.3/templates/NOTES.txt | 6 + .../gateway.networking.k8s.io_grpcroutes.yaml | 1507 + .../gateway.networking.k8s.io_httproutes.yaml | 3881 +++ .../policy/authorization-policy.yaml | 99 + .../2024.9.3/templates/policy/httproute.yaml | 5328 ++++ .../policy/meshtls-authentication.yaml | 87 + .../policy/network-authentication.yaml | 53 + .../policy/server-authorization.yaml | 266 + .../2024.9.3/templates/policy/server.yaml | 319 + .../2024.9.3/templates/serviceprofile.yaml | 274 + .../templates/workload/external-workload.yaml | 303 + .../linkerd/linkerd-crds/2024.9.3/values.yaml | 1 + charts/nats/nats/1.2.5/.helmignore | 26 + charts/nats/nats/1.2.5/Chart.yaml | 22 + charts/nats/nats/1.2.5/README.md | 329 + charts/nats/nats/1.2.5/UPGRADING.md | 155 + charts/nats/nats/1.2.5/app-readme.md | 3 + charts/nats/nats/1.2.5/files/config-map.yaml | 10 + .../nats/nats/1.2.5/files/config/cluster.yaml | 32 + .../nats/nats/1.2.5/files/config/config.yaml | 114 + .../nats/nats/1.2.5/files/config/gateway.yaml | 11 + .../nats/1.2.5/files/config/jetstream.yaml | 23 + .../nats/1.2.5/files/config/leafnodes.yaml | 11 + charts/nats/nats/1.2.5/files/config/mqtt.yaml | 10 + .../nats/1.2.5/files/config/protocol.yaml | 10 + .../nats/1.2.5/files/config/resolver.yaml | 3 + charts/nats/nats/1.2.5/files/config/tls.yaml | 16 + .../nats/1.2.5/files/config/websocket.yaml | 12 + .../nats/1.2.5/files/headless-service.yaml | 24 + charts/nats/nats/1.2.5/files/ingress.yaml | 34 + .../1.2.5/files/nats-box/contents-secret.yaml | 17 + .../nats-box/contexts-secret/context.yaml | 51 + .../contexts-secret/contexts-secret.yaml | 13 + .../files/nats-box/deployment/container.yaml | 46 + .../files/nats-box/deployment/deployment.yaml | 16 + .../nats-box/deployment/pod-template.yaml | 44 + .../1.2.5/files/nats-box/service-account.yaml | 7 + .../1.2.5/files/pod-disruption-budget.yaml | 12 + charts/nats/nats/1.2.5/files/pod-monitor.yaml | 13 + .../nats/1.2.5/files/service-account.yaml | 7 + charts/nats/nats/1.2.5/files/service.yaml | 23 + .../files/stateful-set/jetstream-pvc.yaml | 13 + .../files/stateful-set/nats-container.yaml | 106 + .../files/stateful-set/pod-template.yaml | 71 + .../stateful-set/prom-exporter-container.yaml | 30 + .../stateful-set/reloader-container.yaml | 27 + .../files/stateful-set/resolver-pvc.yaml | 13 + .../files/stateful-set/stateful-set.yaml | 37 + charts/nats/nats/1.2.5/questions.yaml | 12 + charts/nats/nats/1.2.5/templates/_helpers.tpl | 281 + .../nats/nats/1.2.5/templates/_jsonpatch.tpl | 219 + .../nats/1.2.5/templates/_toPrettyRawJson.tpl | 28 + charts/nats/nats/1.2.5/templates/_tplYaml.tpl | 114 + .../nats/nats/1.2.5/templates/config-map.yaml | 4 + .../nats/1.2.5/templates/extra-resources.yaml | 5 + .../1.2.5/templates/headless-service.yaml | 4 + charts/nats/nats/1.2.5/templates/ingress.yaml | 6 + .../templates/nats-box/contents-secret.yaml | 10 + .../templates/nats-box/contexts-secret.yaml | 8 + .../1.2.5/templates/nats-box/deployment.yaml | 8 + .../templates/nats-box/service-account.yaml | 8 + .../templates/pod-disruption-budget.yaml | 6 + .../nats/1.2.5/templates/pod-monitor.yaml | 8 + .../nats/1.2.5/templates/service-account.yaml | 6 + charts/nats/nats/1.2.5/templates/service.yaml | 6 + .../nats/1.2.5/templates/stateful-set.yaml | 4 + .../1.2.5/templates/tests/request-reply.yaml | 37 + charts/nats/nats/1.2.5/values.yaml | 669 + charts/redpanda/redpanda/5.9.5/.helmignore | 28 + charts/redpanda/redpanda/5.9.5/Chart.lock | 9 + charts/redpanda/redpanda/5.9.5/Chart.yaml | 40 + charts/redpanda/redpanda/5.9.5/LICENSE | 201 + charts/redpanda/redpanda/5.9.5/README.md | 1244 + .../5.9.5/charts/connectors/.helmignore | 29 + .../5.9.5/charts/connectors/Chart.yaml | 25 + .../redpanda/5.9.5/charts/connectors/LICENSE | 201 + .../5.9.5/charts/connectors/README.md | 574 + .../connectors/templates/_deployment.go.tpl | 136 + .../connectors/templates/_helpers.go.tpl | 131 + .../charts/connectors/templates/_helpers.tpl | 79 + .../connectors/templates/_pod-monitor.go.tpl | 18 + .../connectors/templates/_service.go.tpl | 20 + .../templates/_serviceaccount.go.tpl | 18 + .../charts/connectors/templates/_shims.tpl | 289 + .../connectors/templates/_values.go.tpl | 15 + .../connectors/templates/deployment.yaml | 17 + .../connectors/templates/pod-monitor.yaml | 17 + .../charts/connectors/templates/service.yaml | 17 + .../connectors/templates/serviceaccount.yaml | 17 + .../templates/tests/01-mm2-values.yaml | 176 + .../5.9.5/charts/connectors/values.yaml | 311 + .../redpanda/5.9.5/charts/console/.helmignore | 24 + .../redpanda/5.9.5/charts/console/Chart.yaml | 23 + .../redpanda/5.9.5/charts/console/README.md | 353 + .../5.9.5/charts/console/chart_test.go | 158 + .../5.9.5/charts/console/configmap.go | 61 + .../5.9.5/charts/console/deployment.go | 535 + .../console/examples/console-enterprise.yaml | 94 + .../redpanda/5.9.5/charts/console/helpers.go | 84 + .../redpanda/5.9.5/charts/console/hpa.go | 82 + .../redpanda/5.9.5/charts/console/ingress.go | 88 + .../redpanda/5.9.5/charts/console/notes.go | 67 + .../redpanda/5.9.5/charts/console/secret.go | 84 + .../redpanda/5.9.5/charts/console/service.go | 60 + .../5.9.5/charts/console/serviceaccount.go | 60 + .../5.9.5/charts/console/templates/NOTES.txt | 20 + .../console/templates/_configmap.go.tpl | 25 + .../console/templates/_deployment.go.tpl | 133 + .../charts/console/templates/_helpers.go.tpl | 82 + .../charts/console/templates/_helpers.tpl | 25 + .../charts/console/templates/_hpa.go.tpl | 25 + .../charts/console/templates/_ingress.go.tpl | 46 + .../charts/console/templates/_notes.go.tpl | 40 + .../charts/console/templates/_secret.go.tpl | 22 + .../charts/console/templates/_service.go.tpl | 20 + .../console/templates/_serviceaccount.go.tpl | 39 + .../5.9.5/charts/console/templates/_shims.tpl | 289 + .../charts/console/templates/configmap.yaml | 17 + .../charts/console/templates/deployment.yaml | 17 + .../5.9.5/charts/console/templates/hpa.yaml | 17 + .../charts/console/templates/ingress.yaml | 17 + .../charts/console/templates/secret.yaml | 17 + .../charts/console/templates/service.yaml | 17 + .../console/templates/serviceaccount.yaml | 17 + .../templates/tests/test-connection.yaml | 22 + .../testdata/template-cases-generated.txtar | 22208 ++++++++++++++ .../testdata/template-cases.golden.txtar | 24705 ++++++++++++++++ .../console/testdata/template-cases.txtar | 136 + .../redpanda/5.9.5/charts/console/values.go | 215 + .../5.9.5/charts/console/values.schema.json | 323 + .../redpanda/5.9.5/charts/console/values.yaml | 279 + .../charts/console/values_partial.gen.go | 206 + .../redpanda/5.9.5/templates/NOTES.txt | 26 + .../5.9.5/templates/_cert-issuers.go.tpl | 57 + .../redpanda/5.9.5/templates/_certs.go.tpl | 71 + .../5.9.5/templates/_configmap.go.tpl | 494 + .../redpanda/5.9.5/templates/_console.go.tpl | 60 + .../5.9.5/templates/_example-commands.tpl | 58 + .../redpanda/5.9.5/templates/_helpers.go.tpl | 535 + .../redpanda/5.9.5/templates/_helpers.tpl | 368 + .../redpanda/5.9.5/templates/_memory.go.tpl | 63 + .../redpanda/5.9.5/templates/_notes.go.tpl | 167 + .../templates/_poddisruptionbudget.go.tpl | 21 + .../_post-install-upgrade-job.go.tpl | 233 + .../redpanda/5.9.5/templates/_secrets.go.tpl | 422 + .../5.9.5/templates/_service.internal.go.tpl | 38 + .../templates/_service.loadbalancer.go.tpl | 101 + .../5.9.5/templates/_service.nodeport.go.tpl | 80 + .../5.9.5/templates/_serviceaccount.go.tpl | 18 + .../5.9.5/templates/_servicemonitor.go.tpl | 26 + .../redpanda/5.9.5/templates/_shims.tpl | 289 + .../5.9.5/templates/_statefulset.go.tpl | 711 + .../redpanda/5.9.5/templates/_values.go.tpl | 1313 + .../5.9.5/templates/cert-issuers.yaml | 18 + .../redpanda/5.9.5/templates/certs.yaml | 17 + .../redpanda/5.9.5/templates/configmap.yaml | 17 + .../templates/connectors/connectors.yaml | 109 + .../console/configmap-and-deployment.yaml | 234 + .../5.9.5/templates/poddisruptionbudget.yaml | 17 + .../templates/post-install-upgrade-job.yaml | 17 + .../5.9.5/templates/post-upgrade.yaml | 17 + .../5.9.5/templates/post_upgrade_job.yaml | 87 + .../redpanda/5.9.5/templates/rbac.go.tpl | 116 + .../redpanda/5.9.5/templates/rbac.yaml | 20 + .../redpanda/5.9.5/templates/secrets.yaml | 17 + .../5.9.5/templates/service.internal.yaml | 17 + .../5.9.5/templates/service.loadbalancer.yaml | 17 + .../5.9.5/templates/service.nodeport.yaml | 17 + .../5.9.5/templates/serviceaccount.yaml | 17 + .../5.9.5/templates/servicemonitor.yaml | 17 + .../redpanda/5.9.5/templates/statefulset.yaml | 21 + .../templates/tests/test-api-status.yaml | 52 + .../templates/tests/test-auditLogging.yaml | 86 + .../tests/test-connector-via-console.yaml | 166 + .../5.9.5/templates/tests/test-console.yaml | 49 + .../test-internal-external-tls-secrets.yaml | 122 + .../tests/test-kafka-internal-tls-status.yaml | 62 + .../templates/tests/test-kafka-nodelete.yaml | 100 + .../tests/test-kafka-produce-consume.yaml | 83 + .../tests/test-kafka-sasl-status.yaml | 79 + .../tests/test-license-with-console.yaml | 61 + .../tests/test-lifecycle-scripts.yaml | 66 + .../tests/test-loadbalancer-tls.yaml | 173 + .../templates/tests/test-nodeport-tls.yaml | 173 + .../test-pandaproxy-internal-tls-status.yaml | 81 + .../tests/test-pandaproxy-status.yaml | 72 + .../tests/test-prometheus-targets.yaml | 84 + .../templates/tests/test-rack-awareness.yaml | 61 + .../tests/test-rpk-debug-bundle.yaml | 104 + .../templates/tests/test-sasl-updated.yaml | 71 + .../redpanda/5.9.5/values.schema.json | 5854 ++++ charts/redpanda/redpanda/5.9.5/values.yaml | 1174 + .../speedscale-operator/2.2.476/.helmignore | 23 + .../speedscale-operator/2.2.476/Chart.yaml | 27 + .../speedscale-operator/2.2.476/LICENSE | 201 + .../speedscale-operator/2.2.476/README.md | 111 + .../speedscale-operator/2.2.476/app-readme.md | 111 + .../2.2.476/questions.yaml | 9 + .../2.2.476/templates/NOTES.txt | 12 + .../2.2.476/templates/admission.yaml | 209 + .../2.2.476/templates/configmap.yaml | 43 + .../templates/crds/trafficreplays.yaml | 525 + .../2.2.476/templates/deployments.yaml | 132 + .../2.2.476/templates/hooks.yaml | 73 + .../2.2.476/templates/rbac.yaml | 244 + .../2.2.476/templates/secrets.yaml | 18 + .../2.2.476/templates/services.yaml | 22 + .../2.2.476/templates/tls.yaml | 183 + .../speedscale-operator/2.2.476/values.yaml | 138 + charts/traefik/traefik/32.0.0/.helmignore | 2 + charts/traefik/traefik/32.0.0/Changelog.md | 10261 +++++++ charts/traefik/traefik/32.0.0/Chart.yaml | 33 + charts/traefik/traefik/32.0.0/EXAMPLES.md | 1007 + charts/traefik/traefik/32.0.0/Guidelines.md | 34 + charts/traefik/traefik/32.0.0/LICENSE | 202 + charts/traefik/traefik/32.0.0/README.md | 158 + charts/traefik/traefik/32.0.0/VALUES.md | 316 + charts/traefik/traefik/32.0.0/app-readme.md | 5 + .../crds/gateway-standard-install-v1.1.0.yaml | 13478 +++++++++ .../hub.traefik.io_accesscontrolpolicies.yaml | 368 + .../crds/hub.traefik.io_apiaccesses.yaml | 188 + .../crds/hub.traefik.io_apibundles.yaml | 125 + .../32.0.0/crds/hub.traefik.io_apiplans.yaml | 103 + .../crds/hub.traefik.io_apiportals.yaml | 139 + .../crds/hub.traefik.io_apiratelimits.yaml | 166 + .../32.0.0/crds/hub.traefik.io_apis.yaml | 190 + .../crds/hub.traefik.io_apiversions.yaml | 194 + .../32.0.0/crds/traefik.io_ingressroutes.yaml | 366 + .../crds/traefik.io_ingressroutetcps.yaml | 247 + .../crds/traefik.io_ingressrouteudps.yaml | 111 + .../32.0.0/crds/traefik.io_middlewares.yaml | 1098 + .../crds/traefik.io_middlewaretcps.yaml | 87 + .../crds/traefik.io_serverstransports.yaml | 139 + .../crds/traefik.io_serverstransporttcps.yaml | 120 + .../32.0.0/crds/traefik.io_tlsoptions.yaml | 114 + .../32.0.0/crds/traefik.io_tlsstores.yaml | 97 + .../crds/traefik.io_traefikservices.yaml | 639 + .../traefik/32.0.0/templates/NOTES.txt | 36 + .../traefik/32.0.0/templates/_helpers.tpl | 161 + .../traefik/32.0.0/templates/_podtemplate.tpl | 837 + .../32.0.0/templates/_service-metrics.tpl | 25 + .../traefik/32.0.0/templates/_service.tpl | 84 + .../traefik/32.0.0/templates/daemonset.yaml | 58 + .../traefik/32.0.0/templates/deployment.yaml | 58 + .../32.0.0/templates/extra-objects.yaml | 4 + .../traefik/32.0.0/templates/gateway.yaml | 58 + .../32.0.0/templates/gatewayclass.yaml | 14 + .../traefik/traefik/32.0.0/templates/hpa.yaml | 35 + .../templates/hub-admission-controller.yaml | 198 + .../32.0.0/templates/hub-apiportal.yaml | 19 + .../32.0.0/templates/ingressclass.yaml | 12 + .../32.0.0/templates/ingressroute.yaml | 43 + .../32.0.0/templates/poddisruptionbudget.yaml | 23 + .../32.0.0/templates/prometheusrules.yaml | 28 + .../32.0.0/templates/provider-file-cm.yaml | 12 + .../traefik/traefik/32.0.0/templates/pvc.yaml | 26 + .../32.0.0/templates/rbac/clusterrole.yaml | 256 + .../templates/rbac/clusterrolebinding.yaml | 17 + .../templates/rbac/podsecuritypolicy.yaml | 68 + .../traefik/32.0.0/templates/rbac/role.yaml | 143 + .../32.0.0/templates/rbac/rolebinding.yaml | 25 + .../32.0.0/templates/rbac/serviceaccount.yaml | 14 + .../32.0.0/templates/requirements.yaml | 29 + .../32.0.0/templates/service-metrics.yaml | 33 + .../traefik/32.0.0/templates/service.yaml | 83 + .../32.0.0/templates/servicemonitor.yaml | 69 + .../traefik/32.0.0/templates/tlsoption.yaml | 39 + .../traefik/32.0.0/templates/tlsstore.yaml | 12 + .../traefik/traefik/32.0.0/values.schema.json | 1663 ++ charts/traefik/traefik/32.0.0/values.yaml | 944 + index.yaml | 204 +- 352 files changed, 126160 insertions(+), 3 deletions(-) create mode 100644 assets/linkerd/linkerd-control-plane-2024.9.3.tgz create mode 100644 assets/linkerd/linkerd-crds-2024.9.3.tgz create mode 100644 assets/nats/nats-1.2.5.tgz create mode 100644 assets/redpanda/redpanda-5.9.5.tgz create mode 100644 assets/speedscale/speedscale-operator-2.2.476.tgz create mode 100644 assets/traefik/traefik-32.0.0.tgz create mode 100644 charts/linkerd/linkerd-control-plane/2024.9.3/.helmignore create mode 100644 charts/linkerd/linkerd-control-plane/2024.9.3/Chart.lock create mode 100644 charts/linkerd/linkerd-control-plane/2024.9.3/Chart.yaml create mode 100644 charts/linkerd/linkerd-control-plane/2024.9.3/README.md create mode 100644 charts/linkerd/linkerd-control-plane/2024.9.3/README.md.gotmpl create mode 100644 charts/linkerd/linkerd-control-plane/2024.9.3/app-readme.md create mode 100644 charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/.helmignore create mode 100644 charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/Chart.yaml create mode 100644 charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/README.md create mode 100644 charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/README.md.gotmpl create mode 100644 charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/NOTES.txt create mode 100644 charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_affinity.tpl create mode 100644 charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_capabilities.tpl create mode 100644 charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_debug.tpl create mode 100644 charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_helpers.tpl create mode 100644 charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_metadata.tpl create mode 100644 charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_network-validator.tpl create mode 100644 charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_nodeselector.tpl create mode 100644 charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_proxy-config-ann.tpl create mode 100644 charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_proxy-init.tpl create mode 100644 charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_proxy.tpl create mode 100644 charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_pull-secrets.tpl create mode 100644 charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_resources.tpl create mode 100644 charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_tolerations.tpl create mode 100644 charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_trace.tpl create mode 100644 charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_validate.tpl create mode 100644 charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_volumes.tpl create mode 100644 charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/values.yaml create mode 100644 charts/linkerd/linkerd-control-plane/2024.9.3/questions.yaml create mode 100644 charts/linkerd/linkerd-control-plane/2024.9.3/templates/NOTES.txt create mode 100644 charts/linkerd/linkerd-control-plane/2024.9.3/templates/config-rbac.yaml create mode 100644 charts/linkerd/linkerd-control-plane/2024.9.3/templates/config.yaml create mode 100644 charts/linkerd/linkerd-control-plane/2024.9.3/templates/destination-rbac.yaml create mode 100644 charts/linkerd/linkerd-control-plane/2024.9.3/templates/destination.yaml create mode 100644 charts/linkerd/linkerd-control-plane/2024.9.3/templates/heartbeat-rbac.yaml create mode 100644 charts/linkerd/linkerd-control-plane/2024.9.3/templates/heartbeat.yaml create mode 100644 charts/linkerd/linkerd-control-plane/2024.9.3/templates/identity-rbac.yaml create mode 100644 charts/linkerd/linkerd-control-plane/2024.9.3/templates/identity.yaml create mode 100644 charts/linkerd/linkerd-control-plane/2024.9.3/templates/namespace.yaml create mode 100644 charts/linkerd/linkerd-control-plane/2024.9.3/templates/podmonitor.yaml create mode 100644 charts/linkerd/linkerd-control-plane/2024.9.3/templates/proxy-injector-rbac.yaml create mode 100644 charts/linkerd/linkerd-control-plane/2024.9.3/templates/proxy-injector.yaml create mode 100644 charts/linkerd/linkerd-control-plane/2024.9.3/templates/psp.yaml create mode 100644 charts/linkerd/linkerd-control-plane/2024.9.3/values-ha.yaml create mode 100644 charts/linkerd/linkerd-control-plane/2024.9.3/values.yaml create mode 100644 charts/linkerd/linkerd-crds/2024.9.3/.helmignore create mode 100644 charts/linkerd/linkerd-crds/2024.9.3/Chart.lock create mode 100644 charts/linkerd/linkerd-crds/2024.9.3/Chart.yaml create mode 100644 charts/linkerd/linkerd-crds/2024.9.3/README.md create mode 100644 charts/linkerd/linkerd-crds/2024.9.3/README.md.gotmpl create mode 100644 charts/linkerd/linkerd-crds/2024.9.3/app-readme.md create mode 100644 charts/linkerd/linkerd-crds/2024.9.3/charts/partials/.helmignore create mode 100644 charts/linkerd/linkerd-crds/2024.9.3/charts/partials/Chart.yaml create mode 100644 charts/linkerd/linkerd-crds/2024.9.3/charts/partials/README.md create mode 100644 charts/linkerd/linkerd-crds/2024.9.3/charts/partials/README.md.gotmpl create mode 100644 charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/NOTES.txt create mode 100644 charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_affinity.tpl create mode 100644 charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_capabilities.tpl create mode 100644 charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_debug.tpl create mode 100644 charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_helpers.tpl create mode 100644 charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_metadata.tpl create mode 100644 charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_network-validator.tpl create mode 100644 charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_nodeselector.tpl create mode 100644 charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_proxy-config-ann.tpl create mode 100644 charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_proxy-init.tpl create mode 100644 charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_proxy.tpl create mode 100644 charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_pull-secrets.tpl create mode 100644 charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_resources.tpl create mode 100644 charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_tolerations.tpl create mode 100644 charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_trace.tpl create mode 100644 charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_validate.tpl create mode 100644 charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_volumes.tpl create mode 100644 charts/linkerd/linkerd-crds/2024.9.3/charts/partials/values.yaml create mode 100644 charts/linkerd/linkerd-crds/2024.9.3/templates/NOTES.txt create mode 100644 charts/linkerd/linkerd-crds/2024.9.3/templates/gateway.networking.k8s.io_grpcroutes.yaml create mode 100644 charts/linkerd/linkerd-crds/2024.9.3/templates/gateway.networking.k8s.io_httproutes.yaml create mode 100644 charts/linkerd/linkerd-crds/2024.9.3/templates/policy/authorization-policy.yaml create mode 100644 charts/linkerd/linkerd-crds/2024.9.3/templates/policy/httproute.yaml create mode 100644 charts/linkerd/linkerd-crds/2024.9.3/templates/policy/meshtls-authentication.yaml create mode 100644 charts/linkerd/linkerd-crds/2024.9.3/templates/policy/network-authentication.yaml create mode 100644 charts/linkerd/linkerd-crds/2024.9.3/templates/policy/server-authorization.yaml create mode 100644 charts/linkerd/linkerd-crds/2024.9.3/templates/policy/server.yaml create mode 100644 charts/linkerd/linkerd-crds/2024.9.3/templates/serviceprofile.yaml create mode 100644 charts/linkerd/linkerd-crds/2024.9.3/templates/workload/external-workload.yaml create mode 100644 charts/linkerd/linkerd-crds/2024.9.3/values.yaml create mode 100644 charts/nats/nats/1.2.5/.helmignore create mode 100644 charts/nats/nats/1.2.5/Chart.yaml create mode 100644 charts/nats/nats/1.2.5/README.md create mode 100644 charts/nats/nats/1.2.5/UPGRADING.md create mode 100644 charts/nats/nats/1.2.5/app-readme.md create mode 100644 charts/nats/nats/1.2.5/files/config-map.yaml create mode 100644 charts/nats/nats/1.2.5/files/config/cluster.yaml create mode 100644 charts/nats/nats/1.2.5/files/config/config.yaml create mode 100644 charts/nats/nats/1.2.5/files/config/gateway.yaml create mode 100644 charts/nats/nats/1.2.5/files/config/jetstream.yaml create mode 100644 charts/nats/nats/1.2.5/files/config/leafnodes.yaml create mode 100644 charts/nats/nats/1.2.5/files/config/mqtt.yaml create mode 100644 charts/nats/nats/1.2.5/files/config/protocol.yaml create mode 100644 charts/nats/nats/1.2.5/files/config/resolver.yaml create mode 100644 charts/nats/nats/1.2.5/files/config/tls.yaml create mode 100644 charts/nats/nats/1.2.5/files/config/websocket.yaml create mode 100644 charts/nats/nats/1.2.5/files/headless-service.yaml create mode 100644 charts/nats/nats/1.2.5/files/ingress.yaml create mode 100644 charts/nats/nats/1.2.5/files/nats-box/contents-secret.yaml create mode 100644 charts/nats/nats/1.2.5/files/nats-box/contexts-secret/context.yaml create mode 100644 charts/nats/nats/1.2.5/files/nats-box/contexts-secret/contexts-secret.yaml create mode 100644 charts/nats/nats/1.2.5/files/nats-box/deployment/container.yaml create mode 100644 charts/nats/nats/1.2.5/files/nats-box/deployment/deployment.yaml create mode 100644 charts/nats/nats/1.2.5/files/nats-box/deployment/pod-template.yaml create mode 100644 charts/nats/nats/1.2.5/files/nats-box/service-account.yaml create mode 100644 charts/nats/nats/1.2.5/files/pod-disruption-budget.yaml create mode 100644 charts/nats/nats/1.2.5/files/pod-monitor.yaml create mode 100644 charts/nats/nats/1.2.5/files/service-account.yaml create mode 100644 charts/nats/nats/1.2.5/files/service.yaml create mode 100644 charts/nats/nats/1.2.5/files/stateful-set/jetstream-pvc.yaml create mode 100644 charts/nats/nats/1.2.5/files/stateful-set/nats-container.yaml create mode 100644 charts/nats/nats/1.2.5/files/stateful-set/pod-template.yaml create mode 100644 charts/nats/nats/1.2.5/files/stateful-set/prom-exporter-container.yaml create mode 100644 charts/nats/nats/1.2.5/files/stateful-set/reloader-container.yaml create mode 100644 charts/nats/nats/1.2.5/files/stateful-set/resolver-pvc.yaml create mode 100644 charts/nats/nats/1.2.5/files/stateful-set/stateful-set.yaml create mode 100644 charts/nats/nats/1.2.5/questions.yaml create mode 100644 charts/nats/nats/1.2.5/templates/_helpers.tpl create mode 100644 charts/nats/nats/1.2.5/templates/_jsonpatch.tpl create mode 100644 charts/nats/nats/1.2.5/templates/_toPrettyRawJson.tpl create mode 100644 charts/nats/nats/1.2.5/templates/_tplYaml.tpl create mode 100644 charts/nats/nats/1.2.5/templates/config-map.yaml create mode 100644 charts/nats/nats/1.2.5/templates/extra-resources.yaml create mode 100644 charts/nats/nats/1.2.5/templates/headless-service.yaml create mode 100644 charts/nats/nats/1.2.5/templates/ingress.yaml create mode 100644 charts/nats/nats/1.2.5/templates/nats-box/contents-secret.yaml create mode 100644 charts/nats/nats/1.2.5/templates/nats-box/contexts-secret.yaml create mode 100644 charts/nats/nats/1.2.5/templates/nats-box/deployment.yaml create mode 100644 charts/nats/nats/1.2.5/templates/nats-box/service-account.yaml create mode 100644 charts/nats/nats/1.2.5/templates/pod-disruption-budget.yaml create mode 100644 charts/nats/nats/1.2.5/templates/pod-monitor.yaml create mode 100644 charts/nats/nats/1.2.5/templates/service-account.yaml create mode 100644 charts/nats/nats/1.2.5/templates/service.yaml create mode 100644 charts/nats/nats/1.2.5/templates/stateful-set.yaml create mode 100644 charts/nats/nats/1.2.5/templates/tests/request-reply.yaml create mode 100644 charts/nats/nats/1.2.5/values.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/.helmignore create mode 100644 charts/redpanda/redpanda/5.9.5/Chart.lock create mode 100644 charts/redpanda/redpanda/5.9.5/Chart.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/LICENSE create mode 100644 charts/redpanda/redpanda/5.9.5/README.md create mode 100644 charts/redpanda/redpanda/5.9.5/charts/connectors/.helmignore create mode 100644 charts/redpanda/redpanda/5.9.5/charts/connectors/Chart.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/charts/connectors/LICENSE create mode 100644 charts/redpanda/redpanda/5.9.5/charts/connectors/README.md create mode 100644 charts/redpanda/redpanda/5.9.5/charts/connectors/templates/_deployment.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.5/charts/connectors/templates/_helpers.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.5/charts/connectors/templates/_helpers.tpl create mode 100644 charts/redpanda/redpanda/5.9.5/charts/connectors/templates/_pod-monitor.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.5/charts/connectors/templates/_service.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.5/charts/connectors/templates/_serviceaccount.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.5/charts/connectors/templates/_shims.tpl create mode 100644 charts/redpanda/redpanda/5.9.5/charts/connectors/templates/_values.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.5/charts/connectors/templates/deployment.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/charts/connectors/templates/pod-monitor.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/charts/connectors/templates/service.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/charts/connectors/templates/serviceaccount.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/charts/connectors/templates/tests/01-mm2-values.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/charts/connectors/values.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/charts/console/.helmignore create mode 100644 charts/redpanda/redpanda/5.9.5/charts/console/Chart.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/charts/console/README.md create mode 100644 charts/redpanda/redpanda/5.9.5/charts/console/chart_test.go create mode 100644 charts/redpanda/redpanda/5.9.5/charts/console/configmap.go create mode 100644 charts/redpanda/redpanda/5.9.5/charts/console/deployment.go create mode 100644 charts/redpanda/redpanda/5.9.5/charts/console/examples/console-enterprise.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/charts/console/helpers.go create mode 100644 charts/redpanda/redpanda/5.9.5/charts/console/hpa.go create mode 100644 charts/redpanda/redpanda/5.9.5/charts/console/ingress.go create mode 100644 charts/redpanda/redpanda/5.9.5/charts/console/notes.go create mode 100644 charts/redpanda/redpanda/5.9.5/charts/console/secret.go create mode 100644 charts/redpanda/redpanda/5.9.5/charts/console/service.go create mode 100644 charts/redpanda/redpanda/5.9.5/charts/console/serviceaccount.go create mode 100644 charts/redpanda/redpanda/5.9.5/charts/console/templates/NOTES.txt create mode 100644 charts/redpanda/redpanda/5.9.5/charts/console/templates/_configmap.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.5/charts/console/templates/_deployment.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.5/charts/console/templates/_helpers.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.5/charts/console/templates/_helpers.tpl create mode 100644 charts/redpanda/redpanda/5.9.5/charts/console/templates/_hpa.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.5/charts/console/templates/_ingress.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.5/charts/console/templates/_notes.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.5/charts/console/templates/_secret.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.5/charts/console/templates/_service.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.5/charts/console/templates/_serviceaccount.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.5/charts/console/templates/_shims.tpl create mode 100644 charts/redpanda/redpanda/5.9.5/charts/console/templates/configmap.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/charts/console/templates/deployment.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/charts/console/templates/hpa.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/charts/console/templates/ingress.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/charts/console/templates/secret.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/charts/console/templates/service.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/charts/console/templates/serviceaccount.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/charts/console/templates/tests/test-connection.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/charts/console/testdata/template-cases-generated.txtar create mode 100644 charts/redpanda/redpanda/5.9.5/charts/console/testdata/template-cases.golden.txtar create mode 100644 charts/redpanda/redpanda/5.9.5/charts/console/testdata/template-cases.txtar create mode 100644 charts/redpanda/redpanda/5.9.5/charts/console/values.go create mode 100644 charts/redpanda/redpanda/5.9.5/charts/console/values.schema.json create mode 100644 charts/redpanda/redpanda/5.9.5/charts/console/values.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/charts/console/values_partial.gen.go create mode 100644 charts/redpanda/redpanda/5.9.5/templates/NOTES.txt create mode 100644 charts/redpanda/redpanda/5.9.5/templates/_cert-issuers.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.5/templates/_certs.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.5/templates/_configmap.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.5/templates/_console.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.5/templates/_example-commands.tpl create mode 100644 charts/redpanda/redpanda/5.9.5/templates/_helpers.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.5/templates/_helpers.tpl create mode 100644 charts/redpanda/redpanda/5.9.5/templates/_memory.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.5/templates/_notes.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.5/templates/_poddisruptionbudget.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.5/templates/_post-install-upgrade-job.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.5/templates/_secrets.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.5/templates/_service.internal.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.5/templates/_service.loadbalancer.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.5/templates/_service.nodeport.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.5/templates/_serviceaccount.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.5/templates/_servicemonitor.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.5/templates/_shims.tpl create mode 100644 charts/redpanda/redpanda/5.9.5/templates/_statefulset.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.5/templates/_values.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.5/templates/cert-issuers.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/templates/certs.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/templates/configmap.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/templates/connectors/connectors.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/templates/console/configmap-and-deployment.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/templates/poddisruptionbudget.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/templates/post-install-upgrade-job.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/templates/post-upgrade.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/templates/post_upgrade_job.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/templates/rbac.go.tpl create mode 100644 charts/redpanda/redpanda/5.9.5/templates/rbac.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/templates/secrets.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/templates/service.internal.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/templates/service.loadbalancer.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/templates/service.nodeport.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/templates/serviceaccount.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/templates/servicemonitor.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/templates/statefulset.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/templates/tests/test-api-status.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/templates/tests/test-auditLogging.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/templates/tests/test-connector-via-console.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/templates/tests/test-console.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/templates/tests/test-internal-external-tls-secrets.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/templates/tests/test-kafka-internal-tls-status.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/templates/tests/test-kafka-nodelete.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/templates/tests/test-kafka-produce-consume.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/templates/tests/test-kafka-sasl-status.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/templates/tests/test-license-with-console.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/templates/tests/test-lifecycle-scripts.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/templates/tests/test-loadbalancer-tls.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/templates/tests/test-nodeport-tls.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/templates/tests/test-pandaproxy-internal-tls-status.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/templates/tests/test-pandaproxy-status.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/templates/tests/test-prometheus-targets.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/templates/tests/test-rack-awareness.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/templates/tests/test-rpk-debug-bundle.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/templates/tests/test-sasl-updated.yaml create mode 100644 charts/redpanda/redpanda/5.9.5/values.schema.json create mode 100644 charts/redpanda/redpanda/5.9.5/values.yaml create mode 100644 charts/speedscale/speedscale-operator/2.2.476/.helmignore create mode 100644 charts/speedscale/speedscale-operator/2.2.476/Chart.yaml create mode 100644 charts/speedscale/speedscale-operator/2.2.476/LICENSE create mode 100644 charts/speedscale/speedscale-operator/2.2.476/README.md create mode 100644 charts/speedscale/speedscale-operator/2.2.476/app-readme.md create mode 100644 charts/speedscale/speedscale-operator/2.2.476/questions.yaml create mode 100644 charts/speedscale/speedscale-operator/2.2.476/templates/NOTES.txt create mode 100644 charts/speedscale/speedscale-operator/2.2.476/templates/admission.yaml create mode 100644 charts/speedscale/speedscale-operator/2.2.476/templates/configmap.yaml create mode 100644 charts/speedscale/speedscale-operator/2.2.476/templates/crds/trafficreplays.yaml create mode 100644 charts/speedscale/speedscale-operator/2.2.476/templates/deployments.yaml create mode 100644 charts/speedscale/speedscale-operator/2.2.476/templates/hooks.yaml create mode 100644 charts/speedscale/speedscale-operator/2.2.476/templates/rbac.yaml create mode 100644 charts/speedscale/speedscale-operator/2.2.476/templates/secrets.yaml create mode 100644 charts/speedscale/speedscale-operator/2.2.476/templates/services.yaml create mode 100644 charts/speedscale/speedscale-operator/2.2.476/templates/tls.yaml create mode 100644 charts/speedscale/speedscale-operator/2.2.476/values.yaml create mode 100644 charts/traefik/traefik/32.0.0/.helmignore create mode 100644 charts/traefik/traefik/32.0.0/Changelog.md create mode 100644 charts/traefik/traefik/32.0.0/Chart.yaml create mode 100644 charts/traefik/traefik/32.0.0/EXAMPLES.md create mode 100644 charts/traefik/traefik/32.0.0/Guidelines.md create mode 100644 charts/traefik/traefik/32.0.0/LICENSE create mode 100644 charts/traefik/traefik/32.0.0/README.md create mode 100644 charts/traefik/traefik/32.0.0/VALUES.md create mode 100644 charts/traefik/traefik/32.0.0/app-readme.md create mode 100644 charts/traefik/traefik/32.0.0/crds/gateway-standard-install-v1.1.0.yaml create mode 100644 charts/traefik/traefik/32.0.0/crds/hub.traefik.io_accesscontrolpolicies.yaml create mode 100644 charts/traefik/traefik/32.0.0/crds/hub.traefik.io_apiaccesses.yaml create mode 100644 charts/traefik/traefik/32.0.0/crds/hub.traefik.io_apibundles.yaml create mode 100644 charts/traefik/traefik/32.0.0/crds/hub.traefik.io_apiplans.yaml create mode 100644 charts/traefik/traefik/32.0.0/crds/hub.traefik.io_apiportals.yaml create mode 100644 charts/traefik/traefik/32.0.0/crds/hub.traefik.io_apiratelimits.yaml create mode 100644 charts/traefik/traefik/32.0.0/crds/hub.traefik.io_apis.yaml create mode 100644 charts/traefik/traefik/32.0.0/crds/hub.traefik.io_apiversions.yaml create mode 100644 charts/traefik/traefik/32.0.0/crds/traefik.io_ingressroutes.yaml create mode 100644 charts/traefik/traefik/32.0.0/crds/traefik.io_ingressroutetcps.yaml create mode 100644 charts/traefik/traefik/32.0.0/crds/traefik.io_ingressrouteudps.yaml create mode 100644 charts/traefik/traefik/32.0.0/crds/traefik.io_middlewares.yaml create mode 100644 charts/traefik/traefik/32.0.0/crds/traefik.io_middlewaretcps.yaml create mode 100644 charts/traefik/traefik/32.0.0/crds/traefik.io_serverstransports.yaml create mode 100644 charts/traefik/traefik/32.0.0/crds/traefik.io_serverstransporttcps.yaml create mode 100644 charts/traefik/traefik/32.0.0/crds/traefik.io_tlsoptions.yaml create mode 100644 charts/traefik/traefik/32.0.0/crds/traefik.io_tlsstores.yaml create mode 100644 charts/traefik/traefik/32.0.0/crds/traefik.io_traefikservices.yaml create mode 100644 charts/traefik/traefik/32.0.0/templates/NOTES.txt create mode 100644 charts/traefik/traefik/32.0.0/templates/_helpers.tpl create mode 100644 charts/traefik/traefik/32.0.0/templates/_podtemplate.tpl create mode 100644 charts/traefik/traefik/32.0.0/templates/_service-metrics.tpl create mode 100644 charts/traefik/traefik/32.0.0/templates/_service.tpl create mode 100644 charts/traefik/traefik/32.0.0/templates/daemonset.yaml create mode 100644 charts/traefik/traefik/32.0.0/templates/deployment.yaml create mode 100644 charts/traefik/traefik/32.0.0/templates/extra-objects.yaml create mode 100644 charts/traefik/traefik/32.0.0/templates/gateway.yaml create mode 100644 charts/traefik/traefik/32.0.0/templates/gatewayclass.yaml create mode 100644 charts/traefik/traefik/32.0.0/templates/hpa.yaml create mode 100644 charts/traefik/traefik/32.0.0/templates/hub-admission-controller.yaml create mode 100644 charts/traefik/traefik/32.0.0/templates/hub-apiportal.yaml create mode 100644 charts/traefik/traefik/32.0.0/templates/ingressclass.yaml create mode 100644 charts/traefik/traefik/32.0.0/templates/ingressroute.yaml create mode 100644 charts/traefik/traefik/32.0.0/templates/poddisruptionbudget.yaml create mode 100644 charts/traefik/traefik/32.0.0/templates/prometheusrules.yaml create mode 100644 charts/traefik/traefik/32.0.0/templates/provider-file-cm.yaml create mode 100644 charts/traefik/traefik/32.0.0/templates/pvc.yaml create mode 100644 charts/traefik/traefik/32.0.0/templates/rbac/clusterrole.yaml create mode 100644 charts/traefik/traefik/32.0.0/templates/rbac/clusterrolebinding.yaml create mode 100644 charts/traefik/traefik/32.0.0/templates/rbac/podsecuritypolicy.yaml create mode 100644 charts/traefik/traefik/32.0.0/templates/rbac/role.yaml create mode 100644 charts/traefik/traefik/32.0.0/templates/rbac/rolebinding.yaml create mode 100644 charts/traefik/traefik/32.0.0/templates/rbac/serviceaccount.yaml create mode 100644 charts/traefik/traefik/32.0.0/templates/requirements.yaml create mode 100644 charts/traefik/traefik/32.0.0/templates/service-metrics.yaml create mode 100644 charts/traefik/traefik/32.0.0/templates/service.yaml create mode 100644 charts/traefik/traefik/32.0.0/templates/servicemonitor.yaml create mode 100644 charts/traefik/traefik/32.0.0/templates/tlsoption.yaml create mode 100644 charts/traefik/traefik/32.0.0/templates/tlsstore.yaml create mode 100644 charts/traefik/traefik/32.0.0/values.schema.json create mode 100644 charts/traefik/traefik/32.0.0/values.yaml diff --git a/assets/linkerd/linkerd-control-plane-2024.9.2.tgz b/assets/linkerd/linkerd-control-plane-2024.9.2.tgz index 558b53becca94ba9feb3cf4f76ebb7918fc01b10..3327056199a6959754c72a5e60bf175f5aafa65b 100644 GIT binary patch delta 30567 zcmV)XK&`*j_5sZH0gya@TYDR~wjg+(`73a!ecDo*RlMk8o4a$m70F3-VmsQFoPEyt zcp|V0BoP%06#zw2mfWN(7ull!tf4G12PyK_Vr-w&} z{iFTCKlS>D2ZP=}q27HUU-!v{#QdLncg9t1-0$Rr)09apDNDt$g;0bgPS_-ju#^c2 zDeK}~vVf*S;v^X&H(huv8jDASOFE_`9-<6$nG)VuET$q$@FGa@j119B4Hcc}Nr=wX zBy6mAosUQ`CtOf}mJZRAfBmu_4hCT_=sjsH&PhVBAO=n2TyNow{$K&l2Q8ds?k9;S zBp4io&%;40CK*X%l17w>VJkoyq-rC@iRueZGA5{Gd@)30nvh|)8+IeLkVMxj=7{fw z{jk@HiHJDOq;8MxhzXq&ffg)BY$OPu;}K1$Tyzj833Weza2g{)qMTE?Kx4*L1=Za% z8gZto(TE82zyIg|LN`=SQOZ!nVuGS6PA3F$@^el(i9__HHD#(XQz~>8*g_N~u zr06ou!9oxzy6TzeHg;y1rIXe*S==xlLoXRBf*BFhmKwYt8pm#iX(};I35Qx_hG{ZH zQ5uZ{izg<3^Z$`hAw{SjE7}k$&mNr1DdVb-bDlJ{rrTOI4+P73q{r4)olrT=M`6Tf z7K;5l=(gk{BSVCCq$q ze~8bm*jl)Xq0tEua)`tf4-Sup&&a`G{5*OdAK*cM96fusKkh#rKR<|%dIty5^QVXX zXAz0}&vD#)J{XJ-o{pY9J?fEzr~UoI{iEk2+?tS-a4gk^(jN2%{h&VxdPkT2{_tQh zJnV%}pB)Sidi#gZgWln=*K7X{*4*dxX*jL)!?BnDof3Y?NC!JMEu<`j<- zB9LTgL{O%rg&5IPGLTDLTN9gU#V}URytsNvX5`j>S1VeI)CE`S|Bv(>@ z2huQTisT}r5l;MmCFz`Umd;2jMQFS8wZS_??S3zW|GLjQ{a!CTI)ESjUZ?+b5cZGs zuR*8(T>W~ce;#$laj!QVcAvHN5S+5;ns7vCctTK?Cke_}LZd|so}A}Nat^F$ebiFEfgBV>k#ld6tP*xQq@B(^CBVqC7Zldb%uzh zV^#pt^M6Z7Uqhv#Dn(Nbi==w3lmSSNBbrWZZBTEXS3bhQlM)e6`o3((h ziy0b|EMW^ZL6MMZpPwvR#j^|ZNU5f(J83$3o5ffX^#Gw6{_r-%b4(M}n?p1>{1^ND zBIgtHq}1VR)N(=89D9+*8KbFxyhzmgR^!ZPgbO#gF%gocAlh3l@YmLkfmEt&S%~6$ zf=D$glIH}mG+7{8#q`}XfyM;O9M<+ku>vX(OIuBlhXASE2F;ozMR+`>sZ#zTPBfh? z^?Fn{WlASgWI72HM}y~_#mA|n#|B1ef;IG3mT@*l#1N~-J2~YnpG+04tsOJ-ccHcg1;g#8BfuF1YP(yF*rJ1(11sYm_wi_0I6PhXwAMiI`; z1cl9PO3?Ymd20u{3pV7UBUPt>wE*2rNs4Itlj2DL+>}!b)fhN`G#;#T&6{YkA%%!+Ab1r!b=SQF|}g{B{tXWeHI;50>@&-3F^lu@Q8mgpyPS6V@FiY}B3i2Ow_bk|y18 z!fwn$=o&&uIAMD&gmksPonNR8zh~R_RnCQxXps{8iej#R3KSWlLC=T@$7bE*1bH@5 zm?Uv*qz+gQtxPe_!fJ|s`LzZi!6T9^tNapP7WG~hg|jSK*y2jW1B+BEVzU`btJOR) zFXNPPDihyp&syem>7Y^?pr02)>2ly6 zR{=6ib$`WG1X?JOdGc+$UEsXLlRM!m3sX?QSz1)T8#Hz4wyD>WvN&riE9I$BnmC&o zttsPdL_qoQbR|^@Dpr-6LXY7@%jTY<0u#Rgr){)<^dA}?ym0CWv@t+dCFz;p?cuQ7 zD;iwyOS@2j;S(VR`Y)OfY4eq{>nd)OPR`$=Jk{G1mdl0@1A8`* z60LBU(KnEfw}WVDHz3SU2Xsbej4#%Zt_$6f?%RM}Lp;f*WJWkn0;Qk1g})S`E00Y1 zdmD;>tst*xm0D7CPEsPoxthbeL5e%FTwaifrLj<=kE(@Zy0)AXC@Y*(J#%uO7D}8! zLJ89}F&3MYrGd90Sm#d*S#{-uBs|5*xv69&o5~o#9$=TSV<N zIO0U)iPVyfKx9rMFoP+s3F-@uro?OcsjYaTUc3dcj-vLVXm3Z5ZTHsnn2M{(dEP7N z`MVOSJuS9V=uBojKtI*98OkYEJu0X-Fe zM79>PD8Dyg&JEI2!0G5N&EdP!ZF>sf-Hq(CbQ7vKlYtcS)pCz3v0T=%yya8LHygrV zBh!@loG2ha5vVJsxs2IOs!a>d4&fNwg?VqSCzZ+3ASRh^D@3Ck%+rn`@k=Eqb*41B zW_% z37aSY-|G59)Mn#x8;lrS3UA#U!;DZ*mrY103lnFE4*JjgMO_@5aP0xnaEyC@Az9e58Z8i46sh@?e)E=1wHR|wihtIJZ6);p?5$86 zOpNk0Cf3X6)z4E10HW~_4f?%-TzQ7Umvl^`MU-e}FlFpo6!yQu=m(L2 zEE3&_r4h*_d@*rg#n&LQ&;o$e-6>wdgFV2anCDD2T5a9dJ)z|h2SAge2))5neg&QM z;sY&Iv0izcI?#GA#>+Q7t3gpappckLl&6v=-gKc_;{f||3n8q35E`RCvZm=XW3&A} zwGtz2ZQg9R&UrOw*ch=4|C|%O1L`8^;??Cj+8rEr4xc^UGY*$vOu3Mzz^nhb_}fdg zyT9K%YJC3?$Q3!=Z)`QBv?oqT@cKp zDcXI$-|IC~OJ<;dxx{F<-yih*d&XQVP|UQ$U5H$5Q41v%;n^r59kWzNoZxFw$oEPa zgZ{F;synHpdZMFR+fl9QD3Uvho(>>%T@N$dt|v9QChEaBPwaX%5~miow18w33XHgByq=^IWV#8QiH_~Xp=>M2So`JYBj6ob27s;Rlhv2 zYHC};yd~;SsY`He>S?7t=|)@7K^NMkk}`C40i$z;1W8CF1;UCAgb00~D#>Ap+Biu9 zoXe@2#1WPxZg&6)yvWnaE7Ud)i)x+XMMIsKqzm;I=P{MK4ZcRvh)OA9x`x6q}n9$CaU!3x-J%`JiS7csCO3%>^Hj^E!E4^+3Sq>-cqZW_BoVHV;dlUZnC8{Vje6-Y&v5d08M%3Z*RIj zLSsymoRiBbCt}Kyc!>G~y=$Bpa*04XXc0I?M!2Lzl#B^as(~Md$7%UjD;h>e@PKNY zw%XZ_&(D-_oUv38B&6blP#4)BC816&c-y&F!vL0xa)_nyY(_p&p@CsKs4y1oi}o_` zBO-5qh-P$3O@!H~k%)Cz;)HnSu~`kp%!sD3nGf1ORqY0}OG6S`#!ICY(Ht~ROnc}* zNW2$1v2{#T8-}RepSBCDneIouP1!zGV$8t)@CZ~Y6QAQmNo9INIzM~;jdpv$rWNZb zrkPT%m15f+_~WiW*MwxpYJr^@Xb`03I=rEO%WtTh($rv7)dMXfYUEC(i>_04laP2q zVl{)TInmNl-a#s~REOTFqW9iA5ZPCfw|?u6a)!)X^pv&gyP$=tY5y#x(wX;vz?@>O zCech<6Bu?=SjPiM<^T~JcoL$MoO6=OWT7`;AFGbr;CYG&l~biVrRYgImQN7V-xD%_ z!O`Lgnz5K@w5lt~)INBlzozT^%Oqfszk!MO&1u#&Z%n2{R z+eWGNW?KA;#cC01nwCky)HAw(RZ3jb49zKaV5*|+;nCC1!Qs&}r76%!$~dVA+^)n@ z$=f&7+!m=bXK#viIkI{zlo>1=52ZbSutY295u45OR0piUSs=xSJpn~+C|cZWA!H&( z^lwM%!G7oH;9%cTdctNi90;NW3Z=v*Q~=2$AEiWs7CXlYjnT>3=^JY>)i%WZ+ z8Hv$oQ8JmT#}^umFSstT;lezx35MY3_N}{RIGY-9n}J(Hu4mf?@S9uoD{)MJ>ka&t zkabr6YJk)yG4(G;GA~Zjg$H3DqHUNUf5+7NKQ2h*>)Gd=&S^pvw*|fc8i{anf`*@Q z77-zIY&lJ*gi{?^U{Am4xo-o=l(?m&$k8IhLV&X5j>&-#Wnz0s3c8h>e`?|+p*5a16R2n-k7y zY)wYc>enn)4cD!sEazzVzio0v4)%4?eY)R!_OFTwdRJI``kv(x+>}o zRQjv#h8rpjbzl&*+ey!&QBQ~H=bbKT((G zskhK=L}Ia`f)ARv2MLR=mGodDYcwOpl2s$Cj7AEUNtPn4w_aefxtbh>9H9hHB`vsk z9~;){+yNQ^#5aqaTiL^ZL7+-y;hey{wgIm$;KshdK?X`z2vq#j$=*)^k`uqu7TC_1WQR~nKUw+5*tegPK>MNOb0SJ zL%2Q7LIoHZz(TB#)PQ{gh7w0pFx6u1H=@!r7IY8^Ct*ju%SQ=+jVuC)*Vj)B3Ul(r z9Y{Gl*Gd)T!34v`>-7tR#w?SIjX~NMi*ASruy99z-wbr?|&tYkkm|kGf6=KrBaY&yozuWe>Obm zALv-^cf;X({cAmc#Tsvw;7g|-!!oIpJH}K;fSO0dv%1>_Yc-F#-tVMSHTqug#+f;e zgx!vJ!cs{-Nb6OoR4wGW13lgw2>M5fK6cm9D2}IP5pBKV6&?jv~cFMRA;e=t9>YqId5VRfeC=7J-?_ zfu<}llr4gUO=ucuw5B0?w^O{AYW`>f9Ti_pMTV6+Wp%zhn{ceQM03XA+re9SLP}k8 z9ILf-esNv|B!Un^)7V6e)K3gu=r$gkCTh=nYX_iAvEr))4s>t=wn`*u8WD8;OrUu` z9Q5s(hl_K6yQ7*>(l)B*Fc9r_V!U-jMpMSFO<{LN3p5o4s0f8S0|9oKKjkW8*SK-kDLD!T3)^#WQC0K=33Zoobn)%+o?({7nYqegElWdKCF%!1 zyjI&&-9ZSh&!TCy3)pXYATt(w;LOQ2;Z8q*jB<8=y3M(A>6o&9-jL zf~s#6RRIJn`omroOO*QRy!VbAk$G$fW{MP6RB-;^f}a8$Gi$>#w3tZ6F~c$$Z(JFr zpPs+%pjX;Ou5i6@uICHmdM-fPR2WJT@SC-(@LyF3xB?19J_^Q^B(d0Q?KIIaEYk*O z=kA4nKz|k61GYZVil5(t@G^nJR?B-=j@_RTF(vW0Qf7k_Fv~%l+bADviT9e2>_;%I z4V?wqnCP6rOjLXX#dcONvTq*UOld-Xq;W!=8}+_pa6z1`OlEj?V)@O+XBQl(4HSGU z#jeopE8y;3t=|;>x>E_3_YXZkx_|u2z7HgS&xH(>5-g05;}ys^-Z=v|0`EI1qE}PE>`!{3c*X~q!}Dcd$SU=dY^t_WZAaZfQ-Zl15nS~K?byiiZ&iV> zRDmEs7v52F$-G!2u<{k4I7@$GqgE9}>GZ1Rv2NnkYkS09L{k#yYM*WQP!D~7q5dnp zSx$jy_GsyM!>Z~_Q@f)VCrXLucR-O^;)wv4E-36)W3pa>9fw#4+*rT@kq;4Qnc5_4 z)S9uc)>xJhwi;%#vqhikKGu7VR-w5k$d>ge+fs|qnG~c660rf;YWS`+Y1;UBRjMCG z_^UjP6LRI2yCB--V5NABMo>b37jQEaY%+><1T&oC3G`txIJwZAVyB8vmpH*+b2ifk zvgPl!rhTQS{)i;(23+QLFV?TC`>{(fVIqfs7`?`DJflKD){>&vTsDgfQ`{zZkkRzT zhl~@b;m!wMlf}?Xz0lj@9O%G+wlSnEBOFYRO1VBu%~PH2#xi}E7a;b3k(5P*8Id@~ z5{HW3tzg56YOxTK%-l17++5FnKT=)4VYe|TyhWdRomI;A6gb7O)~ZuR#A_yBe4s)u z1C`Riu8`IBo#)Wo?V3#!u)x()bQ_;yg=jP)UluCCN-{v^H}XVmi#E zv>n$dxhBgDC7*_x(r#^k4z0r?XJd47?281#OSR%?vfQRbR|+ouW$dBTL{=^|C-y}U zmvRjdSJ@Tx;*}$y^193#t~^Gl&tysGgy|rk({zwA#@E@8&lfug3rJ+?k!#Htj_e{3 z*|yAa$ag2l$Z_sd7I|UGez}IgWE|MO-z$e2D*kP)w7#mgK|@zm z0)fKJsv<*!8+{zdg&DcDCtpqp@@EpbXbo9r%?Zgk$b5zhtfu)D@C3EiRSmm%>NJA# z6vUJ(N=?tQv_xcoNf!9+Mpt*=Ee6(Z^q=PF^Ig@5idd?ImDbJ%f_jN_`Fg~Cs}T*x z_nmDtiV~p>YDMKp_)>qdd0+R&ZXx-W06Yr6cM*O+JK1-Ygtl~!{noFtj!y}5Kmx_LK(t;L&yjfj15x4iV}}guWq1(gDiGQp!v@F)}fv1J0aA+gwPE;h$^$F=F*ch4?bJ1AyR z-jLCCO-6@8y69pd=p=>6ij>8qyQBWKJK$ccnf6xd(Ka;B?E)VY;E>2an3i0eFBNV? zRuXJJH$zr`iSmujSYD&bW+6q+B})i5=Uu9!+S-9}z0If!?IKn)5;D)Jv6YynGQepZ zNQbn$bWC@OLIt&I65531pPJmpsTkOl>dWa)JsO8*%H=$P^fp#-$T*u3IVHK!F&b$^ z&~7Ov#W~yeT1DZvJh3bCynyh%5zf##i(j#nHp%RN_C+OGWIeNb6Wn(N;G#PVssbw= zhB2Azjj3udyoA~FN?%P%N=qp#Ep3kBxaU%etW&~Hxv(eTt=z7a7|-=KH6|9JoNgM5M@DBXYz18r|< z(3XSiXP{Bd`>ku5#zXXmC8TAeA%}%L4C2w!AVat*<(InnXr#wqehIXVGyFl{J?US1 ze}aDf^_O3eWdDI@2@26iBsra-k0_;SOj3yspg^Dmd@YSuZnak6-A#RMdv|H*l?u&4 zlVG%Hqfi6U$92dD88|^Xu+0vLKRFdw!4 z^|E%Su*x^0_e)E?c7gWhlYc`#;qu>%U9YgY*R8Tl-e-92R zbEqFnti=AQ5?U``UZ88TD6*q*GGlWSBtIowpBq-fUC!{E2n23Gd$Vxst)oI=S@0|j_wGyy;{~sLeSM5K8{!#yN z|9_B=+W&WUcGUmq)XO4J9Qn6~Rw!mf1-<-05!hIHST061@7;kn^==_Nf0S!~9@0az z{Essu=a+Nvja1|cw$+LxTg(+f;$7T+ig;2+&O^9Xi zT4MAN=p4%GTjs{qY_xV-e>PrA{p+t)n%wbsm0;z7x52E-G%O0hV)F)nJypuB0$F zc2hAwDu6fEPFG;OHx>1BoDjemY8okIbP2LNNleg?Xgg%p%xZRhe}d!-IVFc*Dh)A} zW8`d2em1A@UqmS8QF}?h0-OjdC=-%ikYs#8Cno~mbO55#b8JZt=B1=r6+AQSPYnm+ep;*g7sR1eUrjJ`LVZGd9ic~=tx#oUhAIg3hKrxN+4W%B_-dH#pZ-)<#+=^ zOhJFSHLYPgD{Ks8kv*ur6t)85&v_U6ZIU83oAyn0noj<%ah;Unj5b^~hR(t~XjU-e zXm@E}_`!*L8y2Jv6%w-mOX%%;9(8wjsTTZQ4VEt~SJ{hE* zZg<P%^#0tsxv%j6 zQv)MtE_ZKIUj_V9p|82zy~unOugt@We6>Zhk=VE5e;noBX2rG<`c{Csjm)eU*OxWHMis;7=#_tzM9u7ycAd-;#si8}Rzyt<0xeQuR&L zM87X;a-KQ)U9$NCFiM1ZHM#NMmqWPu1^sj`h{7T%i{Sz$7 z4PJzXe>9p-d`HFR{ZMP`glCa^&@BCK83*ZG(ARB~6%LEDEG!F2O1ui#cxXe?f7guI zTLH!3x-hOKM;fXt%EKjCci?xr&mVa{Eq#YvnbM)#IcT5P+rL4AHaRvm^K^F`p25UOcQt zhCjSb@f_1cjaMlYp*XZ3X7ynT%QZD&qMpok!}1P;M}l zU%|DBFFsJ4bhM3nrZ%jhl*y`FeChShdqsdA^a-6PN;wgwfbtIu$mb~5!*k%)^aWt} zOXP}kReVPHglvGLOc~z}w=3ROe^^ZwGe=56Q&}bo!{MnL?h+@tm-I5LZH1ayRT;^K zHpO}|msg?)b|_!vY&g#Em%H8d?3ZP2+}+(@bXEOke?ZB}oT|S2mI}%E;w7C?=~rud z|7jTBnp$fH!o&yFCa_*;dY-nMR#h<^M@YB#4#Xzu~hVu}Zc zMvmf@}hRuLe| zvRh4NTY=K%5I5u8j8RQTOjE+ea5)VXAqFcsuxa*$@MdLmDxlPCe}>dLI#BX!&SowF zSX*B?z6G?5#bTZEu5sonhO$}MBZ)GJ``I4H4JGr%;&u-P?JkbeJ8Y+bWRc zYA!?_h`hZaD8lIze~CCr7Ko)tPO(Ic(+NzhbYgC+C|If1*lpxjXkL8L-J*?#`MS|j zthe3FdbjDi2xoXi6Dp~asCQ!;Nz{%x%i88NPy6`g%l6)0jTtB{rD6W+U(CK2XE zrC=2|EtZ#Kd72BJb26qM&@Lw#!4f@1ZPead!KVU*`J|NSf4pfc2~dFJn14BR266MW zkPeGPkzcOaBmxv@TSqV*1bH^$IEFeUJIJ?#xB5-FV!|dtLgpm-vPnXH$tEw=%X%Gs zhrzN+U&Gr*5^YA1K&J$$(OFJ9QU+n>a1cYPE+2Umedp?_ z*8sR4p(;>}i^DPA%0VS{tdBpc=9a)SOK&;`K&Hwg5(gdoEl z&r}~E$^K2Sv`HN=kZp#mK{!;8I8G;IZEJ8GQ}qldf5&_x%1r?A&&+wQYKl&bJ~=mG@ARbUv($h})sBw7?T23kfn<-|~$xuV~6$a5oJ^ZL4r1CC3qI zuRsDxP@1*=Gxh4%Ux!QI86!#q7izS!ICSTElGKl(R9=--lG=qu`lA-}H$?i6>=~eL zrtdlQf1ZOKUI}8}VEgj7~_e^)UEL86>fxlnyUK9u^}mt)IgpoH1- zlK>sReCa(={rP>GEZ#6CzorQh3n9tOySB#^%hO}=nx(2(^UJq_@MgyI_UyFQ>2!?L zwnkIg;B)!r>~s(H$|D6hOn_z+l5ZN2RC*90xDxN2(>YDZguD!l@14XpUoP-&YFjD|l*-&*23UdWlkEJPl6{Z+ z{hx5detOFdyLp%%W}|Lg#%p(K8#%BRQqzw8^fTPCpKdWQ54}@2-5`0pow^ay<4*mD z+Nlwmvm~F9S1eDmR(wQTSn~pQlUTZ>Y~sJ-9Lv!8KWY*)&>RlOtzYy@+rrme-89EO)Ij1R7(usG9;`n>Uq?e|6Tt z`?mw$$~x(+huV)>vl}*9+$#{8Bv=j2SEG#}>ov)Gn7*Xxn00P2PumTUx0iG8Vi0Z2 za^p24Q(KrF+NvoMUN%jMHDErXpBPP1yVI`kCyiFXrEu@f&bSoAoehjNIk$!aN07O^ zlZIFoe?mto)fZ~}(KyR|_hz>*RQcQc@wKoUtcuR?Ovm1Raz(&K#L|>Re^PywQ-Z#8 zQM2gy{0xmC<{IAUzy~UjYNtaXnR&s<&p8oNbdX@^h9I2W;Dtcqnr5oHAQlq@^_lux zL~@*^RH8PWq>PjAO)!j!wW*bZ*x%#xvkMT`q0|QB0@VXG+;z~fzvUs1I7u98u_ zT5~zlr8~)TrniFSiBk55*DDi0SoY}U5^1zEm;{<-e#}V)`jU$ve7FrL8`hYmh#S%%9~Q|{>Ab*U9xMEo^$q-W_X*@f9&Wr&;qQ%1yaGg z7wR{|Z=1Cp%HKMd!)-q6@_$ST=5j=^yu%gXYwrI&=` zts3~R)C3RAF*=(j(3`K0PvG(WWZSZH(apL0J)rrUU-b7WF8cmt*|7cqgHU9s zYREm+)Xq&3S#5psf7#NGyszAKo8_VP$@uI>YQyE?y07V4!h60)@>WZ0t2~pR^@vp0 z&Z_K=pWza^+s%QWi1&GC)qD(}$A~wJ#oOK*=mGq#C7Z|3CZCPv|66DOTPy!R?bYP} z-hRLTDE~ji=PvSpP4tILr@h^fv-IEC=#w$pWmyx-%=NR#f0^+4@%#HtImOZ_=bWU` z!g`3`kSxIwX;pm%t|u;{DT(vM8X<-GIYjNEziWkm{k7eyTK-ElQH&)yOaBj+64dS; zp#CBHLjBi9yD7UtAJHrq@)S$*ip6xiK<)q9@6FnKsQvcxq+LLFHY1To5fNgXC;!Gq zqMYfW*Fxwge>S=-9JJ?b@oe=7343eD^Kfur5gZ6n@M^=yLQ zw3lbEzkBiK^vBb)i{r0ezBsLn!dw9#qPCopq8EI(ZOn)OVI>!ySGL{E8g^^D$cmE? zX!+TM{-82Xm#m#Ns8<|{xEJK*AX(k(ZHK>IeY4H6^?Kz^&)_uI+$=(|KCI;nlxIXv zNiN>mW|0%!b`=@zgG+U{3!Lig^?+4JREw?>+A| zAa0&fO~O-im_FJjY^VWNWrN&=z?D3ARqPOIj2}V`F+^zdI3lzzmI!ShPlRq8Q-p32 zSG1z1w}~%8Yd5?lTi&Dn=1=xnXa8~0_qTWdf3CCt?DzV;s{gm&>pj|k9^&I0cFxRL zH(dTuxO(gEfQ@}5%k4nTVuw5WaSH>xSM~F-w>0~>%D4IXS6!CeRS^He;qK9juS#pl z?f0!6bou@1_q%h#_s|<6B&U%?a!Q2_Z8XNN!p;_=3qo2u5R5H`-R^|SX+BbIbfKf> zfA646g~*BMKHoojy53Dk<|LKPbas?XBBQBsuPybOJkqCd$6$6*!;#qL-2p7^e{l5;`Voel}pSHbGnVrIRW&G!~qRCIU=ep-`9l z+xf*xAfucMxgN|{lXNsFe+S9EULgAfiP!&xS=RmZfwxI8=qCEZWRk40{td1{`Bb?i zA2_M{hU4(i2_7xtJ0?@FgL%y7_?XYpg=BP{XWM?t{2-{j-w>+jf$Y{`m)(7!Rl`?dt-UD1w3fGbLwz~PUl)136Rh0~s4U&TuFJg1^s5bsnf8w%7YMnUe1W~D( zn%O`FTpH>LJ7dNpf-YZP=nF+Xbmq+3=X7hRao=CQy!bwC7>ozFf%Nxr%j_q~4*5Gz z3Qh8h zHc17K8BBkN8BBlq#p3#{<5C|#5A#_U|6QCG`egZ^`n|(i{P+Ij`M-zxn7x(!TsWTX zk-zrI%d>VZ6x<#ob0&T7RABLJZFJmlb+Ac4pSNz$0aC7TSy(F<0T%Cre0 zo{$*LSWF6mFJp0F1(ixPg;5Qmry)q0>+ljd7^w8Nc4jRbal2`k)^R?M`@tXkvyT5~ zES|BHO2%)$e*vuK|NY+4(^~$&!^21Z{~#Yw7&8{X(u1rtM=yB5KJ~)(6m#+_7#Cyt znHNn-3U1=>BIhn^3i>`H94jQ}1->!kZlfv9%v#DpGdXEGf$%>DL0Uy*TmiFT4{BE? zzwznad$#MPFz!3VtT_V2j!N>I2jIG%y|5u>usdZ*e-pXhB&yXbxiAmb#p9x1euaSV z_!UvRpLmhR8KchPu9PWB_#7udjz5t_#BoN>%ck){BfGFak8KTyqY- zotF(s00Z>nk80NbSnTXSW-R{E`R0Di7?(e)-toN_k@its6OxrYHxu$<$^CD4Az=x2 z?$STne~*r%2P8w}f@P{f&l_?Wqh7zFoU{92GFIl*0MYI&Pb9V1gYJDAu47FEGr;-C zc^;PY06?4;m!182_y>Ub(M+8mDf`h(ogZQ9{8+5bPtA;)SHfQl9`%>sHIvd7x!W-( z%a|1J_>`iLOQ873dmeeugUT+IHF;YOb89x2e~OLy)c;vpEq`^Pf{IW5b=gc`%Dd3J z27=urLGQO`RIc(?C{-V+nzzB2v3P4-wef)7{P8C?x(x-_&xES#QDG|ro|vHb$GF zf4xl;0KmQH=Ui+5Gw%GKV1K$@7Ra^szurN`{x=vL4j%1)5Amspq#qXO%#8JKlk%}V z-)?b)y$0a(IRCln6=xgfPTbPro4gXN<{=f2H=9kXVv&p1|*0G^tF_$P}tx)W})-6B|Jh z_`4CJ-zLN5A9V?BoqDp?j`ayB{Y0AW_IB6cZ8{vAr0TqTBFxo|zqgDbpXpq=pQM;J zDaT)?Oh`2R5@npGa$K>VxYmdNB0@2b+DkfDr?9{Z&V-~FBpF}ONlM}q!lgk0f04_3 zCV&|p?V&MiYFgb(WCL_}g*h9BYomY|hio41GR8#0)Y(P3Bv>chC`qFm1 zNqtv}(%7}x?ts3(L^xD4WN)wXqInYNJbJ2dIkie-DU*ai=fGP-!*^t{AqhI4-Z~OY zDOAq1R$IGvCYY$4&;*-PmewMce~s8$&6HvTdpMa;Nbk^eaqFvG4PiR@yGCqVk1IyYc?atu)!ZA`dSDv5ZJZ^U#_$iwmv+r7pl2=PfJSH4!uSkvPIVKXUH8zZFk$Q4L0BHDjru^ z-J2FIt#O1RtPjB5<0fGsuH7bVIp5LZ7LPg6TR*66rsLQCd(E#bFMb1885kZ7D%8BM zG^crgL?rHO{Yz`i2nC2`e>T6z5WPd~lQ%DpFJH8c)wr&o!m|o+{k*QZDg{!{8)3?b zh^alh?PdYwm=QE4FUDigKWzTNrlZ1*{a86~TpWkjH`x7__Mh$Sf47SPT$BI1zkjq} zz5iwZ@G<}QgM60T|4d@<&npjMc{+aDY=osXd@m^pS3tbSyo9T;fBXrP6E^JppGAto z&s3JY7dz7LE?r@*m4BFgfzgyi*CL;FwNg6t*V!)Ev(R5cdxdrQ6&B zfNn9xgTo_{&&r8N{_x2OS%!bkNuYD=p!TzagZ=i3;t!R}uu;Ex%xL(S(eR!!8a4@D zE3n=&ui?hYWa_U%f1SAPbILDsaIoKb{`~o2du4u@jKxJF3mioxlgMb$NOIMYQ3p&7 zHv~mEeIgMj$wH@l!4fe}Co~1)C8Cf5rr<`}S%plZj?XC*%pW;>i>FaEOw&^Spii9g zrN)u!c|(`%8xNX2)QXzhqz=7P!pn7L`D)h2Wu;c6TP&raORT4+TZyhh>HQ>$+?@2g z;CxITdFVa9P4dXHiRS7N_LQK**QZ-W$k70%nhjz3){zo3E3ZkBU! zX&51TOp|XtD>nXRi<>ly*>@keX+BQKKl06*4b$vi4^I9;K5OH@M0SVFpZc>V|L5WU zQ6>Ld|7ri|G5_0xlh8d+e=w)s42vy%7Il3(N|+#j$5dWAD`PF_jLHyfR&N+HUee{( zCu2DQD%|xJ>y1^V-DQm-&*q&iMckFMj~bLDKB?Ff1N8dE<&Vdwug+e(UvG~8UQl2N zfb^;HDQ8(7g0?zNnUJrwDW_4|~C3;juVQ7cJlX z*lJL6t8KIZUgbi*@vNGzF7YlHso|=2dSR8k6>j|urxW7x%gksxMEzdRdM#%70~pGm zKYxBJ5=EY63DJ%x6Sut)C2O1Fk=plZJvuzxKWrq`)>u*6#k%{w`gxP;85lgP0Q`d0 zc1k(?&?>#QZ>wnCX!9N;*(ctm?&x3q+&^eZp@D!YiddShu zl%!~s(?s!ol;P+aPlyOxJLqys1&DCqv=dX3BxsVbk+#y%bkc!Tfs)P%1Y3B|aT>RF zP)a7i>dpVkBJru1kLUEI| zz6eM7y7fgUXIblu|Eslwe!!fvT%fbl7ors!v8ff(nBcB1$JtN6D-P4V{@=VfK7I8f zoW=KoWA*xfdUVvUuK$ClNBfWK{~5HWGx-wI02Ibxz$6 zxU$3uv8^%Vsscwd8gXWi*P{RZKmV6r>nTGKiwTORN@;S6df00H^E)S;4tj%w@Oe0R zzdMyO6T@zo&L*LlQj)|VqmFPqAzf2Gu*CzK>Ht)Tru^?hE)w$PIKeUyKj)Z}z1BZ} zzqGSdJo`BA%x%0WnMA0zxmo z#D^i57<^8VdKKMsU`{2mgr zPuWe_YJJT(nyH;AVzZ2ssnVV1q)cuH>2|=Bl2d{#zE;d4@&28Yuhp**T7S+7Og2HK z?_KAyP;-&XR!bifMKl!>Cy63jsvQsBc2EX_rF{!XuY4$1w&2Z_M$?vdmk4Bk%bvVB z)%Ul;FXyWeXw2D6Kg&5+ItqZX3!{nl;?_yRB^^TqzG$^77g8DoY5^5D>d18LSh!1t zgc+1PLs+~05l*8i<1G)QUf4KA`r1Gro9=fi1-d2+h&K`hqLY*yF@o5lIgLr&k_>%I zk{KE;pozI49PQ?5La&XWkqh0=MQ7R`f4)K|FVA#ms(IO(kd$zRTi?ZrbIH`Ah;WiD z_CjQ*uR*PO5W7h`2(tYr3A;h>plVAY;JLnnvsja!K04@1EUrb@q73|w?(V5ZI%-mK z(_*O-kXpwHBxq3bPqOHs5mR&1>s;thH$wGZ6=;SRXhd2u;dD-7JvC@*uOcWce+MCY z@qr2$!jogP>m%7K&x$X;nB_u#@dZRW>s5Q@4!T@9h@eHq#e{B(7P$&rXALwrVbDn| zt~AtE9jb2oRfxV)eN>!87E_idF(RsQHZ-lYH9Zk6y8w&J>Cjn<7>@~81Cy({k!ldS ze>!gdyZE^gv0$tSdgUTLY$mOff8#GD&&gGYF6&UuO`4_EVzHP;j2y2pI9de`T|E@h zl+4JNwG2^LYBDwQKq4Ye!G(&bus!t7t%cGW<;GLengGjfoakZS&h^rI3Uu9cQWgvX znTR0b1e$>p(cQs8$|MO`8ptVC+BxQO5qP+0%igvC^8NK93OhACo7 zw~VMgUCB*q7ZJnO)KUyJe=P5_W2D~tVIHco!UL^8^EW7BcQ3^Nq2DYAgm-?gD)w_t z7Q#%U5sB>#$~cJ#bg9r0O`Vo1tX>H`BZz#+s6LX2Vl}mtM3@WB?tQ+D>I}l`A84{& zzKxP63R2e<|Jgz)2n3OV(#jm)ghPAB!0N>Li&tMpIE=VlR@$yKf0JrWRWMIBtfVuQ z*-F=B0hMe-a0C)Qg2qGu278$1YOalk3p`7%KyhRSdAkyAMa@59y?=-(Jky*lqe@SR}_Ogo`M z7AlH*CEjNy4(CAdu}BjmiAImdfAZG-Y|JQ`d_nkZl>D=xZYa{}1!_{X2O> zmHPHxX?d6WyCdCKsnA7&qwDwY1pEnGt(x*SM2$jprC7IB^ife`Lgh3c!RvIEDfHhD2UW57j!g(5f(L<|-W%bgmcwt0rPP{7@t!ipiSv27|g>9_mnSDxD zA2cRd=3FTz-%G_{$9WoQgN0UgP!Z)Pr<~=JX{+#xhGv}^QaBMA1Fxgf`E^SOj;3H8 zhC?dEe<*ZnjTB&pYQ=u<+o^^vwaCe7PfPaop<-huvpD1uXt@HVD0_^y)SyS`^zX2Wq)y zgpV1YkvKG7AFUs!!Ttpa0E%4DfZs`gBqkOHBv7FKHPfSK&P>E-Tf6*{N zK!T7@!&sK~3K6zA(h{Sz6`BDRQ6Z(dUgk3}cMEL@w23rsKt!M^9;zkb=H;GfmxIsS z!#?zlAX328j$Lgu($zD}@r zqdkN5ZmIYUO%g?%S`cb=(lJWd4N)*~ih6q$x*)qlg>UjOIRuf)JA-VmWLAWqvgn#{ zo#4Td=S9wx?W!K74XBI65*`I@zk8B}4n0NK@|MV3u$qWVJVCpRql<5kfA@^ZyWm5W z4z!rV3OOzxN|}}{!88SeUa|?&o}cw&QUeY7S;~-UI%WT4@gtJZk9pCRTFHKPrQ*|iYs%8 zMSP5voFnKXQa?rQ1)lv3MexorX>DW z%4~1~8N<&xlWdfa!)rpaAF;v`+B-BuQ3Kz*5BP@oI{5wjfPOQje+l`K#;~8*-5LBA ztAUr(mu%9*)i}cjVc>%3lmtA7{aT5C+D)tGq6;=e<~}7KEXZ{A2AH=3ah8LC1m#R( zH1IW<+(`-@h>!N2(K5YE2fI+$0%ED+^KLuE0(RU&M4J!7{jdi+i!Xf5`{6-oHZ?8! z*gIJ-5~_2kRNG)Be^^F>HydgQ%9bjE0~(JQW!R)55oxm*?F9$^nX%|B7Qp4KwCA zju8ei*?A&Wmyf90(OrIvGXF0Jh>8$_sa?UCVxfIEG08ZAf5dc1&@>|G`k7E;H|YB$ zvG_QZ^w?x8TqWIVT}M)6QyU_1?}PZ1mc&2^W1y2MD%rP7NE_tRrHG;R4%N6>G8M+Z zwPKSjr$$?e&dgCru7-%caagr;35F*^r*49&s;03**x*iWLVPwZ={HSoXXM<~Fuo-p zojH?Q#%OKHe+i4OFRsZAOkJE-wT(efz~+ApDQ7?ordl!A;ve*>f`P;}xd9I@IJcdh z%&62&xYZwp@g*G-fLg|UFzwBnu@`DNc+)De0%o;q@7kged7DVkzU4**%XpdFj<+}1 z*elY2Hq*C=bB} zN7qCme{l7J(+uQEdz`BrN#|J^3lXrZ2@EDoTN>y60obc@Nt5n4VK;`qbPWL{oUpxe zQ@0fhUB#`%oedLz)Hlkvf}nS1i$bOr(mkk8P}u`lr4B2HfW#~kCM+W|mr;=*W7=y4 zlDzl4l1rq!)0kW&&?m!!0{I?HY_*{j*J{CJeFq#0{S<}NZyL5EiM9F1OM@MKto36qC|58E@iTVNH_^Q>Rmoce`utDL$mcS1Kt?&oqgXF!juOSoMj{~3PM1h z!32?_gI=%K50$V8hgdt7FF}v=L-=n9g|u^AyFdEx%`=4ultcAWYk_XvB#W?lM6^hJ zQO+0E!0%0<8N$`vV%7&xA1B3g75-+#2^_cGbSBiH>-s{E+s`=>HpZArL6Y&Ze{M8> zrr|;VK&!p)hQs&z*RA?5X)duO>U^ zhCq#YQ1!%ViP@xCu>7nJa*V0=u9!#8UG_xS(spUmx!sde7W-G~`LcIeHejMXRBS2# zpvCXkenlI-XT$K(yYHS|lq2U?f65#YOCyrWLhOJlT`UBhq#%JPI=egSUz?~$57$gb z&byNe(5T8S9Cc6Bu}gjJXZ8RcERL;T3j81j+)|&G2PrAsTg^aTv6LF7Yt3P#=J&Jf z`^6GX{M^B*nyF3H)N*7^cPM%j4NlGJW8VLn>Wps92ded3FEXM0K)ccYe^WaX94hdm zsqdD7xXa?94KE6XUms-#vBUa?ZA^NlZS~%B3jWgW<7`Icl;i?^4;TC~j@}i0TFlbS z6%3du7{+9-=c|3v#To7H%yeBPT11Q!21moY^L|*s-K&zGZ0RIbyxY{R%_p5>?_Q=- zj3sWKM zGPOXKB6dZoY&wsT3r_(qQoyl!Bov@V+P5}cG(adayqAo6S>7K0(gt-)oA!*r2)4aW zn`BcmBOE7zkc{IASy@`gRIexkY_&dM&hYP~)&F9HvRAhzjIun0k`02gRZ6k5ub!O0 zMR}^DcI@Gk`ZUL>e~ZgngV~VVB&2VL)3tjI(%Nur(Rf!EnY#DT33Yll>5{D|*|cl) z+}ol*bcK891cP~b%Ws3bq1m3Pz}(B+fXlp46R&(~$}>Z_+kBNCm@-)y-%`fSTYD(Z zzmpvfh@|?U6&M=q@dMwuXU_s@quW)Dbg=7R0qWXI>nO5ke+Q}XeVQE|b_Zsv4)QO| zh6A1rx4&ECq9BSZLo)pG3057q^(?VQtw z5mnML`ZD!De-!pBeeqeSy@FJDQ$S0H`jC<~Rn{k$Sr=FS$Rn$oVKmZ<170ql=BlI} zHq&V}O#Wokc8gUd?0nu8grE^g*v(#Z$NH6;d|&WdpCv!GtpV8tms{XXlutOPyE`sy zHHdHk3X7s9!2W6Jzz+I0OQ2yfZ`U2V63io5{cuXEf7&vQMbQpq3o}fG9m25)eG=4I zwcRAW1O=pEHE@E|kYgCJ+Tn^rmRI^z)D^lW`t*dWQKJoH#vrC#QE2*^r6uA@3*)yL zXWeDD8seo6SD(vWlbZVTpq#GBPE(E`meKUZhl~>e2TcfYi+$)Y`M*Aunlct)XE zU}lhLe|Or}e$gJbUo&}@wmWToa;-gl*EYdVar^zR@3pDV*?z3;O*^-JlsWyUcI>OeH-&|?yP7!mG19TDyh+45=*LY|EzLJb1!Wum{@P5f%1vh?dl=B zlZa9Qy{(K=x-#w)N+=~f4f4s-_sgY|YN!5rf5nqkJ@F`?{4wN{>KJb=p!~KR?++lV zSU1mGo-}lO&J(a6*`6xO>u8}gB51c1dg$WK_bdW;Pk4hD-&=`ZvN!*vo*IcFqCHO~ zO}yxGDv*v#EpQowPADWNcqT#`C(VwP!uh=!oAaFx0(nzyV6Bspih3(#r zQw5(WJ_g5NH4JmmG+Ef~eY8NF<@z{#f1VZH2xNrlMK}o&9izgQO$B<=KkW5pPdZ39 zq#$qLx3cMWcE7Ki?`hXPVFUYgsIyV7%$a03lbSMgrLSnbGD}!MNKPCg^gW!zA8G_; z@SSF?9b`{O*UQ@%4RvCYE&ya6Q`z>LZcdGurgJ7)#FA4YNhFI|UX%L%u3AwmOxN%i!(1&rVq=3W)C-2Y$Q9kuG0vNZ72PnRpSisxdQ%b4AyHa1~hoB`B*B2ZVDispO* zarGU735{=aOqRwbnNi{W*1gE{fAm%dWHmKgc&Onj&gEWdAf^iVPVQ%b*ysiJFl_B- zUI$gLw@`9%T4kZ3wo?EsGO8Is(#5?!b4CL!^JK>k(Bax8Twa17F>)F?dBZLgGQfnu^PlbB}~N0jD;J#0ie3okaxN%ls$@rVr;L+1 z1a3PN(3uIFOdzS;<>k2&rxlLS2jOsZN@YwMQ>ag3xXJ`eIx`3L!0&0d8Ze=hKtT*V zQ<4cw2@?5uOe1Qd$`e*5=C2;bE_4JI5>5p3PDMgQXjtyJhCq`Wf6UX4VOU=(9kDZ| z(KX|XFA3+2FN;B`3`+U>=;eFjcQ4L^r-%DUmxnDm!d&QRZ7Q^4m=R9(eM$E0CY+pb z*+IPh^IyM2{c!MH2l(pnstz(iX-e(U>5X4}pe}f%h~b9x62irxKplOxsJ@}Qe17e) zbNK9OXMewU)Hygfe>mtI9_$Y~NBd8ocb@O}dYyiM(C_Qb$%vU?=NcmoQC}g70(9}} z@*M4IXnW@LV4#(b0KNK;i@&`@y9!C|-8VQP9HU)@y!P^(2|3{eYAeEO1>TUD3bd=} zt-X7ZU?FLAK`@V|Xje6-P8pd2i;2-Lv~B_ zr+jcgoYk~8e}z|$x!Xi$7%USR-jqRYE;ASwZ_faKpE^aq#*mAXyteB7g~;hX@`Iro zP~0{aPU}piXr~JFPZjjGwpsTd-L}55cMoG*+pPPDS6kK)t8Rb8aYW7urz~zj0B=#I zU#q1!Q4hv>VgOqxqVTcVMMDyt2_hViOcKO0Z6&pPe}i^f*j(Rn$D$T6xyEmtrijIWGw#AtYWP zEeU|#e^;V}V4*=xl%8ehh#758B0}djOWwuVHuKddp-ULN4m7}&&2Av)1{iWOV-iP9+$d7dId ze<8&%P0^EdET8Bw8}vk@e}ZN#CfaqQzG;kBYSj!cmpUuYh^Ck?98HnF&jG4VnJ{j1 zbKjk=O6G)nU~NOnJ!DSIYwt^wuA-*(^`JdwSIP zdc5)Y{0wR0Dumzl$ZlmG)qvM5F2L=Uf0|U9pk($6a_{6A*j3buDc->lfkq{q&r(n6 zjI)Rcp>tUM|Lk3RbKAC--@o}OaOrk!Wkl*>+39LGyW`qQtBGQHEhW93wBy1gB(b3g zmZ1E&j`y?g;6;KYC{m82zQoR?G6@_UybgeK4$jXD7AW%gm7FA$wWGj=^I%l>e<37< z?G2JdY>OsttD=ByC0q$|MEl=IvCYjjY=E$C*iRtXIS~4OGsl}4Q)~x=?w}L<_W%;$ z&6w2_5<2?X#)SUFII-%`!D@rI@E#!Izz_k48y`|=13(Z0m`$6s0r(Mwn_M!KvQ3`C zil^(!@zK#?kDv3U^IH=7M+P5De*xz`!u#kyISaQQK?+!TGL_o8f*Ao_;4o&m6bJ`$ zQxGW->bxO6yo$iVf7OY8&2%KB_42U&&41_DiUigD*_(h7Eo%WP1SYHN0BH|=r+B%9 z7C|B8&W-F+8=e6oa(DrELIJ14vr9R5x%M@^1^Urru@}V9&8adO6L;}je|i$Qfbqg! z%3oP_TG1*nHCqieYjL5?Bl>!=b;o6$4UVze}yraEq(`98%A^4h$UR6Xsyb zmES_nX{MZ1IJ1yw4vWawRAr*j`U+)@*!J_PN9e|*4f4H5W#auvf9UcvJWm8x06(0j zh!5Czfrzm`L9qzoMGuE*RN4sp{xx(&J4dU4vbyem*CkH^SQ?Pr>XNX;Nn9inrk7l@ z!!jcx%>IMM(A6}veXLK#M$+UWb&c29zC;7R&NOf~KqFHgvbu>>dSA6|_j0HI-Nv)0IIr=IG21ptmqe1fo=99O zb~}z=U;X}syV@Fi;2nW;)Hn730GX|oH3PX#iLnPP3!HKv866g8suwANkiNyyM;}Ai zD8YoW0O;X6&hIbhXm*^`+Y8tQuNM zq8jzs?1&auprJEmC-3Xy~ z4&5L!#eu5a5Od~P@B}rdG?Y6P#2tX zjjDXX<4>&oID)|U=8L!~{vZsMQT`R;TNKS!eljVRh%D@rDq^wr(>)3NvlUQOfEOUWm7~G4y7cL4>;G)3s5V4IRyVoJYohUg8U+8(t`)0zI7xRdG zv;{DjLzA>(GXk&Zlj&j|e@DH%{O`4ock+K5PtwzU!vZ%j^7zKTM8jmwtZk;=2J>Tn!H`PoQ@`$Yy2_*DqT;I%T80K0i;dI6}un+;`7tlBC z?pr^>&eztgsEt=DR}L~?tQZT+vqY{(Q)MjUv~ffPH+^$9(?;;-e_Z=47hk$t^$^(y zr<2PsRBLWdP-Au(k65LvKVplUF+Csb`cuPOALcjN1`71tp`7bn}Y=Z@T(qcQq zC$9w+^1t2f<>Y_2ebm{>|E)YQ^n`b1AKY||%*5V5QTNqCBd9o_05Luitu<-NU2Afk zbbnuru>E}luTwbMyaYue+Q7+j#2re=@;a=i}*MV#jy!24!sC|K09x|G%AQ)Be8_-a_|wT>Dx` zMgMm@-JJced)PhN_5W6$hX>%InHM0C+zbq{Ysp?Vf%W)ke}p-kjR8Oyp&5!I&mZzaqsLt^eD2=)9G3Pj}MHSs(MU$>M*~9i$wT?AxgfSg3?heSGX!q)LO4 z%H60;o<#_f#iqefD;dayRLxV*5u=+&rf*C=->+A5Lx~9d77;?TBwjx};Kme>@SKc; zK@{Q0*y9&~P;lc#IN%o&kDPG{%;yOrnR zq4fgXc*{P!v^Mj66yJyF)si-gvp{|DqQ%yj)(c}2`s~UW9a|9Of=+q?!;4D-Q1W0c zLT}7s8;Cnt!0dFI-EQ;fsM+g(nKJB{L#Kw>>6lHk+clf!(UI9Sdp*+-#cPBVq3ldp zIU|q6nM2w<1_wS0z(I_83Sc)Hpq(W7iU-;4zXE9j@Ch)Ilo&9ZDZQ_JNMf3ntgbm( zp1lD&Nty@-a|FKfn(PxzEQ+8B%!dc|*W;u4@W5_aNB67*(*y?r&Bn`rXyjJ&vft0y z{~OQ$B%Ic>>Hj*tg8lEXd$`m8Z{^WWtu*o;v3Wob*SZ#J5LJJad}1mlx!gLw_r9>w zAB2$?#Ir=Vz^;0OuZal`z(HoAZq(iYQp#EiP7ATb~hQosTb+%g|Y=3*&G{6a$H z*fNNm%@mg-#?3F{+8qO{S}s>H_Ye$RL1hL#AFRT81YNqMlrIbk0^W@gE$Qip2a}y> zBL{kg{ohgNaFfSqC4cbYAyt1T?T}o~FmtM+^op9+Fd&*H#pV|v#=;Ap9$wKMvyYJM zD|%dGK^_wzg8^MWAos^%ai$Fb@@lwLw?z+nC!-NFEkSo2`1h9>$FDsf@tCHGvt1f{ zzYka#d-+a;&d(-%M^KceBgmnWQb0cQV!8942s9}GEmWI;a(^7PKx;*!mhW8`uHtIO z6pZGC=dvsx&n+Hm*O11hvIb9aESSPh=4KERbux3DiX^XaOSPcuMy$Shb4s3s$Z+Di zk)*P&L^b&*@Y@QK9j)r>|R6CH2!P+P2w${a&ZnE~{t1|C0e~B4xMN>Fw74tvu@bpE3K& zK2ELesnbD;wOxs6z0TVHSDQkA>SyEm&ks=inyUqapoR>n)c?Lb%FqAfqn-U{E6+On zFAvXO(3{XK>{g@gge#DFA;YROV{sw6zZg2<%1W+(KRnozh-x=~A0PMf^Z)R8=l`*t zr^01{&v%WSCf%r6sr=?n}In32VM~8 zv@UbcZGbk&5S?p@&I?2{O~QC&H6d1vEsjM?2bI27LN-2sJ~s8=8MOZ6V`|$=22hh3 zI5eHD1K^dW$VP)32H6N+hKft+Is(iXV&=!ndcfVZhs#mp^o^du0$dfBc;6J{;O z1$b3|9=_J-n5wK+C2val+PtZG1aE2QS7(tax8(4Zd!Bawe@_4J?$OIm!TBD&k)WCIAHForWdfi9x{Q6XEPI+ zX6jkS8P4UCI4wLfcOOUs;1gg3iY$G_{JGBX5_$pXzfxS@R8KDPy|~vE{$%`ngY^sw zZu*8L#L`uW-79vHQryaX9bs|3cIF}9y+kwV3C{lJ0x*M&nxjRYPKm*IFYIrs{pAM%#mh-p1K$UN0*(l|EI+}bg z%hS=C)+{YX%V!?MnGP(9Gtwp8lDfQ!;{g~boh2KewUf12M77? zU|Z~lP2vc_C280Ub_x0tzgn@Jn42?lHX1yU3)e@_!oq0ydO$hYta#sln;`~IT~fAg zMH4FgQ|>k=nXj>&osQ4X2d7hAL)9sv_L3`A>h(DszngBzVo4br^LXYF2j8IR{uDY3 z^e&*g>`fRx8%|Eg?+2GZmX5*A%dK4r(N9mTLn4MYtU`@aYu7-S^AdYXgk$Vr{|v<& z4xF>WR6B0W!{Z~@tjUIdl(3s}kqY#>OjO8}(Qq;yoaYu-Gs}6_5-L1HX%SrU_@Uqb zIoV?sJkN8sz0y4xQ;~0r9bro3cD&XLaE8JNIWR_U6OdJiB7#J4#j;VLFggLm3mgH4 zzfZtT*Y0+|vD@H)1A?%_G);iqIkLJvyJsIY_=V4^v8Hd1PWL5$t8}NNc5>#gX>Dyi zo>WA-ZP$7eH$N~>=o(Zi_ULltZ)t=G(Nlw=;l*UL^L7m56|qC?4lhWpbD=6AL7rJx zcLppwT6^R>7^7QwUq{A#cQPIPaPs5T-7+jo;hVPa3=(OAI_Of(D6*fL=NC>HTDnM2ckS;4Qa6#gHlHfRz zCP4PwX6`!lnBM9#kO~wLTi$DzH@8{k-!#RK_e@9UdJfZn4l=5FTd^$Jl*Q%~$oCC7 z#(*q~I5Tk6C9hZG>zG!ZreakFkX`8p*Q>zw5tv1InJLbam9f%m;^Y^BJ+*|P0ICrX zH35zdX*}@)fkWePuNL(pbz#!@7`n_Z@h#(njt?$*-@;H?U(#{o$ggkEy)t}qemNT6 zMM4&TtkQuNuea?)%z-C$BgjsN2P+An3Cs%)aHHZtCunABn<_p(<(KGn?k3e!I2|_Q zH-qylx}4|RHGyHs&Y&s&h=Pj<|H`2+GL=mRGC@v+V$zCf;uM`UZBF`L+g=3{xmX08 z7sz>OrF3dmcLPnbP6wJ)phTVgMb)9Q@O8R>(4?ZH@#)Fv>ik62a0$^$V8c!Yvz=|y zwA=N<(B4?o(I(IGk*`o$QD2C&yk$YpoT7Z*GJlG?{&!1(?;_}+3lw>{o@MU4%ahZ=)y3d)I9_9w(^0R@8gyNc<7f|p8<|Rf z8?-T-vYIlw3sK}TEV4@4`LtQ;Uq0Hw7YlY!h&i{2qF-@ai<91|2>tf^O`Wij&G z7f!7vnY4MbMA&;x3_o2z&{X%&-4WS;qMzOqIXcCz5F4P)Jc!^e^murT7)J3b+ZUupS^6Gm5`6wly72rga^Q3qsl~H|8M7Y$S4PW8d3qf8;E)E6=TeIVtaPTu7H~(l74`OebH)6<9L^8{i=Coi3(-VGZX# z<}K%YGvwSmv;x`=PbM{;s3e}y!Ce`*bX~X@i&0b(CYOg^b(fjfR0OLMSO(93~EB1vPv&CiJw`Q?Tn{$EoDgQIbBKfZ=e?nicU}MPLKU)qi{j&>5h1n+$Z3A!-@<#M^%H-hoA~Db-z(p@M8`c> z{Fj&AeEf&@%boxCRvzvBZ+2p^)Sfn#5t|9ZHsRkh;p^Egnzbk)yAUvclxO4lpX?0l z-vOzZ|D9eZAOGpFcf5=Lu$4zU|CM7w5(FEC3$#QL^d~Wn;2eSeD>lm%?|===h1P_TX}T%e-k-CyV}&4(!^l7pkrkkLB|WE{nBE2 zEC>5M6zHqum#y5nDQ3^uS#KP>a6v~}QTs*n#l54(rE_@7&ObnE{ux?W)X(H33p;lNDMRir(^=ALY)@O6ZjjojZ{E7VBlC%;9n zrV##b`7Ft0e;hBsH39@Fz)l&I7s&@Z2-V<)zIGt@WLwJ^j@I$TSfYhdjN({tkgb=vJh{MXJ-{%_|gjsIfH zj!s-8dDsyuiOxKRJikP)w_5hWTc**;huUxW*m`(3}Y|a1cgl=G`He>-hiCu)#R+ z?^#T(kh26r6j7mwY{NdATuoveA!84m;^h(t;Qi?YxL!mId+vY5E%vVnb8BD!D{8TS z<%`986XY7IZF!JzHh5uYX24T5tYe4o=SA4(z4-q%tb!|8f5OPi4Yx{%_;i1G1A1;{<$< z{3T$WFa4XT02qJqF(OlfrkngfPN!QSwqn1c)v9y*K@Sxnx+y8$^eD9-IGatql`E3Ow z)G!QdqsKT|#dwYa#9^%2EjwO!8O{!@2(AAIy82lzb_jpC>DZmF%JF zqg#yKUt3A?R>bdxke0~T_``{a4d=f-$MJF#-T%MUng6}K{jYPloB!K+9v+hE3{2MT zHji0naz`)CcNY;S@`73a!eXgZkR&mf^oBQV6t4L0w6Wh_Y?b_r3qy{RRCK`oqFdsDYCt4@ty)vB)Z5t%Ye}O;|{1 zdQEs7L@bq@B|(8Bl^^Oh>;BT+jtN!hOAN6|w)IT_S+pr=VnEzAn&bX?L`<;AnnlgzcWvLjp5Q?zG37dowmNFqB zWnG+07SL2koFqf!rVEcnWATV^Nyn7LLzH1IQ^FgI#Z+VoUIZzgks*4np`sH#3DLQl zgpKva1k0Q&=AQDbpV5`qOWgfy;(7S8BT z7T|o)!dd2il6XRb!9n;m9JFGRku)Z0M2Q%-0;EBzUZ6Npy~Rn!1eJ_0hGrb8g5`*f1mSakJfaDeiw@!>q3#DxValeFinOiN~3XL@x)~QKN2dW2-Ran8$#vzg>yM&T=j9zlcv^mTdU@QU^$QU z*xITSDyR7l|EKueifM(b*cF`+A%{pz@!;@i_=FsP48~8Rr||(E#L<%{`{VxO@zaC& zsCRG>J$-!Ge-e?n{}ji)r-Q-x;PL3m3lviku{q%j)s~EK z)ea@tK=Z_uTKIj8Y~`RZ=B8nQ~!kr?rE= zS)f>VZwKKdL1*Xl1C((($FhJ3Xw+LAMI=*wdv-oQLa(163xqjo?I4kn2!v`R7?M+e zEDemzf^Qbe9d%fYX`=qUh;FLwzgd;k`6N0ilNl?ZT8ZBDzq0ks!hk)0ih|MyVsvc^Y7YX6d z+2pyZGek5UvjUKw|64-(7Ag%@DVl0nB-LxB3_x-m(R5;KgBor6 z3`ej~1WDrtIIs|#AicDe3o-W>OeTbD*kwp&a}Uu4A?Td5cMGLYz`Rp^kiipEsAa%4 zDn|g@tOayk%+Q!*30tTMiiA}A{AAH8o?VznN;Os8Nz=*eEXI12vbCxKdM@SL;wIFEM0Q0Rj01vH&CyHF{VPJI=?t??Lc?IhFo-{>J+dApqnX45lw$lJPCk*n{sNQ8uNw5<8?U7 zl6+!!5>9ZuP%SeiE)ut*ls<#G6qjbsCC`OKoH2=vktBaG0h|VOMsS+a~ zVNPQb+b%M&!xoK6Dydumtm8DAGA_=ay%?eoK8{#RLb;Nk)HvE&tsV3~EDKef+Lw;X zpsmEzZi7kX`21{ti2jTEhBMl#jP~EoFVr5Qxz>~ba}IDu_1Z-vGG?5>?3YrFUxcxiAucEmC4%QOs3=B11Ij88PA5 ztb3dw&n60!B#w>L0qdcaDaKh?P0{<`Y7i1UBFVDK&*5cJ?|D%;%aVmHu0%YrH?<-* zo3XT7%@gx7P8p|iagtym)c)@FFl+fb2i(ln+l=Qk9@$RjDcT7*4co?kOsNF!2j;+5$`eq2a*`r;b1y17uZ_ zp84G#4!gag!S%kh3k4WH5mKQ4qWO?EUpcF-0vBbu{!(Frc*gQnsx9y2{58r`y***M zZ1^y+X9FqG3Wphe1NnG6h?aH(!u)hVXJp3sVh!oK&>iW%4cIlrlWa<6gySSo`k7n! zOA)$%^2n6Gx1rby@`_feB}L~XB|@C5IjkF`xFgHu1<13nlufS~#X_%Q=Cv!a3D5 zC--Tg#2F-%FijI;L|i~;Ncb_qL%0+dOHh>%K% z6H|m!#Bw=ec^ae3lXCzQu{71HVGFspC;H)krEW3o(Y=|t16rD{z-nGLAYFsg2svsh zr66{>))j^$PDGwaE!hY}<}?B`nBtnCzTjv|yq2HZiYMyDYXIvgY9EUBb_CgWZ%vP> zxSE`&y@H;_qYwBYOzj=^1+_ttt+nH&vblIgZWG`hh&?HCfj zR&r8jN~3GW7he<38TUaMGvMwOnDnlH5aa0T7s1l2y(ai&`=0@`d&S0MU6ZEZqbFB; z=xl7KFud-d8wvsxnS+Mr`dTe>fRwPwM9sp@J^`=nqg3TRehr8 z{G9L+mUI@PmrRQQg|Tr13fI1$XV zoW*36gOZuBi30Gwu0KR=HXgUZh{2`s*3B`@2=#Q?goLs%afaxi|FmD!wGk(4Ya6)$ z>i3HJW~HyMZ zW8^4Qv*uC%u-BVC>L5VvkvUMK4iAT@cVDu*?#jE$>j34W$mpBWw<)MkD2s33wQHfR zq#l617HWfuQJ%)cdilKic?#h@G#;Wszc+B)mZowK{g@g1Oq2`BW>h$TgR_D#;VjQq zgGReW!Lw7%oJR!AnM(MgW2D44wTN+wdV4K|CW?}v@6=bznL*z8g@DYa;VY3N!dzJE zXN)B_R&Kx}Bwiq_)DFcb03MboAy{Z|6Qz(SeVsBVKXMWgI=7b5i?i=8pS^m41f8f( zaC?ZSIDl`Hp@gLq+YDoW|9K?Pl_Y#-JR;w59FcQCX7rdV&oKC$j!CqL63q;zj9rVu z{#O|NAQF&8q8qU^BAJ9QCd#Y$8YC840Fb&n#VdHQ2UryIoT)~ut=qaMv^?SfXi^lR zH<-$App%}xqlGHgE00qLTJJ@0`KD(zC~5~35_5_2RMNzoE>vrO9AIB=A%qn|W7J31 zG<{}lwm+s;VuY>Do9)&)ujULJBbMP`bE0=ZT?AdcxI9O@gTv0@lgE3;;S!7~7t$1X z@gEm|dyaPZ_j^Z;@4v$d;TY{692^`p7C2`@PB;N5hX?zE#zL=1Oa=!nRd7fk*h6gp`;=_8zrP;mgh>5}XOOnv52gB#31s^^{eCrg*O1R|%0M?szi?CYD`)YOvS=ZL;W~C}BdaX4QO7 zW|*exmj_l&ZA+N9MExms39d~&t+XfIXbU>%Lc3H_hORDPbgqyf35ldYSh0Z+p&wHv zISf%7CrN;FIaQN5!ji=84j_RSd0Kge+Qwl~ty8>cs1uWPq5k4Lrc$@T*C-lMDMd^d zam&i+FH1^)`{tD&o}CAe5BHH`b93UjGL&+`FexJM)XV_yMq<6W-~)1ACy%TC>({6s z4xVZTc{VmGOWZ*rjCk0{jI3a!CjAK9uwXOQbX{n&Dq7CV63up=D)y9T+Spon2u0`= z8sC!T=CG3dVv^vhO{&rIMN=v%PEJ+%!mQO>Y8BIeK8KQNYy-qiwzNjfgQbW~XRHID zDbM`vP1i?gjA@c{ayjKhOj!~SQGcL!jT1vI5l9Cu0;k9bmz0Q-G2u})@Wb#pE&pmo z!{`VeP;JvzJKOR3nG%jOmI{J|RD2NXBKxBx)Tsq;JJ)I$z;aOzu@s)o$R{c^FiZy( z#-e?H(Ow3AMC1+8j83VEFdH=zu?|a|5YId|tD%?~(KI&mLHnnw-GFv!NJ7hask9=R zgT{$z5B&#;_d+MOj)`i+5ViZ$c40Ns{iwGo+owv58Q32lfl6iKbDSutOm9f%XD`3g zZV%YBVjaaaQ_8hcY`X)0-1X<0knC73urmXH4T7{>hc|Tj4V6=x8jPxXpk+jj+^KZY zb;@oM5>H61W{@=}S~|)*NQIW_&^uN1-g^fk`%3cG=k6$H$h<{QS*yMaTBw@#&r&L# zdH*NODb{Kd&7?JfVK;?!Jb+{l5V3(LAv(!9C#g&pdIR>c>bMP_r-)EFRk~A(9;IV{ z`3N!nJs}euEgqp6i-|T4sBeJPTG(N^>W<5$4$&CV6!V3nErQSqU46=g355`OrbJZ$ z1J%i#@B+MTlv;15#V=T_7NMqTnG{StqYGH2#5K*(oMH#2D%u_%J?yPslc{=qp~3iq>k=C-%=4OH2!3wgx?6^`sR6ecxHaT@wp{>!zqv)f z634XOz;6jzXXUR3NPQGj|8gYr;+$M~5cVP3h6(a_Os)Upf<(Taea`8eCPZ;t;0vIU z2q!0K_!(yr5kkk7({xHW)sY4EY@43@Hh@ftTS|%?Eix^eh_nbcl`)5BCr52hDddA~ihlxIpwyzF>JO&#|1E z5M}ohb$On83*AN}7Aq=vr+Isju;^Mz4<@okGg2&BHL}WRq+pq3DZ+Z|1ty!T$x+A= zO7K+Df{XXDVXe*`pb3nHx5OC3l}glaIIlVo9ZVbyD@&;1R&HU{#s5HHo=iz^ZnQ8)u!8qhPSGJqH(6MNg1WcNs?)-yiQ8W?7t>s~py{ zG=x>6e)7X>wLR4xgy8xtnpV4j{gwwZW3dO$oLm!s?(_r5C}*eJoEv+6b_y=c{nnNa z%ni_N>&7go`c6?5K)|9u>{YQusjtp^@5m9E$97<*NMS_<=l?DEDZnwaHY`JniBudj zER*rdl~MZX`RfjPpl3Z``7H=96F6+Oym#f;{TUHc5`QmcHaG#Z9K^Ye^0Ah9 zuL;S12GiQmS&)s1&Kb-^#Ya$VXZ0fc=F!cRCgf)tC&al??>hz;#L3EJhG!?1-)ww# z!GYR9!M9TE3f;Z}?%vh;!GAv z^`Stp5E2u?d~)pex*{S3y)io}GFvIqN0WYHNj?J>@{2awu8cyESX@Kgfi|xO8PjGOu9Rj2LT`t=72mXkZT=8txv-SK}Jf2BsjJ_-1aqqXdx>FnPy$8r{@lT zpp`$6HlZ6MyoeMdaSEnto=ilm)ew&ZF~{yiHJB8Y?uo=Txv>Uw><$qbZ9oTOsd5+B zaCw=P?^wBg=`pr(D*5xC8!YAe-t)EzV>n9C8tRd3La zjU4}875GLK2m*BB9VM5{i!}l(Ujd4<^cOa2RY8lN5>h;_h?1uPJG z7lD?kO|nL<8T)FDWeH)cVJ16U^r`M+z2|5ZntOt5S&y$$B86)!A-;EYo*+0b(CX zSwxr-iDN8rsOa4aHk_yy3n9tOJ@d!S_1upm)%6>88-v1I^qJRLrEE`uQw(dZI%Pz> zWb)ZND&#UyDGlrjSzX_G4!zy3*)#zQTrEYn@hL{G9^@wc%}qhGNR0`Vr09E+%(O;p zGlwCj!%RxsagCB|vdmC_@^Pps?bhbdIxKQFMkmL-4)Qro2N`30oÐv4gOHG?gB? z)_mc}E&`El%N&P%b8?Iv=RReT7nbaoYY0rnf$jUfa;UKqA}LFMVTKu2?vJX*29%r} zTSgA1Xj~@En~Wd10o@&!F(Zg@pqN^qC<<`k^{ZRe4dK;ZoBi=BolIZVa6PbY4!KC{ zt7;oGbVVf)D9o%XGBmi+$8lVkkxP5><&+?QCV`9AkY(1Kkc@-OXQ;qxnqL7=P-|V) zu#2ZoBPdTnOu3?e)buP%OGK7rfzLO(y8CW1uy&*WI7grFszy}AQYEakb~X^yOPtHs zBko&`XfVF-Y@<<>2yIX+Do4VX`isr`x;J(U$+raHLHNCk@cYHdzN;j(rE~0a3u~X4 zu-}#3R$8o$qFcGdgY@`nQn~$`C$R-D9?zNg}Z>1h>L*v{o@G$`niTs^u z$;J6n;YMVCCBf!PGh~%0-`I@hHL7eDQsi8+gm81-r8=su9T?Z!jH=KsVl^Wn^PC!6 ziD@bWoW_B4NV`kNbf+j(P^%`PO-TN+$!(m9flaBtobJ@4acHJo&J##)V+Dtdvl)?7 zk_#Q9kwygVmSR$zvwg2s6n@PUyCTmE2tOL(44t!o_ytR8lgw^kRFXy3GpjejeNzA~ zy0f4vu+m`|lez9#`=pCA+TEGyx-^}H5#xjjI1V)LhXvd{7hPUGc63%d7(64A)2NhF zKjJt8->m*tocZndTw=#Fn?GPIOWAvL6^Ii^V-JXz9@4>Bl8QNFF)|HNMUx^EGeYGA z?dy7fzZk(vjBa4haC-e@q8trO$DHBL2ld^aez3ZM#`mm9(GMPC9cORzMw%3nE*`P0 zRG<$=*ayV|bd(|@GeGa(qwtl!FfS|=nBRW$ir7HEIsHe&Q*+UT3u}8pIcK-*I2-Y& zVW6@TyV{2?lj`<(V7py5I-mRco;!b|Fd^=Sh@e{ zalb!!xc})>lbanS0fdvm9T*$=86*?bhhv9I--y(X8i?oaqD7vkz9qwg`GAx39Uu%X zpaNwO+TB7MUGQj=ARbG9J!kA%(Pu@R|Bim5g36{VF$dj=P68T0@F9u2zkjax@UfqD z{9g;20UzP$*4F{9yZ`g?pmP7;pm#WUxc~W+e1ae--ERy7ZEtDNmV@gjpi#~Ht!tXb zL-dLzq-CQahlM;0;?dF|L%1pBeO-Js(&PL0fwpmmKk2(C{Yy`O&~LxJe~%>l4?Igy zh&~|6=?r~9DNSRNN^}4P0wv&UX|!^ywF2*M>TBD(OGB?zXbzeLqeUBq8i+owL*B{2 z3Ce+OcHpg>F`f7p`r&dhndgbVWff->5(kJOded&dE#x@=@zwFKc%St9;*izqHhA z*JE!!`8VVfPLCT_FaG(%uolNRz033ixCg$txW4qRANImtKw>zOXS{Ntsw>L=VlHkS zevM*6vJ;jqY)du8s!;bUp!M&^uU?+L{O+I8F(l7P1%;!3_TZ2*hx)O^O6;F1q4o0l z1-d4SB0Cx9a~*|9mJaKe2=ltighOe71inkrQ}Y$5bj7X^+MI!0>7oe9*Q z;jC>N5ZZGyp*|HA%0!r2rlCKpHs+}ya%G*icE+_GLN#{l(brTuSHrZzaH%_WY(ySlXpAao>xKR^f01!Lydy|($#lMh-hd>u|V6ai)qHT zu9T2?LW(kmiP+bTtmKPRo!0ID-YM`~D*>zb|G~k2)&4W+AN3yg|4;H!`~S|)j`|;+ zdRYXDBmdUW3dM}5pqC#g0vjt2%f*Q1y*u!x-YtZGhjQ&NLwabI|8ZvI{E`k}Gma2h zQ34VwWV?ev8R($)4VKZg{k95pWFA+b{=!DL0#}EWu~?`I?nYqs!`?flzJq7?Hn@tB zs$(?>?A>R#0e{2zb;58QuEJwIdA9JaFhz{<*vvt*5bBt;39$@bON<@@okLlD%iOq{ zjn+&*l{ViwMO$ zYA@+mfD>T_WkS*ml8i6tBqi|);nE=3Rjg%C|Iv^3(Eib(YtI<%rc64D*PL9~Q}yiZ zff&w>XN}*i;QEOOWFr1l)8}4H9CDG7>H&Jyk+#oeqAE$~Oc*%6K)a)(1CmB)7wG$c zON2u;Klb)2FP2UL9m%T7Yu$5QLETtI34}|pq~r&(*qjip9B)8~Dd;b^rZsG5g^htM zvIn)7!d5{1IqyQhO;W^W)4r)r)5+g8u9H%n(T1zW&{>!V%?f55?Jn&LKR9u3!*bqY zug%(uc(f9Z4PjXwtEyN2=I}~uY8!HYOla#yL>XqjIc+}h8inr1AAynCGY(2bSw34m zHDLKU3(vf>w3BO9mso(1xy(W@t>O+18o7jd%c=DWtly2)Cxg_}?QYw(gN`9CbscZ2 ztj8@%msX`8LVusU-T>W%+uNeZn`3UGkIUIl-@mtTnzEy6K4UrQD>A3##&B4FP><$) zrSHu9BO-BMYgSt0M<_67Y;4h!SI>?wpQ+-n&rj92w?Nw}MHt?e(cvVUVuKXE4@}9m zO0%Fbc{Uz{2#;Q}l&lx{v=R7o3Vkb2rrbg1tG4Vx?)#GEzQzMg4UC|<+`UPC74S=i zzUFfGBJ)+eGM`rDt1X(1#J&}O=P36!E4Gc$w*t&}Nw^@7~I@W+t)mK+4%fY<+SWj@`Ks&Aqu`h8WC^UTTblFb)@ zQ6kK{sgxO90%IST%OJ|PHrSUlBBnAC%`f$(ezM{kgTAdfa6uCrd9MFlljW9Mz41Zcg7@5Vbhlgg4+H;yk+?*OJ=A*n6ETR- z9d!8xeYS}I{YdBk4tj_EgX;OeqsP66_}@?QxmEnHeX@BdmXHs=lx=+}A|ny_Ou(mN z#4EVWRg~u>FObLz?A|4!T zx1J1WK3Ul((!p+IR~X%wr^hdhX+ zcbHK#{O)y%=a?pHyh@=6#i9K$s}ECHuBizV^_TjRQ28WR7l1b&*_XxzgpA#kHhfR)LJtTCO)V( zf%QVu^R(Txs*2$_YKnL(nB|4!Sdz)Y@O$%X*gOq?8mnzL8A?B_G1K(6w~k@0RM)cl zKo&lc&rJHGp})X)AubyICA>6n!*8%4=U7fryE$D#dk=^fQ#?3468X%}n0gz|v3|@v z0Byi+d+JFAK&j(179STC*LC`nYNwm7tKB+bt~3v5I%0Wh1^Xdt<0J|4)C*`JaobMi z(sH3E`z+E02@!^Wv-S7Hu@l*Nu*1z3pb!yG_?cIKv~F zP)U_Uy&Ka=qIS$#);6bk+Q-kIxA*pH%s^==4f9tg@4cWgi7+oJ1*^DevAi71(_HYJ zlQDgVb~(uimgq5RqxRkkJ{2I$C#6Jx=S^ElfC3!H{Oh4Jh?}Q{bXX*c{CdqM5uiZZ zI)dpS$g>H@G1Mv9LB1cn)^Exc6E+DFGAGH`O%m#JHhHdI*6Zjy43<^;7Tz|JXfuKY zIweSr&T`U`G6*w=gBVhE`N(T2yj&fd`YVu%LDj1^qy|GDkeTUd0|ZtgVHy5^H75aB zvpo2EO6r%u&l-D$X7i)3-@o?{sF@40&d%pYja9OYvvIBa&ec<|0dPG+RiGFbhhx0S zS$Jvp!Wj`$5`QmcHaLO92IrhfHp<841pPsv3xWY|5a@FWL54Y=sXjoG{hMHElR91? z+YDEOaHt+}oKDEv*5Ej%>KRUdj`>8Cn*id+eIX+6GQug`CvtmKl~Yb@+w?4*Z$+3Y z@1Z2=d{`F|w?kiPfhR~75@fKxeX+* z4VS(%MwA9F)M#aK=+5&bsUJhByeg?AwF`^%M=j>>i1Z)XGeF%;-*f1HJqJ6y62!d6 zN@ArrIVA~R6t^1nyb>D@cUU5FFD&1b9~|h{0IY6Gyga$ z3L|cHS=Se=XQ^EYsjTXMu3`*=L^-E&q56WnEA_Q6$Ck%H3A5!V0XlyE+^T#w< zykbm#OA{g%LXw$xZI3CIr^n(YOI5Mvm#+ok&5Y;u*=eoQ=@_YPji$1}=kndz=^pBp zM+$J50L>;O-!&kq^dLfTCEhuwbDEF|c_t#9z<3n5IeERU6z6k)oo%4ph1wJON*feT zHLF}Igg4~9_&oCOoy0a@F7R$@TPh8d%G_QCSb^%J?EIUOeUJP7pK!x|e9H~Hd6+)U zM%}oK*Y4Cda$qf_rXBn77r0|T-eO=r^-kS%gXHaY>PAQpJM|xGr$%Vbl6*#9uskg< z;+cAKu9w0b^DfVSQ+I2YPN!o(Zb6qH+kq-VBFt)i3C@;nSy2dnK?HAJG=pyg;cDcP7XM(pjkb6z|;|>a$Z1u1rL5 zO%`7_jaJv>$XQk|B3z2)H6t#|U26=1#+WVYroflxO{HUhoi*_O?SQwkPCDzM_G8xU zhD{dt3WO#JRzvgEXd}paO|l-QuW34Fog2*4b_3+?<=nd%L>sf*c+JSv7G{UGYKnxH zO;chGm=EX|MpM-8wCnpxqZM!|+!dc`K;yB6V#KCukl zIGne!TGj^qQ;XXT1bDHGrAnK~+$+F6NZt>UccbKOR`UkZw_0H*4Y4ZzgpN|GFVyy< zahCb+&2C?)^0)WnYhgE76`kRkj=lTjihzxXr74Mjr1~nS1pVNmX3_Ea85%*%HN4S* z4^$x4PKQD=^MaFKb0VbZAi>ZLK{&a=3xUKn%~W+kEG7u*GxfKKFl?Q!59tzsKii7a*)dsSU;jst0Pg?=m3ufUNNr@gAFmp1>`{c?P`ttj_-1X#eo` z0M7}3r!01$?f~iA$_Cg*gWg9EY-#TQf=bGO$GaH6qG;`1C8Kz?=5nMXa2vSjX0TTz94@%4A6c>$hb5uT8 zRCP@(<((&$H>KSDi{){;WY;7;=j<2F@HV9u+0kpD1z3X%q=I)Z)Nh90HfuYSpF5M_ zE*yV)k00`Xe2Pz<)fmI#_iEt3Q4>5c$LMUDknio3K(D?zK7q&glWoh+MK|Z}_kiYS zzv%B{T=f0XvSIxJ2BFAM)sTCtshyi7vfBFMv!xw*U%Bfx%R}pv@x_hQhReluU(>aO z_k54!t(MkSc_zQ;5vi`7RoNZCz$J9In*)D867TcQs`(hcj1g}Zi?_Ws&;$6nC7XxO zCZCPv|66DOTPy!R?$zY~-hS`kLH_>~pS#HaHPIg~o%VJ^&eDHlqmRaDmt{>TGuJO7 zXTq1q@9#I|6icI=bCO02>mhzcvIIw@RrM9Pp16pnB+e6SgcRoI5Vec`t`+|6w|0N4 zYWXkKL@}1+Ed4)NN>ICZfcl5%EA?L+?WXJoeL%BZ$WtuI3l`Jy0=55Zzc*{|q4w*` zlXd~!*^ERUMMQ{kp8OjdiE^fgUJIdL*yys9U%)?PUCum!8nO?dhO_Rsn^O%nw>h=m zIK4JLY~CLYHtjt=B7W zdIqPt=4KI!^Kp}RNF-4{0r?#FTWx%Z)m&*%AUD*xTV{kKN`8yxobtMXs3 z|M0VE9O;w3)d=c@MUmzp96D$AS-A+{+fQPH8?(b@fyGid%7*E zEH16Ucgw4y>M1d6bNQ1d%D&|lI3N9@my!_}rx6JfIwop0zRn1_6h5BVHjNJiIrw(Y0P4}!}34WW7-$ZidG z**%Fi%8F-hErmW?DMMH4eS#}W;X2aZRySXkG8Z*ASyLeGaIOYOG7SrE7+-;hZ93a_TW)JH31$Xjd>qp%KWo=Q!R;|JXVUjh1s2cNM#rrPTB^A{J=Ypd6+<3>B9o*lULNB_ zMR`sSQCq2u+Gtz%IpTOmg`zjOA)_f{*P?{vZb1ayuZrDN31CJK5{SH$B#lX2vdKUk zy-c}h;u%Y+Wc>Dj8^CJ*-|rnguI2wbJb2*$pX37yW5(hadXSao=mihhr(W2e zVoqKK<6xZ8W8sSxY%+CMQiN5dOy?NUMm9 zD_}P4LG8-qH$J_4&vv~O#(jsFHAjHhQAs{~0IuuV3makvyHl2bG?D8~qFTL@3-e%I zJT7|w8w7mEFNoUx#IrQc77@(hjRVTEK?17-jKr>_4)?S>~1fOMgqW`%AL0=d@y*E^`#{|1AD!w37{r}$Jv(sv7V zX2$ySqzS$I0 z#^NQAmVf}Cmw>}s9n{8|x%;pLv^Zz!(=Ukr8DlbkW2yZmB$i~HC-D0gO)AqfGKH!a zHFB2z!bVU8{%(Zm^JKXEqb{MXQ%}~~u|5H%pGdRa-tHQ_O^0KXRGoKEgt@x$_m(l_ z3!N+XlN8e?<@n2#35kYZqm0v3jw{v^*ZS~ZL@4G_dr9Z&6c$*)nUM5?B;yM@NlAP{ zxHKq#AaZ%n1Te#+J+yyx=-Hii{g^rvCTFnQWMsMld+64w^C~i5aX0y&Y6{(p4M>NC zmLoG%U)qj0sqacr8oM^z9nkle2#0Eh?Cn)vG*1GZM^6i<4dk#M<>D!eubS zDV`8sL{|k74#u3#DxuS>fz@(cY($7|&1U2nmc1cWKIG;3H~t{3%7v`8f|V203wT?9 zZkP5C3O9Ch-5cLXUkf1y0^640%axYG)`!RSLNzz5;xQ+B>j$;Xbo|zTulbeb#joHh z1H+?1g_`%3<}~k*h{S!Ze`$>wp#ZUe%;xtPqBp30^6J^~<+HZ28rStxcvbzV{wtl0!I zpE|8%3Hu#$OD=)+kYMs5lh8bCEVii<=#Z8*U?7NTKG#@79ANgj@hG}-M2Pgj^pSAH{BD+K8 zPyJbw|MPJFsFMG!|G0nnkpJzIlgK?!e`!v=85UdkEb97nlrTa5j;XwKR>oS;8I>W} ztX?r@yrj#mPsVZrRJiLc)*GuzyUQ9wp3OU3inuFhA2ldRd{VI|2I%Fp%b$-=U!1*k zzg`{xy`aDl0O?cXQ_iwF1Z{PkG9h1TQ%=zg_3-Tcr2OFg?6i0w$a9+J@AM?$e|e&n z!((xrE?U0%vDKjDR@-O+yvT)ot+ArCi*@&V^~)yJ zGcb5o0r&;0?UZu(p;h*laRMtbP6;v{2PkGY=?&)b@%fp4tM8#8sr(5*pCp*hU~|~` z471)0;MD92d0b>4BM;T*JKq0DZ;6jO=uvUV{89C6`J;@*cI&eD06p@Lmp{srV?Q$m z?+NDe8wm~(zU0%a|AkYM%(OG-9&oJD|9XdmO8%ez;ZgtL{Ld%(?4WZj zCE+PJ74?v#n<+`rD5r_y`zXWFHJ%U=wsz3vlnM~xz-cF@BuUUDVIys&q3NUpsRAXP z69~5Op5rub?VyxQfYqVh3~bCK)|~vG_d=x91;kRQseedPl80LKBy5GJ7e8M}#!2hP zzrTF;>Y}AIQpNMpPbU{Brd+hb36)*=SGS@Sj{d>B@UML^opjYd_NSPq-2%`EN7s3V zlzJ#yUxnf(Ykd`t@OA5}P|mW}SN~UQ2mOROWw}6Sr_V$yG-6XLq%px=U5>L~epei( zdHuh7c7J^O;#oM0?*+%|_5b)tE%x&IKX`n2^sxRv#b*aK&VW|SCZL_rIT2{Va>Pc0 z@VVBb7qHH$`vF&$7$LSbW?WU^XhtK>?D1OkzyIg|(rZ0sC}J@|(Nrl-PEikAt$%*w zgwsK9a1cHX2XA+$Qf6YU@B?_P|4I< zkFfRCSKqT4$?${>zxoROH;bi^u>ZBy+Sx&W%V~5CVE`~>F^h6g#XM>jPrp!jNsPYBX-wX} zndrxX(2w6jLiQ=U30tji8Amg<6Gd#6aWYl9)0~va?I7I_m{M{|kj2-EStQ=Raq_kL z6+-LJIf2P0sPw(-JQiv$a@lI>W1@(rLVw~UQAA6%uUgFuar z9Se7L(989_x3FuXhr|n!$ zjOjXnm#++8L!c8CwBhDjaH9Hz8z9mgZY@69RNm#vzfyN`9q`=LY zb^Zk@NqHH29eQ;Ll~b-jC}f!rX>3Avz}VW}I~(!+SfXU39Ae@MB3g=$Dr-`@q8LX0 zTpcQOpG0hGLm6Du(>coBkHTkP`+7n1v)xkN6(nWRXx?tChFvD3E`zvwSc=U!sLX2ZFtSGsuNHX6H$IywJkVh5`*k#$a zHgx9TR6!PbR2-TBa0EHYu%obqtA7;!oG5g2erw$0Zbg_eBP?r`u5Zwx$DRw1-^GHF zEbqxH|4EjSfcM;%LV6-2UnD^!CDu>VqJ)Ok^mC)7QAwv@%~M7P!>~0Pga2%`RbNLj zuqsnwG)R~P15GSTh|Q6#jh9ObNT&doh2;Jt!#nhY5rQc-c4s-zQ2I-`9g}UNKC4#W zvN$P3aY+RvN3J9kKQDJD7h~t_+Z7kge*fJQd0sjaH6DfbKV9!!vutaM^0mpz#kR!z3ZA&q!Uyc=JbX4kcTWHvO2vFMAEF-$!fEO@u<-P8L@csOXpNV7w7^lpyEC779`P?D~eJQ;9T0D`)3(19eZN;>JgnU0p1xLVmH7#0+V_PI+$kB zOm|xOn$%;p z*B2yViOq4#9#Ggfc8O4{qU({T$U2m>Kwx~U)yn7GRDSjo0Gw%uw(OQa%jMUCQq4nT zxGpxiKr3psVG(iV>i*R)-WZA8(pnmrP<8M5Ea}|~D$ifDiavucC*HMCbqtW0el}uT zAft^gKXQi>mCX%WhD#N|qwtj$t4+$$_5C3_K+vdMU3DX@L^-?)^R(%g0IjuLN!9^* zOJ@{!boa{>R;!;*ZX1-uLYy{P zuC6>HZpdT(Q@T4cMG6iC9r(?0pIQdvZu{h**>-fAR02u%?4*(>=){qSC$~yk^V|8p z(gR?Pj$s9i+`17#bp}=M|A8iD3oils+|LAl0jK#huzO!#ngpOW4n>b+Ulw1$R+np5 zk^8EUmBfkT9vg8U`iNe@)U4u#jNSvkxu!EN}jzWb|Zax0GsU|y) z2u=E#n1@OBG{;4Tgrb0ZW{)znszx=6Bxhie(appAEb=NDr)C0>F3r3%U}S<+B;-E&Gf8h zIPib1gi1=2+FD#XGZQhT3-uV6qwle!tl*p3+1PLpJy#}09;TT4B6WCJI(eMDCn5EG zq87!|TvHe3JS%KkmnpwCrzw>COQG{Ls0j-~)={A$i%Xg{^APKJ)t;zO5=BuAq)-?9nj?wE&Uh`V_a=d zAD&Zb9f$&I$3l_Z6>+;ac}Z3y=yIwgN8Fht=g-=LR2JactWQM}^O(dTuFvSD&ub-o5TgjWY|cB33|s%FIH zS|PngtY`mqsKxi>_8Xz%{}Ih*iweUSt{~mxvRs|~RJ`6`&DdrrYI>o1^EXIN(;>i% z4%LDiPD*K#LITntaU{ENI`GMI6OUnT%(Vv5je#VER^YNpmELfOK@4bkCRs!Asi}YJ zUFskv3Ncrm%a83$yeG@!`6<(gtRcesp%_}M25SWp*v@xyVB5Jj$eh9IqT0UaXOGdi ze!CLW;wO|(3a{*6p0^o&3|{&dvfE-sOW2oE!V_-oHD(D{)~6b8#LVCeczJCQ{wDaX z^<2%RG0$ugvx{qlnh0c5e{M#Eml3Y-H-EbYIR})$p{1>0MbTidcwi((VMxjSgpwx@ zs>+4qa1ZWMM30PBm5!Bf>Q$euTy&!l|K3On@hA|kXeEsl!VJTco}b{?9?~GpsP_w3 z=Ta#;lTy{_O_%Qbh_iJ=^3ga!=$>`>^4Fj0ys3ts6s{*!X=Q*lK3xd%#XMEN#cqQC z+@8C{q#p9F?#)a(Td7&pVoKI0PPCJ;)-yj~rM`-L2W9&)6z2@nZ&-%q!tf!SON%S@ zBk}9iR*=i;zmX`J^$^{6W!&637Vr|YaoD+y3Ot{@lwi(EbUH(g_J=A4g!twNsB>L= zwVJ5Z)^ksv;Ao(e4B3*+&u7`*V`b%~s;f^Q;zREaNV#{d+nb=^~ICm6nUZ(yU zsx~?nf-ls1dauw7&}?qkK(52Ls{nZP)y$JQ7RC$SZQl|`TomScO6h*47xyI#{fmSY z3_wv3{>?IN|UN ziViWW3pPe+Q)TC4fM|(alj}ZgckSV zHv@I>dm@R`=Ug#feJU!k5n#3Ls9&tLj~Zyc$V!{1-_`Xe%RiCBney^J8Y|mLRSWIu z!AJta(ekpdrz8>W#nmnW5N&T0zl;Ry~d@TSi@~L_XajP*kVjnHa z*TH2d zgQQv!9Z0$H(0TJe)@+#Z`Hn=~`Mf<2-cqpWvbA32M=`?o`6YjIlg#R?ybDy5_&rqkoKTuOO4tV z2_&rj1>3uF8D{#Y2(!x4SH$E22FXR&pZT0KTk}~02k*J1lShlbzjeCr$uLGy8or(j zHnRQAgAmMkvBwK*38AE+>&~}ct4ksBYOw$|57QPw8tYrih{~OyZri! z?=1Jjg&FOD*3N+!#eXxHsKp8T(ar()BnvTT{N%GxFlu`kp!FAcPI{^*eS|~hw7PKA z=bL|6N61f@+aZg!`G~UI+$wD&9Vc2x`Z#CA$7L$63g31ojJ+)&wa^3lqTTb?NqEK@ zk1VRgDQ6pHo!!DM4-jBSnEKTnD1y6zu+55DY})4NbT8&7aQ8WH{%%?Xm#j>nsOS<< zpq-CHs)}ezW2~7pT6BxsdWE?~22GGDDFSX?=w~x04jDq$=QC20x_`d?`n^PVrNIJ9 zqUPLfg(5QnZ<`A~#FRjBcyyMh$XguEu>2m}B@Cdh{J{B|1a!7>7$xnKCfTAURjT~T z_PhVj$RTVrLCKvj=2p=Av4}q&wnjzj$D38PZWFf{W)eBr-Znhn`BR}}u3kFTR(zyL zui$V4`#q0tO_UmUd`#E>>l*UJgBi%wX znDsrXBq3%dwG>oZV{jZfC322c*qaHV!!!RgsiCw^pmn^h!D9XaRPd95rAV+$&UrZ+(68$~-sj9M&VnzSUokTayi1t&<5kE@& zJy>>5bxiq<1iCyBqcDu1FMQ#PCP7`tY;k_oG{;Oa^^a(LI}$b+mi=EMb5ryTXqq~> zxfWS&sq5C^sXRaY7(L{zPo}8%UFF>~oS|xgsG_M2vn)8SfLWq0ugxy1$cGv|#rc?B zyinu7bm9DUE8SOdpJo4%J?)i?hWnAmhb#G2D8YgA=I+jgA_0rn+9uBPEqsQ!;0ycM z5SRt~LCY&g98&N5ou)^-@xIpj{A0DYZpG3<2_I?t(ysUVQOb$VhCD;#&UlznN&RM^ z{O6ehnGEz@6RXVeXiMz3yre7kVQSe;rc{Np?3Y6do+FYXOu zA+=ijoFzW1qlYYNL;gB`^`xa45i7B2dz!oHfy_&7sEeE{7^bdf^iETU4{3f5ba64C z9GMKynSC`9!c?6tR+wxhDTOP!5OxJ1gOKhgn}>ob&tY9hAed$f0{TAcc4D70lAuu< zaR_=B=$SVW{eJ}l5n*`ylFs;IP^E@hm+4>A& zwexE+f`GCwQp{g#+=Jg%bv3K6mVsPj_f8LdbZuzEa5MFe=wv(+p$wS_cO}5`=>(Bm zoV}FrCj((NcYfw?z_~eB<`2C7#?vgNCLk`0OYBIJ>!;v6 z+~^kXgck2`PE1v5GZX$vKZPCuHq2L4ch0$|GQRJ{Pz;bay#MV*aZ>yueLQ8;_pMHXkQQY1L}g! zjRar`CawNk7+$82dcQLWaPyciGZ>xiQ5Dpynx@T(v|==IPh43JadQG-lpf=S^o(dT zZsGeEJm9F&LLYS>$)@IX3F8*#ZMXBn%DGZ~{sgAcZt=F}f*Tj$Ecewk z=6VsTb#90dir~|3JAxH&#$fOmU_gN%Gus5B{%4uQXu=)Fx}~i}NgFFN9doIm*~<+U zt(I{M=N~IILUQ$508-AYGOpQmnIZic5YL(nW3}_?JuFh0Dg{?!-FoOf>BZlSB~W=ZcIB}mEZhu zp&bN-7S2Hb<;%#|Tgc)uGlik2l4zfvb_T11wSMffw@^@>_ z&0laQjky&}eeMH$jC7+KIa5z{n8wy|L#+;e$TyP{%y)cIMunS|vPT@U;@4r6Fl!;F zRV}Vcw&eV5+G#D3kUb-;D?WpIN(%FeF-f?VHDTePC>op1<^n>wqm1suFXJl!9t zOxgKQfdaS93-28=$3d2MqzZTBW0gi7Ye=5IKwhyja`77?j5S7equgf8z}KYwEssrz zNjbi}qu%#F{%I+J0T!vptEkUuD2P3d5o7osvy%-oPCJm%U2wg=4X)C*X4r0na0yY+LalsE8eg86vYHO}#j)LeSe* zml(hbRAs>6TP$QAy2|B?C!s#DX2JHRB*khTlF?RP=6s*Z=U_*hGTIdC}e zATj1O`C16AW8ze9?qMt9X+i!2OM1ZkAkVsHP_OYY_=;qHMSB9h8O?I;lOOsq!6-t- zH7hZa%UrB=Nd(wS8G>pCm3+JcWK9e)*g}uQ4rw%O|53{n3+;LRf(ym$V;7H|t@SPJ zvz;c7{y@v9O|x8zeko$nDOG3d_;FIfN1kEa<;X7nA^=;$W7gX;G2!RYMw^at5!i@K z^BBj?Qr$@{pZIFn?c(}5s%LN3lsiu5_TO@ZpV0;S&4GHp`-@}c-P7yA-CMT8h;mf_ zCGz%UFEvR0`WCQeU27GqpoD*P!<~sHhMLNBMV_#tQ25D?0Or}kHV*cyi#M;F zg3yfXRh3av{BKg4?f(duG<4)K$82bh&kG50s7ND_#cQDUhtxZA{a~5UDTL#l3GOM~ zsgk9)wty`+uq+oxe>8VgQogWcoN?v7YdUV}Z#I&Fh=+emh(x5|R=-k2EMv>BX^4Zb z%Cw;Gg+Fx18fRwOEQ1-X*W?P-xRBhvo5ygn6fJ*&Sr?^#AO@r8$z(03rf|KhkA{Db za57%V3toV6*oGA947!YNQV4HG~D#hm%w3KF;?hvRHD{brWQ7mB60l$^M`+ehv{ znL6npeMF4sOAnp(2zOZk+M{3df}%0pA5pVDMKFhQ4eU$XRv{r6mKQD*D!C22yJCfa z1*ucNaLmQWEspg)aDuW8=+M<3EgT>u8Y-YmP;r?YAPV`fvbP5ybf7}xcsc82?K}~} zhk38rK6sc6Kch#!~iI1~nhpT0va)#q!de<=NW5ac5&p zvozvOz{iFmBW8MSGfrB(5)8_#TD^8{H*{p!%+T->*$kVU4{_rW3D}a9*z5?B<+dny zz4Y|;FVQS+t&%tRf`qAjtX`V%VPA_XH>JK<1uwLdVbXBW+X z71M)vg69JkFupjN5wup+zYLiIJ=qc)^#ze_Au>rwYIFOjAU4k?X~)X>Ql?J|l2-M& z2f?4VtsOi7W;#0oD?|{dGh2BSg7#5Jk{yQ=M*yq@8c?pXE+(60+vkP6T%)7W?=Y*G z;-BXK&|wx+y!5(L<6%CzOUaOam?sMEmfo1f8Cma`7qG1Hi1Ol=;@VYc*%J(4KYtJ^ zUe|a0_*X0GZ$VA0ll-8|l>0|^6VHcx9`er{8LBr5f%%3^Q%`rXLp6py@?_b^ZX*UG za;W$mJK&0?Qm$Gemyp(}tQ3MZsc*^6_MpbmrepQ|B4g*Gfy_Xu9PMrEE*42QJ)K^c z_~`aDrR~QdD(Q`>rZR_@=QF+{he#WJmqMpnTe7sBn{8gq#f=F0(;hW_M@Zd1ocosk z#-RJ7kGX*iY8|=`=fWaYx%R`OO)~rKW%J_fOt)Lt>mdPB2`9@by3F_Qt|I+AS5VKR z`E3i$2MJQL@(0!qFQ$B|KPwG(`1tuADvVw#1#A&j&xvp-@yWuRdK6ZjgOtilpmP@n>qj9y z0jJ9JW%})~yxy!IlwDn^t^BoGt%|_3ON#|N#Uk)WY|*IJpw(_Toc+szZBg{r1km!J z&DiDId_r1>GC8PeP_np|^?SaJXx6V5nxdugq`%5stRd7>^eV;QIMn~L^+wb8?#94U z=pPK?OW}Zfn4&%+?HBAo`!A z8Wsy_JSs=rX5al-dLJHWc9Uk0+Ydy6 z`-AR$B7YG)_1oN!$q7*E&!P6`?&xBD5H&`}Cue;(eh#wP zX1FsPYOD@by91i%CjNoiey;E8fgJX=D+3~n^aF&P*_ivQD1H7xE$$WoXa~06VZe++ zioX4d^O-!;GO>tR`*R7+=FchHak0s^hd?k*kImmJjgNuJfF6m&4-6y5-%x@*x5pjh zL=tg$2i#7sU7oDPKoJ}h@(ECdfW@T}`52;pt9}kzQr&Pw`ndBK7NHy@eYif`MmCfF zFtW(b1cm+!gbCo?n>bk0Nh-(+{B9*`XY$!;t>;K;O23I#n-xok8EqOPNKCtUk6IXo z_~!WMtC+tO%x89rC7lCj_KoEOjnUW8rCCZ>9!wyR>jrxZ1Fj>0h*~&x^Sh3&b(2uW zawbHgnwbEQwYLZ=co<7O53DvSz`d*v)*}9gN{KL(oSMT zCnk8}71({Aa>6`u_&6O0rFy*^JU*3lW`0)322mj8o`pD*{)2j5cvN_#D|;j$R0eKg zXh>hYj2*XhEqZiMJA_2r79XiGAy7_gf$yGxrOnIqWpMuX-JF{(DZIx4jg(z>=e`fp zUhWEYYWUlcBw9=qzdtw}bhCa4q(7g zB{I;JD)BfR-);@dgw5i+RrDm2O$5gkt%yw7G==5LkXQ1dkrSLi1R?t3D!bxm}bqMVNE=}cU0h2s!;j-ip5 z7~zFRf*avFSt9L7E)2oz=d9e@Cw6xaW`KB_z8G#->$L2cf9&mg^;Sg0new+s!|Y<$ z_@v_Bcuh1Wr^%fT;=V`z4UC0wL^a8QSdNCVq?Yd55q9^f7Rmtgg@~e{gc&!Nxuhdb zNGqZo`>K#);SivZKo#^CDX_YO>QxLQlFSmqrO_DR7sx2bYBwX~uR)i?Ab?{3$^;a| z>rRaM3tE62_&|w{I#WfUQv$3r;OF{<0;oG#lDBbo*r)#hod3tEM2WE4yYfv$Y1*Fi z>C?t*uMB`Hp^vJFu@2FGg4{(##RUeN9@?htlRIr`TLY;{r(OcTSwL+*zh<@8rQU>vI42p7N#~!6RxMCBEUF_AZZ1L5IJu2_(U<+Px(Qi7E;@9s?CM(h{tGu z!uGDe!=BdpP^KSp3xQ64Bm-tBwcl~N?tOv&B2$qJjnqLS3K7^Jz$XQcDC9WgOOYP= zhvXU&KHg-E#QD4Gk1u$f-QhMKNEOz#T7zq%%#P5>GF$k~Sy9yqO-IkPqW24N%rZg`_D%*Hg*|*O8A`YbRBI(*^=M-W0>p!!V!NHR?8B$Vv? zaE6w*WUxRN;BB|kj}5U!{#@ZGtSznht4e@aRFl|>*DsbmPEbrXLbs;EaMXrY?y!-S zKuyY;)n-poT0y5Q{{jEj)X$Qz$hH_RAZ+b~{`z+FAco4x`~9_g>CabdwoKKcXJ)t6 zbN%XD7t-YU;yU*msi>eA9QFO<(?vDu_l93hb`J)ZB`))f!Rw{0K)V%6YNJ$Dugz~Cj%dBn zNbFiIX7VrV*s><;!c0wY&f)RgWtu_64!!acnn`nP$w?U_D)muff0EQCl2hYMOH>1X zVbF}ClEk%sR1BAYGfM)D?=#j3!km@cb)m?r^12xyWj5x^e=-{67A!85m`7%8{0h{P zEBd|U+&!#fSFO}z-l)4Ux*gS2UP6QIp9ZG2l`q&Tzz^`YD1CJCybBlK&H0ek4V1c{ z%;Pky!K&tdelD?T{%iAP28|${hN9JNSjmP%D3xS9EC1 z8DxuB5LTdh11TzTKkxcwa)>&$YGP~R-GSc;k&V;MU?Ljv5Z_X9l0rE*3Mq2xkFtIk z1(n)K{F`TCA+)tciElB3($7uLTMM&C4uDr++W)|Q9fLNmma5(gr+8QrAN4(!CJDN) z(~G1U*NH;BDg*d@D`!~LwJT*dlI|M4RBz!nW+$sB$yDt}w&@=E&fh>;ADipDso6oG z$C1y9nJwA+kfQfqSQR@-huhMcjsEi$&xg_3&|bOzI49dg=Kiu1s$QAfAd?4wd`2>J z&In%$TQHdf2i2kW&IFgFgW@B&bd#jMZ;s#qTcxf11Mp{Ueaj)uLUZg{QqFp|rMY9-L?-S65FnAo2k$lg%@v+Vlu6|G3}k09f$k{OJ!J`~qn=N9&YF zA5FPFexy+Maa3ySM5W9mI1g=hXJ*Cvx3pXs09ghxFgS^)9|OnDeIH(4t-Y=0T~T_z zICqeo{k|BfWxpH5ktH|(h#{5{dw~JId-7%K-wvQurXl!jnzx)SqF z1G%674e4}P+006Ve$*SItQDs_Bo{fWj*zz}d=ZRa>)HuWbVo?}K{jfcNUQ(SdQ9`i z@>QnQO3b8Qxwcjk>jTdtGjV)LYjRQo2j{&$qAKqsNy%pA^&%;n=vR$AiPASM`sHqDqIG2V$5hoq6?7p}8cDLI`llo8gC9#n6PwT8#gFQ^F;L z+<}e(>)WK>YO?WY-(0qH>;V^EHp-w9xy!lGQU018_sqFm?bEY{;)Xrx1hc{>8(DI96M1#k!%@5CU2W5?aE))Jp&^Z)Q z7YgF5uew0ea&LGT_F$IqxXO!(dcJU-1#RCAonE&uRl|bDiLUm)=$;kJzjw6`wu!*} zr57pOiF;dD2l%@Dd3iLy1NF2FwU1(Y?<<0|`JawFVPDv(&8 z3T0oFgeApP921->>>EEr^g2}bkj9}ToSw%HDLa+4%a|x(Eun7JRWucXfB)k9o4%t` z7q>CrEN+b@@z(=3!VkKLxbB>ty_0oMXFqSJhxa3E`jA+s2w)v5NI!@bl)t6f2M5oU zY7mc69AESAN$PKDNq@pp`L(=Uxq@mfE#z>OYjCF7)(e~*dB-rO#mK1EF^AJlWKWJx zj}q7dTzCf9P#AlTXJAjBQ;TM#cYGVOl`oQ>dFoTjweS#ZYKMbSNd?n!i__i`=aDd; z0CzV5@+BE5;^*@x6uGqOPIl0f*oJ0W+&3x%VF_`Y0J&DeH4UGUzEbpSO7WS}JG))_ z9#i4x#F0E`Cxh|u*y zP>c~9{1Dn%Uxy|;V_{t=v0^Te3hSFPHK6QPLhqZ+2(XtPIl8*@baZj4bNmo#Kwqv= z{cCHH$$swM$=tw+?ba|-@4H8*rZJDRL+_wH%~t#^w|P7_zY4UjHFqw{<-LSDwK&1v z)<_gv|4{bUMNX-vdo337nTLYoIYJjFsz8tNv7R_i+Lz-#}M`_A!=3!RY&xJ}d~SGG_PFFoe0$lY*eN<_*!)TJv-lH2j3FC-u{Vgb#Cw$DeSFKw2j zzb)E1h{KB$#q~8}ZDskfX@!`3>}=NM)Ied>hX7~REc0&62V!m{)d_lWya$GB*rzzs z3ef6njrAIP-oWHW`BE9s)R!nNPfZ&!r@1bEz<~u`y*L(H z)~a?gKm40{ur{h&RXz19lO-B)9&>PpQgOwsto)9}q8ab*@ef%%6>kO2S-xkkatmso zLWV;jBIzZM8JMn(%oi_*qg}nF?slcnGa&!z$xEX(DJ=M_lT;i74$g! z$S~tHg$3F-YeofuObfW!XNPTzWgXM%nEd=8=Q_`m(J|j^J z#(7x@TuZcLFyYb}!ZC@!p5&h>*$Wn$tu$Pa=q=az9*cCDaznYfM_cFx=+5@5#xX#7 zhB&W5T@ygV7fi@uWm3AO7=1y={(T&bh+jCgIp%lq7&UCjOw$-v9w6u)OASwg|{hzv$Gjnwe-V8noYa!%-%&k`AA}y^#;;k)-mDR)pi`@U zLcrdmJ6Ns?y4#_EDnmCeq;tG)Hgm{iTUxfE$~(3kUWdj_^Z#3K0L}Vd9ZZyO;|SKO)!|fL+E;{@XtdyZkm$n zMqdxdgHV9ETzFtGvxw>?QR|N(P;3~oL?Ecg*g7@LEQA~!}F6j!7d!0&lVCB zHW%3C)L_s3XMTnaV6v|T#M5+N4-Awe-{}m-Ef`*6-xAkgDwC#>T?H6L!~A5UaK5)9 zM&mpnzgc$F?221KIIz@@tciAwT~MqGd4%bZ z)eg++==TIWvpIl3q}Rc*`tp9bx_ix(QA&Nx712byu6Vn62&g}6&703W*Uh+iYbY8% zh>uPzT9*OR|Ar>Cn`}%uOb)iNOgi8(7tHQ}9p#8FS~re}4w=C&3N_jHEYJheP^7#o z2&7^0LA-wsWcRJVZBEwfP|o3{Rjk?()lcrl=x1Cqk}2$k{$R31G*co?ZrQtG$R6Hr z*!hX7P7!GI)FmaG>KudfErgBzF34@9|IZ9G3xYB00b|+e$=@%jr?ZrEdW+8-gHE#n f-5#))IqUU4?usL~AaF1+5D3$!h6C&c0_^_)fIZ3@ diff --git a/assets/linkerd/linkerd-control-plane-2024.9.3.tgz b/assets/linkerd/linkerd-control-plane-2024.9.3.tgz new file mode 100644 index 0000000000000000000000000000000000000000..062cb0554f0d6f74595fbc20ea89fe470c606fa9 GIT binary patch literal 31572 zcmV)=K!m>^iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PMY4dmFd5D0rUvD{!cNuBBX7anN9!`{vxMNKT>?+tIe<>~q@3 z9f4IKiKtkp04U1bcKW-o{nAhOz5m<&1^pBH!@^Lgfs-T;NyL1y$SPp1g=t|;SV(Ak zO?VtcER~!kL6+c@bWf(3%W#2b$v@r0r`PNCjt&msZ?D&@{_P+2djHfvIC^||bl5-I zAN*6Ve|XUE{S)fl2l92FTu99Ssdr~w)yDl!J~&O8#FDa93|k0ASmK0D!U#*5kdU%2 z&Lss zXyGh#KS?|x!Qdc#8t%7Zl94nfX+((_wgRLq3#DxVakkO@=5+qj6yI#ANNOVrq*;@tLA}VIgj+%+Nu*O zr}-$1*vvw)e+S)`Tx4X3aF!)Bf+f~+Lp$i1N%Oha|0@2Uu;}_eaIE3~z5T(U%K!Ht zA3gB@Pw}}G(+XFyD>@-U4w0DR!Qs*H2{{;ypGHsP13ZYMCr|dr{m0{{2k}ww;2?VX z_^|&ZB60sIj(blBgYm)R(UZqVJ#z54zkj%Y^mK$<6Os~+C9wQKZ_p3=gP?bG+3ybz z2E)T%`1r}e;GnmE_%!Gp4tu@!XJ1jjuTS&(pW`Ga;=TmH)$9Lg|KRcC>iR!=Ja}0D zpW?HFPRSVOi9~wLK}xV2VrvIoPN_gtAdLRw_{H;J%=ipTNn+pys=z6U63hvjV@~lX zAp%K;Mg(O_7Kjl|B?GAgNixe4EQttPtsN8u=!bkncuFJ@==9|UI%R5)2L_}-FPqi=M!~nUR68jvbMBXrdt=n)jrP0(%7bvD8VspY5sx2AesvSzOf#!)R z%agdZgJ>Ehc}$R;5|pvnh))`V1>QlUT%wea7^O^>s-#MGGUdY7PHP8!vp})#-VVY^ zg3iw82Poroj%5K6(5SaKib$sV_UwFqgkC>C76^0F+Cd^C5eU^tFeIl~B2ENLawStB z4TGjgE;1V7#P3&<&M9Zbe)EWkPpgJ{u8^*ch=SMz076P8USNoZ>{uf9e}f5_W?)OOg?euEQ25bE>wW z@2ODx)N?wca)|mpjp8|*poGjx0@FgFF}w}|uR{@=Wh_-a)G{v;!k@Frb5&=EXgX#E zAU*%Lg!C;`8mdw>)v!pa*Gd_HekCbYvx|61p*IA4uQ4bKB;dif7JjXOqy*WgK!+){QFLFLH zPf8uGMlBaa&9P@`oH3fpi$tw&HO_oSxNw6T6Cr5|g1hAce{Jm;NTte_g($u!h*YB@ zc}@^ZlLewxOg}sk$mp@H9W+s_fC|LYRukkQKq|LEvnELq9*=3NRJ({1O(#pe9@R~m z(#aH=P6D;i;5ldUaVqJtfl-=Z4ZW3RoQ)AN#3_20&HhIM;dll!U3DAb!eUe)mf|Ve zFoqV!RPY?sUNp+%2{FxCy5wA|PF=-spk4`MOoc|tSuSZh(Y#i2)s>OrqBxEzAeBtB zYx_=4Im;(gMQdxv%=}%bZ9&0syXlCqfTpN|f$Cy3AB6j157@mEyHeWPLGyli5cc+3 zhByV(jJwB3)Rc!NC>6W8hm_ooXGHCVs;ktV;?0H@QnhNm11kmqzrgS4ET4I7IAgKU z8%~5%HM{d-xuH1cs?`M*jcc;+jkGE*)sD+%RO(TG`RwxN zao*a2?t%@u=t$KmU<*JuQ<5T@{-Ssi05|2-LN(?KjmPV7lqLDZ?j)Sxc%fQmOk5;x zMJas-b15#(oJ*byi8x~t86#JumhSGelhcdiy%3#AG*cx;K*F5HB(_~-V23RllT=c< z09eOqG-X_zKYKAmAAB6KmV|O8KdEuFwOTvqe^?f(IJGYwl|fsHsoe&X%JKQx5d9bR z4QI4f8STHFU#LAqbFC=><{aRR>a~kTWXw2$*)OFU!4Lqb{osvc*F?>|=$c5RI5kSt z-U~Lr9YkkYLe$KIW&L)y!Ddoy1l=g1B$dI0bw>#sb?5y7h#R@2Nq3yE8?z9)h7b}? z*j@`EUF~n@7iz=r*|vR?b73S}q{P0Wn5zOshG@_;V#2Xm_c%eGO%x_c92=MT6^oX%`AGd?KVk z|3&j5ZN73=TLmu4a{Z;k1o4dJsZ?9u$@y!Pr+RzBa@p`K_@x>a_b)h@beH*ZAh$q>U%m~Lxp!74h@RuTV<&i0WZ$q&aaYvTR3lgz37E1I{wQx+=mU9ASg>$NBPVUn}i8DwjVVWk!Vw18o@HPbN z+G!!HuDp|kr#Lw`m8@h_83Wh@>=Jei1t^mY5h0ZjC#DFeh~;v`@-#-5C+7erVri;X z!xnOHPxQk}-D23Idoytdv@~6T)x2y#x(25aa@15xLF{s^D-1`Rh&+*6vJr^PX#{34 z#Wg{F!O@g>EkCstPt=Ro0M=2|J{0Zk2(siF7Uhoy%(+2&3OF6z zr8#_8x@}JZyt|QomTp4zW-^dMzFO{aC6>!NmbZK?`DR1-Yh;=dpA!Y-M*?-lG?y{E zNwsOg*&!T*yD;yq^`tU68pI^iZG~ubgL&F9Bz~>rq|TH^*NiW|CY&?wgED5o-77HZ zT_MKN)h~jjS9?wH%l1D5X7`GX$GRp>!ADQ7_R!hbPGNZ6K{pfxC^82P&Goff<^U;S zlZl#>-(Oyyqbb2L;Ue_GIN+U988pM7_Nw|s&-ppwBP{7GL@${%JENWQptYC4DW;P$ zCE&4?Ad!#9G@@FKw1kxq{?()2_PJJ=aUz&!Ig80C2PHFM69wRVU4Mw$Y&>p*5ra$N zt(#+*5$fr(2?=Fk;tbJ2|7pLdYa>q9);4kh)bADb%}QTi-!K;W*FsxKJpg+x)CLoyJdKI<@_F_16vBIGJVb+j zZ{WBsP30c?F*Ej=C>N5=sBi{n1!2Njo~;Irc8h{%rk; z<2WMcfXwJISDs<;IUSQ|5ha=#Oc}cth5fHE`avWhi$phKX+$y!Urdx&@ij;+v;ZJ= zcZyf=U=Oe;<~dW1R$I4qPiT3>0nnr=0xv+ zx(K>>ae0n*2Zx=*Cy)1x!zCC~E~F{&;y*6__8jf*@Ar-x-+zY_!ZF%CI5;?HEO5?* zoNxkA4iEMRjfGy3mZqRRsMdB=YdVVLj-san z2wm6147ck^O|FT0FwPUZUX8@5#Vsu$8HIu*I1_3$87(eJ5X(sFDXRia@m#yF5+X_5 z@n#N8EW6ZTu>;y<(Lqtdgj&t2`JBu!P1P?CteV=EFmH+aQ|c02n|fMlPrA_-bkK!% zsiX{DUBKvEAwd!nNrA9p10g~`rb==cqBc&F0OxY5CUJx%iQ64O0x$Bk@(Q($!=hTJ zc+pTNCh0=`#d%DnZiBB;G@??9m@eX$mC;|8l=jUlKRi1R9v|)_#pdS3ab+mwf?-lb z-l>@Z-i^e1bHNAXyiOih{nxKiKO8*O4DxJjRF=4dLKyL|kr`RRNKN_?xM9I&s_DAW zWL31BmnE9*JXP!|&$O|%@DPg7DKx$%%gtdW`Nbr`Rhv|!<%_0NQk{2TKu~&R7RPQ=a+To34-07}F%@8_$_D@y20qxR|gqHDAX+<;#jT6%z`VSKCg-&c86V-+xYWJt@!fK}bQEyYWPn8%m zus=KkmCD5DI8joW-jL4EUVf+D9(4bI*|Az+X9gMsX}Jz> z=<*vXr!+MfRrNs2h#I+5>7whD-6SNQkXX$iYfiLuly{H{E!ClSs_4D<4n+2q|@n&8$3@Dp>nEprxZO($MO+k`g=kqI9fbHGZqtV98li?tF^Gha@8G|OC6#yqABJJ zM_UA;6T1482@?t-@=S@U00yd)IpGC(+bFf(Op9NzSS>`k#QM^=x8GJ|E~p|l5^n+N*ldOaL6ktDl-Ps{AX((2 zlt|EG=QyD;IypOiWeuj zQv+@@aBIl*Y`Xw{bBlf@j%mGt-x9LU%3lqT`Y5LU_fB-6XfrhTK~rd ziF`f#oYOf?h~l=u7eFHsPEOG9GtMF+gpMtz>6CD)BMa==Ha+)k0GSfEloUByWLOAL zmfRsY5TZM?6oD#Vf{)691@Eq0uljQ0vG$9LZ#X zut0RIJ#-S?V4>JBXl&{$W6txWIA(}m-~}Qg!Wlu4HZd8APlurs#1#Lw4Bm8zmX`H7 zJ|9|b&RRtwa~)n$9*#j5WOKqfjjhQDTK$rxs^PkIl;s@l{gf<29Ukr<+z*=XU_@$o z;BkTIoqWOaRGwowH6hCGC+hM%^%lB~NGw)V@J{pgAYsw9k{(QCjb@}+vT9_N(MZ8E z$x?*%)(cEFSCgZVBb4B&qy-o6W5ZgVJ3u3V_-2uFD|guus5H;%Ew{TCDv>RC>mO4kF0P*_zi9umbp11=kXXjd}qCA*j*qB{G;DH8PLazxL^m@I1VbGXma?!C? z7wDaS2>%VCARv09&yDoonr8|ZL|ChrI*^(O)nGa&$-?Nus@GJX`x|&|4C?)_q!E&u ziEkz;D4tnJ2vGBgcvg42 zV6Emc*ZZAxsz%=n-Z(SIk+9qGPFO0*J88WNb=(~*bTgG9_RwTw+ zy5VF(h2)fo4)QE(N_nFK4oVR?NrqnOg0LBLB_cvVpwjj942S*3^{0z-!cnAns3?vT zUFiBl^yaOi%J9?KA}|v<(3Ay+vPF=v2~7iy)-*)#c8d2>%^yvmqvDIH$gonUtj?Eb z6OPrEXwDdXKX?sKNU3X%W3`sfFV2gAL=Zw~8k>lb`iY?n-Ns|nMD2NR?EsW1R(zGf zfeucSs)z%CPL{c|#^#WoVX`8*WBY7%q3fK}}pH_kdGN5NoWdk!wDik={$?lO)pzCYeG z%(6H$S2?U@X$Y%C{p5$&YI~|X2*LGPG_7_4`z;S-#$pegIk_g>=?9Qe&Q7;EH}?AM z6kM3*=+x#8%ni_N>&7go`c6?5K)|9u>{YQusjtp^@5m9E$97<*NMS_<=l?DEDZnwa zHY`JniBudjER*rdl~MZX`RfjPp~v6gtR3CVs2)7sEkkd2AX8O%h*M^J2M^&J0~Yd&HrlR?LXcQoL)?Kj zuLc>@c@dyXyyrG$jgd^cJCz3kAP?q%JSdQB9Yn29!v;Y{N`)jiwmjVSHGpU#D+QTm zU8<+&4xp7kkT#(kBfN+dBXJ6*YMx9)tJM&X12M<$L^YTcmF|heHMy|{bLaCw=P?^wBg=`pr(D*5xC8!YAe-t)EzV>n9C8t zRd3LajU4}875GLK2m*BB9VM5{i!}l(Ujd4<^cOa2RY8(^0&{yie!kgt3h-QzLemAVDzBIKvdU2wZczy>IsU@BWaOr}=ZZ#(B71(izb-;}U zED(7YftIOFvPP{L`)ZA431O>YCOcd7sqSOF=V%q0dxC6PkFqVb_?$^WnjjGyfUSn_ zN|UCIk5{GoVT8ZQ(>NhlZn+DhT@F@?$7lp4bOAR*!6u_vM=--FoW@gmZop-3_hS9Jx*xj)6DD#9h|y~d$1^GfWGyLr&1JK= zFvV?h2N_MDy~{X(8t#1HHCYVJ)C;{W&VddLXd6SyGQz?1sFdro)I8PMZY!V{ zNm)dg5s70gaj59s3O1am77HQC%sunR&Gp=mBh~dAb{m7jTlAUNS*2`Gfl~}?tvY2y zykzp(J1XQdP$>=U3Rzv>c@DkZuGusJ3tTNlxA7@Pt{&tj{LM{4vq+5zm89r-4)Qro2N`30oÐv4gOHG?gB? z)_mc}E&`El%N&P%b8?Iv=RReT7nbaoYY0rnf$jUfa;UKqA}LE@h8b4wkE+H7l$;z} zMh>QETqez%j32oH-5r-PBZzRIm|CDH3UJ`{t6S9#;niN7{qZWDOkdS-J+N*Lxk&4) zY8y0kMI{g@%&aOhG`P{naa@>@OMCL=lpud5fs59VW!9XKjDyT)sK9EPUja{0YhBf_ zi>FQ_C{IC5xuVqcEK5s7mSlm?H@dp}ZZWWSqyIQZpYN(hRK!vxth9DE5Y$VY%hx0B zTa9QizVB?KQIrU6P%A1&!k7As&HK7Hb_>b31mHpVy^HYs#mT;_B($Y->~jlipO~=U zmE2ZZtc{{uxx|C?_8`4INN;~+>CL6pO@D<@&dg5Xulfg^WGiqAgHJ=x??@`BuCAI;P$}>r6FkTS4>G|YTP9E&5{upDVsm_VT$|qf@Z_Sk zgJKrt4H;e6WOOK`i!K&|PEv@hNLfs}JL+G%1Man&X>X+-ZA0VSF7Pn{4vGAoY01U; zQsG8qCBf!PGh~%0-`I@hHL7eDQsi8+gm81-r8=su9T?Z!jH=KsVl^Wn^PC!6iD@bW zoW_B4NV`kNbf+j(P^%`PO-TN+$!(m9flaBtobJ@4acHJo&J##)V+Dtdvl)?7k_#Q9 zkwygVmSR$zvwg2s6n@PUyCTmE2tOL(44t$11xsm@%x+&)l10`tt2e=YQvfcyv!E)l z(qR~rx$ao|q>D4!-I?jSG@XPI8LsU0ywQbXGeUJR_3RsFYJb;y44} zto~M<`R(^yV#hO^KVU3N*?V*qh!aR-4~Ul@(!p4giaBF3G7V8hlOhu{LgfVQ>w3Q! z!Agv7V9#)R{bZsX4NS+J;m!y3-JX81x`D>`tVq!h9%3D5Z}Uc)6p=0-v8+^}4@TGr z#R7DcA|f+D@86^FmA)`9EEJgEe)EdhK)*TtN5fNd(S!?YdqFv8x9m6@@uy*+vJ<=7 zhc1)q_IO~sT{b$O`}&?cf12-qa(DG~U;cRc>>`x!2bgR_~HJi zPw~0*lEjyf3*2CVL>@&%2*^HE+>n6&zyJ6D`M+DOONOQ-$>0)7Eyn7Lo-8_STdFBmg}Pq> zt$#m$_44fHcmIrzA$d+JC>*s1hm<+gk0n-O|5ORBm(MTIHCYtd(Kwm0xe1b=60XmV z%^8Ig?jxckN}XaNS%B44smfssp|83qaJ0}dQZw#Mp!N)BZQFp*o|_5vsi;sU!qhSi z{aLj!PX&=H>$J5quI&)2v0IP67TdNCcdf$h5qrl;Ho)qYzAeg%lYTAIO8NC@cOkPz zZJfN@>Gr$|8mEU5wHs;_^p~!_TS7!bJBkI`UR_Kxwsob1#1m4KF-*k1Ze%52oa(f0 z|MyOT-&zS+z5fpm_N(@vLI0@#u>XIOkJ|rtc6QYN=+w(1P#pQUhE^zMLvja1|cw z$+LxTg(+f;$7T+ig;2+&O^9XiT4MAN=p4%GTjs{qY_xV-HeO5p+iz8x-2Guo333Ap zAU0@s2YCcnDTNg736aFnY}SIOcof{^8w%ISJTR4Qm`1TZv=%~j9)63y z6S;OSDsH9$mUCIvV3xbCq%byiQ!zg(fH&4oS75w174=J;5WpB}8YyIS39>v%Owf>M zJ7m?&YIc2sk8_| zDoP++dL<=4kj3VNXyteVLQFw_xizg}J1cAqWRX3ny%e?r;?H>(`fZXTHkY%~aBK+6>R461@;8T9T2tGQ zV?tXuBFZrH&1v(2*C=#9{s@fBo^enj%JSLjsR7H+S$O81rJY=>y2Jv6%w-mOX%%;9 z(8wjsTTZQ4VEt~SJ{hE*Zg<P%^#H}kU`no4ngxx?v+)>2c=VE`WWB(rjliE%=v#R* z6TP|6E)HAtD2l=PJWkcz5t98Vct!p%-|9j`@mcVQNFdozMK&;m5FG6 zsW1I2AuGQUw`~6eOLBu3p&^Z?6W>v>c|X+JI^kL59yCk8TgE~97W8%7WQD`xEDOs* zk`k{1HXhoL^xrij_EtbKxGs%=$w6KjGW8~7u^uk%aB|NlM7D~fM56cs4ya{#aF&T> zm|~J8Y%zm77nUMygj!pm%TO#|i4F5}&4OFASj)?9%?iDjzFoRZm-R+NdrK?wp6J?m zbP9U9LSmUW(vW?mF7Q#7d*ZglG&r@Fkx_GP-(T-HIJ}opq21n1sI^YnNQv%(yRmBP zV&2Ga_~+!__wP_P-B>t{AxTZM+jzAbcT?B#UC%UV8uV?=feV`0$aDSYnk={6>WvTj z7QE+{qr2U@e;D|W#3f4Xq1MZvh(Ubrpvy1lvqk*xM>_v^&^zoORL}n%JwAMh|NRu7 zTgCs{C!2?23Hjhl+18gLG7^E$1biw+yn@SIMafRNeJ8=S@|wr$aZ(Bhz*299=t=L% z5&V>xPl!A(9@e7rwweRMl;Aia;=!?Y>&Xz=X<+PDzthQ3iD`J43|}f|s0E+sNpWzn zUz-!9qIZ}ZPUn7@6~7x6@wC^#BA)i{J`En&#P5Pln8AYdF>BaFsc7RNmU9-LQo(b$ z?D(5Jo@n=VF_#(&l;)L2vHE<-gGhRZ88yT2UZ;4DX`;rf6pBzB+7Gk(FoorsnlMq% zY5m;m@$LJ(a?A)K(Ih9Nd`4c!-1ujYRT(di@ZAEr(_%l+G;X7I;Wui-QRB7s9fj>8 zkj^7@Lnt?x%5UJ>#AolQO*+~}JyRRjP|9T0Exz=6=e;685Bh{o6s4SqQb75;1>|!S z>)|~ZjjwP8a48J$OhRxHU zvD$W%q4dKVGfi)M>loHbbuFt8WZ@I}%%ndW`U`v);-b-C!b<};{00khj^z}!o6{w< z_kd_I#e>5mk&MIk&<5PLr=C;*lsZ0R@o`acU8g^(cDm`h+N~4jO7noG zBbKLDupgo}PLd!`y?_Q1x9wCeEr;7Kh`TI_Qe7(rY*OvcYiZpWZN?xQhR3qFM!-Bz zC7qFz1Ph^>Rg7u%jb@_g1Nt>*(koY+3>9|ZCH!^?XDZ!gyWA^Up1((RbZbCCR&UF2 zR|2aD5M|k|CbO+TX>*91ac;(_rX!{);bOR)hKdk_l^obKdqQ}#vN;t{YBob^9UUn7 zEoU>A0IaRA9Nz+3#^N)*x|NP6+Nk}c_vEPar1!Mfd2(>D-+2oEJbl_z{~W1*9=Eqa zz;X%TPpzx)1V>ZyI?V-%O(O3$Y9ETNfEtFh8s^hp6{yLjr9PK%!Ay)&LSmgZJc>vr z?QIoEay1vC4n*GG5ES9`kwly%3&c_+r&uD!=>#TLIx)9Z6s%Nh>^AZ%G%vpDZqY`= zeBJ0M*4u7oz1wtMgfl#%36)ey)Vnc_Bx=W;Wo>hsr+xhVd3$fK#tf8}(lCE@^4<#? zlL+&oQm~4f7R$@AJk15qIT_P;XqS_WV2K{1Hfry!;8Ov@d{Rnu-n5kjD8O;dzaBb+ zxOrMghee{uuh(o60SdIOBbW|?JezPFL!FWxjmf>G>5`Z+= znB$r110>nM36?gg;{~$Ka5V^r>Ji83gsg21j$^8x;pCW4M7aqde%u!#@-8Es!hIsQ zM^!oHw6;yp()m_|sq!95lFo;95pg^8l@@q{WFbKY>s!7N<`qr33+|?YsBINaq~tgv z?G;EM2}-lpf2Lmj_SaP9NPpB~{*Flhkv#*{ z&GbEo-gB_SD?!YAtRz;7lT(u5MRBW9&nvOvaEB!#_rmf`N&bM?7qA=oCmvw!?dY0Oikjkp=D#jp4lyfQ5TT?3Lz4slh@lyaX#1C z2FhKiJ&~`pLE%)h%B4bhL*9$eBmdq>Z1d#;@20k;(m<)q?PY)!s6NWhzbV=GxZnQ? zH|)o^+_0O6>ChwkfA8NTk_du+`|Zte_*VUbP8&Xb`m|R9Tk#QXVa*Ga8gXZWTp*o=s!#FW zy`erk_29}x1lMHob<=2dO^%#p^&-NhSY9*YvfQ=C5NM3qqHYR&Y2H*i)>#AZ-wt>y z>!h;<5CQFHZa!Y+!_if0m*1eGVhXd z^Lv$jmmtYp;RZbSEHA4{4MJCg%-5v3)EC|-5sO`vdqMJQ)78`7_NJ?Pm4;5KS8Ni# zYZ1Qa6U)$z!+9I4Wo^JewYc3tfEUYHs8y)yS1yb#FC?qp4IQcavLW&L&4BZfflN-DcNLS+S8Faux^yR5 z&h%EWJWnjO6cT7WgUKq`3mLj7j=ZL_vR z`MGmB+~%_`|HqVIE=L5*J6r+2=KkM<{{EnP|KFg0@R0xGQ+(>I#uygAR|Efzn&5#s zMrYH6d~c@&diBlm2|T`^Y+H6Nx;b~h2Q)wXMSmaTqVJEE4eJju2t|gfhTKz4?c5}h z)z%lEE$ztr%3Zfv9$KG_FK(nZTrRHrnyw|h=X)e?wY0X%GxGd)ZFIOdgJuk_^^3@(3}ilNqU9bO}2HUZjrlS8NL4C zp-l|vC9-a9Lr0Cr*&Exr{Fpx4;;24a=EB_Q$UfTo*nYpaX=ArJzh8yA!iT-u<+{e{ zy4nlTvm@D8z)Rt3H^n&lUjTsRjtmMM;%C?(X!)|RCS#c5qEkB#kA5`Y)lC`r2 z^@>9g_kz3}B&&P9?eMp&Z?-wMUa!3A8Jy;tn?)$rhqZix@{GtS$;E4)RJ%gqDGCHR zPs+iJMa?EGCW3Yy#Hp0ou-h%3+Qk&i=|4g-kHV$lq{FAZr@aQm%`>V=cxn#QN85xA zHNdKDked*=lIO099YT%qL#QE!2yGrmgx19pq3z>|&~0Oi&@JMMR`m2X@kMCuhPPzP zd$8a9$v*4sKQ8+I_U_+x_MiP;zgPAD_Itet`_HHN_=cS`Gu924KNPOsx;tQFAIWk% zP_x+Kj(*(2!0uK3GVCqQKCbd@e*RULC3h9Xzi_yFwBoDMT5|hsYX@Eac>3e+obWyL ziU`SRB$1p_VM7~@v8%ANh3JBi)(!+?i($7rp>mp!R2yCBsQEkSQXz68x=;6y9*Z^a!5}*DJ+w=H zt%nWkm!XKJWab%tDeKBawD*7zyCEoEwf#mAXcT{*{or04d$vy_F2jt>6!G?oeolVP zDJL;%pF?9%#@U?4+8*m>knVL95iaQ%5{$N&j=niAe*Wx*Y1|$(2Rv6@pu z^dVT1FyJ_iri_bX=zaQXv*4DO82$Og(J$`iBCm%wxazLy9;+vJy2r{b?T>!>;U9Z0 z+{d+M_cj;aZ*gzc{oPshz)kKngTBC9t6YbByNy-qzoaXxiUV;U^S&yJRa8ACW^FEi(nQ&}yaMN=U-VKk0^>9yK|;qw&Cdob)+T7nJ~u^| zfQ%9rT?gWt+yoGqrK+re3dJw3$<47XyacYcg|C353zTc$DN}iX0wswBIHTq|m|ru| zM1aXF6zWocJHJ>7WR!Cu*Ms>+6>jbw7RJZ4wN+iT-IaN!D2Z2G^i`tXz_xIH~%E=)Iw*8d(K~QgLN*=EBBSRWeXENDfxKh|SHT+W1e2%O0t9;+zvirDkeo0~K&-s3+`< z8IK6Me14%X6!p-VGizVct)a$!fBF34$FyNEKEVy7zmHpHKT3AU-+3a}re$=;EUrkh zLT0)}7T2Y8&G0pxQ$$QoJqB#2mk$K(3WlhBq>nYynG$Vq3N6W$a4aOk=|Th2bbxe+ zri7Ed?U(lNIgRWeHH~RSeqWNqblI-HS;Eog+JV_<54B&pQ5}v3SN(DjC212C$m{ z_j^Z=Yx(~U400d$w|`*g#R%J(kde33YZOhP`fhujZg31vt2KRao-_k z%@H7WRFcmgfa`kp!iJc^?vy1>;g*0QJK!@ooAL9{a+Y~z|I*(QZMpigCfpk9vN75W?QNO>0Pa0M=UV%pap(U6 z`_t{RK(4j_^$sfbzro;e@L>P@6rYMn`fh>F%vgV(l#k{4c8eqIH2`16`Oi(SINLCH z;ubfhbx_-!8dYOcSk;;?J?kL2da#4qH=AP0SiA(%5)k0?5^z|ngW5PVcORC37UwK| z`UTNHV@zf&wZDYKl8o~Ne&3==WqL-YQ1zll&eC7l2#UbpjSzjF43~e@CA4+w$yz(s zC!q8bX|~(jU4ysjaBPyQ^X`c-S2zCNGKPGibLD=LV%nq}f0;5N(eP`Oahl3;#d_je zAO4F7#XM>+>0F({0xLKZl3tKxd_gBEiBAZZ1_eYe@0kE*c(jN1j}AS%)2<&=XTszR zcAJb$H((FlI(1$}<}2UYazYbqPFY%u zST#jP)LHH7Kp?;6dCIe!6#H(x1+NOL=Lk#&Oc;!s+-7j)GV z{4Hm*y-f;vi@P>KYjM)cfLOa;M7RuQIK>mfi|DE#!oircStWFOHLzNai;W1;t=Wtm z!?HJ|%7?r>|HdDLRk@J0R@%l_d*{_junS#JL`iM_w9JcQ-x z_;Irlme%mSq$FGc@gDOMuEO#sOitLa^M4U33cpZU@?Pvnzq@pWwO0ON@&!gy5?zaY z*40Ys&|hb}V9!E-3GEfu;Wt>2b1bK*z0~v9-UGVD6b}xML_RAgBKgB7CuAA^H79}2 zv4h%A4i5I)D~f-rT!xMM%|k}Rhm3~zl+mzB@LGZOmU#^~P9{@-73#!oUs8UVgMPxlnM6i|Mv|+Jj5=UyxFIOQ=_83aNftWY3zmp+I-w~TFA;?l zFa$t6r+Z63*k zgMAPDN?1)9B@b(rKYvEa!z~8qQ>T?IVZUQ;$tAEJ5==fMnCv?Dwf*SDS$VvDI>{Qu zrgy8s>Nu1Nl+rUhfl9ODcb@xh>y&qpnvN65DyMoxu+#yR3}w0Wv*GE)kvDjO*cgiBj2pqFwO4u;N&0Vvo`)q zWOvB?sXuG-e;)21Rr0^}ANP+Q^1pqOPgw^x-1p+VmiF^R&kuC2<_9{zIIpE6aV!@? zI14^~VdQOXc-{UuTRHz*1KTokd*~8j;v}2mO5_fhT1ae!dw@SgZR6UtUi$WS8BRXU zsW-!73!g<@pN#*CMAx%J6dPJjw`y~TQCRcUuwW5~04 zXG;-xFa(FC`(?!cSKeif_+-e&wfET%tuRN=!t4q8K zMrydKonBZaZ-rYw!|8;${4z6|4pG0?vtElCeg}r~r%#{WibRoTSwghq$;54MM9JEw zc%=4yT8|D7_YWIMwKZ0hcCqe$uYTF2dIkp1DgeJ=wVhH9KeWo;GEQJ6CPAj-0LAPk zy}>*_K0niM^*t0Ml|KRKlLXTlYz`ZrVb+@goSI!BkBjVMdeB%d90j-@0#1*f7Oa&$8#DH`Q8 zQG6d|IJ(9YBEr@Vx|~u0A{;pF#FQinnj~zbtu!>9bRborq;mqn7T$B5#;qNck_oUn zw3~sAnZ%lt|MOmml)8Xe3N;l;O7c*Po`kLN^y23W$vA2K`1hC3UR|`5Myhx|`sw5X z#gvOyIH9r&|LRt>!qGo?7yh*mrjxGv$Nm)av|9n$Iwr*c8sX?V&yZ3NMeD0j++?k< z!V$i1eHF@C*81xIYVDw(FsCdR=YK1f=xU0)?_RH^z!!)n|SI>@5UpxzE z@x9`ku{5h9_kB z)mP}hSuBNw{jaUo&JOxpPNQoG1ArlmS(Jk+4$^1qKUj_;oFbm5E&(x1;Q~T0zQl%= z(-dLF-_>_ER>RNIScK?;z+H>2Hx|TqL_&D_g~Cf>^j%J4^7hR{KMsU`{1y_jPuWe_ zYJJN%nyH;AVzZ2ssnVV1q)cuH>2|=Bl2d{#zE;d4@%D|Auhp**T7S+7Og2HK?_KAy zP;-&XR!bifMKl!>Cy63jsvQsBc2EX_rF{!XuY4$1w&2Z_M$?vdmk4Cbp1eBM_qW0? z=c^EC%-Kvo%Q;s%3V^W-qlxz7)=9!89YX}ZXtgRAQW^wmbnIBTONE3PlsrRNyZsSP zqbcJp52Rk$I7Rx}Kp&g#cPa(CCJTr+5(J`?lpHaF*rGX&N!*eQeNU1Z8ZDrSxgZ?v z=4nE&ji8YW-Ooj5+8(|_C(qAxXR3MGnvj%mg{Y+c@Vov zI|#Dg^bg0onYo<2J0N-VBL*P;ykj_&TMMmlOza?@g|5|CQQ2_$Gx z@=vnppb=AZ)9YO5Pd7sKUKMDD7idIUG2wJhVm&ozYOf+FEC(Ta_Kpe|!jogP>m%7K z&x)_Un&m=%^%X=q>s5Q@4!T@9h@eHq#e{B(7P$&rXALwrVbDn|t~AtE9jb2oRfxV( zeN>!87E_idF(RsQHZ-lYH9Zn7y8w&J>Cjn<7>@~81Cy({k!ldSe>!gdyZE^gv0$tS zdgUTLY$mOfrl;2nx)lZv6x1T9Ir4qS_KYWJrvQD%*fZZ3{h8VGBxr* zA|g(~g^H-KJ@m${h0+@3##7Ro0LyKh=waW^_0oC@blr4P77PNJh#=wwnt>D1-N8Z1 zBnem=$SGCYIp%T^c)5HO#|{Kba#(G9VXO6$!5YRc3K2L(WgV#bJR<1X$?3&$>6PY( z$1x};rpF%%&15*qn4psJMXPnDec3VGl?$7T>dAyih^P+)z9tS~0=RB1>|RfC2pVoJA+s6AcDO==er!`9SN z3^gq8vty**`e7cbvcdzcKl3*zVs|ga0HNP32ZVQiuPXL)O%}pTqY;Vi49Yl(2z05? z5lx+zDy&`!JR^v_%cwq*h+;Lhlth>d&F+1^jOq-+>mO*cUA~QyCkj&675~{nCaM>veQTvpnyG?QvgRWMIBtfVuQ*-F=B0hMe-a0C)Qg2qGu z278$1YOalk3p`7%KC|Q-=-5{?GGlzvjj|jibf)AOoW?D4ZWV4}GdrFBsW1{UJUf+U+VOUucP!0t_o=VI&nOv7zbRwpQ##d;Z;0Z)`dyC(W zkQrdbjL18zxL}olKg6O8#+J-Mw>%h|t=OF%rK}*D&RH@iajW$eI+>E_8nIk@Ta6Kz zK#9c?z4?yH@AHvUIRr7?7)`x8Z$R*!VG2w;p+Xiaih3p9cF>!c%t^wsq9Bm% z7mdmMt(MB);521Mijx2`R!Tjm8Suq^rIK)$*-U z*KJriCi7NVfn3r)wZ7(*+!PHngSjChDBLprs_P89UHIuI>vIEDfHhD2UW57j%y}Ap z(L<|-W%bgmcwt0rPP{7@t!ipiSv27|g>9_mnSDxDA2cRd=3FTzKT5@5$9WoQgN0Ug zP!Z)Pr<~=JX{+#xhGv}^QaBMA1Fxgf`E^SOj;3H8hC?dED0FI#6kvvG#s28qsfI1& zW^pj5|0rbO6|=58O4z77!!+&A=|8&AUBdAV^~f1W_gY_}7kMJ7QP4{GX5Nc!5&Lzk z6qMeTNV()VqUoeW#V?plw#Tn)RWX~V9!@pqUTM(=7*VTLn2Ltz>R-R^hl4@b3wl?r z)(7;;$>-<;To;W#Aa~HW^&#*+A4-4Jx7G*P#)jQ)7kmYsyIf=nojJb&-wIXABClf&N<_6jSo_y0Q~iWKAR)P$s2|W(+q?=B7U86Qg+BOp zv(uLs$W(%BcZ{a$fi$5=q71a(3*o=+lTN?a3y%)qN59wUKOThrBmHa8=|5G!p6H)P zopIdj4Ts$)Km{!RayAIPsPyVKCR!BREC*`2W`vI!pOH8;ULUO`*$822QdejmpzB-E zTCDf0BBG42M)sk@Ya!<6&!RPH^ANocRDPU^Ht~MI!>KW#EM${@&i%0dC zcT>d%_^aXW9}rD}mcBy#0>7iPeCBB_8HN5=sL%?%*-gf4HQ zA;hiYlY)JgQlHdQDEqT-1(X>PQxbnKWi~j0jN#{;NjA#I;WZ)I&sbpz?H!t-sDba@ z2Yf?(9sK@%K);#Ng#1in*iY>441SB%z{}}NHtFGNoMD47a6xoR0-nQut;9d=rd4y% z1sfuBpOOz2WV(6-%v*st%RxYbawahv_?k@aB!v#dNBhobnO>%YU8rjTu~hMSx1C}E zJ8mJO%?IIr*n^$L7ry5G@E|msnihTRovarL)j3qEZLkuO@qa2jr8-Fa_X!t`dz%rj z|JsbM@HGjq@1b$Disy$X!s_X0qC{*Z#-?6Vz8}2KCLG62Q|TDCMAbo5%Uec6P#vC% z41;Om`^(Go?f~Tg#maxhv7&|~b5@ele`!9e1g+<*rcoZHS$W>o4X-0F|Q_?(UjKrLfFnD%DP*bB8BylItK0khh* zcWqIKyiFu%-*TgZWxUL7$J-lh>=kK1o9WxbcDvKo)_3(C_WHkTD}qKxh4u?tPF9U} z(C1F9Si1zbaSAlZ=ymrZ+65o+UWm@5a~nISveA-^b{sB6sGHP)@CQ=JY7Jp9TOcpv zHc4q3I*`MRZgClsSLd{xy9a7OjQ zMI#;mq_$2emGGy-x!yo_3N*^2Ya$W2dckQ1@}xb^RgR?dtc-;S*wq9E6Q(VV^Zo$r zRk@@|cbu>r!(Y0F01{5vUb(5;iiNJ?*5b~Fi9hNa4<@$SP>O4{V6qY%Tcd!L z<2C($zf?Sa4NC_~AjQJ(XT1Wvy4|&Ekkx2o{nPQHGOMhqW*+TlU2I`^rnYuM zAgYeL&_O05Q=>U2&J1ftUGKv8z-IpV+@+>L*LO_w4x9=wDaxXdQOk9M^hGKrjz+IB zcrq_M9oD%0lT9EOnuKo0am*W*l6p)8h~0&7P|HH6O>tOCGRvfwC9Z73A3-47*|`^s zYD0PjBJVOd3TkXx+Fu7rAN{xHnZg6g zp?aycK(}s^Mc6zdS|q+G=L>7#_a@K`;c9L%>jS8dlj6Awe>36)j@xcJ6Y9`)eWAzg z*PI9&V@#zW$#_{e8b8zUpnss%-Z#VHTm9=+{g*VEH^I1BHf`=+!NV)WIJ){pu=GlA zO!bB>LsK(#YO7b1opVE=Mm(r`;o1!z>|7LK|n>e!{e_A`5c4i?AOF9m)O18%8L%Y&2@?yY7Z zFIY+q)3xR>QuF)S_5Ey#CVuYVRL#^TYHB&MraKh9i3X?U^fB-MOm#-L<^$FGtrwY4 zexTiG|EZk`4i)&()OX83+-335hG&Jsua7c=*kOIcHYUB&wtDY51%GMxaW*4zN^*gI zgbV%{M{kNgEoN!v3I@y+3}Z6a^VL4-;*558X1cBtEh5GVgQMZyc|R=R?o~-owsevz z-fimE=9A8`cP~>Z#u7KrBN1_&kuzhoZe~&LEw-aPBa+joWG@6baWnYKRSfXVyu@Qk zd~1cS3SvYWH$c_`>I=$w=?Ch&2=dV$o>Zl!i_@q9~aq8l-)?hZ|HVNt5;dJd@gS0jrTQuI)MW*gObV8k; zO}b<&N;d5pJ@>Zg4_)CNI>BIG-tybvZfLe=DlqplH{dca)Wj>Fn)1vL?lxbg2c}FG z#p;YIg;JkQQDrtw!bXpCQKiRb1VpRz{pLYczXhafrv)A0Qex)Yg7rfSI$&YPoKsLeU7I+io zBhKmWjtg52A{>CiqNoY5e_A@QgTBoYXjshKb%(A5^9WWyoRX@xOk+{B1KGk1Q(=d2 zEJB|IHCAmmNiRVGDOe4hAT{I|Myz(Y;*jN)J{5I^u8BT9;cC=q1DP?1DOVJler9Qj zxYEM-Jmajp>{dg()ZyxLxoc8We?BRvYqHanBZy@*efBQnM8E-*_VCU7_BC0whwXZz zb{x+r6bsA@675dg+ArF}_Dd$u(srk_0?X5QTIopr5y=e#6Xn`Db zcY7o>sCF|(gNM5a(W@7?y>DY4&Ycxar_%j>N+mVgOJYg&?VnXHY3`*B1rzIyG*CYB zx?MeFcM?%5ptqG#N>|2xL#EUMc0_nKa0+%u9ghFzHXCkC=((G6{oVjzF(m9vq4FtHdRFEi#2%j8|V)zNe z{2-KY6=r=CT_f^+QA2Kfa7?+72JJ1dCXK7nRc+Vodau(w&ScF$l@XGUwU6Tv~H^d^1Gz&F>QDaxw z?%g<5@QLDMa12(%Fb7SOh27pq3&dHjkF)1l(TzYxh@OR$5YaIzY}r(xNBzTIZ}zBz zbVCaA27W7>ZfE!Vy7``V-4iyjPlq}i<;t8%hBK)tLs$BW#w)Xg1%%|pAwoaGIsBnU zPzK*=#@a#lbacJEebG=SCg}n|<}sCRzv<@Gh-o@!l0_^zC6Yw4nB_I8@9(N*CE?v2 zFfl6`;Gh@)!LbqpjOi`XTnLW@ja@1Nz5YiFmsC%mTfhj;Qo~sQJ%?)KyQ?xk8U6N_ z{JS>5oJBFr*xaikmizy!yQ5b9QkDju`ss3oR`Fa+a~ZRn)W#;Pi!*?_j|A!pQ_-AH zAg;bcFro2nj>*#4Br__!-?|rhp5E$!tfpoQ4>erHx!fxa#8d&_$^8rv8@<3DhOPa~ z>!9lO7U~evPzi?vIQ@2<(D|Am2uO!n3xqg7d-1Dy9l#MjLz3H8qU)61BqW{?$iHe?j-}27jzQX#8ignN?UL|~-b|ESQm{E& z_jGwkBtt|YYwgad~p?kx(b#)FzQQ!O@hwPL)K~NX^sU3R=uwk5iNb1c$!J zQNf8&`xh06%qb|!g@B?^d!&`35-M_W!zKOgVZYaDm)-0(JHYc2C_Au_OjkibrLZ}l zge}f`FAIolTGt7isCn@{!7&`XLRV}&)-@>zjvScdRhx~+?Ly84#Y~m#XzrA8GKauz zhXOh?VUr0YmAkw=SK_q75&9q;j!vnJNn;B2Neow+U`c1@pdR==?N$ROloBY2foDoG zVJSf(ACGB7O;mZp%EbKDqu7Oxz(T@_VBV=nhzJeK9oGGH58N0~ zfBx&&s2>iV>HuFIUe!S+C{3w7I=%6;chm)s6fxY8UP8DS6sV)G7S%U&m(Q;qb`GCB z?(FaPjyeYi2M3+QgZ)A0X#erk&eQ!~uhZ`j`hC4Q88H*=Tw|mm>MKN1fG%EKo}*n2 zZO@z@47Ab_pcnsf@wew_S0Smr`wl0BW3;P~*Iu48At#(bZADnEz$+3{fp!(WwRg`F zEF_IC2R4gXBad6?gfzw}zyTyYD$sb@j$)i>=xD?y&VaLYD4*w#3Gp-{CfUpTmEv%@5XE zsO4WL=pOW+_I1#-dJN|*mPuq)NLKszVS#>a?}*$An%&nuXb1b+da7S+1t!{Y53;2%?`=+_u>agx_oy}uAS-A8^fR0E3J#=>cx zsTA#0f&Q_A-qtqj{-fL0H}>vfY-^i!AMt9-8e-M$?>LUgIpLJW4G7>Z%Jgfs6esGz zI8O{<3q=$@HoIs@f-^yc^%Sf;I{c5l#53!CdZ?syb~s4EGd(bTvq0d2DApeSL+ z7OxsM!!%XDmTWm-0M0WVjyuLQ$vL^4av~rVa1oF@=v9_wsbT{csaPzR)zn?LDgYSj zW_B!t8Zq$L5c`%07$ zEHtQz(zEOwF{8~%MCjaR$-6lF?(*5I7f8@as$^re|9P@7q##t%PCBucmf{fBm7N5X z`E%7Y&^W8!Jf~w4Euw@VaDi-mZc1+^-q#?pkOF|z-6>wdgNkDcmHZA#nGA0tF2DVE z**t<8`U0%wo5{i9(c{j+;n9;O37&fUvd-{*O*1s77|~2>3!EpOTS$A2BslZumNYPb zGrt27+Zo#+EzlZ^TQ$356T&+i;i^a~HZu=ZgEj7|Js*Szq1Mi7mbi^Tn=XFA;%asg zGQp8HO8$g7#d`N}LjwDUHHO;D16&#do0us?Cpu5DV#_{JIt3!nQ$#4F7^W$Dl#b;i z9cF_bY4nfKjKxH|Zqzr8(MqkF;pI|iS5XGYB#&%+Dfa5VtFkky`8kQY;$uB8z8J3_7ezp4urnn%<(416x+d|JLtszJ%9vwGiLRKgpPi;F`+*( zPOLg~u-f1)ya$LlFhs!N#)lNz01$)#X458Z0Dc7FCYKDQY?G(3;_13_d~|f!B6c$%t==iE${Pk&z@(?a{yz4=nnna|>5RoX+J=~9}~ z{ag8ymSp+6Ig_q!xt%BJpWl;I>EO-pxolakZG2@vllzb3cG{G5v)Y*@iXrVt#%UEf z7O;%mlNc?{rm2pbC;7GNnwvMy=B=ePQx=giIRj=ZcZLx;$1y_*HPgmX$pl_9p4a8& z^&WFJpH}J3BN$||m!@y4;h0$bS)L+^G>6o)t^)%H`Gh%`a^<&>bDAk970xUqn!_UU zHC34?w7x=FBewm#>Jhr}XoGz3QJHu@61w~h&l7;sf?wAY$xKP%J`t(ZgXH zl{Uh@e+?bc&e1BMtggG?b;*+emIfrZx+E-d5*LYt=_Qx!u*`@Ev;UwmbT!RvAL~=G zku`vEiYl9R9IJ(8y{k4@OZ%G``mdMvIeh>Wj3jBY2j^kzMe_k2u@&7xW zN-tRE) zcbNBook_XFyx(Eo?=bIonD;x(`|V-gYm`rsf`LEbyUBIhF(#;cOHr`$(IhlQEyMM@x~Z*la|$IvxO@ie)2 zrD3E2m8o=K1wR$t-2gxX=uXKB!k>%Y&M0L8mHVJ0nv0tY?*Y_;C|9*p5$T!ooq>1m zmlQAFGT7%n=pKD77^0{5JbEe}7mJH(xvZ=y&UR+QhpH#y$=pEZzWsc-_y5O3AYAk zRsZqI30H=~qG=ks3aQm8R3=Hx-Y6)-3TH30oEdwn8eOfle0{05Ije@2lBh;KHanul z6=>*8*~$Al{O7E`nxP{-3M#4TjL>~%ZKeg4MtaMYsaVwO@Xt=OGn|}-fkQWlOmUzp zH^iKI7WuDV|6v$f5rXa#*-Q7c%cxlYJKbIqH01=j33a)!CW922KVCbg^NNIxF~QuL~LWo?sbT8CrVDj7kZxZzM1gl z#XKS(Z2=7C&l zbl(Nvh%Q$Tu z5y4I0oXxZmygAoC%f*-ORy{=a!Rh4k3)PyN6O>xlL%J`vfCRTzo!Hfkh_(=K2;S09 ztkCa0SN@8RUj7RWDBEB`pS0M{@X2dIh5T=KdpY^vZ69@Z@_#E23_amp*#|crBQvr0 zPt<+2&+a_NHlBL@pG@%9`FJ{**zsMwK^dF( zf495a|8M8nwEwS!x6r*E*S;1~(f{2}H)sFr9(Ip*{lAsx;Q_d4<^>2OHv>cLTC$f- zU_Cw>Va{e_01!rKhN1|$XUvW@aTds3`Cc&RceBLn!5u@czyZx-(IcFsF-6fbvB=Q# zhrAFeUjmT73z>eg=ux8&IPc8;uFma9z>(g;<6}Yy0D0-L4~BvAnlE^LrHqE6$Hc(4EpT*P|27^vZ>8Lm-7Nyft3Ay{p!$Z2 z{hUxKX0xH|@?`+JuFR2>(=8@?eQ_uJ7 z)!a}b0>4Fs&@7494-dF8#Unf?<6sa)I5PJ51t1jMco7cxg#>xuDU9$nB27RrxJ@qm z@$_CWgTC)w`z#(0F*2bw_+A>_AxG}29lTt^z)d&wW*n`MX=H-kB&1;gMfEqL`!=5;lY;I65e=$`}oNEJgLwZl(&DhXJh#vpqMtDm4cgBE(BHfpI%}A zchouD`G0Ta(axYk9}AUx=G0V3R6Hx@A#F29#HWZ>u>NRRiga6jB7AsA)!#`wB$qSH zoT@0jqNX(rh^9%g`2~ov@Pem@S9HhhBP9EZ9@kiq#{|e=K$j25{c%{FX#;?~8ZOms z(SzQ}Xv9oQ&>aW<{UyfnYtKhKrfK4Am&V@j0~W?!z7wJIvkBi36s741a;T&fkk7nW z?z|@gO$tB@)h3`EM=j7=k*MW+*M+ONnlS~VIpMi1%g1wzhuSryv8k-VQydGXu#>qN z#6+FU9H%15E8J2o=(-WBZ{D1eCm}MNxNan=tSeDX{t5iH!ZDK8GuDVcL27Xl`~2eO zSP(ZmHv6yNr5kE9n^UIwFmv1Oe!uf`A(hmpvUc)FjDq@A<>~9zR7w4`ineX`U%%Js zwae<+@Bf_tuGUb5C9ULDhJckD%fI4&VDt4KyC~VdJ&*mTlaK$|?R9#)^?xgmy8dU( zzOs)~YkTT+P-1OYVp^}Ww*S?p(4YF*c>ePP6u;(b!62w111j~uFOTx`|M+NU|Jlm3 z&i>28^B43cGz+`cXglEwWM0Uy>daVNi0&_jPPnp?>)#I#w%i9WLWmy56@nZGwThg$ zUY;k$#7*HBCoB+6wcM{Mjc0pK{sqN)Rd{|+n1~GoBy9#6jSo=$?=RgiL)6IUFST1ki853}&&(G`4gPKJy}U3w__Z_5v$}@xrix zDd|`=X*L;wH>fl%`zmak;sg=k7#yJAG`z&Kc7Bk)k>JBmwBA3NP4JT_>nHPPvw|(bjcWVRABtpadg0CSE3O_;!~^>h zIC$v=a{;kND`Qv%l}R3oT?!yd0k7gYu1P_GUsp-+oGZ`OWaJpds>JhVV2;3n7sNTO z%iMDtpbaua=USrk0?|y9FdkV=h!tatW6{zO7P=NxXI{>a(bqcQZrdvPn)8r5u3(_1kRi^&x9TJ9HFs_hjD z*sOM|S~;B2b`>?n!VePw3!D$8S0`t0hv&-QmnT2ylzw_oM7B89PM!LKmiu7pGnKhv z<|ECy=BS zLqWU1OOap z?I9AkjKCW(GnCuVtpPB>>80G?V1Knl>=o%39FfHSx=5KXJqbjxUbbt|gjtJm0bZ4d zuQfWRDyvn=o07gZZ)zUFTiW^6S!BvBIeg`wr=9}|$>OIH7Uon5KGrWXe0Q#>Kmp9duOMEZxb%j3}|K4CdgMypBVF|Hx z6=L^_U8EGZGG9knT(6yZ$agQ%OnQQ|zqtU+Afx7Jk*8B)FdjK_*hS}?vd28dlAQXh zJ~%?+yu(Wy4bR^UF3-AG7nkFI{&;mdz8p+sp+!#-p1tI>SS(F=_se)h;~;Z@x60WV zo_{-jcYbztF}|Emt}X}v`)+tSxEh`f&ZooakLCQWFHq%MSvE@fo{lD;%kp%zrZr28 z(K1?6?&SM-)3fmp=U0RCvy1WYe0nuFKlyevI4dt#IM*yzv5RkmLEwg%Z{kuFl(wkR z_`8&7LG>dK;E#{INwo^ayg*4s2^ApC4-Xtmkv#tV3eRTE4-dj{!2cGl@%U)2Ve#tq z`10+^w7mMME~2u=XM@Rfcz!Y+j?b?q?@zBz&dx4X!ijIXj~(bQFp2H{H|=kZ&4T-` z<&xNw{!Gf!E?gB!poAP2j8lL{RK`Z`8ThodhwKm&+G~w^wexiD`y+-2` zW%7OEhg&lsX5akkKr9vwvkA-)yUIJbL=Cf2yqpbQpS&AQMS10eTr7x*SP>eZ_1vG1 z-c6>1%jfO*)A9NAay+`4OfLr~Z?A^u!|Cv3bTu8m9gN>)rs=^!zB||!yJ3?!LU2hM zHiKP)zQnIqEGOpXjGT=IPvpY&(X+5H8onM-4mK;^_hyK}QavRG2a#yp;R#KAWxx<7@^0=*09E_)M(&xVuJ z@%zE$kELU9^KxrfLiE!U>yU_{4XaS2)Y>%==Dft765$v-*gr$@h6CqpFx8G5^YHk{ zHEXgVCG4hLqyoJz6BROLG@MKa=efnz%yOQ!gbL44S_D@-e(3jqPWD&@&-0vZuXGQ_ zROH)YN0<`19k2BQoS`s64vdl81Y{MWh#(PMv1}A5j7|XY0!M)1?-Ov-wY%MK>^3;y zfFSHJO%ot@j;wCa?%78Te&Mrftm&Jh(|yS*-6^S^ocU{7TU(DO6_IY+wcf|MG1=_A9m9A<>=3)d3sUP`s0v7sXV%r70n3io9{CQ&=oa4B zkul$$Ob0)l{CG8a_xknlpV%BCl| zXkImk*L}wQ9;dE&Qqcv39Q;!rxYCL#@}@aB}kPXh6SB$EV|w*xU@q z=W8~%NyrG8ZTAl_7;$=OQ+H&@CEq?Z%N!K)xX&uEYRBUO9M z8mOSmP?~|IXUcJxNh39*sx)8IXF`p7bv9HM-qsC_TG1*(%%=rd6k@ zSd{@}SGvLVDsX)SW)WUyinC;8tn`{V`9)w)Enz5tY6L`0fMY`%PrN|j&^X+yMZHK} zm^40yF0)H~%lM$l<{h44<4|j)r%UkOixBpvCKLI}vl>N!)sR@4{b zEN@xRGp8t@x6GfSuK(Rw)9p(*de;cg*UdD#wVq6}_Nx58BPCQ@@kE5h?7Ij$=mJF^ zu4kG1?(*bxaCI@b9FEsm<#g0*vj$z)<2c%b;6|p>25roytfq|aLKJxni>#7%K5drz zmydSv#ey9aV$Ln%IQ&kc*@kSR*P@B|-#Chk1!weC1^~jAafW<&FFZFiwo0{NTa$&a zTXEtES%*wEH7Ga&vpfdlw{KVy#{@+eYwDF~S&aPlg;T3ZCT*T95%yja!%x=_G}Zlc zcSN@6r}spTPO&S*252)6B6tfu9v&lxQM?Mb-#%)=y4K+ywoIzkqmfC=a?d!l>~s+! zvcSGuK_H*J`d&ajO37yhI1%MMDPBoslwRROy~Y0C=0QhH8T(meS%t7j*Bq%G$_9!b}C(FVTWoBDZg=;K}2zq?R{?4tPi zXheuD0&<$4__y$$X#K>W=qA3o|M$xGEzxn$760XBHy{6@{c`93y_H9M|C^l{EVZXi zWyEHJuub^)O!#_si)JlK$SwrTALZG2{wF)b`gcGo=6|Qx$;W>>>>cmoKWydE&VS`t zkOaX-;Q}pD1pP^jBREH(|BB7>J75Dd`DhXTm1j)oWG~Mi*iN`=h}b9xA{0yVccCQt zg{`^lr?|_SgjvZD6!$NkaFq|IQgTaEkjSzjzVnwG5n9hb0EM=yq+W8BRMc8Vtx0Q; zywR|t#JJ)3V~CVBXC~=qG-!^_^E7FW=w~(R^G4M9b3Gf&{}}ry60yN+t^k$$zvE6} z|JP~n?DODSRE_Wh3`D*9tX~`N?n5t0{#4TRuy2*&oLXaE$;#3b0cK?X%%v7;iQfC?FpwJ1LKFIK<<1|xCW{k?WMxiE~ahs`Vt`SOWV*Qn4yVrR( zm;cPn^qlyAop!qr|FyG||J!*=~AvAW)F0GV1ZW=;a6LDF1T_%6ga4# zcthL%k!ySSZ!Pq8Px920|Mmj;OCCh@31w8B|Bnji|Mtu7?)<-%XAfM!nC_Jr8X)gt za7(vP*DKFw``ZvYAK@Gk+t?HLN_bFg0>}dSKA8LX8ZaO~FPJw$gnZ`3z=WFe9tN(l z2Ld!_LJS;)5t?~-$mKfze>7|`4*Yu-Q!C^wfe=MhC?eai&n8!s7)Qw11E+Yo!~uAJ zIsvX15yPH)af|&c!ra=||B71dU-@D&Z_$6`pX4TJrG&1b^Klh2>|0{Iu*q#`ys)p~ zN8^PZFGJ(S{~3GWJ&ZiOB4BtnAcieuyg}DS*y8CT{Og}lj@Fz1mxGhDw*!0WKBep|r^H4MYr=rK-KF`lCUaTsfM%Z}GwhO+}JLhJv5u6~w_ z9RhATcBiZIJ@?|p>e_bjvK8Ry7Gw9m2Up|8|~-hh#bflXbhzW7e76(M$8)MZ}4`kn06)p$sad5|>=Qr4zZFR(v0# ziX<=$-xq1=QZDckg>a5WUa&5ixHP&%K};sxMRi?0*x__C Xdv?$6DS7@s00960l<`#|0Qv#|fCRZ# literal 0 HcmV?d00001 diff --git a/assets/linkerd/linkerd-crds-2024.9.3.tgz b/assets/linkerd/linkerd-crds-2024.9.3.tgz new file mode 100644 index 0000000000000000000000000000000000000000..94861d252c8e836bdf20d2f95fdf580ab03f3612 GIT binary patch literal 113052 zcmV)_K!3jDc zVQyr3R8em|NM&qo0POwSk{ii&KML!bPmzDfHk%ZHKJcVz|7CqG&WwiP84iP_Mqvx` zbfPK&q*6pFV~EKRY{X{{Q)t=TCld{`C2aXV0IV zKY#M%7iZ^Bp1pYX3wCy=z36CLUGm}=XP^A7=HUKD8qaf8@=~f?Up`h6 z%*0fx(?k@dTu6~#vJEfFTokR3rBZJ)zMJHHEiT!&xU1O9w_obk$3JZ6Vsax2EmeNW z9{$sB&Zid_)3eFh!`8JxB6#DYPgy9>e=aOfp zFNN4BElXAGF4;n6;_~!#dYYJxuTO)=eBaKd=hL$XsnAIwHzju04R0xLgl0RnWooWP zal_{_ljUyA3Xw_wA3RT)7Rk1d<&G^>VO}tkxRyzw%xf|cn*Bfj|No2K%5ueW#S)bY zmaKTb6s!<`*~&tsQ}*z|N}0i|%5tMGPfzVMOr?4t6Vop{9Imw}^{M$ypN4Za-Q>#$ zAH?of6)8-P{rF@p^y-0Gk{?=EWX)w>a+!+)-V$prvrCrb$ztNjr{d=Smq}gfsrlJ- ziLv@t;M;Pg3Ny9aB5NDO>4TQl)oNQLxRUOTr7Tz5`7}{$_p5~Wl)kp5XRcqn@nMyv~={E-W|Jjp^i#`7T?8yH=OFM{PPWw2e zTnb%YGQHv#&z@iYT0Fg2e35*SKIIo_^6OteS)9LEeDO4We)jZf^2Lj1=f6%wdj17Z z&%U_0SUi0(|MiRKXX5FL^C!=qJpW?OA1p;K3SOG~XLNCPaXvZw_2m4;`}4EQrx%yc zE~d}V&z?U0;^Nt}$=S2Zv$N6hct^F``M=@WR_Hqy0Ef>1*~N>-`G0DDI-dW}&_vGX znfRtGH*eLp6#9~t#a0{-(f^cIJO8CvZ!%sAefs+Q_g}r6mLJQz_{Pxre|p~3|DIjE zxHz8w&(YqmL`~vmpbD{Du9@B@iO_nn&9WVnxh{E@iIn}n|M&m-e>`~b-e@W7O(sgg z%8CX{R3Y5MAb^kA26Q);t6R1yR3b#mO68t0FF)`dP<6i3*`{ntBlW z^nWJL>p1^QUW!}3o93dtRfU<<>4#tIsZ>8Mi%n9%RY8^$de8rpvnMYu&g$p?;>n9= z$MgSL+D|`Cm|U>w4=DOI#R2y7&krV(NzKZ_H&T2oMQ;8}+ih`rbN=9i%+pKua;rNAM0WAx)-CTChq@`*HpYT#FRUzGfPgt;`@C$CP-@kqH5;mqCrY`@v z{`!Tb{c-xGGA^pUIc%5z?e?dMqDyK9ciW3LWd@drzz}Wp1mn#UW($S z%C_s=clY15%HQyEb;+h?2Bs^eOBf&g-Ob=PjbG7PrOQI*%Y8!bz)bfRrbhH?DQe_W zZl?$Td~?pT&5B>(@ROBT^Go}@+KBw>&8r`tysQ1pSk2lw@{?<>?;Dv4%{aT|J9CS} z46^0hH!s0ZDRil)?EOk=cNnxM%HSSP_{JJW&FgDkCM*9Yo9~#LxG@s77E1eHYf-LL zIu1yxf_?M;{hQMZwh}xQ#gu(5vr-hAB|K+y!L}O34YMk8u?rRwg%NFb1kKixZdalZ*kAL4@A9q8GV>jnh;+(kd9@kYf@fJc0oyzk1q0@pij?W?W}}R- zCCil+bAFH8o?X3pHD!OSeqX38Q@7An=#aH;jvKRktBRD(M&JG6-TT>y$vidB3C+qC zFB#97G!h#yE%UbPfFWByS=iQFU9v>w3stPm9GWjUnyE8P8){=V-?q`uRT+Gv)>o63VY-=2WC`-9?MJw3vz)!E^+1P1y!K1<^B ziJRRl-fZ+W&$O70Ksq+h^2I_VW+e?D6}c#2Fac4{3c$Tp|X%w5}@(U&tIUSHVey5efO8MVu)ZbZS7Oc*ubW69pXe8Wyw z7fHBcP6WBVy`2_|WFk^os$!~&Q0IdwTXujl-HenVvuD*%<-h`X0fZ0Ylgn zQWfk&u5L4tE(JS@?!wbY;n6sFleKQG`fA2+GSb!xdr#V9gF7prh;tsyxLK;kq{9w; zhdsMwUs<+Y4SrLojVMYlwb)ZriORvRjZ5{Rxp%D?ml_!vn6z+Ghq)Z!PB!y{%u;L$ zq1_DB2s85#&zYM4yGY6@dnXD*hUt~sW=12=Z$weDLL_RL%fEWs+VONy`N{@OkaEm5 z2}WV`Vy^j)6~cUlZS#PhwHveVQ2Affg?2AHtMz)D%W{W8shn?1Rp`@H+=%Q{%jJX@ z$x4+7Brg$*Reo)s{XBa=p!!B=q<)kK@0%fL+hJ`Ib}oPC)0>P1~GftfIwFGPWh2&di96nVN)GRK3JWK!hK>DSx&T9&#JG)gsP zFF~IGv1XIP<;Py->?L1|?4^ruZ3nc zVBZ(`On7SjP~0Q6g&((2ZCm3!-J6A5kOItR$L~$q_n=d@P*gDB70=T#yWS^U`(7?e zN88L0l5XFg75hXzw5XUwFH0~_ww-x%(l&)KQY8mgyj?8hM>o3nFtdW^?sJwcFZQ=p z8;gPw;Tte#`?HL)(Dg#8>HgnZNE+SPOi^t{9e;vvbhDh{^AsFEvp0h`>$9G!YMnZk ze{TzVPA8YSf*7=LOEPKLtAELNscox1ZkfS47pz9KKjSSF+c)I6ZIi+vUVje*NmQ<7 zDvH)#njOO3Hli<2@5pP*V~$F0`B0^)CWS0TAvxo7btA0yRhyg^y5XR>)yvGKwy)&j z#oAE(8s-Dn3NE!Uy2L}L>pf&Iy@F@Ysu8%h8hAHod)LlKm#Cr;dSjk%y#rw^Z+Ic{ z@*U8qE@_<2ldDId@a#4M6g2!*6}>ZIMEKzDBL{ZZ)lYWv zJM7F#SiT6|@}F`$xVraI%xXVc!IiOKSMc)hOwV(bPsDmt?t*2fEtS=L#Ydi$+0Naj z2yVyO=#gQO zvymJ4Y&72QL@Qb7SaWK%%$M1oCWaqx+~behjv^e!*Q&HKF4t@$3bU)u&z?L3&S(C8 ze(_|?IC~7#AA47WmaU32n7GWIDOkeIX*TR4->yX=6NnSx2{?UJ!5&T?T4R+V3Beua zKU;~4JoR?Mc9K)}T3PnL+2%>PMOJ4f*6!i9O|a%4zZLniTwSt@XHVK5khy!{yyedu zUY4TBFWJAH%pT9CkAC|nKKbj}8|0FBKLKGrTgtK&5BOg22>Mb|?%{s;Oqb_yL z$q%R9?Qdh=p_y%~W@S`pys_k4D(b2KQkODMN@m5uHuFN@ z>(#)0>w_Kp!CrVdR=bzDpZj(R2z$6uT1#^WgJE&Q3tozB*V|vT#dcal?D{4u%lJm4 zAi3x4ZRmztt(%f;8+}7MSt+HVyK7M_@euJ6hTx7xH5H{=3d4@A+qBi(Vud4fQ;cnJ zqJ~QrW#WdZ&3rr9Yv43#leaSsM;!Wyj{b_P7={qAH25tkl-AWbY%>g~ZJzQ%3hgY5 zMnG~7epYNVp{MMnp)>Jx0)E-n%fcRX+@})G#twcCoagrLGV5s8sf3V*&Qn``+S7tQ zfCO*2Yi;4(lC7*bb%o#Rw6`s!$Wpwq-@1|gzTkNoMw>tqh)i762}Y@by`xKqbBr$O zn!T2bn<#|)g|_DjdC5YWp60+1tw+dRV6C!;Kg^Hpc0uW~GEgw?m_y|Qw0F_~Vc6zY z8t&uz?L5AfXawKi=ko2{Byj$U8+vPiyUto^26GS6-(0wJU{$wlt4mS*BVM_M+HPRq zfhW+s&`NY}HqFv7ph7e$SxGkjb1>a_6e_&nvi?xt0 z7`x?@@Iil#;yB7F`{PRFY@2)IR-0)P+icX?o7o6&VZ$yA*L<&hJVBybt-ILFN@BlG z+!jFV+-&p?L&9bw+}5tckH)y7oh03k2>2j$MX}jvHex4WhOq+iqaiIGTe~iAKR2WU zu$rL%cmMHk_aNl6Awi$DI?Ai&_nSTaq}}B_>yGWz_f;5E@v?6ZoOlKqzETebnfTlC zOL|B;TUF$NSpRwA~nMJso{HtA;tI5CmrLq5h^xK2i24Xl#lm0p|3px8w z=fvONjwZ|;Y0z+6(?^b%doXnkxVIu7v|)-F<#1jtU31A-+%jO<(Y8lU^D{HXJu zIG7Xl@r{OjYz+ml0Z<@dKDf|YYD!)#MX8Ne-M!0EA`acXsa)Vm&UTdp0xYV#ji@BZ zPLfWt1ZMb0=WuC?#b7qIo6#}?+uu&YJj=Y7N!x#!J#M>KIXCS@@DdfuJ_(t*KxwxL zVd_p0P6PsmstJ8$X7VA%auy;{>othv-E>h7yEbce?ZT^r1v7o0ixt0-stChodd|Bu z!a3u5wnKNEXLM-r(M)YNN;_wro3xWw>mIgS(9zB7C;E}MMgTlYYUNb$)569x)AJ7P zFR#0t3e0NCHFj^WP4hnV)N*&6>L7r%U%(6^2dY_f@sTY7&EH-9i#34su9Y>HSxa<7 zO`7(ENp~}R@6&8Ix`FQuqN1}MOI5N3E96Sup2|fhQFru%GYg~s+8RtZ+rq59`5^k& z#$bB)R?besQiqyxm6>YxQ>OBzbKW$MGI~k7&#f#S)k(uH)OYZrNWq?R||G-rthMqf7T^Tm`)#v>h3Y`${bfBjgS6l zo%s&ygK5sb2EEM{rKhe(d%?9;qjWD7*0SdZ*kdup))wMze*E87r@ag_{r;)z5?`od z&C5%(@t<6DU-WXlU0<^2&z?Pb)_v3CL;cdTIbh2UUZgATN4u~CcG=V*xT6*ruDcl( zT#~^h`>L6|6j*lZAMHM%^c9BkzwPgB$ZF(;s%wZ15roFB3GZ*UadBf0(%FsrH^@&T`j9jNSO^BX8+{?UH^A zRw8p5aqrHAR1*Anp~q}tGoQ^3#L)r0zrAQaE+21cK3mJW(PGW>QYL7z^7+v17M3tC zJO~(c!FQUS*r|Io4zsak$xiHG9<{R{GsJ}|Zh4WqG%fcTqgB?uaC6M%ek&HbHDGDT zArrh$lc#=Hy-=GwOUNj(^>p%{+rVaj*<8N4SpaLx{hG^cTL`bFGa!k0e%;(kr zdA?&|KWkzR%&&ipLrxhwwEEc9s|9<^v+S|CYzryOZNK*kOUDO*_gExhuV-2rPVKgK zXov`t$jzA@+pm`eUo2!Ya1mA!kA{fZ{v@wl)8N$z~Xn*P!ec#Y;@Q@kF2S;#Z<=oKF7- z-)FfkaslVf@5df-ke4=x0z%_KxV)9xY*Ue2lmvT5U2Kj$7Tt6EYEi|k%pEX8!+rx+ zF=gd-H@04B-5h&WxbW60&$1dp)p;0;8A10+?HO7B*6No3t9asO+C_P*I%c9fIM+1s zmo3lOt&q!AX)_WacP-cs&(7FJ6p4#Fz{AuPgl@+^aA@|FmMZF}+tv@UcDxMxBXtnX zzVAqc9s1868K{%Abs&?xir{qa2{UmMV1@RIB)o|e-7mj&UdY(?uH`0Y5gO(y%pJ8i zWA_X&#%p(T_t6`=8?jmT-1kWHj&v|BI0i@y1Xi4h8<+P9zIu_EbJa_jfyxD2Ionz9 zl@|x3W^-XN;moA?1j_-E?&!MynX76_*)jukPs~xC7Yb5;y;*nRrf|%*8gCIdLEzpR z8h>7w*ruJ%Z~J`zp2OBI5MsCd)@x$u4A67|g*Ft!h0CTa-4;zj4z3%$QF#xSa4nMy zk?fL8Oq)GL_P7>22j2tFna3_0q-s<26%!vfh0wLphJleO=Kl`*FI{VdMNZi}b8%Vz z?vay%i5R5lCW@_9T7d&q9|945TdpwZwFN<9zv;5zrC366qWRY(lWS=RS=r5A40^>k zGG9)O#63uJx#b1VOCe4zsu0i7-R4f&o=pUOEJ-Eu(*vk{JcHu9Rllntd0@3-m-8?ARB%y_agx1m_GQ4rr1 zq*%^I9f=^#R-2VDgAq`=%#8`~p=N)%ph6N|%REW^xt}v)i`ge^C}gkM>U?!L5RXW< zzUHhuB(F7puD$JHzK!#JJFBW2>^zY znH_jjA36ESo2SJB6TXBsp7+M4?G0=LW>>WT?3nlnsZ|zJOf#;vN+ciFWUJ=kAuLQ3 zy4hwqdzEjtTmUr6ev87J!7fIo*T5a!{uHtzOAl{5XZ~j0g$=Em5I)a3Y zaC1CRes=8b*DoU|zPNaDMi=H{&nmWw@ z%{6+%vp#=$dkZ)QW)@mZ1M`8MOL&i@S#^fhkbwdx_aZ{z#OA?v-fidF@Zr4lv+&8? z3}#^u$0(BOms{bk3$s-w)mD+^4p0E$Tai@l`T(HAYy>=EHu@U>T?{}K^|fjaTJz7k zTTPza&-?FvHD0R37Krj!lYd2Z>wo?7@BaQD9zOonY%=|~A7>w*pZ&*w{`pr_F&bsX_Q3MqnK2(`#A{j@iPC#C7bi2`tK*^zyBI&E)l#2 z_9XjLpxvC$M&nT1c`_UQnW{0H)~Vby2XIf?$^lIGGq5WydeThmtr?A80wn)!Axlw1 zKkkoh*z0hEcUUulQ~xVQKv(iD!yxT-`ua7La5HgtsD$5x0)Bs6`KWmNc2vBNiZ?qd z-bclI;MJqzeN?=UiuY0R_U#b2=6A9v)Zy+-e0|T2NxqmGZcL!2gMxx@U2rypI#cgu zdvR3JE2+>W!0xIXE7rNNIZZbzAeMeb2;H+6JGz{^KgT!1QkMT9t1^v6dy)jl|M?^u?lVreKrMk8R6l%3WC= z0auR4cqJ44PH4@SKIZB=T%7Bm*hME0YaiJQM3E%j!Nr zMLpHUrL-JGb0GDFe!OZp0@Q7Oh;bw;+?ItXhNBq0?A`)(*}VkoGIGFf6v+yS^MIgT zc4(9$`!5RKWrylgF+sd6+>)_Jw+n33Y{h^hL`!lk08QQtB=!Nq0sLy*&Yb1!OB}LB z$khtQ_10|KT9vhE(uOY=B^dR8W6pL6q~sDd=F5K znN~1hD}igi0MW~)(Z$Xv_#t2Z@YUqv?BaZK@$ALZGXxND1xt%HTtAVf+-73wyKlb# z!?#~TR*B243%5oTZM#8rOQPwC`&*nxih*Q{P=$!Tw&L}@`-lY6Iy@5rEbif5g^t#G z7jt_ak_x~MH-X(tN&q|bHi&iJ+)H`@`;^P~z-2giwtDe?+Zq)E_z))T5DE4%(4$>w zP0ZjL8hQu~97XjO(H<(Y9vBsQibpGsqFU=^h^^32jpL>iwQi}sx!Gxi-p+H_S_LI} zctGQ!X6iOa6F$N@#Ze9G15G`q$0tmH!$ad90t9u!!Af!6jhdd}+J7l8j)o#`YX|X_ z*om#N6u<^_hrm}HcV^!>SDPV~Z`X6&m0K;sx)BzUE{dYVS@lQi)?pd@Llt3dV<4C8 zn-eU6qtpkOS(@XP4n7L8H-bOW4Q-|waTJon5o^-WK@Ft=V;Dy@H0VRu)^fQ*8?h+l zjkOUU%18n{TDRJYQ$6oApTMgkpeeQ^kgw5<(;lkT@zFJzP}Ez+YHm%2EQ@kB(r z<FI`TbnYSF(85m~oN#!b&az|DA>EyKOgilD^fBp>9b+Glv5y_?82fmPeLTiK z9%CPmv5)TYW9%cgW76R<>F}6zcuYDxCLJD=4v$HPN5y-v9To4Gc2vBNiuY0RJ}TZv z#oIl8RJ^hMcTGBkhogO&?{^!)WGeEqipX$fpV2Ex8fmGpIPsKS*=q+Q2d>_{La)5J zM4>8fU%B+KB^lS+RV9LpqYxqtzr~^!8p>5pNF-mXLR{Js5Uw{^Fi8SNIyzjT_La-J zp@*de66kDH3v5NOcL-3}@Z=&@spEvqY_`xfYFi#;jX2zdra^6tszj(*Aj(wgq2e z(vq7{;WLaXOnnl`NmmH+r7vZIWzP#&P>v?)Kw&5B9L}c?ZN3qCs!R`Enb~c*Er>hT z7Zh7zVcJCHH=M*!EO ziV?4G-GwSJEy2zat)pRWwyk!xTxta$Fy@I}8%Ew;^(t&mkhj^6vszh=*$68}Y;~#D z(L5kLGA+jecc>*!n}OP@TZRI)W6Y}ABvCAuKsPCMR0;_yeV|s!tC&^tC0L(1yh^K# z>%yi*(xd(?ov^Hj{vbCSsJEKyQt)&N08nK&lXwYBMJXhk$*xd`9qd8$wE3!G$$mT zQqxRh6H8;N`ShidcBh995N%d_iA@NN$U^yiNuR_GJe=4WmC6~Fyy+4$hmHg(U9*vb zIY4tDL9;XIa)4}@l6gmImej<`X0qe}*{)Q|-t@=;npN`T-6cdura)F{jYAutKk0EO zkuicgEp?G{H$)^W(o;G9wUePeJQWD;wI&LDJc$Cz8=q$0Cx& zi0NU}gfLqvnNa+mWB1 z=Y{LY-xvH*IHDZq-v}SI?ofxk~VSIdp=oC7;<@bu*eO zfuwSQ>xc#M&(F>XclN6VRv1^gsKCuayQlf6EZK@1eubYLAh|3AFP;2+HZ~pkdncW^ z3d`n@2U~A&p?Fzs$5(FX0cPBp;cr3xW&+IFTm)V493BEp;2SmJh&1ptzydm-HtXhB zoQ>UZh!26n&_hy1?xFa^$I?PmZna1U0wWIKkLPF5XdJTtF&c*)HlYnTdkJPUg28Oa zRA#O4UA?TcX6F{Nw)U!wci<`Fn@uMB_r1p)wZ?-oSy>5Wo1r=PyLQ`P9*A&91)vw&rWCTr+`du9GC+_y6K* zISYmN?oLBLVxRLV#)H}En(SV$no|kA54l3qr>kMFt#fd%oPXbPy~AifsK*~pXtm)= zxfUAkkYI~-Z`GpHM^rOfk@TN|xY@ed+O3#%pu3cE>z*+K)TP+yA#59m#cKqnOqhKX z90C`D9r$NhCKn>vC0Q?GMx%Flc-O+HzZ{}@t1|iotI}pRrSgX<7o3;-dbL|rZukNAfKMq@LTdvGM6DwDh1uw-?8fnn{Ym&*e zEWxtRdrK=kLT2!+LJXtXoqnfu`!ah;( zH=d2Vj@f`rQtdOVG|Wag#@Q%v;>I|5yaqTMt#^gl>-XgiffpH>$+!FBoJ;zb3GKH zH4+-`^P;gvc$aC&tF@(eZnr_aQ^J~zzIp%t4cs*&vp&vkMu10+L*H(g`kv(oldc zL`BUTHulr66cUQiec%U0AO|@_AOh7v%%CO~5P{|(T2KQ}hd`2q6V!tLLnBQ{qK!oU zA*UYFlMZcm2!SRWOgAJa5yqwu#v~4sQU;@k&TvzACJWZm|Hu?SXPV&MCkT>K0}mnG zlN8vN=0~R6NC)go@FUX<5&`>D`^Xf13gA5?^&ODTcTghV0ZCtXp1c>GKNgj+M@-fG zG#(SbL=owE2dq)#l*Zv*60^zZ33yRiV^K+WG3j=nl4wVql*5zjsCYI}NH)Znelmtl zg-t`CI)Gl&ib_KiKHG6?J_jC61QJaM&_bZxk3rLkEko(^9{LOoRfg8-JCv29nA$zD z2@TZsOGWJda_2OYLZcvdf1z`d z2HR1+y1m3XZRCZ;?!D9E=67G#{O${yN0c&mCCUj@2}R8JHvnn;edWtrHULTI?kHT| zUyz(YxmmJ&pcFZQ;(oDmN)d7bVH+DmEk91_YQBpuJRYY=M-&^6Ei-;k1;)vx#UTWZ zNOZ8Mcol|5q!?XJ{D4}fpTC57q_j^j8-7s1@cSqgelJDB@1;CAsW3RAP!K5&VpTNI zD2Qaqm=#P?&ub)h1(mA07Yqy6?x&nLxsW%b6~bfm65i2?C-v5XfN@Ac?)dVr(PoZ& zD8C)aN$KY9dnmSjz||Bz#RtqsL{aTX>#LzfEaHy5g?!nTa9_$+8#$6Z0 zzK2rS1ys&h9N$CTMNk^8Ejw>Kd_mvQx0%Y$8 zHQ9q$BAV<}h%XC$9|fT!OF>i9HSXHre@xjJY{!(1V|);y9pi)A+c7@q7$0T$VPrAZ=A_c3^CTQnbx7vjY_Si_mrym>r}!P=2<(?CAj2j>5A;MP-L( zv;}f_u$=4w&04WpS|QnCig9yEFClv$#be{j#`cti9r#XH!B|2u*a6D*QnA!ButU>= zIM8=n05-bxYqPBD;MVIa`r1*@mEyo{E%!Q9%9Y@7ZWMYQF5)^svsU7jTE2CN>)7J1 z_fWVsvSceQMUYmkwONRDfM{=-*6tFlgH}~?f!5*DtOpfkJ)|6KOd-~Y609Tvl~OaJ zx2WFdsTqMv0I_DoclfYBye{`iSNPQ4RME$;iftwsUvio2(y&^!Hg7E7zIhpB%6`R@ zl`SX%F{fDKM)W1o$*GuD)h9gXw~7vv3-Llqfoq_H#5O;j_@OR0V3&02;} z$v@cQ87j;08nXoJJidDy%yM>peeD;5P1stLE0tcl7&@>mPUpOEQ9YM7_@tZWjVLrM z*+mbz>CFXv*$#=jx$oYQ%C3i7IzQE8CQB>J!Bp+oSFhfG^VQp-c;)g|1-r;f$1Zfx z2=aE|SFgW>oJjLoikIWMntclVa9U#GAz*d1{rie2rb!I$0?>f?^}aL8{J zPucHyW<;KX6>3}Vi_A-rivl8{z-8uVs(a+nu}vXWAxrsJ0b5De>ZAn6Dk)?s3dzT? z6J);aEh3Y%QVKm~--%-BEvNRXhLRC;QQn%Xvg#(tw;oTtN0@zMF3=RjR3})W)4_$D zA@i}(U>Pr#LJ!vQQw!MskJ-x=FL;7tVD2oDW(c{;C$}<76JDfjrF4nmW8GQGos@!? zJ0I$#s$H~jPgjxUm`AKjz;5E+>MXAoux3n`hHpcl-JWodOEa#%wDD`vzsn%nw-m)1 zG#Qy=9U@=(;*)lnUAXrv!Bm!-wMOOEZ{(y9R~cU5gh8Vpv~J% za<*CVxhQ4AGdl)QQGfE;2S1;}zklx2(mQ6`>{%Hmh=b_3;u@t&*yNowtCeV7p6aMT z-4b8N4@TBW)Dwa;wHBiEC7R~yM)>9GG&ILl)fqLIyNk=U_4HDi@X}{@_ehAyYAgBO z=nlvroY(QY`X%AbOg%*F_ruu9I*tU$I>N{WrjKTBi>-i)c|9~GRy+*kIJjhbq#gIY z9-?!Rsax!il@@CE4Oa1!3nokLFJ`IP^+Kt>gnJ_b$g(a4RM-5?`89J+&W1qML$i{N zP)z;`YAkv=$+<+l*fkmS5za=oOU{dHemO@U?)CL`x8_81R=S?h?WD+mb&#S`TZ~o6 zo`(%MjeYB4po^yXGKO+bSleh&v&5bRLW3lNopb(w&ktZc$`lt?hlHZx;h$lPY$qsm`^ZiiAJ7MsLIoz#8OP3J8gBJoW z(U8}zIDCqP2NuE#l2ZiJ^L3;xGFq6#pJg5qX2`*pr*>32P%HXR1zjYf%op1eh<*r9 zH3g(I!TYXisOmNV)pqmc+%gm)+a3?iTU{`XL zPeRZs!sQ)sr1P_jr?d-^#$cR+_9<)TG|&56w0!4HWydum$~%$LPD@14Cks2_=HPjH zstRw-Y@ioWm>b*vVFJd6w-QdaiEU>^{t?EtMY(G-DT0X6MACRGB}v zP=vP&VU7mYHs{I8cFtlkq2m;7{AJ0(zXxVwe5%dE-GGI)_;)#9Is-Kh9^hhmnu19I zLgc{^(2BYX^XB1U0^(>g(ZVI+U`O-RVVrI^DQ_LQc^bdUHRBtz%!QfJ0E7l;se&zC zy>{*3D_Rwu8p4!cV2=U~Kkoml|h8}L%EUVjNsb<(Ux7;wQAfPyX-GLhzJ@+1)&Q;>4} zrhluGZa@vAV?=2ov#$Ub4zRM@!MVGmoJz%HZk>_0D`9~!!_$c;(|*A)+d`Q2?6J|# zci~Fog?GE!S=JK7YS#_m;W)Z?)q?ScY7;I$27O3facdX0*liy1n|+qE_kipU7r4V9 zQwy+rYpe{gH{*TFWmh5uXcZ+((V(93%@tWh_qY~B2zsF2s)dp9%Bm_Xzk(G5|$2!?==eiPjQ>^%n zu;+)B>TZ1X74W)u30r_exLnOfZ{)aqq|w;p_NGMTXV=4V|N+g@D+rYpc` zPi0|xvDJ{vYVI8)fit^0Xdm0~9!AgD)H2VC=S~|y<1-AJW?w61FG=j@Pd!vmPubfl zQ`dAx&5e3k$v2!Wlrl^)oS;5y#_1{h=iFQpEj@<*@dEtnS9lv`Vm2DH+2~E7mY}fZ z%l=G!^gewlmIa3_4D-QXZH$KhohX*#pT+Js@EQN}yRzV=SnhtaHh=H$`LE1f^?tVz zzghE*|KU5n@nnO``%iyfi;~}*PyKH_#IOHdtNd~{s%B%X)@HYF%H3?lYCXN2ji9gY zcQ>%h*~s*vH&}mDs8Y?hi_6()zAJ?upN|W%8JmOqo9f%M5yX6+p4x;bOm^xa`}3!U zEo5Am?+XqtNR_{rLoVprN#B3jxme6!Af(DMq``$St@N~9q@v*!R;mHXP+W7% z5j)FPMDS7Xw3g-W-H5vSFn zN>Qwq8KW)DDYtnn;^U@YJHqCo-N1qm(QUedX$BVT^d_&95h>Q~*V*-$P@k$i6SOVvI$zhB)0Ha=6a>r<#&HH!>gX_pMCW2>LYilM`IiM-fzakRw|Z? zMCFT2V%Y<^Ho85}OJpd8Sc;EKmOjB~P$WG`bA5h(@#Niho~kvM`Pb|6^wDom{<7s6 z81P^7wfK5n_PZ2AQE4Cur{WPOpIAQ1bTi;DfBw^?VlLA^KYsMv;BSxafYng4Klc@z zo`K$2ZlvQQ-dfgLBy=SWm-a$nM zPtfUxmn*xOoShI&yFK}WjUeo%SMat#4*(de(C7|Ve+75ZP1`#@>%+8SgUX%d^<~C2 z8uPzG{@jz_I&v&L7v-sS`%NnPvyn67S|PZ{vxd#blzsXAcUP}ov)Sl$HezqC-hVT; z7GL`ZBaNA#f!{+J)=rv1ISd5GJaHgt)%KW5b(*R~pC&3d8nixDH=?+a;`Y=Q_nVmc zo8TeQr$FfRm+*f*7;1nXyHlkyl`loXa*-JBR@yMK6i^62re#{c-6%kGHr!Ruq=++if%QaR6p<86})f)>F8PahN3Sxd9`Y%E;R%=oAVl*%p(k1F%dlx@u?j+DSRIPR}g_kjiFaggK_Q(d@1P0JX zy+T_CeP9w0K13!ALV6SvIXHN#6620tHp=(+QVohJ#uPogSN?WTSwqrc9^yfb5L#PK z5H<-4FIXP05&>-qzJa8ZSEVyy$-ETBrVyn_tKy&8u8!zpEq?=spIS5|tll4;$FuQA zRHt3!(g1rfJ*bRGvWiEF_2bE4QY> z8;_>!RrwGDXbO?2^%`SJN|Yn7&H7!lZJt3?&45%{Nv9qJFN7F`_#Rwx3?SZYvfU7f zAFr4x44P}EHXDWT7&a{1Ozw$(#BNtgV=>5+)*$SvS?{a&n8UKqRk_0Ymu4E@AvC#H zJ&Cfqzrqa-=&{cQ%E13q1uMcN3;|s*>{d04Xk4yiBidk^@2>uZB`aknVPIC>7DA@i z3=7^5L#|*|d&$~*+2HzW3zY|}gVEuOZ0F&y`mX_Xdny;cDrs=`J#Gk`)@@<-1o+}W zU+iBb?m~*!wo+-}7}Hw_AzN%Sv)3|}FBu=+`b~C$(GQwQh$k;4&$8XL9!*8L1uNEp z_3RCAPD(2!*gG-tqp|YLx_>+E>=`tiV_eotx>ri0r2=MI20Tv+ikP z_`^W-DGSA{wwTarm5kJ4!^2Il`x%t-@w|i{y9??Qx|s^>Sv3hRsI*_<55x$E25f%( z-_{OrDL!sQA>n{#|I{aBPz%74%f6C|z0$%0bj4xm0!7G{8yXXL6fMNm;Ii4;zm)*+ zstE^Il>rX#gMNv)#-%Lps7TtNT)Pb}*|&Bd_R@R}N3wBAorIge+AU*wA1da z{!7*0XK{B{zop9EXa3H@gX)$yOkB;-;C1ccETJI;w@jPtxE0Ho#K^qpZ z@vx)@*)?9vaQROXlXUFX-MP;9#*Y^tmx$uWjwhPkL%~-z=`z?!mT$^$q z_A>yyDMQe4^$(>|hRQTV3+v7iXXRt>)nVMw;0> za>1rQpcIBS&u_|dV=v5~e||8TOdjx!{J|kz@{JS@s9xJ`ae8z905|eWC{f_NIA4l| z%rPgz#aP2J$a7_dJUj$^BPWopeIwFoE#BeM*NR)pab)NGyyAfgFU3+7-c3JY!HNc4(qm)WVe0aq>%SX~sm4gFP9vk1IpA{y ze=uA%QHJOH=|~@V0DI`rgz*$PG0)x;`#?*6-0`5SJ;g{hf=sgn)eeSng#2ZO$*+a=u+{OZlCAD+Cc{oGOx6npR7Ka4xq4kjvx#gbi!noE)mFKlnNnWL=G;D)u%FLHw(X-D7ZNP1rB|m=jGn$;7s8 zn-kl%Z5tEYPIheDwr$&Q?)%ZHI_EugKJC4_y87E*z4q1X_rKtdBuaJ16PJ(4->_wQ zLb@!G3g+Ff0^3=c<9X=?EaAwS`2U0#oiYs(XRR zY4}H~V?-f?SCi|?g6A5jrb2%pj%j`_%vJqv5V19biL+InAo5QH&J3{VtUEcjOozPB zz~ALmf+D#S{y4p1^;NHKYN2u&RzL96C=sMDx`VY}iFS8f0^?!^lq z9t7cdklH^H8CfSWG_v2)u5P+(pmGWo;xVG-R)xuH<{QbSxc%Hj2hv1DW~`|vh5}DM z?0ZWQe*8RBt#-kRn~#>Ds0YK|AhvXC6ds_wRhdB4kL&XCgk*cZneUwgh@rXex3VpJS%vE=nR{&YfenK6qd~ZErMy~lD8wYpW2Qd7y0*oq z>SD=LDFQqBaBL$8UC0O0oQ~w<>FO*p$T2OA^I~ zp+kwD6SEB0%+ijQw%~iFIq6i=ctDYU>HE?`ziv0Cm{)JtA!pwD)WkvqB$e#psP@QR zOY5lfeRqjoaqd%-->{JT*wp{eXyrLT|UT@|5JFKynf;<}CBI>@T16@XN__tR@dF?P9#N1u4M5?9uXCQxNnA zR)t_$nUnce+MDhhsD=`z$oYt3=K5MMyaC|U8h6Zk&%P3?){SM{rh8B$RJ{jKj^XX) z#(|c90dlN{<3M*?78*6iQ)}b}7?p+mt-qN<1Ius`+3s4-B9Ytkp=4XS_B!J5IGroR zUD2(*?pI;&SB>BDxEjXRz|l+X_%usyOL1eQ7ichstc4%BjdofUgtXZTti$6c(RV6> z@}1}~zSXX~^Ps?Zkq4^aR4ta`%>+Nj#tz-B!d2&2uS|W?_NUD}4{nLaVx#7 zN|&(7ih}%}Z--t7xKw@v#yD3}-wAp9)FkOWpoQPYGP4U95)+POh7x1aEgD`lJKX{q zJ|Omo1*+wPWNOQ;E!l!JH<^x$Alhb2pcgHJbHU$>qxID|W5PP(f=hq1@3@25uaWlx zH#ST;6GU`EC1R`6^U@Fk>YYM5EN%w>Rm*({9;~P*&KU_bj>Qah>N}&w43W2+!Jx&s zYgO2>qt#<4;t#Q;WO$gpArHns%eQi3IzzIE!^0>ou?dnQP!9msn(853Y2c z*9-3FP7kk5NIfY?vnU};lRHD~6P4e==azyv)^5=a&!;d)IND`z`sN<%rwL8L?V6z| z^nK(08gCg&_5pZs@1}XBg-(LI8I9geoUQ=>!}@Rsdmn;S!z$EQ6n^Wb`KZ746V5I=!z}b zY$}2*MM>0Rsht6cm*}fmq%pw|!_~p~>asCy-RedNJ}J0vzHhww#p<+F-JW4b4qpoXJviklVXjFS@%`*dHASs}_p;}w^fbqahyH1GQF!=awWM+E=3`hss zAW7Iz{^k__-SqPX^TSwax-6&&^Vkuc0RrobRpR#Cvz-QhEaS{S0qXX%w!&Eh)&*te z^ONaS%<+S#^UD%s0%MqlC7PCQ0@c;U5X$j@S?vbb2Lj_DU-AVf=mBkQ(*Q+njvyKr zM5e0*E^w*5#G%{90|3E7O^Y+(kmY27tca&T{hUs`T$Xl0#LFQ(sWGX0^aph$<#Mi8 zq^0B2In^Z{!I1-U&og+MfdK-}OZd%Ms?h4f=fAh{{i5;D4{`C&0O-%Yk&nRs&wzwi zk2p4X>EkQGLLQ=2T;xYiaS_tnKiwwqAX$Fej`5L@nZHm-$wuBPp`yCBN=23#arFTb_j8fZ^(Rp*snAjxQ6| zeytj;?xIisY<&s|i^wv+dI?T0ud=}4y!rlQMGTy~!2o*I15Za}c$2l)tj!OG6*$G#oeaYK=g%$Vz75_fSTRfSPK8pDHR)JoS`weC(g3 z5+Z#?;a00f=8T6IGGy%h*Zn9LhFmkMqOm#7PS7u0RjSs5HY2=P_&=HLE?$+Pn}x0qZ8aYT}hX9^!>7T2i3DaejC#4O;!a6 z0kLwmaFuqb&@h%mZ&qfel2ZJi8Q6jk87SOA%_z3WYDZvUQ`o^)rzWp~$R$Lr(|`xe zzZ>?h^5Lvm#|h@|m`uSX9|Ovv_8R*v_UjitIM8v)EL}kU{rsEliR!wYj3i^L4kx`% z=kmv!vejrx7-Q=Prz}z&x@3Qp16}e@QMV`LRe~a1D-|fpkrXpSYEqCKvnR9S;H-)} z0~8Y=4*V0F$_(JAduabDn6;tWw@`S*{+e*)FH*6B1w@hkL=W^89fDX6@w!qg3GVy} z_FjRP5uLoFQUG83aome^-k;MR@_^Jt@wCxvLK&qZCm*)!e@?8~g3=zS6BkHo>-QSe zk#ag>wJu_s@<39b-B?~1UYscqjho~dHiitk}yc9v0Xr^I2p+EbLov<;*tCvhE zu2*@DEby9}VC6Nf?vk$)DRVdLX3-O$ZY$dBgOFjQ5DO4PMARt}od09(h(aEPMIU^z z3@(udM#JjvUi8RIx|vn8ZY?9;J{g}6Z@_o|hm{@dZ5Jm=UV)t8k2=EBdvhPF&lhZBqAg z?g87cc+h*4Zsj)O{k7oX+$slyk~Mcn{y@jr_@A`LfPXGXQ@i(e`OX2_KgSC|$lF?} zhA?EwbTr^P`Ne^iis0EreN{haAep&J8{ezZz`cMzWdZcOcm`!=v!!?j^^->5{)X=b zSf~OjoR%i*e)%ko`msVkqGcZt=f9Fq#sDjMC_i@yPe7izYs7J^V`j72HP#@%-Qat= z$*MmpvkAQe{2)=tz@3<Lgf2u}Vty=fvuJZ9Z3jp? z#O&Bvku%EvK(qZ3;pZm?bqLCtOoA(3clx6o_-ua0gdohlBF$y3g~gMt+8o=*o;5&i zIRH4k;PpVc`K;G6QM^IPumx0#?^&5hsf`B+lpYIMHYKWa&MA7av=U3uxk!Ty+JxXcT_HKSw?u(o1{vzdv18 z#Fv(V*I@^OC8$TrxW3HFT4FB}75KUEe=O!c-3vk5ON~luqkShTg-fJ~EA0}eMI0SX zbqL)tN#vc#OHr(R{0@9_P5s)9pKz1^ctXD0@_}PYhSCQ0i2op;ww^S}w=22eN{#xI zT1b&TQ?yP4Z6>uk04jR>wVa3sirQGd7^z1KY07n05zN1OcK={Owqv||DF@vJ3I6`sc>537DRIR`wfT?t@w>}K2j2dDx$se$B#4@T6y6PvMh>TqxRXeYOe>E7}};+%3sdQOK19I#XizUv2vj$#d-~ z3?(>=-Ri0F_txuKzFaD?&#?k8jZG-=L=ef!hNS~sS*k!Or$d7bQV{n)CC~1^k|!Pk z|LI%uJj=z9{-@;85@h|BJRjpqPQtweOBxn>X;GUnm9<#FZuCen8B-bdHL)zcSa&c5 z&aNg)N)3wYb#l+4`v`0kur2+U5*GnkkhOj3R_Vog!_KiY3w%HSkvxaN-;yWzq(%+n zza)>DJ`Evy4bwUj#(Zjas!0}S)F zpetWyhcvZ9A{?;)#$k*Xl{C3k+Ac*&f%n1}=j}7ph3T>|nq`GK{WWsJUCiU|JHSiR zqVr@~`iJwd)Bg|WSq}N%IZxOBKj+E&Z_eYZ{-2!3)Z)K6PtGFD`@fv$ruM%%Pib7O z;GC~|hGTJp8Lf_v*Awd7?E@#DE~SE2;hW*D2wekpgVf&PqD*-JR&c);WT?$0bc^b+ zVfsMoZ{Uti&BaH5dY4MFMPE>~g5~~+BM%_g@p^w?4QS0f@K9}<5ITF29)y?MkZKZi z6ZE5m2ou_@EPQ}3rH*>V&TAOc0gHpeme<_}Zs*6(S_w^St!Cyt(>1uVCp+tv|K>bE zA)zb($$2jR;XEn-&zwiz|C{r$|HFCsU?1b={^2|YJD9=lP-Opbo?N_d&Li{9d4|~j zdmJoz17ixuBlQH7%kP5?Rf7ucEC$XSrHY6# zWd?)xDM*|m?k}3;lTXp9E0!}L(zvgNbP^meMdmF9e3QT ztqCvZ^o4w=^dR!h1IyT^kR?PTB&~Y!A9VYC!{7UQ-S0@2Nat~U*!j3kY7l?W%L5&z z%&6%8z5s*tBB8<1#(=`%ADN)bUTHi4>U?zpa$@hcYlCat>I?D05e0&hjVA%sRyI(+ zJoV=CL?19qABJ3D-;`DcT_RH;)Fa~ttlVHvtbCKOV+HC4Kc8$;cwh)%GF>i9cl~!l z{SxPW!G43kWalwBpIM_-o^}&giDWwZcU-&Ss?x=QaSL@i9yoFD-ebj(I;2SANc_YN zOe;@^v#{L)-nB|ckC9xRO(J-5>Pk&;*?dS4aAviz_1qZ5|%8G%` zckNFJ998m0)s`V>dAy zAtN-RJ@rdAPVnxZvP>!(w?RGN;T472H2B)mRjJV3^Zu4WH9$qWRko>{rB8kp%OkUp zPl9j0g{hbzfb$Qf!gNFt*HEs6xh#XUvU_Bq;flx=bNUEbZxs@TnYmq(KUzDFNdaXw z3r`Jc#|q_o8k5_#k|VMm1@I!tU(h?BUHW^eX3M+`*Jt_LcyQy?%k~F{DnCL;LQSAP zR$rQi=bK7v@C_aOVt2SuZu@g$@neQua0RMD?A~173yR95H#k~GE;TZ3_K_yNYdxGQ z9Z1KZL&+ztvNy4efCK9zv(|+LEvIhMRUjN$dXSt_1Wg7k_6nh^o;xTZ*qbD}|cWCl`iP_L3#)N&oOP^{}w>zRBI;au3?l}D2Qr5e-mXZx_PyEd(q z_S~(0v-cmY^SSF?w)zDy$oe)6lUdwT6iz12SLd=QN4|2xKTedMOPE@1EKlO&Od=iW zKs>J;M=CG68J6xiUNtYTioOiO5CA(8Z zyQTx-5^?fOt~or|^=(m;+&Ru`1T>I+&RZs5zV|&|asrAqw1|pjJ~#t5n7T{ zK+r_fDeEUdkSe;0 zZLStLZ{N(Mz*hwbXM#D3wXKYMzOf-OszlR-oktD-F>-$%6)_NuURi#~I7y6}P=1Lb zOClg8upeockUaoe*MdHt!06RTo#7jK+&3h-BU&@B%Qe)NZlgF(X?$BZG(Tzuk%~M5 zE3)z3J2|A6GKXf6*JVuq{F8fzL=>upmE~mxTnZfVXBq4`mSAR3mm~cjs@MSM0SO86 zR6@8J+AZKLPtj)0l;&Hm&9_LnNnZ=PKYPJLzzc*L&x&_&R_E_RfQFZ2z0^w(#`%DB z?2GpB>M>n#581MU@$sfqCE4?5wPD+WLbn#w(jT=8$&yBBk|jtYaB&!J_{LxF2qq57 zjSxdL0(iG9q$ZRo9Q$U-1ueuCfj$)JCS-n}UH@Fqkm|;(9|<=LNdgWl1E4G({A{ez zuQe`uQx)UZr)Lzm`O>#$vqex3esUwWh+Fv6I%3?JSR1P(cqSZiFqA&ZY9`V{7Y~hH z{ZO&yf^lKCMZ=JeN%wcG_guFgy<;XjycrH#)H!ldJT_AEDR(<87)`V-7TT{6&z@RA zP_Gpv>#`>7ouX*lKcda0gzG5vgzNL)V`qf{?59Z9r%>Zs$kc#z1~QTzEdjgF|MD%u=m1= z`wm?eC3sq3PU_GcqZ^3wj?vnyp_U2leG2wMn@pD8oqZs7NKzSG zMo4=^DDL@5&K5})Sj$S41M9&s_1~+lXSpcFN2v!^76LH+kQ7sIl$_s(#WVN`XzX1J}-oI12p0a5O9Buwe_Dlhxhd2)+o zU_<$clVwE<>U1?T42_Dz-2_lPDl)l(}}Izxt1> z%cg2^2g(>{SP8|Y3?&JY4nw3caF$z(aBJJr*kTXpG;$dnnV1A}zAgBda;?!Pdd%eF z)SB>6NH*?b;ssBTLWhmC3ck~498Z}_+wB!nk(!XDg zU$e?$=Yv9qP6|(hPwn6jKzGU`M~i{V2Bcjc?Z9cpK~4@@vl)_2yx2+wZn%VvO5PxW zmG|b+J?T6{UJuAE_zi=Nyu+>f#fzE-<}y93cw`5$!|=0BNhmT>#Os>`3p|EkM;wfs4-$NH59SbPNs z!%SYxSeV+0a7HUtE!L(c^8Q68`krY+h)@s(g93Z%AL~9fvWjIUPP(gLZLg1O>M*`j zx3Kx6oZ`11KLX7#&N^|qehZDdC~U;!T>Z$l38Zm}4}4zM%#Cswi(17GbnZFv5Tvt& zMHYK&L`E>FT2(95goR5M?ju-3s$B1A5jdNt3h_i}lAE9l?=)QOF& z_r3Fo0Goz*HxMDWACsGJJBk~Ur)o-`L!16KW(0-l=+MiF-kFXp>#eBerQEp%Q!$xS zF@sloYLxgxXnal3)Pla4Y9a&gx_=yg#W(t?9nSOoY3co!7BLL?poq2=1&bR+3ItZK z$$(_M0Bn6~U2sp^Bz`r+gQ-K8v2a+2PgoLmyMcVMA?w^PVEaR@rxi!9(hK zhaLq&=+X5hZ`0clobUBNMJPK4eEg!eaLfrIy4B_XQ{o_Hc{D8F3+EFCU=7H|2 zp)Jj9Pp&r$!X+g3u~KP^od#Vo4+q4wx{TdR)cGg0m=*@MxDD$0gpdLyhf-kr=qvy% z`%+eP5_xW9AuD$IlrkC_QMQqF@`=v9`dl8`57|+RZN2AqvT}!ugsfQL*1VD~X%Y4; znDf6Z91xAOfyVE9izI>jT+pv#dw=gk!~J@DBX)Ghpy-htgTL?o>AA~OK`{y|iFf{9 zpM4%?bQ8CdJw-USn@14LU02aEKe=W8QMQrwj|qL(Vq`emdoRo{0mlH))h(wybKdjU zG%w^73asbyh7Z^rl#~+1WTI^{^yG6~N3NuR#{9^GK_oN`Z=@Lw+W>iew7~>M&W*4=H3p&_9b#g3|=lSRNaKLR&_jfKvBj( zB0isUm3sdvj2D0n5Q+PPi7YMyQJZJrBRr5My5lu~=j8=6h;F9VKS<_~(YQGPTSL>FHy(+o0p0V5t+ z2&}@4Ov}Cz^^qP%-^v!mjhumFjp^mykpb}w#cgN!qi84xRs=A&$pncMPtA^W$s;KREo`C@;t0l{ zMO*{jP4$YoCjDHKd_41sK`{I>uoe<`)P+sHTwi)nhLE5GR62elxJ8jigOElyif~Jl zz(sewSS{AoVOR~8AG>0tN+4R;5-cV$nHrb$epS-@0e_Adh-#%a@`7i^-|{gaMkm3o zwRplyb1lL+RibBQuX35V)!UU1u;eR@)IheI#%`>wfo7izqgR25GSi{MhKg9%+RqeM;kN>9r}v%feSJR}5y~99GojU?&myNhYA(J{Fs1qQ5bjyhBrVdjl0{ zW%+~rB3*ek_^3^!bK}}M@=rlnt|1l3bG|zd&3h!7?P6>Pgy3|j(Au^DNAGkfO1}TX zvYuRCHmhmWfaF{KHZvM5twIM1Fr$EGQ%_C{<~mfIDfVAODCa<#den>paPL4dJH&zl zU_k*QNeIeZkgz({>7NuzPPE&^Rl@!$h^6i&33_x1P>G$$w}JL;NL_OvUOz#tchxm> z$T|DR?S_Dhsj?DgCpKJudyc}lrR5br`@Z1$7B-_nrwOcg^MIy;W!d{~%k@=U0L$lo zbJuy8Us6G0Ubyy!Sc*ZDv1_?1tKCYWOpy4hr+Ab?W!XRjyQ?Ng29N^v&1i1=eh^oqr?S;kvpT5*GhvjI`d2Pjn_#e8O)$vz)tOVPlE97TXnu51in>9+ zmfB3rw9-G{5Ps-~FvQ@7my-^!$A z2`s>l5C?`rA5%#QTu}-Bp`{iiT9fxJsw?@ip@=o;^^}}|KU)z#i3l?yXR?r({)+}* zP{)&s$zf=~;Mm9jenoKu+yGNpx8%ICPEpF@1)X3)FrwcRB1?o88d?5F5yiDYM$RS! zomHXMaeAv7(D%Zy8?y^qpw879uq)*&f50D+VOrKjq0!ZE&?3uorp$a+l4L0c1ZaEh zRbLVVV5^0&7cj6uOUEUI0*R%8tjW+8MUE=<6Fb%CM4%ak7ga{+xyNwrOIRb)w?Lb zw0tEBo~5z!aXr|@_w%|DRzHkE;m8F=zW^JXbFU1L5vtU9;%mpM`UuyLR?8OV&bmz& z>BVMq!O~4s+>Rl4dV99YLqKvc zFd9Ob(Q$h1$dLPc;WH&12F1;_tNI>;N_eQQIE37NGUmeLHomXH(SD?`06c^8S@@(V z%Tsu;G_3)GwtEPW5$*|nK9ihvD7fc$elNdai!fpwPDk+74hNvOyi#=JVR&L5mUeUk zMaYbbWD4RMO04yleajSNR@d~e$UPfd!M!CleQ(k*Phi@Lkq7KnPCtU3b79h$AK4uN zj*nzs8<|wQH@{{V`VxfkemOjbE(vG&#JFE(Wx(ltAkPLD!$KMIa#&x>0&`pD1CEq% zG1QM8wgkEByQd(#aWF|Y&iyN@n5&T@^A71HUiFf?t$z&`TdTqse`0g zos_V)aw+}8X`gQG*7v*V)9_uj6b0HqD1Jpi zR&67A+&{ra3>u&d-Ud02=&s;FWt%d z1PQ;Q=Q`hs86ga8&n3^3*Qky1A!Gzk7w%%w2cFN^)oW~~t`jrj-M|0{#=4Xe* znRKF!Na%i$za+@hTbkJ71LClQr9qc2$!f4rMuiIlRS<~otd#&&XHH>R(LBbM$3!CB3#LQsw#GZ$ehS&v3A|PdL6U zQ^q3 zKsQlt=Dcq))JoQ}yFEstt(iy_F^F_eQAy zm>dNmX0`8`9KJY_PGGopZu#yxlm_T0PIJi@!;0=?>%y~{&e#Q4yXAy3(rcBaRl@G> z`R1^wrqCpTcAuA&bYy70h1=tcZ7B)5iuK+ywio7Z3mI5@wOd&Yy{(QNCgQGQcIuzX@$ojN8_Spes1*eb zf;#?OMjgbc?q5qrgJTtwol8qu<0ZOU?Lkj7J{5te>c);xkW`c``j)#(zmSa)MfL*^ z;hWi&sm5|wrXM(_esYWzb}GOP1QSsOx#pa+kRr1eiU+0RpLh4hX+f(J&GnSaGL;sC zmZBJtBtLV)gbYHucG#=aXg=xa2i~!ZC)F1~2M=V$HC1Te&bRNv&C+jO6_U}GtpA@ z?AJT&9N3s#wd(BUQh`*S!3Fz9ObJEH9otX+j5$=3xGkff>zdX2hz-i}I!HvEKtE`zQ>j(TXY|1hu+Vj&3S7@c1cI{>Z!Q+8+L16@bE71dxhC702A z?B2Ua^9weeRXizg^C+i`h;CbgU#@&nR418g;-`8Dn3(N=v~Mahg~e?56hhy;>RT4{J4Sv^fS@KozMU2nvC;z-g2f3)f1_3Rj;b=mF3a)=!CL)#U*!NEv7lfG z+9~lY!uoh+)BSe-9-|iC4dhdm{tqWvvXb?@;&}l(h?|{ACG{`(UpO-=z(MPabdS*+ zHIfOaWnB0;ZJw($DolT$}p;jp=86U=xpcOIGx48$#A%b z^zvl~YrEU@o#kWi@nkrY(9BjjbSqHndL=P|;g&9`=oZUef#!<=g({%JYj%Fw-uMLX z-ySSb61XN@?q?b+l5y*yyl85g)7$jk_m|VR1d@@G|B~h;aFXo}WyLOJW{v)#Nam#8 z@!Nh{2_dQ|%HO8f)a4BK6%BH!bzq?-h!`w>7_;g5wNcC(v&J!3ekf#VsXZx1J7h;(9wUgM^>?YLd?X-zI)?2OF`Se#TX83@$)5i1RyM>vBOYtL;+so%h zn+mO0!KRM3PP@-j&t2tN`CW47lU9~a*E`4dt!ru!@53UphD|3enZL}tyyJs;+m0n8 zaN|L69mvnk^TLRhg?dG24b!65QaK$VhN8$2I1RF8eJ@LIsyQUZ;=3v;acU|;4w%FlnE(IGHLE*%v! zYY8?KFWW0!N5;=05L@QbSjzk{z)!Tsb6`vzEEmgikfuVl6`wKD zci2fz)Y~1axa}=b*K&TDJ)0KqBm>(6a$NZ!pOauJZK9T?r#-v$9=#!;i|M&OC6RQ! z0F$y(_l?n<(^{mYEQ&!GWLrZ%nA!vFEv|8mKSza8j-AUxw)40)5^MYtGWq__U&OQylmZqNcE?+|{cn;ZowV}XwtUyy9t~-mL#NW)RwVY>%%d^O| zLo|(mqwaBODpU2QET~#9Vy;$`4{<+SSdmm+$ZXKT{(b*74gZ>?kEr2bUM7<$%G+NH z9f5zP&I@njg*cK_RoMRegjqCJzO_?>khgNRaCNsF68GTxkpCtd7ohTm-|@Pr^+W5u zL+i~C+zWE)lQ-Xjw`}=jiF?a-YU2gw==E{tB6oS=t<-J@FrY$c#kBG_$2?-|^vtCp zJ#Wzl+~Cl1=(1r3d)q?#*gn-sqc+?|B3BjLstoQvJ8{);;ec;`+AuT9hQ2{9ue&ru zbD;oGjPlc4ivj;4hb(KxkQ_3E9+UH);7^FrCY5)&WD35yl6*4Pl#>RD`gG9f^1w)d zoy;7{IS-wbk)8#lxM~yUZ`lC0)dti*7%Obk1WJ!1#+kE|se&6Y?TN~PRRb)^`oa?$ zv1qg-0u;|`g|KgJY*zWLDmDP+%$=z=fSO?=D(rS;fRZ#e(wQXM(WS0zm=oqz{b*v> zMGi#?G&uM>m__I2zCJWvfKC>kl5{!zVS$%(8@dZDq*AYmQC$YKK#qD=xlD<^=9Db6 z9`32>@?(z;tjetp~OB6bm`beB(31x?O2gzWVEBU6& zgxz1#YB$o-XyZpkC{>quv_~(|Tdkw1qv|^IGxue;1iKEVkt44;I?4+wCjf~-W`T1P z1m1lC!F`f3`z!4$aoKi}+kkiju--JmM*+cm6`d0_NyH{Fb(x0Q-jriu7=@Xe!pK0E zz5}QGQnlhKgxRRDFR|BbK0d6^{lsSqD!Jhdrx$~9Fd90_QTyunky<=IJ>86xY9|91q53q_f zt#lX|fk`09m32#E1-P0@Nb+o!=vQePvO2OJ!Gd!lVAZ>#r{+!wby~N}y9nW}9&gFl z9|&ZfCO;pwy#IFC`3FBCGiObn1~F`ZR$)qC`rJMtBI}xay3(&rilJcskV}FQR`Tdl z08GEF6>;!wgW|D z<9X*ZHjP*6CZ4}&dVrq1+$<^I78NpzAi(kOeVlcr(ixbF!ta<7Q>NZyQKe+8;zZD~ zLOMq`alQ`iZ{g|jGnG9wm~g|Yp1pW8Vcsj-xE zVuC+{rzn&+F+YOi*^m6mS7G;SLr9TtMS-|ZFz6#=lH^n!qi4xX=6VoEjbHNm>rGtp ze@nT3g;Ps}504~3zZ|G9pV+9i==vD0ZS`8*XYEKrD^Jhj z1r|VQs~B}u>+I%Sd@3@yc9Bc|D*YgbqHI{K?+2%TfpHC*H|JyA4+ZyK;w}i+HU7nx zPGDrznOFlike5`i3UH)yhzMl69?%Bc0u#e4wKLr}&ZzOu7D-T{y_rVkz!4L$`&jR! zJ}>eS39MoLX#;1w;;N-csjTFPoN2zQB9x2_*w5}Au-WxkWZOi69rO zxlK&Sx{g0Dp+u4*_9C~uwjx~dK$@I4dK6X3IiYa`gq%h4iL5`xOr9}`pg+^>41*$? z%uQT{%14~C=oy`X6$LfP4U~%}rNu2DtH&-XbNIGNl%)TCy^{Rmp!)7 z`K5kMb`QYX!SEe0nTYS9Wxb48bK#jGL-5{`%t7?vg{OTA{~0w5G`Rn!40WozJuA|< zBoBy3d!nvjg#9U`ifdrD8;RVRc0A=p#iwdvV^%{fB9-$o(`lz`C@J^LMpHTn_4b^Q za5a#BhRNXPTup|NllWNW0p6WBoVpm%?F-4!V#%I=v8Bo^H?{;HauXH;ZYUmUd&-eo z-l?sd+FYJUutF{Pn^3KK-@U8SY<_)-jEqdS&+@oJXP(-PyOM0y=jCxVR$2h)7q(W- z5~b`-ZY70Vo^P<|?+xT=%^!2Sv|FEUhACsuYbLTjCSH&Cz^c+vmb+DYd(X9sj@Vm# zz^Bh3IHW`9IPgO?vR_(8LE*BOsP9A`L7th65pZ{yT}zyz?w8Tkqpxt746XqrKYtbp zF+;rv9=XO&e&k8KFlrpO&u~7u6Dy7xOt_{!DPNv$MSOG z%|V0*p;u%L1Ga{zldu0Q`BoAC)fF{_!_`W@TX<_aLcc=fiP6l`@!|f9qx0f7J=p&p z1F|*Cb+(l8S%TnquHjWMn=o;MVd5EoTaZT7j)>;Sywg(}7EWgp2^mihGrbFRw3F{+m z90!(~xH=@}+Y-IHFLa3)GDaoUtA&|^HkGP4OcK8d z3BS>)Wt5`zsnQ=(kRADH@N_72Cd5P&Iu59x4hn%qwnxe6_MW2CV^PYrc)A?Vcx*Dg zMW8>d%KUhpVvtR$C|H+^owA74GHs+0nofLwuY6V&Z!R80nR6!>BCP`kHK%mmpHtvW z{T112+WC(Z!uz-XJd4)YP%w2kdIE1TanXb>p?US~P@oh@ zL_o|1n>`dQqa4B!8$qhA0XtvyeEXN&Y@V{wWtK1>&?yyu>}(%2C0@4y!vkuYR9g9Y zL79tgQ~SHk;Fi15Vh4MA3}l0XshipvW#lNV96*szVa~qCTo$!oxKdM9O}@@vi=jdx zcEIVSF${`^+XrVzmJn-J_fb8y>Qs=aSm`i6ggf+QHzTK2&8S%E_6y}Z<@x>`hl~cJ zQfYU6l`5A50Qf5!%Tpen%U#9tJTOP!Qj)C;5~ZXSnmESXg7oGh$RZ4{#*9-rYg*hI zI2EiA@{Y4^FNLRFeOHM99)@WQlTd`ZbH*&%uA7=fjrLUHE^(REu7BN-KS^YHH+)$fQ&CbJ(d9W}(!JpT)RyM5C*y$k986-bKzU>#v(n~uqp)$xRPM=h2pyg6TPQ1hh zgb$>9(DU9`ytgmo_n(f@A2g<)*)+s`;m^D-J%OX`pNzM=W3<^mCyOH25#Ht9$!K!F z;IXRYmMvS1=;ejwo#C&ov0%(3ftyVmkm)NdOvgZ*MAo+z;$1M}8OT*|0vK;avII#d zTx^Lo1Wt!}z+~GDlQh7X-bMpQsG8)Mb7Hd{IOEhoI=1C`#-0 zn6$sQ&Lo)^u!GgNi%xlRYUKI@V60bW=8~!z<=`@(QGl2z&W4uw@ut_`_}uvE(JB{8 zAn>_lx-;d1@7|Q7f=woNAr>LSf~=r?YQM-4GKpjj3M2(_UQr)*cy6a%;69NKc8(rx zy^@R%fRmbNm#?T;9{U%x>P0Kbtd3M1*-H23y482#9|~xtwzxH!!%1i_Jl|;iOi6L@uDv zN+f>gx0jLMGE+{{(th5*3+_!}e>X8h`&%3>cM#N18;){?rsB zGz_F@;V)+X2^^F|6PuF@Q$kf8?}#^7)c?ocJw8{uh5dt%ZL^bfY}>YNqhoh$+eydf zj&0kv)v>L~InPtSnX0Mz3+BAqd*8M8+jTEo-_JF_sj)|Hgn6wU?cu&^AT9yDLZs_e z=+xNm_$OFMcZ8aOj9}n}UGXyrvl$?gI-5VzwcHRbpS9HP)@6S%_%lE#%x43Ab8Jko zj*`Yh%G_&QTCC1!O4c_>RBinFm}IwNv3TV40<1-aZGE8wKt|ba`cgQCL99hK4ltAK zq+AWEsz-+F?6J&KeRc9S&T+1Z#t-Sht+KlGi)d3!wh4r8^vF~Fal2T7xGY9`ssQA$ zS!wN24{p>;xI;b9mPBGI+IFN#5dt>?tg55pw~WIwPZl=oc`aJk1&{Mlj1K zo(I1Z^7nRwrGRNAZDFq`qFqvLiL@S`7Fa-Bya>;!<5NsV|O~`v1bbFDn)Z@ zBt6+lud0STT!bVO<3Jv%Qb=z`5cReBG`P^TU^9Q_T)&%yoV;Y(A=>ogE>od%0H1}Z z@-PVvFCrD{jby=abNSIkhK`Q6|J_~`6p z{mrDZOqPw$f~XSLEOu~Jq^54IR~0^jUllMvt3t%9foZZ+g_(B44mi<;!B6G4NYd=-AtM5>HwwDslsCpAAF+` z_bjx(;t@t=ox;IiAWi}nKMDu6aQMvA(!^j+jnQ=@Eg2D?ZN@<*k&X5eJ$6|EEh0K6 z8)S=n&Rw2BhtIU)`ol)QxWzSk1^?`}X}Dshp7F$8v=e5?>;u!}-mGI8%5O^Q5(vO1mjLXOfLgj;II< zim6tHFdJDM589L2i*l5-Y^Y6Y$J=n-5Zvc{og|Pb#(HyN(83)iSI1EEIH#srJF-4b zp}&PU% zrozkN8*lM>Z5M}9=IBTD?Df||r|@UU{BA;_Al5_xRT3q)IScYO!VW)$Z^8XAq!QD@ z?DZ4h9o(3*uYE+V`VX*S!``pwxuD4QS$G!`X9?ECJQWBQfqaQET=z?$nSF+HT-q^^w7ZQ0F+kO}Mi0Hb8X*&g$v@z{d^=h0?%N-6jn-c`;hM_~QG=w?TN-I);j~JplEReRcCH1$+ z+(x07p2r-d&N#W>GZ9F?jM~MTSNkJSk0TH;&W8HguH)DSX0W1dfuxC7<0~ofRT)hQ zHbWV=Ir^!~)0^>mC4X~8xSn`#NBVeG8FUt%@+1km3?z|b5XLlD0H#rLnMZ%894)$0 zH;!IfkG`JBG%DPZq`AXawLQ7d9WHkLp-Z>TI{`Fh*OC{$D&epsIj`ku+BfD&82#*} zya;$lL~B)8rI^AOdG^>K1tW^X3;<3B$d2|rYn18ebT=z=-Y+(BooPK){qmmhSn9OY z%+qU3J>YWzv=nrb6j*6|EV@^96y;_XO)EB^P6|6NRzNJ3Uuu@Xz^=5ny)BeNEaZhO zScnpXoNIcXZsMv>o)|A=Y`uv<0(52yvl@#$my_FYb%&Rev|I{4HXLF-l<- z7XI*cHP5X`-|SjRJXI2qHl!Y8Hx{JeoUA?Nf-Q@G%Mp$FKF-LH+bi9CNjmrBIai9f zYj%_S_2Rk~1&{Tq_7<`h@|z|5C@-giS*$r9&YqTn9}n3d(le@%ILc?M(yfZ1IGV?+ z{2O8)$HEKa=i1c7_=HoP9?xr2ou^!;7iRRc&*@WUjZ*ZxJswkCV@W=3TUt}uuV}-D zE=vxN%f$1LhG0Du9+E@*pl*xdaa`k5T2jj$ zpjI^Nj=e6#fv42mmK2`9AQsg4l0+Re|V)al@Y8f^k zB6wc}5%ohQW(ek!yZy3fvJl0nJipy|D=qrB0S1J)ZcQ0=+E&r zS$|;MgbX1NssSM;bkuu6QTbT;TfBaTiVXO1$kmI7bm-c%`BNzO=9;Zx*B?_SqX}rn zQ`#TEu?J&9uK9Gc(be}GLlbQWb@A>^=a1L!AOdeOL60+*w5TWz=~B(xqzmQSte6g-79o; z(w%H9O8z)3lnk4wnI&|5NFb$YM`u4D-#4D0VKSAQm`98{VKHMi=I&M^Ma!ed(uUh? zeU+;sY*!&aYow^Sm?=lI@$N5L{L5=0TRRs}Y4T7^V{+8O6^H;Izf{)+lrSK;-7!uT zvPo8}p|&NRTt!?h^yS``mcf$pr+m?-)wxG;s0gOo>`-NAQ1!TI%#D>a*$l$$ngNqB z@N@kn?aviQE1i-s?!-}H*FLY6AF$8kGW_Hy{y4_?8gM>o3M^G8j<_E{^G_)WSO*tV z@79lY;{vV6h~(?~AZISEb-PijiZyy2&VWPs3vzc?k>gZy=^@BrDH)=8!qW z4#(!Cp?g{vaM=~2ctVK^j6jVdNN9IRlM%%j?5;xWo`?i|n^Hd!q;q=NwgN(nrG%59 z@u)`GNKcBb&wdle=Z?2t;UOiMJEd4BW=5|Qi}JM@HI$lOsY*DOzhCS^#e=_P*2teF zs79}@og`7FEJ7IGgqI}CaFP)OStkYv^jm7c?iQ6|NIlNVQ@EDS(Ss~{E7LQovgNY> zKt95+Tm@0W8T^XAwFdVlFO(uDm1r!qvY>VKao;T}%Se|+(eo>4>>GX_&ng;oM8ZiV{x3jp(1_G(MtN(7UL3pI#V!iCBRNq3Yd z@VP#Nc@Nb|PC^0{_U#v5lHYx&KwYKn%tyFapnU}Ql=cn8xHtDgB~^eV-9nHHncKxQ2VYuue7X^j>i?G}g|Wj2YMX zBlj9xQ+XZb#Gi=&K24p%A2dS%--PAu zm1Vz(JB$VzwV^X`bzKwdD59Pd7*vlq(dc~n@&XBYVF^jNoU!#Gao%2rnA33dB$mzC zdHAV$m3NIXNeZ*!QG8YTQRLiFaAt1%K7Q5L#7C`q&XjP*6NTSq4Hq)j@LL+r$Tqc9 zy2MecL2BsoOy*XNj|CN1q)3Tn!SqWRuTk&2i>!YpI3WYg9hne1CxQS?#D(r+16Q?A z8$8;Xy^kYrP7o2f??&?8&dbEac=NqcDgD?VK3qujZrx=B&NIT2yv{m;5Y_IkGWs3W zu5ZrjgoSS}Yv;rkEn%agwEK`qwLd97Pw!j%^_P8&uBiAJg%EObO&%#CMEVkbEj0WI zkdPXtkm=n4V%TN)704U-k%Y^RNX0CeLrgPj*%WS(X?}n{E!EE{LASN zDuV|fA3RIIL|`7;#fRD~8n_kZz+c))Z&@r?f=FWtI5-g@B>I(drWc8HGloK7z`RIK zI7xY}C7-of@=ky7FKPEHL#>J$P*60+@ihzNFyh>&^D{ zWbh{TYkpg%{w-YX=tl6Qk-z;7_1by#GOl-g#ha%8Y|rJ*_6T#h`$eX`b-8YM1@;-N z;`#Kf2EBJXmI?0Kq0hQyYtPbY(`Rp8uQ{hQIMOC^(?_alulY@LB#`>qrle^bG-vk1 zLPj|>-M8}6l0lV^+|f_LU~Xi#HrVbt+NLjkg+&2_rAY2sB9=-zR`QqZSppe>=C6i7 zN#t4uoZb$%LRKvLBEMJ=`Un1AlIL~|pS_oun}|u@T^;XjZ)>MWgH`)8OMY5wvXjsE z&NR7Z%R_F5Xie;$u-dMnx{+9!BK{*qs1EW>DooB#8CHKw5mghG(Ii2s&6rgHryklZ zqD`=|clId4jgeG1;=h2CEa-jNlp$@@e$W$_rDO3P#mDQT;q@O;OiNnds1FFU3=udtz!ANY*N% zl^E_B(@UfR3BzrDSdKG{|^O(5G1`cPm9;@^Qw+_P!zTQrLjvw0VH zFU*w-0Tay%vx`C~i|zVcR{iUU7ojKds#w!1VIP_;%LwBGDxwYG`UniAv=e#PUIDN1 z2)zwgSR0;Sp=9j>QMR8k%c%ezQJ` zhy%N%4(Z3nBBKPiaBmXhYFh%45{?KA@vx=u8?wfZLw7od`uX{^p4=)cUu8&)FeLUhCKTCbBDuH*AHpg|=GJ-CjugQ$+ z+;Wk{rB!j_h$f!gMY<_kPNked(LyMTCMf%`G#lwPo_6`bT-}fF?hq%J{3=)$#?Fj$ zPB}_Ib=|P%ic%mWU2}wNZg&)izz2MNzo%_hJR379dUfR~9IyFgwEQv7f0l@c&a6rF z!^64YDsV)c;tL64)#3buMGSpo5o=gQ@ZB>^(fcWAm6w3IOEXhsOa5sePgB<0Jd9{^ z^xfa!ZP&xe*7}01;FQf+O3I@EZD)I&%VP0QlJv?}Wjfe9=btBBC zUL_z!1znI$U!7L(eIc8GBuS*9KB0G>sS0pY*~bAXkdp_irHmg~xkbal5=V8WU9#2DV}pwQlC1$j?XUaot)L zYE6`Z0WMIdh#ukKBa{7&a$O$GMCPCK4h{xm)o*{3Lt(ZZyWKR~wJT0yral;0kAM+t z7kr!(K-}`S?Sl?m!Y3_e+t9?AipF60x($s>YtifmG8gTmpz{@726P^sjD{`fb1DX2 zW*M2+tO3;~FG;(Q)&1P14hjlDe$3Lp$$u9(S73c^&?wI#H~lyf>}yV!!^T(VbHia~%7t58(CAUG%Y4B?e(n)=nJ zXLtL~w8s#K?>0-8Rh)oZv`>f#dK7CAxf2U^n)cB$>ZH-8L7ZtRN9>CB)|-Y>)INlig>-wwV;RFjv%VyJBr0{O*`m+MSad--gl>EWbQUSQ@cY#P*%U*OD3xzo-Ai;3U6Fegn`1X_ zMF@*BC$y2vZfu!{c<+8f8b7mdFu}#7Vs*3C5|A~UY{^g4su~#EnInwfqArI^M`!DVIB0BH?_RVC$ER(l^>E@rhvE#>EM5AFDE+*l#Yv zTS0Iq>Cx?H-J0?H(g*xo4L|sj^ z$b%ORowmZ2HbS0c74FImvWt>pW(gzX%$GbcyL64^C!T+~A@YFwPTh^C8|urFB*UQf z7g<=}g+=WY6!;XacSf^qrRMo*@{+qujzwmpNh94pg*1^YLEKVeFH>Ylmm3uR299o- zp@mp2H6O6byUCgS4n=gcCW@HfzNq`~5|6y+#wzPj+^-rP#*U00^?im+=dB5RYngcr z54%8zkBkW#6#wQT&cjo42T{N@ZuG@2hxKNM6W(kP0eBY7HAwx6@$`|XK}l%Z$-J{i zP8cU_O`ac=M*UMXgZ8!6bMlP72IQzBcdJNAzIQ!@L=kYM$CE<`@YM7nXU&y@slk}T zc}1juYcGugB)3^8A2nQehszk1V^uL_R4=ZDwVgMYHagROMY*$sc!iYGhrYh&%d+dt zr1C@?WHa4-zBrUFSlnoTNDVp(UiHL-T^auL*{+#NXH)7}Upd?SwS9bzr5kHr^2R4# zdd01m)%Au)Jpgj)#4w6)C->zYGqVQpB(TpRhQR%y9ov349V@(;qd2e_p_=@&-r`zl zlc1qJa*8-701d$6gZz65>ih)U_6D^1J@mV0<@dk7S4dBsSX+$K|E`JtT_q8~**!c2?nX~< zQ#=2*fR+(Ikxr@0XKNuVe+4f{5M-|8%sX@G!cTOfbVc&rf4>EB`V)i{%!GxLMw4{V zP+k*6M=fBV6tzm|N@CtjGn_fAh%}noVPbyJ7}dCE0V82MDV1=ol#eaIRX$J!Uky~t zGINrvxXy=ffb+d8WtHWd6E*NljK(zX*}t$r=EaX1bhQ5;! zk6u&?#`n8ERFOs(X>QH5w7{2!8Alg!Tnj40lrEbu)C||dQ6uqEo)g`nu&TmL`X#Y7 zl>fMM6U>Oe0U6E({WtEmCj4Q^{ijhS+9qLLGeDvhYd3geC3m}EYF=6zcH}e36B4P_R-4*Y*;5RsG0^A_WI5SKLkzrk)UX26!2uuf- ztti@&>>qrdf8@B`X8}^>0j(NKVO;kkPTJ)aB~IiJ~CV@)@GM7bFYJSuEk2?z#v50S>4wwPHIx{2;>kSe-k;EtD|r#-2( zhU++#XzVu`vECXch~{}4OF)BogY1Yze2XX?c?{x&NbD3&KpgvBN;Nan(2IPsU;^U1 zn(Tmir& zBxWi?q49$GVa{E{gu&V1T+wH~&k)%;nH%BPWoy*I4{1pRD4j`UJ}?kW(H8jdC{!AQ z(XQ~W10eQ8F9dsK$d)qDjRjy^nCyQ)%CE#dofiK6dJ4qu;+HWuy^Xq|GO#QhiqEpK z^8^tZ-XG8pJP9hi4nD*NWgTWcecPf1^4R=xht!w>bUD95--mhqlKup~#qS%~Rhr_Z zDEq8p%)6ZoW!b)LS#+Ft@~dHaoo8Bj$+q%I;Nn&Y_nM zHkHL4j8$_EhA?E1nwJEVw4iY=CpOfG@T<5Xv8}Mr5xKf1Hv4yhg-y(U za5@(p+Wc1xxbOS|BlnE3^ALc@0s)a!?m8yK5sl?$;q=7ENZLa92M2CzkwP9z!Dl9v z`z4Cr!Z|91T9JsME9^V(^ZqC!k0IXNMovE0!Fs;uqx^EG6>^4o6~40M4{{Mbiywt} z^9p9p8e8>2)n#xz^uggnQGN zJ&A!sSU()ay;7e5f$(<3t=I{h^DM zb4wq!Sftk9HI*e_6^l4i(dZ)Z@AF2whwb!?M}_aLcQ9ERdfSt520sUd56}m0=RLYw zY2oJl(2V!qAmTE8XjHLmC)yV^E|`joq*c>M5H{hb9hf+d5Z8jHieZCD+f>A0%P1DP ztFDY1>tIx1xynLPE@MEq?_eJa@}Fcn{C%p1c|h;F0#eryP55Kcef|EDLQ*3K{tjLV zsIse&(NE8{`y2$db)`%PSq5qo5nHaBKA(ik7J~=poknb2D+Bd^$OxU3Z!$tXVA-5O z+eL`ayjxosQC=86Y%YP9xCWTfAxjM%Js6%4u-EVuGm!8+aXyV1PwJqF{5eAN%dRn^ zd920K_khJf9ztsgZs4=j?S#-0l;?*TN(SneA0q`yGp=C~5+YXY&l_=0OUl6GA1PZ* zeHEuKF&t^x)ozO5Aj~FXRa6yNWviOSi<*cBPD>BF=>=>iz3HJK>u&`-yFW>xdfpjx z$B6~T(XrftROxlxaYK0giZM$&f)DWpn4t1IKs|V(oPm7wN&dPqoN97x{Q)b6&Xw$t zFzP2IHT_N5Hzwjq%!VFpYkfI@gV5i}F;Dn*3K_Wf(;UV*h{2AB#xKc1e z8a+ya2vG+!{24LE8r%04A^6&cIHbOle;#{=4pW2=o{z6_hzyrwV^9lP>fu+<4O|PF zJZ(F2J`Eg<4;)})EDWjO+OPlArxhCI4*ARlH^XH;gIG!}&e$k!gev$i8sVSH05!4( zQi?!`ZIL~g2Y3ope+pEBjB`P_HH=;DCE-ppsXR7Fz?Z2Dlsxi4Ap7&%88UGq{~ggT zVK7(~N!&Kp9_F(KQjHeQ61$&5KwMn0ymo9pK~o$qQJ+wfivh(Z`5!exN~tW#LGny& zGLWEOQ##PCwAQ}SqWJFEnAJVe-LCEfIbZI`NB~Bo=b~@Zplno4HG?6gO{`#o7)t<+ zsh%Btp^%jdoPl&F(^MF?B%44LUo z*BM5L@&ACdktJCRW|!4$)C0BE#Ua{emB)=Z`GjJKwO`T?Fe*IR+8;j#x8S@swfsI7 z8Y&}BG7`D_-O*)oNL674^sdIbbpeXR@&$m&$kBK{!iB5sv6el4(KCAqn{|K`2TuAqg8o5@*ezAxRO( z5e`lZT{K1j-XX#pPe|sk!nzPnFhSB+coob89dGM@b>hbt4$Q77uai%?Iy`yP16@Lr zofy*IPQdY!bWWb0pXwI-00ktiC{JP`wFA6_J|eh7=}CbAKcNK~CiQpFR-h6runbIT zJ6PugQWe^KWOIgEcZbTKr4xxpHZED9{K?Nqar#@1@Dyq&CBGdCF=5$9h22DH5k)~E z#p@&ecBed`1012d%Gh=y5$8xPf!BKI5iC-#Tg2IcWcUZ9uXVra2t|309eVGu}R!(~>7dnh{rT)piEK!En=CtS-8J zQJR?@VfT;zxB3?DdI~OwNzFp9&{(`IL`v3B`w%E-FgtHKp}9wG(#u1gr#V# zZXbV4?j(zMg^fXg&`1(5$%8S5vG))iJ#rs6pgyvoWIR2^c`#Q&*WEVnos#5Bka%x= z9-ISAvsOVn{03+9nh1&c2cmagXySE#`M9jo@0=ZPIRKX>gPZ#nRHc}vN;sw>>$u>B z^`1_*XJZYtogV7qPtIH$*@803QnT-66YE=pQkY!$N;R*nn{hhS83lk8-mD;KEx4C9 z2n2Q}TsLTIJ*0S5i!9Ds9yEQcm}$34i~DMQQ;saI_!k%Ij0Bmps%ks7FYKS|$zd^O z#0?&@4x0(S(DH6WnF?qb3ePhe^!e3K(zw$uStCABd00DW)LFP87B^@eLUY`-swKMJ z(6&vW;^s2xmXeBY$a6XF)Sc4e0@!n2oK_w&*wmUM+B9|KuHwrk+9%6Fl&v7s?ni1* zcD?Ynaz?(8TsCTC>=Z*7`|+AMKCTON=10qZ9C(c~15Z{C$nqVI;$m+6Uy{RMUUYXW zpcGV)=_iSN$L=xFf5&B~s08S|#ORJ*(ScQZ$@@&W7E28qoZ*-i$Xkuw`GkBxyD$5+ zX6_xph`indqbTQiwiEvMJR!k%K-$NfMtLVs0)!9BSu~Np%Z-nXGCbM=`yW37E@avFQU>5jo!-4nWyy=Pz3OA`Zl)#->1jA)q-;u zmwJ%u*lD$9J2jxuw02Aiy1hNmyr;{TTK)Uj00gg=03pa+FgqhH-V<2z0o>eF}1Pb6ai*C-CZ7NM#>=MvA;WY<{R8cFCTDFUelD{J zP%8WD`^t);<$U?f>x_H%I6>1m>+rB%9DAuJn- zbq5xxkd}A`ov;7Ui|w>oR2-E6Mms)>h=7>?Y}uyi9eq@&^Ksn?<|A!P=-&qDQBM4* ztMyu(oXxI9`+N^1;|0qX5S=#DHZ9oND%an(`N&JQn(?=Dt2rrzj=GiY$%rn~dzO^- zu*8?vuiR^yp%nMi!DbbjhAHZeG@G6M#;wJ9H9V8t zR1MMs)=Jbya5Nq0yCro#0V2FAOjo~USF&e9A zPyBtG!p9#TU3ado$fL5Zld;*GIA^o#`@`e^%!mKXhyTon|ICN~%!mKXhyTon|ICN~ z%!mKXhyTon|ICN~%!mKXhyTon|ICN~%!mKXhyTon|ICN~%!mKqn-AyR)@E8jlzrv& zCy4wX6DGlB>6F(Fd+bDT0uXLh%P+-+t?wn9YSk+TFVokHG#{uCF9 zAn1PHgMGfbxp8>w?tWdoss21Xh{WuEy&X&?r_bj9O5LBIpFgJm494SM15}zTFE+fV z?t6Au@V5HKnX}-0M17kMWww&eS&W9YL^ZGwzsQ@(`TKD{9hDcoiuUyNYu(ihSi{HU zFwcQ-iCJS1GBcx8jopI|%KB?q(2A8Sc%DNEREP+%C9Z^7o4Qy-5bSC2C!0W-FlYit z9xtBXNXOOpEx++u6^RW3AHx0AJ>OvijraTck$2IljCTnsYhxLRZoIhO-=Kw3Vb~`k zWAVtjfze>cue+f)=uHPd&itn3`9EZ8zNMn5wZtk;b!bdHtuLzNv!$Jq<3|)dkYtF! z3mv0_LrvgoX5DQ;oW+DxR!93=^P8fpn|?cAv5`unNq%B2hMf3y)W0bu&e8bcbEL`x zBB|D*(Ybq8YMJ_a?jcaIiQ5+Si2hj(qD*~j0rYnuqp0b>wY=*LEv~SdG1gG5*H_#Q7{#hMHcc<%1 zSGwUO>A9GaxyHW+oGPJKdQcY9L|IeS;10IdLaP$-ey~{!uGw6LlzSaa4_*JN4s-L7 z+mbqfD`=qKXmRH!r+@L#Hj6Zsm5Y^+CAydz^X@O0GrfCtbkB6>AzBx3PL~o0Kv+2u zF1cDxSEVi)k{dsHagQsz<(yOPI0~hfC3Rj^6^qdLI|V@dqIwvTEU3SIocOw?OQOCi zs8!fXihaxc<9BF3RhVObIsW-AEDN#1umo521ZopY{P5{a#ITtu9XfcQ%y=Yl!AQ65 zkUZ*G_ipXCC#q@DJJ!B_6|nVdWG9s-Rljgu!_Lg*+(w&gUn{JhaYS3Np?|s@SNLs! z<;MIs5ZhP6tcbjtDT$SbMjqjC>_e|mfMD);lmzY?zO^2z|F@w&27dYk%7LS2u1Ke! zsT280F#UR02hVdZc%}AE5O25}BF9-Njk!HN`=1tW>8q{CHI3@d3*Y81bIoO|a|xu2 z``RC=U&jacgEu#$lHVydulK$2z^`K`p4g+WS@GkYdqt-$hii)+`In{gPvg5QJ0|QJ z6*_|Ya$5e_&)nfwlQ(CvpyIztB`>DXH(RMZ+kmLyV|sLYx;)@ljR`BjUYL~W0PSbn z!!ka?7GWVUjRCPKqq*w*Vw>Q-&a&OlZ)kIMH`tOZ)k9aBTUVZ;t3=5bTJ@v>3c5@8OhH?S>s;ic33+v+xGa1ZTxZM&Gy_KGI5g zz>LijIJ^ZU@rD;348IPdebCt55sBKlA8(s4Qmr}HLPc4@G!nUjORQCIO(4~9wC4e| z7M*7yaj#HuB^9b>`P-Ygaar+R|YsotkdR7-<|dpRoifFmEVi|KQ-@o)baq zXW$extMO%TFfXZ4QQBctjXbpW_{@C+A-S=mgXXB^hE{Sy)aXfCCT@9!T7hr9mWRMj{y!fm5M3EvYf5>*4CFythb3Kkw{ZMfr z(*b^V22nrPHq?=Af6hiJYn>~coGhd$Z-W&2BM1cfI3aHJ>@>=T#jBK|Eqdn#SKX4l zWo*s?Mt)aXE`l zF3Uk~t^S8AfCA<&gY$SlYnm%;8(5xL;qOn}@Xp}@{)thYxu5t68An=?m@HwK09Ry8 zE2?mL*a9|Ol@Gq7S;2WT^6PcACOT1$Bl*+d<(f;BtPa#oO;?3L+;u*+-)a@KJ2?2T zTcUNpVUeIDXe5kf(Q%bC%L2{Vzx#|!yv0P+TX|QT0#*>ug~ulOTnH4hkV`!~+))IW zdsA7lnMbmW0b1l~yKPk(nDb{m2^VkQ?ut%lVCh2VYug!XbBQ@~+kwBar;-vBhCj8f zfa(~)%v20I>t=n*v{E%bLz8aRSEHynFVn`AO~65I4seP?PCJ4M?(;EVuu=~Di*U*o zi1}Qs2ohHy+}6D%5CvJu1UuxVnw9-oR{`KGP55@IzTI^a6v^Xn!zG29g%6 zjQ|BawT z{T~D+oNxJG1ci-sfgi~pMv#zATB5FyRJJF&Px{v6UIgbkz(iG`J9|$U~XrL5#Sz+<3zUs)Np3K4_rNErTy3Cg<}KIp1aKd0dY-ktQv>M^6+&rd~DVy!D)0EoV*hUec4(+5lg4DA{>ubZrF(U-7LUR)~uG@!*#qYiqxo_Vey|ENN(oBWFG zlAQCGvf4e^Cawp%zL>O9v&$u>nO{&O-9f`=>MpaYB3n+W(s4JU+O@6O)p4v+l^K%o z%Rbx!URhzek0$tZk5A3TLD$2rLP?HYxL-kPoV@oR4kZ8@G^O{OLup^}$;Bw)%-MjC zhKKiN7;s78(-{2ZB2DFkk#}jYPT{J4E!NcgJvz%1Bn{oLvyZ)rm!D_>w!CtPyx9-8 zgL_1WZC7p*lEqTls9wbo&PVL>^*^+U$x2)fF$eAQmM4HFKz9gZ?>Xh0HX$_CUQGCh zHfd}zA1ezwK7~mWszVi;-mj=`W@zncH z;VnV-(Y8OGblSC1LrX@l;pV{2<$92BQ@~-~`ZTj`WI--UuU`6L#K=5Qkh9`MkHzYr zawtw_p=_UL00>Hc0u>n9dBK>YoOP|B(fK`i+fyQW=BJvlkcmRY%;{lCF+}Jk+&oLl z*@O$^4#f)3hO_Rb|0aYG#WnvPMe!*DIV3_q33MKA>lOYPi0#Kc8%sMYy%fp0+nfBC z^t@O9bU5j+`I6i@DJGXNy(HwN5=TnV@jda85=)E-{bJnig+Ebk==Iy10MNEFU)v3y zM?NTG?7RTdSHrkV_}cpvBr!Vo$&Z)xrExySsKA!Ohg+2QD_(ujM_(~A+ux_?J55II z>W623nRs}5n((7KWH>O`qO;tMoNvY+D`#Kg0>#vOcTh5}u+2p3AoR9S39 z@JRn_R;>U2*Q~&WkVDY}sxk5ZM06QDEczD zk^8+UIy7|`tn&g?Ct?P=D|7fF?7q?_6up(21`7vfz=G4Aa)SZ)jl2isIf+ZbBO*`r0MM zSJXoFhQ#TS(vqL+LyFA0fRvqfM6`Bm!TbQRx@y#9iqpPjbaZ92dCo^|9eIw2c<*Ut zO9{dRl&dk}X640A~r;JxYNZzCc;bC-=-HCeQv+J(4 z&M;jqr>DEdRdItq8bCs{-`P?1YJD+<_r;StV}e*_`E%XD;p)w%9Ku*1G|`{qn9hfN zGDXTI#sD0(AsG_Q3%Fc#XCAYe#p{&l(OJkLXGQ5rcfDw4wdvsw9hsB|s+^=d5t^^* zBG6y=US6jbDN7#)FeM0&6_;k^4Kgbm%`8tu=~sLh!=)i=Lz!;9YDLPTb1Z>G(G%-t z9+o7ESre~@%oSh+bTYBco`~~W!C5@J66N|fX(*U`rBM^#g~C90J-KYa_DZ?~*=1PcFp;A~O-j-AiS31L&P<>!V^jur2ISzVCtaLYrZn`ad^*|ZpiSYZSOv_ zesd6-clE|^`uY4OIF)y_FEi}iIe6G_$$!IZvM#^SH~5%l!%wPxv%a&w(3Ch}$KCjm z%`$!|zRbt9;I&!8mqwL?$|*3iZOh?ovy1CvoN-dk2A>2jTZYP~^mn}SJ}qgff$rCB ze6m=Eq7-i}STj=^#zE-hMH!zj&S6qd{Aazpm=U{sfym_ii59drIyhqU|4rRQdtwf7B>{$_mAL*{k~)Yf0GteEPD|=>Tt<>1aHJ9 zG~tKQxc_?LGp17Ti`-)*rqSs~6Aad$P0xLd`{a`bQj^zxG{BOd6-k2Ulj<@`w8p1} z?-rBE2jj#*uRbVcg##p>$3UdZzu&d^#3;lo>jO^hOf)Kd*!p?6Bi16mntjU5)z>* zKwaaksFD{X=796Zk?a#Fn_PxNco(?O#ia1zn97&;#NDa`m$3uumWGp zY<#alk=FIK+4@4N{L-g}X83=z;Nu(oFJ- zy1s%8LySfKit-#s6EvR@o4P^vRu=p{t^2v-*I3lkF#)OZe zh)~+hSaloZt5as5Pbq%ryE>fs4o&G35LpH3-WQaf*2ay3UaETLCp-(=sN5xP=812E z?EU;vK;dl`jqTIW9OLzE&_gh^5QeU>#V>^}w2v`zvMX@%H4WF2-Q?Fl*oFmBVxh3BO?VziG()Y zd#w^?WCx*0B_*i`q(97j%OQN)O%}5h&>kzf^bM~Iyf#b|#$#SN1GrkNJ+Sq?+hE&NDJ zAW^nlz`4R&GY|mIgKf?GkbxX;)02mskrje_S{`N^LU6}F3N(n&_qx&fnR6Z$Uzka> z;Eee0JAJ->W@Z2d3^4=}4qaS^M9t^*@tMJ{U-mzNcEN=56WPn}K>J|vzkznt4l%j? z&9}2_RaxbJ{)kD-Vmog4{FR!Rp=^Pr4Gvn`#diHcdi{wG zKK{~Nl;5;s@-(XB`F8wRKLir$Mm%q~S0M=Uj*x$qc~LEr6sW(?7rT|fQKldeg{`g4{q5`JCF{RK1Nttdd7Hjun^K~zHr5OHJG5pOdhuR|DAge zSlIf`y+i2y-??`bh~xk7+`HGr)Y&F<5A>DKD-ZYP6Q_{(_RZ=2=CKA5hJ8+;y=Z`lG)~)-y0s|%C&V_3-{MMhsp=Gs7|GZDkT#=3jM;zjb7Vd9*~_#u=iEm8`6+7 z0tNkr0fbWeXFLV{*KFaN)x2lG3tq%D!vDqBJH?0=b#1!k+Eu%3+qP}nw!O=?ZQHhO z+qP|2*Z2K7Ih{_Y@8(>|%1YMFn3>}l?=xf?vfm(hr#|wJjOQQs@4Dw_zXAAs0`Td` z_uYZd3&QpHE$~HDPniE#Hc*(x;4DIF^gL<>db9SIzx-Hk+H&UX)BCSPZ>wiRB--p>=$(jHIH#yhii+U@0-Au+7BJ`8~{lmRNFoSr1N8n_QE~Y@x)LlGJ8F zD1|wUStU$&*ua=oAfV0nB#GY9lnfCM$zM<}0a-w*m9cZiK|%;_BY(3!AYJ~RTD8I# zt)bMk3s`OVGl#=e1r3LxKXwC>@mC)0onaB|(38K%zDP{SnG{Vl#!rr;J}yEmel@|z zvzBX6bd*1Gl(!IN2L68=qL;H+-wkxqU>MYOHr^cST+~C4udzn>B_kE0wz@ics&`DrnOhI_f2znQ>Yz12qb)fc zulP=_X;F6Y59pG6Rt`>}#flhTuIV1Y3g_88To(EH_Te;bVKHs_417ymd_!3A8YA*j zMtd=1&+Q)++FZ>2=D1&-U-Z|Bh2~DNIu_G2_9QUfZ&Q^t@6eQy;h&I-W&91~V3idb zDT)3tY%n8L68Z%U71=e$v)W-)4)i4T?gd8>v=e$A@Ign<9OIqX&oZ((mPR?wVU2I$ znHmiq8(hZhY$y1@Z#e~fgayg&7t#=7oE}!6`P}FCimX(T`yd$C^)_ z1amOU&Yprp_Kz9Y3mwyT6lAE1M5i?8q2kh7k4SFZ%{zBCV$)i4&fLwTm|fk? zv&=^I0frMGM3ulb$*1~xD~t-dgzyk+%laKOa|dy$74m%;{rbaU!P%np*>T^FknGn;*?k3kfHc%hW6{sIC zBUFo9ak%XnFTas}4NO`uD&pE?P6SV{6?g3~fks|`F!!=4*U4P2PP*2=1)Tl-hD*4{ zaO$1SmR=|3U-!qN4y_o9B1;V^4lPUZ?5=Ar>rnq&18;P5;6zkWNywXsf>9w5AzWWD ze4jsDkB?zeBoO`dfG0c>LC!R&Ur+F$I`2j}9|o5N%}_oQOJIS|_Rp)dwN-K7t@fX` zGVmmGITCoI(5V(VA4K_~C2$&~UIPq_1+E)LxevQk6VSgkk9*49u)6|SIzZyc&>Q@~ z&#?M4a0ah}aUNIvS0e&^Ppc0nV|s-!JF@qW=Z*sl+r_V%KUL447_HcbUl*w;v&!j8 zO|$meHV%ES)H9Gy4(Vb!Il9`?Yna(oO`?nyYAS^WRng=5*Dc%iWvLv#;GMEu~9DvgbSy`Q>Q_r4E zN5IIXIJ7|73%dxUZO*dDDx^@ZCg(d+8sujzuXXk_+=VNO&*{yCjO_9!GuPQ~_gT6K zZP93sxD(GWsKhgP!UE2%8E>iC=&B!FbiqY( ze^UfUF7LK8iq`rue4h*E{oDg};yB#F4hjX$f;3nf;zV2lM#I!8;g%bI%WQMq zN8V6M(PyJ^z0r<%cKy!17WN4-&uZFfqU*NkXj07R35hClILHWEQXlU;~5BPGwAK z#r%mN6I!3HLt^fenMFU?cgb$}KZ_81l>Li7b`)ihM-5RCLySf!BR(cY^Rr{n08UPr$gfBTaYJs<2 zhFM0ZE+naAb1~R_#mVa4LL`hH8qKisv%y_NLt1T?$`rauZ6rl}(1SW#mN=03D>O}y8#tQm%d4G%T8k__cE&x0oDDWJ+T_VP~nav*@FEQEaC*^7Ik9})CW#eecQ9r z+7AjyPJ9*aJRsJPfqb&lFM|Bys*Ax({=gl-?e zsInmeCuh6q@||iO-s5Z(KK5{Fh=EhP~6Uzby_tIYf*hMmSIh5n^S8B zP%4CHEwv$Z@^NJW#uXFmVVyq3pPU*srs}ru=;4NYu42Q=h&ROyU=tv_Jt4WGL+5?7 zp(Ziwl1~{rOYWMtI7##vI)j-KlOV=x>^!kGX&<&%i*%ugKN2oG#$B`-kTE+B!IKRD zBRg`7(5njJqcX3>s0<>H$qCTx-v4bVZGatyZ`n%-Pcoq16)3tK&#yB#pL>9U%ED(e z9_BxyKH|1^p>B|9fsvG5!ux@t@p0?MrsTeZK%v>p5+|7J6rJ^zPWES9%LT2iu+_;~ zqjvG};iX0$6Dm}vmRxl{BB1ZEDR0j0c`9b|e^=PNXArhr6_~bX{bnQPFn~E2F+V+) z)G3UeC}kP3dgNbBSouBH4_XO9ri-qe3orX(H;T|wM9P#j&E8e8=CDB=w-Ea8S0Z?M zvT&IV3h$J6(=$U}v7vDK1@jcyxW5<*VRE-2v}9za*ur7cCk!dRYKRD*?Ywb6P(h%< zIB9MUu@GA%s?-wh1w}dik3Mzy^8RTFv$#=$f5L7cR4M&#lMgs$6*K@Y46P<5Hc4o6 zn(Jz`+fAW~E5z5N#tZ&Xc{kVDDFOC3szm!FVJnU25r=qXW_W3OK7W|1-iD>yghfG> z2hy7@4=Ygx_v1}|c&fpcn=0?&W2vuNs4EfJa0jxvk9NI9HPO(fDs_>G?k}`xPkr3( z@e)il`U*%_@l@;kmNqhGi>xvxasOurtA1}F#K-g0+X}F5nXWa(aOzEm&b#<*y6{;Ma0Vu50vM{`}yb7><7(EjjqqfEgVM?j3XZ3mM3o8t{EPZ zwa(R5oC>|c#M*Jb5I6j4{ zs(hr$b@bmI=J#YF-@?TlT)xDGbm65rRNCOZgcn;Ao=CC1gt=jtR1dH6x&6KEIbziC z+#S)rTpZDakMe%XPcZko!FA!Wc6i#j5uCzI4=SRdLzuav5(%e@!F!rEZY);1FI)QP zF3Js`*8x;+n@FHqrdKJ1iCK*aD4grdSh!|dg15`gIaaV3^}*MmRx=F+HLUO3q~O!u z4MT)poyZfpeJ_=`)X#^{97JaFN*1Oar;)uYF5G<=n}xNTlgL^uXw+uh)eDzKMjUR!A7=R4?glIEfX2vOPjRuw=(o&V#hm=o|_rWK_gdPz`VzI2R=o&pM)STC^e%z+WATv2HYTcZ0;O^ZTv_9|Wk z{v$!twOTw8G@axZ6E^V263vL^+g;vR?n9!5m23Y;k`D zO>do(ngv!kw_aQb!*(S5-ruoCl)!qO3c$|cVg@;k-MNPA(4hNY$*x|7cIK&0*?AHk zM*X!tY@G%U$=lXm>gwUS(jwQyov(64R6#t{VqmS!#L_yb>bqEW{g{zI3>yd`v{)cM zqt7N2sU|(*kO2vCZDm;EFUR1+l80EbUZB)?sgs z4RdNIlHSxdlG*+kOSE4@8rmDb;Z-W1I#xXxzS3#T-cNwyDlNKIi!)V1PQlu?EBh75 zx)-p(1bY{@Z|j}dJde>|yx+A5%sn3TP8Bc5Gf7m_CWNd)hHVO*`r5VuVrfw-Ia4CD z*K487!@E{23RiNtDfP(@Q~Opd>9&^gQM!?mbvPAKUr8P>R*r}mb^VclIc94gbH1+f zf`Hg-ehs67ELBw14frD-f{2&jt8D&@y17UbWK@@jv4R8R48)-lDP|Mkm7-z9>7_7a zYi0j#5E{u9Y{VVNs-l_(dp8mtyaX+`2EhWI(J=a>L9ApUcl>OM%IeFcp}$3Wgdf^bAvZh{fw9j=bZi1)#gRyXg;9yH))yZwCbo!Ry$feIz9 zAHCS{Mh$I0Zmu#jv7~HWI1mnpCbAWtG3gk&mXeF75I)V@`P%i1%ogX_%F|JW31Wt+ z8}F8JU1_>nqR7BGv8J6<&N9VSD1N-)Bj?)uvvsR8zE16p5ce4A6V@s~fg0YHI>n#i zfi$^cab=nc68S@YqON`KaKSzoECa1$cG)mQB1$o9j;~nf@hca-@PDhV_?3$?kk+dm zsvDel7^y!1g>kBp+YFH=FQNDu%@T2oN1P8uq}1?O9hYg{Rlb@i=kR<@jp?#*fs_7l zb|dUmf`w~%Dw^XdoH`DU0jsMkF>-(158#r@v`P86K0mTB%IMcHD(OL?! z-bOJ*&T!1NQ{4s)^w~YF^;A^S(NA^(6{TEdZ3EoZQL2V_4GwRUFRx7 zv&-e9gLDfy{yfVnalTYyvv<!Kyo+ZNUD*qnzR-OhgsjL(6NSowZ_Qv>)p3;WY;*+FR zyj&5^@tyIthtD1Re(8LUj!cZC{w!6H^CB7rT4*DP*Lap;nPxiXoNhWKDqp-nrG&k@*wdqUL#HF?nl}I$ z>==-q?a2-zAW2g8&+_hsmz(4aYfR@Y6}hjFffGXGCn4nfMIEpl!=MQk!_hf^=gX0G z?1@{eRhp>;5+&Ic@zL1KJCt>;Sb{z0vm?9UVXSAveEtW!docdkoXk86Eb-n&>uFG) z7#0kK`alHaAalER7yPOYA{yMt-5OH0$ev&#xZ|~~?D8?J(VyU7+O1~`cd9;WP{3Cy zWvA+2ZdYsAs($Zoe}TnufQ3%bXAnbXTH7Hw@O5Epn_YGJ2nTIQsX?7xj?orq5Q&3U zwAL0Dgl??DtdvR9@6Z;&giQEuxAN>W9{#*o@!qmWAM{AU9&fTuIV?JzjLqC8Oo4(r zeKJ`*!P!M*XjjNxRN0ctd~g3Zz#_3jiy-`eWYFbnQRzLH&EyVZ7-*}Q?*7U@P#Drj zNn-qvz%uN|V!tH3^B*2x&K)|(bXBS96@`U(2hLW~B}M0+MC5scOvmH2c2V#ct6tb* zFPaPD0MLryJK*FkwTZQ*MwrQNm3;}YMm5VnnJ97Xo>Z!`D2acj9123a=_mIsjs&~8 ze|o6YC7AyJ7g!|2fyHj5#dM@4zkdk&aUz9ee^guPwKA1aily0F3ya9@D{SYO{54q& zZF!-d#=BgWE?Wi(MCjdwmPKGyPw376lVWqR;u4x@QB~FfdoUo`Q$<7Ps#yo6U~&<8 z^42^w!ERMRFY81EC#&4fUdC)tJKZ2@W&8MsTwR-L`-G#EZg?qEPoGc}BJEM9N4sd( z9ce}Cyosyx_sb|gILRALtk%$-^r^VZX+OAJB?LLKkvt+0B?I^za7rpjgsCY&@BY}I zp+gUEG2|!zi@|h%K_d~}YW7oCPy{ULPl%MCAVE)_Ff(O|{ux+MO|m8nBP#-P_4RJ! z9{v?N0IKlcoYnH`Iv*SmP}ZizWo((kY0kxo-AJ#J6@9s5&eixT!Sg}gU;XBEy6=;9ml1@z4;Wt~?20M}UrgEQ+&V}6+==T0}J-n?V`%_ro;@-zS*HgBo%nC%d{ z=B*Ymx=KbHw_l{u!2H`v&ll|zg3X#Xtt1<%&V*+JLy{!o^N9pX3IG+4@>Lqfm*IQh zC(}+d&z3qjG(U^&%q@Wyrbb}!>_5zA5&PzDxS!uf0gXj8CTQqq>sh{5#Qx{~{*I29 zndhdTh`$9tA-i%UV<~ogyH)X!0Z5;mV*Q>pInJ78mi8VW4wb{Vr{&T!n!@`C%AInu zH-3A~zu2|P`+6>g9JS%8j2LpwC4=AFK3lhYd89H>m*+u)%!T}-RTd5sjMI*ivW@_H z&#bSE;0oKy>tQ%v`3Bz|i$oAhS2rh#UZ}No$PA11r0_DRa{*gF@{io*p1%qtzbz=@ z_DGwEOHs;=S2^|R3vE0uwR;P=KDA6* zpsp~jDi&cCTUmZd;|FQ#iE}1o7Xsd@`V9!$1Y?zm!tKQU#F_>OrmkL!P~~^Vj$Z|5 zX%u!)C#J9Yv~O5}T>_Qwo3C@OG{(_V2JFf-(K#J}{brYu9xJFt@9&4CBnsHYh2yG? zRZbUoxHg=slrr9avF{usgK?dWdF@JanLUg{hgKX9pk7TTd0@#5pn~b?;3X~{2Z5&t z%Q&WH35s&4$+E7Bld55y@|+flO%~sP31ynfNH9y~oPt^U5Og!IGd2vYNu(DhJL)Ku zi#tno7V<3fm^4$2?u;(iyL)67jTNc#iWcjCvO|}WDq>_Ndix3WwA9pV5#$}Mm5wk1 zQ?2c!6~eC$5XG9&#hEk0(=s;M(ze+K6j@)0i|v!bsHZLVQh#Bj zc-6JTJoRbsA;I*M*3hHu)FD_;^crfPIA*5@?T>oZKFV%lx+u(5qa&YM<7s_~;Pn$Mi<+}4Kt zQ*MhP?_6rHVmdaw2|KVjm*uC{yKr10$#9NY|B{z*`dq+y!*WFNdrAT4cZvD{wmT$i zX%E|`8&>Je!s&!^5NSn~q3}>r(VRo3Y@-Ftk`qos+_5=x|cDE$Y% zpHh4QYKjJt1Y+1_9Z%G0Hqat;Nv;D-vY&#suA?bhX(QVB5cC4m=n^b#?s`vEOy@G?GjSHoZ^8M@$Y<8VxLE09AI9Wo&vr_v82WK1IVU~tQ)eeG4y z`Zrl|ibN5<7%%J;ky-CTGTyL_B;Hl`RAPeeLhaA5d+Q6kT49yOogtm`eGISF%fE7? zW9FdazyLoa?bQ%=M*KWrw~+ngp@SD>{IFja5NWiXdXD0vBixiw2uCn9?lVP`#12JE ztKvs1UAT_9g@!)vO2>_E`LVihnPw+;VO^ysw&S+|#O+_OJeXkh2BH_A)>x(DSUHiZ z{9(YNK)P&Y6p*Wa1m{`}EfcP?&~F4~;v`$Ha7`xq-H7PB{(tPHu7B*^QbKBovr*GCide<&9-kM>~GLrAul#eez#-wL9Ij zhPp_SRugqS&6`By-zLJ>@O7ciV476xz2JWP!V5e16zpxtTFul^1XjrfQhZ9?v&UpP zLC8ZbJ4XWIpc0fnb;i?}LgF(Q)y(U@y9y_! zFlUiA&~xNW0+yHOq1Pq|kHH&~(;4MS`Xy4fmr;~ZE**7W57NpJ_c`+Vf?1*Sjk_K< zzXI(+-A?6+79?wN7~EdT`q<~Ltl}ZLIjLGbl6JLYdq`t}JVynzuYX7*P{G53!t{gw zsoW9zdH^1xF91Pwi3onD?(N(Wx?m^xN{{zwptP_$U4e0gP8@2R^)C97skv0`rA6AU z^OSBq{>h^1Wplz*1IihG$V-{zPgC8~FeNPr3Ysr6me9xfHyQI7{zO9e z^$O#(&lFw0Dv#ljv>j-NgSmw@&c&s{@6uA*)+Hs+;f2Lj&V|L#<3xp(&Lu_9v{C}? z7CsUdHLHC}OMZ@vI(@*#m|tb3U*jBV_3#qsm&oX3E4d}PFqPg^OQABnS4k4)+c;$< z9$4N#>~^rvT(|?~x!iMp10^mDAcfZs+RwG7GE$d?9Y^>&G6YK|v_mF{WVpVK@P9U5 zIbuCk9u}h31V}N;8N&-)EL;HRwa}hfs&p(HLMiI@g|moHv75?5I(=_koM+%R*B~`u z)xU*esItd(?hREM5Vz8%ZwF>U-J;bKwqz`PYy`*zfz_6XRIo7EuIXU0lZc#a!*jwR z#3?Fc@M!8&j^e&+^z_kXyr5_s#_EQW(is8_<0ClZIuciNg@y-7Y z!T#l;oCzeqbV`Bq6Fy;!*NAWQ7m;bY*wtjySaieyE#q{W z+S$}X_0kUX)-6a*w-UGc%VsybTSW9lXIL8MY^R^w?>etY4fkS4b?4@9yCs(aS`dZ` z>ryVZcwofoe)E^y5TcWk9|UqA8SY{5Cq@K$}f!tRy5XLh2EQk*Yae2-`9c!H!kF4uwz8hY<+ z+QV_gL53{oK<=dr*rPQjo2-k!E{gGD4&+I01|qTga=y<)&#hS{W$$&)R;Dibvss*F z+4YE}r+DK_C>x3eYgJ){C<+g8xlhc-s7&7yr>pMJK{)BEWB0pgoeGksLdj+eHIDr( z+lMBg9c2IU?tNWPF>`8*L10`z4kh+0h0a)T@~4?fec|j~psZb?OT{#w%&b}&^`ITH zoAIn;Wk(%%V$Hn8{Pv6bKBT>7MPiy9Ejq+VGd-NAIW}u}fILPmuD!dR9{x}u{^e^e zxoW;V&sc#+@Oism`iB8Qv0+%VFKDdp3_DhUOB{E0531R=+d$LPFt((WZv3KV3Qz-Z zq79IIk+m8S@V4|w9Ok#?Ll?9F_5od7Ku)dba?P0y3z&DwlReBQLzP7za_Pg7MWIk^ z31w-t&9b0K7_@G*44dIr^k}yiOO3lJWsBr|A4pi_9fhPgyvJcLNnFt)mjZkfo>+bY zJ`ZY2D4qTQ{p|uQ?|nm$HwV{2nvT8st7bH=_Hfoa%#ro}g5~{qIh4 zjo%V1mU4zo<7)d#*2ge@xs)uu%r5oY2r*jok*JGzIow+8CN0}>*7)EyPu_~D@`6fz zOU??QQl?3@(F-_0(>cWLe#G98@_91eRiEW@I;93>0WusZ>^ycFONhyLT$Z9hw4Cew z{GDZ9&VM5q&xg>G%DnmpihOa+_&Gw)c$okCNP2&X*`6X6Sm{kS@_Dpjr8Oz2^Vx7? z#{A;zqOT}|+8?BIm9IfJ<( zpY z?e<7Si&s9FyymhhkoxQkj2Q+XXP(sk-XfH-21%w$BF(Yg{EN3$D*Yxd_n>(_%}d8; zBRmL}Mg*3OuRUz;;#sCj1@scHO?Lv?ZBH0CM-x+mMlOE{{)5Y=nMLIw=91|Gmg=S6 zgOieO{wLg=;-o<@KPGRu>PikM)1ptlY_Ob+(T6#z%(7$(r?FbQ%RC z7GnKH5ut(1;W)5l=JPLw4f$UR`}|5-jZM_}0bf{U65HIA_39dOOXb~Iz6AzjxI%on zpOilLX3?o@=BNSbB9ru2ik+=1LIu{G@VK66Xh{+*j<^ncPAB)BN&$Pcg|`J%)jKOJ z9)y5VVD31c_71=$n`##vA{q&ZCfK~``P{gtheRj*R#mV1l3hKw6ivlyY`SFxVuV9>9wl4*RSZkn3PgeUvKD*m>-l1!9fnJd8cHwzs zO)MZlcokw&HF9-Hb_2JrVgXD->hQCLF9PZ;M*b*3{fS#zn5_0nqtQ3+^4k=M5sOfO z_MF}JvsD|nY=9FW5U~Z`N*&&;hpS=@Yo;k<0TcKO5Bvcs12&TmM-og2fZ5pP-+DzQ?;YgiYvCX|uv=Shk9X-*Vu{v_w`ix>vW4CV=YB{odAw8CLEgc-d&o}A*T|CX$-wZ^M+r`#bAh2j zJ(Roz=KVS?TT=lNt+Q#_cZ9CidrjR}i{z-Ke#$3VSu^$Jqwl|^>rxc&(lCo}D{Des+m(DksOmSO16$nnYl@P~P5vW1!E73$y)!#6g$KYt6j3vZ z;aa!j?%vb1w3WiB=972phjky&f)8XBsbnk_Y#q7EcmAM!JY8?auWF+ot!Rlh1dCay z^(GKIO8)lAiJbzSi#IPR=esSE^49n3YR*&HgXZw^nu|Wbj^}%s79bt17k++E-Sn3P zp-~(xs&SNk6{9BOpdD}Bvqk0vL3|U^N}iHcF{#k3=A1CkZ&fbB?pi?zm_li@kZGUK zLLfrHmSS5AGb0g1_4D^xP;|%48eFIL*WkF9-kBrl1J6N5V5hZXN~rkq;FNsP5b`DY zlh;DyEJ>aZAdeV-^CKE@RpSpO zqBO3ufS|#U;DTc@*JrF6D=(g`K&%kT+j`uq4KHI?_P+U&Ux!d@nC{19Fx4qQ1*Bhk ze_kHDxou#A;q>&lV$tfQ0@UvIHePmoUYgdp7N(2%VB?jfZ5?(Pa#1qUPdIx@vUZu< zF@N2<3!==@S>L}uw{7d{GE5#=_8E$cJu^R0)j1)Hk&sn|Y873Nii{D^Ac*uu(vNEh zL!T5m6c}4SXv?@WY^0mUm>MySG0OY_Fok;2KIHeTbt2m-_5(t_#A&g<^u{KuUGRYW z{r3rHu}{#SKs*vtSm% zA$kntr+N*3vawR-sIEq}&{4kJ7;=-qD0q`0JEJn>lrewr%K*gn*IZ~D)R!BuR}Dyl zKo6+p%Ia8Kf<9IoH+qd8FHESd+kK|SZU~soYlC^Y~CF|{ywaj+IR{4!kSZa zZ&upO_Ib**_?9AQR;esQN<$69Jl}Jr)po!EycGuizKnWBD0qq~r7boT{l%uEOKH7k z>RvC^JeNJAhfGKI8w~H(>Ru}k*imwVvVYe;-}?=O=M(TxN1^WyLSFb>qKhen=YM(r zQy!vGZw`hsu>VslUV3F?{~<5#Svlj6Qn)Ay1Ww1A zyh!Z%azP48CYEL-kdXLa%nph~P07un0C=%Y$;BPAge)*s8H(w*iV#>Br}jV+;NR(IH;qnkZ8)oIDOIts`Ji+WSWuu2hbq z^NMvF-B_)0zGd%Rb`39wPqV%v;iX^Fp#(y6o;J;BMAqT@aE9iTdP^Q0*$ zl2sIRW-t&ns4$K3Ut#yujU#qK9B|98XKar|*=usy5>J%6T;mpCrS8WJHhmfFPgL!p zi~m#*8I%{g1+YVR?oO)$5kUuHWWfj@8TQ(!Fp>D>7%z_+&OYHGp2#7tLc~dETS#2n zU`(87r;jihv$b762Q~UWZ3n}(fsREj)R+qE8IVYqbKJS$*fP&sK9eIihTap@otrzy zRD6j9^ev+J<3{LR`IOji`FafqHjqF^ZET+@X| z(V%Ab*cjSY@ba_c1|zx4Y5Q&1phm3Qqb~KGxpL49;G^F-dJ2W-fbxf9~rc<+mC}0f+*W0xBedX9LhTKbYkf;^~PnEF30iH#_ zl8)(v7H}0r_UVSBo|&J}R_5OwT`!lSxP?W~yr^Rfb2GsHD%Dbs+9kkn>GTR@h^O{W zGhA~B+T9F6N&syjGO3Io9!i@oBuy@(1g%?!opqqH@1YvUKe5RUStpvk=Rp<<&afja zcv9)`Nk!>g4G``}?+XV@1ue9+wH2=E4Aa+c>VeCNN2|eAKqJi9?ap|Q&8QJKvG!;a zI~RBV;iA(#TvFYD70ffcIM4C$>_e+sLZVpl=zAA9dj~M#)`w;#jdr2Mo?6|?Hai-7 zPjNguKIpCx^35EhwJoNm?24edU8TyaTqDcFL){@2N%`qZLnz4Ckr6=Bt}q~%<9hq{ z71%V!FxjA&_jV+9?FNM5x8l0(bHPST|HVGAouXrLEQ++7!5rDdGBOzaqkkT;y&3BX zz2+F`n$2*V8!f_<{LExW4Vh`iJ5s+SWQ*0GOJd|t-Wad?V=NhK?5>Wy#|2R@lp%Zf z2OYuVP~hU+9yint7IuODP7x{YqILvJ7{*-61el#kcE%(WvQN~Q zZt#$Xi^$TCjqJmeLM{S0e;g+FQN1GqfJfAUcTI()xS?U#$5jfhEUJ}A0!HRse>|K+8#PF&6ZHa@$WW1bH00tmy04J(GO zlTGsRk{{-E4CVq09Iz3eIseU~UBkfVCiH)#h}_wh`r}LybfpQ=K+*ll8d(oBf8Sy z8&Y;-CzD-sTg6Z9cNI=^XohI|MWz?l8ORBg%QZ$Fs~m2_`r44H>`3oCskVsoS{s#6PF|`O*i{|icjH!5Qy|0n6Nk!KuP%c z4aU(aW&t%>k6ru})|-O)K|=|D_n+Qdo~YUJ_Za@Jm5%_7=eb;YdauGiYf+KFrl{MP z_3ToxA0E+Z*c?pN(iWwxZU>0vmU=E&Z))8Ep5U8Vd{UrGE5YXu{if^yN>DH>ZL=c& z^@uJjQiJ!5u2}ZrvrsL>MUOmOOxLbXG> z+zD7f(~-?%d%!eSuM>rpmJgB4v_!5jgL??FI!#H+F9KGbYriy+7bY&P0<3!7eMSr` zFGh-ypG&KUHmSKE<+QE@+X`_8tF9&tB|VhT+G@h*`( z9amO6YVc1@a2zt2XV9x}H5zdt9tYWrWd(f+FRybkzPa7nuP$Rz8J#twW+|>El6qt3AQ`46(os;S?$#IWHSxz!3Pdr=hUyR!ASYOzvHNFYj`XY_AASr?k+)soJK9mkQLfJX(>H zH^q%4v?0VsrX14f4U$+(5;k0z2iihM;}9Gji3}Lm9QRni)-Xx3!BzZS@0cA=@i4ilCzFpI}Io$ttt9U4ddsf^Cwoh%RdB+h33Ve=^aMA_Kef zzf5%QYw{{6@NuYJWlAjHf0<~p#Q!qU09^mWM9bO#GSN_;|34F*(mtHjHV@QERX@nw z-O2nPCVG)I&mlo&{QV8E@0W=_qxfZ_lPdo&OtcSEqR<}adr}k#YmKwrWGl((k?HW# z&2{-|s~6-f8T|217la|E)M|_EbPvw!_|XSoU?4=tr}rtQZqM8G)Ki8ZZI}1Y^;X7; zVE(qQj&7&Vi~g?Wit0&C$hM1{_t*PINXRTXaRxBp`SHhS6F+dC*@J~`OyfD2<}?dx z5hUQx{=d53F2FK^^GpCXyB@WX!I4jm8o)e^U{^B=r***Rji&-ia%NmhI zbMD|Viwoafw(BOv5gkr)7Ro6DZmn(PDU9^N$Y-8l#lbaMru0h=h#UT8Ywfpa`qZOm zNc84Z14;BzLB2+z?|S&7=lB%QQP%a-Z`{qA^^qrCEjC4{10gkCrmYPwqPh2c^KBEe zo7kBp*dPmoh0%cD5HtvBAR#(MtSQ$?DuVIF7 za2i%2r)VQbl&?#WZrXF}W|optUTHfP1L1Vl?>)xC^fphJF+T5F#N{OFuaV5V1SE>z zA5&nJQN?kG;m&d{{#Sjgsl5Vhlt+E8aNKqTyARsKyr#42RtxQiQ8}CEroFI1UYam#Pv_oGu%+YP4EH6YYJonlD zR<^SD{W~{g-Iia_TPR%&AvjLkN?JAA`v$tKn_@4{g-htR#7*Kre6tDRcbwTrp4mtE zdU{3D4-)kjz#;sSj|t&pAN@y-?NF0^YndAS`EW%u+^%(Y;v=#Y+^?zzdmn)xQ4*3T z#-~rU?Lbop5~fibSzq*&3ZuPH`zCET?izAc4;Bq-M&e*$y|I*BB5?e!C11)lTCy02 zn1F`w3bkvay(E(&IKl;w^>rWGLQO{Md5j)6DZ8>3S2CMvV5xw&H{Vc7Ib96Q0?F6# zIIb@fRVvh_?Hu=wpWcr(<)8=5imHX{w7U!oF>f2*HgWjyH!U-l2BPaaPOcR{Z2}Qs zh^8Kcf(u2a{e<|+|B?;1Ri_hT@HV9{v{j5-D}WG-Q6i2V0$GrCoB*S%0=N(4E&(IB z67NhVA#}xxoA8u&HK2EyS(5zb0b<0RM5z)(R?~qsul9vrB$R7F=3<>Beqg z90o~LOY)D^qrodRtgw=da!CT6G=GhOt@EPyiP9v9j=lIcW_$!tX?fVm#0z?ZzK1|U zfAoSFxdqX>FnX8MEI`j6uN$L?ONzfR$)A4xe4mzlM0$i-+4YnobGhk+CrM;CnMng{ z0un_SU-*z);Zd7Az)4=B19?TAfsIf9xKbVHF@rky8|IA3Z6zm5GNOh#bnh+gHSduY zOTEu%m(SO~RT5kFUkpB$0Q$!&?q2uoo7TU>A_4J;w(bm zTN9fyZBa}c<~%hcEItji!k^TvFKaeCObaq*Ly=9iX8nSd-!E-psgXwAlyy_E>dlSq zv!L0xG1K*4Muy=Fzk!O>MD+DZL$EMZlF9j%+J!WE^tdIc=7gO1#$>WQQgWr^!WnkX z-Ng#}eLuOg&P$s)7=roO6LmnTO6&YsSe_JS4L^7yiuH6D@Ko3Q>@>=~(4T$K)i9j! zGfP_#HaP-pDw9enyfGU99%*NBYd0%h0k_qbykA(E(u29pj-mGcmC4g>x!1OqXd?RE z^`7?&9-rs8-%UtzXA@wc{+^lqo2a*StM0dz+eFxH^aE zti6oKqBK>zX^wo@1 zb(3LQ0&f>5USMim{4d(>A;_{VY}9qywr$(CZB^PfDs9`gZQHE0ZJU*uC-?ptapE*? z<2F}g#cIu%YmD(d?;v9%Xd0YDa3wMKqNP5kALKKQJbBEj8w-MsIT!ZDPVKi09)z|{{sgmn_0olKs*{9v022hl@g(jl2NPJ7kNd^dhitB?;i zjgY&%hmFEVw*RY$EX3|NFPZfCX7y!vG)288(g5y;X9Pr8j6<9!j>B_Ct;kn~`oJl@ zimkhfyE?&~gYgj?1|Z=mpR3dlS#oFw^~K8lyq)?uftUA1uAw2QSfuN9`>>#SE;$*g z$**s})Jw%?6jK-^lr7E29Tb+8?7%5c4FL{9W(#10^^OE$m&93@aHk9;IkMOp&~CI3 zDC-Rry%f{K@DhHh&v6Xmzrhz^cs_XqKki;23Of-w6yhA#ffj(B> zFXceZS6|fvK@v!ICaI-Duh;ea$$(k@D8g)*z4HC>%uepBVULsJZRale)s$6XaX(WE zI9{lfSPoAjuOQ>>EEWHY!(qbYeXy~#_wMWY5uhR@z_Zz_9`d&)c89-Rk^#k1__B#V zJq}z*V(lo&>X~9RU zZ^3%I+11#dceo;uy=lG?UW`wu^$Pt4n0V&aqG=#al-sk*47KxXuiz&RzycN~s$SUp z&wZ5Say??~?O?BHCLrJicCV{Zx3xRHyuI$B=Hi$4f8RIipP?@JDXe6?Vcx%DPBeRu z9=$ptSc>n%$Mc*fjWWg;RLGVrh@f2pYvhi8jvJXAd_CzWV>KPP6%W|^WtFl6@)mOY zzd`3O;qDPsdeX8oT)7XlRL&Z~Esksg#-Vw$-Bg)JMB05gXZTT~DXUmrOzQ_9h z4bA;tNK7o9^dxqX&4M5{o(HCJaJ|0dI zc4;u>W@$(Af1feF?MXaOj8;LAC9g@&z31{g_Rc~nEFn~S&*e2De_oe%O4i)$4cHWL zs@ByFW#-WfKL~e?v#CzJ9qv5gWXpeT$t8Z>+>)lS$O}teu;eB69#oLWP+W@Ho%UOK znWH`{L!%U^fu)sT)RALUdU#NWoKDbLIswl{XeC`J=@UHztqAtm5GY`c4)=98$KM_i zTy+`qJ&1R~rX5DzPAfmjyg)()%K*t0e^2V;ygv!=h3xzNoQi=}Zy{hs!wP!`uuLOxoz@{h5OJD6Wd@-!EdGUF79*HwN}$xN_2@$E49< zjl!?H9MPJoDRI$%ZbnjP${W@a-faq7JThwcY{(NaPr(*_j5a`1r^dg(diypRSE>-i zz))=rV({CX`Mo*aw77#0wVBWHxanpBJXkELD>(7nikc|^DfRw~MVp~etgGA30nDJ) zR;rndAPL~u);*zZJOgAvxXoF+w@0{0#Y%R|8v|eO-Nwbgeht<(SO&efG zdsGnnyI0IlOI9NWy5#5@dKJ#r+6NE+u6)Ux$1!qCh)$>BwO)?|^~w)TE$U-H#enXDJaJUNn}S)S_1{n=lhF( zmCA{nyIe4(A9(zY#l%#W#cJGwg(MG4TcODbE6q;vyLq!Ay*<9n!3De&7T#hOpp8Q7 zbx6%6`tyN+qOH8R>Dr#iWjkLF%zEF!4NR1nh=NbSyGl8vrbO0je58|>1pCIj-Pvecu#0Y880T>br z6evi`;XsnRu|{ZK>h-lGMvgZRX*qd*ssIif0F(i{!Lp4+XJWkv9@x>frOku~h8lpo znpjS#U_8B%T!W?2i$R#&+fDrg&Jm6DGmg5h_SquV989a zhMoK9ukfP;++)dKN%fuWC8)Bx>u=AxfQcmw-Y4p5t*&4IXRm^^(mvEPs{toiV|D9O zSCGae*h162Ust~6srJ%Co|*%kcUs4p$>lm3b^PiLZ6Nx0<(9LHr}zuxhox^VPiHgd z77z^{ULojv>vKdbK{*?BtPzb*!LKKs=uV1GS;V`W2PKh?v=I-Jk-lC}`F9TBSdbN< z(T6IGGkLBO=MCv-k%%C|vg0A_#qP$nF0R4A9(7}H57nw0MiOWE+C%D^@4=@%GlEDB z6O;E6-iDa$c6=q)s*x_NCcQ`F;)+FRn`_9C4swwxh8w48=6N?cCD(8xw=U0iST#NM z9oWKue>OvWDix8c_Kub)0hx`hsI4n3)Tv6C%AmVJOD+SozUd^=$A0$4PMJDr8}O^G z4}?uPYu)^B^~Wm(K>`sTZq{-obE zyLmxrlc(96X(|^~HpBlmP1urm{iLvIe^S^H$~`k=bB{ok1ZroqmoeV+`E0Hz_qG5f zoWNu;1F{VO$H43UY!*rCc6>VAiDiQTLk=$q{#z(zfImOPKpA~Zf-2gPqM5Jk`(VA& ztYmXsSyl5pA)M07M%t~ugd^B0ZgS7_5)#1fj|eP{4OA2tH@4b?`#9v%Y^~`0Dph$I z6GQ29O-?J8SDDW?mBR)A9G!Z59TQfSs&|agD2{2~Q}KbhJ%jS*LSHkBR@G>&$y$+f z39o66#jEY}{_v#ws<|$6dChjqG%so+y(VFPnt!QVs3& zxA0%venek7UTTQ5TD^E~G8VX}?a&luUH`2Xe&s!70lQ;_4SUA>1U;S5bacV&wTNl< z6clzRJdd+yEzx?dvR7*y#6DBT!)5Yz0qV8keB(f?@MWU!3UOFzgUxoi$>wToD`x9Iu>?Cf`9jr;%_+n8XMZU5b+FAqc0hpb*`#a2Xp z+2$`5j(wnNear7QwlyAIcxXB|r%-idiZgcV+<5lHWwr_}ecI+;Y9}^5MR-*es-=}p z*(6kV=Z{&T3uQtT67SR6Davz0TRJYgwhGj#kH%KYL$#q3 zVJVEefy@qWYvoFqT>V_#^QoGqLuO>QU`T2!i>Ca#BXE1Tx;3p-bDbWK?^CZJY}vQZ z-ThLU!!t|~{~+ccR`zVBqkwV~WugPLTO+j0_-@0sHEfZ)2lUisr5`&8VC8?|MgR)*XYf9mOs)UG1eB(gOc z<6#3#lZAKN**GY*WT6uoDgEpG28`JPj*4nWz62?nk7@>{FWr^7W$@v2+ey= zhj1w_0qkmFjqin42+4VFegRU4A0dDyf`Xh0>W6Yjx1<8`s48VD7^hyHDc-2%d1q$h zZp`#FiK(0T{5*Tq8%NDm2n29h3|4ygT8A6@UM`YSJI_p-R!p;R9q0Y4RwkILj!P|L z9f#C^=oVvksV$N3usZZxg0Z1S<7)=bbY0!4`)mz}q&I0~bAzgW7cXcF!BWOK`P*D7 zeTY!cSn}~=w-DjY`7gT8^Jx@*ammwlqU2~145e_|A&~Ocb}pL(2S{hU_};0} z?kF{pa{dOO9~WAGam_#z7G>@aNIx}9AEiu!44#)Xc$`(lVaC9MM;%6hHhiWD@dv!b z-2z4#P>=#CxHx;J@xjarRroV$gwn<1{)8kJvv{WOFu5H}YY@ z&u`z$^B(x~CqHu`Lv;pklbDKR{9gpIXfeENA}$&bwUQ@R{Yf_bz&UoR`%Iu zF9Rgz+^6PDw;_0AE;v(`7bv_6(32VaOYV0+Rh~kQeeIY4C<1S#hyIh%lf1K-Q>}{B z!}FNw_F&HYEMRec={V{P%{3$kE}u~v;fO~ndsk?ji{XI77A?GDH`1E6m!@{+CbZvl z%ciuUB!4gKe|3@zXXb5<)H zKdT*+eZbD%%Tij)vH-`IYeXW9B+~4b>E0Pm{&i)eLB|mMV3m;;%vF^D)}>ix&N-Q- z=}}O->=K%+=R^V&2dA0oN|1WXXkIOQe{OSKWW%{=T_OEN)8JEt&9kAS!XsP)v^exn z>#o#w_}k}elhLrq-s}qXO%Nipf7kO8d`(sYk`ocZ_mxjXr+y!w(G7X9nReWitLkk~ zdj~?3$Q4dYx9ZYB<)0i5m&H(3zn|);Rkjw$8=*e&wpp@32b7HH$|4P!eqpQ7w`Ye& zo50AX@c{d@6$xF!`XyU86xNny<>Y)3Z(ESb3h;{iY2>-!_chF;wK-=no6=ywBwAHZ zDzA~BoabFC?Ce^%LhE`Ts|GCk;cvDS0PRR7Mt_h^F0R%QJ1_kLEjJkYLtyK4OY`nl zp41<R{e_*&_4Zq6>Nkpy39}`CV zGb`v^_sTGlw-z9;4H(@iL<-xD)IfLVz$y1)e#;8-riR$K2Hs2k27nMl3;8eztVzwW zdnbH0RScLuC-XsFlsY&T{G84*-&8W;gO^01wPmS9PmGB??=@s^0iW#c8)DOoUV`O8 z3$(XEAeQk3LhicUQZ}eqJ>BiFn9f`;)`P`P=sGhBw847 zU$)ANc*-mC7mtfRoUOy+S>iQW7WMnve|H(`rUw;HCZeTR_bfBj)iMTB*G5lpX2Uei zI7q$Yq?8;Lspo!E@3Lxg@TL4vQx$x!_)amh{wFgft|*0z*C6VjRt(x|USHFoQ$DZ2 zfPzl}^EH&Xj?djSQPhJ!F-S60^=@FBlRYIo3BYCI`7GlR)~*tgcNeW7`w&%VDYoc{ zfd+JfXgB|JITSh07&`P+uCltN)7gu>p}U0|upRkIEe?W*Hk2N5f>(b|tg7(WpESH< z+nBd;*E2;q!%iG}nU(x}p!tkk>QB>RWlB>WC}270Nl|LG z<0k$=6KPZxfTm&k^{^1r5vDpuSRgrg&PaO;xNQBVn!gmWsf`6nBp;R~YfHiiP0mW3 zL3B8rc5gtD?(<#xH2%j;bSF{gPdOKf2D9h~JgYw|hdiO}FLa=&7Pk6yct#vukl;u@ zH6<*SUIJ%%oVwS=F>DLKNU;DHTU;Z@94b7EB229>O4EoE%+33QN386#DT6n?*GlG8 z``rtI%T%QtTj@V>^>$$-S-cI&A#3_MQs2&)yRN|v+~rAllk7cXHt?DIi2r^(^@V0Y zwlmNW<^0>&Qqp;jbO3A!PzEDd<%)EXbN&>1PqQ5kHe3cl2FzzX#rQB3MKE~jv5vlR z;F?o%KDsWMxfL$tc3tE-AqVgtMxj2MpUZWi0d6}iWVvq}MJc~F9Otm>Vh!6b8`Wlw zYtTjb+|c!H9Nr?QNt~(gGf}0FKJ2NSTmMrxGW{9F797m(Nej8b`f6O4Q#i&{?iJ5T z6?OFjTPSQqnfX^xkbv0oagFg~PkV6YJm8xVKm8NE&x^*hI$Ly&m*aT3%yMb_P@O5RkRFya#B0-P@^d&F6ZblqS_`yS`;6SFeuwEg*@CZh?v*4`;^0FwG`qPQ zQ>5$+0$)Py%+EF)t}YNp<@b0gC$lyVPDt~vOlzVi%dALW($K}LyIlFVNr%Mp)wg6} zpRBfo9^9_;3Y;0)nqiHE90P{!E>+fb^nq~bc58G2!##Vs_{bif$z?R2N!LgNxS$~X z0D*F`fbaL}6m@YZv^e0?uBm5X9dH>U<_UegD3P)N~lJn+|wto#)obG z@_uL6m%U8=1uxM5<7Wh4M05ZpjGMpMGi_rQZs+`Ay!Ly~jQ@Mo*Yo}o{U=WF{b})h zHhIGTDbDYp`Xc-&*ox27{jBcx4aTKg$*pqBGfHN?mq0;!0^MAd?Q26bCdy93w|9`y&!;npmE2jE?d5bxkHV-et zJTC0bdE9kb{hDt%#5wvmErYmaF7Gd`RC`u?@U9^K0nop9Dff5#Ho5;!$(sJm%--$u z-Y)#t%xo;W-G>NlK}%JwNJcUdq2^^ape(UId6FbwRz|*zH0Dmk{4kE(`*tiWbI31Yw92*!!;lmdNz$sbN>72v>Oue7kj;UsciSiB9QJR&@lCZn6eS+ zb{SvhaT|+IW-V~IBBM{(DW$0cD&ThP{?e0~!ODH^X(FM@*_O{bMBvkWG0a0?gQ%;y2n}-i(J;tgWrLVFab1UaWmmn_K1b$=@ zAUJA~wumD}2Sqsmj4?~J9H%nA-w7o0%8-xf{MsXpuVthBO2-ajD2I%T6bQGH5-?%ga=el6U83Z3Xa#g zR_y)baAL}ZNlpx=kbiCq|BP6N0?&Y)evjc$jnDd5m~J-P?jrF?Z}7EUJV6r`{t(oe z1(lFV#@APbeHCDK{PX4s^~s`c5md5!OqKd7CYM-PXlQQyAnk^}SK0NN0L8Bn2x?+r2S zpH+cNB%Nd}0Sck6F-ez^^z25_sO4^tr_EZ?{ag= z@_pI(e&Y9vKk@tAxf8pb+_d$h?Nr|gX{61B8ZzXY>=lkNhWoAN>=*j|6j0K?)_fjc-Q9(v545_h3UH zsbnjb3s^(JhxWin51f|;VVM?MrrFDsVwg!tP?w;2{`^wHl{cZRkk!MUtXWIspe3@D zj})8SY(S3%-h2w?8=`I8~4a; zM*I1CpK2sxD-{d_DUh`Y6L)gL{2)Lz2Y7H_ch)apRKqZU7IF^Dsxs?F+jEOcKOFGP zU^dVbFvar7q9lVvaH{|~$wX}GVE&aC`RR0+0_=#hZ~q}L2JtxlFL_}|*7`s4;up)0 zytp;r_%C_UH2Htai<}2JY~AAD@bb3uHya1Xubu##>w!IFlPnxv_&wg=pKiZ0rOAJDy%Z)?Siv zn~B+0X@JlujRY_u6R5d6_JTx^M`B;!0*o8pFu_f`9B5BykujNJnLPm0{S&?4PrmT^ z8j5_BpHu2CEYZ!5eOP4W`rhkRxDmwVA)ycgSF)D}IgENC#(ItNDkFft7W8f~tElEp z0SEy3KAQPlrG3{p@!>8h!Cr?!9W_^3oU{bZCn;28E%<9lNCfQ9ryPLDCU$EM2~pR! z&!jmQ>uoQDjsHkjl(y7}A_DP(p~R+3xKku!vw3gWd6+Uyj$^C$xq?F)|Ml$)&wh`hqY#<@?=rD zu-NX3I(i1Q6Ifd)XHev`$AQ~wJAU8DHEdlvEdBSyW{j(-%-Fz8bT zt^Hv7Y-bixEwl9o@`JOW{_&@9&-;DOx%4+(#JXBT`Jci)`{LkF;r{TS!adl(g?q6J ze8pcfqd(f>6-V)>aQ`33;teNq_P@}@PvM@151RJ}V0`}_Hv1P@{0F)aa{u|(zf|Mr z1%dOAwP5Gg>-xbK{<(Pn%8P%&-UhiPLOCe|ZZW+kRm3`CQu;Z1lvIMJmh{NV#cytt zllN6Yu8yB;C#Fo4LMf8^?F}0g5*{j;4ln+nP5QCL<)YZj9ej~;a>@IyrmEg}N^F(-dQ7Ty zpgj0eOsa&D@m}3(m?EE_Q7+w}LKI(0Uav z>Yoz`c_~fR83DT!gl#hqIc*3VZcNT3s^+|g0ocxU9!n z?ikn%KK1bXkvJ9Ia8Ox>I-CDg7a94>nbE()MeqYHtsBZM+bwBUfvq8Q3dP*1fuWZ` z=WNS83dcb_d8d=%%w(3k%P-G~&w<;797oF_OEsNTZe?WL6(uq_nZZ?P(|0hrOlkjj zmHzz8Tk$7LPkE)m5R~7s3W(O9umj14Ucm5ZQU*Kr7T|Lr6(4pf#}I=DobPN*j2=%? zPyYR??-3Ro7l;w>D?yt>e2gb{jKnX7clU*wzu43ddC_DX)_Xb87U@ym&qSiVRRoRk zv@Ti!PpbWK7>RV`$+8*j4-KEc76b;*>f-0eBEoxK{%bZ!X(gEk#$aW!32d9JGLHyl zap-3p6)>4Jd0ntUM$~>uVpi1xjuIDbGpU&3{P)Ge+Rti`WOqP1rK=6KB?nFsh-P?S zD9rh1N`~)+Y<5L@rXph};_E>XoUzG)Mev|ZbnhIyfUn%hzPQbcRB!X&L_Hnh^6cqG zb2ri3HLm%&_D1J%q*>*Q)K>GJ7wl`w-6A!T+^JB&l_4b)wGp1%ZSW7mDC_)R2%{9O z_V3bAR{05L&rhVjCJj2)NcBG>^_w;SMCwO^ej@eg-+glx#Itw?{~`>*?M2-ZSRN}( zCqSDT^|A)qMa|fM5k~QF=i&B$8jNmq3Yi_1-#|M*je2uPv>~0~thanceL;Ts*>GuEcq}?7BC$@169RaJ03-#EgGtT`*5COBv965Z zf~K9Dfi8y`b#2y(YB`W{fvii~?PRuX6b0N&vT%#LuS3X=6Og=XBI2NuZu|Kx$d30C z*6U+m3J<*HM1OS6+R!}{MX)UJjl*-9c@J;H35$~Ayg|Sd1Uu%r#~igS2=a&E8f54J zNwVezQ_Pk5@d(q6Vp(FkkvQ;1FzwTdqEEa0%S2!eBSr?DW&Waw7MWZ!ipL9MB?bx3 z5ap5UiI_l(kZKPVY4VWt2mBZea#e*3i~=f*u=cdWpB7}Iz>mRbp3{sL_%Rq4sC?qM zKtBdUop8!k8ew%X0>M-f72-b)hL)eee;bT&K@|tUAA>Og)#V8IKL(?W0^|RS!EneK zY0Ul)gTYhUiBs}pFiz?JF&IlMA+t#lOxS_+7x(ax0UsPP_yWRM@&Z_ryjcGjj4ksY zgP|COm!b36*HjQnio#2ge7Ywg@{hql48_Z0dYm)P2QPu#3cdczSe@en2V{jb5uVg6qRBN;h)=pTcDz%HuDCK|_z ziA45eF#fRohruA+$p3Ts-v+}^8BWIX$6%C|vqdfb7z_}mC13(pio~$c|27zdf>3>8 z|7kEr2;qYLi&!b@Kn0bL9{SMC&CK|%0WBMH_~pR@Enj^Sl-10@a-P|ScZ%(r6PNv7 zF@$wPbNxUTjFW@qmK_tJN9;V*%7kY?j{d5gT25@=8kc9sY7RFLp<20Apt|(tC(8~m z8ZhoIjUE-%S@-Ag9t=OPF_S@it)7pcqHEPhtY`+$K{pm0xgFt)MmDXsHDGVF`*!@a z8rs|Itp;Rj`MKG0^qE$uBwj92E#?JoL^Mqr%*p+?yR)J_^_*Uib{46%SXE;MiQNN` zO^z35{Lu~1P{YTZ7>2Z;kN4j<*wsyK&%Ms7nX2vj6Qg=g`AM zq95*F>>dHK>pN4~WyiZ6m%0_;k)wvd2|dlVZOYr=jvqJdr9I$PpSbe>m~!psd2YaL z0>JHG{M}mdM=U#{t>f{semAvf(Fe@?EOX9t&QmXfbMEIjGgr?~nYJ$K#{keRXn7?E zuwe=!puHApx4HB&zcZoaw@Ig2b4w__Y~@iWw;PvgFF(_WYArw@RXG)s4ar7=^{%61 z)--i_E)?MN#WD;ZmDe+EreNj^IZ8&we#(D$A*-P5q!A@j>VsR*2l>1T3Ub1&0zxT` z_Mi2;MWwe}5?c_taLniY^NZeNJdt1sf}^WSjn0^{efFMZ&%{z$zXVot`WMLZCQV&S;`lYE-k|m#mYrQR7Q4FsBvJ z0BeKB`~bfqOZe(w9%XdtK@&Z&<^xZA8>ks5gT;m?)e0)!EP0n4ZzF$qqv7oD#dYH7 z0Q}s(a#ApZlylKzQF&h*SJrtP{<=Z=_hrX9Oe5Bc=@k!i_I|0+<~Qpy4dAa}6& zYNYG?FP!Wgt$(F^DY%Aw?1jm6VrWr7qaU>UZp)cebF*NAkkL+$?a2xY(iLt zmi7JbNq1eRI(BE}l`a%f+_{QvmtUDeQkv1Q%iHL)z2-Wi(_u*k+eyI^UePZYi^+-? zP50T)7fMB%16G1#eFMt<2F8*jPe2SyOm>;2*r4C&Gn`&I(b3svB7WKANr;1g0CiHa z`;Fs6f#lbK{9QNqph6A%=9zDxA+jTNwvD`+1Q%&;m2H&lX3nKbQ5Uf$+GJQ#F>; zB8z>=k^?Qss!gm21f=R4xzq#DA-tIh=9@sGfV=hXaX$Uga-?6dFNNdby=MA-%bp$D zgo`|@ay@Kroe^d21;%93<7 zS=eZ4=d%6tnL*~KILf+;yGpNq>TPGs2FYbuhdcd8^s}u-#pHbb1Hqllk|Y@~8aut? zO1B>w13s=#(-+L0N7pwurAI{RVJwvrkagA2HEUev96QRw*t2PbLo>F2 z?~~l_#^{GONpdsixqBq28m%UyzCy(e{?ZN(yDJRVAI+B)j>2oem+pvmu9 zVWNKcp1e#olIU|R+Bl$xB$X*@g)>9a)7%XleZZrCn@!RE`qgb9Rf*DM%mRZ~j5!M% zVHd8;pdSM<>In%cGITYy5F?UKt~%)if$_GEE~p0zhpNv0)`zjR=)$*_eI|UP=vZ#0 zlTJ~d6?mw-&gZc$w2i+}0(>^H9}bn-&|lZ^AE1Rv=^wGRB%WLHZu zx~awZZB7wB;Pyz34QZ=)wVUQ3J2yESRk^dJTJP|IlBY;C)$4^k!j@KNx0B_|dz(D@ z0t^9(?E3aO$KK=fu$6hi4*bjW^J}YIMCwsOT1Men9!f&rENTmCD@iM8#*aeps(Q*Lw_$|CDBDrK>J;v`k3(8w`M(H zAy$~XQ)lBzmX+eJ$@%=j!0V+v&8lU+=&}V*n8c-JzUjqBB<4>n9=4VP(cG%M&YE25u>Xtk1xqcT~6A$g|d;KOgLw6uyEr|EbI z*V_TVX-+nkRkGa4MXz#xSBaossX}YO5+uWk#kN^BJdZe@TvswDI(w}hHQ*9y+Ka_g zPLudU&^}fT-E|N8*g&ir`N9t!CGEl_Q5(E1rGz-dAIS_7Q>$}CtejJsE)(2daFj#0 zYI=-4Y706Qh%R=5nhnOSAvl!{dF;9w%c0#4$W`s$E~czZZ|^kS=P7lA=qrS}mfwg8 z2p16-*_QUKatml?`X)XbgsPItU{J57D~{dcO9=Wg#d?AvOtUmo3(xCUc$>5|D!N5r zLypklVtehBZz@-wPxDYMa7Oe)+k_h^cn0dTF7d=Q2rigU=m8CX?6X7+8p%4>BOj$Z zNO6y)ZmJs~IZE^*KDI1zoMNr7C2hSAc|q52(eb z_t>_@UtdX7GH**+CW83ok)s~C@l3w)ObYk)No5`<8!v&u1*V*mqb9xtPg=NOrujE; zHV23hO67Xp8tx^;y0IjyDLI zJ#W+Z=Ps^iw=u&q0PpU6VwUlFnOFwVY!UO^UZ-kTYbm(699q16p8isW9v+$Gu&01MUF4nmbu(n zHDRv~N+v^#HhlzPL)CQ-grg1aHIlyy{No4@rqhsn;$*A@%lewJ`mC&}fQtd~63=5a zDB$Z^!CTgc!>^Mo^dJieFYsOvDvt~jc5n~FWNYL^ryFtLHJVpBsKy0kAud{Us&(y) zV-G1aWyntbgg58>L@=0yxoMKiHMd zm65RDR{SLT#JG4()ME+-S;c3l6}LI5LmPvWq*&jDQ94ku+k3&6KVw3Kr9B`mE>7GT zjttqLJci8*CzZBS(&X8(qg{FqSN2;DDa#Z;=YLf#HGfu9*bUzdKUV?iNgz*8$ebfPP_dfI*IjPHM&-E3`a zu+0qp`P9xeoM^HdCl%DSE?u%+FO+gDK-Qd>lIqZ%ur!_K3EE$p+M zry6!@6P8%%lZ#0q$G7@fzFt>aO(B6n(ilE+wmCf9-&uzspPOMCtEu}PCFcD2^CL@%ApIc-`K;1J-&P~K3cJ0rtQZ87qs%$A%O=!thR z^$&np8&W2UJ84{-`@0FS9HEs;KN^Q7AMyRkx^t&Zt~1}k)N}^z6PBTdJYL!xC zF~cBYCOl0ZQHaG}s+%1+rsLf<@6LPU)5bECLbUX9WrP00ZJnVrc1~EPayc9dot3-3 zi$&Y{>kejg6RZ;@Fs0T6%_c`fZDu?=8c4)*mhpN6eof-8-#PX(x-N> zqUg@gI`Wn;MGZ*7RC1Un?u({Tm)F_|XIfsl9+qZ)eQglIsr;5d<+YtKT}{65HjG5r z1PjObR@F7pN@9m7Z5Qk!(|UyX@9E#^{_*rF*C0B$n%)cQ>biG9d!v1;z85!+qNl8d zmt%yogo(`cKss(bJd;7cx8J9Y5)yO2$F3!Qi;sWa<_zPTvtWijVUI}N*Il(|lGMcZs;#z&>yFNkH)dcyBP?WY=Psl{qK z-C=ZEfSWZ$lg-W;Gve(uBXmyR6(@!-f#cpp$;A-s+l%ULUQOtnR{R9&7C5x^)f&ObV96qLG^!POlS6 z>zXsa-^D3m%}=6C$CamKrXhiXn}Ffeea~=0UH>XP2pk3MiF|-fHlB#z+Jzh#v}6|B-+lkEt-D36$cMovrdFH}(;#52D3x5R2NiQ4NA zGwF@jVGnYeF;>%d*2cB@0TQcW2-!kIGWk}~45ru3FVqTMQl(*O3gMsBsh7mZlF(6__Ba~kHNQ_DpB3@i)@&wvz zFKA>z{`5jSH@YM>ykv#?g%LWU_4p?xC}%R_yb)~q-$k7Xqg!zl?bBr`;08tWgG{+& zLueNF0(n(;P5Biu1Cw*J?Mw?#)t!Qd&GWDG`fxs@5}ptvt2dj-jhcv4oLUb!j)ty| zSj%&p7V7%oY2jQYwu-b`TPM2m4Hu^&A}~`$LlLcjp8O2JL`+y%BlA9wu?*CT{SkhB zmCjFICdN7;DYxbAQ1*+mAmC%VG(_|vit)E$=vC}dq==z&jxl%Y(g?7kHB;E!g^+Is@%!d38rNu| z%^NU)QVI%L3>fjj4r79Z<;a0?K9n;M_$7^)hMc(k^2M2;4AFj@*j_e5H7N>>nE=c9 zfH&cSTA2Z!!JDILbt>xN{n9m~Q3M61SlMy}n`sfC!H6Ca>145#k}A-jF)z~b71mO# zzIA3PglvtJaX+04x}Hee2N=qm3caXj2WS!nuCKGz&ik|G!<~^TB&YoMZ`NyjB@%+1 zf3_Bv=eGW3%d1D=&@=!;na$#5kmKL+Rqx(O>u}I4KO}7pqIsD+?B`Ku|FAJD4;GbahP!P zX-*K#MXlTq3sHGS275s^x&$FsB8<&0*Q-@~K6&OZNIe~~Qu3oVbqQpM6hF%z2@W

y_ zl0i3B@nug^#1E^{4z;M1;nQc2>q;ufBE$XJY*U-*dP~VpS?$@5JNNWKqTpK|sCv7) zba}Fk9#ho_+`=-kVa*q6H5H_X4MroqvsS3x7rzCB)ln6pCZ}@xxQZ-Fw1HO}pK4KX z&Rs;w48KTL)jqp|D65(K=taUZ3;J{sU9{&TomgDutVkcl=oRb60P>pP7t zGm2k^(Gj4vK$@MP^PieD61K9eSPN<8K&GrUR5%hJF%gYcyy|hPmtY?Vb=J8R@MVf5 zX+#9Hp2SqQ4S74Eei6Vz{4H&^87&M5>>g4$V|0%z9Fk zszNHIPpVH@xg54kHBe)ImaxZ$%X5~8&!$KjOh#g-yD$qD$8E`rwSv+(Y|u89O9i0s z>)Cp0L!1wswwpEURtu^G1pA|^r!JTyCCn2EpMc7!9kgUkZU%8?Bx>MPWnXot`hgAY zaCdrn2mNvK`_j1%i)b$o8Xu9s$<$EW40umd}bN=tnfkaB(6f|D(ltjm$QIvM&^zMlz_Yqemk^ znDMWq12_;@zm^pYCWoT^IB%TgTtCdjJp@EUM2s^)eNYZ%YkI#&6`umxc-5{_RnJu5 z=V|#CJF-rzG`gB!1F~w=%txFDOoBKR2FDyDkdWxn2dadWE-TVr)%6TRPI`$(wYw%m zYgJ?Ms{QDB%*vfIJw$Yfa{5s3TE^1xOA_kGk5qhJ`ugk^L`EK(_gs)8Hbu(VLa=mk z#6+VS!Oytu9D#3(wrOGRV{jxjiSzxIkLr@`Q;Mrh;Rw)|T{9FG7F(!dR)9Fv-&1T^ ziqV8r{;qvkCOC?`GT>eDTg5V&6>$cnGFDg3R5IJH(;uOf@)CdXkqm^h!up!>ylUec z;--2z5J%a`L?twR04B!+(tW5kBU|#)NBq)f`k7*pDHe>S+?WdaMeSuOExITvMi>c9 z$MrEZ`qr0p1qq_0!vs#;J4ge6X}#oAo*pp*>EZqM#8sQIn2+wKl?HENL8rLDSyY12 zDG%<_5tuB@TAUH2xl+u8C9fc|C!Gwbhzf)>hsN4}@lRLdWIzTx1Ebw9$a=EeS+>1i z=O30@uZj^>eh0S>75^3g8iSRqHo;6cWpR1#?g%;jRlfZ}Z5V!~M!lc`W!kixtqI?+ zWw3S>C0Ei1076pYHepxw{In^A`Am`eQK}uzi+*E4K6|ECd*&Kz0d99z%v+2dJKUf* zFDveX32$)*steuF=+-1HGOP55hao~MZj0DMYqF}%T}0iJmwkHU4|d1toeuQ;5^~4D zMmt(bAi8sNsnch_^Q~Xai(?Jw#`)*w{+l@@sfOQyv;WhL~%XI<*YHUk?MV2?8tKp|PYR(bxX$dMb6xN?=2blxokiwvM zr9Im&O$U%!bvgMJ85Y4cwfX?r=7t0+?XM;l!Awi0WVC9w>`4i(eYFi1UxC zSOvfY#^DxlJKz9%k7q~P@tzSD86!i(0z^NUu`HG&cSFRub<7yFF+8&vCx29ySjkqD z@?)UI+CsdSypRs=(w5CS z;+tq2Ba}7E1q}DoUW2y7weK9gxGTdD{id{_?;{Wn`s1co*&3`86RN@q9^iM_QESrn z;OE_xGpwNFo?J1W!O?Tf_eG}gP)f#N86zYUM&cc@{+QMIR}O|d(gJ-W>>}P!k~ioC zJBz9pYc}=Bi$+VWP4m1yg@pjowsP8o1!3bMJUMWzXU zURkGUZa7$WNN~c%#3(w>S}qGvosG*=!u{bzRI&-gph@{ZguMfhWYM?o*=2Uww#_Wt zwr$(CZQHi1x~wkSR+sInSNGnTdH**N6BCh~NM4S_GcIL`l>-T*y-n>p?zosNE ztb_u)IVaji@Vo{^QH^0I4?&ighUYbVcv_0p&`@^JiBmr9SW$=9EPOSHPWNBb}4(6a-MR)ZsRD?$o zLar8TLk7|6EH4ld8BFjQ`TS=kV2UgmPFT>&>&CDtzk!4J4EY*XWFwgZYQh>FktFNh zp4PcZXM~i17KJRIo!!IHsIn9ftnw@WHfgK$6qbe>2p{rFN_d)iZ3GbHMVEYMBUH4^ z+9?^HCX>mxAy?69@yi+pB4>>A2yXZ=#_w1x3r!x+^R40Vpi5fE9z^7F!Y2D`-M9X+ z1Mjqo$gqY49~AO1KP4W01;}vMzdYmCQ3PsP%w98?qX~R(jI0_j)s2q|TWBlk9xUXw zklq|jv$3$lc4SV-ND{Ay^el~2Jn$?*^$9tO4M-1eHdY@J-wIrcj7k=v(D6%vQOH-G zP>K-~UG;L1U2X;r>z*(~JQLu?S!V%*#2SM4pOZ-({rsN6S4U<1)gx@bs_8#ZVYhOF zg)G-b6=7V(mNjO8siVNCCJrNgd0dmN>w+NUAILHdZ9kp^;zN%@XvYNs8S>L)6M~Oa z2T-gi$wurioop=M1;6nB1p5{?=>~fR#6itWExW408^3fa;YrLvPyfT~1kNN!g(oA8 zZb7I)coeK)dge_XE|3<}|0|hP0V`rpAq9a&ksS|(3aa_R3V8-A$x9Iw(Le7Fr_uvQ zC#z|Y>1imGC*r?JM9KV5OLfA26IwBW#KUL39iF|X$lCI;FNg)%PG3V}^Gg$PK}R*9 z0ojmW5fh?bQli?layl>A>@KIg7-KWQBz}tHB;8g=6+zcV?f3Av?iKEHB^hqw9>wn)_ZH*Ur zA~_?mKI9VZ^zP9BB3$qKiZ#72vgTYTrACKV%UZVfI){KLh zX{sGy00*W3g~HQCjJMuRG-T{2i2>6gCc*Ti&W$OXqydN??N$G(OV--dpV_cUagCDk zB*QTJk*1mDSRIq2>=`uB8o6<7VhBYkQ!(cl6X3jRC;n^AK#^8Rls8&HET8naM}_MU z5LQ$Tx)>B@Q6orMASzZaMmcvVh?64Vs%+lq52`w=CRT3gM^O7!T2?vPm+E&SSx46c zPJ3tEa8yk+MT#I**J+s^RikX@;&n5+)tL2a_#P+MoFzr;<)tuTXeIrr`3SHMxxa^F zC5@_Kv=dOGmm&Qbc}0vHo;Ta;NXesVNt<3wzp|kok=)vnwq56gPG?FWt^PUAVp^V- zU&E*X3LGXsDYZn_d&bV1K{gnSZzhm)*%X5|@nXeC-UTIReBz4-9GC(hW5=34FHKVq z&UK#-&9Oj|VP5xw{Pl9n^>f3IvCsC|M$Y>-kf6i0|D7%Iu$*Y?YU}BvwZ7JM*5j0t zE>eYR8;R^rVqpSR{0@2=nWT!`W;@JK3);Yiv@^=WSfO!vR3ihV!m$f{C2t8#`(+mX zM`uh8a`3FW>sn6$5*?;ZknjT$^k$T6!m59xxn;Kpt$R-MMi*wAwyqZJ`oHHZfo&E! zXbKL?X(aiKw>f|($)Hkjc_tH1~&IhkzERBw*GvUE#! zDXZyqT>VDyBkkm-=Kj$A!Ar^{@b8V<;)QlysTE+F^ZSsr_Z3c2IlFWcLW~hb~y5=(unoR3UdKdxt(*Tn+3_885&ra`SuANO5$q`61%2t!{eG?oJYTaH;}iy6(g;OC@bpZW@6pHX7`< zi}5*cv{~#Wk>$2bYw{blF2EM90Q~iAmv{!}1?*T%>_EC2Wc!pA?P(V5p5QW2Id(nz zEh<-W;E(o~Q5iX~NVi?&_!x{MWj?wu!m@uy^A&EJ--51wNl=0Xcgxy@tU@WQ%xF%E zawC&X=z4RZb*Ls(i!VAkaxs zl~RV%LJq${l_%1aS`UAOBU!}Sgt+hQ-tTq{Ob}Dwz?TGfhy9~n63~@^%rsc?!&nqW ze(SsJP4Yh@Hpl|7S4Bz3|Evk;C2;48>o(539lHQm@_UQgJ)nZDf^_-dvH1M;nX9mi zY1|z&tGHjeWJYS+^n7t*pM@4-d7i^1p@OY1jJuMGhlr?rb3g4wd#gWb_~=|e@LuiI z#9typf!G=*i!$b@!|67J5NeX#>Q9aR=eJII|F!7ybquLNTphRrRf!3MRcl`tiLCNR ztwrHgZ$jwW8%7@ahAw&@+3D}i{5<#FqoJ&0MH46>1GKm3q2Q%33A|kUW2{YAC39GSfAv;qB>iD z{#0n_s%tHO5rHtvbO`D2AQ?G00pExYChD`Ed$C&9MA{vTEVF5HrWhNIFoH6!iaJmO ztY2BT)^TvE*3C42(33^5RfrY+Z6+tBN&;~u!ka6i+v zCei!>QF5(la)1^=5>GB1IAYpgq)wH?Z&gjRaKU6Uh7yUZLzjhWhuXS%r7fnICYB8` z*t1CfR~9l{0xBc0KXYW3IgpKFQ&;hXXQh8nyqTssfwjVG@c{Av`emgwd5mu- zf4o6~c3BtGnLAb+>j zec2z*ojB3PGD4%&QzCCOeHwO|{P)Q3Xhr?l!YrK=_WZBw9$z-@;pmnsF0d;h_@rgr zW%Lj0s&bo>S7{1m#}do*blsL3DGG_Dzp58Ux;FL@8$Xl6YF-2ep+y0?yk96z=fE zD(n+gncnO&I<|LeeT8cvobKTYLp%wB%bdm84Z4m}yh*GpBrqCDFUAsTT0*G=U=bh5 zbDy{!dVk@ z-W{llK`oR2Wf%Oz)ol@0qn+Y`%y31#2H#!ZI5SWSk}{ism^D(=Z-=Bt)7z3t=AqKwI{RLJxdpp6wWu137E$lZ+aDbJi@&w$(JVQ zku*AWznn)AIqRRdR+r_p&Q>^HEr`6M4bB&9T<`yxs5HCWXej+eKktHOmNoSLpBK(L z=lLY(d6f14&$q}ND`+XvLkKvDWFxT2&sAuW=9p$O1fSg7?-hWExEgbG{%pXrNs@4i z;C_8EGeW+h?DPF|et;n`*ja}&o}VWW^Q!c& z(R32u1`Ed)%(F~5g6Q*^W}Cr!&V}9Nh8AoHP~43-h9aRuM2fC8G6TF~0j0q*+%3zd zL8*U04XwF<>?3iVOx_yBlZ|wW|0PCm{Ss=Cai+F^vQZU~Nn7qZTSLHgfiRUnG4=nph|((baGLmF=ND??^Rs#Etu!n1#t{FZJ?vI+~CV0K60rU)V zEd&9AVzBP$N<>LkPwj=er!vLBF6c54&>L21IW@u4pi2XryfPF$QM_BKf0W;#IXkzrlIvL^JVK__VS#s`0FNlgJ1&nPKfQHZ>UK8??aX zNy3<+h~U|MM+ZB6u^ZzJsQ7glC}{~QSD+nZNwh@#8==4hdjrFcfAD>O2<7!qsnZT2 zW$8hCD;?+JVU_AAqK1#pq~u{%w(+Q)dnwHNYX$`T89GND7M)AIk#`Adq3zMGG+ec+ zgQZY$Y!8gOQn6Ykq1gFd=$W*sh&F#M)pXlK;j-{sQ`2ZG0os8Kg(UV;6Z?PjS4Bc` zp~2YtTc#ko(js4&4(b%L+%Sm*;KKS|9r^1F2CWALZeDK68W6-G{+cIz5DIf{zxlEe zz#rC!gGe8?hgaUS3heaALivzBWW!MH*|kcfO@ldwmPArhu)zJitv~k31(yHrUv9Sn$GBkjY(ZE~ zFm%ASWLZ5hwe}yN;-Yjlg#ArfaAB0@Ne|6Pr!K2n$8Ak>t8;hS=9-Y!mf2Rc^<_b= zil1@lTy02eszo!Md|77MR#grbwe%#n&cEzbtMt}im#Sa$Id%?pmg^kI zgw%AIoR@|L)wIc+GaSWoFjI~q18ci+PA6ajYMVh%iBZ3`P1a_X&_1*+DrT0@U%i9x za;xYsI@S|&sp*e9)|qmv=yp5S=X0p()?e?F&%KicbEs+OI`;Rosp%$PDZn_?er|I~ z1fZtt>r@iLuBPMYv^317rfGVQ2yI-SSP4#mQ z6Mhl*u_TO9ZL9x;P^3ZUinMy|ujBa=dM+I=H{5okf=M_{n>J50oe51-;L1Ts4r)A` zshFr%QCO>_SY{6WD%tPVhWfCs+%heZ=Gc~5PGx~}#l^vvJB_kTv#X;#JUwh3jg!B; zFmMcMv#%Y5RHKTrwIbP^1O;>|KzJB&~WM{EAZzUw#- z?OnnetpqD+Fjb_k0g5xJN)s$ucUVa?DkTV(pcfeNk+5h9zDk8q)O7HQLz@+*!WuvM z>5@hYw9vrGtM?LH^Al7&GMm99*EI54`3)O0^B`(OS=aiK6jeRI;jF?8cjnn8C90BM z%tduF^70`|pQx+~s~xbAg2~fG1IH|ivM-^hc$}j@D-?MZW6e?GJMt|R6lcs8;@map zz$xF1c`3tV=k8Acn%sV|>c-(U>(QS1I1btJbV~G_!eBkrU;NM_Q7u$lZaL>|=VXFy zZEeTWr8I?9(>L0I`y z_s@4P$_>Df*aE0#R9Ss|SYRxG^goc!_)qz1#Z68FT@;sVe@ai}ZTX^Kh)nU(!-r3k_kMkXg$3S?P?%cm=SDdQ5+Ml%(+wG?(<)TJA2XUT z%AE3rSD##`HVjqD;VlFYp*-)o&rzW2MYd7y;dO>b$N`VxmL?)D#v$WOr!+t}0!lc2 zz|-sOxe?K2P&LhrRFFUIBaJTDOEG{#()uS5qrjh8V7+l5M!-fU1t$9D>`gcHLW79# zIi>@)Z;gn4M^?0{zbA_puIB6X#U)T32y-uALqTN^dk*{TBRNCPQ8 z5vb<**U6Xm?qQVYbmk%r4dg??OMa$s1o%oTt8#M^bN4rOl|6 zzNf@X2z~=7J1J=&k=rlk80C3m4(#Y9N2u4h(JFi44>77R)z9}sv5+zVk>n+racSLq zzHK!NAd5pGo^la=wrI&w-T*NRMyDdit>Q9bgDZh)a2rB{Gzb12(@oWjE9;d5;FlS+ z^8+LpZm=!Oop6#UEdErcw%4f>22{Usu53qLqH`!H*NICfvc!tZPjkTQ{5)k_>#m8l%1>12jR3wnv$%847}(rMFAvSTaMJDCqv7H z;`XJfVtZ>B==k(x*^}s9@zP!kpb9bIzX6=|1{9A0WISn^>^ET~)+^aTU-Fv=$50%@ zMoUA67O;fAIEc2ZYH53fPNXC)TE^mihHjc}B~c57Ruszz!3G>*`bUCQ+5CKlFDXu^ zDrthaQ~=2My-344JmRZLp}#3rdbwKNDx;m`(+#Swuqo$PAWp$CB|$~$f1x0i1M8w4 z)0U@ZWdi0bq~@a;^1CU!+`4p>CYDZ(lgrf)?F3$621WFCBjW7s1zcT$Dc8I(ckFF;6ZJoVQ&!+sE@l^bQ!^9WL0SQKF(I{iMRarnaYmBiTsMK zL9H#g?jqw*iGDWdCDBgRiG{j<)_^K5pLji+5wg z9#WyfK%FlImk~t=3kT;1sbO$4Gt;r~8~izX+IiV|IxXBTJ|6a~%R9sUk9%(L>;+xH z)~y)j_n#c2;4SHeE-TBpltaJKl5H|lDk*R4tjUc$*#D>q&q9eq*g~9}zo+A#F99o; z5MKTEB9nH)YvRIcMuc~(3B?|@d|85X(2VPE%mfe+jJ9}N?qHR{%={Z^sGYu^h{48k z*0?mmD1&R>Nw8o#DSm}3w7i;7jqayImlNk2U1Uw}_khCTNXSz}qNlTu-f%AJIQv$6 zQcckQPR?MK@XCcOigI0HYZGAUG-tPAj&74V$rL%nuDL#_%xMDim0of(sPpyRaw___ zW>U5Y=ug+3<(tgcQXvAGK-1?tOLP=JQ|3C)b?d3?;UT}gH#*PwDp3{+8Qfy+CV*j> z?IaPaJg;^vOpv2`5DuyGyF@YzOtx1nkh7de<>;q9Pr`8#v7I&H&n&7PTe>oSkg(EG zka1c<)o3$^D$--mKEasmP{sIUri$i#E%+`tj%e*5cNSI81f`|4m|5wZsW>Q{J>=G0L6Bv>62j22_FwJKMd|)JT^i2$2i{O;igPURxF&dmwhbxq{n{SUlc?vlREu*_0$!IU zC*cXQqxm-9P42m--9z#Cib$ld^;Y*eh`o4alB3I!Hgu); zL8EsfP{~Tx(f}!=Jp1O1I~0a=D%a5};jn61E0Hr=g!6*k>_excWEb(8mj+;>ZrUpv z3dVFARZ57mz%JUXh`S3F+nT$I%1H{VL@|lK1GCBIgNV82VVWEs2z>=_hQ-}^%Io3K z@%6UPj@%r(^B$4NITyNc$_Q|nWQo%t+8j>d^ZvSwV(xUU9B9;;k3HxA@rNrVWiSG7-`IHTlDyxTIwsxBQ}ldzeN zWoDx<=L{wI?2x`x-mi>&Y9tuT;#?aXW9zcVSeIClE2c-gBu2WZ|C(ivy}>Od#G9+9 zeD3^HN@x~d#t#dfpXV@iRYYS=;N)l*E{#SWE=;k5Q`G*XOLoI;g*wimy;g{@HOa)XErlz`lwo`8G=psZfxDY^8@7N-QcS@_pp4NPK zemr6`B`bGY+G(Mwa+isEw3QjyDG$pg&`O?+h?;T`{%duxqbvXVy?7MnBSplC!l(&}kYKQ@Fbf~Y#c=8)EjZjhwbthXW> zs^rLhNb#Tx@<{3qtM$T(zYW~VGo4ty`%8$%@vvaQ=SK*YnA!P*Nf%PKG@_Mz-NaMD zT1@?6#4N*#gZQQ1nB)j&VXr-hopTH~^q5P_i*XLiz~ke6Z2`h*8kjhYIBfeQy_4-Y z(Ie4Ni{|tSNmu-XpS(y9g@(Hfia0{XvjHU1gdJzBg#!!t)C{ z>2!OUCwjNrnGz4YcJ01+*#63CGXE}3qgBY88j?vTj~eOj?@+kjdC=cv=SkKI`pnA3 z2z%i)g~Bd5_{`ciPe9n-IU6oAg zQ+Jlxu+HL;miN`LiXWoSN126`l5LbRv(`VOunUkvIRV)uPExo*!fglr6-`4(5d(}A z27~HYtFVe9hK%Gs;Q-lYDNiyH>g?r{!=oEkJP9tl(%F+p+ z9UpMIB;d4dNtuo~eOo*UByT6~^M@s84-!__@MFy`(ZZ5l(HtvKOqvvHdOApgwr5t< zmKxvuUQxp}y=SXVZ^>ent0sA9i6q{Da!Nu#GD_8Vtu~zO_!3GPbr;kN`CfWsso@3A zrSTe!SOy6-GIJe#XaKYh-pP*G^zSus%)wQX6)+F)%>42+_d+W*SX4Kb! zE^t&*U;{;;v;dW)0WBXj8k~`O&vnH-x!aQMAS2mh11_wZM??))f{rVj=2dVc#Xta* zj4@ZjDnMdl>A3p`(mfJ_)o-~Qx|m?Dz43OH(fXw~L?iCg@5oH-`nJqw)}gPWOZ0z{ zEjg8i{9O_jI&rR`ON}WB8#si=MOO@&#Tbp~@%&^NQ<0sWiNw)xx6#32>BupCB#ueN z14seCMmdPvREe9KJUUQX9&MRnc06}}9IZFsUTn{2ruwyFDOx12b*wuEb5}OgnHN_E zu3WMcd;el@gq|rsZ624n-dbHp$Y%L4fR{rUS$a*77S$chyZ+rROM28;WpA9Ok^d=i zxJ!cGd9z_>?rg~W#~*L+ng=j35rQS{$AAcElZILZWMup&+@k0BA8^Y&bgmcS~b&mcWqPPs42O zyuu&TbkRDqar^U`EWQ!|DCsw5Zo*1aYP&#|ilxKInElW(h?R1Lf#%E6)`mc+cDLJ1 z+n4ocYYVXQL85v+%_<9bHO5vb`Tnu>5=h7-7M{9J=^*Eqn<%l(pmlRR+v|?=bGJpd zhMHa0fAcLxTK}7GnfQnFAAHO6_Wz4-@i71Y;9K+z{*!M3uCTHfLXfr(dX!;9c6M_9 zI^I2$CQBAVhgjKpOi@+;Bxq;6W!-(}!kPD+KJ#*dR9prs&&yoo{^!EFZbWi9P%LnwA#f^UIQrD8@sj$;}qqzuXz?dJtl77b0 z^fGV@A=PB94i^7OrTG8wEtp6qcN6=z z+})U_pa-Vz%s1QL*Vn%H8-9MR9giQ+pWiR0eY|V@)UWAQNg2qtGd#^$lV)nyxT9%^}DcrB0@zOhb z>o7KRMe}=qWt6h#y#3kci>GZ?Yyx|JCnevxqW+crs_*$CVp)~fHI6v_9FUvqnSMp>-3osZY<7eHpHyP_{RS*P`;G%3#Jt_rtgP3?)(qf>5X4 zN{X^!O>;ViOM3H>xCeGM){q+=O{M-LN0ZWvB7Vx z>`VJo0^Mzr4OHF*9&2b9 z3YcSUgufLi=~*gCW*Eyk1@%9WnAr$cp`^}sr%j@`7VIAh<>;ol@+!N9AkjY_G$r<8 z;EJ!fl}7b(vP&G+!5-jhjr_%ImqPU_B2AeR{JrwQ*i)8dl^W2IvMg1I!EKR(ezeRAb2&qWK8?`hs-M;SebfkpE6o zDGlzgq^Qm$p=crYO~DC>j*;dqMLCP2bG;t4Fs-^~2Tef>F7Q54&zD8c*c8eld-PLd%F6imt9ZXoJ|cP_2P z4~b$J)?XZjM_3YlU)Jl?^ocYK<#BU9#`knnOyKu@8&G{-&yr%B1bIqccXJ<;A;5mB z%owzuV?uhp)&wZ~h)_%KN=Vb(ytr>lH07UVa${U5ex3x2-mgq!y$Z-;c?vY=rA6D< zUggidb8Dc4v{~36D~~D zX`3WsV~Hs0Q4+v8%m;_%G(qFsa-ui$jF)YN5NHd2{1E8&g0=#JvzP$McyBZjNt*fB z6f+Cp3`FoBi>T2H_~zQLCCTH7R$-5c8dFj%U_fdcVD(yPyg5nl&xm$dro=_A$*vQH?-cGO8^)9UdvQhkpsy#@5w%hW(L^TRqg-$yg z+#CSC*ot=XnUOnZp_X+Ou+YkRB^H%8J<~}E=9%oYM%j79?XKW-{^$hb$y%fFr8bQb zNBw=>v+AXi_^o$Qd-Ppq9!K_FRn(OFjZg5MH_mDu|6QflLGZ1{tDO2xoaleC)28>b zvIMG3*IPuE4=Po~pi5nm6iL;v4&mlx3T8t{P3u{yO8? zZxF`^6#Oz)`LZy&hlZ<QCr;;dbpN7$!ph#8fX>TSf?qQpFY|Xzpw%itptW3G%?2@aIQ`PNKt)wr> zF_s!%p0-PUa<+?~w;Ay17OD zIj)w|?fISpLt9vJJoKFe0jebM-^Q+EIMcP5@~REv2Ff-qZa9*_oM~WJ zmv70_$&=ZVSH}<(Y8Hmej!?t^B;KeJg=j(|OLtK-E38i&KW0n|qu?L=AzdB&6J+1e zOSuVenPZQudF@qd6l_FOp6-_%E3;?Al6WCGjG|0?5FGpFY&fwO_rN)~dY2ta6l4`% z^xv`?+QG)yCeQ6vn)>4~U?gNT0y7>yE3qFVPhAbje&cq=XtKF|;s}y+?BJqgcq)yo zK>S^~n}td3MARg6;2)SCF(c$aO^)1?Xdjzj%+SvF1f}KqrykflV1vL)My&zefAaP) zp=iQBDiScTnN8M!2Lyt96nJX=JcjPY8OmCh?Er`Rza zxM~n^E^EaToTt)So;L5|gig6h6?DQTrM*zKDax0makWnU*AzrrBb0)T@ zpk=$Mw&pQ6#pb^keqxIMv-A@$_=#Kfl-XMKkZYdvScP>gd(}SX${_2U^Hix~LNN8A z!qFRw=eUmzIHyMJYcf-@vSG&rQRPq%f0?l|lQDunR95L{seS)|ssTx7ymv3zFS&+) z`Np# zs^lv$>EH6lHXj4~1H2KNf?sL0U3bH1uofh+kP+g5P@pNE*Ki}y^W}@?!b=qNs|G9| zoYc;;hq6H{C$?(f>un^5j$g`>VTUwtwW1s<*rOM7g_P83TO=9Xp4VPP;*Wb+Ext;U zjwjGfSj}@o5%TR6gf-54`Lp?h-0fYJ$#>5U{DGad_4IsYGPq<-WHMHgJ!CTcbSExq zRl4iPgR*25mbRHEL^A8n)v6SlDH6_fXkAtiPjQ({JRK|N6i1(cDt5J9xg6>Gd_xO{ zklGI!TGfM6Nk$Hh1ot7s{7i1c;`i29mZQfq5jB{JtVD}VZC%U{6K?w*3N~0BXKi9| zmdEze0&$iVCp0Br(-IY*aEg=l45c^un&OGJ%#9~DJZpCG9%IW;-&R@wH@!~4tfJNOOq*p42=LU+`QtU=7)KS4(&_*L+8jssMWlW|VJ|{S8 zTL7)1a7%L42|{A}-`-;ew6QhA4StReG}!$Chb^Q#I}R8EqdmXFs4w1ER%(i$36Af3ss07=<&GHl^ zS!BT1nE-W#JNkjGk^qpnvBlI~M1g~a;`fmRet8HMX-=2KRIw{rp{Zf1+jEq5u5dXe zTB^?#(mC_fbmAoMR*)6bvG~nWPR@U?b-#X|^e^YJv+vl#f4y8iXR+gb+|tCT)=o`Qf3EMG#JFs+=9b3^2n zd35|CQF?5YY$`Nq#Pq+4apew|klv@d9vSF>ft;N7+Qn=>=zM?Bo*x zuzL#XS&aoeW(rECQOgT?vzP`JmzAx(_{h9wh~!~}$K7Akd<~VIPZ6dcG+ICkn)gi% zN6A}4q3XA+xbz5Y)B$V}?6(MVC3q3T=Ft}EBf%@Cx=ymL%c9`MPP{!S%q|5`w9pnp zj8v&*993anylH63v>U{w($4C-YpVWF##RESPrF|drkjCRX&9Rmp(DuI#nTd8xMFF2 zaez#Ob38+oL3ZnE4)0op-_c;NH0DE$ogF)jpd(|VbhK8N`w|TuW7{1CvuH!lFG2+$ zEyBli7y#mRu-}`uQQ&m%$14^7T2@QTnk_A=GOaDDHZ>~$_p}CUq)uEb=x0f9ID1)> zb>Y7c`Z>VL(yC^C5Tb3lvZlon9&;j5v!#-xwB!P4r|%*w@S(}D)Wzj#?WbG`Lm z? zp*>zq)~Jml6pd9ZX#Bh^QlrZ$e$7riU^hkQjOGmSkEs&JNmR=@D!5jb9nae^qo zhoh4pni;bahMqh90Bo-4eH$NCIN;~?6X=Ny(?r3a5^awB%kx&5t<8NnqA8!BOH!KP zV{=dHTxA81W=Y_P1V*-~+93Bx;;Aucve8m@Uqbh(cKY^l>Wx24GK61(s zQ(0E0vy%d(OTUs|@DU;cIf@hluS{@96?{^-W70tWtB7H&QB5N1fqM`>2mMixtYMHUB3xyL9BMz5XyH?_pF%6#%w6b2yqkd5gy0u z7Z;3OrZdKQ4>fs+bLUNk9`|(Gv;p>ea@1JiHLgrzSP3_*hT;0FF7$8s{&ls1+&_C= zZ{64MY4zEl=1gX46jtTdoPlW-v3mnxU=?x-y$3E7r=YEE77Hkpnkx=@+he+ z9q*An(G}+O<2TP!B2$5XFcFC{Eq?KKdXK}|_AFNQjbO&o#6<3F`!I95WE%+_MUb)l zcWFY!H~~i$^uE<*rDehd@ac)6sDl@P-{R81!E+?TjIl_9z|Qs#`vvFV&0q{PM{upO z?VIXyXjh>P5fz2uOZ3~}izkhOuS&g5J@19NEw*U*ms$C6|G3Us`mV40ylj2E)t=%O zYaStIAWz))Ls=J_=G$B|r|n5(4Sr3qJ!Vaw{T2_j7(>KsV40K9{+kiJh4B7sU!9hF z6}%?|4q*0tuI8t18k1S$>g&l?iTK+P1xD`E4l$q0LyC(h{Yc~pqO+oMSx zN*&sy3fo5eq{&#lp~={-3R{OdXf=Fu$Nm(7ItVsi3A~;hB3QW4FAiL>!z@e`j&e6U zj^Qk|e_t3^-a(T>GcZ291v6xLdri#~_s!1&q4-B0HYc<1G#@S<7}!lGdNA}OYQ@vc z@=yo8wN50)+cIgn1! z5}_rjJk8;JH}rfuwxxf6hP-&-e&2##Qacl#{bE>lye?T-peQjQh(E)5$G-`-w>zMY z;7qAP67!ZEK#&n+ORPXNXE_U^RuR00B;lyf5Nl%(w=obGoVMk;Tb{6s-f1V>T!DNQVmv6`YD&{6E=0uk%%Z~edC#G&T z4p2&Sbb5H2Zs&fV9sr=Ur^K5$F?@Q~Lv@_o`kp)pDqVSc<>qr~>R3gX zk4B{}bEn_$eqVYX!^Gf-onv`|7N1OuaTn z2X-`ICZ^e<;&u>G`LhXLLUZ;`bHj`Sv_q8mPMbrxQkn-)6 zu;Sh9$nVa9()9X3G%P2sdSYT$XhfO88|SR?k|-nE|D1R1JtbsAT-56~yZB)P-M@CV zy*c-j!<+gc{L)aE;W;?vLYkJBK8{`p9*&BM+1S`XJXR90OV_tgVc|4m0PqkZ{hFOU>{27MdOZvS#qxNrnU**3bmB~SFG8VQwV$yR7zw)oUAOr%%+ZO86)I^|s^7=*B9=){2kv2-Dz} z!Cu3jXshTNHgcx)0;2f}v{qA>LT0=*R&2+jw(+wpdG zz3q&aTZcMg@jYX~--qV$p{5r@_1@O6id$cOtLFc`2}@@42b6rvwHE$=@5QTEMfv~5 z-m5kL{}k=hC#17}pdQ>cZ%S}LVwGE=;&)47s~)O)N~H?;i(sYeVI_+>X?X(6iMZ_w+#g%q_m!*?-9(&#D{gwuaEzLey=E*i zRPpDg+N*0h{twURgP7o8Mpmi=ZnOWqcvZ6h>~635zb9#583Mm6spg@i!1`Ot5spwA zCNV}KolKLy`oQUI9uoa&&hAM(PDAa4ECXOP>I1W* z%=jCEK!)TaO%|Tw5{CG)gG^Wwy%Ab-T4QVtv0p}|9_3=mIr@CIl00}q>#x;pej00rv zy&@s;6BcJ)u;4m&{Ba%=&hwE#1N4C`AhoXww#x=z%G7IAYCYsZM>@B!Y-~tTvVGGYNKoJsLjb|A(33HuwKg~*d8 zPtSe;eMU)4XXrDEXcUOC?MiDyW3TxR#lv)rSZsQbHqeXw<*4po0KmD?s(uyJW{{?P zofo_Ms(KCcEA&$uTqXFzvbVukfBxJkZQVLFSNiYcxm3?k!n^VSZT#QYJFklQ|94;Q zt?B<$G;wb=-ZRpVVzXIsE1YJ%zXr0(`24Z{l-Qh(7pfVp|J0(t?MU>-r=n3+LG>10Ev_@OL%BO?uU z->-2Pj!S`{?-)Xw2~W#??He z2}f9*EsQvsW9g;|DPm}pFe_b*j2TrDq6fZBDwZGhc6R!^yZx6h`!8Pf&^--9G$OvZ z8oiyJUca}y+w1pUzU=jTFJAOERQDA~ii_b~K|iOICpjT)lAz6yL})W%@(JW^ZJ}-R z$Zuu*+Wt2vdjNe#08#)$y?zGow~)SK{~N^9kpwGW-$Fa)8CjX`x3mvGiHB7e;(^|$ zPw?r>m)@sOkgG0UKo7kh+Kj|&vX89-HLv@7mHY2{|4p#(>h*s+FN*fR-JKUZYyJO| zw92bhS8YoiK3jieev)Oj6uI?7`eTXGZ_Z;HC1ayo02e{@JKjT^XfsEsx19Net*s6m zxIL-TOeBwP%#IneAz$sxz9@Im0ZtRfeH@awpb+GEOa=)XkUQ!p`p;oz2ojx?@Cvf-=T5MCp7I<3Ny(>-hgCX_YsqwAo7Ko|BqN50zy_ z8+(>S#AQ$`Y8DM`kR2t$%BqtlVRf&dDl$KyO2dF!njg(wk!t-bPLwAka-XVv-gTzd)5}eC+k^k@zu0-P zT{qAD{ddLR?HP(Q%F^~jq@F{XvHWM`2b}3Y3y9&`R&4*NsQ}46y?5%$xkWai8L0=*GsauKTikhIpEzj9{_-e5XLQlA)V27aPU+a z7@(WdUlQ<)%vijr9(_Y^^0iftUqN)6!s zEiMc4#!Deg2?CpC_XIizWgUOR0%A$qy^u_>zv!XQi2Q_l(KzXW##Zp)V;Ylt9EO7t zjRtd^Og9For{N65qxr`;z9Y5I!mrA}9p(j-eIqtR9W5Sfav zD$Var?|1yB2Z8a`5N{%oAGB{IdV3@0ebeis8`alM?_IBDSZXx3?WbBO(yK}5cdx#Y z>H!Nqz%P-{W;B`%*3hl$Vt zogH7lKR9}Ga%O$LJosys(y!VR5r~uX)0r=5y$@#fOLcCTg~_^(1NW}i(j zH6KWkF77 zX_(-Mu#|_3UNwUZ!qXHN2&v$zzq`J^_zp50ah&_uGCAPF zd%E(ctnIarGywD&0f6$5ehdCwM{I^^g!aF&T;6O?F7LdAIUPVpm}&5GZkJ7RfjIgSbKuQXNdrfPba*YhsBqN1li{b;8;M;x(*LK#mt-4 zp*}1oO5TyZot~V1e|&kg`~Kqc{J;P9{_y{&N1q+0pxp^ULe2_m{{2^~1^K@%xjb%Y~Huen2e+!ooW9ryL=)kB9Y zYdtoPw%kqSKx_KF`tFD8qw~L>y+1xXx;Q^MyMBLscJPe1m2=HBO#*fw9qWRL zwhF4UtJCvuGoU5aj~2kce3469sZcB;lnj*!1k!)|N#;`JU*3Jg#^e6mPs(s0KdaUF z@}<`>#P_eyFW($o*H1swMYPWN==kdT!Jfpz&lOX0Q`@!o##x0{MsZ1wu6H)nzM9iEY`UMqSzI(~id!|Ao^ zul|rLf@si+()cuw{_ymNtLx*-)o%RZ`Pud5`RV(s>&xSVH}6l*POeW5PTyajyg5Gq zA$LtTH;dZ=YUC}CCo#b@zU9$~3XV$&{tA95S z#pB!k{db1PDtVq4Y1QaDDvOgTKAM`r-BKlmE^O_?p93{B*CHZ+4(7 z{3M#hgtrLE-(DVHUA=#Eeq=E{CepqQ)l~^8)|^0Z1SNeV9A>H`w;4(kL|G>BdL@`u z()961`G~Sk@b*nPI6OSQxPJfr@$tpM>B*1QdhBd(Z*R|PPgIHVX#kW?2mM;A~Zw1WV( zXe-t|_jI?#2lV$_`ivpn7x&qmh`!*DA7!+-?AAPrtbrv=4J={uVfCK%aQ3*EJ3KD_ zFtEj&4JYx_Cm!Js#K+t$1^SHA`JBXGzT|(EgRlElj<)t!7+m&i4u44epvP@b&AO+h zkJg7qUU!avN=Zkp*U`zRTr59Xh<4jS?|+S*Jeb3BnN4jYeq{ghbXs%N4=V zlNn@T;`|m#7vmY8s}lEo3W3uROE$Feghq%ZQxZeWH~E;@fz+i-6EYltUE(h=4skvt z=6!?b7JbRijjw zN353aD7U7T&rf|2eU-aO`xVZP&H4AoXYU0$FRrWZvT%d0*#{C`$ZFCm%C&ruIq_qX z@L?hz=EL%Gitj7es|2Eui$IPA%dreIIF8fpph>RMftm@_sFNR69jZHT(uJCdo}M2b zoW4Ihur*u?wQ{`WWr*3!FKM>z)yUB6jOxUa=f_c;P+eD#G_s;)p?YwZ^7)C!XQ}Id zwxLz=CD``~=cjDabkhWDeRY+$R~7k=43M+pi7SiQw=wp~1&Jwhv&?;ad2o3A{^I!Z zp_^)(_U4YhFM4>zo!DTcz;}g$x^Zv!HI0=QG6x6EWHv#-GRk6$cS|&a(iR! zZ9g7aSGFMj@Zcm9alBSeAJT7+1TKwFg90~L;1nE~=yYj@1HgS8EfpHzw=F!X9W_9!>ZMz0)N!mR{8(_UR#d&Xt@g9or zUh9H>Q~dJ9$}qnPC^Nr^ZqYq!#ECx=CO#PdT||*B=j*HUznsq3`2SBv{P#|zG5(vc z80`9#@74aX8VTD{oY&~{A&zl|qGe7q6ku?6&aM0oK(JSxw3#?7F0AU&gJ%z*mljjWjdCEVSgPM^ zEvYm7p3A?=Sk{VWMXON8UwUa_(y6pWY04^eHRO45aHER4^#@>Wta@v22_==iR;)D- zJ*bW}s8Zv&5&6e3Ya33j=oSNN)bn+Q)Tnf;LH)XnI!{Z6`v06pIFpp%o8AF>pZ^xF z`TXZDPDlU03u)s2tIf6W<9{xu8pPsuW|JUqvK0g2L zM4IA%D?d=q`Ch|TngmV1i%^2!XUHRo+P}2cL~Hq%z?s4)nwJ+c4G-0nkU zu>a?~OW!2_pF5ka@xMMF{r_&HmH!2*8LuFcf_9|zM3;nTo{zCliueq?EozfAVX9%drD;pJpV)(J%7bIj;a+Ubo_NvHpZA&z3f9lA{$ee3@dbN%n0y0dZpzZ02&cPKBPm3THlG1uU> ze1uvRB;wDvDe`VmfElzVGOk3BVl%)(97Q0A=nC*eek2KwK!ziZV&G1#b{r+XH310@ zxDx{hX@;-K9rndL{%2DNeodl#&Z(6Ol|YKK(kWtS!OP_z%baG|nt+!yj%fm}UM_)8 zGG@Vm~Ggbul+BK^}oBA zKOgZQJCO-cvu#-y;Ab4gfd2~=zPWS&Z^VB@l?2tY;K=fEiWC1K$ZcQ#pZ58}a6c`r ze_zzdpk+P#aHVpr&Y%ltzaNBop0YE?A#ng%NO0uyn4}f*1MJAcHZNj>pG`?Ek9o?4c@kysZ+P6M1^k;a-w*@?a@Iy+FXvi~2-+o0`JkAY7vbmw)w z1Cocu3VJkl5}Mso>VI^q;!Y;wLYO13n|^mLVwnBIfadX|-u?e?i2WbC=KcRrJ z8siiN_zg+AipikS7$-Sf3W#b~KltLZt6XL7s?V<}&8q?Yw^iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PMZ{b{jX6I6Qy%Q`ELJyJA)(MP2MH6MNT@os1{8qqRKQZ%#5l z3F-z(M9oGA04XuH=h?r5Yol)@B~rALAfeKdgYv(nUfM4D3pz&jj`Qku}=tP_l=L~JBP*6((QM2sd^orsRR64kb( z_Ddd+Na8Ud3GR2hh;uA>S3cvaRwqk`!8M-UP!{uk(AHG8VT?IPLy``IHbiMO2qfcv ztl`@jkyId(Vx~UFV?>fZkaR%*N5LmF0MHD4XGn)<6EUJp5;I|m#-G;`5O|z-o!09d zc20s%Exy~bVo~~kijoQD4>keJ*Z;>SkB<(^`v3Uw@mBwDqU@}>1Uv9uLa$H)G}F3r z?JW!yd^uZ@F&bj|2fz;K$NCv$lO%zRCM24HpfKTBseP0r5K*HkbyW@|Rnvi*91N@o zrErCTPBCL7j&TZCGazY9rX-#e8aY#KsL%4BC6p4v1<(O-95F1E8s-)&#C?o)4eoHw zXbe2VQ7w|T@_51p;9J>t-?(VN>1ecR7Wy6bsDNyiFtC6^LK+ZbZ`o8BQ2( zXEbg*HgzRtZG~hzV`Pd1ZZkZTljE%G2tQZIype78;irET8DOhFTvyl@)JOJ5KM4F@ zKvy{7a6^(r0z_Gs5FAUCBq|JZI$;s!5aTSNGaSoyd}Q?ZeR%&dSiel~C<}w84>xLd zEDN<{NO{bulTUsyuls)0ft1Qh{r@y3Ss-6Gek-dxAp|i(!s9Yx7)Z(mN)j9cNrkpD zRNWj}umcPaFvDqt0YRjBbovZVwN)A+fq^pkW|GE<1gQE_&S{{f87@V_FX1Yo(KQE@ z#_DDJiry;W!?%J5JCIU=`>JYZiWwQqE`bXvCu(S2Vc^(}EtF-9W{k*|8ygZ782)ua z7>4n?SLcC9_~|pL6>y5K5@|~hP{MJbhp{j)UZYG7AlVXSF=i6Xm`+jwDAfa;q{Fs>IVEdo<9aQed))u4*-PcmNVsA0pI=n0Sz3saG-r2|So2aE^r%BE&h3qzJ^h zNUy*3l^|N&HHTLNrD3S`VKU(YGd;mogc%^CO!VQ=;o+fC-*yBY%3d3h;RrLh8Q~Ou z!Ga5h(HID~kc{@u5)vWahois%k-A#R-4LgkX|~ge!0@-Xueg(!6h~6_fC|}2Mq@Xh z*#0}mdR9>%%WpLuvI#PPD=J2EdSa@JGsL-EjwwyWvDlZ8X8H6H$9nR}5pl5O=SsLW zvjC}u7Wqvr9<_=vb!BT72istd6IWvi1e;(xbAJ23&)-O@Dy>d9mhb$&0J#2=pK2VQ zQ@KLyTa-EpjZmW5D-y?snhw3EF3I(XEJa-+OIbT$CV1B%XR63&eTkhK+lC-H+U28b zJag!cF&iqSkRcI`6z4@^^|GsF%^zv-bj+H#%O+_`(qS956&f6~DT%PNgj9!hIgTcb zq{9ofRuYM2xoTJ01GWQ2G*ZS-(1@572@kndP&432I<$XYc#w+-7SMB}uXZG>X9JSp zb3qxdNQV^2LO;expulo^6-DDD&MI6fdhMq$rO9M0xrfLY1RiGz5}3<3xf;o)(fUxx zrjaGPo^Sw8e#3p}9ehXfM}jgm#HR`3TuZxqRVxj3$S*L}ojKHXy3niEMj7c&d!57M z?oNgoCtToEXznTIwWqyyL|INnS%`f($q|b208J9144d%%dmw3)Okxb7l2&U4hOi4C zKem72q5CxTxln{78F2RFsp6v@QRwzuay2mGJEm+_FM>q{g;PFZxL`P71|!4)0iO&8 zBqBH!1|TG4Oau%WMsg&I5lU^tB{ZP-9hozh^WIy}Xx?!E7mZ#CqwmeP$9BH`d~~^T z7XA?wd4ka(r7`9UY@Wx*pIsj~)c+72(SVpEa$R$(1L*!zbLyfod4sPwjjpj+ASYiQ ze0lJh$%#Y#k0K|l&i^|=(jmi~uM3 zLN9x62*(zfUaO>3wHT@CE;gX#2i%+EGbBcR=z722%`)7F7q=)9zC5~_+qMx&TSrav zR(Nvb$CqP4>!dX`E(c97ynA&HH1*+sW&Cv9`sozr2C_)_xhLWC#M1B2wOLpOsI;k4 zEN&>fmJ)sarP?!FB&imYJDFBD&b0Cjt6GBHm|mA!bO7_emePykU&SJo*!%L!qt8qw zO054V+OQ5WN#D98L&8%3TXO9=L;~NS*&=)D^RsCU;(uhhFeI)^Gz>V$x*hXxyHKs2 zyTs-x5}Fc0%dSVaBsbPojnwQIYBcJS^^Mc8tgO6~=FPrsRZ5O*LC>iZj^Quw-kqJp z4H24gX5R(|jE>9g)k|*xkTE(S2}y^G{HZ6$M~CtQhB-~9bNsKlKc;KzuFWP|-YH|7 zc5aQ8Tlf4ib>0~6mh0wslOv{9=snNT=3FmpwhS!Gm$eU^bgWnVpoth=kW?_*{pCh< z3$4r<+dF{bm;-{0;Q_g|MkZGgWQvx3xEYaXRPi8XG`7~~4vcV;NdX;DrhP(M;X5Ee zI80LV>qKuA0-t1Mwsh9iO!V3P!M zz4f7LK(7N_NRrH!2Ny^wBr$@ozgC+LIF0r1r%&BR#U%Z8Lbc_;qa;HrFEJuI$Y6>X zk;BRCjZVf_m~jnbk`iTU?*JTj>%fuJC{|>{?PiF4sPcCg7f_iJqiG*MMBRaNr|4Nn(i? z!-L0lB8 zYH7Rhg6r&?!iG`aJb<9rIPJ^s-hKDO_b=YS)2Hrj!KH6M7^B+@?e@Ij%8@F+?S1!+ z`B2qVT{t5+iM=gZ4dlH6WqY(t_E+Y8Sim^!yAJ_Eg>%?97@OxG_wAPs?c!Hu#6zjx zzo~rf@i6Rb%^2=CBc1nx#$2i*UoCk`X{9NvI$26RW#>rw+iDN(t6q6~R)Z^)hAv39jgpL{#?mN7FO`C5a<{rNgKU_Jzr|~)r?IitG{ZV{ zBsSj6Dt{WoPdUl$Y?FI&?UUSJXP>B*s{LU%y6tbfXmOQ|HR`4_XUeGnA;lMzX-#^K zXMm*koJxIbrZW|DX``F8UYGOB7-db$2&dD0Xn*&^>ld$Iy?p)hT^}BQN4{|{)F|^+ zfNJPlMhkkuu6e%4v$uFqd}9NJm8O&fyYyBsa^$EEG*UUmH5;Bz#Mj^VUcY~uLCkPM zQLMLf*D;VSyh5aqF>~jPYeKuuy1>k;Itwfx^#`5aqt3xHquq+?7-jpwu{L%(@~H~l zORad81;CHKGU~#t64XMR=j)~1-qF*&u@S5}p{kp}Fk`P)SgnWnj|%>4S^vyHk|eeD zZ2zw*ml>nuHole0aDBq*meEG_mGyogTYX^~t&Me?FT(P3EJk?3wXJONFUar7GV*I2 zNRJ;sUP+igJE>WD9lZlNla-+-zZZzzt5 z{Dl&@qBOxMg@IZMm@OG^(RDMzCbEtR6|{GoQJ&j-mWoeh5}NiG7=(>Zq|!crU6s-n zZ(Wsqx1;WDA$qdbe^>C0*VZVwLF;{nMXzGrV5}XAeh03zM;0o!`wTua^i~{sI#g6y zEcjO7luNP9C`rX?;k-dA8YSPcu5W&A-pVy;mVWHf$f{_gw! zz7gUhd$i!x#e%EAE%|+ZI#qq7+*Zm&jF5I?6=HjJIBt??7k&{W;V{W!vjwj8(CG+A z*L*U5<{I%erd+*A#Av2Yd48`KJ^IIa#xROcY03pdB-Op8&WD`iL`BJ0x9Bg#eUV)Kos=lmMq^r2^9Hbb0e;S_ppeGYLNFJTnJ2%|W`oI6!y zADritTP@a=4?lYy*0v}Y#*mpH$0!Tj$%saxy~^vfMh9d#M%nra)}RaIN@0r$XOm1v z#!uoQ7E)I{cMrc&&*~P$jpAE{xK26Fp=;ohQJFmi_z-HTEBee?xBrcQ)o5dJE6halbK6ALwLHU|Ov=%vS*{Icbmh=#y+K z1GJE|#O|*ANw3|8_JnIw z$ez_wR7Z)5&5!c)eO`Fqr<4U1^0N%Bb%8*oP@s9y2d0Jjfj|>Z(xLK;Y3u~0iT?8< zO304g)U;{<7KQ)pxI?|>D@i<8#w%RSEK35X15R}<#X9$P9SSVY)o;TtnLDiO9B-@Z zIJa9?a7s3N*01QT6-wiXJno!WzLs2(C1>OvJ&*+-+{98>f*`* ze8nb8;-zHS{^&O|xA4W&HJef3 zo}r@Szvtj@)tmcrjdrhuxD*lh>rSW8EB)$hiXuPKW%*I~^!LV)w1y$o#Z7gYRO>5U za;fz2i=_wE1rL!J;l-_BNF88r$9O=}hfRebTSRdTh+PrE5S!_iy?g+9+j;CnzG>MH zc8U&s?KCSc$mExTp|=*4tkniT*Ia(gqazJXDkWgryTStX6vS(i#(nsaFfl>Nx!u-L zohwj`1hNh5jbtJo(6fO#oS*004l5xK7KS`nDjI?Fh9(LsXxj4u-=YJ|mD?VxJ2FJM0k2+178N(fAL09@g7qtal0-~cU z%TMPwTWHwqzdI@JsGT_3a!?XnsW+C(|E13i*x>E%#Rw-EX1pV^^`(NFpa1Rf@T7NC z%KvtJa&o-Q|F((p{(bk0;KglbbCy(cJ#~UFx*tCV@88S8B=x*e99j{z^H*{}Lr15Q zRV#EWwtj*r_#jnn8o{F@^(PshPX+^W3t>A10}H3I{4-Ffomx+cZ9yu*8T>jyiONa} zD9aSmo#6klhOO!g*@7g1!xh%MMVyW?eD9`ZO{&`L)*;C%FM#$?sEwvQlK|}bn{!#$ z#%8xV!OH=d3|Jb7OID;4jOtKxk%wS&i6;k?r_*ZUYOdlfXUV`ZvYc(pGOY3aGR#i6 zgR`p;?>||-H**{v3p9|-2F8U1z_9>p9=L$|j?3WF z$)*v21TUfPEvTst8-Ndv{5?--f04$btkG)C$HSieF^zkrjE7&-Htv;rJluh&<*><( zCVO(d37bmIB1-kx+$_nJ*C?x4c=dR^Mp+Fn7IDRFvM#`-w5>h|mr~6JjOuZ5JKPJf zF&ku^q7S1EoBEn%r0TIL_z&)a(e2V0-QE+U+vPFxJbDd1R;^jrX^j{yi%8MGG7phr z&81nh2$7m7fd-D$)SRnjbh{1B@}?nEX_n6&GWTn?%I>CS8`yo=TN+4 zvwkFbCl4*IX||ze35EJ*{Tbh&pyzpshZLthH!qtNdI)~GF zsFi#+o3GvRpMCqcfuRXhyV{{PNZRhlHJ;gLYAZN|P$YRZ%mfc@TZSO+sE{1BxaQ3l ztCNBI;$xnXuE;=JA&dzNVbA>R#Dvu;6SblHXWo^zwnwPpUanm{45Ycgm-;-?WVY-R zH~;t_H+J9?oxroyjuE`t2Zf)NA08(ltTY$ap^yt$!CE!}WI1H>pkk3G6veMG8{#u0 zqEQHY+G%bEgESsP2+f&VV@1u>aB)MUV@HP^Mh&z$+og*M$t}=8&aZ|@s0YMdM9o?X6Pre!9WZdDSu3825tNvHBI<%h^Uvd*o`pRI_ z@zxe*vG~kgeInnXEbA2aC)|Ag)&Ad8sfNpHPe9XlF%BEjZC%_%;$EQ z&UP&l+9zCLlDAZX|pd--G>uJj5TXPMA zl|Kb1e_RCbLs!%1US2bwXzM|>ED*0xWk={>8_B=odxKyeN>hUCy|7Tu@~|7#A6}Iv z?21qtCy0u2ayMJ#qj}d}zR`c8ulF#|jdhhVDriI#_gZHrfY6;X3L$ikh7iK>uR{J~ z4hV%1nmx3zGCQAnpp{8gn$7dJ-Ivy;p$zu$uU-v}RjUlTW41-BFGRxa%i4Ede4cOF zTV_20lx339?n%*-Fjl>{5LD)+L%3CoQPrF;{VAxl$!#Nr{wXZ1C11WBCDOprfww&?4Zepbe3@?fcQs8R9ytSeB@p7gaPC zNd;yD6yf(DRiL?i8npB1EdTu!B_xKwp8xO$6k-t5Xrcm1=|m_L)jOO8MWqC#0R4&P$`4b_ZWs|*Ki!Kl&Q57IgT0QHu_BCC%Rwo++9a)+aWi<% zHU%`aFFHC{F9#{dUCZ~tfpx(-F>aS6svuG}y@)xrnCjW;5N&7G+0!yTaX2E4X%P7tu7-_6@{> ze(0EY1&^VptJ-C!owY2lA(S@8g>nhC+_P&uD?f^meWEl`+p$k;v7&3t=&%vumNc7V zO{tnHgh(Ya*efky6pwbNts3ZMFJNI+SmwHsOXshe8egP@Uj}X#KGomNzx=<8QaYe) zj6_97f6^+}S4K|MjP_L>pXc1sfOLw%pjXZACtG`qZd6!|OCVU21yI&|X?P{;Ml_vb zCK}TKHUzzRWO*{Jn6}685Z}Jlfe_D<1j3)gufP8JXa1jioiAGQ-=|N14sF)Uy4syD ze*W2t%gm zV09Di;z~QE0`^9TtL3k*9nvgpm8M>0duyvmniylkxw5r0P>z85nWwtZr3XCCAVhI2 zC+XrthR1Y@>z*q;TYVAHY*u|*4@6)t>gm#J3QgPyNdrnt5tS<#3!t@#$U07DNQ{={ zrL4O=H=T>E%+caQk8{Nrnj4ZyHE64KUf5d5EH!cpT!PS}NN1juBrRlK15LJni%)g` zHsCHt+UlsQ?CQ;!=N?Cz$u<7>(p+&aSk>!g3hzc-34Onr+|A`Z)MU@)@-D;Y35l@7 zvp|T^7Y?M-8D0Zre6D^`H3~|pVy&xQZ6-Qz%=DTE!E5IU>{Zlfq2Wqz`=lE{*P5hU zPkQeX#KmirL}K z?Fn!te&%N{m%s9i#4Aw6eS3d|L{HI^N9F^g`ViMbm6ga?R zl>MLwf%8-pYZ!WnUCq`2s>CK3pnHOzYi{onFS5BbUM!rN3VB;r>YYqCQEK(Z z6UZ3Wn#Vpe3seIt%z=gmXqbZ!HBy?R)uCQctu@`D{fYG`mSndLBhH8afIT)(nc=Sdp&lwP* z4m0Ycw|chHOrR-SUpeveVc4Fiz?la| z3vL;V?5?>pKN&#H#9fIpE1ABk-^|}~Qfn!p)%k=AZluuvqE-J&0jPG4*WcPI@T$vk zG_zN=A&5pKiGdER5co|ttMw*+R81Ufi7#XL82h|-+V&`@>0fXD_A0(A^#@iM(c&imKKr)~Vaak|6~uvv23o_@*1nN)C-iaj$8q$D!8p?zoQ>^u7&(LDSLf} z$g8SzaTM>JOSx&$%hyD|#2&++udq4fZpMU=O=YQ<|cmHQoT3@u}Ka+!l zBitOmIRC>abo0a=KRtXDLPy6k{<{fmG@*@O`*Ds>U7(|z+EqKRbx_CLCiV^=eK?9f z9N|_ddE?I#bNkxWt(ZH8%ii0Xh}lm)pnhkiqW^WKiw)*~>>ZpudR)o>xYhrgDOPXl zZofnH=ll~iFqot|q1%1qJJoBH&UDOqgpvfu3NmH#AAPHpNzCRll*ejg*LZc}AQ+>J z>*TW14ldq1%V()Tw=PLz5k!WVN!s}LXRluc?*l(gtC=4@Hp6cOzF&g8uUg}p7>suMx{hJmH695M}0c}Q6G)?oC)6%Fy|atrq27BNGU0ZDw0c3h$c*N z8YkFAFI$q`2XeuzH{)yTo;3ll)Hmn!9&Qks&})0L$i@~6DwmDPtZ-+FOX}YwJ}*n= zO&&Gf@gFPh^q+urE0{QG-wjz5KyPWRUi?BydX`6**(mE#(d^J(hy0}!x`JKcz&y!g z?W#*qQ_c2Uu}$~1xn)`W8qqEWWGWOq7GllXYP!l{xhoO)8>_3eIgt?yZO@e|N}Apcg|HWtIfyF_<2 zd0#xAr|tpe&M#Qvc{H&0M)?w@HlkGccOJ~`$y;b=q_DN9hMu#k@!#^j%RbNmyy9ll zlcmdxR_W)ZP-)s>XwordH?HyU7oh@8RnB^#SHIv$G&^()f*^S?mjz8ITUMA1WA(D( zvySPrEV4n>sy|>$T$WYMxOb<3_vANn^sBSx`JwO*Q%UT~dBK=UuD~#F`3<#NEd?X2 z*>#c~U}!4$ZE2KRH>e36)D6-s%(wKMQYrMPRV@mu62od6WSDeL6CCbP1*>D>b=%|>K@=u`ye*%)PC0TObqH-|F0k)<3v1rEQwQ7u~tLKn_-E{>^Kf=~hj(3{NrR zxZ3-7pcuvR0cjW7J#fG@gZfouATAghw{BAJF?#lE#GkghV*R%OknR?Z3ns4g)R@`2}&}-H2 zVc*rBTi&`V|0?co87?hYzJ6-Ak1HkrpU!E}9-~ZU@LW$D3-*5w4v!y|&wuxhw&%Y$ zQr=gxU6gJ!aG8l}QpdhVnaf*r--NMF){5C;i^*C(HJARlr8NH4JyLCVnc8}kz@qWr zJ2|ZG|8DPp+DKV`{A*jsDuCjJV=4ttyB(PORZPaE?HK<2OKJSuJ3HF;_JVaNfQ9q_ zqssU{I__=9|0c>k=l}8zGWWLvY9(%K3v8;C#=pJtXnn^26662)adrQHoBwGuWhMK+ z=2oqSRIMF#m25d#wfDWtDqX&1wedwpncy`L?yrh`;h(30{z%HGH2!U(`mVj=q;1kX zuc8nZj{l?b`v39c$J_aTBW3yVPX^Gby;`QC986+!|HIPYba_ZUQ1>6VbA@)vf&2#@ z-V4jz@qfFa@qbVn|A*@JcKmOk+;jfF(-6O1_YlwJvQ|#-KIA`jFMPVvH2%HoBUfGv zEE@kukIUyj9v>V&-j4rGlm{OF-hHKO82mZ3vV3lb{5?z4_&2MpHZu2!KIr`4JFeLO zN89ngk#aZtzjSj^?T|0kDcxM#tT0wl40Y1FRSCYI4$?YqBTk?t)z{2_e zs51W_9dGUbjg))N|8=)-uXSiQ3*x_uXKpj4X8e!M9olQ#16aKNKPt!n9Gz_E|BaOU zj(_jo^+un+cOQGLrQqG{zM7)&C3ZXQ->HW{jMw= z|CRh7CnwwW|7Oa4$G?%2bG(XU-USu%U@{lCM5 z!}9oleDHX?{@+MhasTfFxO<-MozV7G=~i=RAGAMy3{XaX#EcV~_F>u!u2s5~Ga8p7 z2Xux=3)m&7>_Diri8+!O0ECDQc?f&z`gH(+kdJh3w6Kj$mNZ43I!rl(b{j_{3hICV z4jGA`{2cE7+t1-wz!Qu!=zRsIwi*b!;)uXg=!$XHWteAQ!8J(|_&MCoNG!j+K}387 zLxwYG|N5=0?dnPdT0yIp5_3>cWkso)InGh?&J59|xG}~8#Ymw15!lP!y&G%VLXUB8 ztcPBhWv<~n@>7!)E^Ed2~{m{|}G0@xPlXJ8*`Cz${g1!n6#)%?PJ(H6cl? zZ@`VN(Gc@aumkT#gae;sD)=7w2qy^)6ME&6;Ozs$2@+(A_075YbCkxx4y1Uf)Uiq= zKOna_)^psywL0)an#_Qv>Pv|dWSBuhQrrnT&(AN;1!Xwcfm1pj(-eL@J%^Yu9(0C8 zbk+Yg`a$RFH`Z1Ew+}|cuKb_<$){;I2Xuv^>q!Pu1@qvG4!_BQFFIG~I{2a^#`15< z$T0ZgpTQ3Nh!~+04lkd-;6W#2^cNh7phIGey1F`}zXY8rk7$g$L9pY}tbwwu17%=; zPTEzC|F`j8Xv+9gim|iL^Zje8vSH!+6_DUbCjbr8c38|2H*&Bpi|7?r=tUi5`t3!2}*|(G{m3?lBSkMx7sAfbNYc!>4ac#36xK=2mv>LH@~-@#8;uYXysN*SWJ88x4DB{axj;#x!6@}1|0f#@f}I`s zo2mGQ#+U~|8@~8LKXUhXA9QZN_@WQ*Mi?%2{#IqyUILFsc#I$#p>!w-A;XjmNQ6?6 z%-pAPn(B3KI{{4cv@KG*VyK9O-s~lOqGC zf?M(U$s_$Ad)|+hnu$6=@M4PDOsLGV<{KppWcf0M^5BrTPU; z646jI_|RThmZ4=11 z))MpX)%hxfs5yhA!wc=tP55#hbw6T$!Ga5h(YV|8N_e~x1fB5QLRak{2*Gm4^L-b6ZK;VzmGd3T? zWloG#W-s;AH7PXHhE!oG7B`e#OKx0$DHjy2)rlGZDk>6YiBUcC`hVZOTcvAc1L}VZ zC;jyh^M}#QLnQDGnl+nd-{}gg5MYA4O;)Mi(R%jCOyy5nYSH8Wey9rR}jIF`t=fmh;`S%p5U#BfDXF_Cb466h-b@ z#5K|7+HRudu4^-f6N=(STHpg{hJdZOQM&F(jDLusj-U@9YhW?L6Asv(cGwg_cN{Z5 zG2Y3F%bb{>JZjEdg`9x=bzA!wDeJ^|s!6d=x)SLfbKruc!;VCj@=ip@l9n89tHjDX z5o7dDqeH_e0F!-gO?_bF&YOmc*ZQ5r%!{OGGG`Pqd9`&BWFT@ZBvB~KYUZB1j+s0Z zWganSd9`(^Xd17*XG&QN>n6?LkC?fX%#HJm)m*yT`ZU*o496&&PtYBSv8TsvdKVj& z=BqR7(UcV$%$W(7#*EvfXbVac{pUrLkRA2RHgOl%=Bm{El%g^I$0d9&)Z9rq`_$AK zHrk+RU(wr7Vbt8SYx01r$|6A0@Z7y#6A^iP&8qp{#55`C-<5JM4;r09>at9Xe!Mo_ zEP*X1Wi?{b-!n16&dv^~K*k`D|ETRrZesv&3`$F>UBtiOWbC#c?Olc)fETxDoFy3A zYCBpfK6BPj2Lt4xzb+AdU+rek&^QV7gwqcI6y&~&*RFHzPsFG!ZG9d&o;c5 zPx^rN)m@7>l*N5O_TrCk7Jqo8{+$pm zYWv7+d};E`!nm*QD^pMOjg^7sFU|V0CBq4QX=hi#=iRn>YVOdKJeSiW9#cC#_8%P{ z9y(5#*sfFGaly6ly4@+eg9tQ*Bj7kgayWrXReKLw7|s$BA>N0h0Kje5G*x%oO}6W^ zX_QMFC%@r7^bWowLEx!#SwYZ@CUiK{mw=tplnaK46aJ#kkiE#*iMJ|GguK0K#ys5p;CIG!Zfa&*TU_->zD8P@c29RrKcu#fMFeo5#v~YrJ|YyBp7i4hj4oK zH<0R5Yoaf|Bk)=`F`x`GMq?dH;t7$F3T|Y;DJ;!i6Zh`vktmz=Aw0~lZr3#QWn<=< zLTuSjT>qSBI3j}?yd0w;26Mimp>v3=qZ<%t*oWKBtn*tNB^gP*9{<5C`r$Q=u?}M? zI1z*3?IeZElt*AEBkTWZYX@TP7xOM=R+Gc!4`(mlK704W+l#;c-@D6wxIF*+`Ngx- z(;xo!=H121=a)KIs_;}+)L6{ugqhHkPVgFCW8f1e;UXd5K};c~!bRZA_T(5zqyoI$ zzqIi*73ex>${X?)|E59g$rh;Smp%+8Nn#$Tn|`M#>BHgJ)*)j|C!!C%&VTWua9S5j zAAHuRS30Ka!pw4gDDuilp2YMb)2=s*RIzIDQwd&mw$zx|!LsC#Vx{*RfNAj3Z4XZD5@R>rOT^W4 z%!CRh6a|1P4)ipKWG9#rnqok3{_G7XjOCzs{^lH{xuunijv?hnQnfP4M}g=pY}%(~ zNepBoMJ%*!WRbuq8iC@fG-yO^pCQo!9mG#KTz=8{x_tdcTN(>bFFhgEA(7AGsg#o# zzQssP7&f+)u}dU+HfZu$ng=Zw<2y}gqPq;g9|Ub!(-r+vvaS64clCcz5-%U;H=e7S zbDCcF?frF_*<1XZ@e6Vj+~@(T0<=9>H{5eeFXzD1w!71?bRw4fs}$T&`}Z*Q`zabF$i%v%imvOV=w&N*Qpjt>tH;W>xQitnju|7oO+36%z>o}gD3KA49yI4eB>#iJ-;bjNl z^&}BQio1uyHJ))bH|7z_S2MGYMW7E5X+g8ta$O50*$7=>K_ZmgMMe$|Y~y_;FRI`4 zn_m9L-hC?HIj?&OQjCOK{yRu^xP$MpFkP?9v*J(dgn*w44`IF!LzjPezmyc&^3C1a zsQMrlw(-#|;T@xV(hK9~@bx!Kj~pv{j-g)##X%s4fUV>;{#8CIUfc?X{I%-~Wp;7p z;*esMdpZ!iB7z|{%U5*;$A~ua@?bZZ5(GaICMGDc_hOM0UUETbt>8JkvTk)zykM^% zw81|#pT}Euh=ebf`qSPO7D%q^^?CXtDoQ-{v2fj-)cia{kz2l$r>3Xg{kWx>!$Nvv zVT7;?=BixZ+u+SY&A{?$Xcs=fuM?_Ixy!oxw0RZUhh}K@fV#maw|bRZ$GVz)$B}wu z!;Nf(@vLng>5qlT>?=i}wT_%y#rd)FDvVN*dlMPyd!q&4qDb_iYuyCWlFPr3F&88) z%v6?yeqjLCG1xJtd}ETts?1?CP$??`PAB6lyX;-2xk7`LXhaELwkU_;r#|tvEq+nE ziT$JWBIsoG84OG3t;kSZMK^lJQ={NKiybB=!o+XKF zzqJ0;#;HJTh((zOA9-a=GW_d=NYj&!F;E65Nz8dvE>~hgepSCMwPU}Hfeehbn!Af7 z62JvzXo#!Z1ag^SP6{fbQ+zAb5%?uQ$*=Fa&EQYgP`_+!m}g6i$6t6mn?~-F9hDYE zJ0s41Jay+IRgVh_V|0yy2t98~=I?{r*p%BLkrc<}kHtIuHnnPWV6C4T3 zx~kDv%3$hNa`^nS=aTp+fECY0?pJWRpI!f#EP?!xmEqyyiuq}*dwh~jqeY*&;NoTL zRbe_4N^{%sS`9l!$ClqZruZ~LWc*ZM-;F2+tixZk}x-`B46F`7B`ZkK)99S!Ht-uV8sW}Tt^*=m~7FKQ4A3Q9v0 zy#^m$P^Sjp=pY0?7$Kh#`}KS6#} z^Rw00c&3sL809SANfYCAgqZjbKKDGoIaM$9X@UhdSayQo*+5_hV=`pghi>5JRGF&# zfYW@3Q=`k(PA9(2a3tyy1ZZnV&ns6m>pHcbZklLvWmA#&K_>`YsyVgGDl5uCZlJzK znHfdcI6@{Ib2)QLV-Bj_%~{J&oN3JX*sXf84BrKrirLT&zs`wWU& zKx$-MVVv6G@mWj1bI~m&@wr1U2tGKPp;SI7!FSU0trUoIjoyM9UfnraCl;rBxJx>U z55Wgdy2}_}HjSan#v1KX6`!W!lB}sE?9v$sRk!eLh^sx(!{y}~^ZmqnVIN3I8_;hf5%8lS4Av;35n zy&b2KH?O^mZ!W9-G%mcZv}9~XFSxy?C2NQkfYjC~-^qDdZK*67cN|Z1@B6zfv}CU- zHzC#cZmI4{@tT%y*VNK&wWZ)&%B*d&FXzZ;grjRc7goY-)a0karR%LYzw+l{$CYP> zdsuS!BI?0xxynQ~kD^cQ{?-0}W%--A-X=m?;}tLq^S?hjDBu6kJ3iX_|2I)8nca&C ztKj3uKzladzi-YBE^DbRM70TMH~Uh0f#NA9Boe9Ux|80X8w7V_`^91r#=>0$Q{|RAl z!jfMnn9a)ITJ^6ill>yz_J97n=R{f1khckT&pqv^#(1 z9X^dZf99ckzgP4hrQQyG%WvTNOKz;(=la7M5>!w2pGcTO_p8eu&QwI&F4;F(&?l)N ziK%E0La54ZDH9&2yWKzYKlApVCjv zw-;}oy?y~tp9TpUdI#Kl7n|_lJ{%qJAS3aG6t_Nfr-*gg zB<(tjxRa4sMd>Y7f*rHPvuypGRAr3U+AMz%Eqxazx&tlu;iUVxfmQDP>I}Va^LBM+*vx(#V21Iu-fMJ}u0XH3N_9|K z4XcCu7uEU8hKSfYO;y%4d1Qpr0l&B~~ z_^l?;d8pF{MA`+vt{+gkMQ(qW#kzPw))w@objq# zbwS___$fdaF)^P0m=rAU63!A>3FEwmLtJ7jKlUQT=KzqkcnLy1>Hf#_2wz1}RmXqP z&$12~TR8t8_A2B5aC`sfMoQE8FF5v=+S}bu_rJ$d9skamwzf7FjsK&^i?BWb^I4x zsB39s(fB{8wXxX$S04YzhmW`Z zzm1d~5D9Od-1S+MH^#@WHimWzcac{}fw1 z7PXe;5xOH~5vuZMP4-Q7{1-!t)*)jH{ePAC&y(%?e?z5d{x8I^H7o~e;!-M#h6dO{FI^9F&B8GyiYne>PHT$G=S({2-&h_7LPMI>4s*wMna*0ND4hngF>Q zo?f2y;SEi30FX_t62eDssCbJ}JbM<$40DdTO9H4a{;&)(ry`vzwf{ujjAhTXhHh6i zgwR=7A%x>!h5W}fA3|utujDHo9vnjG!ev9qPlakVcIGuW#G)L4>0#u)BmGN1S= zNjaNai7oeS%p;vW`Mh9e>q!s>yMkx35x{SBO?7 zcBr$Ip6MF-Cmy+Bk@ycF=-<&esS0(4X}*2y>3@HnigkGJ`M zH&Pa^|2jr2q{K92puhf->-_U(`gp0oSo8F;wt2!ol!G{bRlfS7t*PhU8PnFeCXtW-I0&G?~m&Sm)-f*er+|KEVr#KryM`i z$u*uekS<>>OL=;|BH6mJJ5ilpFTaz&<^YB@#4bF1*a8_;&RHwIHSNf5Hp1Z{f*Z<% ze`}enUhXje-+Mi{X#LkaEcyQq4-b#F`#&2gpLYFsyP5UhDyzTJ`sx?1uIsJYWES*{ zVIgL3(am3FrE(_DO2A7Y(q$>*JA_b0zJ##X(IGIo9+l8q5M~B=NB!ZwPY9RqYvO0T zxjuBH+NYuAl#Z|Ype{E0ySmt+#Qm*C{ymmD{h#M?SJH<_y4q=gMeDzV!^--v*W1Sb zY@~SC)?LxtpmP5d86%}{jK;`FbnPrj2!{#1LP^-F)uCE$6o6J~!PZzCr&C!Kr&F!9 zi^$+~YHlL)O~Htc$0&{aK^yoeXhR!EL0f6)8_KRPV#1z;yL;J9+zJDL@wK!<+Zlwr z|KIcPE>3@V^X<#;F8=bv>lbPO$SP4h=Or1yzrjz?=3rNy|M&{T2&ekO;#9sVEvn>P zV*UsK2E^OeC^5n)>(k=;J8yJg;dDf)VH}Mpw9~qowgzZ!YQs|>q>r9+0xEV`R!SD& zTO2_br-IEgN>b6`BM5i@CzQNz2Z#-MsV@XWnTnTymv7#|yBBX?e+4|jI0KRnNJ_*E z{vB=*5rMw{?zO%dU9ROV|MYAa*sGQ8bJ?M?@|nJ5tipE-BF#Zq){hWBE%=~8Wvlk! zrwicA_a3JTi?f2rEq?y~PcMMA0Gf?&_=1#u)GB%H#fu)7f@?ZJLyWP@)m)E1i zp5>`uaeZo)v@IJf3+DgQl`i*dW8wbaL9aajA02Gt|2I4f@avz}@?jqgrd>WHfen*SPSv`<#fV8>AVH z+ZKZ{uI^>i`e5uIW-)Axrxe{=p7#5Da60V&3@t0ot#Q^dHtx!UYj zz9Q*0&o6wg&0;=nJug=_?QiyrSaxPsaPO(U5W49D96flCsKzvM6BH-d)53-VlYkH9tO^QaAtC-LAPx8w=+DgQLUaO8n>c z{=dzXdFQ{3et+2IUvVy3%M$QY^Yr&ryz$?Bv-65=EE@kOy>kBdN5{w8{r`;=fBftF z#d8nP8IAJ`!}WdP52FjRYD4Qg?lVTWe@oF6kwjXs+G}%n=g?x$(5LRn`<2r8_iqee zTN?|<|H-3D{@2IH+ws4N;*WpR`6L~7BFZr3orsPL>cHGL|3F%R(eaDhj52|lR0;NS z`v*E8zMfGJATh;)k%+%YW3?Y@j-~0WIg+aOSXcNAb%Zzm*KPK@ve5qTRr0?d9c;({ zM#?9%|LB@_6h2-$=>N zf2@4=qxQ^)v8*?2SKrsFcG(aV9ko_1B_JpWMutPo0Kt%< zNUC91%Rq9+oNT@~)hC)(_pHs6CrLbh(w!pKWs_8OmhQ2P#5G5->~(K?AVJfesfdY* zTw+`)YUMKLI~(?+)6R8A7$su#Tj27%+3kdURbEXOuO|9vgk_)q<=wlpb3Z!Sv&5dItf3AY)7?!aY2Z-GCXPaj_nsC`;tsh+#gWNvwAO2Z$sShP|i% zbr3L&Vv=Icm!b5(f3e(e(=?eqG5KJBr_>(>37O)%&~6C%Oo>0b8}SY5uzVa%4kU1z z(S-!cpUnrwdiJi0ICh%A2QkJ?}d{))x9zJ&Sg$J55KTe+&aoYTWI;cFh1 zZY_Raf0MEw2q?eEy?0BWE35x=2i#Rt^N95CqpGE`M8wzENV^2Ss@q9YM(KVlppSdp!eqWb> zNSfdGzBk5QW#SzJ*sWYb(XuT^1}Ae7iW*LQgbq(0@yXc7sd|X2{``ZUFRU+G%^fyX zWXXq7wnaS`w)*T|Ojxv@FCUJunLRw$v{^f7B<6dAr5=}PDPy!knSD3sP{DmqffUHJ z?KF_OS6W~R?x}7m+p1ZA)~~r%Xn`-hhI&7;<)JyC;!Ut=Y(bANNzuRZ*_h3qi7Dw# zE6t^rMu_1vMx|-%_Fmn66mt&Q_||LTNQ-^|;8dJlWG;1ePrHOSmjk|1AUQk>mfmPi;y2}RDYDo<4wsZI|=WPEBOQZciXBxR{8w>3JUhi?~ z{Lf);8~?wdVsy3N+beGb6asmxdjW2O@FQbA+xg7hHd!AST)B|GuG)PPNjc}Ygz;n% z0&S4PBK=MN!RSO_^%tL9seh-4sed!&fqtSE0&QqdIKCjM3J6IqwD<6W#O2h=l|9&k zW25~G|LqA%lCrO&3c&5ClmN)*zb*dU?6Z_UHct!RxAnaw-EKl7l&ITFDn^6#F9|2%Ktb3fx-zdkk*iAC>xo*uHg0=6I6I-W*yM`ViWB@1p-v&B$J zG1Yvdc1GjZC`Cg&#;G_{=^grTh8Ri`oGi{>xwfp8^Fs^nlCIKjX`CjAj4g8Y+2-oP zV+seK?iV2Aw^WIZU(+UD_4LI(x9%$3TPD7yfk|`tuwLpbw&%Tx-_G!hikknG5k_eG z0C#`?X_@o?kIUzOj(R6s|IbE>>-v7shACo1C&?*IZ2{POWb&Fs4i3BBYJbeCs!7W3o__KDA)w6xA_aRoTwsbr%R>j z9F9lor^b+^LSN0G@q24O_|%;LJc=6sD9hRmqj-!v<9PjTEE@lh56kQS!;@|PpUspV zc=PPtxjONWSrEWa^5;MH)Pd%HSG!6HZ2{qcfRk~S;CX6vHVU zXA`MB;9ELLV;wiR_tWW{({FQ>qcj>wlv@Vi2yvj&via%g0HTCQ!y!TGaDs*y6hYEB z)<{Dc zVQyr3R8em|NM&qo0PMZ_dfPa*I9UIVo&wkDnTo3|S$5(qnqJ1`BvrnZ#S^=#zkAcU z5=250+7!VCK-;QL&o{3zuQyNf`>>JV4ob4)B=jGNO@appz`@ypLy;fB(1-gc3rP83 z1((5h+x{62hr=h2AItxT!(sma!$*fl-yJ-D^7QD*(ZQ2PN8b$(4xc`K^c@&(9g~uu zm~lwI8*bcJesEvN4-7-XA;%}~Lnf6N@ zaun>VPWv#3aESU-$QFGsra}K7|I9*aY@YU!n}Ps)C}d~^jw9$TQ2%f+ENc{A7N+S1 z@!};4)$D3?Vj7IVg7b)t_60U9Ghdm{cYa2}5;QPP)`CxE(&>wzZ+L)pML5BJ{LV^+g%|N(1?7=9q{#3-`qX>mQ3O$V2 zsMiM`34P3E6OV+91ZaRlI1P~B19}Ga^Bw>cMTB8a=xPLJI6$NQ{lUH`I3C+iTiJsc z4vxT|4hF;T3tffCH4%3F&J`Vp}DkK#!6YUUqc2KWL2ieS*^c!>ZC z=Qu=QMkrVkAJGuNC}M*i_QZF(XUG`hY+pQM$u1nQt9ehX-ESpJw}d$45Qm7$xz4Uu zU+m^yjt=Ko?gg>w37x0i$j18-B2j>Pxm9N*rk+~O5-?c^g3kMD0(*QFp^+G9fIYRj zl36?&JRcnOJ~vbSf_`%HKOo-a*86CX|HH?RpBCi*lgFL>zl)zdTdm`qW|OLIn3r71 z9vlvy4i2B&u*&(OGq{7n!K0p!=ZNtUU<-J7^knpCc=%}c%!5x3yxFti@M!1{XG8S# z(d;>T_GJ3>5kya)KY4oa)O&JtFh$RvJ~{H9`_t#c=g*&@qsLDUdvg>b3b_!3JBP!= z$Nk~+{^660!^6?RqtVgP;MvjR;lbe_hliu#aOdmgD9Qf6fR~UdjKxPFwS2YOqc>I z`{V@t7m4*4tl{ce*aKP}0z%J!03M1aJNo6$?*9o^BnC^k0wLibX2^n!ZafrmfJ5Ms zWfWi-dMF)M(!&5q1OyB+6*?Axau|Tj>}CM+-h0}w?Fv~O`A%G#+IX(xc=R4rX>+&%wJ_;P~x-fnQGFzSsi@^97;+-9%L2Pbk1*8j&wn)R2!sKv0MH zn?=aOGwgu?hVvNC5tx%JL_Z@(vz_{(4ZqQ)veFvP+X z23qujM}sGWp;(AHMUW#3{`99m^&W_6Iw8v?2?0Y~;K?M&ejmKMLX=`3fk`6Fg$^)D zCSxE?0Ml#)c6KU1oW((q|JXb$0(gODFb+8QC7vQ0A~Ee=5Ho?aPlPoy=;^;-$UjHs zwa|EBpnx2w>?VLy6fm(rpf9%x3<4WCnf?QLoDKAPq8qr30<;Gv%hllW85=M}udrts zJCi}rlauyZLLPyC{abbVmiP!T6d+G7uF$+V73P;BIp!^p9|wXO&WO+UfCocB%ycR4 zLnt`skfT`~oTC&eA908SCU&ABqz~2*GDP+9p&_Tsq=obYNTMR4U~Tf38J@>fej?0D zJP-R3@%th1(f$MRuNn!VyMvzi^IZR#j`w&r!y)FYZH!cGYw(|BdW%C&vFf8M?3E83 z>M`|U==WjBao;@I9rVnv=@eY3L30A8LLdc74;761zAdrffLxABqbVNl4tnWdYy>`h z?5S}jZi*Mu&8B>B36mJ~lrOFafZDREQECw=PI|q--a^bx6bFGEQ7PC#&X{oaKAP?? zY{;794dhE9YgAW1$5S!&3gr*SK>!$+QdGBR>6|X&=|JNkyDsm1pTjxZmEZ*Feh^$G z4mSkaHxLwbHHiPq*Br6m2NPx6r(U&*Xv5)L@=t3%OcLy zcxRqTfg;Gm+8`+ox{{fG!w)#s~7fcu#+etM=?P|yir$fJT03w3sighni-Wkku9SR0QbAB7x4 zB})}UNVY9T%u?;vV_Y1v%am&&$&|I~hUmT^!oKXaA5nY-IqFk17nR&($z2 zUiRYU+549##}_YOfR|#qBZ?VHOq)xz0uM=~l!e_oZfq3RiV+n;0BTfo#QVZ7<;YJJ z{l5w=Na%}yPUqo4!URx)WgjUuW_Qrj-;OWQ%F>n6p{a4pT_PEhT248<>jk1}4ECTg z1B??YlyU=GeKV$LCaGSq4E;z)YF2&qxBW^Ybct4d*-c-=>SNYd;PomT$3EsDAoID{ zB5DVj5gQF|4=iKG!2(_(pndXyK^DjX$*00py@az%2m;JF3K0b?jv_*pk}ccDd?5%` z`;#B2zB0XYA`R04cuTku%LwwAN^^*W!3w}Dhy%&X#pg69T^RVwpTX7Pqrs!WaL|*$ zUn|&&OnfQv7b>@pnfx__!=8j2QR2s1TU1lPz%>Fap3f2E(n3}9uqVMT$ThkW)1+)` z90UqkX=US?Y!3rQ^hfF3S<@xVSoK2Bu;B3e*AbY(fFU!4U$PS|XkbrR%VNqP2bf#S zHOWr<8^jmHpGbDk37CiuCrSt@C0nyy1Dx$?6C4%a>5f_KEdXR-q9ud`XWEPsPHvDt z4LO=4s%$r* zCHuP&-6iz)8Z#~(4+2xkqS1{P#6D8GnCx28oz-y|2Z4mDTKX6A+XBdl;?Tp9=KSr! zo+aO>8lzYb#B$3qT?vWt5QplwU16#b&uG*cd99|>3$U2@bcZhyV{nd`=w7{i18;te zXEQ|4@$YB^4xT)H`t+g_0~x6mIb7~wQN9${3+zZk`QxY z^?ywPvBz#Bntp-@h`&W!#H(R1;31P+FepB+7YQicRYNh}V`pfLC}vo6~f0h#Nq zpscQ*f zFyKh+yqV-Um`NFt>zob1xl&gZQ&sFjNCB-9420GU)8_)V)`@(@l@t9}GGxQXCWchU zvY)XvuVX#0dSnwl7S+cfaexRdTx_L@vX9KyujI!gEmkd!Ce>o@trC+yOgMp2No*Yq zfFxBTwQBMTj+17SKvG}7Pc$0=w5ZgGr;hr}d+1$)<7-G!h#1S*JXLd_`=s3xC`n-H z&DO7d3cbrdG?0ZpES@A?C6oQP1quO;Ln#Vz2$pfcaTFjRnoCEm)_ZV(`3n3_LZl@# zv|VOziI249Ys?zGK_JW8`2wz{Yx#lHijvKi_$m!bQaOQ%?FT(iazgodXO8%e^08U& zV7>8)(n3Vv((kE!p@}UaUa-t}ds>C%V4{0FR-FwLhx;?9F`7t1o6srrOpb_pUad0; z+go`D!8Hnk{$)t6LwlY$QS+&}t(c$F7itvmGL9n2F||^sR=|rHCrdR2DMayYNPKjh zJQ)erMglTl<*Y!lo;~B?P1fi{MTiR|3{%&*kVRSEZW?C^JP)!Ri6`BeL>_Gn3VPO0 zM)t&ur4VvnHd?}HBzLe{zjRsD<}QEdqbMLNfnoW31zNIpb=d- zR0{q;bUR>1B25(V!n9i)CEEvBB5wgh%$A0mBr&u&LNsQG4#2xe*)>9Aot&S%KYr6c z|M|Foc=SYbwe;E1!J)<>0Xzbk*C{r~W-!vsNg``264SJI+gW60F0Mz5vg#q0A*k(e?_(Q0e_(IOKbNO8z5&y1FVqQ`karjnMW10b-xby}H+ z-XitVNiKs!0^-k zo|WPXQe4G!Obo?IFPWI1k*#iEW~^vId--)t*dLMpomHU`CpO{+1tYK0(dE9=!;*_v zKizT&3JvXa%rXm-HJ2ia`Z_*`d~nKGY_O3QtnW**Ox+4NO!DU@ShkizG$m8@Ve+cD z`O|cFgd|}4R1C{o~_Hw)` zi)+HCc))B2Na7duHJM&7kaW8dDt%v;!m%KMpV;zVx|Hc0DQ>_31QQPqJVAPwXf;rN zh>0|%_p|`imWg($vc%t?0He|6UMeONc!DojeS<4R)vwY68Tu)wP#Js%+(bJc#;U`y zU>Hgwgan|QD8L@(5=X|RyqlDCZlT8)2vfVgOwv;LWpEOfpmG~qXfrh@DRznlRZNbB ziQEt+^N>Jlm=CvkNbxG252+oQNbUCwoE&Gzra$-K%N%!9Kz(f!kHF(c&xXTvjdGf$ zbn#ejs3aKRhiU^e@bL7d#Abn@A1J?^awX}M%p{O!rQqxuI#sH;AF{Us*2H|1Auk~` z_LK_7V!{8UPdU`=AY~7dH=b$)U%Wk+APctLOODo$#Q7^4{wbX#@@Sx0X3=+46R-p((SwRmH^g2GugwcO#>w|GDbHTXs%NPfdq+pa=ooUSTUD(Mux|4@*iI2_*<@>J*^nZi_ z41Gj*jU90=Wf^8E>Y5lSl-y9ynDG)N$%9#+scmg(3pS6fi~MDyzZmK zl#*Vk2N@g1PF4KNzR|MD4UlrqV-H8Mk`oRnSv94dYOI z7?pDeK>teYS%$K#Njoe}s7xwBCJv#@Q?brUsY)VidGdnAS(W~P{A;nCF$@Bokoq?$ z&v%TBUtRDxduVJ=^CjtgxJ1E9a7sk6v>+FFE+`~`TxM>FiNT@hQ4BGH-X-E7AWVBJ z%nSkDVAfrf=JjVLA*bBV1ws%)UBfSvIWtK-jr!f=jsxCUo#d8WT+h!2Wi>*?^cI(cS|hEVY0 z?YWYe$%ag(R4*Eq0#2u1Cy#O~!Aw6%zbZ=+hT7XK+9{NUo{GaP8&eo19=v2ug?@sr z5QTHaej^n9l-p=C?WveATQ=g)_pP!S{SB^`Y`|C zApbz7)a7yu68DsKKF2(gVa>suka>WlBo7Gm`%}G#`fAhe7_DO`i99K0HAOt1DGje# zzYIngOnb!$pqc0wA=^_lXm8;}21>gq^wd-*TTTs7pP0;KjRTYTEk9U7?k()Z@^nvv zKjx`Qeqo`d)}Tz{WS3l~+9)mTHJSGXaRiqB739)eUz52cAhoZ5g8}x_@2oucBQkl(-*aJ)R(a-%(y;Ovm~KR zi4W)d4`c`Zqywq-NYn*iO6dA!YL8E7bg4Ckv1~Y&ASNK9Btle)qT*_5p_?jfr!VY$ zFtb;bnd^_FI@MPfaj1uS>E9%{56lrtNv?T0uG{G-uwsBFgZ7M)rLbgU)_)fv3Pn3Y z!Ee|Tkl`D|DfX;)oB-xg7^w+Zs@H>FI*p}C3F;G*RXGBWhC=8B>5;s2VwpT(d8m)3 zQ5cD(*8P|?Y>n{%{3=EvrSmD{n0(K`^5XTmjJs-88%pw%_ISWfq~4_HOf~pf^kr?c zq*21M;42)U5!grE+ZSE;r4N2zdN0JUgD7#=h(F6)i+}sx0^-nWjzbycLFbn^`c2rQ zs|XDFP-yEz{Bh$PE`NDiPnTsTm z@2XKT|5YPcX9C*`ws~HmdeTn-%5*}M-0)-MbH5Kx&VEh%ZQ`}JjO2s#;E)%^=?lqn zy(qS9=0rp+;U$up|56nNd_fWPW#YF-D3aGO1!egwdQg~w57U6mQ}i>Ki&y(R^7<-6 zo9)`5bp9h`B-~38(#Hm5>faQBIle+6n8ktt6KecB4>Xv!L`ZF8z#7X(wcL|Nn~&r( zb-e;b%;Yb7F%>ixtg=?433tln`U&%&D;UU(5&|auK3hgY7f1<8=HxTZ23`~!WK2?mdSR zQ91YccLdOEhCN|duF|6@lC5BGA_-kl90id)2`PA+GN+8UONEp5sgoI@x(|Dg05c-( zACv=76QiMu6<2ZBGvcRtv3Z-wIPs7$Ax*hQvn$v81|vQW?;fcw({N)ZC~CS}T!6HUbBkN!E7)NI}3b5th{w!H`*b^CbM91ISpsM8fP? zKqie99e=UEJURPykfEpKoQ)83AXXPXp{$aj$;{fjGPaabuNTDw`CMikXslrfCI=IByeqL( zk_}_dQY9J4;yuYut(A>znDiTUh9v3w-mqzPxFyG_)x&~=lbNG10r4(%=0e$yFP$T; zPAdpw4IvYYGpko{4w@ND?Mn+;<}2sBj7FxnF%xiV+rC}P~=Rx0QO8HW_G zc*<6cqa}Dqk+5WuBBkA|o}+hJM2RO&(nOLFYt{xwKjCz?iXJ%SuaOx)ET+~xN?xG0 z(cw=xFHw-CJQp zVaO5kCsGOjzlq9w%CrByB)51)X4f!wiU)=e~viot7|uq--rEw64v(u$XK7u`txK0G&Vngmsg0ctRdnPb-Ty1u>y_iowZUY>N-wgXXCTXOb6Psqm`iYJTR3=yYY6cUDQ# z_PRh<5tV4EsY2=17DmbtwOqb1=42^!Js1RrEly>OMO|`ac#i~8NEc7?77P|TfrTq4 zjOR}$o>g&SrDluOFRCp({t3Ro@zfj?obHyrv9gq$tfeI1yzs0`3)0Jr0ukg3W5+Lu3Z=+&poDP0XOewb@&0^# zSJ;#Cw9pGoC*X<%u{wDqgvFo`6qYWdNo3}R|0dgKGUJ6=wFf2|>4CuO4D!W9s_7vC zNGjn1w0UKp;69x>frsh(=td_2#7og2xqTq?B~WuoQTfCu9wIhdDbChJXl{7%S0P+tFZEcct2nhy+P6=1CCM3Ld&)He54A+z)vFh(alyG5Ka)wR za|K}-_G{{<6^p~5adR-{qk~8yaWFSco(7Y zoI~%@oSCz5(W`1`w)C<^bvS^exlYJ0Us%2QGohOzvVjdP8LCvTH&@a^Qj*_5HF@g>~sfxtlpIeS14-sm3b9Oz)7ymNS#_<2A`LRokO zDG#+0=}=GUz>L;RdL|)K>~;HQRs%9+L9%(~V3FJn@~mCTW#zeg>2M^zbWv#MYqB}| zz%Ww{(qK8Gh%NLkP7u*HrmXE?pvpTmSOTuVb~Gg`jbB1%RqRj#Nv3s_pw`O-8PZE- zq_Ls(F(0!_MKMauP1IuPSf)&=80)DX%VuNo^<$VeCRTNtg76N*?2vGNIn(bb< z6|{&b3JFOq6mg2tmAUd)j@S@adehYTBhC8C#Y0Q}zti8z*!SC#09%#;4N{;&4s2Bt z6lB5nr9n|1n1FkFay_{+CX?VG2nlg8$?lT$E=nUdT-ZJlg6 zPmc+dA!O)J!TbfS%mdqjS7hTl>}TDxp*$6agZFigi45;lVW0GrIi@0T0F9sMD|f8F zFH_u;1GTq4m~^qMo(R45Is84QXv`LnBEQv4mf~A7llES*ZibxX;ZOF!MBT?NUF3o! z2jEN|+g6USgsyapWN9Wz7p-y5Vr;FvB~NmUJh@IqHF$4s3!0?YNDcJ$OcGbI>C#vJ zAb<7Kq{8!k7s^p4_z#o(*OXcmCLi7@-=V?cEO}ptLXjvfDy*i@T@$rUvy=2f{3K6) z%TS3*@j^NZmzyL!lVizTy=8nIsjy3O3QP{0bqaXh8-kp7oi^eU@m2cP4hEXs7M)0^ z5`2tcrD#bw(wF^ZFZ2=GNQkb@wQ~1q^kaqgSfX7!6PcE|(?d;@B9mvnxH%D6J57mb zSe%hJwd!@^me1~+bRw*~{tk!WC;a0*nWI$eub7*(!3Z2Zdh+b)@cF^vu-A(S<70gc zbo>u8ExWKwu=47Jm_)4?pv;Lp4j5;*2>mGT7+l0S{Z^XTC44c1Rp zf4NT%3!fYe4r^Pgn8v5TY}V5L*!SbBMp zlu@Z(`n>>iE({QPU`0v>lg++FbS`80szVKGh6Q5!E18M}KD-ev!8uyOkYkU1eE2|o zi^F-JnPpKE6B6G!Gi}WULN+xeYEv~JLA6)v5^+h= zaWtpUN82E24eCoF=?6B6S&6V#2^}-MGhzDws)zTVdSK{=Q}{BxGDw*PIsV)E`26L` z`JUjA2tsf;GPqGXwl1r+YwG0#ECRi5cPdFxJ+tq8BpDeS&dbNfn1 z-C&qt38TpP67-R6LV8tgIkvnR$MWCl}$vC7>_Rr`$AZn2s{j;=E&9nIwd zrj6V)=!OHxKqw<@(29~}DE1#@Dq5-FC^MJ9XLgVthIF=_QGA61G)FI)2LpZbIK3?s z02+tK>@5l36T*|NlwqNwojk)X&mI~)gqEp-NXRe85;IeTM#x`vyV-e~BMw+B*M1hu z>y2b+N?oYK8K7c#F_%XHsGKr%!;vaaljuBC=v|W8OlOFY8JIlL7Y6A!uf>Z|Cj;)C z4A5lKP6k-#3zAUX+vM+Rj(o_`Ij4}Lxi+TNS+(~h2yi(6RW|4WFpd4WxdL?wZ+;Dv>IO!hWIYBJSFsOP z*c`^98b$WU7U4mvHD8&?E|zg(ZN7n6#z9gFY>Bumf@6c63}iNheRwko4J_c5h=sjcOh<>7^~WJQv{&z8y|7XBV-F;s$iwD6{iYez^Zs?Drdd6x9;X#p(G1& zE6kw;?l;6EauxC2_(L+)|A?8At`VY`s1Sv`x*(!tsxHr1B6GPyh>+iSY-Y0>V1l6p z1o~`0BI=)hfM>{Cc>$8S*lHH~3O#A-$rx1}orx!Ea)da>FnECixH?B33H>C=e+F?7 zQ*^PQh%HFqkAScOfr^=6;-}4r@-Fr(c^`Qr>|q7)N0p$3b&j22w+0Q2wqTDk4a{Z^ zm}hkO_nDJzO7Eg1o-cIPccf2`rJ0&Zj@*=7>1b|gPCBzXGudoXT&P<@B@BIkhRj@& zR}HE=$IXe(B-OT;<^#!d`49C8zJDrSIrgi_>jbH#&9rb?6cOvYbw zOi=WRLl6Z}rUQ9UNS*g6o047Z#awMAv$>V!!VT$~c~CpCkW!bH_Ay!ZRtDGuI}G!1 z39*o1mQ>iyPl7>hnMqs}3(oO;!2_AZ8U-fd=GfPVA(Q1Z>m?5a8ZL?Fp($XH9ORH^ zUHfOmPYW;7*w`hxl8cF&mt*C($7vc0O3I6bqM5h{u=(?<(xiJ@qj3ekLUQ3-NZWbZrI9UiQM58#DtS<12 zx_C}UMooa@Bo{1=q+eJwlk|M6)N%K~@qe>DK+#<4B#3(oiq*pil$XRyQBnslvIAA6 znB<+mjLi6C4@?%2`jb5wBvLoHCFxkd%A3a2v*ao)s1gv>g;weHLuK=64k71eZD2s! zSK28BUEq=q;BQFY<0tiGiEUXg2H6)z4^Ff1aOI2Osfq5v8@+d~0A4#S}X>Hxy zrscP4)|M{6{r=9^zN*kJ0Qpk8cdYmurrK95xo>SEgP&?}F5jP|uLb|_gC)EFY8Tot_#BXA}IS4LcA{F}l`%o%2avlrT= z%Ik;W$NU$AUeUT!)&cv8k~k7PQ;k(RD&@8G$s^rHF;Y_<_nmZQzQIgh*(1PXADuvB zWhz4Xo2(y~oDnN#8G|ITtm0rGb2$}Q6^D>Vp_3y&gYt8L;GUfX1h;S&5Zu~nz*g9b z^{`P@7Y3|_X9_BZWEso^_U+$-0B-dj1mJuV!uq7X_QeRgi_|lax{sNDL8uq6?UiFq(kmu+2#fJDeD;g~oK($1ClgGD4{*p%Z(N*Fl9ykQfv!^OUQ5w9Vy2fFgBTKvS;? zp4lLiBhAUJiTV6gsdm2?OO!qPdE)qSl{rv(_8U;>nsE#IlMnU)=3oXr9AFN4Qd!i}@~zqBL|CeO zV1Z!37b_k8xK8WQ$OxP+-zi=yl30=}V{{fs6{z~;X?~=vkbiYJI2arZ`-hJPhl7J> z$;+gQ`Dz4ojs8p$O?jz)qVF$Dm`HNzseQ-#`yY=__R2~K?x}klb+IL!Y}ve4P)JPc z)Pjs!@Z|{H`;TF#65LyrKru%d+&EU3e~!S;=-KeukvV{&FEq5?J|8|iG;e7frrfX( z(j+Lg0R@{%ERf9QuFRN3(#-~C>ERj{g>E9`apb=`AAy@0>loJ-?3vHR4$26$S~KNw zsIThm7W|u7aEAB`$l(i2-(3qnvA|Jg^-n`Pjm})JP6^@W8bX;QhWtHK`b=I;s2tM* zLt?RufARtXq&pa$j!7hd1byuy38TRl>f` z*FS;Y0#y=vM+;vwEu@Tr&~DkknPq>F$p;r2v6TqZOTInLs>6@5MCe|Kpz{d2cnhKK00Q2}6GbK7gJ5 zDGv8V^PN4g)Ax43$Fv=!b2du<6sUc&|CIa=^lwo1A@UXk?EH*^fPlXd8uAwNydkYZ7oPh{Zj=ea5)>ap!{!nKV?I+8$-y<5NQXQ6;A{ z#Cd?UPc*cFt9z9qm6999Jnc8$*8##j5NI%3`(cCTsa>wvHRt@`Cz4W&rG)q$YdG@@DcO_93stJR5~2? z1qNgWcuGM(34G4%1i>^t>;21DYK9!+#hPKHzou!KeSsd^e<1$rtEr&w)@#j=*zSx+TLD72njAdxQ!v6YY8#u4))+*_Y;m6Cw4Ix}3>`^s2aXFI!&C zQ+Gt#WeT)lJ65mKifsC#tF+Q0ObWCZFzJ2L`W6YX#Ohc3=!#58%jQ!1N$I2<%$js` zS%L^IlY^sqY*gesxv5LoM}k%BGx_!)2MR}3zFPU0RZ^rbs?4kk?z(n`EH+}?++v%l zD*=+c{GK_8l+=ZJPXYvfls7*fE9aUHBMf?U3cY*@aj~v51i6g;NFotCT!*b9b2ca~ zk7NpfWiID4RYKHoR>sAy9p{**CFLjmzD$dqLQl`e`?FtujK%&rdC!#7T?!mkm4ir! zBG5T@3G>${oW)QjW(5f0C_=P`GL&TZKS*PBItK$;#^KZBeS^Wv)_%Ri>Gg6*cgeqy!J&pXob97P!f`ufzx+ZKu%s^r5U2WVIaMMc8UUW4WKMg z0ww3vxzXBbt1mxI2T5eL1pwu>n=0Ld;bk0f7$V(usuD905hmk(d#12~qFI?f9mPE5 zyz+DyPp@LNDz)tCo3hQFN-5F#)^*65^k{k@E}~?Hr7%X8qe6C)_$rb+f4B)(Dh+j- zhR7y74$&B5GDcS@Mb(TFuEmL&2=SAdDm5 zzM~@jwJ&h(tK&x|8z_r?del{=y{|%#fwvcDYB!0tUO>D{MfUk?=ueU**qOp0fQ;`* zj}Bl&a)v#1lSHZt5FY^=hfI*FpjZ|`52ZXnE`W?t%GuH|6-a$!>UHAeS9+x^E?^P2 zPAyjgRl|bnq5`QcA&*es=%lf(S1-{>4)v$oFPQ_4i7ZK*p9I0}P1Mw#HkBR3kZ3Ga+C5V_lgsOM=@N4ACk6E{qd#3O|1$cM zhW8iELKY@PkVcnU@y^~ZVHlyZEVSqr62!#c6Fg4eCC5SaL9TPMlqVEieRoUPmCd6Mm&J5=PC{M2qPbxGE5=jex>hi=|K@meu`qFpW5z0s4`IE2$)7g+)5%itx4y~86zBM2E+5Q7v0997biYVd4BY{csh@vz7WK@DtzA$e} zC7`N6{aZ`3PChsDY`j8xAE&X=WL}PvM-~;@Ip#^>#pDWGu_$u+q*9RY3M8dSvdNzL zrOnoI&4Buz6>7WM&|k}2r9urScap)V)=W%GLPK`l)Q8teF`WgHMRD!WNm4&ouja1Z zvvt$1yxNMJ!Q?Smr&g=!BwN$is=zFF$sm&Dk*!;O)ejF?y1LbC0Hi8AO6E6tkuHZA zJ+q_ej}FSW&&BKWyQ|@e#F3OQ`A8`zsR|oau|6 zRxs=%xA-A>THH2f|sEm5gg{w$u5LYXvR~>u=nlk)nu+7J8grZnbd7;gN89R zFHqxt`T64FEX(M@LwE_nnNZ))D7jImZ3Wy$Vmj=I$(fiQxiRlbN;9;!J(hcmwAOn7 zUfx8Aa;=HTV#O2*&Dp1LPD1t{(s-3Z(JFnUje92V6eDqJ#iVsuZNHLIwU%%tosiPL ze~@0UAe13!-&UYgnFi``ulDgXWSh)OT{amovP6JlcB!oFUzKfOH|9j2;>EwC1mE{o zm?m|^XzxCxNL7~=1gy*Y$uJ8`WPYw@pG*h{3Bbz;dfX)DW}Q63&P5A&g$Xs9t2JhI zw3_L7fSSIaQLq#?zV`4@9bi@NA%Wmjh9p(ZljNSWm_|eu0yh1t8I%uIF9QElb!dJs zKV5UgO-(_SpqAdOldB17T~v`eCYVQYqz|;tG;Hf`VB2Gnot~{!tj```-5vDOD}iZr zY2EmfhUCX`2;-Rw$21gxE};$K4xexz)1)3c!@)8+m*c1|#s~>A~>XvnP*h zNA~3LXBpTM-i#XuSKr9GnYe0jM+b+WWpq-h9H;j1m_m-mGL=mat)_*%%VU_Zq7Of6 z_gzSQw7V8p%wep2bA_wo1$>JWolwXYARr`CIe7ZbvAGj7es97X-<=7hHoxD=L8(-NAF+08nvpt zQ6$p`a?ZwLMaC&j<{ys0QBPmcX7)DA`5?5zstq<`Cie%F zzys?(QMEhNX4Q0aOh;{Z3EiD49rA-H0U*?4|)+frqlvX%JwY0=cXGo$|Ik z-KW0AwxpMX;c&^Uo>szULSy~Gc*(4*hROzKMb^~~*i(}MsS;Ae^QsX_z6Z3CN&MIo z{c>+HRzSxp;mc}PhQM^iQTy(B01n>ZA4_|e8iNEY`hNWE=;;&JndbytL(KD7O!fUC zb(5dP!51A=&Az-k?g|DKOD{NcyhJpmGrUA3<_!p#&&K+*vHq+Ii#PBlo%|URlOLs> zmUWg+c%d&L`s=6sLSfT1W`^YX{L--&MyeaBiCf6fXW;fL`M?qT%JkV^%zEY%mX%3Gb`-# zB@9o?3T?a@@nw zv*9y`aa)9|N0z7Gl3rRfhpI81C13%JRNW@A6AX{AR#B#UI4t7>aC%nUg7Vz**@II|y|6e!G-mP)ZCgUfgq9LOf^pIiE)nbXxT&L+4IzK`b^Ro#0h9n8D4)~d zAB==s>qF>gPaZ#({||@5?EgnkpB_Cq`tIQI6Y>ASlSfD24G$h49X|OE47Y|s%}>lY zq~8rU?khjIFXZQ6Jpgw8fc>43%4HCS_8jv?Jk8u<*O!My7ARQuy#=J4?d$(?^s}=k z;VCMzVG4rkYvLkwzVA~w8D=^simj3=6g$h{u+h9%<8G(OE#d^nFex5ujZzrFJ#7D=)_I2OrcW8zv zMg9w!A8?*rXn3lWZuR)3Ijvg&0Kg6j(Yx8s2z=<}xmdobY>qiv77=klwtzMYJyg@m z6`E`*(}Q2$L{wREP3;>8vJMiu{UypTVP#Xkio^`;FfNv9r}2}2?=^RC?t%QAIOrYg zh=J=$tckD_$`)KmDO@?sLqm(kPLmE*e5=04259cc*8)=8=oLnR-|e7o2em@^+u1>t z?`pbmM70vajw+i{FD^|V`f}6CPD-CwbnSq6>6cCOS@Kb-zG1+GaS)V1$vyeltLbCM z9DQ0}S!&>9J9ZhB3q&h7WsTNVH50&Xqjx$}?x*AU9mlVS)#*(2Kiv-Mc2GU6d#W=z zpjYv6r2wv1M?l3;KQ<~Z1w3j8Z-1Tnvhpjd)s9ut@>}pVrK1%Z*|wA?S=!pDdd+;l z6+3UQnSr((t*v|k?PLsCk7YVC&Gz!<*70d2dq8{n1J)gY^AOt0BH$p8oDpaxmmHzC z8&I?8l-p8O&3D_8>G`y?w%hGiG^BQOT)(!ix^k2|wn;LeT3BD^+LRV`1 zMuscH;SuyuCr9g=cXG7ui%yP~cizd-EbiaB98H+*S1wenI?&Anb;rMp`nY`gbw+(Y zhugy4ztBZ|azCBFy7O1p!`eo~$5DS-S9iG;(dwW>d=@d+!svC{2hNk{GN@W&sTor% zTmFj~Ry&)$lTEpwPBwM2sUB7*n<^oF7TM%zH-9k<+|@pI#P!=TD|;3FImg^Xj=Q*f zMdL2+Uh_>CFQ|mw#S1n>po(Z9`?GB86%wLoFTugSlFqKy|s*9lCz?&cA*$mNh z{5#4=^D8|Ac1D1{`?c!ZDIo!ZVePjsuTaP@R#9P#R9Mah1G{?fG*Dsnbp<7ql51SR zqMADFwf|T?6E~_9`x(Wdha*_vzTe(dT#yKR-|jS+%jv5&Rv!IKmJXy`3g*J}Ic@2G z#wbQFD8!*D((q;jKp7TuhUobM(n@ww3yz{F(ATiPf+eb^zt)szsT*i^knxBJGCOZN?jN`62H>atj#^o z7bk3^0M%Cqt7E+`TH;P^0kmyG&y|+jKIq#(yI7NMW7y@T1-A^=uGzR{&}l)&jREUo znp=TWD3#eBY9-Tl+2b_2T!%H3*MaW%L&qOF{_s`t2VF})zq2c}B2Htp=gI-*l*G|k z*BG|;sieHUWl$tRw*`p14(>3xySvZe?(Xh7xHCw@;O?%2Htz23?#|#&FW-B+`(pR~ z-PnkZ`f)2OBden#Pv*VnoXn1;W+uI3l_U&pkmX2L2bMeNiHd|Xi?W_>`K8jns zh+wXLJ|vkrC`wud^wf+rP@Ne60v;(2$(UU9wjqzL$QoT~<+X~37&8y~O}2v!t{Tx^ zD=Wemzg%VtiU0{#*NpoAsOXcaLwapxH6LNmInO-Yj_eAIi1bE91v~ z%JYvh0bUXx&YxJ%-mM1dx{BPz&Qez4V&kI>*7oHAm~X`-Dc+hl-=^4OT`AQARGV(i zTm2OR<1Bd8!iEIDxkQRf1ce$eKcqgSy4Nk6QPG=gV#4;~!T;54ksyy4AB4~@2KD0I zxGzIML{dbGdK|LZ`u#_u`F4-3PxgB1_L%aIJqj0LbD5tYm>S7dO!jY1FAv(UJAh(` ztORVyKl>87nyLiZy9PC`t9LnFeV|lke}})#zE6E%5~>mAM>q{e=W@QgvJ{k)5Lh>x zBw08Vm?U^GQV>0~JJ{Ah45Cd?#TvJfm3J78QVh|{4*nf<;Lcm+we8Z~+3vsjh>*{_ zxByT)sQ+pkBvkhCwreQ;5rGQgtIzTK2J#L3*p7PxZGxVSR{|XTQzxOJjvw2FFRnh- z{qKh(9y5jMMAD_}FG++xrc+wwXth_`E3w}GoO@%#2C0m)r`Rg{n!#1**)2rKR+7ib z7nEq!);70~CAVdH)#E3h;cEXeQ+i2D|6#ux)1Wa1i2EKTFmgz@c9qUB{d#`V?+ofT z20a;rUPzvVKhJNvJp*V21m2%=LGQG0C$rt4jyFxoUIMTYH0x?Y)1ak(>#UcP-QnMcxqzWaUpB-l@#1RqwSO^ z>@c&UqPFuzEAjJPcfuKNLnNyB_yO;`sF`NSq97R#;}INuZTs*rapXyz2=!Oh?B>4% zyX99UEb?InYpK+gtjq{A=ZUcuY{iW>=X0W$6zcA1n^aB)J}~_cT62I18)vA=xe|2s zo#wP2Z_&)xxwf9)F?U3kiByiYnhK^v)4cf)t75mflk$Rzqs)Tp(bSCIoGJSyzm3fzXjw|0)6v$) z<*K+M!X|qNy58s3rI?@HnoK=3L6gLGp6QwjuT9L)8fT43Qx#tkbD@mVmhx)3l4O#< z7^$Q(qmKAq%DqoM)=8BlYXa5Ny;u9q&f-K@S%?VtN#oVoY=-fEa^2Vniz=+}`AXx- zzqY2qYfUd}0fA?5ARE`RMqc!_I-Nm6nmSr zi?q0RAw}9v375H&6A&L-w$~Cv*yDwO_qcXW!C2&69ltSDZMV)hwCIh{i?d7Xw(;ZV z+ZnRCzYU)6C5)`jqFrN={6{#ua4`XMP#yH_5yjLPw*^G!-sG?b;%cj}ZO}61OOi*! z6xsGvogRFVD}yJ%9J;|3+5>P1$he~CTynrDeOey9QVo`_f)bPqlU`2pf)_@kNg~uC&@8i2iP@NFFf% zUauL{k|?eh-2FuC>}{=B++Vh)+jRg=U~0HCE=!bR7~kLF>gEZ!+Bvn|}KE8Gm-7?s!ONw2{ku%rnjDKF$+a)Ad}7wV)8W0kw)*+IDQ# z>Je*FI4}E*pM(jQpf&kzT+Y5C4#RC%D6rap`6HYm@28Bbj`LkMU)anJG7o^WiXD9mX?ADv>u~#J}j- zB`2*^R<{3nv2_c(B_P+W1yhzeDYgC4ugH`2M^Pwa=uR<947FO-oYKMxFvZL8EOLJS zubdB1+C*$tx_;LkS)d4TOQ|w^d2jxnNeRzNz3|6nVaESRfNz4?^pIms?e9?EwTs%?Z9^561?fiWm8KhX*em{(5HWI~w!qT9i~ zT%QbV<%BZ*sga33Un<4^)UQ@7gjpP--RaeAQS!uY#L~wqaR)whv&@|}`@dfL>E&KJ z_({BQaedXzZcU=5n4Rwl3cNIQNmpr8_r6s(2dz@-WNZF$BzLT!T5swI<1A{!?tr;< zb3$`SPQxwGjO_Z5ORher&)1+Is-B2!m|(Y^sOO3;mcW5kDy z(PBWNB}^6=S(8qY-j!J#tZnp04S{^m+>Yr0uSk9 zAiCH8K(A~9E<6sJzsd`5B@^VH_vh@gHRw6a8Q;EdHspz3_SiJQXTvNIKG^1pY+4~{ z9)G4FH>KU_CgRlP7o6->|K)r{l(0?jDQVqxkSm$T;Xh4!D@as0%=UaW0g?lQ6oKU2 z50NrGPPSo9~$mi@@R$&Y=@y%uk+C(jxtflocu&V0fV0WHNzIyb= z)Hox*l&#?MT59@hB;b+@Min)GFBPN>XVJp}jZ;!_b-XpBs;-Em@DFZI5r?~Fb8Tl% z65hk{Mc;tT4C6OWtCA3|wm98xz)_@L+ShuLiy>j1XQ$ad5vjoeUrjGla)usJZP|Be z)c4^h^&NkDuG`$`yTZ}7Zh9`utE1YC^S3{N6Pn#TY%eLMZ6w5{OkyvT(lpm0KIPe< z(r5*by7&zoeTJfryEo!&yZi?Gg4)fBik&k0O+@9*xtE=eS{?bn=SBqZ)y7rTevF3q zPU~-Ke7tL;vl}?sgpAi6iG|u5-R`_=eYH1|h{;@^(b&(PM}Fd!lXn_ofcA}KGp@Fc zWF~++$mx7fOM@C%!sFpw^?Kd@RdjEkJFIDexNy;|y5>vY#s?}K>1MmJbtk?&X&iaB z((7Nzma9(gmxg7D5?pohD=jb^^M8#~5)9jtU9m(@GwGP5py75yDE3io$;guy0RFNI52 z!IAvsu%{^dmuj`jZ%zI#dC6S(QpI>J%qd#9`qp?!gh>@HU?t%5CJq(!`4seS|76(T z84@6@=il~ze>AU{%OsTT_X-{GD@6DsR9JsU(bDUwcJSLvEKyA^{y~?z=wWPbv68M* z#;QM&D_zK?7I^1B{n8M3J}rJV9pzf_O5IyK?nbAPFq_$ZqM?ZlWE;#OS=iaO|F+kP z4VKXOb$%}62&mq-Qpk@xE3H;y6oxGii)i-PGCTY+p-D|~a56;pP^n*p{w2c|DttzO zwE`Hhp~C#73M)5>2k3UBI|<_U(xUurFD>#b;JY8E8`0!&$j(>(;>`RaES@8sGK)vqa9glNxm_iCH4xGp%(7KN z@=tPpqf_tFmhkl;W0TD_lNnDSe?*#Wn1zQKbxFh5NB3NRpgh^}dFkI=W}kSKIz zD7;XBrSEBp`q!+T$7Tza^syq zA?&ARtWJAofex!6%;zXXxU1WjE6d``pG-e({_CPBkQDXw^342{vlFsrRTM7W=;&{1 zHRR<{lr=jkB1R%^4c+yhA&d>HELqi9nygo5={)T3I^oN9K6b?p=knAFzD`Y@)AKhr?#;S+ zeQVWob<)mqb+3{I7{gZJs$ZbwtMTkfz(zV5aM^5g2FowD2`fg3%>Pb@BxSptsOO!y zNexm2U;)M#vXyQiB4xvrVx8zYv(CfP3COLn4FHY$3ajcDf72_@Pl00JlYG_qTpzN8 zg_9UcnX?XiWhb}=##Kuf)v9VjKDGG5)CXMXwR2G#Rf{q^j5aT55_fPS-4Wdau*(vf z+MPCj<(hnqiahz2{X+h(Xo8$BA6t4<(U9VB(~?E53DWVM<@~L*NpVctCV#8Z>Smv! z*1oBgdac$@Dml8F*1CYwt+VaZxj+N0erak5S&Lx!i@y=y?8@+h+s5sLV=A!$(y}_;=CDk=GQuK4u7SM7 zt(K3+z`>_({k-hIlP%Q((JV`r=tCe$}d2ZZ2t=TV|w3keTwmwsXR}tlr#0t zfK+E3>dL(BM=3K`?^Tg1bvB=0-TI%!zwJb=WDrkA(p!jrH?nf94Bo$VR}HF7ysX{N z9XFR(7GE6tGrH@?yV^2xUmM(E7i@ly$JHZu!SM*obJ}-Q{di%wV-# zo%z~2>1SWxw<{b0hpH1_G^n#DuFXC>lV84~HB+8nARv|=q;=a^d8fbG@?VhE_kTmy z#aSZX1CUesgAuFitEaDA+{*vP0nK9{@^}8buKdL#Z+f!fFJNIK_`2W>w*|DgJ2O-! z>Z%fc0n*2lK4Im!{;7+m9=Jy<{gP+)gk!8O^@r+?=dqU93 z(Z(0>EP)}lrDY;sFdZ!oZd`3)UYR&deYm&MUxI&Kz5vqtD=FB<`~^>2UpcpimVk4Y z#&P{sIM7swqtzmtXR+pu`Jtvpr5t0`1%7*7REE1_+yv&YR5LE0*whxKq2jp!Ge{A# zESRuh^ig0K|1kUZmJ@~&U5P^ePEb&_ zwyYieRx(aD>;&_&H;xlmVz*n#$SkY!F`I98gsnL=teMuT)jJ97t;ofmC5V87b(#g} zyL@*jhR{1LYer9`>+Vnp&~DEO7wCSE9g3Gmzoy7Bbu`Qwur<};>0#)jkA_+5FXy6> zsmj;e4=&KPe^@E=uUf2=Z5-yGZNP|aaJbuaPu`Hx*p+yzaSPxc^dkQfGh4iIMeJp4 zRxEmaRy!x=OJ#FOS#? zVkfO7WK)L&QHhu{wlyV#Nyc9T?JNl#=jjf zv9;^YtY_~X+J&g?e5q6p;$7{$h3DF`1-x4wmx?#A4Z1c`Jw<7*K6~uRo+Qy_=t)ek z*4^PtvO%m*H~KR%m8EP?>6P1TZ}V68vOc*MkEM&~X`J!xe%F>Y{SS(et&Zw5JJge+ z_M+BPLJJ$7+c2&!kK;#O=Wc%$U~MC0=+E4(++|1YkQoU9!c8YPDD!5S{|kAsJ+JrU zopGT6)$X*9S7fA?E_LaZ@cyFOux zg7k5#wlMk(cfsng_D3eaJgHjqoV_Oe3n)C+F?AJ%l>Z-?D>|}N8koP#6XUogsm_{_ z;J79m45m-!+2nyNbu<(}3%`K{((M=P|CrDksNn!IVLv5+*bltT@UoTJ`T>o9QCcxj zVG#SgGW~mS$g6*+LqJRS=F+~}6TMWUYge~l))4`< z4tutr^PK>2+XJ_)o0~OVC)m6ft znHWv6hQ+%At(m!vFp=|78uV~^7J}oZSIOs%Cd9R!uDby2QvJL^-nMr4;|d?9V-3Zu z&BbIiLv(9?ewZvt5nJjWjnEz)i%*ST9^40;lTSJi7c+$kfO;WRQ=4 z8G9^C19j^9-4**de}pE)$ynCp+#N?G9NvdD2zdQ|3Agkj5Ew^Xngp=H`v++OMV>5!=(O7rhpV4xmvWKZrXwnrNpC5Z;#U{EY-;#yPqE|1 z?SGLzA>K(YQ;4}IW`&$^jp`oGHEF9{dYI~Wsa^(SQbw2_sqnws_+3A!6k@71#rYw3 z(D|NT&e+_ibGr=ik$CTy(5-)RcK!Pg@QN)5YwoW*gaa3|S57J&3DF4G>*$> z^XGXKr%*-tJ6^4qgATQYk1o}+x@SQCueo}7Ilh2}-&>ud zVHPXv%No#m54s%UPwvQGpo}0hyu~8X84k&&g$06ODtxOZcU7}N_QUZKv1j{lMrU>P zsT!QYY5|?l6kQ=kBAr;OhRT3ru9(9mhSDv2i5j$6n$|v~L?@yqV1h}dV3AFBmF1;i zj%*_ZM=rs<2;mxK2OvhTufn!=scDUC6s8=ox-pk-4W!6TD0Ps!`R3Rjy2#Dn9(yL` zw;?g(o#SU$ltVYmsDFtNuTNrIIx#?gjsF!WS2ymrN1x9JZ|4u zUI&d8pBcd1zvuRyY0>wdQd>l`LkW{Sl6Rjr$D2e6v0xMf1C%`EMuT(%#CQ zi@`K=zt=4dUF+WLWc{X<0zFrR81?ozmmJFwnREk>(TII=La|rv;MM3{09KE;@hn&O zf#;^5%dlr+iK+=*eX@r2E0UUTZSw-h<8hg~o!fsjH@jE^K}rPc(qKzyZmmq~vi$4d zuKl#{u~0YPMrRa_k?C5+c;lP8hRKeorGDiy?RNBJo@oRYM6yhbs{=Kh=}~O4K2*>M z{^(llT&m;)wP|2ymN*WQ^ExjWY0aJ0c=VksCAJ`U~U<@@4g z+jr1x&p_SsR5@w;%{MguDMI;|jKrIx%w}JlJwb|M62*j#SqBYo(~qUV`(4bk=YPaF zI@U)}>|&T00rpn5Cx6WgN5)s)Clb&GF4yT{*sDd4KMvt1v_ zsi@CSHEo_X_*4|RlyrcY^Qr)#N}+Q8K{ZuEaeEu*zI z#uvZZem#8#=Go-gJfo@Ub4+Y7sF^^yxVUxtUw3XV|9hyDzso8+_dnggIwJm>QazeH z>2$xIp?f{Exu)>@dLypO*8h6FR>vmK?@_-SoxU6o;Iq}{!jMD1pX^^rRPA?O)lu{G zJcdu)eEX9Y&`#|^8wGLEJ9ch?(BCZVKod5XZD^M^j?c6CGRXY){=Hv_FX((j@}9fS z?tD}I9eFFwr5$k0nQ+48YRy+N%9{y4N$U(KCB~mLdb+5qUhide8N?6d1k6oZK_PRw zJ!psWB@U2f*6PZgAKx(_U8eb9RrS*@I&9Ntg7)L8@?l{2Fu zJ&U#diSx_l!yL3Vt=LaEFG@^hYIeK)a@?XPnKUAVQ@0+b-l8mkbp7tM^XIVZr9Xm@ zD&Su7_!ePT_h%|y_hcK=ej;>{FIeHoMyc}eIKPR{|8J{5j0>W)$Aqyzvs|j_?4v_J zW$=?M)~XNvb-pXq4LcYku5HzK@NaVb2I?!G6V$S9zTohK_LdJ4&fcR9XHB-sA6EVo zF*!D5=sS6jej4mve8EBd*f@Rn{2ZL>etvkv@xd}|D~5Ld;Z5k?nqz3nL@Dj|Tim(_ zB#|F6WpmWe*qe|DHhY@^$kg1hGwb8G;=%~2b~EH~4ZS7O@l@Pj6TzVVw?tN2sU*MN z%4CzYb1QT$Mm18l!e(obNvkjOPS(v2 zG1|Z|j~cd{iv|IUE(fHjFu|pX4&5o z`)FakE@XKMPHPQg-aL^3j-P+vz20X_+tsY%V&SOprhZ2!(v{$^tE z!}w3ENtVRJi&FDCqfo6v-vy+;c&vJOzN;?G`;jw4HEVW2U&HQU%-DRAzwNkMYpaZ? zw)j4&C)m<^qK-jBTM*uJ9rK*E0McUvo7phhahdc<~%mx*Tz3OuB>VqujJ-D>6?k9?5d(K9HsG zmjH2T?+S?z)MN#Mmc6NjhocGdD#Y9o`_1|pT7>7iv0Ld~c}K{)F;ypwL`ID?U2>%N zx-a?m?_$?%*&$T}@9J3ybuLSHy*}D@ZEKghTal$f9x}f?r4aIVzpWeHUYg0>=iDGEe;r7Qu@9NBow<)wjZtb@1fCpM01y zf*BOxlIutCan^PIofV=xIB~0ORFGrlu@Ndu__IsaY6khs8&MvLbVfPoN(d>872pws z>gf*f=s34(IL9)I*0{U^WpnkY{p&`-@J+EZ^9=DySHMh%R|cr8xQEHPhPtDF00BR0 z(KTBp)B0d2lt`qlQitoLE{uGLIH)YEHv5}zJfaZo`q*^_A-K-VVnG2ug7yTz=!HQR zMC#9v+$+6JpYO3d%@4bdZ0z>$kD2$X=at)E9Mt!_Orxud#BCjFcmHR5ca=+@Z4Fd~ z&qsGfh}KN{V}zz$`Z@XYOYBs$1vzd@eTy?-eERF4g_J`I^y;{={-5q#9))P_#HGYw zoch%MVy^it@)TYuwRB4Zg@nZeEkZL!{2+{P#07)ova*C0R?np4h)Js|;)nd8yWJMh z_FvH3bK$4?N`TPkb3e(_?Xi^dUp}l3zR=!i;IZRwJuk`z(@)s0j^qWB7%>B!JvTfd zuqWmeWi~Ct;V8nnV;Esyqw&FE#-rZN@OeUZZ1T3*m8DPi1><9Gk<0_A)uE*+m7eRALS08(WKbX5kE7MPql^d0qNI zb>rKmKpWIN;IeEsN;Y?EP_$DeY6f?{RwceBh97VGG2lQaR^}(a57KhpEvsyRGtG?0 z%yOd+QtxkX?S&%$qS3;p!AylDHYNq15IZ|#^nkK{&I2qcQ8Ba*&p(Cf`HKL7aK85Wb^;U zMg*;a@}Ka(Xe%SISzuivJ3PT#5J9eN`^)j)|3wYtGlzkDdHH_Y;0)x)(U6isga%XQ zmr-By4$r4yAV5H)^zcg7|KlV8bNZ@ue>`puo{q|r;zIvpRV5)K(KGEjxq-IW$(WI4 zA;&B-zzOWf%a;x71DRZ3g4Ub=4D9BTfUtNpy0lh*G+%Tywmw|$^C_Im?mgFKT|KOS z+2Vv!)X)Y~lJXl2Pj7#I>?D)Icl{_ZE4JM>Fij+7VaJ_7f(c2-jWxP>*@bK2X^Z`s zO@r{oC`gO>C~J3~LObbJS3>LIKipSF@*h-%?+hv%0O7^|Zs>LJv^0(8bUL6f{V?3Y zR_uk^3Pw|9p&U8E@pD#|2qJ;NQ7q_*$dASpYkOka327kyM;Yc1M=A}rL&lN;{)0OW z7f%(xb8D-swe?gC#T;k2&^~P8@om4qF!574LbUCM772|^= z?5m;q%eS}K*!Ff5t4)zDNbuUH-X%EYzfFe`4lEC7i4SZqZ`EvO$nUf3coJ zgB{v8VGMg&h7v(!Ja&-O9&0U|Kw2nrGADVOeT2V(qsM-3BfUm8Z+iM zW;}w8LGH=_M*cJYd7eW6m9c_2AmyLwEC{msz1b4PPB~2U`Evch4(MqILIS{5(f{jiT_8U4c zscC>%n;flp>XD?`Zp6>oIH-n@8GeDkBiiAX1T4nmPz8{b?=(8hp;}+kFGAEd18(n|GV5)RSTI z3Te&16dluQ_t?AAx(yEG{&x2n!L!X#ToRNOdyzNK+i#6!~ zBVxxS@vBrHk!SSdT{%*~x-~2V1ncs=8oojGUiBNmR{1_oW$r7{E#wXOKL#HgeoF=9D}jRW46gAs}Dg zOGtW$=cxWi&iaojtzME>rXnjmH)dVSISU$HZ870m6Mb`dD+!FEmlO=o)5?D==_wJ~ zQL;zTO$Kodx52(8kT&0>JaVr6x*OO%iqwmB8nsg+U;!+uL^z66JidQ9UuW2Ymji<_ zJH>(SYCy;kbbudU4o?p+pYOb|)4_+*-=?=c%4dZ4_^97p$JJiV{aG`q63ZDE*nE=QPfVAB!@#@? z&*&w^IEf%c!vE^ojpx1_tn}RKDUCo5Uh;-u%L(RsH+SiDNV(!RlTFUX>j+zF5Wksu zslweDer5d8u_J7&`=`&?Dh1If+@^frr*zHc6_s;La)Eb7U5;7RWBm{lz85Vdll$M& z&4{9Ezk4k5j)PITKW^S~88Z&FGz|IMrP}_wRH=+{0*dWeP-DdDp+C;a?j<9qYSco* zq^TPqqzm($&}!;&E(OB6R5>*GxwT}HX|G|HEs}}jV}wzTBcIXTO=GhV(3HikWzYMQ9+}`JrV@n)n{iSsJO;^;L&~!q-k# z!=?(Uz0H@GN{ZPE!x|7O*Y`s-OwV*yh$p*8E;eQG{QCkMIg2((4)~4?YH;50Xw8sv8@|g`f5*%QSz+fXEA10Ta)ZDM z7YDw#VpfN(Vr@sx9N%tc;bLr_xlC zll@pzGcFmOtByaKdLrhKqT>`##Z?tE#dUYwr6^-xi#v-3a;7BQ=x=_`PZ$dPIMPCi zG$has!Q)sy>4z!e7c$mh!lUwiI0Ly^j?9-Z0=Rtq^N7zAb)}C>ANqS)q^z90>1(!@c;s<%D*}X{ zch_bh!Az z%O^etC#LdRYJ{y}p0OJdMV81yAN!73lbdM}<%PB`74Nkd_j%AvDOrZg=X5e*aZTwr z@uUK}^)1v3ieL(O!Pz2!QG15F6f7ckD$HvOu8fB(32vw42M@}=v3qXwTQU!2eZxwH z8?^$YaNdy3{Y7S^nt`{CMTGg-Zgx!af&g;9BSu?o_v;7k0kQ_Q*dUqvIH4XeU3h8H zsPOqf(zRIhX;!hM;}X%t<~DjF{{h9U^X)4}rx%;CqvaBRb>s#3M~l=ovPT3Bt4+--e#ooKQvJrs>shKiYr=z9x4;ZfLW;9_s7s7p!>6;uS<%rvhj&!I4;eT>BEl= ze?hfL`taRc3D!>)MEK8b)g_%jzf#as!o&&n7f;y%HQyeqt`^I*_rNR(ls$Fd5ZK%Q z-v2>C5`4*B%WQyrB^DKfZTAW3>{WQcf{O;Ph`Hx0Fh%b)ph|w3bLLSC0gFpv--f=m z)v$Ny+b9#`emAkLA74BkUp1nfWOL2hDF)D3@}~OTM=uIzSJJMY>0q57&_*}jY1NGA zKy);Zw;Des^WJAvoh_Ni)GAG2IaF_LSA;9+x`^)s=R2~Qw}S8uSH{- zmW>Nv7P|8{39(h#l4*v$Nb)4G_~TXK9USs;mpUg??D+ca;Zexh?SZK-dusa$b@FWK z;hM2plr%?b!#SU$-4d}6BM&ERw{CRD-VVFU+-^8bpSwhoOeL$yGM#G50Jd~^a&jR- zB~pDlX~^#?eT`9;p32f@nNKyPj^5&I>|O>QSt2WGZ12JB)*{_nIL>O6ETTv&&~Cm= zi=J7a(YN`!q9zY&;-qgXiYj>K&O`z(PQCf}dGTHam8FGV{t)MBL65v-TKLa@)jnwg zV)xY~7{4gEh4pNfo=hUeMR8vMX}BmQ?*w8j(lH@DMWO_YHhl~Cl)^>VxT_WiMURX- zgH#&g`Ffo&lu>;vSUr?^1Vqw2*h$-TXK}zEc$hDTWxEYcTWe?LNC^}F-qZy#wU`kj zAp~{$Qewz|OLE-HHaq)8L zsw}?KfUlhGGbZXo^bMM8u8w&pX`e^+18EvU*LMieH0Q#P$jL&7IM2=f|?pG?7}I#=uW~x2Ymq#-@VR`XMmY&vf{$-UPOZ>6l1eO7E8|R|vZ1 zlSDlk0fRYqhJ~hU@6uY6y5^?!Q^21kSvk=U4`BIfH&O+L&ZJ9EejP1e6~Y*5IfSlF zfqbp*TTy{OlWg~m2(z`Yph&%}LJO6m-lSEwJGxl9`108~(U3}G4&5RmL)9){J#Ujr z1Sa$Yjg<(DPo>bHmR;_UXw8@LKf(pQTr~qzNfS(QPVK#xgEO08t#k<#$S=%N@QJ@m z${BOtHuqUe4YQ2s-XmP1Sat3Lel~8IMo9hRU$LfL(cqc*cvuR2#?G?`n$eRC&HA9d zn4q4f+g1}w^5o~RqKVmq6grq7E{u~JeT`HE^cnGMRS59brxLe(+ZNPsO$k|H%LOe> zx)@;%Bi*E0O8H`1p=|{f8_#lrG(9I5u4k05S zmJIw{J#DAUPe&j(Jn3`Zk8oB;Fw(!k!;g=Okw4YnF*vN$dRBOtw>rQiVCzvX(>~oA=B`| zA}&{ete;FgwL71nTo>q9*P|zF_YkpG7H9#xM%bK!+Qh1GM>Iw`Ia-@$5T{XFowjAh z8K|2s)bmP0jC0ASZH;gHsAu}NGmUPLvu4lZ9k+V{0v=WZlu1g2h2}Jff&}gyQt)Y9 ztyxN@`kWEqyT9n-7RH<-3M=CGOMHDZSlA;r*hneuLSn`(L_bbYq~$eynm4Yv7&ytV z10T%jOC>c4#*8QRd+bki@cbue80Q$N4;n6%n>ID4NT(^CZ2@WC?#pClXTS2XYG7^dttd@%tHu%HF0UGRTvQV$ z?<8+jF%8ngK0p_%g&wf&kUv5W;tbrG%3H%%*&|j7?jI|Fny!@nXUHCvAFTF2*%id@ zVXX!`(&A)vGLykAdUMaRv^o1i=lac~1CMZY+lu1)@b#h@#CLurf}xW4jlaZO4}7$L z;RIMjAOM|*Ul8g-8z<{_LC^?4*5o9g>4Y4L#$`DFx(}?Z!Z&rERAd3Q_iF0Oz_N7N zU1D~19`~l8Vc9)tn73*oO=Hi;;n|CY>G5C9N#Kkmt2*%g;Jx%*XOhEf=|OKCHj~GY zljHK&)a(GgjlcDiC*nqir$=tX^xMT9&_57CZ;SFyU_W$mndrQb$HJ7%ukY}}?FGb3 z2`lY51-1WnFhX;{@GNW+Kzb`@MWogIM<0u^<{&B zBNV?zLdZO;z_ZVI-mLW~_{YLR6cr}{zomG0}+%n4rlS8|{6g&(4md|guD040GmBUD~{Z464& zZbflt{|q^!6fO^OEw)9Lz(UJ<=7vOuYeC3rT2WRXYX`E)o%Dn7AO&*ao4HQbDpL+I zLm`nfK;q9g=~8mK9$2RZ1*wXls`sL?Fd@Z}(LFNyQ~Cn<1@;XXqBBly!dthn79ahX z)R%e&5o;Qw(G4au)w*fRkcUd#1&SA}HhZqooxWr~EUH!<_PWy!ULAreP>JiW(sK|x zVP1FzNPQ7>e%Z0HKDq$%xj9>$GX3aQf8W4b0_`&>0bfaMI~+XK!*Ubz|Y;h9=jR(K2krG^GUzm#@s1PQ03@ri3r%9a8rJCK?0tOOzD;Z69cjNtsYHnHMPSC7;A+v(Bn%~6X2Vdf_UiWGCHZeQ6muLTtNmLf zOpV#ZLruT$@a6MCozQcVWBvy{yGfz%a=A1u=UVn=7T)udQM|{1Dm0huu~ghYd__Jq zmErbLs-(?E5_*G9_gMw(mJC&0d$~(vl>ryl|@+@D$enM?8P5GH5Jr3i1{) z>SNblMQ1ww8`T>oCOX9d%y14A^w+s%Zgv3m+ z-hYgMZ9l_r5|%$O_m>F|T&Y5J(bYr+!2l+qR5V3Jh!So~xIu|=$HNiQ zMklavUUr}XAu-~Xn^Uh4fFFc|lP`2Q56tgrxCEdp>7bL=Qer%li4Y{)Cj`S z+h{F`w9xQ=P!b*5A1=+Ei9MP0ADY+IpH&wAKXG=;NPJ}cEC{ewjgkwsRzviMZg?aIBr&VR4*a| zM|Fe=1tBG-Zo+wS;Da!ggnr6nqktm?xz4~2`@z0@%?Mu!uRp)tyiAh_XNPo?WMva& zWs#6P^bWH-J>MKm-n`rlCkj13V-se*BWw}nc6h_YD-P4ZoX8F&4({PT$GDB0JJ4t- zhp-zM1th|?e$IG`g7wd00?=@GZ7C@HL-&3wt{k9)i93@2qZT@R7rQ-iDp(?%qvdAJH~4o z@)QAwg-i<4kDY?yHmKho;d*n7XjkTgO2`wZDN^l2tcLj19t-_l!#9J>htvj$%w>_o z@!X>%P+9kOb8~lk{=^Wy$$#glylVU65S7celC!-{6KKira!~V~hevI2xTk?-BI9XW zfzkq6m`;=kU#|3AU8lPAfUD>yUXd+z0lcVUj`yYK;VOYg8Ts6|{gSiZR_#YOrCV{6 zpCpB(VyxP;FQDkn&CTPNI}lFXBZ$r)VG4wSUB>rD(!VAduYr-*x`QGtrQCBa0vZIL zB28rbY5%~x@oCd1%&Tm~LvL4vYV_KX^pQ{8gia1_PcG+@IS6M`AtUB7=&Q8&zAAG$Ntfw9+$P4T-@W&rQi z1X)k_;-Le%m}_lIC9=?i*b-_Y3$VO%Ex<+erCsp#jNaQm+Nx;im`LrFH;$!J4U|5i z07|JDz@P(4`cHWquGJ8~`ENpz-`!Wtiv6KzC7nn5-9XNrO?MAKgX4&8;ef}SX5oOV zl+Vrw;Bt0#b$2IMj-NT`1=-`%eda|tdpltL^gYl2cv2g+X&so`ydJPm@?k#idxtZt ze1`70E)#)!*FHRy%@9jRt|Hn7Cq1u|)&4J-?L8D(#ydWNd83?B zh)e~G20FernM?S##Y_nc^fZ;!F4!r>v1q#K;i%ZgCJ+xhL;kK~g->XgU|=s*na_JicYFe;%ZyF8 zh3IsMxO*s?g48_6%T=T^UOZxuQK#=UQrx8j9M$3TWopuq67g5R)?Q_Mw$V<8 zq{H;*TI_LXH{O+v8%h3P9&<3jjMFKqQ@C~2xsmrS9{pU0ExT{u8~FSt#S&jL>&G-u z>zt@Ll+;VJGSn6)Gu=wCz68W5Mv^5ZvEhbJEZKR&nTs<_*2OQ9D<~vJY97(e8j9|y zQ?{kP*1$xlqRa1@maOekitl5{nd6!U#_1!EVR)(oqLU|UDTjbxCZ8}6g^96?hsSS!y~y77>~VL< z@V1zm@^Loa_i@I}3#pxC*O=n7B}TW*Wy$$Cxr&XatTW#7BRTHxQSQ`OF%wj~yhXQW zL690^*xG2U%Eu&eIOi~)Yk^$Ggio2R3C9Rk>B>2|C;r?0BU%KepLQYN^*}X7zoCVt zwhELKZ)o-8kG9xJvudJG9a^vOgHl{Y@*L3`deDp_>Tt|lDbK&nbv490Xe%$nZz?Ad zH2!9>5f-st_{8ywP`}U2^gl{{$zMvO(o!%BQW_jZQ5Rc{ghD1&;Mt7Pb~5Kzx*s7q z#H0tpz>}oUVgr>H0Ues0@rD*iGkoVR#OjuK*R|=7mEAu!I8dN7nU1@k zJU!dnH?yZuo?o%v-Ami&FWo(|ibKb>&)YtJkG4IDm~9f=!*mMMYd^IKN{zvOKflUN zuWCo7f^r!o0%b{9e9s3iuX;Z&Z*E@QCC@Ia6y8nCY;QU^O3!&Zn*SdF)j%r0Vqy2s zENyomOxpg5ZG*j4*#J=RZbd8qj=`Ue1}udMfsyCD*uE!v%eq0;nd- z4w_esG&u5}$ippf^M*=?|2+*|u=O%YN$-bC*=6=WoUV@t#>Fur$KeM*2z+^JTeV_h zMDR3r(SU!%yDfIisK%u0M$;}I%~pEPdO>8P}#+Bjjpw zacXalg>RZ?O5-s9+Bm4n$-C>t&kL^CGDtd$R&$qMX$&bE`7U=vo^1!iF`mLYGbc7GC5Gye?@Aq?=v?1b9-v9SNUcsQ(ttI zY#+jFIR^#7775TOytdU!O-AM|+BRn0FI=XBS622)RoT(qI4Hb!ILyUj2mO(Oxt5g4 zjv=utSl^O&OJlQnleUiH(qPvM8Jcl$os?)#-ZIzIgm8&;Q#<^54q*zk9pS zU+iY{|L(ndtpBl+pU3(ikM%$PUF&~v-aq;hiJ~6}aNA1G22cE`+gWzB>1?w_Y4z<9 z=C)+|)^Y$FqF@4mK$!`{X%O6kKc+D7hd%PyJaf3a8-GWDI|+Gv3SRDU90<5XE@bRV z@C1Q(I&q`GcIczPBY-V(PBA3|d;+#EZ#gC2ob*{+Mr1Yt?J}Yab7^>s2vZ!8xBzif zo*mY436!!~JwQtn64i&5Q3i}rFadJs{}&(o0lA>ji$x$(#vN`tS9}pF1*uf4Xq^Q;yP_3yK$!rOVunLC zn^@C)R&Yz|o4FDBM3{!sc>?_*NYdc>gzF)KXbA??%%fNYvi1C`He>6`0l=5($H4Fp zFSOJqQRAt0T`!ZTtO&rWI>z;3Jye$u!8MG1rW{EgP=2kYqoC~2fOJqcyO!M3NJuU* z4xHkpS+iuiIs&m>*irAO@B?Poa(-u+!bp^lDaR<4g(MG(DC}K|KF^%P)01S9?-;=A z3mtm6bow0gdlB017%5KL)+-PeR8=-0j;iQKeU%%a09Snn3g|cGBQtw#F&eWTz5x=a z^V=+ja;A{_`Xg^gk_N=cxK$`--Ff@M;Q7+p?KxC~^_^ z5Bl$!{iT+?+CC}}w3RIPtH=WZf>#8{BsR*+65tW(f>WNa6u4uI+2$XF=my2Q3p~`_ zb{zxcstn#%j+lmI8ZkyiUWaW(I&u`V;}(1Ii##P_G~-)@ExA?b9>NG-`hibjrplQc;x2eY0d>DXZ zLCtP5T)TpXR+BZ&PCIj&fkoFiYVFqAS=mwr=U$U=?kx*WDIJ=DQ(iP!7M#0H!nxZh zoOYSn-0bH9;+uutBCnfUVYy)QzY6$c8pX^I4(AS@*fs$5}7rILh8HR)BFL^F;1odm=LGqjm+7yn)fQq zwNyVv*z2gkl8&3bJzF%7w#(SHwj(7D!vrRMemnSX+@BZQ@Kzq>E=pYK}H@H-K7NC=(E#tA$MMEl5PGGPdUSe zPJikTOUJS&b`hp`jgei*1_qr@1{BcgT%lX_;0oPJ*v$W?;Z##;`%3{)V^_+3G*OHx zc5zTN>pW5KGG<;Aiw{9;=6nr|wx4c5?;6F_C&=sYZKsIHAnHhs?JaN^+=8SX;O&^$ zW6yEO5A^i*mhrI5_ z#yLO7^@Bjd1|SfL&Ve6NCVL|o`Yr=V_cXyV0(1;R4jzX@b@*)Ka!R@Fk3u{hjrm)m zj|Ic&r37uh7RgB8goeZlj?W!wje9YU{ zTcdJ-YHl85l5jHw|73bm@(r)`!)BWYsD=o6l0ijczA10S-WyD>=B;;^y<^D>EcIx>Ew$`j12W7BP}^&euIFN%GFR98&zWvd`q+p8Q| zym{pz1415m)S|eKeyVVgDO5ya9ZfQ{d7a>V-=#s zoty-CD2kEG>%Yq@Fa8j?(>O*U)lUfEvztF}wlRgV)siI(BSn%Ru#hGwr17nVGSy^Jyl*<+Q*_az7Za#mi$n<;DOxEPw^*N9 zdI|6bF&bJ&u{4{Tx*~vmX(aBXgL)RFGyhbl0$dH%#etA`mm9j#sbI@wc{9QHb&XC0 z@9{zAAv^Ls(*R^%b~=WX2i(c{FNy&S0$|)m$q`qy>`b!7DU#|C#V(byavEi)&i+vM zpO^~Vy^?)A55^N_tdyZFjl6kq&QxYuHPR{%X~8^4*ejml>s*#@BbRph92ce*ufkW2 zkVQEAyclD?Ez=>Gl8ZJkGLJN3`mwWb+zxcQ`7;x-ULIH^!J9bv8y8ZSz^NegPnkt^iNu zi^6L^#^FRL3>jm$u>pi1$?6f(J9`($F>8HyjkUqT`R(dig%0Q10HpT&DH z5i#HrvB9PUd6t05=&B>n0QAruJ#<0LMByn=fgkYf^xfc7|L6>`UrrDDef|r>W$@wX z@aKb*XPafcXDH`|>9Z(c}HE0O1lYphM05t zDsdR59t)E}?fT!FVT6eXP*hyY^p`#{NWZHwRK_cr^2Plz#T4Z_wTdzk>%&YyegFV? z?2!@p!tdyW`T~nSL9nPd-a&_T(24T}`|{@uW$MmS`fuTIx*P;~|HMPz)LPDu?f%~c zO>lhM9pQ#<0G8kX+j-gR?Pc%(z1(~Cc>iw|Kf(#Gqxe0(W`LtvzyZ>EZauKqK>=ro zJL^91&(6Rw?;W7Y1b)^t4M3FQT+;r0fzk7 zo$k)gZt6)wklj>5rzK=IQVVC@R*YB_BGcB6Nw!QXtRyeN2jh$7&0A(k?=HNgcgvRa zuI#B~Ez1V`4X;);@`B4W?uuC zQYpbSDAfz0KylVw4#r$$C$IwZlO&2F*&9o+O}tYRLck3V(@-y8gH7)lkZMKzp*v%L zI;*2Z9{&XsOseJAe4UFm6ZJZoU4alyQsGSeaN&e^O-adG(5|PAvoZp}FRLWLW7?i? z`Ny{Z4>3igx$S?&{(pD3xA#1||9}2+=W+kPil2i0zhZ%k?f>5)mwKxyD|;gcE6M!V zx)GcG8g+uAsRX`u`B~_LL z(E4y13~%|lV=d`&Fs0+}F<~DR7pXR?pxP35auHl6>qLVxnZsKsfpc+@{7(y?LmZA` zNT-2Jm4!p#hlIi)V5Hh4|8XH`!gKQQY*uaF#W}w%;He{B90YjE6QDsbL^psS7l$6{ zf^#fSk;IWdq*L-b4FLdG(@W&i0Ce~*U)7gr42*zH_O{cxfz%yKsLl|-0LnhLCi6I$3vck4#o&fi3)fRF!aEs z96@I};-~5mxB;Ge>LNw_%uIwN=PvNCP;d*z@EQR)rFa6V@4_Is?ToZdpd+`t;5ZaV z`NTybjD1`bb5Ho?1aOJKH1c>Seh6^vp_t1hMI-=S7ZHBCe}m(zE;yU=6MZmbY;Yrz z{7oi|_&9VE4+Kw0hoS)AA}_~K{4V%38pY5Xzb1 z#!BScRc|rBj}SpR-hXoEqnrv(HIlTnD+k8dB#TJX`=3&`_G|s|D=6UgYAn;otwp9?TgC(xX?t2Vm$N%Tao?j z^+`p{G?lR>Mfoc9ITOgebLSX3G&s| zi>Q!7EG>Mhi_nzhmMJi2TYB8&eo4+(E+OJcsI2~Sqk%}5RO~U=Q%mADk(VV+VDB!!omOc-GuAhQ32Cz9dTiAbX_EQI-4#Ju7Zz%AI(Ahr_xDfQ zV*kDT1(_1`hOY5Ku3!R;uh^edS=l1Y(T~mittZ%H2HCH83S1Z_8HxXxqWD%FtEspw zfQNvLaV#!K@Ij7GO}p;E^D=r(-nWy4dm5M$qF| zp8^1*sC%V})%EcRJB1izg8dQAl;8je)Q16K z)-!u#1gKW*qYS|!2y1e`bEhp;E=%t3*>cDWk~?W?-ZLR{{I*z+UJ2Ui`|9X>#`$-!B7 zvoK9<|GQ+D=HkV2Yi$LN(HR}o7tGFrZXi~+wACiJ{I51EByV{-39k|?uk?i#FNmmYXc9MhRF4y|(=C{dWz;(Df*b9j)>c-r{d$*!A~EDgOR z^v(qa0lw+5732C548RkyK%VGVJdeYZr|bcaP%LVmz#ssf4wrf03A4Gy?@un8B~wZd zt)5V>7@k*qX&AGVrdyMxJC}SFJRsRA;RMi$z#g~Dy$i6#BewR;*dMi;%MxJdBg#et zopXwQ^?W5Lyo_AZOl=W86Ik1b$mTw)npYd!A3?DZdVUIrT<}E))$|asO{`_f_Wp-|o)yz20N| z-zt9Y?D2ng7O02@JjLD{{n3y7qxG@11QL7zn=K@9oWL)iLU;}RfL~5AGK29>CVqIP zjHcK6>Q5cpYHL@YNoP9M=dB~Eq1@`}*5+e#{HiN1)yVmTXX~ICgRwsv^Rz6`=TYR~ zk139)lho+Buv?pV|t zvLn2hx{CyPa=><`$aBCBPZbfPkp7HdK*zWIk%x#MBhP$X|~M7jSZgs@gDgpiBoiX;;5Q` z^@c4f`j;8FolJN2ERbYDRW~*kkdt0cY|OMQaB{*y)+~R#Z}LDtcKeUejtm3s$T+&r zKk?soIcMDMvv|n=i7z?I%hc~qlEA11Zaq3)Zy>cRA#@qLH=k=9pH3cIA9ix z3_RNPETxB8O!={EY?qi+ANejv;+rTr!bI598N!w;oGNf%(n?o198Pj8p7W+< zMYfAqqY_=VxU)J_RVzZ@(m$WD&?-M{&2^ZYiE#JDj>K6`e^UUr%NC+Ydiq|;lUfU} zlu?ub#~w<20%|n#DRAI$=!ZVNt%GQkm^A-`FAtJ0E9Q#gK%U>$+Rde#SM(h--j3<1 z5|Ah88pRGzSez-HR5@;)f>7Dvc_H%CX%L8v%N$@e%jsEB0w5|S~~tuB{B@kq~EJ3S*6*KZ>l58j{{4QEh8y89ZoV>^XJ zel^rIp%#EPGv=%?&yYiF##P$}j!0vyGhqwqrA+fV^Ls(uH<((>H}xET5uMaK!V!)V-e zPQ?|8eVmF6?+n21p131j={U5UxCkXy!(%{(|3da_ulz0;9-uJKLr25 zNZ_>I9sTNn{r?~QV@sX(e^sabU-PH^?H2g`_y0=h10*>6PV4U7(XZbj+1Jp&02dw(Q5i}6NfAl%=S&O?b)}IDya>5n zwJ8yQ8JYc!%a}@S6iwqiopxED`qt1tF`Kl{p`%%1uHfB&;>!lZVv5YiHFJr{>KMhl zWC{2Jp`^uqE+ykuTGv+skwm;Em^Q`)DdT=kX5OfJS)j-i49`G|ni)3@Y;wJo$!S&A zR$2S$38F>UGyGu|;pVtR!_?SR*R{phg$q!44MjCIHBb7Ls&i8_snSn~z87D-_bG~D zFoPkYZit~6g)R~aUS}DxpYCAhtWF84soYMIIAu&NnzU!w!e+Otc|*#%7Kw=ru+o>8 zixkdK=?O&0}bW&^vU?%S2i56E=GF?PIOtYWPbwq6(=ArK~PfGmb_e`V*q(`95Yq)PQ9Y4d^rqs>FrdTf2A?LD#Ztt@@BP zr-<10yEbw-JO|D|0zQEMn#O3LZOQz>oy8fVQRE-%{rAxqpNLXaChpzyUE>2c|GH-* zS-HGh2a@T(#724!!pTA8PTWep-8A(G%)jsDBj@yg>=VSLBXskrNs7Ue*-aP#B?(Pt zkfOQ0PUQ-Po_D~(8^aiR?~u*mY@0l}Qd4)}?D6DFhyReVk%X?Vgn1Kam?ChcSRC*q zK+RwwO}ndSpmio^wwkNyCytK1^xknu`|?SdvoF~fFI8@bjw IQ1|~H9 z&`@4k9jk!5&gTkJo6A|cvjXTscZ>$a{})=dnWm2q&Q9MAHi-karcs1q(7NJ&Pnk(l zl^0q((X%!0d&=G^rJx}-_m-+$=xv1T%Eb{S-W&F!mc&iD&W}xzZ&t)y?>-q-v@;2ym*u~`=^kSJ_X;<5}=*BKPdEaYl3!gCi z^K~{66YVpTU5Kv+FEeZUd1}>P4_@To8x}OY8oV++Q|Wq}T_c4~Qui3D3C~%Q0v>Un ze(-|HtT_S!=ie}&z8f6A|M=<6pnv}H?BJ)P!NK9-QNKUn2Mv0G))2>#5ERQ`wPKk( zc#%H5t9>1@_VH9g^JDT041C)Tn$6$>H!YV-?m2xGCE%!1(zOC11*DurBF$A2^~n1X zZ?4d-JffWU>h|meZ_+njyi-_fdHiCH<*`|}d`5ZvLq^`d$jIaG^Y0CLOs)pKommC4 zUOZNT{DTt6-#@%S?jIeV9i1;tAb-CO0+~h4z1Kq`a~j!2vUv3;kjYu^(^?DT zmuoDHb3T<>MRIR9BXeJ7WOA>UZ;%nnd(8^v-ma3$z23u%<%9q8>Fj9G|M}qT=*`lE zbFa59(s^%9q;nD3*GES070c+oZ(c@Qj@vuy5mS&!N{2#<;wbhB>Z(XUXAaga?rtgZ zLrJo8aRh&bnk)-h61lKWlb8<-%Tr$?&}>eFdDeV2jCO%g<2xZOW)}Ju3Mz(@o3wb1 z2$u&<+5v+yvK4<-muQR1*7+~r{+p*0u-*R`bJtu2$nyLDuU@=-{wh=d@#W6$WB#X= z{M^~^|0gU^aou0v|5}04l0cPSypT;wFAJy(Xcc?E437Qt{(FCj+*>!Okuur<36kIw zK{2TtMJb0n=<{^X)%RkuMwdBYVFchDgfcrW3dRuE3H}bLJ4SKcAWnhsq50{|NM{Fb z6!A>wg%?$p$9#u613`6~D-+wH*hjL@Dxv@~1HSF+4`-f>^q`H-M5^nedAP)w5*ovZ zF>A%KX$I{d%}-}WJUeissAoD~v_P!xzPbG97BRUdTN#P%GLo#!p3uZhWg=*{+H59- zl1^Y~vWLoM(sX(=dK)1JI3FYU$CUjdTz7Ab2~A()Zln zwX_b;f4NCO>rTOazkS`?4zb7My@&qDxya7Ctfs=+e>gZkIX^l%I5|8Tyg7P*bbiE! z8JwOSy*>Wl{U>6y{{`ZeF)jw%9=hHRr$GQZH^AAv8&et$TUdxz?kXG5L1A@K$l7mB#cEN0dx#07~*N@sj^q19G57Efa7O?AjAh? z6d|v-w?{r5PcM1aPF=itl;4h*H02EK%vADdOYR`W` zo@zD?sUHBjjP_ewk`s(|bq~IRQH&zSfKNX2Tq*0I%4IDXsTcV0WXD&434(V5VLI={WX zfDir({<_6^*Kt5=Yv_lbs8A?P;ceC{*?tOmbr#xgr+80yv){VYzrXHmlKTs$1I9(|yQ`shOr?%TFVM4ZgQtM7*bPqZaxKn7|rz$5IAl)-AVn%;qK7~al zr&QLw^+TVGxv;snh^`B8k%gn5!IrCM|6)0!r~rPi@H4)6VARcQ_|C3 z9$?l=1Lc>VYev9aVl3|QkJv`f#n&jl9k8V_K=-{n%cM=i6)By^@KTF4aG( zmDWB6wJr*8(#+d=<*W!nal-UM$o8i|Qy#}m7bxOzx$z9RJgq2*rW8ORmNlCeoD(r! zr&v|bi_469R&`A1$4-Z^^02C;j{jwWV`0via~mh7k~&;hGe0%itCE!Yl!rAF@nF zsYclX|2h{Z@18p;#jmPVZ1I)J2F5KPI*0SpZbFtyXO2Rb@&u2DaMqYDQ8s5{nJQca z{OWgI7lBc;$g#DS>hlr-!GAYn6oTBK``pqj;*ixv56z>=GG~ozq|I=gu99F=R8~Eg zI-~5G(Y+;UG*(bxK|sP&Vl%=Shhb@-(sJrMF_~cMjbkG7f+Ya1DtAtR@zpf4SovJ( zDs5Y!ZmY+K!3iU`C_3k%70JW&yWslZtFQ}+8u)f=C7btqMS0( zSZk!5OvPmSL5T06Ll`Ung9QCy3i|K@{5B!*xZ^6WuhY5Fv48)rAt@@tQXXIw1-T}z zN(0Drvvy@52~$hp35sJJ55_R`0u+PR-$3jA@yXH2$0y+E>`XLFHPIe?;Tk()?_Ptg zR<8}P%j-mX08$Vz0n^%bl5-)M?OdKgnE9y3yoMyR{sH>pQxM{?^Dh)*w)B1agn%hu z&wyg!`7n@hF}b%2!&vXV=#f?Er<~$I3(b5O2G{RA-YB}xPc)BbnFu# zGmKLV+!&HEfCTuIcP5T@DZE0!!#5$gMHIjg(=m#bPmgViCaeJjm(T;mr&GQXzzvQG z>hf-mLqZYso`HW(2?aOMryMpqMk@4$4UVo+NT)m?hvUxh?rO*5-=WV>DAQ=kp#VD4K*&YpfU7!GX0SIz&=n){QG65Rj zvgdFF{jl5ZinQax{ry7a9&cL?oAU?Er8~y?+5TqiGnR>`D1+_Ur<0T8lb>FL4>)-Ij;QNneVg(R-gJuXZ^vOo@jlb2tlZOKDkNfBQ zt)Ber))}q_f9rtyzIki-KnqdpQ*O83EKh}w^prqR(SOVr$wrp zd-XPoG0*J7(b4POBt+}3*Rc`fKGpK=@%y8FdFU<bnu3^8}vW%ye<1X^38YP3_(wboy%MP?=v7o7Jy*l6T+tU=;M1PoY)#>mD-X}xZ~cw&OzC^@9rzdm z$n_hUx?=j7(05h1P%?9^!k$1UL}14@Z{LB#F>0QSd62Ry);%8&(J3GK&e;+)x4*ApuyW%V^g;AcboK)NI zm`1SHFra+H#~`!#6YWd_L*(I!rNnHGG%lX_;z0x=UO_=e4foB_soI#Nshh7HWM%kRD`fp^$QpQ1kt$9U4JoSa4qFY;OTSsXb@mkcP zF&1vSn0<1PeFqMtp>0T^7w=Sh?Z<`Iq6c`Agk7k8<$Cty3|R;NOl~9n{%s9G8LXgOaXd~GUekqdG3(E z=sm=DYNL3=cF_Qaw{*<yEQb#%h9>iCD=!$p-a1X~$82g49+? znRBV_sgg%;j?a>B$@G$-Kc*<8(p)9LLln7;xyL9*vKjY}Fi?f%Hy|h&0!V;|-RT5{ zthFENkX|^RAlmgO+m`_zZ5!KEKg84@-fkPtf|@&DvEw{D>hHI^$Ax?-J|{nPEpv@==vF?YuvYfpp%rxV-kH#G9;aA<5E78Y%~TtVC(r0 zI=HX7lap`k=%id~n0(CShCG4TIQrkyqr>x~H-oqR!TGPJNBgbb#>Sh2^8@MQ6&D*W zldBqhhBwZS`sYHhI}{N*^aJE|7tV|T5IHuTm$-GPS@k=Ig~)_%rK1wR})>;q;s^frcm4hjYvxg``$03#^}KqI^54MFD| zv=k74txf0$%zXdLF8B)I%@ufZ$9WL6cJH6GHw5%f>rQr}+=zEsQd$sVumA~+xI!Zi zFp|!MlL>u^go3v9T8gbd1nPK5nt2eg8RBH%xNnF!Z-emLtvfxR_Z!+~EN=&P|2w&# z`(FaT*5BHiI?AZw#M#M{!sQ1`Y&L~_P;B%JOyDhl&TV4xGD0!;TH~-b_R@is!#**I zCo8~BLXoTy3-l2rgxQkoqqEb=R@OvmKWaj)3A-|TJ2(~oZkAJ5(#pB%j3Z{3++e)rwe z&iw^&emwj5?&xfAeDdb#fA=rYmna4;<16qN(7SL%hK7$PZ;yZ4=f{j%7i${dLRG$7 zT^*Kw9j^Q?z=a!$i#?Z+AjvuDubEgAWAJ^bt-W?Uh!4`BbklFM$KCacPg;t(?^PFb zZ*-a1(Ksms?uM<;T7zMeiTWe zTsgfYr(E8#J_;*t7UYpxWRi0&Oe{=J8dDlAh}_TT=cf;fn}LHR`ea$lQSYi_=w2P% zz!-&y5XFpB)^&+iz`U6X&?lMKJ~2@if#i9Ene>>*H;< zNPHK`(x2Nd?7Fc|xzqU>JUN)sF^>Izah3iW{D@$TV(_H3#Sp6BF~wIXYy(I6*;;po zdQlqW=a2pK``6Z2rytMG2aNIh_uDY?Rr(*2?nvvY`@cmoqV!hWB2m|QH;);kk=YYLgk-LvbT5o6 zZN}ls!pS$#$a$)1`dj^h0$a?|DUA8}8XG4MUa1#a%JxJYYC-q@xPN|ha&)%8NiNi4 z)Rj3?MGe#hIlzHpYMhc;b0Qp5C%K2O&?H?>n=a2)BVBPkah8UNE$r+nwk&kEJU2-f zYKjgv$pA+FZ#%yOr=`$xF08aHn2>fx`z?IMIEyvSo!c zsoF9$o+W?&0s~@(*B1d)Jm@~y+Jc^!f3elm5NAMIlqV0~{Bm@5e%wEL!{+qh&6~5M ze*dVyzs2;1EW~Lpo3^D^@ZcGnc%F6Omw^XirA^858(2BZCG|Nplz@t^Z z1go6wm1`O04hJrZ@fWk0Ux7_-ZTrnx<%~A}c1AfzdW~%I6g-b6`J+kxXp%pgA$+$A8&)@gE$K*)m9j&&7IPzT@5dDq@#AIFgAsA|a@tF<^QZM>#h^=vyK{dTu)dM+}%F5PNxr97;S`&3e~6o!cx zqgqZCFWQR06X^yKRBPC~pcjfn1l8Lhni~$sc>s_sn??mvvehf>uyCK3Vv<=pwCzI8 zbu8r2;MFSSn@T*W$4+gwICs}&?u;DMq|tpBa%q~Rvka;SDe8GqlU!_&o3+Q4G4k{I z`RQqlDR%LCRquZ=lYDlIoCk}|W|q&?_iSCyF!{Vd-kQw$%$DmWdA+^O*E#zixpupo z^J=m49Y#i8);2I>3pvPI1l;PuYtoO7u*Tq&6Cr z94qIfdK#!&U$iqPz(wb#GCk(Q5mdw%us>9ljiMq!YkD?FRyJMiVfj0 zU;op~z$fDqOwSPXZV!|X&=H*OxJKI(9CD$80-o!m);!9PqCOKB0$tKizOUgbCXSMu z?fFYcJoNtM@n^B0vi(1kg_lwmF5&|y-~adaUcG#g-v96JJn!v1?*CWuQ@;PtvOt9o z;Ju+drJh-zvu0aiGkrc{)HSocR^(94R+8?XkW*=oL5G!@uwpJw*mP)-~kr|AWgyP8sYdMq?qsY^~BWWX;OUnFQDgSx^E~NgA zF~uS+yKtc6m3c^VjezFtl70qSKKqylMfWL+z}8k0T`vClDvoRG^e>zCzNSOLBkYBi z`hN9JBq>=KR-h96da>-rm(MkbIu&~UB?Sa7Y5N7cGKxE z#+Xofx~<}Qi~L?*-;@tktfqyD4MwxGhWV;!7{^@DX&OY>>qr_%PRqHzilvi8JQR0P zl%vFc4@LN3a~Dx6qfl$8FExl>N5uw4KGaf`Sg{jy2!r4fx>u(LB???z8j9Ry3hDK# zcRu-GPBpz2IaD3K90fn*y=!SlnZ`WjOp_kCMkY4I9%7?uv6G$`v#5Gjj5QimJ`2Ma zBt!UjVt5;4tObknxp`#qMOoZ_xA2j}*MP&>)I2iyq70rr_g=WnXgc?!&~C=t9`59$LMLXB87dV1I98l!}$`P+<3G-T|& zm@#iwrOr#_zszQ_bou{$ueX%KugTl*|8w1?tIvc@1}M<-aXK%PNIG3cU#X zVMP^hEe!c(`fC_iGt3Y-hLOkxa}5LFL_C+Rv(5J}?qGsw?7Kv}A#`FCf%wmqM!O}M zYxsNV=18)DWOD!G_#qR;nWv)${4^jU9e8%8>=!oll%#Pb1vk5r=6W0}74_SEYJ1g1 zF{JfJE>pTj#c;<(+!duA9CLrC7?U7(8l(P|AN_)2e|Rf*$8GZpUYVj=8>f(?=t^=e z&8@y7h_)fJ+xYp6EQ4cQ93xElO+kz4r6udbn_jgq%dJcL2+Q&m!?tTVlA7cYOOFC# z^(5VAH8)Klb;lVxR36xjcl7*j%H7!{iSic4-Iwzf@|550|w6Tfp& zT%7U!Uns_f8Q&M$FEHzi0eegYgaVQ|%zwjLM<$RlY?86*V7l-nRp z%-g~~%3TpM^wOK$o5&p=C5 z+2f$xF;Zwf=|(_5guKcX9eW1t|EP9U(gdEJ)X=LWGt7NZgR@&QtJ3@-lh z+fL_)-~Y1pxyygK+j;i#zWukYtFM!7A~bP^5dGz!q5S0{C?_WoptuKF->_2s@4e>-dy z0cYZXo$k&~4>(s2*y`=SZ#hc=&4X)$`u>M&onw{D&W2^m;FMU%fIuIpwcfyVRwX(Wq7-Q_f6QZrNoFW#N{TTuisO za#xGc*eHqRIDC<_<;_+!TfuC(vW3alA765OiShNsR!$aDqcLw0&KHQ2m%5^1oIgh}p)Z4$>c8zeKg_2CTXRtD|7(HCVB zh{tBGTKepLi_&LrM(MLxBz@{~2;X3WEf+C<+?q^-VNN5NYiSwk$qxemK{(|3x5y#S zXXKFQOW=?!qcH8!-7y(u*}M~aDDF&P=npfoCsAOsP5Oi-9g3b}8r79i9zstj@6;OV z#xYVHkguwq+UoxHJCEibLKlI%d&d~k3WnlrTQf^qgTb?;C0CY7PbNUfXchVaxWC`% zbUGV%cNG5$Cjr=+hJ@iR{z=-Zd(&-OKxw-|eX8FdI@Ia$$MR#1|1)y+FMRo@D*mtc zqW9|6%S`;=%U8YK$N0Zh{M;4X|4Fex#pNH8+;TsY&yK=try+ekn~SnIidz=$baJIU z&5H64aJZxSZHyGBnK*4peW*Io8Tu-5Z`Q=y^V~M`55=&HJRzTPA=qTk6QoJEEY#9W$ z-1E`!J0>nOUI<$D{iHcI!|7XU#XO*?v}{$eb}C}IPXBLDMLf^Q{$0C@*vmJwtBB`~ zsE9owuhpintIf|~scNEf*rlopW1ljYj)<^#t{@L8v_pO@yIQdHX+_W?byIgcBkXxT ziKh`0N0(D?#PvgScX=0=m3fLRIe%J0vnFp7FHfK!m|0?KN%fY?(*S&c(cu`mS7bU_ zPAGG|<&^^_LCD}*(JFm0*_9tSHjHLonzd3_&dJ0x3|&T#W#x>j1a>(9*5>kGa4?;$ zs3!POindaFWOhNAtOptUCorSr%N`rk#H^li#e`^FojtbJbI~ z=}9J&Y4^nr+vSi>;17{|>jrFVpysj-90~si?6J>w@T*rZlDbt!b_@x&?xjQA*pDc2 zX7EK-TA%#BA_B15Fz`*wyE%VjL zXA^PjCefb%KsrOxxmNf!#Db;W7G@G>bQ-*f%XPc zC=@}}Rww~%@Uk9Hl{1v8k#l)WQpi*$?36rUD_66Ml&X{idwv_$+~_Mb1(F}|G^FReoI-8lj- zY8H2*0PY%~U>8li6-lu+mAieF+Kb z%;*)XAdJPGnI88V#@mMHw3$)05oH_eQqRe@$VQy={>*=1J)euhwj}C#C+Zcjn`MbK zwIV3Pj!5kC%Od?cM$r2h21!!xMYppGon;8x7g^{!j);ML52j}*q| z(~ze?n9=FM#w~Pu7@(IiY0^x)KHR~pB3^L^-!Fz~A5rPE_;|wx9s8C*o=UX8Uk=*e z7o+{dVrakZ|B`rUXGZsj<)HgRF}l5-g{L`XXLIXs!AbA!EQbueokBXy+w1&<; zFm=uFn<#UZSVroqFtJopQ09@G5yzjvQTm|r^`=pDi@)y1D8j_2IKHjH_~)=vJGa@6 zWio-Gr`}&|U-}{20E{odMaR7W7jbk2RG)xN4S+##!OK0k)7YoCjJwd6dIyazjNqjo z_|)e_sZn&qOF--Y+8>-9^*??(J3P7&B`~7czxD$(LY}H}8c)Lm@`>=WxXK28`MjO{ zB3k?uV;+ucZNhrKPHm$LrBm^XM)$&voamJeRY&&86TM#%bum>iWQ+9?Ml5^$Y{q|g<10p3P(j+QR_qn%!NC~HzC;c zUT=D!a|Y~=r3*oIHc5|)rM^g5jh4BPJa>_5cTqHx^JohjcFR&7c0p51NhCXwlU&~E z)yCsX8D%4F2Enej_EMUN=Xfm+xbLSs$!9pP{i!j2aXxg0PT?Jz;tu~WdvDquw~Z`- z=CghUhG|dKd15cJBxjVXxmT9tL^ob^)NyD$}FM0$vSBqB0}|yf@paGL4O4fK@`NDF$_isP#;;&*g^J(6gCto z8z%KvYAjjq2U@4F_u^HW%(F`A$>gokWHoCPcD3LN%@@*9JEzvp&L-50Pmhhwar^zE z6%|Q`-N&V_pwka+U_dg7(o!bbG)ABg40Pu(&@;f*+2xxb0lGsL5VD|jex_Z0hFxW) z?CQ%*r{Ea{e+ReFVW9Q54|Ai53j6$O(9Tt#)L`r)Q7~P%LI7@<&We@Uj7lRS^%)=d z4=cUeo#bUJk^IAI%d9$&q?91cz{&o8ck z(fX(dQvGc3H^01pd3O2s?CNYVeEaS+`V!0jZD1hprjF1~{OdFC=2uwgb+mW@*qrHv z5l2HqcPRJiI1tHw`pXWT&JzJ4@#c{RqK$UStGJ7#H*6dR;}>+FTR_6E;OpY?Ve|0o z;ey5b$m)35MsJr7;j04Q4v$YyFV6;pjm{~~V9LAg8+AkC#%ywGC`0wq?Bv! z>{M$j7vUln(^l3vwHEW)N}$%7cv9_h$c8V5)V%Yt5#R7=>X*^>nZqZ1*e{ROUD~5$ z{{Iz5_L<*ZzrQAT{eH={h4R3&Rr6&8yKbRNd--g4*EHMRWv^|m+bKQ=MIVc#D3a}X z&^@+q5Md5Q$F@xnrKxz@ooAE_D%(2i-L7-QoU8Uv@eDe7p>|WmIg1hH5mM$8R96!Z z`@uxfnj+u`V@A1DS|JF|Ljw{COVZ8dnivf2dTpKfF_^LegQT8gKbNoT-2kYN-nak6 zjt7k2y~s!tS@E42!T|&34R~e)UImzUAbD}P8;!cdTio8Zog1*7#~v_5W{xLfhW*!ynF+aOs+Q8sA5D;`VC5TS3Yu9Nh zT}O+!Xt>S|@(`tuYm-F2@{8_(uYLn8jL->$SQ?{~tu2Mp$)?J1I*nY!zy1I|gmC-- zK8W3+p_ysIkaISPZ<)}x$r0xV?GGi)^>!xCMu+%T$H#=l=_6`u?B+=iP^~z7XdPX- z5qGmXQ(dH(Kkj0=SCsM=V)s6RlydyQIr5P)!ioY+I38N~29f*W4BKd^+<-qQxi5sJ zN*v%}8@2O2ri4T#5|_q8mWYMoJU()s&-2`U(0CozK{h`(&{@u@_ z^!;Jyd(JX`x8!-AgkUNCQ_S*Q?Ir8XMM_gG<cIj)wsZ1M(t(v`r?c=G6i!;y(p;@`&1|>rS?I0^7MEMXJ{w> zQ@;U|ZZj&QQ=v-wc+Bgbsj8iGTI`P*wx8z@_h?okQd29eTu@hI^(obuFk!R#{xEE%9vjZe|f+J@XsYqWHtQhK$QQV4C6pfdwv8?dZ0^F*#_vviwU;OI_e4!qn6@=;5*noS-Lu&6 z1*hU&l?yq|^~i9YnWJgqEI)`nnWADH%MUshCcMH7&BPG1h2)n`+|3N$Wt3m2Rz=6F z3R_S-BZB@45MA4x9Iq%z$NZipD|9SLD)S$UBT3yW2chCT#S>e2*YG3q;6|S;r=_@+Vb>dvuWe&DEYZhEDoz5Xl~6 zCiaoIFJaEGjgAENBs?wnbg2(5bR_1%k?0b+2vQ{ccEzW*UO`%eO`qTqGDnVQ3-=5} z>Cs$(kj)4KrE=g%^fE(?I2K)^1Jy!ar^mzF5+3PpM%d^*K$AjdhLL<98pw2Ct{82A)*hh_|kNTC8SDpWn7u}j zvf=LTaCg|Np)S&e<1r?d9;mrRZ)#rsMYEeZ?lb2_mp0A_!Q>EJO%Vtu18!ur46yx- zwt+)|hk=W|2_k?7zK;n*Hu&AU!T?$p@)=-LhXUfz>m5J>Pu$!J{0V_J0&oHy4{+hg zn{Y8n%=JjzlKb5=_*9E5H|lC@vD6a=c8QHj1c|F?SI!Jk24{XYFpCUo64ju{73RHc ze3x+Z7%S|}(({a^iwciiQ?4X{CNmjjVaLcFcX7Wpp)Z7XD`QbwTcdW;$X48Tu7-z z``nWzU5u}Ti%5OqnSi`rvyxdz2K|%Rb>c#27M^`M^el6i6q9QAN~OI7+naZfMSpF` zJvKdQBk2IohW+yNiqT+l*5Nb^uU=E~4c#0?r**s-Dedr6t^^4Rl*p=L-k{@9SbP|T z-l1&RFV9|32ABkToGu2Ty~hEey*gg$wH4HKr4hrF-em(itGdcMMx5CNL1X6*7_~gX z>bSP8$*(1c|9m9czm|=BQJ6DR#qUpa08k0|Gu8!^!t zN5nb0^${LBYo3M*nBX%qJVivr>@7GpqLJCcM;I7J(OkCC%xCx6ipq@x(N!%@;=Tk* zV9-+SmW+ILWNw>I;qLwc4Q60lZQSHw*0iM)eAZ*x%XMKEE?>Ap8oQaxp=#gP1kM!e z{?q}g15X!dq5}HMHGwpiQyvR6LxHQ@%Av)qNw8{|rAcBM%HfO)__wHgLob{!lO>wV z5XX`+g`KQoK>2M|lFk~?^08feY+Bg@`BiIdAy6$nn%tIF1t*U=bB#_bUoSLM>eTY zQM}gebnRS4c6#2ja2zTs(_MpZS#(<=##sSncvgXPIRvdv53=oQ0-X3g=XtRdRjzDt zby^r0HMue#uS`4mNLan>{mpW<@MiD8_&3)29c^+i$E2KC)@a_%WaW(Py))i)ij;kT zzTdeHMu>QbA=+_pmp8Dg6lr_cm%rmeZ`+7%Qb58q%LMYorXO9btI@dn;`7MeSBXf~38nu<|9H|qQc z0WEfUCFfn#j>@R$LQ2cnw2VHO;E{*9&d`+E7%DX2(8R zFOTR53a@K!H2wGH!tvzT8=G@M!aC%f*2`R3C;S$@7r2As^a#j7W=G!~T9f z--GfM9cbtGJOfViGIBsGV^Z?CEzw1R&|J#H$cm4ZIjQG<_DHxB{pwPI!9Agms%J9U zv_>iouN~03(L-D&ZHNVHl7UH?ompMUs#ayr;N9RF-3nc1T48A1PLcQCqmVgt>~Ib* zsYi_JZntha>W?@+ep1Pp)FI|H+`8#x-e#1Isl_e~q_oUEBj@g z(^EdU+uJSJv0Mjv>44nU<@X%HNZ1)ddym+zOKL}%E)|j$vbvT1}!;xrL zNCW(6FYB@J^o>UQSAYU^$~hPj^z#O~Z)keB`@P;ABNZ(UZQkV2QEd)qR1USIyP9K7 zO!ESf!4wiZ1K{4?5Bo3Xfv+5O3cN#~{}9dzpw?Tj$lME6(VZ2V4ssIEaCfB z75OFNRtj05^;A#rkt^sy~c#P@rld?0ee&$|-*^?G9eE`ii)()b1uKU_X!XD)56 zT*p{wxQ`}J*F-EV?2YF$Ak|hB(!7XPY~~MH;Jav8ewkP;mW5|Nv~of_R8{1~8KQYX zA;gr8q@^uVEfj^*&zlRr76+j=rOwrE{CSl9+Mgerh1LXLuPEDbYqXx*qE*PTZaiL2 zRG}TFDfw#(DRu8Lr`lcz{~Y$AqTp{}U4O<@We8Y1g_`h z2W@0g3(ICt;zM6KlALgo8g6`OP0>K;D%Xx7F^MgY!?30d zY>9qWY{l1`l~wCvwV1&g5IaA=Tn)S~wJ>eKN*pg_xtGwgJA*SH`8&g)j5yvT@}`R2 z);QjatD$LLOrp0P0lJ-xGLVbdlAF}$n?P;bA;aBli3DoPR_4Yz(e!-itTO~_;=L;! zwlqK-JQmbQz-1Lkv7cJn zNS5g5P52)VHDP7)y2;vab7%aI)O`MtwC2f$OMcItZ@;(J2}9}yGejJ#97Xdc>Cjg$ zhHTjHr>4^HCFVK~=a4GW2cN*0w{Wo6PHRbCRBT3xGKE+CId64S-ev%iV!hhd5-YbI8%X@}4#A<2^pbQU_IcbE2B3p2o zgw^}c4}N&j`$vB_#+rFf@tNZ}vtSkhO~7G$7Pw=uz5KD1GgW>%=K1VsySLZr?YHx` zbNv+Cj+X-&u$`T*c37?qC$9pp$ggf)_wq{o>g1A!0etn`eJt=~`oL&~TQpY-->>D7 zw}xXf;*w_2|Lqz5;~6z#UcnGoImXaJ;Nxebt>&|o(Xro8oHetY&#N*y%4M1h>oPp= ztm;s@`4aBBz83TY5!yK+2r@K4$Q~ealT4Ob?6KO4QfC$3ryHx>Z-rOsS_0QR=$^{h z;)!z4*RYH8Z?0>O&JHgYc+7DJ4EdZ`_mbClJ}HtH&R+f9m;a{woa1J=T?al zZfIf+HJ{lXzF%YDwwyE^MR-ag0$aKr;#(d5S2&F}_%iNl$M}0}&m52c`Gw)_>MneX zZ7m^`b$|`QVI+|%IYW*~ki%KWrSC~b`)h)SCy#_9TbHDieOj~2Ccd!8AMRd zKh7a7R;CWaVIw>6e?j+G_yV$N9s%H>DvM3O{xVn?^Xwdv*QETT2zj}TlNgS=C|=E`GbHt0a;SM~z}<(s7AIyX2G+So_jBs_ z)VLE9(bas)!qbo6l$%RKsFo*f6J?^SxfP7m5nJ*D`Ejl;$v<)q{-mN%aOP)FP=twl^@$pRcYi>W^~DnEwES z99UB{gO_OHP)6?S50@tDl?=S@PGl?1E-O7@l;-^M;+GTUPnAxUYHi#wm9b`69pYc- zlE^R3qH*94u z5M(fQ6i+#kpQ0*svMv-Q-dtV`U%q>HHMqJwz8JnAoLw3!%BTU1*7oJaFXCnUQ2xF+ z9t^_YgX6*L;hVFQpO4?358kweK(k7brW`U)2sxHm8wv4nNnR0Lnnf?A8Tkd>Uy6V( zb0Xm&tX&c|JQoi`nRmgdrm!zR_SP~TBr!JbYF+^SgxDKoO`+$|SsrW>5Lw@rNDiaM zhFD49yisQscA5%TRr4<1;N@e;X^IX7ySSySVB!Y&mKVBKI2Hy?{lbt~F`(Za}vXVB*h zWC|~*OmEU8ne+Y{-LFX-9}Z6v34Lrj*@y;~csci|YOj9Q+Wmwv-~nu#1(=mJl2viI zA^kRdu@80jOnl16)v)-QNRIfSMEi{%XKONG=Iyn$ELD2M zktK`i!y0V_^F%*fCZH#a(@ij!#_>KPh=()`5ypA^bpd`sR%m@I5R-2f4Q+YKJ~^u zqg@MjEW(VayEO$D;{8(Us(vkKTCqZwiV>`7gGfi;ljBFSH5!Cjwtq3>g$GcMIA?b; z;{1ddUx<1*;}pAuXV7V7NuE|mJQv2f>b7%0T9EpdftHhJFIw;V%E2tR#t*xUwYU|* zhqRm&g;*147iCHwViz_1O4W8P*s3XSiS-^fYos$@0>h(Eeoj&Bq4pg5ix2DZ<_?Nt z1FR4AgzaZFLTL3M3#9c-o9TVM9{qC4`RxRI6uao^_29vM3`MnK-A$q8*FDfTHVsR9S*mYpJO|9Lka76wTK7Y ze7jM&H6CA_Uqlxxjqc22f^2rhN9a2mQfQ84ED8Oj;UyMRQawm0gpxyM>hdc=e+3Rf zCn6E%aloeQ2SjRO2{cMgEtY_4%`Me*0v~f)mMY4cEw2R@bCHhd*9H<`Ngv#(YW2>v zgy&|sKf|G(jB^5|ZMWQ_OV6pnU+;jH>&OW0ZU?EuCxgm0J&?o0tDJH;xgqMxUF{{b z%G`ZLiBxC;rHQ}Rf(tk_5n3P)SYY%z;y>eIf(@wQuN|`=!LgXa{G9vj^*rV2*GtMXCoadW=c8r)os7xacXQ453uKJE);saK75mhe6Aw!< z(e==(J_nv0U7l0&vSce_+yvPWC;4#fxTvO5Gn{x^oYeJd$|GB=srZ*L%Qp;4ZHsl1 zGD@&z8KZOvME!zZIQY4iua-8X6vw{E!{8BK!%Ce5Q9Ql%$}2)yC%MsLh27j&jR3j>4J$aSd9$q?lad2?Bl<5-EG;`O zN-14AHCex4Qrhjxv`CUCCoC`Tb3CqhM9eSjy9$xw%c6Obe6<`u7ivYFE{R&TvOBH= zwe|{8t8!|xemQE@kG2-|_eI1?DLirob$x1aRMXTN@PF4rwR2;53H7ES^ z{UTK+HMF?_n|99W;CS%5m|#HRmy%_{=F+`z5xYz@u9e<>9is96l3JJjf=S6>Z<|xP zh&}L>v@V;&&T92d6?WFjFuxA$JXlh3b5M$%W#_Ue@hH?bY9wnvEgpf|CPg&9I?c_z zX!!v8n>pxgqrfRq;LN$yjT)y><80tCXjD0kD(4G21R7n=N_9CYVxevm&614cb#t9) zwbzNRAK`T(aSZWOGxt7`_`1|(qICNb2!*$auAkIxqI#2C=sHo|rXS!wQQ?`^@PWNJ2)fpuV>dsy)so8z8LVr3+meK7dvHB?~c{k=-_rpVJ zXn$BzL;FMHTDK4(e+1gv5a7AjRK608Z484lOpQuCq~>-JD%z-UOH{ZEu6?7*ZB)7Z z%+L^H?Z-x=*KPE=U*ZwbD0o+@;4LB_xpAY)^aqWmcM(!W$s<(tCUZCD>U(7oqKYh~ z_|5H20j5y>t3E#!{qH<;Tu2K%Uk4AM3$8wA8l~_G(~JaS1S-qv6@eagAw%m=Y#PR& zw3ZL_xa zI93iJxT#LT{tu8!!g`RGg8d)!Afke72%>Apv(G6oMi{$BqGbKHN{VkY{BJmOli)Af z3}413IdKEZ5P2&5M8~dLrm2PZ0=xH7eh%XZ`_ihQf_<^uPw$HtiS)&z;chRdL_fWA zcKcP>&ReP}D>erNRB0tI(YSL?e}%4N*OLx6$hd{UrTK8uJVavoD3QtCvae-E>Xq_i z4kE}NFihYCoe*Rrk2%n#opX9@S%^}ZuSzD)PQ#Vab0L!S=f#IlgV4N-@lYJRR z{zs9bYsD!Ri=jQxvV%PxXh%8CilH49$%A(MaXDyzqn;4bU4~{pKl`Mu!E`7M5TTuW zICH;Q^6B+@y@S0y@o%r!OaI$H=$PJck8&v&i@g5FKD4F?4DguULW0069C)@c|AX!0!K*e1JR1>! zJp?cTGfdEy$eitr0)`22Wpe;d2tqUDG1>uOfRJeW?Ypba3mk8Z$xIG`pa~>4-*^`G?};;+GJtPAMCjD^8$wYWVC+-_c#DEcn|my6HuhJi|#Ds zGvIiDGhD6%Jqv{sidydg(K&Acj~H}30L26V9s{iyfNX0E05E0DKkRmIZ*MzLjIx8t zq#I7E`}+Lk?Cs#ptcbk&A!}Z}~Eb)euYUc;J>e%<(2W zfT}g#($^veP&g=uCKd~O0D8bU9)R`%j36K=Vt@( z?h>55dwY6*b^h+{0K9tzj^F+p{Br*GbO#`ZO%Va;&L@2Am;i@^4%wZp5LLp?IWF+O zsgEpY>{!5s-Xwq%1Sa?fNgC`UGIJG{@4F$-mSTJf;)Tr_ z^qjHee{0iLw(T+y%qNJgGxpThT$anEQ$8L4~r46JN1GH{LVQ_d9)>B`)--8js*N9LM z_Al@JzEp1ykAOI9-vd*OqTT+npoyc_$NUe6<}>>FM@~{PVJjHxj|SKV$rYI) zYYIJw&g7c7_!be+E`{q6P>YiOV1VC#1FZru9UXz+jls#~@f&mS^Rcknzazq{~|^43#dqXk>FrZ_d#2p#?jy4Y8dKtdV7 z^dY6UnAlxnnO1Cx?}qP}m>;tA4o8kBe+^aFLlSr$zK3)6e0Z>hZ*qFz#7( zBwpuGGAi8#0TM7VDBGl=)!U7)FEn-+ePDB1w5A5SgHyPumsTt=bqF)>hvrM$V$8OD4m?(A1cN_+1Nf{`_agy{`t8i)dCSuC`kD zaON6XAG~SPG?!|gF97ZK`sQr5Ybsedub&ukA6kjG#FMZ8)GWTng$D}}`IwjC-oqvN}!9o?K< zDp^aN+*?Y^CVFt>0;_^RoI+p`ku72!5b_uzK5-~ART%?x01y?w1tT=Z1V!85nnG`a z=#Jbdw~&gRBTi$!Vo*($;~=<2U;+g~aO9ji))ZKr*UA+BlkP-0Up^Z{82C z0CcGu4S=p2E|kO2jCQ0H;f%pH&~KnRO>(*V026$zWIpSA z6@()ggdoY8g7h&E7^WD`tjr`iwTNCVM0(<8Dyh#hG$-~iOOYK_;3PAf1itFCj*G`w zlHZ-W@tC9NIMJKQ-goTC8#a;kLEdmIMD`Mc7w;vO0#$d(S+up{5(eoKGw3H(f7xA> z-HdObKi^(bBGl&gQ)-+kQE~q56#3|s?Wp9|Ia+-u>7CmB9-KyE)KYt>#QMCHO>eW7 zxs}=FemQ>i%W=xmrM-&`8``_YEOL1b9JM~?y-r%=mKkA{9d2R!TXJkCKcBrhzC8Qs zd~kL7?`V`qt(>7RYs<>*F@!;)$MEH{Jzk!jUL3zYJsuvPzBzw;d~v?s31+)n&+NL; z_d|sZX#LL;CbFtphG}Z8KT*rqlQK-@FnYqsa`k#pMxW>N7m1gYB67n;56zn+4!eMwS8Z{NY3M-l+uM&lP)j;`-)^m@^Hs6lhcgAvX@%qbe+1`)R1?6q) zs3isVP_C1OEf|Iak6P6hCFN$tUnMYB8L;I3zj{3wo*chAe|>gweD!l^x(ba}aRk_8 zUXEnAwKNg~rx3}BVKkD0fJF!A)ItBBY zYv(RGGi~FREKGSDnf;vHVsOu!X+! zMQ*bBCRe__!nW41v0}w}QuQiL0eNC;jN1r57V5fcx;Lga-S_3e&MBjY#)0bR+igr+2nUs<24*1H@~p_6ixji za9z2ba*C%*sMZI_3W&q*Pq4?(UCvCiW#Z)tS2o}78n3bAIeY~fbYz~l%-9m&Bdj7TGy3RLG|Mu;qzdpl z9=6c{xx&LMTS5OSFn&Ddz|FzS@Cz@+u#a6lxgYp^E+^RINbBS-ZDCP?PsG6j*e;|r zsk@5MDP2VN?;=vPDYTDUp$XL)Ck)X_iHq#guc7~&cpCcO(Eo=1&qeFff}fCw2;^IPOz;dC8622k1AN~t$<&kB7g3@d8?!Z~;E99m@lHZr zy-*ux(tL#x?J~1kI1leKDJ@-Lla%W6Fh{k@0arLsSw|ZujEx5KwWL)nXznN(*&)iA zJVoxTL#N#-#@B{Kk&sO^l3z_5xriat$F5`D8^Dk^Lrw85ymgkYbBp*%ZUDpV_Y6LR z{E^mOpyDLcGsK_`8BCgy9PC{=GejAj`RVlqZD8=jM+@j7iKVf^HZ9G{nJFrZGsuF- zM8aPc&oWvy=sSw5;p+gIHSON?4Pab5o^1d_2run+&OC|%SZ8jkXx3vsi8j^gx0UZv zIw7ZxnVx!3bVPkCrYkY z2&Z(7c50PnqTFJXP;UE1!kbAun-ir{+>&y{OGIGSmQZ}|5aeU(Fih@i!0ZasUedgW#3Q57iTf*2Y zM@bz+kazQn;91Fu7S?(tWT5O8smVAfRf5mR@Dvf@w_EpYOZ8cU!E5V@m#aYp{FC2eVCLQdsdSs`eAG)egzTd@y?n9?;7mHOheR~Q5yD12~#Mm9CQ@ro$`P;Sk&mU^y zlo8?4uBL7nmGe%o{PWbj2aL$+B+KMZd+&j!9dQ@G{lS?FL)`5eb6NP~XCvf;GODZ! zz#OC|y_W`z>sV;GpDmTh=r59DOZ&Cm+2;4Ce>ZLly6z&w=+&NAT`wCF_G9`E1l%U^XX&(&l28@95U=X)=*t& z3jOrwqna;L^l)FNn&G~XwhCTaaPnX~92jMgp>g0+#KL=3G(!02t3dc7yeS3&cy1J6 zkT%VON4BCWF#B-kc*8M4XgIoOX#UmwA+?$Z>D3Gu@`rWq>HNtEa$HPTH65%>-k|<{ z<9M$KLN66O3gD@_Op{$f^7D~_L!)vmm+HqcdyODv!`F2S3o1;uswXMfcZh4shAR111_Kd0dZ5;^bfmTk!7rV)9>176im8G zGdWa!{I~k|NZuVb!)ORb1dIAJJH<2TQXB-+)G`shMv&*4~5Eq4o%ZXNJ#IfqKUBof# zR38>!5|iG{o&(byL&pWCNf0CV!07MxjPNgW2JcMf%uwnzbX^k>f(ZqtNvUfR^p_2O z{}6LZypv~?zfu_5mha5}0~hbFfEj?+$7o`o4_hC@xqZ%S=95S`f<6dTYJ(4B=R*;$ z&41PZWXa$C?io>Yi>ZSi+TkPh|3jBW*4pjL3oJgkR61#{#9_^(ilcc1qKHBFB)nm*eIX1E&Il&$y*mV)1+JtL! zCxRbDs^2uDnHY2#39|?d>6d7!gx%6Tp2RvX?ByhToyWI{_}4E3&vsE>q#oj5nDQHpzQsHVNZ@8giv@gk#1g`QO)+u)Bf9Ne{~!$Nx*tyhGuQ6V zv$Dn0oElc?hLiHX38j~WS-F$;$q5&%3LS0`8I^beK;QX^;J}ZXGK{40OuhB6jVS*V zwkKbU`-Fzb?;F~n8r+=6Zzf5CzFz!_;zLja7|64IEaR0J=myCj!be^l$owy#uPPUs znKY|fE_7z%1Gd9|x-Om=QRE*!H7hhxzRVIQ6*?t#V7P zhP*Ew&vv}YqhfVN6}--H%_7 ztPgh4rSA8lNS5@LQm2BUc~EWS?1_-LVUHF%zM@4f233uP&Xz1($N~;x^-vZbpuy-* zWU)F2blJSrx1};24zJ9N^3cC1}87C8mUqG@|Kzr__ny^rVV?= zzTx#G@rH0WgnQG3`zz=6A3t$_Y+Qdn#J(2pf1O7{!@W0$z*oS%KP=lmPf&@6C;sc= z?4j?|d}dnPthB45lVsTG6yv-hKA(oSz@_=}K_rlRfGZkXM&Ni1;*v57KLMGk5tf>B zvJsY|L-fI=q^EV3KA<4gNKi{kP!H`={iL2E|Nm9QeGZ?B_|Loj-a*R$fA8RVr zr-}dE#D8w$KhF{WIeF)$qxn28(NgSLx=e#bTEf-08F77&1hqc4~K%a{m`il(sU{13hUem|4{q5tAV zL;pANH1xlr{|)`0i~bAh7>1g8>gPZS{dY06N6_WSOqMzWs_B1P|M%iWL;pAPH1xlr z{|)`0gZ{t9(0-|?;vl@s{&Ww468i698~K-_ZX}JPrMC=zl~1=b-;@ zv5hV;VT$%YVbU+2V*0OQwyeMmP)+}P>HNK7e3Qhn3R&xdbu!>UvfK{CX0IcLB0AR7R z0D!Hz4g*ns6$b(U%O42RxkN#^{OIG3oR7L*} z_S5?RgXazX-^|nS{|*2DwetT-DnEvfYhup~JR0~uCJfo;6uC3=CcJLd$-2>ol^joG zZbc@A)HPi^nMn88_{!q^r->rN1GG*lBZvMoM49}*34OnkY>0)d8PCcsH`$8DZ>d zCB;clQdC`1j_>mxf}8%;DRUU$mA3@G-%TM6105b$Wf93*`xL3=2vqCxx*b_wmgDpD9M47` z1AFpAcqvo-q1~`O6qO8qwsz>WJH`0gI0Ss$*$<`+EMWTBb*y{i5RA|m6J&~S;oamd zju^aEl~U|N6g~uR(G4P70Hl(t3n)ZW^094(1;ll9kqo_HIszIYu81W47lG?4mta{e z{q|5)Wcc53=2k+<3bV5-Aen0AKYj$^`K+ycyy~K`>RT?dKE@6~KBinIy$7E^ALcj4 z;3UzOg=aJ9*@x;+6LbSgx+BNyGG~Txz@iT#Q&{xZ2-0cvhiOGWKdD~;1Rir-peHrt z)E)dD6#&3AM+9FZLO~sr?{#uZMgGgSN(a|bvk!q2=Lo!p<7+6Bz(oMykBtF!5%R(A zR{Y9C>JL4`eG;iuoON@ivL5K`{zKeFDPl&rP=TJRJr&L{e;iSw{0stW==ad9Nb@|v zQ^EfSw!>aaX=ZT=po0H@(RIy59qVLVR5jWC0QL zornyHqkAxgH@tNiBG--(A{+*00cHFv0-XH^iv8aKw+KK=gPE8CMSQDBtfqi(uNmSC z4Jq&;VH^o4Voda)5nwPv{Qs)Wx-tN{Kt{hz_%=bxBLOGFHJOlc>42HL&&}s%FIUEi zB0cdb9v*33uxUrUT$^0OClRUF)-KvKf=#(#13rQ;K(r|lZqnjSO2A2oI7uM~h!pMS z9n#)l*B+{keboABcDuj*zjuFhb$LVJw@S9pL2zUYqglvrE}j@#1$5^liy?c+35O&o zM;eS0n?5eWL7_GBtt3`5VO&5YGN)$p|J-RW(g~{*``5oVmFnZhA=u+*zj*_R!zqs1 zT5~6{*7^?P=#^5gU9(?Ax#E^CFMb&gjt8%YQF860*2nD2Lo)$TMdCU$WKE&x&>8py z0^dgjd``43kl&>!)#usi#qrzIE2RGsjGZKcdH5EPz!PUJ!@x$2AIu)&E#4w|V)Ad2k0Xc%E~7~lo#Mc?fsLp| zoDpxucPv4-aKM1bO|F$E{9Ht^Vil^cvdMF0Z$ntS3^?8?BFG2nP7u z5&t7IwkR3BRucfxjS;~>&XSi0Hbzu1zB3WaGg<4-VW6+Q8awInv_8hu`OL@E`j|t* zKGzvkR2)#}KU|Qo=O5S7Dx4@}>fx5I=leAqr86q2HPqj2ltIn&kWab($HJb6EQX1B z<3Row#V(p#5mc`K+3oG`r|rMHy9bT`&qkic{@d7p8~bmC?j$0Ext|104Byw%jidsG zt1{6S)#k5Jf$bS06BW(3o$eZR2EoXhLc-$F$P#*jVEN%xhCi3#d1av}TCWIIZlro| z14HRlj7Ylzj1%6Qk=L>KlIT_eF2CoZd8taN9>O)4duU-reRSRLL1<%)kf9~)fG^eS z!z0PpC&I&P_I-qGlOl41h$-XUbAD>` z5s$<(0SFD9DQ8zc+>EZTcFnI!E%+q;9gugUD+J{@u3is@XK#;RzCJtEq(`wQMYl0E z5F5%2T@K7DH=zVxg94r8$nm<1Ya6wnj6fg6xG6kK!P(`duA@nR-fn}BS?SxFBI{Z! z%g=9qeoAMfM0qP9ZgL^{8x#8~6u(deDlR7_>W1`M-9(c?dzE5L<-PXyww{Oo*uHIb^-yXj?tDdCLU_B88 zP0y~I8T{w`eXbbVth!j^PE#ZUW%c}9DNq`NQiNI*NRw zF(N!6BLbhs`@z}ek&$khzvYQIZoS!cli{~Avm?+vyC7sVnwM^<4P`2F|ae>Z+NBoc8re^zgR4=KIH#7-9B zunmj+_`9)V6in#q`0}T-D?T9x$po<{IU&jAq)8Ua$Boq67U#IHgdyYb2!x`RVA}PjN5|2ZPrMi?mzO?OcsV)5_~&+0iElo-|n|PvE23Y}agE9=|<(_eSTL zAp`&QU*Nm5cdxz!{{&q&^Sitx-$BV6|-dt66!{g&}s}tdxya2 z=QIlGHSNscUBUMhwH;y1C>LKkQq#hR!$*@;ZN$=4PJanvx9aww>p%e_K}WFX-kTvS zQ8~A$u6&;@e~s?>(%m4!5Gh^Qs1)tIyl3c`5Xhx}RWsAD5MbBSw496iPX(t?20m1q zvjCpvKNW1W@*=-tP6zj%)e)$v&MPV%{coVl4=3!|0;c=hf3(u$esmFXEg<8_5H%avW6+B>tA(wIu6Ls8Pk$VwBcT`w?U<$Z)% z8^Pz#UFbWK7=(K6uEJ@mD=*@o2?o6TJ-`9;1L@byFzDLort1Z+3r5I-(x8e|nNTrI z#XBxaM8bl!*2FDKe)>eH#=Qxc&30q0kG_>^X?x6{!FNJy?lJS~-baU_9hDdA^0oaA z7_E=*FJFH)fN6vO$yxk-fdPBM`&$u{G(*L?<$hN2a*8M;__sEYOd%K{d~Tv34J4CS7DJ;+uo$k8OSMQ4r~bBRb_Va9Sug`$FdOj$cpO4! zC%Ro7whkxINxDENr-^9v!1NI42{#bc3NR-O^zt1j)FOe__I6wx^f|j6g33r$KrTh8 zSKoq5!~)`_fF%3}wb5sL=5^wsC%z{x87nuL_`*hu?}8oB;xvy_+wevOb7@D|GGmlh z=Yc5Nk>v3bjX~Djz-f`-KM;}BLUf{&$*6{E6aAHLR_sn-Bs|9DM_e20DHQR)IZv|NW16Y~ZUXM8`DkQ|EZ^1$>7hiKL>QV!LEXL)X;=E<>O zdOm)PoT!A`C39(48i$`zLqX*8XJsa?^4>GA(S6+(`O00Rd%d=@j3fv*v}cYdB4GxE zA4e_l`SW*MIisk(RyjgY^;(6MrZKnv5r{Mj@(w?UlCcm9voJvw4j+5Q`@fsW!sKVuou@*M-_z=E9Sr(Jwdp<;Ug9u+sb!3#6ZjHl^ZtQ$1_6MSQ8n z`-@ufB@U3{()C^=QlJX~c^8fOyYBZg2)083jL(;`gIpU>3~mt!9k&&?$`2P2$Wws< z*l6THFUG92|91Y+DRsNyO%q|R;&h*Lr}}u4Qb2jGjyO)EK<356G=5=nLmmF#!;%Uv z>IPil|IzCm^waqtUi6#%ZyR|U{=eb>8~(qD|F@lq;{Asq5ge*((ZKla4+FF`7s9bK z2`~9Y;n-RpJ{8r(Js92HBUPi5+sn#REzHT!hr?NziC-emLc_jSv+s|UdCv`|7KL_s zdHL>_v&(_T1geN?bsXhOJ%&4a#3i}0PNkCh6JW%d4TAC5xdTSWsFw=P$V}qm-Dx`F zlovP=yiMQD-l9r(t4xpdT(* z?!dD7QDn$MnGnT-UUInIH2S|r|M!*a|MGQz53G4h(cDG>*C^l`1ze+mYZP#e0_!rYg}oxYK^{8 z+RUr8sU!c3owtDBfB01S|G(JXP09cLy?&Gbb0be9|2OjgS1$k8@&B*#;9t4ApnlB2 z42@nqdSIh0Xq@fkvp$*k4sA7(UnBWFF3B%f^n;cwL(fMxb^h1f!kjGdJZXYYPEcve zOwQ%VKqV!Gq2-!`4~35w(ajs$ZM~H&eKB0ahsLZRte& z3zqfro^tt5v6~_a!{Wi+w`*hT8W9t^zT+X2%Y>!~5&!33hk~zQDOnTz28<}hy|Duf(=xyxst_a-dRQPv zD*sOv-HA;h1Gk8?;&0zwNiR_70qk>TU$AZANsvt>i*%-Z2JeOrLoyBeQNO2s62b4y zo7r<ZQh|0RKeLLmn?{B|>R$}>7Ak)A99c&vdk!exnhvi5yRM|Gc zr%yotX0(NnXeSfqCy}DHy$w?RfIdh_|6e$~Q?hO7#9b4_`TpEb4^o{uJj*k>DM`LU z9+{Idk=qX09peG~tgGa|F|zJ07nxk9_vgs@pg)!Izh3NR?0+ws{0|#>8u{-r%72ah z?=krQu1Qu>B=ylI`O*a;O+YG^j~YYW!}|3O&MtpFKRL^Fi>>E)-Yc;K7T5qkegv~1 zUtiAnUi1VK{6wIIE)a3BJ&?)S!EVZ}H*Gz8u@p!B`b*3UM(eX}|f4>b0 zQ`Y>P*z=zNBY|gu{hm+@nv_v94G0j%bbEtsbO?I*#f$v}X?$qjwRx6*D&#*5?Gbc2 zKTAyJE++m}#eduD^)vF{?tYX1c_WXI{{UEl1St8WsrlDqp;NJMk1dNcf09Yc1&J8~u#sDrH193!ADZQbAsQuNp*L2xrjm@0Pfp&we|vQ#_ri%N82R4` z5@!KD(sU9@hd22>>stwo*2nPcX9Jin14iEf`3VE1r6X$05?dXN5DxJ`Y15x zvyq4s&L8vtz)xpap!G4@Akt`c(~l8R#Qx4TdWGmtyY9%$Ckd%Tq~)|zBXE4a0(_ZU z;Y?#&qPj8WYA0XE@h1Fa|E>2&$MHe7Ifb_^#|JI-mr-nfOk352s^QjgU5;cV@MIE9 z%A&UNDsVPIKb?U}S>)U}?0#!&fn1X1c_cTNW$=+?7+gbs!StT=#iqSxl{stE3Fu|O`gWp_0nM z%9<b0@_HI~0bYmMb^9?ReScE43v{c_8f+W#_EKd>6J-x`g6 zOPc(+Y}j4M)>p^UH^r2lUx0MQ2eRpfCvMW7w}3hC@fh^L7j4u_ZMY)s_DZdKb&_kZ zMy;J2@M3Ng1D;l4V1UxQW4U{xNH6@PB5 zetGtkY6*L7(toB>%0jaq+utLe@X9QJRdbx*4pY2v>$@n633_%C%rfb!KylEAWL5ZR=5 zQs~PxTdrowX<0KJs$*PFHj(U4FC3~kCx|6Xmr~6cwiQdodOw>^fLVU%Jl3c=O^S=h z9XV&=u%k_~iY8gbdXiOe=)51CT^<<{QvCO!nI1fU`}X+FnI1Js*1b3$48pqnceXBn z`>%JGr^&kWB*`e!xGos9GkgtQ*A#k43QUty*CgmKJE6!^n2AYo7N$@2j$OXa$YYKr zi0d1~rZ}~fW&q+9_%W*I#1x%r9IER$KqGzWkpDd;LuQ&;9*_ zM*p*kr_uj3`kzMsQ>6dlOTC~HsJ$UA(8lwPX3m618_2j($uugN#Z@wgjY6hT$UHHH zOk&@OOB&c01W_U8QR7kll&jb?A-NQP~$eF1Db1_>bN{dR?zR~^;d;+%?FkJxJTUq>TNl0lQ(s$)-aaB&-_wR$}y>=$CZv^WUf}}35 zt4+bn^1)R{O(+P3J|YNSC*CFY007iQ$Orv>?WMS*R;Hy)jP7qsj7~)<5S|@R2dg@% zS*X0=Qv|$VHsaFBSkVg3?V&p#Sq#}ff(d4z^-+TDb5!EH!2fOsi~<$nULYZG#jz(aK52yoT;f1ju0zr8qUhIh;D#tR(M1J)0|?;@~P^g6NpDFQEbRZJd8-Ok=UmBTjTTR?~-#+ zB2YN^31T3(@h{S1`p~Rv^Q_>hkpFys*pGsVISM@6MeE4_+k3IUm$CouHu1kV^EC2b zBmaG^^52$negI(Wim#;zHEIQfAdk8CU<@6Xf)TPHUu`@F5R8HexSb+``2RgH3tZ;- zF4DvVfbJa11QJ5u0W#zo9}*BZ;5y)62+%1GTwBC5jjb9ko>0N>0tBsT++t^I4uiCa zd{l>#e{S}L4{6#hW(2 zRV@T&*b;BTc1S@hH;{B)XB4-g^|+*RrMZ&OTuE5Zm4t<_280a|{~CyM5Xf^7n7D95 zb>)G{e|G-k_`KV~po@#^Mn(IGBx%wpp!Xwum-JiOD3K}7WTB`*ePSS=z~eB?2doXc zZ02_rYZ6rv9H=?gKXy4|SZFUddmVPimZ;xfvi`29pK2g6yRHxovFjpIKGEwRs7O%I z`IBO=vZPeG&7hws|A-W1oR#Kc#zRZ^MJqm< zD+25HG!P6hml!w`%$ym*fi8NBSYO)TbLD(PjfDGkO1PQJCHk9h4p{*2nzPpMmKi&=Zn%%2`~m zaMar7A~m#JF)BGIlU*R|S)EQU++PP?M+S8_?<9(+>Og=p41z^hEMsho8NU(9Ey8j|%y(chF1O z|NGDTFB<#*MxJlM1!N2nj|#~^tiLpFjsnLOQkD;`YdAr)v-K?yc2XMnzDQC4DajA~t=$3dJojD*mA)JjXX=6L zc&M}0IUNiKj0>8VXUC^+&N?%@Gr?@;yIbFa6Fi$?5Bz#E0JcNuR%ha{uK2&4&sJyj zAJP^74_{0tUH-rDPkQ5Z)w!XZ+;_LOzVA%%7Uy?4f8X7*obCgY znP~qjfpQ&vl<)uDgZ}eW{*V4{uetxRnFmxoNfpUfNl8t4vIG7XdI2Q&V7J%XE38zZ z;}DF`)!F5n0XTkps%sKny}JbO2WLCr^6cXB-Rb)i{(480Iz1m;U7o*u&)bO>A|lL{y*R1g70oVxi0+kqvl?y4zXHqwr8 z2tW#K-lbH<43H%o=>s+;IG9YqKcv#fp}@vgz!~K9xG>2KET!!Nm;mH4huwoP*Oll` zwUbvvaE%TH69PSXl~&h@L<2w*=z=rRbY>8N$0w*%R#0A%3rFGE0J^Sf221r0|KtcI z9ArRQ0(Jl-2t;N9KIk2xp(04>YAivBBXLv|l;?zKM|Ri&uasiQ4~UN`qA^sX1rOKA zP^}nZDimxxZCMrHBC^BJ4P-H)h4SR@9ey54*B>?w@m_us5FlU%Jvb5iP2MjJtf?B< z4nIJ}^hft{^iZ^|L*~}u*dzi-Iqg_|$y*vbV|LHaK8rWKz2AG*4%Ms*@L@v%qYR3~ zbke>>!xo)37$Fah9m|1kvUP2o@sj@=2L{;2MEoK~TVHkP37FhCcEH;rK*tZ&0J=lO za%fr+C-6*e0Cxtye zAmP=eq-zU?8-x+)(O9d^QJKGS)t_Skfdr3eZYMcG)kbQX7M}SI-%wZ#PEB)yJb8gP zIbof8S=hUg)LXEDa_`QN?LffpeSO;h!sI$b6okf}k66$lj%o20aJ+CD(FTy9Q`4G3 z8v%F&9aku;GrHOxPE9!iT2P@bKk`Bt=f9~}D$o=IB8yAsRA_rmSev8Ea^K(+`)16@GSjU$$FM_0Y>0OZ0ECgES0 zgv+e&rbwjs38Khj0{Rf#PO&RC1>mf&<3TrP&9n44q*LR>_TK?%@G0nVYz{^BTk&21 zhM*aAVgs)aiNF*N7cq?)BFMexg2J@`+{p0+o_KJE+To&$TO(s=i9=#XJ0l~YW(LKf zgYYlfuF8Xq$p@ zs*gSBx*^%7!D!|%MLa^jL*^RhBNxL{TS0Ur=y-;$2v=DgccrI=&ZuyzEV}3TK0;II zjsYGQGcWZ{dtgL!3U$)*ypPB-9s}W5NU-NvJ0kxjbOj#W5?)W(@MeLhpbz*i(1DI( zKyf%R8gCW>f4Wn86lp5qW6-b|R$Fnf;u{^Fh!>esSNr-kk z;3v*j@orC|=|?u^fy}}i;%criqir*tDht1J4M2dCkkP&5;%I0*hn&On5euLjqTekh zu6^rpUc+%!j$)4?ai(ofMV$^JO8coTJ?X|wwIInk}?_BZZxV; zC={v+g{m2ivRQkWGS(tIP1%)z^XbZNZo&sLVXZCJQtDu$__!kJa&ewa2N4gVnPSu= zqO(^1Bw;CTwGy6a#lp4QTs7ayVo;VV5Noz`kS#btJI(~1QYCc%1!iYMhd5A)QPx^T z;*v--h?*q9u{yIip_i;h#`KDTmS+$GJ6a5fO3xESvM6fl|MN*A(hMiY$^oq?YpoE( zj2Ri+#DF=nAty-^DRWcA(G01qWS2%Qh$x>(-PRf0V1}Kz)U|RmW&x9urW{u1Fy-;c zSTxLr8oLXBLpBMGbZiV5fRh1_tyT}8l|L{8LJL>#wwcgMUJ*GB;#y6G+3S3AI8^g* zZ6TTQO!2gxl#FY?D;-hw8ibrS+&A(K%j(vtkg^Q~Q^SDr-7LkwA#x?6*K*1;HPncW za1+pnb-(2LwGwnisklhM!JdGKOKocB{Wt+eGcznR9~012Aski>tH_B)WirNSDF`TE zV|vRoS{3dNYKf}ZGrU5jQP@J7S?06U)e%7JIb*J8$hRRtR1xXD#%Wk)Id z9i2L9GWWnsRYu8iqP;j|uXOgBESj;!WP+9kghY9JY$V8_-fbalF^r*JJ@f!SzAAXJ5j z*!9xuPx958L=+0NX*8+9F{iZ?=;v~kT!_Pexx&1_WN9Is!F50pKFsBe+A>G^4p{A9 zq^&BIsnPWuFPF9rYN#|UtrSoou2_nbm5q5Cw$&hKc5Y&kPL#o{6bnXEAF@hA*g;%i zLroPoxK$|+Xi8frAB`O2RcRY75Utb`U) zU-CkhO9A#2jTKN9htr8sTMHax1Pj`KW;)9<4G8SS^VTjV@K%ulLp>m!miZ3}GwrnwHIli2!P@U*;xG0O1gj{K@1ueHmgU?-iHAhC+jdNBchBer<@?`^o z(D7`JDdKwP>{5dM6llkrmm^R)tt#xoR_n${X3a+hw~Vz^N|r!jLUzH}(I)|DtL9pu z^i7s>HEHa967hg5^A~z_4oIwjV^-E89cPx~#+vK8$~AojvFyk}Rd3*WpKoHCX*CPb zbQlJ^K-D!gr;qskvB=a%_Vfn!mw`Z|OfB0Hn0IO$0o3F)VX0)Hj<;9Kz?l*a2(=4z zkY=nJg>M7c!6IXD@769c5WJQkd5C?*_RwbmPkeH26cFiST!_)5L%}d84ODLDL`V@{ zAE=@FVvaHBgh@xEk;)*%>h}6ikrK_r*ti%ppKlGhnQDXKhcF&01q5&7lul(PCN!M^ zHasRFlR?S{dMd2Z!AHF6pEaw=%$wc~YPJBR)Kj0l;1WzH%t`tSO%+{c{z|F(%@U}M z-nSE`*S^eA-B7qP8jQ;(s@s}pvN*ZTdAa=6&m9B&jd6-${*Ie8UqN})ehZ!INGdRh z(yE9RLvnt2{`#Orj!%x;hsQ6^4v$|Q9332=x5&}K+5S&^$LD)L9=<+2{|B(p%fs{I zgC2$t?CCyE_s-4__ustUJ0quW&Q4Ey2e{kfX<@`7Wvj_V#FE3Q1DwpDRaj&fnk1=6 zQm)i<81Rrx!B-0WmrGp7Uy9yFDW?;#RgAdi5+u760k>u{3Uz(X3f@@vptWkuBJVx( z$!kke_0eli2Rwqq^Fy`s5_Y9{SK)zu#DYZN?99eYq%+6WVotI$k!G&TAZDY8k60YA zX3L&-w+gOY>-kyA?;EHnND{J$4?v*<B<6`gA#sOs7Ud2V<&8#8N_2 zJTq6jxZSJeG|I|`E>Lr7Wy}(VpH$26rL`k@iA? z-mX-(59@;4Mg!XjXH(QN06HuI*V8A>@3;4_Z2mqUcR9YPH}I zOYvF}T63-3k{@ywg_5v1h=fF;KS*hC$udd2x9_~%NQr1*cDtEjCXlMy>T@eTkc}52 z{?5h=IBV2&{(qWS0}9O4Jmr$bLt6*Vw(XqFsJTQvl*MC)d9;xR^WuxU?SCr9^6-AAyG2eQ+q}6k|e*=zx~+X zUOJ5Yi?;q?DVzqTt5o`c@my)oj~MEZ@0v*ki(hU0JeWo_ZQ*uX(}_9WFuN$s(f|AZ z|9>QT+sBE9R4{$ms`Jr}cs8D5Q965l8g4m_Su}w_lT2<7A~D#UP#$mU2Uh+#JvV)F zpj1r_Kj$F40<83J%V-0mGwHFk+=C=A-3u)0HySU&a+X;-)z>maOvb1>tH8@Kb@kR_3rfsR=?5X)&9ia`4Ie!e0ploZ1c zH}mgxQvFTIq9LSAXW?d^q|o`btv_x04Yk;A@YC3vW+FdagYzC3ATenww43WK%(KFi zTy6PVJN{NJZ^R3^5>iI*B)>90LEG79!{_?!zZ~5Eg&s%tPBUanPb#u zR~#1lCY6$p;x^<06(QSvWQNwJaoDDD#@lwVexvdI_b*U%bienHgm?o2FpB;90i4!+|F*8clnz+W_s`c(n%Q&(n|Elu>4uayoOMzhht zYBKu39?uTlHPM3M&i(1wKsl3xb%~5GzldfN(S-zjuk}luk)=In_OtaBYo9Bq7 zXc_67Tlz#i-(T`C6cJD+keFRZGXja%i*(0tv`Ow#X2Q zKg7Wdyv7jdpD>6;N<&8kLLkC`X66Q~vz1<_JcCmj+qy!E-A-pdEoxPk^;4u4Y)RLc z(D!^Yoe&DSrxZ_2*hFB!PUvbLTHinl44_*@PdM@eQdYSGHL_Z=RFt%}QlkQ`LtM%L?&<=K$_UNA5q%c`c3e&iVM68{+*gwYr+uV@|*DEuT<|pyGsi)n6km9s$ z!NH_EVFj0LMm#etZw`MhV8i7MlPAP{AlAtNf{UM(-7=#52MRq3=gL%akax57cb73l%ImmAo1ODjuVLUP{zl zrAEo3uB1y{9~ExP4-hVX@2sE%a+M60aO)$31);V@GkrFp6y>qRcp*D%CCNezzWhuZ z=A)@(ZJl|z>P#;0WL2ud^Yu{_x^FfbCy5O@lRAr)CLySDOgg+Itq?bgr@8HAwh*|~ zMkg51qVu24U1fOrPao;2FQ7zR%k6RAx458b1W9#Ktu(k8EfsTx!|KPAuY6nd$(z`O zc)?=9^goCO3Y2Ru$FM`Dc%cK_lIcG)hP$0>^ED`Pi`P+Px#~^sN@S6A1~=z`zZ`_N7tejs>$^ zN#j9*8ETRKWaeK!lfJ$|(zQnsRpFK&>Yxd5|3g!~n)7;{DIphHS2}s9J>b^IGU)NJ zb`3~66DN0#_vF)*1(+{{(3$^Mwe`dU7$Vgn)&6Md(PNHJk>*}x~{4Vq1EOQo~g zV{L<~MXG4`Iq4FFlFC<1>vd=<>XBQSqQgbNM-~ghCkciVoA3k2aD{OFF}>mGl(gCK&t+LD?V&w4YfUrTLZcYK|KNJ-?=Fx$H2O8KbD&x`Z0B4D@Rj>U#pY ziEYU>;4xLg1nwcG*)%cRQZZNtdrnf3ur%Y$-LHydx!J~La({#WoGVQc4nzxG&b9IM z$6oitr7_$kzNZCjs zQEZe=L5qXV1uz5)FCsCzkZhzzdLiLF@X6Dy&a-Dv9=AL=(!9`z>&mQGc7?%atJCSU zyz=K46Z+okZa;bUcxU(V?vuI(Ja*3MgYSKs3Q#^8k+l@$P3iyP^Q}7RA-JFnEPi7{_E;&1R*(EoT z1JyP0sLX7Y(}vP&&|_N@|LfkBdZlS-h@Io?lNT&W8N?=ZL4UN{HYAVI{%-5Jf~o5l z=dP?b+KurKxJ^}eDNRLx{`c#hz6F4r4OZSWL7S$Ot&>S8kU3ntaRgX z4Xc$R%SvNdEJN2!z{S8Hkd#Xhsm2$WoyDQ54t8Dx$#l=nM#CD`M>?(Teja3Pcleh& zVAc@IG4G3qs*ag$J9av}ry%_x64OvSk;8UAoVk{F-UXW6jAl$9n%116W=z(!EA9AF ztVJDD-MX`~ufx`hr`C6w3+V3FoQ~gXhsS(R2fRjige@;!NBR{fCQGNxoM11W85U*$pxm^^Dn-|eKvd=)zBPS-{!-9IcYM4v{HxQ3%@OpdMi2v0n8F=NbrlG7*WF`Etzy+l>lWRX?o z4R-C!QG#QcB!tvH81@XiAD$({VNo6zWe09Xs~FyLkIXo_Z}6Da_rlX{ypJ#k4WNm4FSOyE=6`K{UqAq*YBXo zG>T4jm3Z%Pcr3D0EXd-)wL5*a*Xw#AbXwfh%^w8}y_T2Jky13>Jr*mf=g`(d1gC!; z^<~S-<5O6beQcZ2QD5=gcWTaL_Fb!xm4Qpr-;1v4OxDD873fqPVNSF4j439+1!6na^LbXf8tX$g9vszA(}B{5y5#Mi z+UzpWu*?QF$qCm<5BY z=eCUbrsC{2z-%XwPLQ=tWJJyJa~?vb&9RG1cJJ%c=~^w#gVVEv{k`*p7sT-#xYnR! z<$n2Y1a}iN14Rb8Nbld^u0kkMv}|(g==Zx>-c}>K|Iz4<^_5P{B4CYfVwH+fBnC8c zw7zFi@^!-lLtKFG<_|T>Bh?robH6O11i3Z?WpvTp?DPo%FhI zceb89e*CWGDJ|OT{_y1SZp+Ie2`)gU9_3wq`t-?Z_qg27fKhr3g4S*chY6qH`p&zE&&%K#|#d2 z!L;S6pEvEQqjgWSg5gf9qQ*dEV<(SM96Hl!gPWv@^tVE~GE^li=Z)_gs?PfnR%2zOuw$u$;3<`l_P`AOOHA$+La6ZXv~~_6w*vSEJtm z*YkvC!I;oOGqBZ6{bDrL%{>NK&IYMfn>l?1>x7ld?bbfwX(4i#RpqG@Kst!(5@xGGt&u(a6 zt*TYDH~_Z30Hi=$ziEW-ZTh9cMBZlJ{&)u8e4gp7BlPPJ1t~OCs9y&kNC=UqnAx2fF7+IZYHT-v~_@_y*KE%@`Xf_&W zr~8h%44W30B!+6AW&)y_Hu(4;nrlhl(Z5o=Y>O_J^^u|or`c%q-~lnm40n^E|CXL0 zcRtsX130qje_xAHJ7QNXTIP_5#OSqZ2N`UK0x~1f5mR=XtOkM^>yrL8O(FZI8l(C*WP|Cbk9WQMSxN&| zn*wntyz+2!@~msXIRuCRgM{)B%8=2F%Zvw-3}^sF{_}%vn$da3AnH2_XOkGibT1dc zCnAP}&Um!>2mrJ#fV%sy^+9HNC-+Uuyys@4ab*9{7fT_uryL=qTj}gDG`6R{gBdwZ z#e`*JHkIv@gr!uq6Dj#S4^+SOh-E1coOhWZGDvBHGcdu|%Yry{Fg~WPFt^@SCng1? z*Y$QfvJh9Y&H$k0!9Obp{=_0=Jr=Qb`uzY$~ z|Jd29fJoD1l+uu`UsTlrS|+O8Z`LWQYTzsvRqjU*DXLb0yFO7h5BM5I)nbrq5moa* zu1!=e0{E{Ws`U77Evix)T<%@d6w0yR_Y4#|Z#Eid%9yhcmflAzHNR_Uo0F?oA=aj* z=jFG~w85fO)jhlBy{?yuL_}gV^NafL?;>X2Tq>_i;MM|ZHX6T-SxnMt9AkN4GMPph zPa;Ot2auvsS0%y{*$R1GSfP+L56q2R;^|D|y3(#S&sCo$NjO|{F@fshU#l5dkDlwllVDoJ?I)q z2Q)B5!{>{S=8DuVa>jaRwg^i*o-sirxn@z+zKq3n>`s*qU(j;}Q*`*k&*M>HeoWnP zb5V%u%!cKOufI*OXeGD{VLjtJ&aJ=$Bf+b+_w4VjV_4dYX4Ni zdY#%wxqr1Wl~ju`G+QokYM-P`LhZlmaYDZ3x;(uWoGbTS)uyIvp6Ps-F=G%ElERg* zD;}{ClfHW+tsp;)W64QMt#i}zEYEA+Z@1N|1{`oHpPl~v<1`Krm0e}xX=xu@126C<7T6ADndJ>BrnvYy?7=TMM8DzA!jmgtgDKt z*Mph9v;jA`iRAGpV#L12h35YzODm1B9?l1?Eb5s#`e(tV`;FGrPaDK9lWQw^yQzpIc)~A+-6<+Y6 z)()YR1by#yy={N@6)#0h=5iuPrfXwi)p@hg*gt*a2&T_N%SZXWg&>*cFKUxj8p766 z%ZJx%r5S>7?{rS+C4&=vxadx@amr{2MUPZdG7%w*YAMSlc{_-NbHGp_pL(^KB|#hO z|44lqNvmd5irA?Vqf-HcN-$s`L1QwUMiC&P7WA>mSl3=VH}`_^HC|;789Y<62%egv zG&+f5G;{Az+bd+Rc=pqDK)96CRmvvYTYT_=+}zpiG(p^OYhFO4-fvTWMI(lxoND)& zB>fiY=W_vdrep?_VouBQw~&|(-yzxZiiW5u_aFC_B0Yk=C{-8;EYHM$XM{n)X%+{w zyj~dyQ6BV(S~AGPDM{e&s*>ZFYjK9DI0#eZ=ej7El9}#0BL;OqT4Rb7(EX|DlexKW z^zS_HGDNdVdkFC=F{OUq~)zzse$YCWJL8eVdn&|`d?N{8XnPw%d$#-5#ORkrc zZp|gh=%o^hMuEsgMkDhY1*Td^G#C>*Sgcy)*sZ1{tR&Am-`Z00rulakoO1x)QrKUa z0z@g3nZ>xLhDB3wY0YHDCS)UJ%J5~#$jzeSgg_LD)v{Moy(b*%D1OPQQqAmuk?(4Z zu~e3~rPr8BLUFg)e#KGwbM&v_kOi5N!8kUpJhs~!Rr^?}@6zOqcOw9F)_Ox5BmOo~ z^x1+N`MIXAgDB*5IOOk{?2^kCIckwtEppx>r!Dd`Z;>P3BCmLhobwhra8b zcv8E7A-^=%`B2R4$b1J|injWv)K z`&UY!)a2&qkE%-rEY~Qv>cJHAahyWYN!V80_Hz!)ed5YHn(8P+@G7Xy zuHSR|P!_Lmm%)T(kX6U+u8-=od(ko!44n$7fy6TsvJmc}h4W7=<`H)=4M!|fJM^1a zpNQRm9^j<_E8!7ab-02<{qG{0PS}x>LThD*3a|=}^-{|D?xFBo6*V67Y~Ltlhigvg zwKCu;@`I_I4aECZ$FPRPT+1O=vBpGe%aN9T9vdpshh^#;A#xk8D)qUxW274+pj4l^ z)~#H{w5{N7y}+i2g=Y`QTs6>d zw@ii-+%vfH)^k{WGw79J6z!E2`+A?SAY4uc} zi~?;Xd~PS$>bm|M0&XE5Uj^O2j-Wf|EM;LY6Db|BeHx6}m$b}oiruXj-4Z~bX$h{1 z)z=02FR~!BY0Tr%XI*vkP`KUF(!G6-^-~7@b&>p07fHmg;O@j}DhA9SQXWlHc0Nv- z9E)hJD*0l_l_jyW9DBv2oJKELL}xt~h&Wv9npg_FdSKC6K8S>+T!asfegW)?h_5rF z!#p@Q&hB9EU>3rjF!0L#)XD!~)6n-_$bEBp>kG~VQ963uThrz0Ibgta&RE)3BF{V| z=`>N&UC2lVf169*Y82`%<9t(QW8DSjaYFMbR zEE(5`trh{7W~wx35k&)x8z(Wlu4`j%0`gd9jD{xiMT3}o4;k(OVyu<9=l3(4d0nqa zm9dZ+1Yg-IjANRHUdy{?d^FCy?pCK$2+Ep2%|60>K*rJ#n~laky14q~25L-w2*AUp z7`bZnJ6q?j^qD67n5EU=o|P7t?~wc<>EVFY!BWl>9RdT1C&|8(LMjtPCU9ki2C0zJ zxoZXDy+!u^N46ljo`@x3Sx^mmn!{Bq(P|BK1DC;THX0aTTwHMK6-K@Er5I-Y7U`?y z(1&$uSjZ=DB+D79lRaa-DbPlj{@jnKl*j9c_gw_6*=U@WpXC>JKBwlWR78VrJ4qRv zKtY1dN9G}TWENFya|fmh~cvFq)0V@pLl4QZSW^wHt-(wfRN5{Eo6Iqz%_>ZAaH4y<{mW z&PLJG2ji=)p^{KuCnZXt3UT9Ia+h!pV}bHU)0C!K?2wo zLtdC(ZfYLY)_JzObc3~B@&~*=wGslg1^GN(xxbKt#r#n$;4gFzI&THluY|;! zFJLW(T%F0QZGX$(>a@3a{B3{h+3Itu3pso)E-iwu;m{vC&$d?|&4Vj|Rmfk}Kk@}? zSYIASUv<9Eqx0n}b{fC!ynA>-0br|=jz-bya_%!}tMlNms;g!+&87+HBx^<4fdi*a z|D2j)&)^+}1p;TSiE0A;JYg)uXE9^pnhNAxi}W%QG?bf(!2h))K4ifxh!|vlLy6Kx zwC3e}D|^|!?$&mv<<)quz3x`aD|m#x?$+GMjEtod9>Z{6r8Hot59PvM2w3f>`Fk=_ z4a_|9m`H2|dD{5I$@>d3iUre*ktAikOeAD1#3i{N^I%MpX(mach7wF8>TJnsKiJTj z(l+ztb$B#4p-RNYG!8I7r%!%lLyg>A6t#EuAKxXhzsU6w1$g{n5$@fJH*iQ=R z)DDn*Pv|g%+;L6^_8Z&Nn8snmaB_yzD4LPp;j8n5vm>IE1sW0Zqta|FP7p1jrza#* zZBMac-e{(8rxoChsU%~Xh9qP(jCjni1xY5~#Og)1VH7an&}L}^>Xl)Y|ZoX7@2sf9t1?~=V7>SJMa7nec!ue*Xx~`uIlS^OrJG~;r}*PSTnW|&l!$R0+(b@VE@B3C}HTfklYjvYV#z<#oz4hFwbjyZUXr^NOp#^wmLS z&qGqhmY2buLY;zs$Vc#7B&OkoZhR5YV9YMCqure+&z^RE09~}$N+nC7Y?yOXz6TZ?QFg z`>9o$yos2`**Qi^vq_T8Uhs6)IW5#qEzeOY@(SMi2KJg3j_qHWRs$&_P_bz?HckNb z9<${MCtL7$l0cp}0>$s8PA`crlbFz$^bKYD<5r?zF#Jt@!LaoMqnAz zFXP(>MKTtIL1yBG(N*|m8OpjST87hXG!BO=4U&@6QltHd@`-Aob8>=lVI#Kdr{p9X zv-FzFda9XexM_8r`w&7k>|LSCTElji!(2UX*UU)mlr1XnGZ&3@#qTZzw^9J_{g1W4 zJP$VH0@P-sagvxqTRK6CmQ?{PJCoKD)51dTZ`ebLQ6KXDt&kh)Hon~@2-dWK8z^Oj z`Zt$azPqX(jBqYcJQE4Igd8#9ET$74;Gu`)BIfZZPx{~P>n%c8EFvN$urrVieS4{? z_l#H&7YKy+s%=7(uVwScn~PNyz$^tpITn(|WMhq|ysLhU<8hQ@082^4CB)MwsYqCwai(#2dji*9Ec{dZei3k8 znr0J%6_x(KnfJSi7ikO%ZRgG0DjZ*+Qe3lh7I?*Rjkf&V2Q!y|~EbC4p9` z%M50u$ap@{)1p@Nc89#;KRU&R^c>EJo$wnnYR)M0x#Q8?F;#>`&K5VBqbkdMj=8F0 z(QGtyl|6#h+l;`)HUw@77Az>(8e?`%GLi5=e&(5~8Bt}%ior`arP5k;mK&n6Y__1$ zA7{F7O!qWjpK(E{RrCrS;8@RcOfy~jNS0)s(izo`2pcrHWKg9@hmeF{#N^a0pi%%` zfh_CxSd_rr*l|%JKS=h~6~ND7u&x050qxd#*sRxlT@3YMtk`)tJcLQM3hWzLW?tL- zqg!Sf6nG=ka zIz4b5g`Zj;d!Mm1rcvG7vR~0PZ?Z`G0AUS8#g3be#%pDN(kLSPYTp}jEao?6DbqZ! zQ|CH+Ej3Q-!2ReuscQzsSOYAAwFxx<`{sA)|JnQsjsM~sRQhIq=TQ3g1g;~fue)0t zVGRJtJHn;WWgu8GCmGPdC+Ai;mtHHWozvP-uH{Tc=?iBL>S*3B(Y&snaEW|#N$1;^ zYbRn33NlxPnnz9jE~UbYOxKSLQkIdih(dcOHE;;Z;~<)bOcF}^0rdmLcb9DDlV234 zo8nhk*%GBgNP>v7I8%~l8jJ~*Buy?`nBV}4)0uvhDdEDpVk!Qr>jD8>&}lZtggmhz?0pjPfM`6OerfT&2-9okERMA0zcEuOIT1$y2jxU&U{t`oY+@q&^Q>$#=?`a8yKVxH%FCmr(Dw72d%~q;}3Ezy1E%&B%tvta!0?d3D+|5J*1lDvb>_pO_|O-Hcu0KaKC z-^fYwPO~CcQY}V{l!t_2=v6B5rV37*NR8+O?US=8lnqc>)!w4m0SoIyGqv{%$wG3) zDJ~5)e!tOZlNZngZta<`m8kv z4d##h1|j|YIz+!k`YgWcH>*kOl=aOgJfbO~*E0qF1S-EGc%#6mX}~%|3IjWw?<9e# zkinQuXsL76m*b_)u^|P5B`K3iWaw)lBIP4Upoby^x;#EPx21gjM#E0r!doGDIT1C! zw!_fKY;qHWo7*(u`Vlk=vZ$RX_Sk$hm8?zM((q0jMujiinP{8u+xe<$xNP_k$SF{( z;PoH>4nIcHYyxY7z7a!~a=Ez=Yi~v;(H&uQI-Smw$B*IPPN!4;cWbxv^gp&9KY6V zcj_9&mz6=jaCHTZ)-;WB0aei&3ZHwRC~f@ZIoa`__?@O#*M(9>eK|(y#^Wp%n>>~o zjiSv4P59qgD!GWev-CP+o=K8)RHW`D`rj~Pq2dc3_0O!{a zvLTgH*)TE7HWT{WRhG<#&(iDZ=1%aBpRRY`{67Bg{lU-Ev+c*PUc7vDviWppIC%1G zn?2dueHw0U1zVkPcd$L!4e3_6ONX6Jd8y_}?vmd&}>%I}Nym ziQ8PaVY$Io(im`EblsBo)JSfOClbX4p^(X5R^v60OZ)&*C* z_GvV(%pf}cmcO<0$K5Ly$bU41?qLI1EdO^pkGDHz`Tyj})35UXA$}f_*C--G<5fmU zNqSB#JCa`W}! z{=sqY0Jb*u#hW-{Qs!v^l<|X-OBvS@y;jo(a|2V(V~BslxCcGwjYoyK$%$omBx5jYs5{!}Fg`-kg(P_Rh}sj?WJddgSDc?4KOJI6OZ*Iqs2@ zmt^nwALQr5;}?*pHNo0XSUTZS zf~SSXVdD`dg3-R0%AouPaE_TyZFx!KtO6H0O*w|A*@M=Q3{x>7N=WKLvDzdv7bB#t z8awl0eqM@{45uj!*5zsuqjN=ni0(8Tb-`~zXx3GXQL99N6u&UAFGf=yGA+pAC_rvD z0Exf+g=&(Shz0+fA1o z4v$54iq0j?EeZ<3%f1q}EvFui$>QeRMut5F7|KpNXHtvsTjy(2IJTkNc9QZdWm}|d zq_&{hX2TK#k9;+&tAQ(iKxcIqu8%evjtT10GZAT~B(Ub{F(W_I;UzUj6gfNSos+%O zLw#}v$;22u(04_(zJf`;)RMbm1crnQKxU^R&AQ}S=h=>dyQdU|32jT3P?Q?x%1EUVj6mU<;i{l>r?w4?%S`8=@#u_rpo`JN9pXgL%3g>|knHovb zW2xeI%YpOJ?x92TOi#>Qv})E;wf$|E~!g<@!YB zCu@oO3n8ek5@nNHwY&&VC;TGl08m5Bb>)4xOFd9rzeku;uM55ieWcSRaDD=huymFF zga8Re#7S{*AAg7KpNtC5zZ01sA;D5bzsH;&0sqjVI0T6 zWSPP+#=Nmu&59b)Ig!SY~_zM_^>aqloLA zS}i?~B{Z)o&&n84jd4CYpZr2Wk2c41kbcc{lnFATFf=%#G8EAZL(&P;9V*_{1Di9h z*E}Av^r+V*TWV%8>=@^?W)e&p2Vh!=ztn~X)b4}$Be>#%L$68>Uvq}_eY~V<^1Irf zr4yRFGE4qxA{G%O};4IQ5K&XwB4tG z;C*!mBPq-@@RnlMS|*yuL-`dGou1Rm5RITLv&Mz#_#ziK7rO0z;*%o+0s2&47MV?! z`K%T(e7SDKH0R<`l`QjaEn@gG-{|xisIuJkkul+*xDC19REszneSjQh-|3CEu$Ajj zvYG*^vC9@=v7F|xCetY6Ni+wFgeZWLf&!A!>O;CExK+e7L!d(j5FoG&1)P$ziaw)M zOq0VGt`FE`TU8nkC|BpNdvo{0fG%Wy9bt(1`#?@XBwp@6fD>9tBB2CHXlKk^Ft=N( z5jjKBm-+4UL>SYO)_`(?!{{^{LlG^qvA@?;5WzcT92^#e8|H{vcQv?UH{}BaRS5GJ z;Td86$X9lGnzVHf#i0~F&-DbBW(&zD-7)ECM9j2YjMKCPT!DV}okP9V;aIZSUUh^c zM%|8CZ1P$v;?)eko^(Jt-O~z$yJWK)(@h&i<~qUs6RZTFo>J=N{ZQ(X&6ZF~`+TMf zR%Z74+=nsW@6y}ry}rNuK$6PHiAC6K8vpZc|b7<86AviM^`Nz`QByNvmO@l{uM!vW+qjuTu~fXXy;~MkB{_2*_soJMcOxeH;^iBDpbgppflTyQ9Ks zS2GelFG#5cm+g;7AhFEN|XGlb)}F$&-1QY~Kiz zomxzG8#Qdh;wzqtc!Kff<~Y*`RXnpI1gaDs#8;Z9AK9>`v%USFFAiV8GlCKdg^2-W zoR19qm8$(%1~be;^m02rorj_o+;>vz_qCul5(?DAl75NI zNP|>JNkTq^5TFceShvXD|Hzg;L6d}K`f$Mk(IrLtkA=+CmXsrf7HDy(N`o|3w-{#1 z&K%P;?6)9)WdIs%-(dU(?gQg9!r>Mcxu&>f$tkFapudUhxR#=NBj}gt=9@0{O;bm; zRk-8>_=Q0*o|;(1whoFx_JzF+28gMTz;jzi0Q}|}x>tg?lf%TC*HxU=cX&a}U=KxS zbi{%sL+LY32xW93O#HYa?&((~40Rm19DA5?Ula#Ru-tBv29zvNv-1f=?DV%t(Ruraw z@^4-j<^d@*FQ$x;a#Yy^n}J58woxFroh4-On^RLn$^SOd7+}Jz-?pv@cehC_1<0WCo;Eo+WL5{olO$kHCDIR6j#5W(rnx%o7iT~ z#|`cCgNUEKAW+{Gyl1lT$~tm;T3OE%fzWaWmPQj99E?&Qu!fYgr7fp}uvNYy9d+ z-Cdb1H=u`&>8d3}>;8sEAhJ*UK8+J2v2JqB+X=+x{qVT+_>X&$=axSU?*G^b_RR~& ze?Ag^mfY+@(Bk_)k2^a%TgCf7+uK{aov-(Q9^&W2hc?;#p1iWl3|w-AJZBN++KmV8RI_hFk&*6mvccn!y(c~;ou+-6g3A8Q1vG&0(XIUDHy2!9 zq%51_HID9c6wmp4eK68}4nX|B<2|)Kc|;T2h!4qz5+}N`?+ge<>Rfow;e5cp-3WP* z5ij+~Mj&X!WWY$wqh^zQB$@b|6tQhONEyAff3Y~sLCjT2fC7b%D@1CMZ?x&DMqC}w z{JvKJ576U)W;Ug%o{;8(ubR5e#$+lp$PSU8>uY*xCCein;yD_YM?8;s6)g%LH_f+j zlxR!}Zvm8M4lN7Dcs0W#8zYwC`7O-OhRLYpa_p%HZFB5`dU{Zbr<$bMY^q6Dzc_>0 z&@*9543dw8$62#9MAOK5SUYCZuJTGjZ`LvrAC}p51?Gb-Fkfm5X3ZX}oQgD4bJv{n zX2bBILsJvwZi%9HTaS3^d7CEOBVLkJfLC4!c7%zQgQVUGQ-rrEx9d zU}&)dx6U6ojsZG?n@ly7fOm;I@S0)X>vR@97V{+t2tigSGs=CGWt-ar`)!3Dz}-T; zF-=3SIUm>OtE^^ob@2t9C-kg8uqLSieYx=8BgFo<$X>$x(Z?YagHs{Svv9Nb49cK^$JwL zrgc!h^5YHo@jh7+UABvva)r*Yn_3yX%I_O ztrBesBdlqyyG37@EFWhP-~U`JTa*i_W3-G#CkVBpTlfX>%vtS9-0B8K)B1f$Fn;LSSk)RASPcoqBUpOGko8}?Jr6vj=2(qnZ z0Ta0EvG{7WnZ$@kc%tcB_ZDH5*`d%9#DEMFtzEK6RoY~e~z%C3rpW@C?d zo1S^+dS2iLykeW5&d$y?D})PwUgpUc$@#fCm$>GevjWk$I@Vj5sXImRNKO#^S3L&cNmlxVQh)!O`Bu*}<#B-uc-- zF5aBIUO3bWuJg~o){VNEt5^FMuTNfG931cc`1;^QE%tinD&IrAE0_Fquy=ZKa(eD? zhc(XH|2>i0yHAct`@bjezg@DCmaa|Sc_}G+ygvB*LCsw1Ytla6h;5cRbp-*jH_gU= zZ?E^-ln|RI8hkp<#*Tb=XvR=DUcBiYoE`5S9aJd+wU8v0k#BC8-<9kD@aSOwr@iCD z-q9k6`KA2(0C~FC>-}xY_}^VhxVg3TQpSM_4n z7FDn>F-OS=FbQJs3GPhn;|VP*=zwRZxGG5a5$C6^F4s~Y)s74 zt{=v}hG`+eN}*uQQa3mIR?WO>pg^r1(&(Z&%dn~@cB2kX?4^~`UiotA^>Q+ zl&*IjL50{$`oH-ImQCkfM^KsLCH>!g1k1U|X7ltho9A5NQS%ArE7cQS6-br&xCdC+ zXBAe3a`ymBXN9c5GTCDN2-3y+6FIl@a$?y9ok5OTU-IAC(%x+P-CU4sTI)NwseC@< z5o_t(;yO8T3w&vnroL+G!==nR!9AIX*e`wKzvL0aJ@iyR@(Pwf9i81g$;O5#Z;p#} zA!uQ=q3S4#W7Xpc#KhNii2fN&Wya!xNYw!Bwxl|t*V6A5J}-@}!qaoXCN!lJ{m@S! zi}UkuE}W+_K>HJDTbS%AyI^ZEk46EI&*`gjPCt(>NW8 zP#HWO@%ZuM{JhbcW~+J_&e*VcFst#-tEn%(k#G;D{l6963sk73ylQe!G@onz|2vVq zK!jR~gWF>v!5_qn{VzHxxs!VFEEJu~i+sv=cG~1roaeYPDm1pdXP-?euHa$zP)Mt= zYzuu5KG&EmVsmVA6E62`+K8gt(0#lql57*yFB7@cHb)qnW$wE%SKfyP@}QKd+31&1 zOKnYZGoWi%2|foQaNk{#1P`!Be-0YJPPiHg7H^t&m(g}?tBGiorneQ;pF6R_ALM7X z{2yZ$CCd7}Me>iO`9HR{9zS_p%Kx$Tc;{>V-v{~mP@n%JpYWy0KTtJne;H{%zJWXX z?kOm=#j=VJzhPvJTSN2~&X^U{sw|zxL5(h@AiGy5?okcR?-_m}^D$@JEEjRTjXUfP zGcXT}+fB+{c}~&D7QVpFDi^mOmOfSJwvd+z~O+{!n~ zi+6|hwGdq=8aDdXh`z6zF1h1Ilcba{5%b7}?ZK=xB_`3_YB!o!z8iVJv+98TLd59Z zX1+QG`}+5WRnxK3^3vV+%PM+>JOGlzckByW;IbGuY$s^u{r!ilb1n#lP6-&P;>6@i|qR&UY74M_2a>e$Z z$yU9}{DsIm=U~1z7wXL?#JU^qGgHSL9JRKw4lT*Xb?RTd`@>;HcKM?Cpc6Y{`Z!)f8T5WPy5~5PWuP*J2Y24tlYl&eY5#j_~=g??wdbhM}+|oI}bZePvUT3#+Tabx~8#=ew)#ATRWQ5lXJ0 zK7_*#0^FKex&xa42-#1?KfW^AXO*Up^55n3=PYknbnlkcIOydwQ&2H@V zUN&`YX%RCbQZf-KgX*0rA51fmk_fvabd)kkCNF&g#W+>p$0z59`v+JBH{=pOVj;-8 z2Gq*97U?C{2FlCU@i;Fyp0W|eLQsK7W+|j!6xT6J<(Maa<6I4(_tIb?u>c3a%LEiB zvX!yTK=t@r#B5~Sey6da8hHAZ*ZeOirZb^4tbHt*(=U4;up}cqCd!VDxH5drfNbwR zv6Yd;01B5;7=X!%|JqP3YcvQU<19y&3a9<_+nbKG#}A}5eRip#=eiI~usczZo^ z*z?Gbd%eS6tMSX>`A;Wr&dD!(XJ>oI=Z6P9a&kuYPmb}#7;ITyw=IHGTNHzWjSRksn9}cnI#y{_x;SrewE~R_cfT+2XRB}?}+vrsZ<7Q z?(!kYO*bx0`I?1zXRcL$&%C0#y{Z1Un*Of@j;;!Six`k4`v3Nm$GheFFWZlIzv}-F z@$;cR{v#1#KHp12Ku$$?gss0Ak5#$;iyjS+M|oz58~YUQPyptONCuvW@Q7t859C1{ zLS^J?mRL9Sus%l2Gt2iX?{1T>+nI|%q)fm8T_JzB%TRyJ{M|Ktr&YfCRKiX>H8 zIe*tOtqzS!ZE8@iw3>(1vZ&SpqbW1Li79cmOwGf=f?F<^1Ro{OFH2Z&+9IEho@JM)ll@Snav*Dwo!#uc`)W|L_;14VL{twIPN77OtRsQ77#5u1~9|b&r&$ z?bg+nZlECCT)nwbVIb==sfmz>=MS?LuPFb=d~)09pJnoYdwXlQZ2xz5x3<2@|A+XQ zBmZr>`njUt@Wd=(8I!KS&t}P7fsgCC_}Ufuzq3>n-)`U2ZlN{;h3uh33=xxCNPg!E zA+%YO^hYp24;aWj1Q$C~Mx|tFDXr`s=Izci1M#yp(^DTYYp=kt_X!IiU}cuTDe||! zk&(!{=j zASMY7+$p2!Xk9VRVyY9Pqi$B}l()z?uoMx6(gKkz!w&2sIfqQ08#D~b#+HqK=1rTI z^BeZ?J~oBo{Vgb#vY|6INtUi>W=th&1z=vu{6c7d%p(HWv6RIDyKB&XlBM@Xw1~wk z37~r+*kl2@R$SX1%dcyZ94sc^Ozux!Bw2d#;s$K_O~{68++Nu-o?R0IuH13RhWASQ zgWsk!a;5cr$`95@cN&Mt|FlAScswXSzWJ2EZn~Bwfp~v2xW7da32`}1+*z^ih6VZ$ zkHh&2kTs*{YC(B=4*PcJzBcNV$!UapHIA(?Bt+doQKx<>2uI9|f*svj!z#K`ZlU_z zP{Y#WzPTp1h&!l^rxTX)pqxK(eOr^ZIJ{vbX!hi>_qnV>7Z)CXL703tJZ`uEjB;?_ zYCn}c&e$j|>?LbvN|DZGhT5t5EIa}`+uY@&_KuBVBt&W-eJ*6b5JpO9D%qK?=I6OP zNU}y-r8+?h-mSM8-HqvG%kSKraa>Q2C*g9mL2HS#hsSvT`TtI7obhZ%toH}IAtEIP zL+u128{b|vb@vq@wV0*({q6q$zU{Psc=x9by#M{~L#OrRQ}eGImmen|k3PQoc>eM9 z~?OPkHmN-}G-cmM;1Bw<;M5e5~H}v;~m~bFI8IpVOG5Is)T(sq_zT z5yIb8Swe5Zh_oi>hMW$hvLEd7*ieti#@y2p*T}3Kh3KI;$04@YTlJ?#UFpnrYQZ^! z%qGc2HccXSu>}KN0@iweD%oz9e3-lXDqrH?o?1o3n|P$-cRE|dyY$G$R;ObL?H%a{ z?z30`7?*N+j-LOBYg7s+3wRPIZ%A~bm!^gt!GZ-bA0~854&4i zPqv>vbv`+TS6kb=&wlvfht88{kGG%XA2v0+mMx<^Pf#_{w73Mvmot6-`F8$V1~kH* zx!7cjd^Dn=T43TEak*r*PUFj1T*pMAt5+(p+#M6;>U5BLy&>}Vx8s=7u@^^EnVqWb z=Rvj|hw$5LU0S6bwN}V1W~N$h*;Wiy!z~55SZrU*UEjzob)rxqQL_ijTdiodg4J?W z3lr8KEIC+Wu%6V)DP!vNrep@ni-N2u%ZVBpQ7<3n%7%hiC`*JIVNfpz=7|7jggkt& zhS%OIb0Kf(Tq1@D1?%}Yvhj^{$-kjzHGfnB@|=9bZ?LjH+|mzj9G?ngduv7c0;qQh z)V4L!;7$@IPZjsA^jx(;Gjr1(&H%S6Z0{q{SXl!79ZPvWtn}IWBTAp08%m#@dD3T9 z4gmv`Yy?d4b`x)Woq zdcWU@;FZ?DQ}cdCC-;5-cWbv(zW=ecyZbf%_d$NX=KuSe|L@;7|6iMwt+tA3kr#qC zJKhT`4L#yF|KO_aO7h=L|8$ED;1=@#$>Xp3--G;omH%Jm|5y2cBl+(pr~3Dh|0YMm zZIu6&{(qJK|IYH?o@h_gs4WtmcFG)|Li{B0NLyY_c1XJoVVmuC z%CdAue)YDtJHLA7@AibgZ)beMDlcdhwON{qRFbwJZPLCbzk0v^8e>q+^KU<>xxNTQ z$Uc#8Kcp<=DGRcTX&QYZlK;-0fBQlGa}kQ`I1)7cL=>3k-+oa4Tx24n(I=u7Ad9nh zHcQy^Uw{48`}Tu=bfF%7QjdQ9HU8BjUVXT#$)Bc#y<2KEztGwxS6hus9*13WD#C_I z{MBs`sN&HjA3l(}^jLX4AfJ5t1e=HgqCbPHvG8q84y=#lx2eb&`ShtlbY+|_APg0A zEU-dFA0Jz*RzCSiVjhPq&dB3ZNe@DtEMjU5B(IS^7UI(D5{+f)MLT2>%UCpG^%}9vGw2Q=YIb5$ zg)vrn6q^+!KNVKi=f>AXrnlF7eQ|WK|I^;_VejaQXJm%IVcnWmr1$8Cx6@9>s{=h9KSq#bX&qQ3H#?n#J*&~H09aMmqAJ=eoy`XwHWdENQBdfq~ZU^-rM)LZ7Yew&%cMC0*6kwR<1-@c3xWT=InKCC-pXQ z{Mb&reX_kVL_!j3ieLfIj+*BF?$@|qZ$HWN!vG+`7roe)?DW*yJ*h>3n89E$m>CRa ziuMh3v#tO2zx=j8bEs##C$A39)KGPX{(q{W4yjjDH>whVR3wV6`_|0GMm=_vpe8<- zv9Lnu#ivgV(r>`o1>t9}Pi?c$pOJnhUNp9E4o@OM+KhL!KtMRUb#L#oEs`$Jr?TEt8$SKK*cT zwENxbgZ&qhXSKx|9Q5ARCXlm zzx)e&)PMzg@dEj32s31F9lj4epPs&Umk5cMK;c>d@?kcCS=C6&gD9_a#m=DTpqSQ{ zss6!P#vORF%bA~FMiYCXjNwNoyGQ$P-F+y; z68+o1p|20#zWf^f19jyj?W&ea1_!^2l9pUHdUV$6KJv?O{C2sO7Uq7x@-}jmxFC$N z5UQ&NX%B6J3FVye;0^re6!yqH`+5Z;LcUfyRfh#->a92d$CXkwgCT~V`pEA!bce-- z2qyUBjNdDJc9GFoXwm6wpTiO|ws1l;AW_;a?*s^rDK5y!l6bms@cAp|He#*)1(_=B zE(w=}&zC<^{iu~1u_*Iom5eJfILJG+^fvnBy-Q$Bdvxat~ zSLZ{GnO=&Tk8?eMrLqfiXN@+a5QKP@I>GWw;?IF~-L{z1Kx^cSX3Of^dEKl&@@pIA zVt%<{H%(?yZlOURWes8>9@p-G4Tplrj#_WREY-#hq*r?Jv)BCh!P}Q*OCdrXihR+n zxKFC?l#xGwi!M4UkEi>n^8FeeRcELBsQzeici{VI>c7sb-A4`2mPfeG+vN_;vt>~3 ze7v@|s`EYide5AYoJ~{Gw+CdZQCGqEdaWKU)QQmlY#5j`jtz7+Ca!YI5|K>^3RxCM z2u_~tLD-OTA<>Xr!9kEfSRjyV)(wdgLLyP>TQVe4e3iiaN_B#w{rdbdAy$*sw?E;m z4VJb>B|v8k2^L?PGf$2~g;t_ZXUkyJ5a4u7i~;Wffpa}L1||`r2^wHAhLO~V$~a6u7(=6Oy8xt!AsjB5j0Vq0=fOs)znSBTmw)p>Tc1{ZF)i@cQ8F;BMXAU#d5_ zAiq9@bBwHpiBM~;yhB)xSu1i0j!oZ}EY2q64a*Vd8nxQ{9>6K5#; zEUx$&SC8-9lRkroQg85x1TMPHA>cRqMg8lo#?fg+PYYnxv^eZDO4Az_kv`gb^5ltE zh-#}H%`}4M;BY-s%sJ=1?+BYO`!gs0D;Se_LPrVX8I;V7mF3A|wc^uwvL z?YxtN-TgNQ!6XVsOit3++dzA8_<(-gJ4F%Y!V5-JcHv(=9xoXD&b#oheJ~z%)j#&D zxJVWGM|1W zq4WY85!}_yIs4TME=9;9()GN@!H9Wk7lL>SFQi?Me8fsY65V^5|2ga5gqYnP#)A0I zXT6=LmG%Gh>GnhX=be1eqE9(Q(wo!L37%}D|G-Ix`4nw$Z9SR!(t;RAQ2fpgPTriN z-J^XslJMo*6ZG!%pp8xrj!)k1zuQxf+t6zN@bv8D@Vj^F33Sj4&_02}$4XxftTvfP zb|Nvxaf~Je8{>%Zi7?iYF>wUgE14ilx@q^mdThNBs%;(}sVIPji7SLq%u^ETPI^d= zImHh*hFpm9<24B5a(=G2`@ifM@z?dP5mg%F-EeoJb|w zOEHl-0%U|^bO2q~kjN4>KohcxL+Hg~kwgf`R-@L29Q;Hf2p3BTNaHMSBg~2Y5(Cn0 zh*0Ik#A@o}{U-}K_cPz2hfE&VFHBD{@s z$R$LfCi?HT+7Cml1AQ&u>z{xE98GY7M_|}0xFQS32C=rB79l(G^9g0ReN8ky54-c^;OG;SsTLJjxs4EPGFN3W6X)LJ<=8$kc13rNO4^5 z-NCb%@}F7eL*W7S7x!E4tm6b|a!I31^~I6PAEpEHk?@d;Y9KD~nO+1iEj3mA$H`Pb(=}2QLf}*}E{!lZIVH!5D5BaGE2}55`8q@x zY4SjK?eYLkAC+N-Y?4y7pco)$hB?Y}dzA+4N-ur#q9;wV+zAs=43!m~VgJPVMNKF` z#J<897~|k z6+whw*jy5j0RxWhBa z5<`8YR)I@&QV>efNs3~z0R2UK?pBn`E*Az%9GuVu(^$P6Qz1p$-Li63NKAz!6XA+* zDg@NW!6EFCriGq!B2pS=EEDk*O)$SuqK_BakyW{fprZtv!vk|~X$B`MVdWn&i7;~4YT(zG za7Dk)hizBjLY2oQppuW13Q#o00u2aB5GNr4Nj{jC;1r8ckl!+r$XJ058Bdwsu9d>; zEI%!XwgdD^sZ|Q>UOxQ%j@fCZH&?@}jmC_#%v`BVa5zQ|fshg*gQ?cyguOh6m4=rR znc>*7-xcF=bVZe}k+7r#GcV{ReC>o|%ty*_VpAN;X=lg@X(P%xxnyuZt+t!n>w}Wz z))r|ibud+YT$6N#I8U=dOv8Ap7&VRYv|T(&3D;Y#fG0+=aP2l%&Cg{qD9bg74cj@$ z7Ck{b&IBD}C3OD@W@pn}al~-MCasD@1rpjIYN1q*)tS8sz94Nh#+L-NJc|(6(QG(W zdLBc9#BtmFOD8GgQcp}S2aKX@v_cRwc4UeKdXDldr)e51bCV_UR8v{WE`wSaV>%J0 ztuwg6RCnT1HHeTa5A7tuGPb9)feo5 zw1sPSTgi-)S4Pf&xKdML_qqTb4%PhUwvdoiDxS_KMN;E;#UreK1|eq*_swF%%5`hb zgy;al5Zutol>Vf@!_CzgUx|!LHPo1l^d^91j(njLRHWiO0S9}6MqC(EyXeQcU_7jJkXjLX_j8-lI7i-LHc~+~^yMtPyYW6IzU||)u2+N%La_X8J!I2gP zPXcs8T+dLDUjfb~TU82$ETvYrDaoTbS{_V^QX5G`vq@X?k*O({`A%T;}I>rj1a z19h)T7c=&+u#H-n0|%yd+!U&`vZIv!uAMquu@GkynkYWe)}wngt3+JR(yC8ox{rVu zME6sM96FFWk(efJt2a9)JXiga1O9wh_+f`#qQWP+}&1UF(OKDYCFmVu&6AS zn;BaX*HOWzDpJduo0guo4?r$rpwOm-!xeVP%!=c(*tn3<;Hv{I6D?{fp_R|SG5pk2 z`#MK}k0kjh^$mM0EDWV`J8<09<%ocWl~SWD%$L)ZH9axh{Q?`)y`SGiR(r$NCBG4B zAQ_xw2km9(>U7gg;YPXwvtfy1f`u}tTra(OrC68kMH5>b3tBrD{avmSb8+}r zSD2TW%w5-I2Na^iLe8iyb5!hr_5K-e*Qt!HuIG5UjBU_BrD0{IfC6zzxSlLIrabDX zK~D3zNf@6fgIOsS1oHr5w9LJFQ75yT+(Ic2+LX?nd^mQDSEZqp(J^ZaB-XU#o6olm z97XDHuIwF`Bi*6MG?J*WDnM-oXT4ScDvmE_DpV(C94^X?qlhZ4wWQ@X zXz+z=ui?l@cjKHDv0(!??PA$LB9vr0!xVA7bNNz&{uF4(n^z!EJFP11!nxM1Gnp7Z zD!FBHOQm87lqTdU7(3=9K-;Q?7AOK_QkJMmBOlY4hE$oq(4%uelKVHNRV~tSW;t%G znXaos(^n9yjvTG(4P5W@bxbp(W&xTG!{{!w>KfV8NB#a0lj^1X^al2q0n? z3(%QWKt!P9LaZJgF_4^6tK80skRrS}P}Ay*J;uNjA{>oID1#6}29f#7xVcs(b>ni< zoMLMz%+&mw@(D9*Ulgc9RT6^3an(e1TT>~@liO-e z?W4Q6Wr81Toa!_`j+?YtK}FV{wsxv(Qh`Cl>mrs7(b?hI>w`8rdVAD4JbHO@c=YPv z&B4)G8@)L=+53L?=xq19!`FvrKLZQBJUlx(IMv|;yQYuh-IKG!y?3v7PtftZljFCi z2YR>Fr-d<9;56kds+V3Aw@a?v-1D=L-#4|QAW%eNIskZ}Z6A!Ift|9L0$}42fT_h3JSzL})!Q~Cpa>3tTvUaV zjV2+Dlwzxo5|jd?eYzCKwo@yi!!cGQA{=3^&&<^>p6}Hni)Gc&1!`uwjLGy9nwZIS zz{Y+!uC z%4VWNEuYnb*Xtc5~^bQg^?2D(C&6q%S<3ujn(H^(gE7sXUW%jynwStZRdY)A+XlLOf7CB<#-tD zz}dE)vstxP#59rkqjTv>Z~qf41N0L?I2H_XqFWn3sg>f;R`ZPzps{MR3)IZiZpQX# zbwG-c6*wWam^S)m~9P`82^V3Qd9q&ClZv_= zKY#Xc|L0CV8|cJv0NN|A(SA?j3EEQ}fliG?&_S}DPRDb0u|9f96MZaZlPBo(;MMI8 ztP4S;5{<%cy)z*LF9rb2`}_Mm`|MWG3wk@hY$_Qp`rR&_i~=zR^&+6GJHXM1bWQ7y zZrmw(-~V06X-r-WV=O!3w+wUALVtf>yAQqqf@-l#-sa z;J_+YW;AX0vTjQ;I9?Dh}n;Y90qkgMMFe#j})N9X^m7i{-} zt)MNx0I!0AlPh<^A{@WaT<|X`mg5(y*OsT~ zIaWG+9*L?!>qyv$NK9k!lxv21f4Y16dU;*}dg`E1mlbR(n6AJg?l?cR^x3CQJrUD{ z6e};}#2g({p_W7xpi|}~s({mrOb~8=2Q#%89I;HFODCHU#`7LO-q&lh|M;=zou8k3 zpL~Uy-~Z(28I>S^Q`>hk$M}$dvLnX0^R&0^xBdKfx!?Ewwr}f$t8bq_L%+p@R`SrS zXMU^o#XTrofXh?vmr(13E+g{f<5NjX?cT!a0|wI?aaSMNWhux&E!SN!9f5xDR<( z7)Sd@r|@@Bp-q;TQh|$RW`fFcyQ^Pmmfo}Iw;-X~dg-|+o15ny4$*looX%0os0p{m zR!ZqGWYFmdHy$@)ue!)7+T7c1shtnpT)C6vTql`3M;Bz;2HAezfWW!cBHF`d^U(ieg>JDqhdLcCawkT5c>Q`qx$rPwpL1bFQM6E5$QwPt|V%vGel zDOgLm^ax`L-e@{fBF|;9GEc<efwe#BXp9`3Joa0UjbG+9D_%Lo#Z=VAEvILmmT%F2n=IMAW|+L)Ln z9mffCw29wL8aWesMiP+~uqIh7X&TRfB5V#qR|SHjx~lz}$2IBO#{?jN(+Q5G;gq|+ znH4nYn0}h3#9SZY-(eY!PwDULUCT9Smglm`Ku5I=rc#Hva1t^e350DTbVY_3LVn34 z1%eG!FG#YH$&vx}vydPr7?S0L4A6Hbf0Vgx3bPM6RMM=jp!arqThF)W5bHHfMufjP zy%SnlV1`tZP6&ioOlTZalRw(r&#uzy3R77n3pQjcNF1P_u)Yq9hm83|3P+6rX2d8If_xMn|ffJ$q zR_cNEKIz($6Pi$EOF@l%i@f&skd`}>zNrZH-@pOiN zTXpaEKjlR_jC)&WvdzEhDuL$f=e7^HT=zBC_1!r9{FL)0q*A{lqF12Slnv8Dn5d`X z7_h9}nafUfN7f9&Tgr8M1=-Z!mS&yab?IfQKim)54DgocofJPIofALj)UvBo=lia% z#!l1TKO3wj-93$21D`);-DWj|)x2>}gVn(24_3Fi$za{mCwDSH7hr=?TQS{ctZncg zNXDJK@F1%p>3xaYo5g_t!NU1ap!mU5aq;J`e?5RZtQXk&ayO8YQi-rW_Fh{!F1u~;8%Q!U+ukSqk}ank~3h{l`>r?sg5NlnsL@M zl~o`u&pT#Hi89<;8_5B%7cy!6_7&*O@EK zJxhZ@=hlcGQ9cagaqLB7+J3_%6xQfUb3njSy?XuGfI8 zt{1sh|ezawfTSl%bX#+ z{)hAat5Dn<8-@r#(@NOV)C z|LMeZNWy6tlkP??ZaW&S)(pXE?wp>DIT2$PM}B{&?L*#A9Pg7DPfu-0#@<%j*F!En z5?L4$A)F3+ZC}y}VVNu%&Je%}i^%Q}@{CT`I*l%%mggO@h#>nN@ysqV5spceL7vcA z;urkhA{&i}&^N&B6*#B`20ko!6^9|?_T)vfl*Mc`MZdFztcM*6)H~#oLVR@>3qeOo zN3n(?KzBp^+rgF&%WWm^0iWx@@%7A6$xd#b9bpNu+~lMzx|8+ezyY_dB)p@{g&VG+dmt{@i16L=e+MT~ z2PcwVcSR^-B$D14;T>3N2XZm~XQ6w3--)08W{)1tj#-w3F z>H#QQTTN8p6vC|cVl2cFo~)Uxs?b`VcU*l28E+xk**$J=Y9F)Mc2Z8rL|*~iun!?O zMO}~Z8(EFB5hp_I6CA}fA;w%(JwLBaU$ZVt}Ui!!rR7~t4zO%uKi=<8+9aFnMiOi z7Pg2gJ3MP#bZXn6xw9dtn&xZeiv_T2uCwjM_&0bF?s5nX;A^9Jw!}1)d>(f>fD+)k zCv^$btG=1L#J&owQ$CF(lwMh(ccwthaQiy|QU|K@b zJt~xOm{BoC10t^oN%D)0=y$>yY#B;;n@l_nBDrxr8Jk+)YF;a)N|5FR?#(_i3x?tq zXIZ*lG@D^INT;Tgo*8dzlk*N1&JytJq<@>7Fecwn0Y#UWnFyXGyW*W7>vfmTgu3ix zNRA~L-GR|qf>bB)35#QzjNUqWJI zqa-Z0m%iX+A}*5nFL0JS-84GO-QVxbQ?51x32wsze7A07H69gOugxiVW%i1*fcIO! z1QY!6^nzTid14kLu+%yE+>Y+bPqr))t;R?#+aM^<{qHOxezR+IF1)KTN!}#_ODcwR z?GX;wL!~a~PR$m-n@q3pG#7NkERGX%l~S#?)sLYHq2+n@PY6Y_QGK@EIg(@oc}M5? zG3W%3)_^N?3!%3rglM0I7lb2tz9i93C-wtZPX6ZJ(2r2`Y7bSp=Py zQ}@^}6&(GxFYyR6+Bh5v=mZ74H4(yrVAN)Ke4Iap5@qMQt;C~qr5b;&W=_bj+ob~( zD$u#M3>sp~O0+7Ev7p;+YN>G1t-SOKx-nh1EJ-4>YKU6E#SD(IkvG!Ss^Ep zPB9PqlNLNVKT;xKZssU4aO*MGU_pdNd{LdBa0{C@pIO^^-rbuI|&z($i%uSFKx?GoJXu^bq zLc~mv7Q&qL(K+Fq@$)u1SNN;{(qza?La&GnvQdLSK8u+s0%yC%_>b2zEgf6gXEj!7muZ{dQSuDJXo4WZ8Y z8zMOko!=xwBIG#LTKz=-JSzydh-THt<<(SjI)j(~4N?T8ILsq&{J!d8>i5+MKev4i z7D7!fvEsR%Em7Ko*Q+!wqcAP4EScnEtH;uG48hp8w9kUL{n{)gCSzaQPZ^iO@4x?K zpQSmsm|y+=w@o2XaCJk4-GJN;q3rD1Mr`^oIMO`00b^>RmP-%IrwzPk zVB84{Ho#hj6YXmY8PYafS6F-_7&TqSH7@e9M7V;xQ}02)RrjKo?!#9gt#zTfKpJzQ zl?GB@b|$H36K%k#vit737N@yTcgf;xLf$Co+CQZJI>zfrhr1AD-GkAUlXM}J}j>!?3{L+9Xq z7o2fzo{&VWPu4n}&%J!K)N5t z=h;rJ{>S$AL;a7t_&B;@-$SUflEM2U`sfcRpVR@3qR2~~7xcs<(nrhqE){F_FSmo| z!B!oZDZ!%z;f zfRqdgk=+#kb}7^8@Ed-Wb$7y_zrT9=?)UM3?hSs(PPU)C+JE`#ZTI=kaPaJ#ZSt)5 z^m)|lg}trl>0o>CG{U{;DIRWh#RZn61GR`dnn2=mPgbkBc$Y=}nCHRvw|`bi zy`Il3`R`O(xiyUW^1t_d=lS!B{D0Pa{^UXa-^FL6DCB3n0H%uHsVQHFUa~BSbY`K= z-P4yXlXaIRrWiRV-iD5kHYG4?g~vru6r6L)W0#8FL6!Lp9qR#AXNTpgm`?2@r#gA1 zGNBmLH1IZb!pGB>78BuA7BsbfmnvH5ZPdyZ-lS$B46CS$w|vdQ4R7O`B@5LXt0-Bx zv4V<)8>=f=xUrIYg&T{?6?z+Jzg)#^Xlgmbe!Ss?bpE{i=5hy1_mPW3^_A z1OnQ6F-0e6VoR!8M~etN&!qL*V_72msHf2AbZYv*tndP@eR&Akv$;l1%tHuzz3rhj za$YU=d{@1*keWgOJcNocfj)B2^4-^JL$_zm(5Qai43BSf=4>}TI2eZBZh!1-`mCKg ztKR>o4Rz>r8qS?Pgd`sIk?$K;SjkziSw!nO4Xz$w_tE=b4DzMpC|F2USEGA=1*4wv zUXz=$8ZhKgZ8wt)JcN+@*QJjY9`+#0`dVRm>Z;;V;9>iI*&}<#E=bZxl4r#8%3j#M zW#T3WwLM3{vpv+v{Aqf>erMPna%Zm?va+KV561wUeLzqFt1x!$NA&5lyNsJok#O0q z4b89Z+SV&{p?iA<(|E|5eZVPuP{paaWRu|q;kl)rV3^(lN;$!JUX?^1+@h>MbGuI= zcGr!X1`%%qr~ByJZ#{%eR5*O|#EkYw48p>lISz5EON>(@G|wUwahBS@J81XyYxtWJ z9KB8Asp{Y*jft2FNhVHLGaxvK_O`aR@`a)xXaj9eXSP2)R(k^DvX8#m`eqAWPFO^a z;n9vV4=hW)bz^*Ce^$CnKG9lkLGdiY1D*R@^#WIQ6@Q&4G}f|}j|e0b?>F$TM-#Y3 zr+za*0eu8#MQVB48=g&XDphR*mF24GEPxmLC>hb@V`D=Ziw+KfD-{ua51}y=63|c+ zqQ3OC&!A%ph6OPTaco=_DVAf?Sihhi^iel|qMPVar-$nG++Sh~yeiVfT5{Lg${QqeqluC!$}R}UN=p|SWue$s>9S5LD50-x##Bn9 z+T^I1;{RBn2~DV)PB^72-3m9uaNfxhTVB3eNPh#WDvCD3dE%yt>OCPL5d!mR8wStG zL?`MeD9m`Qi|H%E3?<>{>w?Z-2d2{rEhZ>TGgy)n^Ihlg>!aTGH*csJAEY~6@(tJ} zMTldXj2f5BgeK<3lu)`YLKFPad9byWugJaQckd*P>F>am$ApK9Lq|kO27s-b=`*L< zEj>3!j$YEvv4U1i>_v0?^NeU|M~hi-$6M+C?s0^-anF~!YxmUkc4u9%xo+X+DuI1d z=QlIedpE5SY4p~YaJd@l)DmUgvf+$MdwPq`Nl;VhuUDls2be4B8fq8N(tqb-g|pc1 zYUq#a%_WyhOX~&wVfW<^yB|(=_kK9sHwy-~sy_02{&i5O zfuGpbhj!$>xbJV51Zf4MDX8?DCj|KI#$~cH!l2K?kc*Sqq{G>)hz7pv-V4 z$J?EhvyW4Q_Fmr95mvj&6e;;u{FqnFEUbbG#AN|qMQ>;jv1T@#SHz# zcpUxRu3WwDG?RcIC_#9jc8ky?&)2CY^2(5Tc2S$aAs_tL+G(iu=>WWT)*UrwEJD-` zlr=o2lS#NNJzH26Icz=QAZ<8%<|>`DFpUOj*g6-)#ji$Jd&86!zV-a+Q$w^p7>Bag z$dy|J*U$+3yx`wR1cibbFKX(nNVg>vu4-x1l@snDb##`?vQhM-d_YE5uNoJr8O znYW>~Y}H{!TgwD-z1oO;)R(nw{!g{5tM(yI^1|=uuGBr(rB@-MTg}d#l%l4xnL^T? zpWIZ5sG_N&eV<0=Ch8D}O

2O_#%#;bLrGUVP5Pw(?Z$B#F6PA2 zT3g_ThqX?wOl2&`n#fEL`x`GNlti|^)C|%HrWL(0mIWuPMOK>Gl!g~tJI>O;iYlF~ zJ*NuN-0K)-0*mq1>=prRts7-5E=k)*&7yQUBBwphEh;pzVrn@P1-=ymu<%4Qu1Z3KQ(0a=_6&yma^q28(5jZr7SMmQm*Eu(NC-Sj{0cF z^U674a{cWU2Qg14dha7b+QJp|67sAul%+y)f+yBPTkJVnqN+JL1-XN);8B90ad5pg zjZV{hg45bASGZa08=%eQV2ph0)5tv((CWUA-|zjiApS#dIl-@jB{zq$ApYaY_LHZT z_>bpLc6tx-A9wNjOVL9wrZ}E#v)%Qtkln}r^xT4 z_aN|nFzb}?{{58ONE6}LPS5vy9vJ!e|uUx{nK4ot?#fEYv2fPjFS!XU{oSglXeS zc27~4v{=OIwjDPN_LlwwU6~-~|-lrXY^UZ2WLM-25GTR-nd%e|Hs{YK7Hyw_EvBOd^H!qS8@G&RhPe4a`pRW7r(vh-TL-capn8= z7rs|^-Fp?6y%${de%$^1+57aVgB~SJ5`p?J(B_Cpw7E%>FwP>9A3+93s)3I-BN|HN zV;^lolxNUtwa_0BjQJmeB`xH0zlA!cTMng3AAM+R0IGij2^yHErZGt(_2<2;|HbnE zLw+h8j94Jk>*oVmApf_Y_qNOOf4jH6{Sg0gCm+Rs-N)!veuoyKi+y*_ee}2sj1A1H zZxR&CBfo*-=gj{oViHyqO(OCU1sHABR|YhImDDSKeDr~e51hzMFY5jaeUGg8-Gnl$ z}NcQ-N89cTR@gp3$;qr7%9O9;?0UHRLHpxVoWC@h)Gfxa#bjBxvGVf=mT;02cn5= zq0KGxmrGh0v>?)uz=wD3z}=x(I;-FPW{{|rkF1HvD<7l1HFk@kb_S-81w*!=nn!Mb zT|j`P8F`Wk`G)WjoFOSCfY@IrL_*?}bS^?$Q_Y~_^Bv!nUQ zzwG(Qzo1FvBi|7ntyTjbvyoi}H`5e60B9y>SYp34F)I!Hp~znFflUp+xXahJ;rtHO zfAxSh_q47jVC>&FR3Dbu|D9Y0H&X!S@BdGpKHYv&-T$9FdG@gX-^FLf{$HB&g$jW7 zO@Z(BOHl$I6&WA^$mTa&-&oOY|5H*JNG^YELj1xbT~h#>puCvZL8H*td-m%xq7fZw zUoPQ3@{9g!5^k0TkasU9=?9smG5OFd?3>w}qcUA_DC_cS(TiAs%bnx6LDp5rSO`8x z1m-BSix1l{uMY0P*>=$Yi^D{k@su0&8fI1ZckN9whhlg7>*#w+0&zI!X5zkSDHd1M zznFDcRmL5`av$2bIq=s8e|bI4!q^Eq4~#pz)zG10Nb`mpRZ!*15;m1f+6!Lf@Mrv+k&Kqgbq(0K- ziE+GB`nGZZMTHJ#z+Va(G@6h(uGG>zhl|I)$Oii9q75sR{KG!sWZ1A@=?+a-$oET% z`fT&FBD#qoj7pAT^A+F2-vTD!}&g6WER!hx^fXf3xU z=gy&NQ@eLmXrYx~sS;JMFD#nZa@O#Q9B>MaBU1)+@f?O_ALUlf z%oTsUaPg#Yl9WaiG_)~63Ru9#Nwg+IH@`a**hS@I<=|EfF6UwQlb3{dIdCLB=d zVm=GxTTk(}&57)j%?%3eJrn48__bM5%zOcR!F07trl-%4cw=aDFQC;SX z_@TI77*w;s>FTCc7;{~nW!TqI&Z`QYiI4S>51ncmw#4QrY$nJPa1YOhd_krb@Zw&R zk}0)_X3j1OP;x>!mpMD;&E!$Otx@ZftBkHyo2QO zN6h_($!}HOtgt&=V-4ICpiXBu;4Yo!`*ip8^@ro#)6<{cp6q{7oVGegaD^51h2V~& zWXEQz^xbX!?q_vg=F?To^6|;rv$x;9d->tj;n|1pc25uYcHfv%FaMh z8)tI-rEo$$o$tz4`R-4rZ%%(W+P7f&u6bsKkV(kJbZm{ynFV&o!uFS?K-c2N5-NPV*ftJPPkmz=nqcLZZLkr z<$Y3MMax_f;D>{suRnfg3EaI#Q_m#65|Ov}{lS~vlY>`>r)MWW-)LoM%&a+g-wUNN zt@^qsb?sHuM63H;R84v2*F>yqueb(UeK`worN%{>Sbs@%Q&TsuGkOntCfLBYn$6d5 zUmYHO_>Z5?wBq;|nLkMX)cN&F8b$Hmlte%z&>5Qow_w96X7$zEx369weAs(^cyRPr zoL^1W4%DUUXySfR^W9WSWQFs-e|U1RclP$==MSd`CqEwU9qjJyy?uAI^zL6GqQ>D!~- z*SmXr2dAfJZ+|#A`YZB*CAV7hM2L>m!DaW#3G71Rm9P7^Kb-CUbyvM2=@+%yVUBCH zu2weD#X8?TKK$z~ZkX&+uXT9x)R^g$-(~d?$Q44hu!@*hex}|hkrH4k|k^h2n%BQ-cK*< zlf8mNt@=z~&yC+esC#qbHxlU9PU&U}UBe?igGBe^k8Wn7TOV`GV54iCam-?*;)LTm zVQ9|PWgArl?Mop>vtrh4BONMt&CoQS-)AoR(UhGLP<87o!fOl2S|*y&y@~UM#4?&Y z5!Xy5u++8_I@j=S7hS)$4XhMhU(JJXlcWaATsyzk9sZ^0V>RTZn=W~~?>Ypn(J@b< zu=11%e<~u|><9THw@V)MY+-Na?fcyemD0B622*%F^Cme(!ko zvo4R`K&We=>$bu`%jq`zh;YcNV;*XSrbO7NLT@*L`VcuTPHwHz!NhF3*kZo2C~zJ+ z>!2T^2F={G8FbZ{jB`FAt0Hw|-PnR@o3U#`+@h#9aY*0fS@|LNkW0t0mQCyN8ol3j zso~3sg>aMQ$H6UaI(GaZ=zAD&i*Rp~3CM0aghTO2a7D$WTz|kl+AvvY8=}9 zS7@3ddw4C z3-GuLdQ*fV#6S`X!&4HG7bh`_>i3~^l_sWwTvZ3Ui=>m0rKXZ6T2@e%tLlfC`3F#iF&d};AOBdrdlz4DLtpLCRqNEL%Fr;eq)^(TQ|`O)(0bR98Pxc~&l zi2@qcR%8yTvteNgTLo1T)K~#o4Wr4esX{0_n$9%%IYB{PxAk6JW>8}f9}#8MS>7YL z`c>ywh=p1aE$$ynA*C|QSct*E?ty2HP{Nhi0i5CdD^7j?@36O+w@)v|ij#Rlj(UpK z%FK>ls`R+Z*yt*?>9>&XM)n^aDNxndWp@|Yto0@6wX#_?0jz}r?r!`3d<7cKoVNL$?%h6joGX~gA)6y8JhGw^80h6}vY^EMit;OljR_hQZ8diVCKgCw;l2Z2L!~>DrCLQB#GzwzihPmq6(?aaQZyC`uq$?wen2wN;; z{B`%Cp~qC6!VQuukIy;t*lqUjA~N-kl8suTeZA#A7tHGf>dGnZRWfC4$u$;2HYzFpA-aGAAu$_C!2tXu5GO9hfSxgm|n&MFZSG= z?+^%Ernq)bt_S;15r*|l>nfWHh__l9$_I2w%cSZ!B^cPQMe#fh?D0}aP9zi@#=;(s zKMiRIt43nI`0v(3^PZR~7YZ`w$+WDgCfo*1k`-Ph-fH^bZzD2-576-R=}gFKzgg#6 zs*}#YnO)@8>dkKhbu=V$8Jp_7?46pQhmZEptbHaIXNRQ|@=JstYoG2HlP%^+ni{^ACw z%AI*v7!r<4+jcQm*;sTNdbJRNalYBwO`>ZG^C@VYye0B(hzESXw5qQH3Z7l@odP}X zG7Ev5+=j@X)jEF6T|iP*r9Vy$`7fZ4(NbK+Bh+g*)&oTzl=bsQ(Vpo5K5mL&qIYj# z_Z@@$NU9@=%pmi;aly|6m$;;)998krrQ%p=7GAYwW~lQtGmiFq+!1wGc#fIJsg9YZ z9P6%{*Zpu_w8#

~EvWisY}W)4{s6B2(4 z6_bXsz>V3+G%ZC^zGnvEu_0Q%S5&E|x7gC*kl_2Wa;D@b!7d&wmnRnKg~*hru#=AP z+m?SxI9!j;S6#Fe^};J$!g^5+cacOhQ|;XHK!+zfXv)sD;-Fvi1#p}!IeCV(>+J1E zDmFkdSi#Q;(L7nQ*H_rhe)+`&z4S%ToahwSmj3f*oCziSxcx_PxOKPri6r^k0g=Wf zqp5-c^RISc9b+%*)w*&O*oe$`j5NbtAs`jB<#Yx2am7sS*0Ix~P6bFXQn?t1U?WR*7Cur{5l-^_$o zr{gqbcgsWe#VPs^;~d2w>6RbmroO52bH_98(}*9azL~2D2u>jo3Nd=t0qRI4Z}m|w z-r0Y5iN@mr5H`EHF{4FtG2MujhlI~C9-tD|y%F5Y&AuLMvY1dh>=F;Og6u|I?a|X! zjW$&hOMxl!Rjt;y6k%(0k!IIn!@B*Uv8t>Ebzw6c7+QLA97+nYTo~$MJH+e94APLgan}9=l?yl z{tML!b^BJY%Lkej?`p$Yyh)cnFwAI>vQ=KLz{E8@>0jy%r@8ek=NZYiTqWao)_eF_T?(N)Ik@e{L%ZOdpX(t_0=A z-8DvyoS<2zY5&{W=_9+Y$*M1+te2UJtwpIfq}#2&6IzIW9g}XVi|SRdb9-9+H$SM z-nuvVN{yi~OF@sgPBj+L(PXenA18_NtySHSNN}C!6)GH`tl}BN8ei8;O5oshLNA;) z$TQDsyHA{#JiM--rbX9mFL*Szbb=;&_5L|3aY_S#`*j!+rb zlwj*{>k0+vzzk5hjI|zaFw}L`i908P^Jmp47;srU$~GPqN5Zdm^dyV({icA_>pF;p z*ZhwOkp=Jff;Yzz)I~9GP7C$dANGZzgMn_*<|8Vo-)B1Mp`-8fMs6`AKQBpSx3$MV zIb0qIv&5P)3jR{8(a~2>Eu;dwnyccn(2_>H>sL%^5u}T+3oK;<(n5>t@1+9S1qfTD5VB|-*K3BHTFCP*Iuy3Uz{;}tkdbhMUD6Mla)RPgAeA{ zgK5J0FRu54e+h)Agbt^K^{0duj|rw5Z!eN3oIhj<{hoAl;g8V$$&SiLgQ@HGokF#AP$bPP4;Z@Gf zWs&Hd?4PKOn}WoTeG1yp`BDz+Js%TRUH@G6bzQ9<`Vp1T7F=6PaL?%5vc9=70dv*I zjI?D@A8m1c(7a&!^6TK7@j5|J>7U!XG>EF8*ZuV3$t-Na+x~YoQuN;Cikp3WaOm^f zxZvOP|Jw38!uCJ66Z|~hbm-gmex6RbvKWb>AF5NItbi68vtY~TbT3rh#9YM6vBMG+ zMRm!Tb50?68;TCsu$vY%!GhDUN!KI0q!EVIZ&nF9vd1a0oB+vwDoZlljyIj;@byfA z@v3Rd=UsQl8+535vr>0ok|1Wy&&2IC*JV}%Yfn8i>GUJ@;73j7%{=ub#O&1Bu@7w1IseMWq%N3aF3A&rsjTKg@ju?0vKZo4$|Ky z#Fu%^U;e}h_T#DxU4e#~S`zU|UrUJyuksd@$gJiXQZS?q9JB7AIK?78dD` z+UcVG{bJd~${!uvW_f_f8n^6;pRg{u~?HDAFsKb6cHtgM@KK1HG=Phzy2;iyaO9G@~4BC}2Lvxg(6 zph8H0dBeIYjCt4Y^pikph?DC{dG3vJZ3S}@NL9b?v4~*Q_)$L`;PBGsPH--`HGU%e zB{=r2QSR&h@Sx53VzmXt909pTI9EQNEDAq%cdB-PUQIopM8KQB4@5x1Ltw~C%A|X{YpZ zf#TmL%LkpWKRb(1uK|?#P_MxM-t+!`7qj%05(Owb9+3NXYySk?Sqb^*i9>a zc61IoYI!~X;b|A>WeUJf&@gGi_DMb4ef8YIn>Bry2wK*$#f@cc}& zcsPIN4@Ko8_N$07lvU@QYLsm^{^Rh1*Cx z3#S@>fQW~--v(5P9Gf2k#190ddd#q8b{2fm(Q1^W+y2KL$q+d?sLNt6%ZbSE_+GvG zVtoMfEHfd@lj9xTBSvn3EtSRnE9>KEln&Z`#t2)^^E^r?*_J5PQK}P7xeqhuUuZ`+ zo~lnBf?L0b*P-%PR@pBoYpXfsL9Xv~CB%Ke#o40FXT(nP&P)gp_#Z?VTUOeWM2IyM zM)H4VuDK>vJcB(Hl%V#YnbaBDCiIC^qW`J63SiRrvDsu4Oz6(Yg}>8mC!Gru97-Y* zqlr@7I133950U{65T|yiiUSo=>@qTyqRjGAdl2vCgbJlBYzm0(FS~f)DOA|Z-;**2 zu&c)LQ1a71J*w!+4BbXz=2&0L2Y0~(H{Ec+4X6WU%}>+5=*bdYSGN9r@$_J8#_m5s z9Wp(C1^|Yh31HmH0jvs=I|slky8=SyayqnAN1%|W@WgsOS*n2$Y4GnZZi_zefl_E~ zu`a`cEH0bR6Eg#l*w>2yi}Ka#E#Mjdw*Q+F@aX?R(u=AIy_9$0SJdu8<)eRt$>B61 zNJ&H#RAFF=4}U4Ur`4Vt%NXpDi71E`%IOK0G;xJB2`tl28wJ6E1s;BW`qg>aL(GO; zIRvb$Ni?2%{B~u59nMJRLIpA328ov_vC;8xJ%~SG>A&lPQ*-f&I-3Tn(Q3j^)J=R<141W+5Co<74BdJ;q)sc8>qU4l9KAPtLK6~{NkblBS0!T+3ldyE$E9xA zxiU4lIBxsx*diz~(2F%Bq2WT4#vqS>!HV)S!h|1U%R1tRaS6XMAnaAvtN+~cQs%EK zBwCLgW8M#XNp=!LBlg0~Qco*j{=GnePwa#zinPIQUM6YxM|7~(^v2IA6Y5(!wnT_A znxI7$-PLHlvV`UWH`WQiWZcm9KhXNkZ_Flmb>&@yx1kah$0 zh0YObfd(>j%hwA`jN^xh;#VJ4?S0r)+mTlS;mt+qR=@{#Zor$bJu%kkS5*)ee>Z1KU6AiWpd5(Qs zBVN4o9hc(Txy3;EbK#uXiO0b!ZyUv#*}2ZczL?H_L$z8XFx5X$*??Zy%G(`oMFFh( z!3qPwmX$T=%HKl)m2Q)RTco1-Q=yD>eU&A<_3K1|Qkra^y4+;h5*=T&d_M2iAkpea z%RczN7HXd5Y=YUC7y_2QWjX4M;W9$1PTaS~ENzSdY2jgJcD6^c*GrgpO>u1QCg7fN zZ0Y9RUsvTv7K6 zU&;;{EvHNaY*jA|ThhxULY(wHX=FXLTN!swM{Dw`Z$|IeEiI^c?V#cJhqdKk^hpGx zxQ_s{ zErV(IN61g+te;LbijN0}2cm_A&c_zV3kYqKWbBFUMx+)(3& z$a4RL$y)BsTLbP%DIZ^yX6^OSXWP$?Ifhn7)<6Igf8b4XkPguA(VsIuDG|BUY=hfG zdf$8vB?o=G48)zBAPUnnZs&kYLfiTG7f&15wo}~1hIzCLpS!` zr7~#I1SGgQMI__VrOG(dYV@xu=;)k%DikJK%*8>%GGvG+Efc4G?>{P-ZqA=&)m$xL zx!)`uVP0y@H(%Psg zMTuwM6Wm85MW_suwdLzx++|{dXYwdnq;{lf07X{S!AFAIfi9?qWcP2fEQ>`~eOt~S zM)=#J;=5a(ZRG*2%wuUj$~k#9TAj%u6RqoRM>7M>yy8a@6i9ZV!x`pIC1lqa*s@l1{(*Fn=Rz1}4%%|>g^?hXN@^oW)xH<6S;(Y2#^3|5%tDBLS z<5(4DMsp&WV@Uh@7N1oIsbdtR$C9P~eSY()SpQ{H-Fw;?&q5pIFcI{ped9QmMSQHS zbZLxHxXHgIbO+TE3uoT()`?A)9(Fo1oe!^CH6w1hFT8}$)G(}(mu699gyu}>^<0w+ z%cQJeN(jFl`f@|?XOs2s6cW{4rudW|m}TqkVffFnhVSnRO=~OWLnPW6)5k%8N z$a`kU1=gQ_(({)qN$LvVh%FC(xr6K)Abq69Kczy=*l!< z#YKS@s}L)%nO(cH0?(5AT=9fj0A96kKumWWgAbur$XlGhbp{Z zQtQhnlfsrlB7{s~;VYEnmkH}C@FUqK{_hY zX!U-P#%3kFCzm`=wItX82jk~!e=?)Jj1*77wk}WoacF&XJcn*nA2#B;N#)vtsPIoT8%BUJhimbDeOJ443uu;DSscQR9>?mrv_i1)AEFFaOE zV)L=VDY(!pt1J^{JszEGKk%%OOc!hNEc6l5^c|3R>`;y##yP8jHN#cU z`=~*6qsWr+j&7+d*-_hoxfuf|*OpN1# zcWl4Nw?)j#3p8H`46Y(sD}$4|%VIy=1U!55D!Ny_^yTyUQ~+Hl2}yAiGd*UD(WD?6 z&pxLqrN>CJV!OUSp#0m}{n!_)0x}hT9hr#>VmOxsEqCyZzV)u&ciUs-q7VnLaoU9u>B0IAzP(^JeO=vE2!S_Gln zI6ZXcmXrMZjA{lhn?l8%U4}*iF|*TRU~#_1@v-sfLp~*!U;VaR-=5jIR{(1>9$q8Z z49;$<9eCm{Ioi|+_MhyZyNmcA{{gvve8zw^E_Yc`x;^U9-vBLcrrS3wnnw0-c2B8i zFc8*SN|*R59PACXlkL0`&1DI!cv4G})!HaD)5s=Wy+MpEM*+srF4%+EgYZF2H5i*w zDJT7ly1vyjmD=Rm3JV|h%|*-AQPm1ptXIvmdF?lm2+x+*EX)8g91V$;L{6^4p=PB1 z<^bh%cB3ml*YGpuJo|z;PTc;r=x0#+8YsM4>Au$;_JJ?|U6}mVd8=G}yWR5|SlZDa z7W@@9LT^j{yGgdvsI*nwj2Xw2#2oK?f)vV1Z(w5wJ|#MsqL}EleHCOcm7kPd3Y@f5 zMX2e`;+4c%pF%XqaT##5RMBj!pFk(up6mfnver9p|GP0p&9gCx@B zt}qSg$zY1;pUcZ2dq{6k$b&eu2)>H~g2DF`Agt^u0RRCBQdUbk?{w5<YvbOa|V@Vl!yEK=w6+UPZkt2Hy^ssPfMyLmuO3>73CDmwkj8j_3R2p<@atvV= zHQ}@-OFH4lLc>);QGL%jyun7bZ~vcc!U*Q0S56>sK0f{gSCo&}d042$2;0DL=$7%S zC(137;&{@UNj;@BI;-9IU+$Y-VBkM?x{!=HK|qz;)#K2YqNSNwA6r`k4lO%ybb|jBw(@X!xQ3m7(x13N_Lf9J9Xgwv+5xHO)YS zo|0Y+Bw8KBk@wMBZgiW9W8vG|`x7gM9KCF-Z$3}~f~`~qMvb-@|noXMJl$V4`TUw@)g^d07 zgJzFl$s1r6G)g>}DV^388D2%-1skeTOJyd8fd}SKoH8BtDx$2T!;nV1yb)bf@g(8W z+KNdKD`qM>M0z*hco#Kn=4{QAmY12EZKyTu7+hi*e&pGQgc7Olc;lCuPV*Koltpd@ zHuwcfcDqaTBUW=shEVtg2q6{l#Y#d`y_X?8t^qZ5w^iLvAC)F>pdA48L&oxxjNd8_ zG#zzohs8RJRKb)f^%Qrj2`t&x&RdK?epIl8U&Yd~p_+gm+`#SLe+!B7<_^!{N)xaJ zBz`)kL>Q$faZA&mzvjL9Zon*S{o51MS0-I{Mlc`?xRD(hEtT<8r_=>zq|kI)t1^Gd zMXlSm>d8*1$JKsF@+8ZtH%}J5B_z4>aFf7tD{FiO{S8z)4*C*&eTVXudssoZUdt?On3 z3p9gvW3`;H_)DNP0AThW1aZUFAz9JV-Rsf9jJ0seu7XVsnT*I6_mk z)hK%)uJP_&J{)B`ZH!a=1pD_b8%8BM^Cfpj_|!98^fvE0SIKvb6W_3Iqsa+tCHe0 zR_&oHojMRE;+2!99FX#N_S)b$(n`a4pd}jF!8xi#>$M_79-UQ&qS5X!vR*{n(jlgQ z0Fc*Ra9WFRgvi75+6{RS@j*n0Q3>_5grU$F7(5HTF`;UG_3KrZqF|VN5#Fj)v{o#6?baY)rYmL){0Utgv zTrh~2ndO8KpdwfzimUr$Va2)MEX`LEeArdDX#`o0d)Wi)P4;BG)qrHV$-Oi5F{XKT zXZv%dhLzs2+_^9JXs#=SuV)lk1oN-ui(k<}9cE@c*<0%DCjdIUAXFVEI(YC9XoIl{ zJTsL1tj|>XTejQ>bp#}{%5l30fO&TRn%zC}c%W_55vJ{TZR5Dzb`N{BtYk>mk6jo*Y zRtT9Cee&5A{!!yP00Cp_>SL`rLJ#xc?3#;b*3xQk13&=0f=u>skH5B0j8F#OcM1WVy0o&UxLET-O-_qOj?vVsLLK6j_ zVkB-tm2B!L*qR*|4(CJV+Yhb<-uQtg@Y55{paBmhsoW{LDD7pCC2up+ToCL9d}B6O ziAxsPBv_C~!w2rr7%eM1ZK%Z2JK&R>|EVG6*KB(5`K~RH(yECc$Q!rV{@S;D;E@gd zJq_GG1|kjsxuFkkh5)dwS$|Cct&))--K7MSxf{#sm9A=4711=CSyqZ^#q3u&&T{iN zU%xS!k`*XHoVB6Gt7@_&QR`yO%vA!XeoPVDgwhhvAY}b@&Bx&9bXBOaRAQkgUBe2DaR1gmu3dW&|jS#PN84a|mD#)BjKkARl>;1q69`C$-5d!?HRRwXY3WjOV z0Tm3qMB%OFCc>C9FESWUy#gLDp8@l|4a{$r5JXIraF%YCZ+=?Zko+TPu6V&3)!C_v zw$cc{p{Wo+%FctWoC{0i$?%j0+xS|Ud;BqjivwKXm(;j3>Tr3PuOi*p-W|>Hm}{Aj zS$RRZRXxB>ug>@`p^reXv}m@kgiW7^n&?`t-8_5@^F@U^%1=;Eol^xwb)7{cmS@tR zlzvo&P_Ay1->V1`32><~}m zo*n*CsLvLh0E#@-Qb&9Vt&96`0saAfegZwQO8NRzx#+Ce@XwoKV;s(oQaB48GMf<6 zaEEbH$+xT8IiZ5TLGN;rVIua%8+ zQprJml6jHvANmctv@Xc;85$@5S}Q?}lk0*S}{7YW=I zznS7};Fgkc^lybeirrwFLXREbc4NVNxsJBk>WB5N`Sw0RMGfI`qRTg(Ho*C8*O=>D z>{|ZW09A{1428Q{8_JgL9Dsv9T4#BX7~u zV~f@;N#z=M=;|=-y`vN+(?&T%uW^b8Sc-Q1r;VYjS~)&L8k|#HS-FiIFdTZsm5eD; zQi*Y2;tN(ntz-@sb#Ar&mo7}!W_lcToxyn}mE$7nc?7;6rNwU?4>yBQ5DzyPw-*mL z97mi0H%5r#^T;O3VK$eaVP}#iG3JGloyw+R#RXHDr%h=_Z$6do_{Y+{C{8?%8%|s6 zWeFz6Ly+0XYvH1b)H9PvT>f4EP-Eqk+t*%5xEL0qw$bfD*9|3UX9OILc6CW3|DZ}1 z4q|&qpK2}D;#gK64zOq(5zmb<;Xy-uN_+F~=Z4&Z06?kf0ql>Fnfyh2b&4K8{?j>( z9|z#E1?X;$<6B|}1-~S#fgwJTI;>U7OgrY?k+SKn%`!2ee%&V zp_(-zRQH!WRg_YHs!Ozky|FEsEB+Z2HQhhhi1?GTuV!uU%<~rD6|mVV zY4RA$FsW<;Elgd`&dakqHL|TunIE#b1d8|xp%H%%8qK))O$_%Cd4R>1 zsMgXjW)MIGc%>!N1Vql^HP<&tDC&uG1o&o))Yb%Nx;97C5VrQ-7v>@%l8~#epj<_9 z2@|yavo%M)v^;|jV=*BV3W?9uAHy-v<9N8T-DNJKQU~mXKl%&XsPS=&`F^^JLLW01 zW{=E~y|;Q1xtaS-r^I{5FSUqyBKX7EQZ z)F0ylAk)-3T5P`<)ai8LikqjivnQWB9}7VO`Ii!HY%&gnk@PHJ0&IRV`la`<;XdeZ zOVX3f6P^uWoZ=snv+=XAgUYo>TRv1cNs<)SDA9SBKRIxYW+30Vl2OS-D0dNJjKLV~ z_2@ip9ziC~2Wb(OUWRC~<}7U9ME*wF= zwxQBCNBxkyKf;b3d)%gepd#{J>|^)|684~-2lHcuD4nHx&zQs>zXjS>A-?+RSFX*4 zdt8?}J5nX0fkxOX=2D{}5$F?Trt@Z8Cvc0{YMbEp`N)au z=%s_N!jyCUSquBI=z#93`8UiiaA<1v=mdC^)3EdFNorST8=PNxI`g2B|Gb0c&B{fw zh2Ie{0{;OOZUNj3$o<>*q_cS(5;)>0e6u?A=p^(-2wBW*@xdva*nZF#kiU!HPV(^{ zuZ#Za_lF+ltM?#%#DCYxMx^hiV_@ut*Vh98=qDEGYh|<--+RGtC%XP#i}n1yHtMbS zprF8k(6t`!6`&L*0-XvWj&TI|HTzRM`Q>%$K2Zk_8ukk=(6*KUl5r-VaRPtGl z4Zxq$m?S1Rfa$?m;2d@#Ho9MvDB-a#fR-5#uGH)omSB6Z(w@Q$i!MnOCBn!=R0LNc z-3JJ>{tW3NnZWS;!y5$V2*o5eiagc0mI%&7l0MO=(qrw-SiX{VU z4e~@S0cV!MWeFSahTK$@0r%a-qKX;X9IQrWXeqZsw8RP6sG8uLKmsyk*lo;k`7EZ( zi21h;l@i&(!}fQZ)W&7l3(-N9Y~OaBWsCVmO3h~my4vED$8d;!=5*Fo-?c~|V4#Cx-*VBDP0wArOTPY@J=ZdBn^&({c%ksU2Y;jt$N#cXS}GQ9bLPjZQ~Zmwtg zShxsgMU4(Ff7zC#8h1`EKX}M#8N9pd|MRhWWqCp(I0t-8nh9^Wf0Q778~I-ZcOR53 z>r-`Y)+tgUID(1>U!AV*C)l$DduLVcnG^L%`^$+nDLc42UoTyow_Q0qtYzQ8cliWK zUc6g(bxKm%elT%5MBM;q8J9h&7Tdq3a<0ybE>|kVRyv`Nf%KzP5P}yt(_G3%qjwYTta_ zMN9%tlf?Fr2k`z~t=`*mCE!XmrEjb9gOIeT$F^mZFe5wea2v>Ipp=wg=KndBmN76@ zN1Q5NT;tVOSw5RCR>-23_J^w!2}587Og5=if~lz`$hSw$Iw-A6Nkly&R0lx;lcYbV z!s#K6?n4X$9_FMjFg63DWvD`Jk_5ZjLadXdswh~48mT&||2)|71i_k;xKoK#M;W7@m*uPYuFN`kyP#b z14swfCqrzrU6FekF3&m^dP~x?HBkYXnOHF>xn9UMZc^ zP~|~r4K_pCn~@+`KhOdQxFvkiWvxk{T!zJM4VJJo$8tvcP0zi6V9po1$9r-cj$xQe zV#4-m=VdX)9u}_Dr&JB`Yg!a9wMufbqE3mZ7^dv`b6MPK67v#+)t(p0vf#zrwU87b z7jcE}X+I>aiAV|V*3XKOp7uj`6P-Ud<&1FdOI-227-`6-ar30ixU=^>epsGBzBIbX zIyS~8*Uje&X0mZ0K8xpib2iYYaG^;}Vfn$!s&$sok<5Jc)QeCQ5pd)_lD_-0s{B4)jg}QcchUjp^_&QYHBHKye~ClwQ4%mngp#izkPG<>~GsW7qqr@iQ09wt=-AW9pZa3$0m{|DtzN=!Ow&3Te5!L1@ zQl*7clskTLWocp)-kXQ4QG3%Z(6Cede2QGOk4?Fd?t2YnPxz4ha!Ur5$Os?w`eVHl zN}$<23qH32Z*J~?(*w8Df%cOD5s5&$!GAYtAhbnQ_@Hq}j?o?~G1-*>T*<{-^u0@c zsHbpF>iRRKt_f=dVMuFfke8hk_P|Ha3HUH;q!5<9@;|B)63R+7G*yrY)FpnBvGuJd zm;iPz&`n`~SU(dPs9QykySb{OEONW}oLhYEqPX=BF?wpSf}wvXLl$rm)-j>MqVwx4 zOPxJGqlv&e4N!S&=UjWp-nuEzbjWQ+ai_8hFgK0jOBSVjyi}B8R?e+z>HBp!8<1mr z1EJG9ac>n@y*r3V1y(8u!H9gTTi|_zLh&EM$j9Je*Ugm=oO{wm1FR$pg-Mm6w~m%I z0xmvEbaU8bAg=&Nq5Dz=`4zudi}0L(eJ*TtfYtMoE7kH&0EYy7?&OAoq2TpkTMrnv zd_(&ikTxy61MMj*ZrQU^+9Iw?Tdu0B*|)?Xt_qwBrcReX2S|!UH|G09isD7ZngXHR zyelVV`$U}x>#O)jqb~J&{-Eh2oGAl0H8_VMR<-HK`172p5!jp|(r|D^xOa%rf76G3 z4g};L_Q`zDSlu71aE$i~4G_))Mq6HY3iO5eV*G zpXYawS{_OYf10r1^5*5_C=kA@?mF|6{#-_-ill)Cr;&)0b}R=4Rc|O!qisOV0tOYh zcLi^}O!Tbz4MYpfq4|?$se^dXe7>~5>lbCEDJXOT3+6{s>Kd&+si9((R7P0va*ANB z^KWca$HCaYq*Y6M>G)Gezv@RTvUd2`}X6KMQhk6@=jd z7>-DYMk0d0Oo)pLO{2DLRc`D4jPLx4EzFdwdM$Sl_v)S0W89m=Z2t-cxv|PFBK5ET z@n~$Xpnm-M%nrTVwfXwY z{qRouoL_{!9J}zGlojZT>ywq|H;tyRttKt}cdCc`i2$NIosj9I-)6A_T^=UGpjU+v zCf2hhiOQgxVj3UuD9VO+g_mBQnzsDDdu|;mR}{Z*lR#lJ2utG^61^w^vDT;=xrXAI zu11t@V?7z!t==+(v{Y0OTn0@pT)2d;6P@R)MjvfXL?zThUJ7a=`i%(1=%DK|^=p(z zcNXkSBJ&j{OT>Ve>dX`G#z~!g;yQI377MMDH2tx$;MT2;63+kPr^^N}b*a~hFo3wU zsltnmZpygfZLlZ1y(snZp*z9i0eG(djk=!c!f1edVnRze54>i0>|Vj2_#oVZn3%qT zQGbLzxWuo5KG4|Q*GcIk?l6d%Yb;T#kc_=!SU=j1`yH%X;W7MJA+{<@I1|TZOK9*u zSGb^k8g5~7742U^tQ^7LmR57#{Ynu=*xCqb#=58i*k6!`T#U`)>y@b34A{YAk4{UMeDnV}B? z@<1zU_4U(aBuk^KxZFe>!?)8!8ph)+!}iWY<3T9NhV(b?>%|dCHhQ9bYg_Zxl%)sl z9@wVKl^$m_WXlYOJrm=}_+dv*F;!EgbbqAMD`@>F`CMiW#H8jT)0}kTiuU0FZ5m8- z7-Zk8`@KcV-fR1#{Pi!kBhrNDvhW4Ok8RvmEO0kC{z`e5;+4_OFCS6F)zJx8_YU{E zcv?ukcQ4yDK=h@MSB^*?cY&|>5&*YGyI?#XxM837FPHoO09`<$zr_RiKSRE~DK_vx z{*QL^e=JGe&j0$m{BHAqxB0)@{NLgEKZ`K_=dpoKJD`;g)16aRpDNJjsyiS#m_%KD zdFwOIwsC5DPj(w($2Qtkh?wI|n!7o%7Mii0ao3XMVR=pB=hA)ua7o z4;;4M@}|wNotDsThV^C<^$!mjh3EX(BN*={LhroMuZJMK9{I{HtfR4tUL0h&u2!L` z)Y%rQkKHL$+~B%=+W+t42Rre9s;H=tNEsfrfvlj2N}wQCL|IV9Tu@!r7^hx--S|J8 zp&7y*|3#2Abvys#@A4Zq_ETdJ(xRdo4 zY-hv=z!V>z9gR{UFwCc8m733%$w+%$wkHK5Fh+Z1&o4ycgwLpJ)hRVt2vE4$s7qd| z5MT*k)|PBn8-U-hb+UpdGiyFkFBly11@vk{i^O1U(x(e|A%GPMLu654qo}D~Mbv7} zN|A`LYW`UkVaOSm-at@#|MD6jgnA`iY1|y60_AxP6+{=#YvnXDU9|3jcJmqIrCir zr*NFWFdXN704Q~2=Cj5ez)6Onag2u_t5R94)>R8K$E{eb6_tmPouoIU` zt+@~=SF}+qtuXnh90ChrqDf-f_SfedLxUkOJ4F|gyssupRasJ7_891?Vl?HG5o$$H zeI=4(I~VX<#Zu~0WJwJHKj!x-Vzv$;Rx7HwszO|M7H!kM61tLlqf(u#{uDxxk?HDq z!KbL&F)P68a4J+TtiQ1H^)H_n3~@AKI-+Z6ib@%R@ls@ll=9k!YY&q3 zQYl$2N!eBiOkewccI%P#SFXQ*_0x^Bzx{IQ+OwNKuI_z*Y5mci58i+)lozwDY)OPG zU<|&5!NP{dN}^ZpC4;LfluFfRQkEK0Ni2vljTY#+=FD1iHRG*SfKDUFYQ1Kj4gkbe zF{}6Ebyxy8jbjv#u{7sHNnS%^CygO$4MqGYL}7cEM(CTn@wMT{t%@;Q%?S}kd}E~0+{Am;O8RtpstG~sAAHV+m^>_Cl`qf&-?4%9&`sX|6-nsV1mFM#NU%tHl;P(4JTzz%x{V@aP@G?QB z9Z=UlVs<|K*Po7WJ;j`m8yhd}y#B=Hi~H|9wfW%sX{(QDWO=P+>t^rl=k?tuzSw;H z+KZL-H@2SLcz^rZw?~X#R#Fj1AKHBYfVCX9L(1?B&J#GzkOavQ3ih`}7M8t^EMkQ-!4^R=pq zZX~GI2pjjfpt;8MM1EGTE<}hBn3~VbWX479q|MG!%@9y1Wn8l*IRL}h7dh+3Yo9<2&8F*1vHh=i zwqLuj^~R`mG#2aWrmdss?nf`}oIQ8%)wlk%`^cv|XTCBZCMw19>O#u_cmDc=whM%z z=WKwszj`>c@&3-Mr|yVuynFda1I)x^!AUiC-~V{$@i+E(pp7K8z4Mkb@JM{#<3w|nm`{&fg^;Xc6kC~D zkbLb`ePJ#!t!+S;ATnc9k#c^~_9V9yS6As_Ra}ZNw#P(sT$q~CD6L+SIbZ?P{+Q(k zYxRkURM7us$5)1_re1tH0K^hmry7W@vL!yN%#`YMW}-RBwL_#v#@AN#e-jc_X#2R7 zDon-4noDj`qRD84D%H-4<`w92scjHW@C?T=9E}kq$zYIWl`f!IpN?ustC{<^XJ3Ewz zz);4cnC)sLOQyxy1xx;G^IZ;sY9q3;+FauY^B&F8B_$$+!032~ccMljvnlVla0)XM z&4pEJ2(ilu+Q?8%sU&kv^BIIvRK&PyJko|&E6Rd)P0wX98)2Xv>Ia>Whi!iYcsGl( zEaswhS*jFL*`k=MYos7vs8r3zu~ji!hj*}!W9T!nk`+xM1AwL|6^g3H`Lj4lQ7p+K z*}yQT9Ht92R>LNo7Ui-M0+o8H1h1c5xS~p7yI#dhagkJ~*wNK^IG0>fJt%_T?>Y+$ z6D5yZ8<)nocs2y4s^n0lz^`bef+17N>}oU}0@^VR<5Scq6#_H-Qme2)sQ8c<`j4iu zi7^-Q6AZ57yTu3T%JGS+HYA*9&AV`_yf##tkNFG@#^jREdB)j-37qQV+)XrHh4#rwU87sS)%M?Dg?1VGD zG}EM&c{Y(Wp^2)BSM1Od<;Ah)nj6;CDJqwrC!sz|V; zKA5hI4k>7j3n4H$6_wU?*>5$ zkLL7$jV$K%e=Uqijn%jk9%V@`Lr-~X{Q{bFLozhRGo2K40i32dp5}0t@zT)oG(poe zK@lA^bOgr}6hZO4hlVadFf>Nv7*4uK$;6x&2^g!47qcxQ+jQ&Mc&78UXD^u!jiTNq z)2FG$CH+OMJ*prC5*#fcp27?W2?4|>RHamib#i{l4JFmTBo;rWR-&I&F zWyGvBxwz;)hRGbqWt%Z)|E<}oXV>e`UwQoA?N2}2xVZVy_7C6g|N8m%g_C_-@BDN7 z%y(Cwp4>V4=&_B@_a6Vz9MxjiF(u@c)i$y~MT&VZ!XU5ZyePw3n&hTjgkjd82~ujf z%uJ;54!rXG$V^4xI6)V7;!D!RB5v$F=Knu%($=$P$ezrR-^lZq6|qv<8r z@he0|aC&B18C{e;Zgho+hCp;;hSlC#EJLI^7!Lsg6DAjh#fBy#iP-8&xjGpQfkcMZ z#@s3mPsKu@=5@I7RUFS^D{bs8;}pm>W=J$S_vC`9KG#pb4ewzK-CHH))UN1qqd4SL zGfrW|*!01yGOn)lz$OoSaLHrbai&RxMS7M7e}U?95J)H z$ayiuqqS5vT%KKJZml(%tikO82Z_(C>Z*Ppa2 zxmOl2o0fa7Zoc5xW^2}qLYvah)Ev7MeUmdtu&LINGHQbkAA=N^_Rb0eA&=D=$Z+JV@Z-@Ig+9nn&Aiz z8oF(o36>{Wj^bF7tDYRR zy;af+om659IRIK;9PjgvfvIZ48sv%b({j!Boj5R4_@;AnvsOnGj>uV~Cud;aF_7L7;EJZCS4as^8FFu-?6-J63 z6!IiziuMHBCYxwaVU#Jr&o<=7>J8t5x;lPnDa+a}HqJxyT+Gi8g+PO)Xio|GBO&rhw)g?XkY0v*6Hmc}T8^>#CA<<+ds z&4`_dPO6ba-pL8zJVs+IOF5j4wm#fB_wL>ouXRF40^@j&V_DpTjuRNqFf_-rxHmcy zBuQa3$B-WANNAH`Xqs~qa*Cxr)Di|#97<5pMFP`OJ3QFtF$8(PYIXwky>)W$%q!O~ zT>WwH;um`_JonqrukXBbv2g7vn{=$<=#W$rm6oE4Wf!*USWc4+OW+*I@I1p}JV`LD z2MP3K@fWhQ^jea0s6ypxsU%ejGqoIS4^CMt}R|wVij~2iwp6tGWB+ z)0=PpyQsPs29GiLS4|w}1MVooAojJhk=c_N!-hzdX19@Y_4Te3u{tJ7-RAzw&e6Zx>Jg zWB183&?^A-2yc>xCigXqVr8bH2&$yyVK$-=*gC&??(X$h)xD>_-~4Lh{k=19`T_tJ z=eOds;AG7q;uOgc6iw2k%dB7w61#r(%E_HC9=iV6qI(po_aIicPyKTBvFmSK`FZcb zk2?0RW{XgU8WUSOJz&xV{O{0;+#Jf;2Z>l{j9|D9gWUV@)ZRDe($`ricZovBMgO`7}@A`8)?|!}UntOJ$tr^~Xg1aYwXkPna z>$$}Co4;QEX#3Qq>rd`~bMENo`Ry;C-GBV&$jrZa=o*m${@dpUqp1jdpSO%UD`Hb1nywlcxlh^#O>JCYG?BsRUA zh&gEM)rYTrzkBlgjSK(W|LKRT-(EerbMDcrUv#3hEKPDGheK-VrnD4AkrYKkU9y+p zg<&Lxkp$tXF2-5y%#f5@T|788+a^Oz4o(j?rpH2{I58g`A5LiZ<8mtml*VCh|J{ck zTNJN-vj4`TS3kScNAWmLvUnRSU@9WLFM19m7=|TT zo}_t>r#TiKNsh!Bj3XEf<1h^@!+T!9H7r$3G7ECOw+ooy7{U)^kONh{MvB zghTKy35TQ2E4a1T>iK>pDVn69w^CWEM5|>%s%X1KFbu)5kQMd1F8qEsv0s}j3{OYA z$^HJN*S61oef?jT-?6AVj{P1cd7anNuge&U3A7d+wTFCJu}%y86f|2JKg$W}%9s1^ zJ#^*G%~!5}nzuDTp*SJilK{v^XKRy5=cAdyIa}H)m5=*)EajZ>-J%_OO<%|E= z_+kHzFZZ8+skL=sV*lxv_Fw&C@5RU50O~6x8TSNn{ZyNK0?pDCgQVpfUb$ABPzUiW zGwHo{J0JeE^TV6}+rRhRyT|@^?Xm4Ap4xovfBJ$#Hc<;)&D{odd-WS^zlEXQU z!3Z3`rG6ehW0;;iP8U|ir5`us#d@jK!H*0D0yqR2Z!rcg7_(qgS1;9D4X+pivC^=M zsg)RK7eR|d`Qf!(!+K=-WOww+)_dnuS@VIecWg*=`Xjezxx<4zvo@|jHq>%MZOzTp z`-plkxA=L+e3_FPk^(UcvrtPmOZiV1nnOmgL*Ai1CGcVjNQNVDiXqU6=oF}f z(-ckMNbGJ?g)$6JvpB84Zs!d+5@RreqR{(x-j2c;h9NQNNZ`U+!*ej!BPUsIvYi4a*kY@i zDRqsVC~Us5@!j5wr+40ZW&h)^?%e+Fk?XJR{rv0hr{DVkXh4fgRD^YE5JKnR9|-(f zsUXycZO37z#YPo6(bll0*5!y?NKCAzY_0vc-|WNSdbBTX26ZB@Hpv;Dt)YmlcFX$J z3*|W*$b>k)!ml;rQ~K`d26K9Tp;AkPGxn#*Y%Yhzk^0oKyI)~)iB3lb$0|11(Yc{% zC)i>4XVpe^bYdYpwa9iD?zQjl+WzQYyJx<%!L2e=LNdxZLCf)K`(T%_A-pNLLRi$L zc6u{5$*zgZc9Ij0ak7ivAi^pdRz2emlvYC^O;sA|2-b>JM3l;bAyI7+0uiO{tWzr5wqpQ4EYj{xl@e*`kmiZkalMZPy}6-T{BG zQcUCw(7F&>T&-_^^V;^gZx^}{DGDbTnxq*o8b#1J#Zd%Dbf8cK)U+a3r~~B}l42Q* zCkc|`Ns7jK24^}DHil+7p20bbK+i-LM|GxLKe>+5Eg?X&6vwc}@@uQ6`x?>=&hk7- z+D-u`8*yz$Dysdn-|fHs#^p=N_`%kdP;adc;V3Oi6KQOLJc2QrxqoqVW6FE z@CGzWcfP)_JYU@Y@%8Ix{=|*%z4H9_xnDLPq4qxc#C1o=1vz}6^IU|iOoYwDjVY_C zStZ%k4{g@%goelH>_Tp$>7gH#8e^6lTFrJ>`27yQG%D>0`jX-VNisY~LH$K)|(_<`Gn#+`$%M+G5*27~gIyIjV=RKO}USsnjo=p?sdR*$z23pSx!bo;uDeBz> z&V*->=b>(e*XgQhexHj)6GbUvJhc0fm6AjgPxtPQ+klA?Kqqh9S_Pw}@hnXu^+-1_ zhsk;UvA2`M_#i`-)3p|IYq0q`3{PPTO}mFehmd@?N-mvNDs%`aw0 zs7v#mjAhI5wM=x#rsu*B?;Ctm$}bCgT9nHcH|b?WLcexX68Z%|jITuMj4(c7K6B{& zlKEt0xRFxTHgyQe@;pOwJaf>f%<^)cBXjf?DTFC^M=Zh66ocX*ZcOdswyyQA_mY;1 zcyTo2sX4lGYV*VB?vGFJe)ihV8&4jf;u@UH57DcGj%TD)r`#R-dD8FMTXf^=J0I9N zfBxFf?oSf2oaYzozeW!jlaFoc*8Fq4$Y3jm zUr+n)_rCm1&xviHdEVVnoMI{qJiqGw!N}e(kL*47_THIiH!p6#^U39}{<8DhNjC^? zRE`XJ>t+4^0~WG5YtTOjHV?KYb^Pmg1RS4a2;BXNZJp!!hSx_!{1WYUOsb8BKpxA; z*-CM?7n|tef|;OWizAweBYOyDf~M&nVwot0Yx5u;ZI00sV`(7-=H`3=G}u@O;00!M zu$wzoyD#wkoaOMFj3kv&^>7Iz7MHO`y3Q;|Z0H>VIex8d$kvuqu(5WAt;hphdD`jJ z9+~R^#f(a-N-{BK%^@veE7r^KYJ6;n&1S|+S*r=Y3_XWjlkAqBgOi9w{jp86+K93v zh8WGJrt6h;%BzQwVsj7NyF&wE!pjcjmm$@2?qyz{M2T`q>n1Eruz&j6my zH>SpmrRAC3k6*a_&Gv9jQJ7MPks&e{FcEHjoj zp(dBuX*-CO!O5H(#Bze1se6XD7Biw()N+`gC6Z9d~qZ}5j64(Y17_wIL7lh#d(ME;XF;z9M0lB z_`~BgjqyCqU=&F(96{5hrxPd5QaH!-T1W!tyB`BXNqrS%$5i(rwHg_s)t3`J>)ye^H8fyaXjXMQ!w0t$2z(A;xt2H z8pcsQ#8@x{&5;~QQ#7XS8IO7S2XP!nvII%Fb0jcyH-~!vg5T~y-zk#Za{j1LgGm@U zhV+fZREt}7d2a~yxZKro!|xA)M5f+q%rBw)nTVv%{QVBzYfSB>8WH`&gItuHw5{0C?%U*NgR|>u@M5%4q;QSu+r|v-s&)x;1$kx zhvdsEgE23YuPs(6fH>m-U|XZHPBxb1>G@^bjUUu|Oo^eag>-4vUnUd9{bc!QMVxfZpyqIS@7ACO%RXE2uMFNvDV~lm1jE`e|O$_Z~K!oo3C!Xy!*(R?T4RR zxPD>a&sTohdH3hN3!h&3Z1<7JJ7o>*40QVYVI)oP3{TNGf#EzsF@#}Po`e}a zI@^}@k=}hzaO!TCrWq^n?z6D0iY4R-NE9Y5>>FFb$A}Seb$r|l3HRRqbpO)VOP4>v zcAxrm%!f1-6DW2qDzIfFK*;x}wxd zOOe&Vn){Y$7k>=!_0<_&yfdx@Y;vXBg&-6Q#p2T70bpB8s}7*q$%xDdOG~v>I(@*W ze#-A0&%8R<=r*G2SaixF1j$*?Tj;O*5B*fwd?UU4HmP6 zh@}{u!U(?8MTFx#OYt<1ce;o??X{~c*9se&OT2hjZalnpb2m`2Yw%vZ@i@ncZ z;=6XS%RfIL1&sPxJb?+>R$C z#!w{1bipo$<_U)5ys-<%F@j)m3TL{|@5M}|67NdC_s@L2{oaGu9!zcj^kZ%F@vXNPcyU}bSd0!(EXET&$Kp6kG7L@- zgjduBPO>aXkSya4u$_`IQdL|E7=H+)*ug|gyX<6qC@hQaOTr?HM5y~#1VB|CnB{tP9+y@EkDu1=zg&HC_t)1Kj_#hnDD8an*7idW=I3|6dw>6n z=ejULrq#hA0R=#MZOZ&Ntqu+rTNPz#w&Nwn;3Q8Ih8E59Mk*}KI_@KWB|;2W8)?Ut zG+gY$&M-92lQczM7I+24=hSeDk<&Th9Y$6*+zs}0&F&+-((a5TwuylrV5qj8?s zS;2!;86-)u7(wF{!{Qnp#yfeivmD2;41*o4%P2~7=_$JmTV^BC8H;b~#YKH#iJ$Fy z-7hJB+Bx&V_WKX*e*J8I>vhk2zJvGpyije~Zut57`25;L*&)T+WM?bATAXXxpCCI+ zB{^MhMciE=BG7Iy+IVAr|C_D4Vbhb1r;7d|8UZjUjj9wFF9f|JdD=T%8bDNihp|!PqYfW}SWM|7!6Hq2mUnq}t zwSBEA=|)+d!Q9a6iPltV(Fwa|#V3+ofa=ySs+G@TBOZ*{w5pay6TLEG!xh!VCFG*Z z@v*{0bH3qq=?_L{@@2f4nvTW~YrF^$1kLaajde~rLbD`J;HW4@8%?AcoTdn5#PXns z8XLv31k-~(f+h$GCs>x%czzP&IFuE(jUvz#M$iOH&~16P|Zm znW84yO1MkA9;p4x?C}CrF-Tah!wqQHN~vSKit_|FDs-2m=dZrD`_n6T%m3Vc?70W7KC^S~^Skz+|8)C>hwrmI5XKi4 z7na1KnerIHH*@2*Zg$^!Yv+acw|{ta`=c+^t@GO-zp(M_wU^dUU43Kkwa@lHxVZP} zBXj-R54~{tXJafP;TTHh%KP%7)f1;E)yxoAx3OlFN3LF{Hw(|U<>qDSp3=VeSZfNW zsqX3QxB^@ni_Zt5dl7K#y+0IhLa-66fqz$?3dM@{EPyc#7r;R_757 zxO3xpvp&=Y8K)VVrBFn?>C-C=M#$AEYED=28nH1~A8hVl`uW;JJC8oq+WGA3{d1>M z`(M1a|JY~UjD?*flT>OfTJ69|6B_?d5-5q8r!tMDc(Dv zaGbyy-blgNwi5)#lN1IG)HiCzip&m0vfb@iJLk_`yR`H2$NR5+itW7c$Uq5;E(#D%Tm|QysZ4wkkQVhw_JcBb7jd6Ne6R#Lh z+ZEDgvSq2b?XT&XgZd>g9wTU^hGsd6$6**wPr;%AoM3o{!#VwUdLbLla5zs=1n)++ zd3?MTtt>SdYBUzjbd&i>jK^7?COkFl0i44ripFuOqyGYdu_Qr|9M@BLXMiO+ZSfhB z#&{lQNRsu|%@eSAB}c##lzMf8%*?X9G}*JtBY<->$59-kTMyb7kfeB)r7*H>`Ic5k zz38-_*D1U_T~9awg@=cuBQBC0zW(Ok$KOXb-z)Dtc4_a_LwoOivH5zpo!~hJ<8hAj z_9J0gn&C;NBRS?tSm%c9Z5t?@=2(WtSO&vs0;hPkQl=? zpghe{9L9IP4&w`P$FeWg@-@ez7hMa!{_N&g+n;<%|84z)6H`-H->+Wz>hIj0+uy!) zeDC7VU1%@KQ540pw5Q6CWGDh-4Sk*m>1A1t#I!Ls8qcu7q~;)6p)3 zb$V*KF*TX+^1oGE<&jbEsK>o`KiPU=_xtbGpW8e2=GId?r!V~P<_8Wp-Fj(UoST}P z8O<$KmR%0JqlUxo*i^3yj?u=JwC*RsR^Y+f;&kd-1pMSRT;NHh)HojVaa{u&&DVN|)aT+nBNe*WyoYpp$^URu@ zT^*@PZtVj>b=E$FQ(fxU*$UyBjsf0tg z-+TUaWc&LsRyID~{9*5rv;W+C;af}8&o38k9c_KSd&w+)R~FN?#G+GWac<|Kle=I2 zQf&J7&OEaB#p5G8KfieW*{yH(zI^oZ$J?L2vU~m`3wFJgj@ncRbhr3E>&4AiQg{6G^2KOw|AQCn>;Kw+@6?s2H(uQT z?5C~Mjt|=do}fq1qEH)(7BjBLxj~u8M%%}W5VnrcoC}^x;PK+WkoMn0H<`C0s5t2zRx*AT7HfPorLST)b9%mfyXK(>g zdh3^~i&O}R(^*W_Q`2~_!{N?_zvb_MCi`z(xc<)lyFY)s`{2uC*G~)EubsSS>i(J8 z{fE!)oc#LQ_Z#mVu-p^Ga6)WFZBN8#Vm7yiS44{O-iGC=woSlEO1sxd?4V7!*_B9D zq8(O(*?Hu}t?zc9`7pHp-PRX7-(K21_0#1`SHDnp-+X>R*+2W>&MT+I`F4mc73bOF zV5S4utrxC-@b|v;ceY=6d-s{=_P#w!Z~VCN#`bq_Z2$Q5&Lc0+?wtDZ+FO6yI@7~( ztkr4PlZ9pjPsfU5?uOxNFX-v_hk(53y+?DYsB4oLoMcIo^EoBTQ{Bs$!qGYO*|;s_pi8YehUiV7O_FWl znS)re+{#pzLZDF8`kKhKCMrXNNi34XLttiRc6uzcRMe#9VZxgs8Hfpr^V>d4zgOQ!(pC4=*v(bIH+|`F5%~5wQhHCinuAi6*St z<1_SBfu71@iMiO}B1ETs)*%gnis5776&Bhp26L@oT$Q#E%zR?0wt{G7$5_dUk~5^V zc%a?1MGr2P`36633B~0YKR0xsRg!Fst&A@b9x?$x-4rK==T-(4Z@J*^yEb3^@BI%S z2@l`xkOqdtwL)ydB?e@u$YRE<<5!)x7enxj)ma>yVvv*MWYD%FdKMD&U&o zUykguBGX=fwvw2dBNF5KUq)S9RAJ4PoOY_ztKc%USg8!UuXQgg7-m`hB^nF1XG3uA@K8n>cJIm6M+bO=ylVZ;Z(yv)r{OfH829t}&QZ~wF!M8< z|FA}FlIIwjW}rCb;c}P|l$xGE205-4awT1*h!TQvEXk3`#$wCY{l!1_&wm`-`S=^9 zv#A_sNStRp>)J3RjnfRlc8CTgp?;F($%8HB42cmmMe`U<6AXo69POEkhsS7&U@+F5 z=ou%tZn1lDOZlE*mokz~7msHXrg6NR(c5wvG>a$X_8xkowD;y$*G`Z8&+b!S_H8}5 zck+?q^=Df9zr4A1Y5VQd3y1V4BzPJpSc>9F7Uu|(#dvoOXq;sU5@%_erdftz7)_Y& zA=ylPBm_ugU>c)~iA3IXyq80O&z8%FD;K|3?m+;*`;M9IPrkqQ{IzqJzudj>{PqV= zPha~ozy7bm-M1gzd*SWAyA7GS;1HKL&lLW-^V!?@l^+Ine|&ZC%{RB-`VppsHaf8* z1IbZ5MsOsQOy|F``gE^K_Ued=FZ@9&>FxABIr10x#A zEr)=h#sIIAfXIj-vX1RFIcsvxd2}>6=b5zzAtb$yLwXm#C1Q8ejnMd9 z-|t#yol!U4Rn^tiRlAJv~pPNca6NBgPtX^OF zP+PoRc#(fwI{UHsp!jCs8+uqZ671^X)zhV0FMcMqTNqTtRr>bdh8b6gUlz$^=U_%N z9d>jTnSWTlvFrQ)E-ioh!^&lD{f12Gxj@R6Cc_I0lL=4zWXl5B{Ck04-;_PoRnf}w z*H7ik=fK)Uy9@DOB+Ftz5t!g7CI*oi6=T?aJ}hd)eYs zCA)Uu*QFbKCV7`h@%E@aY)tD@(NV!!6*pp^5my`28#2gdbI_7C!%Upf8~(I*ti0!9 z>GP}k(%!?xQ>9lsOGh8rg^wmfPd;K!Ys|su*qk&=`PT=(kCslIEPp<*dT9OR+EU@# z>czj)<%_$;7y?ak2qWAi%lgJHwoOJy6H%kdDcKhH>fZcKSK;vbSzqlExB5w4d=~vxAHY=-WrnAnqLVB&sb_aP}sNf@Ua4MPURf@@U)xzYv3hi>dhB-T-Q&`;Q<406YwgT|l}}qtA9H%6;5h0Q z96GJy=1iIA(vt02ySwt>KMN059#)^+uN>a}^_}?6Q9qcMUd;T})7P`rcdv%OE>)l2 zuY77vu5uiF4V~V`-=m>G3w9E`#Vm|dlUd*erhgYB<-hs`jsjCaX4tRYD;>KsUO3#x z(6`zbl$sRmF5W0pcIDFv|H`{R>?l5{K0lOOIb1q>sC4j9@ws{BNp~R&Gcu*rZXGII zUU{ki`+wQ1x34HGPfko#jz0dw`sY9YPwn-^wP$^_9IM8*n2s%epV#MQWf1IXRWJpJ zSjz;Uy3{QuXj^)vlA+6HDwGHt+iKk1vCJ}gZUXL%XiV48CP)*HzWxWcb;mH%WuK-!wNv34#*^=g7n*@?cj;369ISsfD+lDQ|_nRhZ&?rS&7$FJpYmiL^`AF3WZ&P=Z@|9<0U>B~}S@Adkn z(%=_`8II5hGO$h)9pZI0x)D+fn?2(z?fk}&GFU>QZDbl zyz-{@;?VkHdDo|4?Z%nHDQ0BjaU?6jz%HiYS-O}1w6>>wYkB3>zYxdiraTf}0A|j) zAVtkL;TYE1L?HjD4YeSCw~n(cI31x(LPqvjAB(CtEu=OoKiC|Wa}5)Jb2PTmgT~NY zh@{7OW7Sd*d`V$9*oH1XaK@)HE$6HfvTRf(2@Qd09C<+k>fXG`h zrIrY>(mTeiZp@+Fkiut)*aOzr#1IZ4BBdO>4QzUNR>LaC;(aFE7j~8oJ^K3o*MC@D#HD@b)(!}8?Y?1Jk!mkt zA&pp2e{BLF4HLpp3|r6t5Lip~DOgI}@Wqp_PxCJeXIGatmQ(8&2K?3M2g>*EQ-5-= z9||g~SGpC1>tAAK~Q<;7e2 z|14Y>Dm}Qgakp~zM(xgt;;BN5-&zb@+Jfyr6A=yL&ds!ssf3;6u!WXU9)=lpP?ZoU z4kL&uuE~7I?_q|}2=Wx2yCCOte=hC2P*|!xJXX1UZ{_Lg^De1LI)}|%FgH3X{YL)i z_-Fpmclz?ut+hRcJF5>WXI`%z{q0sGVi2&90(G4wF-lGWmckrY*I?;JziXeDNag5j zPifD+^$)cN_t%cPyT*>e%ZzwYRJy$zyZ`iy+KZQ^Cl?C$nd;tmwL9kvUrNhweph;N zpmhBc4{l}aaI0t%rDui|&N0U#n)Nx08JZKnFm=l|(fXiApwfZsTw?*>}7~B;| zLV#2tz#Bo8c?*L!m%!~Ef%r_K#2KbTdoDx0ZgpeO24$Xa_ZQ( zt8*Ph;8J5#vZOQ{kOuxWQvl2mVl^=|`12FaxgF?e&3LRLCS zZIGrBLp9&e7Cax+bXGUZPa3o(9B`8G&&-S^r=U!VVBtme^y}im-}x%Xp9FSH)eooij@2vqU8UDI3fDcAU9VgH zB%9kwW5_|YxgDbj&7fA!?{;%aJJAUBaEQ?8oSt_)nuOh#X3>qa&hD z7zBuB5oux&!oJw?U*%WF)(_QQT&_O8Uww1-*FR^Ahu2RReki{E%lcCJ*5O2O$5uVE zxy!&5!_@-<0mUHD5$Du1Hce7Li+ll1a_bo$&BhIsQD**Tsg3>Rr>{$2u2c>_EAPBm zJ9MaY^J8-Lyx&o}B+Ev<_3m9nSKJzc(zL_8t^V4j)sN-lCn`H%Cb{V9UH7*nmIIc9 z6h&hs#|g`@4CDv_jMzLt*|aoV`#!2;-kF)?^K%l=xtF^ReW&%%cy|85+ z<37EZVli#BRQ?szN;O3yLxZqoW>L^-(FtbU3+rWRX+Uc=f&sqKiQ%d z;ub{nxFu_HLXUVJr&&a^6vZ)J(|C0K=xp)bpN*AW7pvDE|M+padiZkr*sapdTc!8s zibvMY{#ehxRP>m}F#rwfQQak^m{C=su4yor7TWnwf02F{wxSwoB zZt(V#gkXd*#qsx(p`0-tO3XN0D@1cc>0P^4y>z&|`$FMC?dT6{OSR9ZR*n>2N)zO4 zE}MvJa^AG6H{_rOid(=?G>aG-@>>w~P!XdsENVb`-xyYTe~-&T|h3)-}X#G<+>W6~hcmlL+e zkVVFn+VPL-iyxRBJ8ZQp*Q>8z?AVb%xMRm}HTgHI7mH_i^i7(HlaZcl>iVtf;;Y(| zm!)p0`M zRaxEz7L{m04;Vs;5g?I?#v`Z$6V8NQqqL+KwwF~lo@yzuwu)>O9E9iHznmlPr0X5qrBs$>DD+%&W-!W zCq;hWK{^gl~V4~xLX&tY&RQ=MI7M} zp%@8AJBJ`kLxyTa;k33j$p#oDGqbah;LR-))9q*{6r^dc!IUGxlfw}Tvs``I?xtC$ zAgog^iSwmcBv0)@dDCvLGvw`nxYeD*aC8QX=|n|T9m0%Sxt!YOSKjhz*c;nqz1S?tp!c#6`pMOaK`7&}@Sd<}%8_L~rRhj5`rMXey&+N9U*7>T#Aar+rKp7#0c0*(SxM zG&01SQl8#4nbHQsE}yAg(CqZ|gx4S{#?mEY*C`~kfDI(7a~Ru2I7Y^mb$1}Y2>XIj zD#V~$FUdLE4r^&npo5Cq+mFSa>zDt>(L634{9*M;@mBTW$CWP|2Y&o?2GLoLG_1S#bcKBU0eC2WN=5l^t{+e`78KxiC}_(1^YWEl`RnBy zw`6K17}wKd>!DyQX>8A$wa(D|M?QO@y!Yw))70v6`QnLIg$6ET6jZo&QMw`yu{2^C z!cdq6+~$0Scsj!o`xMVh&HX!)f;#)!cCrOx8JggxtLR%|&KoUl1qfI?^K*$I#h?H3 z??~N{Pg`&XUFs3uv4b*B`eGxT08#i?!l;!gr(76y{+)OAQ~rv1<<0t1ZRg32Q~7-> zw*}WqM<$!QYXMWxr8^8ObAg2X?PJb}bVsGdodf|wG~pMvssT^ZkFs28SKP@4=Unh z47U%|*r9LhgGn`x%T9(UCeo%FA5_>qGvly*#3o%9jX|o(^O0CGDvqTZ7#LEZ5qdsp zP<~6qlrTUFQ{n(A(ocL8t_Q#L6CVXJPu{nS6~1R;#^!^zqosz!6w8D4l6H3GxHfOr?jbSXNXi8RmjuRI*jxp_O|(J>iKr0z725!(!J z9kPZuW458s>&xagZLJKDk1&H6NMk_Lm|-c7s;8>= zM?Oq56s8bIHIPp!l5-kBhNDOqvfCpWg_>%uij9Z0CgGa;U&xKoS z$JSnYei17@eLeTL+U*Z(4<(9f@so%YC(k|7l}?}kuJq(qb#ZB9dHwQ_pC7Hg`Zd>w z2R>p=jD4g0FaJyY2_$Y2lenYVv38X|u7KBswU2IvmlOT~U-1;gcYq z8=F9krHe<)<_=|s6alYlhQuUuIGA8IErRSIVdWt^^Gw{B)hUx5m~P6NND*mCpb_Kv zv^o{^bS@rQFc^%wNinP!a(Y8e*vpwo7!x6#b8f1Ib`L2yZP@B=eihMV)RppT14)%L z5pXM0N&kd1k;p{nXNMHJM7lY(C!C3J=e(^kdDf>y=VbGRbbhw#*_p7!6_#*9?Hp2A znt9>fKYAMT`MmVc^`?)vVv8GPMYs@YAJ=bp8d}Gj4T|~aoe9s7!W`oI$0n1^0@d0J zNg|WYDb5#-`obRRGFp`2zIxV>&{!N&cw;H`h-R$e|L1|5Y$M)E9@uPrsq&yEQo9YU zh(rlEQ#q65M(b;DTQ;gONM`2(5oIjUURm4k(qs*}(1I?OQMRDoX3r;ihxLwMNG2`H zbg*-}Mdlz$G~EckZ81&LBC2Uzr=D+Q`arj_AEvBnc4SDQo}5}}jGpjBU`XN8PPA9S zlrkM2pZ4~dUbOzOeB#!3t0$}Pcdvg~-?z56dTc4~F8y#Ozb}7R4nJI3ES=l8_Pq4+ zZvM&lm3tTShx1?5wVfZz@6Y|IcI85wwA!H`5uj_8Y*dWH{~~%t9N()z4-B0mFqWFZj}x!>Z>oVtUoO*wwb$p*(q*J z(1_Z(Yo&vC3dd!*u^_|*&@@BQ6wA^S1M56`&8EyDH=jSOcyRsVUv!0+Lv5xotP1I; zqC9mkPwylxsbr#5&eB-n=JoFQtV2M61UQbZi*m}P52b3?uKxJ>M)lLK>g7Gm>J9IF zvifE3#sPEb$fK3l`2)odE0@LTImksM&skC-wPkpl zF6YsZU{^DMni_XKJinHySZgoObN$YZSZ&6s7@M}XR3ZCv0J~JfnfCP8!vmbuxf5uC zw;_{wn4oTw7W%jc$Uw(IuO6A08=dHMnZ}>3b({_@O?fj4^ye&W7T|7}cb)@$A#>%_WsTbw9AHR#OKWI;~b}*)! zaU#CHWqfuxS$`S<4eUrp!X`A$uzn(K6V|TpS-C2({G~!sArt2V3S8^3%Ap=1@-b!NAx4GwI0AMBE z#SFjd5w`*l-4^xYY)VI)*01=y<;DGh7{Gq_cuJ09|R0x zSc;-)B-!tXaEJkJAa~xDuj$A8$d0e`9 zt#)@`WzXHwf0W-{p8KQqKTC_Jix2ZpN+)k~`Aag2pL}5v7Emk;A)+Y2F$_&H0-LB| z|J07%OIM%YTt8b_?nANT_SMqu!@n%0PyVr-loksweK& zZY|YrzF#OGIneeorr?~AKlFKVSz{@lFP>SuzHxW$>Dsa4v1sMk$NUwZ&6DC+d--$W zUHQ?4^#iL1$`_W#SB|cpTt8M@S}L6TWBzFQ?vqwk0HzI2L0!M*>2`FMa!76MqWq~G zh;1yo4TKMF&0*z)DCp9*&+?xr=PJEFu)bJ3f2#O&B7bZ3x-Fqk@vf92trC#p4Jts` zJU6Fxa)Oi73%0Olc-n>?(Mh+sJxH6GCG(Q)!Nnu&%8g%)I4ei?=g(DMU0c0SetfX> z;fym;xqeq%5Ua+Tpi#1*^&h?~9l!te;l};a&Qt9xdJ!XzN|v*7t?=TvTXYB&5FEz4 zI0o6MTi~(dna_8g6fadyoi9IoRKEZ8|E=CxJyHGPY~g)%|GV<-eU;<4*50Aod*ggr0{m_ia$|WzP@p$a`AHU;`s0LZ~pxX zIa@2D1kz4^{u2kXyd&S}EY)#b3pNhnR&06OQOB_mauk67ilgou9B7%y$h?KsyT;mQ zv{{2WfQQF@fNh_%BrQ{ppUHK^W`B0BT^O01Z{Z7qXJ*qO$#x3A*j|%cGHOpSl4EC3 zSKIq)?b-hn9&Ppc*sL!7v|-+mm=q3TJZqfG8O1f~=k1d96_*C=)y3O|bH6Mdd{(-8 ztbFA`@nW=c`So9a_j_yQ;l7o(zYrG{o(R#wm}F^di-k)$UFFS-f9B8E?tU!)aAm8f zSP)V<#$NnllmX>3C0(P8G2!&ARr9kfbYh%%l8wQ3n1i!5D!NrI6H;N1^*{?czTLze&fn zC?Olw%yBt!#d6v)142}h~7$^oisIYQKF)@?Qcn$M`&2Km_EGeuwQ37K|DlebIz4kT(6tieSqK^m=NGA`55NH_e}4W!{%GM` zbS7SU^$4yVRL9qse<|VH-)8z-PKyIcS75rW3oGNLXGkNNkEX%qmL4|X)NkOY0SGe~ zAPUN*5CaGS;t=ejr%90}g`|wY0(HX4Z>9H4_7)C)IRC5i z(&c#mQu+F|m3<;knk_;fl)Mke;xfg%E*Rs-hdFJjadtS-9UL+2} zT-?2o^g7eI#@f&gkJm09(N^D|UH!}}Q>PuCbui60*M!4a8pQc$nsE3$FwJJ{qOgmx zDQhw)B~#~O=gg@@2g6ctGl6fxjT0~)i~fwia-~}?@9oOYjZh)}%HDWRonwr3GVK=I zco<$3SjV^5-k6si7qpde42Llt+Olc-c3>*6X{m;3E9>{s+l5XnJ?SX?Db-;RAD`Zy zmnY@M(-CfduDdA-@7P3hM(WGaW5*dTsREf6ve(nygXuKlyL)(XFDB)9A}}7BW)e{e zKg{?XEA53@*<0OvbN!LP4`Z89&!i&0X|>1|GeBjTftELBV%iXy%=8Gv>Exzn;x;hJ zCUD0s8Of=~*;G#jzs(KED5W0rSOdbGMV-^EH>qYJ2s`U6;a$0lxrT>Ng8p|_ZEL5e zwdsE?lVQO{4Chf!PIO%s;pV3Ut|+e_6&W6@@1Z3%1Faat=t95lD!uV#(<@1#7T8Gg=oZ~rs>q~ZNv0}v}bHq*B+%q3R{GBI!1V< z1sc;qn@j5Q&cf@jH~*{p>dxO%a&M1;glfc;iw!qO)d^ZLkk$qqZ^T)UF#YJ!(wU}`F>bg%|24zO z>zgZnj9cBhZg^WeL2|t!+|&umk{(h_n0yUOE$PhoXS6{)q{yXI=EjaTI~yKS1YHhm z*s9we{r0Fa=I%2%F8eD}`Ss(K*ZQxI*3U{L**0=-w;SK(O*hyhLtZ_nOA(7N*)YLV zQO4%y7JLH1JBEUYrcoCiw^kn?4|%1dwh9MVkL)PEDII;hvOHgT|Do`_2L-nfJdGsK zSk{Av6dt?IH_2}a2MIzPtj8+~*r90#AQm);uB9Tm%_KdZJdFRUOSpKV#|HeP#K>OI!8D&XrUDRok~% zJ9w`8W-(g3aJY7Jf4%41#MTU^0b~Fr7c*CUym8^jPd7{ZujCJ|e{y*NaEnN`bq}GKejakY2%E#}n+%G<;Jb6|=c0GTza`D~TPAPxqPcMko z?E=tE&%g;w&ar9bGvia9mJ3tPg=kipb51XBKP2OG*wVc>lBJcBy`xgr9)77^zf|47 zxAx@LU!B=izRHo5gUlQjw};nY)riZKXdfjss+Mb0Fg{1EP5Qb)X_x1m)J=)t@TB?w z8$K;5-;OWj@!Dr}Sz~TUp$U0~xveqQ4TlsN$~0;zQ9aKGttcD=rtTR8yp=) zyd#5|caYEzPj_M$dglI)&lw^x16A!)y%hif;1CVkgy-M(p-8=G<#7AYXlHKlaFdo? z)E;0Yhk-#o=j$hwSI(8yTy_PXEZh=A=$zuHJ{(yMsfs>4SpafBb4TaqqLI$fp<+5q z+-6Tr*rwgXnjuASj<$K~N!?r^7xen6A%)JjAmj3CvLOj=@@}X~ofzgzJ1b|RPLC_F z%_v!SI_Pvey5W-n0>Hp_@RQ+iKfuYtg2UJwB66fOsbT0;3&VpaQj~gp#Du$WwE7!w z^$1YWq4|{F(dm{(l=L?6Fs05K4GQaqZhuI+-mQ8!rLj#+dnMSnJl5@WEu)=_hjOYm zy?f6dc1%t8?qD*d7Chbp2>0&Qg^UjHy3}L$8@qDWvl_RD@L-ZbNU;zDmTAU5weXUSoATsd2qTIi^?kb7HG>IYXiVxjh?IaF zMKd&_0Nsa(7RPaf!vFyUAt4ymMZ3E4dI7_-3`f%A0EZLEQTCILx!d}j;g0BOA2Zw%X@Eb94b62|M0rJ`|{W4 z6UCFY154t4G^PQ?V2UCTAc9#^_xvVu33nR~ZL$a&N0bfwqWK{w(>|i%T`-o;WyVH* zXpVnTFbrauREl?*%BFIpY5p~-q%KSwEG~OM3gXMmd()0_70CIv4f6qlS&jl+ec_ZC zmipYh9=IaBf$0MQ-mq+u5jIET%8A(e)8gm(A3r=8s@^_S`Lw6JYq_@TA+@q|L>|n8 z9HIb_7^a9ojA#I*Dd+|P02ISux{=4+1IE>eZ)Q{)d$d8;`$hUfAX?gBuTK%GVcn2yvv<6Qz@nD(??S<2-^;dX{2o zKoAWGCXfRR;AlP&)CJ%er^XXtND;ONt#ppl%o`h+joYPWh$=lb>qJb7)(n zW-7hgZKyun6^~axohG%%FMs@SGF|=fx_Ww99y^lEGg#eaDcyVJ+E}bT{b1L$qWh=( z_8D_p5Z=G~KKS)rptvNH%ZNCRg)~K23>X&EO&q>CPiRMYHRd0!9QpC{%j&&1`KP}t z9I0MExpMK()NhJAYtJ8LieJhnUY5^(X*I;c2(vn`Uh9eeurM z^sE`;a{#l*|@QKcl~Vb^^NM&tBJYwyZ@Z5hha)R zB%mRn0Dv4rAwMSiZlva8PiKjOMb_9ub}LFZjCaoM!A%y__(7<;02Vm%XJYFDi!~&aIq+>z{s| zKfZpwdT+7zd8hqPj>>}@h0on(j%08;o2F$7Egtyp*S{>kI#hXjIRB*ba;cAp5rwA? zDjYUShm-w45YcHL8dBs`sQWDmUL){XkVW0^=AR*uMg+3tU&Bm#4+p;XiLeXHPcN-5 z*DhaP-&K3}sc^pf=-%3!KDu#iN*_pc*W;fZR?Aehwp=@ZzqEX|a_n4r@qPZaw)i|# zy?wB9@uaeFxpL-HZE^p0U!UxoLc!S~#oUZZl@gquwhbx9vVk$bzrXL%otlrj{k#*Y zWDHE1OnkO|UEnACW|cBMSNm|JcKKmt?_&N!_34r7#r^BI3$K5tLgn4>`slHMe?mOs zGvjP`?LfVEivhDV`LU* z=csux5geij=2%eY8UD9`lkx*1>_9#`?e1^%_@gXFUYU6ypj8c5+NirE_&kM-rEPBASY&V(sJX zgog)>i2?0!`!6uwqAn9IuiQW%ozcsaqqf^}^f2zTx!R#r&P> zp+jq@e<>~^X_hQt{ZsJ}RegVBc&j%v=2IGob>0yeQslz?#HfgUNTK4FJ!)5TlYx1| z0zIUdn*eT`A(GqT?Q|@G9&be(0&ekZkT7S3jI)NxIlnl2W>`O@$ZRw1r5=|ra2B9C zmHL(pf;<=WaI6N+K{Avn<0k)b^$1T^LLu%r$9+rO-kQ8JdPfTHa+40GhBYY!DVV zHsD^jVY+ut0-zCxa6^&5lapWz&$N$QIztrAVuT3YXnhkw%Z`sL!}_NA&`L-sTwXb+ zsC_s?mtUXDzpgCqFMYUalCB*92sfLJ1=T0H5kJa_TYxwQV?uL;*8pSIGHVi5UwZd? z{d#Thm-Y8QemXO!shmDgJXw6Wdi+2BzVV=X$ z&@2o1$r-k3|CDw{+>{&d##YbQxlgt&&O0;T{xd%2>15YNWxk0)KqvwM;hGXBE4qdzb0d%L#RR=9x6clVT^?=&DmK1ySz7js=czmQtJ z`t?ic*{kyXW5o}pJs&nMmOp>azpP%nwsN_2cHl-(>7&BlweyAZzgu5cl+Nz|RrAy6q8-^Tzb3~5$RfhAghqg7Y1kB269TcK zdz-W-EVucAP=s(4U^mwX^ey6-g8(xaG7O~Y9t(-ytC~$t+9!qUNp>unV|=3t%eeS^ z0}P@OA)M%Yt318@&(KWu-95bataA9%%3@&Sdf{U2+;a8G7x~YQVOSahie{v~IzmAR zF>Fp>Qr{ee2*Az7M)I2j6iY!su{7vgaciLNwvpjz7dmBP{0rk`LEEu4 zx5y0D`_0fAXd4}}siCT*U=uo|(CGbBcq-i4Ky>?=CE2PQL>w}F(P}mtaO$U0X-=E7 z`8tWEbFR_A!o1%!H!o?U-F{!X_G$G^_4hL@4o?cEqL(UdDvQb`l_v zqF9FJ>nviR)=gS6BJ(6ty#AZ@o9hQ8tHtc5VaPS@y;iN(QT=2rLnhqfS}_X&%My;| z)f$fwtEkGgceR~&R`=9yT=@F*zt*2r-(RV{-&y_g`TN4-%AtGZr*Hp~Q!?LTF3m0& zJiZS7{{Uh-OOs1(8v!}MP#EAI^Z0^SN7DXSSTIyof)ToDzd(pPN+E65v2(|Y`_`UR zPTwrNDm*Nn`tRSY>|a^_N9FE`)x{nom!W8uW;iS@RZIv?vkXPaNfk4ghM=wPz16ry zm?MBA7}6}{0F5bDI@Ok@Se7u%mWj6RjA||#kk6vUbMBY}^QTY0Ag6Yo$VfjHFRmTw zvA|6D0-6}f^;~3Xw=U=JmySIw-`Q6_y0rSXwsd!8|JwEHi35MDyxd#8aOs!Dv-uyY zcdpmoeO!CHy>!!*cT~$8`OHYy6&6Ox-!J$^iD+?S+&LBq$Q)P@tN&}&(gs~;`kwcN zEYs=*za-iJ^>f8nwFCD&;o7akfBnY!8v?)qnlzKoyLZ+e z4R|66hmT4K${NTGh%KH|Z)$Jv=FbLmQHCx&t{ylB@^4CuZ)=zLukI~>*VQBy$1sFsy3pwczXK?d#W>^NZo%9s<}D$G&QC>v#+mo>v8q;i}1#s z%B%CW6R)Kzh7@603bM@!rd6-X;IIZ0;+-&sAw@9VOg(SZn+tjZ;#vRE`sL7A;o$0# zU;MRvYESWW;r49dbLqyll_#nRt6KW`DVC)uh9F@(hGS`QD*$34Vll_^TQSw7+Tp1R zpFgRYTs>TRx~y5dx_ao_G=v8M1280zX-Z8?p|sRqy8P+k+EQiLt{tO}%CkLvi$)ZW z|1zCFv$aCRM0!&Hza$XBiwr6sJ72y0DfjdI;p+Rv{E1)wvGnPOwZq@A&4tXS@yTJt z5lk@6lBTM&U^}~My%5L&OwlxiRQ*$tTOmU|*T(Ys{nd}B%Lm_Y+%l{mm>+Iv6?UzE zGQ0=M;i(0ipVh(U0<3lQkpJd8L>%*~W~HnoaE7w6K!K2D}-T6<|W4pGmxxcFE3^ zxY&@exMVm;2{$n9dks!(@dK-7E-b?o+&wIPVDtLkaiD9B>%SqEOweDUuS(9uEu*DU$v) zqX{~t!cvn;@4P!{_RmCIDT%;TY3e0zbJD2i|BBPj2LS;HF-(J?nrGa3DYbO)>coWE zFyr?$MBJKtd3Mek6cox*G(#Y2vOTqyz*OONY3Wk&?)u%emxW_g^@pR?3vbeal{>{R z3AsR4NFl;-6lSFOu>ss%9BJ9abO5mwwP zrbOYd7|Kg1Zy~)h0#h#9Y3KP>WYt$@MrPAF<#ba8N+7_J^v~I|6la^Tbh=zZh$SKM zYg2?pMa%qF*YX(W0uatn(wEeq!#p=mSPh{wlsT=O<8?2I^MZ@_YJTEol^~gLT;D|Z;xEOlg!f13%+ehOp~^q`ID#xHzg1GQMHZAC8M=|y7We?#f8&tr5-^n zf@?OHO*e1dURaECJU5{pQn=vUxUm(MA{QoMv5f?ILZPX2`)@Qg8#g1DcdCUM^a!?K zDM$P7nA`8`9F6&5OM6x7`B{5%a$1s|);6L`Wi$U9l%!qyo*1EiC`nnS&rD9hezU-5 zLuj)X$taw!|C3Dk^lmZ7=!~QOj}1qs)h^du2es0eT!DzBzv1$m^7GTK@(&-U{@I5{ zrC@_DV!4#juhcj@G29LN1h~VlPMm1VMuCLlC`eG7;!uVI6W3{m7zRR?1*mRP^c%Ut z00v`*ZB`+P9{7`?x#+k6J4Fa5rr@-a;*d?k4aPyrU3#RK>S*C zZZWv_ruyhY<;oA$t9w_Tt)I&NcH_Ka!M<^;a_!8F>fzt2HH0gh!k4omv&X$CVKgMr-V2^fY(EQebd-IkxEtaQ(n5VvUjSobLX$N14UWs`5f(44D?yh`s{c$Cr2OkJaTc)P%!e%I)w&9T!BSG|;u+1eYaZ}>d^puUAhcYdxJ@~M3lYE~) zkbgP9@-{cctDKIZEkU@X*6+u})ZLaT?T9Wc!pN)}p~WX7kS@+iX`_W}gt)LNd6`%zn6OU0~E89PR?G z7y=>UP}61Eo^L&q(vTIx(VQleNp^@mH(z&%Um}Mw3karo0EcHtv17ph%Z-QCgFB16 z%C~oV{vRwqd#x&6Iq~&L?eK{mvNV`1VIapcKuTMTW&uS3f~2Lz1_4bYf)UpU%kG++ z3BoJ|yG7j+$T6R?an*RaVr6AVSOz{tNuH*JmwK{B3}!fdBtdb=C~7*G@e zv<$CBbgHR~(-_Mxr^_COyy0xb~FH z<)w`p7m;2jbu(s9i2F9=tS3i7Q*n=X5;+o`@*B}+UFgu zD{mWwTmviTx5-Dzv510zB?xkaVmO9|-QP?%PXP_c=Ica=<_N_Bf*{+Ir@&&sV-}-+ zNTF>y+HIEE?2w`n?HZ`>_hT_mC14|HumCqqWDbhuoI!_-V0wY^N-z;L8I*iZNio8Y z>j$e}_Ghct4*&S!$u}`hO68k(xDX*rXbkDPe1jAfV(sJ$>&o%MdsqHoW$&fQ-`Qm?5^lznDnIsdtIY&rkK6&~!0d!_1cK9}fq4gfqbqyV9X)bzM|^PMS;qp1)aQY@sL7PT|E zIX_GeDI$)kz{K{Tt~!0QFbfH@eQ}m?eX8$pj7WW_C%84z##t2#qn*iF;=B`X+sMLv z)TxQJ&kZVcCO{0ck$K)_Qy$*$^*{P#KkKddGZl35toDHcDGW{&_#D+RsX1G$Ny61! zc*bX3ox}cRdfe&uaZ{zHeJrWa(<8c>nbwQS3K?>=Prkg?^JpoDn*S))xC)Gi7job7 zJd}e8amlQxAxViwboLTk=??i8%!yPd9h=94X7luawmn(3Kgzgiqg-c5Mc9)cW313h+Lt+%TfD21_PCI5-K@G2W`h0726#EP^amm$vA1fD+ ztX$8Z{6qQUh0^XHYOmkOVW^VXPdrm^WAXRn4wM6%q)Km1yI|W%3Ro<=5SbQ zE{l{eEqTfZ&ip2{T_>EZ-)$xgJ2HQb$tkvA)pgh@8bikGoa`*q?I`f`w<~8_1ln?r zxIqTNx=)K>4j~R>M7L)DF7dl9TN?|7)n4ch$A?92&V(QvfxZkF6E)oGT>zx3 z`&UnD6?3J7H&-qM%V&4jj=%M+>~em?>Y$v5a|xTL;~lpy#2NQwN2_->6?B>tavv*T zS%v`sbF|FY${`xlG}E0YpOjy6{PO|9dNbe{5R?f3pcxjigb}Sa8`sy5ue=#^=q=%89W2WH87g!eGQ;N^&wl7||5LjC|@aLpX|K=w^=BR?%J@MG**D3|J0f ziei9_{vY5Vg#f90Lz{HX4g(I< zflt|&2PlRnh~=bR&4Ylj6t1h#^bv7RkTOZ6gU(++T3=jUte)MyRb~_MF+`BJ1Suts z^3Mc&s0aG_7p7c@!I?3+OsB>FUj0u`Q4?;;Ya1=OVvx~SDySf+RG?Fm6$&A#yeW!U!^`^{C>31Q|>N zj;g15eyeX&sdPAEsyf$;yqQpadGxzKuNoYQ7U@F5&93 z$Kuj)xQ*VE)<4vEqyMTfbkuO6-a9?W=+qa>|*ZR5WjaAw)#+KLxdk4Za?WUi%>xtijX1_* zq1hqDLOd}mc0j2bBvaSMQY%?fuKjm5qI?kJe7gzk7;hF@%^% z#QZZ1LnDUNVG4<$7);R=!=Qeo=mrttD24(A06LjGG@ z@GWBgF*njryuTG&yp0HOVX%MJWtg=$L&M}E{nZk`HY5GhN_9Zy*LsY37*3g`e{Tf( zPh0F`4MVRPs-DQkmF?qt5yqLx)(L);zsd`^&=&qXwgVE`LT&%usBSnpJ{%YM@N#b3 za8@(tQ_IM$)r|;QxwS@GNZp~7N~dCRHRB(_eUez`KQ^6CnUfzT0rCMsGhvGaK-rtVS6JMl%}KZ5kj~(wUU0@|Qk&*zeW#{g zqco;V*y7Usmcjp;w65*(7B75#vwr+Pif1dk_7wINum3yf(tGG}nN&93;fx(xV;%Xr zp7guZvAI;x5#ya%Fk91Ue&OxErFp!w%4l$WhIfKSvp|NsIFpJw?U|PMqC@Kn5Tq%Z zp}%=<`gSH$|D@3?`KBwUZmsW*R-fG}UEkj|!}wIWxb#>4_v-l*`2)36d;T0>+g-Sr zzw&))@qGE+yXx%^`Rj%Axx#Yw)uGl*&?DakJ5?4E9SO8{@ZJ3AKVjaGTqEMcxtu1Z z@kOZ4Ddi;8EO2^PAWot!__r7RsZ>sm$>6c213@VDZ0z{Nh=Vp7r^HbVtiv>k+ zBXx93PmTD76wdH)sILs3{?lcen=h4>7Y6YCKlniab(yn%{r<@6ci4G*-tlNQ!lXQj zxXQ=%&cj&r6DfhyBE>fgmaF&ocNnlQ2n zW`H3@8X0^p?d(EgEZyPlmJA~3?QS<&XM!HnNc%UQznzRuT3T>Z-wyZAq_c&yJ>d^! zBf&W}8BtH!7YvLwFy2>hXd{~V43g>$`*u5m)ek#jkx^aD*l&-d zlW@}2V!-badXNi?o)9rv6*S9_f<9vrY%n{g^m#L?NXvkb7*8#bDB-d5AdIfEOi8&S zdbL0oP8o(L;)04yjMeYyRh1=eVrEdRmV8qm}*deC4Gt ztEVbwA8uT%-hJ@9dXPe2PC4Ey7q}Vfu?9MCY9iolJ-(b*jRBA&Ea5naF@!Wr>Upt^ z2cmjsa}5%frT|1p=%kOBVg}eg)4Y_XF~>0&@maB)Ba)>;if|NR0A>ZnYCKv_Tq;8Y zf*^0SH|N_0yt#H`o9@7=TK3|;E3s;;i^gwOMN)^?Zg>@I&e z*TJJCW8GntqYyyW(b>lcBMdbcaoxUSw>oOTGg)IluSdpduCeH9n)iT#SoIE*O=|C- zK*^DYqS3JQ^c7A%)#g7G7w#{=$=_T$U;ViQUn5T#g$>%Nc3uabLWC&a$;#gY0pbDU z>MoBimL8rmR;A2gh*By506Rbi7~>$IJm$J%M9@?Rht5dp;H7V8zCN%{w6Aqx9oqi= z_Ij7TB6v>V0mm4_fa59VFok>@!%&S88xt%rfEc2+z~umEK$yR;1e55;9Gzw?5P(35 zKspA}5uOsn5NvZ`4vqFDptbX~CGl};l}uX8L|=lJ)NUD{(f4ubmMOdaFXh`$D|cs0 zA1*EJCgpSc@+Uy)*2%(=yQR4|#VaQT^(L699#o5FMRnLy>on%8Z^YH@1+p0-kpKmR zw!}ZzLm6QV@&bTN5O{zHlBXR-fUR$zs2%sRbtl)L#hKmI!L_(+fZeM!u! zT#_{>7gje0f+2T%yCHA7zqR3hq_JjgphMI7%jLW8D=$xpI^ePRyz!Rz%7SCT))f2Er)Ru3#i2 zD5L>XMne-Mm=xXNl*G%}gkW}1t+xLZvAQMWn^NHnM2-K7=3&dktjrXM$VuB42l-lg zJG@mfTRW0vAWam zkFU%ZZ=A@@m(HABIT!!gKw;3eVLYns%vk5p_4nBkv7 z8nvxV$dIm|r|So*SOSd(j98UqE#lu_OON-Kj?e!+|LAv1_lx_^t(`3Gc_Q1sz*ER0 z+Cq~sBaC?y;Wj=@z#$;;jhqX0rAIYRT3TQE@Z+1yrAG&Kh3jv=n_hkU&&rLRzbL={ zU@f0HVXdy8_I^+bFpn{kO2DILyIbET0}BG87&p$cI_+(*-80kDk3{*v-5-`-m*y@6 zOFNGjFTKt!6!*T(&36~MRD5Te(v{cH5diUV8pAcO`#ms_^jjkDm{f z9?z~lXx{EzdHGxKYgz76D$wh5bZAmznf z`43+&Z1!*h;{=8v&l5@k2Zg$z{#AJ8&b+LUgNPvlgifMl565ws*0Q)N#F8W%9Nt7L zArv8iDUyXCLd;XlL)bZG46WFRBbA~`3k#d3;S-Y9jkibHX;A-@-| z?8|@7zYuSR&K7RYkkL4;?X`!Ux|j?F0Y{lLgba@9)_!o=4*gi&T{(ZBP8WB7UOlpM zp>pX~?r!ecmj|o2zP!)hET6euxpu8^|Db2>ny6EQItSG?fl;!(x%h6GQ`4ogM2Haevd8ZN_F6hGdWM zOD75+KFgfcTVhEX?eDWsw;ati+EB?l!jxj3V*+YBlnZyyRL&i$T>t#{!k(9l2lLM= zhvt6*<{3?OSmQmA$B;(|lTH?n^)p8hDBZ|f)L7-Q&Z^?JW~PAJI|CXGl3ul>Vznwh z##}_M4&gT!UT`b*w{;jHT=j0~pAp{Wev}wp{k8dDQAOzr!`XS_y zK&im!mgxNnLL7$y;UNQr2oT9*AQ|HUMf^tIu&B?wxj2M)jsi@Xl))(A^ha8y0EQuj zfD^>b|H&Qy@!iMd(p^&rmT-n4 z6G$EX+2~1Hn^607ttLlUje$ZO6I+=HdpWU`ALNEc>$`|V_Q+i>T)fu}Vob7bRYn3SHhb+;n$DLnUW+v=F3Dua zLLKCxr5Cv?g&PkF=MNjoPp*Ma6sSz z5;`(8F^m}n9gg)Lp63KcFm2~q>U6FfRU?T_kM-r(i*w4~7H-~Ke5)(JIAU47RG51_ zv3k>5+hQ%YOqHW#Ccm|)5Y92799A#i7A0`8zY6dw;%tFKECJsi&T~(7oGXs}KJ3LLjhOgzvfgDF52QZTbHzUAEl|QQPKWc)TC%v57)Dd^g@zn$j zf*jR2T7P%O0eJ$P9)bjpLRcfS>0-wxcwK#E0>F$Sj5%DDP}(BT1b`9YIo1X|ChH|4 z!9pxn7}7&VN5H7A2?3q)$s)W;ZHT)7maS@Y!XDocojO96Lv@Nf30~P|=rwPwcp0#A z??6cA_c~m8&^6{88|mU7J@ub`x?x=R(folAsb-eOeFwwlMR$xeyKCe3!v^R>y zpkQ3rBM6zyJ&77%}AOR-3Rz5A>t~{ITgg_=7!JGhi#6yGt zFI0p7>dI_*GHr#!$T}&8L!U~PPMrEjIDdWZ%9mS>rZZNJ6c3%dUwrfK%bW7^v-!6p zh4+W@2bT{d3OCLc9v)ddRJl60axPmwd@uK=xZ_EOoVKDH+K6yD-IDEM9dEv|b;+uV4 zIzfUC5NmC~mC49|u+LXBmHF$H!?(5i%EDDw;r0CTvEMAs#Vgkz6|OIIX^IaIORiZI zA)8V90Xm?SJwt}+xNMgsV<8Kh9+g}g0oH_OJig&jYa64(!!h}{zI*-K#kunA<#cJ! zT;<)~)u*NVCs!91FD*W=yn5R**Eq^}w0^|>yLs^Cn7$OUI92Hgw-ep#oV}i@tWu!~ zgnQeP{fiK-KF`2Zz|y=N9Mw&Zn<3m_smJQZpi0oL_CDDzZ++$UQG?Yd`)O7WR(8!7 zZe3n|4GX*8E?z0$c=7$}^UA@O-?YB56!g0-w5{WCZ4T=d1Y`4WkFH;Dcc%tqnfLvz zEMpQtk#8NM+9*tGcx7^XjFQ3snjcxnxaNl_Bfu zHQGmUx>W%VWd~By)+QW+UA942;q8Ia)BWF<4?Y@fHssn=>rQYUXKRZ#OC~tnLG3oU zb7?ZXn3%{wpJp^G5ye} zHEU5S^fTei1dztzPW1YtZQO#2jlkNT1}&%PZ$A`9{Y_Q48Gl(0n>9M7>ZMTuC8qka_mIMiV>ZB+=3ccFo z)oJQV)JE7{GHX}2KW5~$^}iZDh^Nxtc+B7Se89`a{D#T!R;?6l&~H+8uv1hkm$(&r z6u=vc)c>rm02%!eQ$#obWrJfep%4&QPl(>s9!KJy4*bHpn8@f692j==hk{alltMs} zz)8#=iOxi<5JO5~HDbCoojXJV5CqbJKbZ0yBapS`29)(bB0w0&5EM8}c))lfr-edF z5CoKw7K=vGFcls5Bxl;fpS|9cN~x#@kVbVWTUh1lQ!3*2J|ib%0x`sUr)GRgg|L3R z(Qi)b6E39!tZz?KN=4ejgaM1MJ1;TE2oMkegh0Rv6j!ahvUZW}ONT~a<;h&XVtb2O zq(=|{76iyRL>LeVtSSv%$%lIw;2?m2qgY@(M2uE}l^qQuh*AmxBaCs7@{}^lmAA6~6o%->p@HRKO2A9HY>mID(Q zL$KyWYfX}XdCX94y2}{g0RjLDHCCE#RvE@|7z0dEHLVE`u$+MpQU)l7NPsOy87gee z*is!4`S75IKJ3RLnW}z-cd^dsF+XjgSw6Z215Mf^W1y+WuXZxejB(xp)Y(Ae)>va& z^>A=A6U|U?!~-pI%`|K@>cL1|0jZlzgwaGKYu89EHJRw7oQ)=y8m7^&FwX>s;F#4S zHPQH@Q<;9BvDG}|3}^dBr&AMSEjAiBgEo(3uS%(P>ejF`?dWd?v)g$OPPK%x8!}p! zO(xqaK^x3d+F&ronw3PdCZj_YXsITfw6s=%Sqtl8_3=r^IG-@5EiKQRRmd2la-`Vp zn5PX$QjcQwv!n8HNBQl2`LuE(NKyXd4~0k9O0&0f3u`C7tL%JjFFiQjvKey-F#;h4 zgkzLPSg3AYGB#=%6IrXcS52rnS`(DGU^b&vkhnlc2Hn~ka&}y)ut(I`pX3bTA*Z>k zm90quF3s{-8(@1pA&hA?Xp1ZYI==M&z!WO&+M9pw%DdU{sOK`3aCnp(9T!A{Xa(5_Lg3pEuMLpJ5ap$cp zot9^*-u}HQf2(ruac;hJ?BsTl)s0rIZryE}o2i8aw~dc&lVVlT9}E~KCx=?OsH@VhaX=eZ z2c~su(ftm$=wfo*s{AVM>S{=9doZd53_e=R{WicHXuxeYwIiI2u2CEEW04I z-MA1#zBfl`lVD7g)lCG?b|eFh6q#GbXB+xAjB8yG+F`BV+c4yBM#1dXhpYpUpmW0( zSjQXVKvW}#O>b->O>XaCpbj}|kfRKdbxn>(1R#d1VrnOV+$LyO zCh$BK_|E)(P$27KE+%bwSHHc#4q2B2!>NWub^)bA?Uht(bxu2t+P+4WbuoVFLh1Eu zVd>3xfBJH7?MCt3zU9v~FRMJH79hrRm}By^(u^^{^N{ZZsf7^mJSLzH+vzI91B5un z3zT6>u)y(H9s<`R07fX{xeW=8sDBEXr@zmpCL3g)#tj2+ou*q3tAr3**CQHnrE(u; z+B;^S9vL&MrDWeeBghy$ew&p_K9oRs2bDikDdw9SL z2oY{eKtzNQ$3w(X%t3}Z+QcumYEzhlJchK&($o!ZH#lso8S7dpxgXEw7pC&J7N4%| z${*-w`M0aDO1BP|PtMI0AD>-4^2_qo^ObAIWNPf|we<$=remt;z zzI@?CeFVQIMgU<(X++MnsfAcjt3f0-6ff|K#yDhyi zce=2!d-YoWbnZs!+P%V)8>QW+ZK0K$t9x_z3U9h>9Kpif*>GpzF= zbz3^YDLBFOW`{WV9u7*rnH>II+g`b$f5e&&XA`beTQH>|AUHa_=JxLwpOog`&E%f_ zsqk)Lc~-x4tFr6n56a^C^OMe{H>J6A;{1tb&4g)Y7^_<12B5odEN;}9+dHMQWcmgz ztwg6WnY4w|R6W(-t8!$9HUI(UaT0X)+f`qeJIrNo4 zQw$K#L&nQyfFw}hc*wP~mrf6l!1RQ?-P#`L>(}&6)uG(=eKBp*imDCOBQYA}0Nb~J zTRgkZY^%(_))(Jh8z`RHy*gjG`?7HC!EoW+vp>gK$0U$F5c3o;T1$`J%3=*Dri{Zx z-frCk1po-3bsKay8dDB3f$|J+j8G0zfs>;#g*+jQ2Ljg$P4zKzn-8ZCn*F2E02s0N z+g!B|ulCu}1GW*R0-J~vRwHBm!m!_wh>a-~&OWza?-?6pUMbn_STw*Z6+jKvH@B2a zqg0GdjD}p@96A_df-t4Rx<hB0rE>g6*Y)vKhwuWRZ^#9?tiy(s{H<9W#99^2-(7}qrWWAy(!;0^T+@G zNAbygM=&Da1bAPf<}fRiWgMF2uV5v?VH>jt1@SU_07gi;^~0^+G0fVKxB z9#ST-HfIeXNQ$79M%rwn+cr)BN7OjPer_~vRK*Pr^@}2-J9=v(CR;t@g~VUe??P%h zg5Qlh_*f@*%(zma(t-{@Ry`hBXFaEmyrTwlX_gAHdnYOy4p7og!2z&i?oR-%g_a$7-V>;k>hvKy{Qz{01meD?4sJEf^x}&jmd84;B zjcOKS-3;VWC0g_ipqeq;=p3=+#ab zTB=I?v?Q!@QEDQswfOkbf0piDFCKX7&Oa#cx>34zc3Wldeoy7;n@y6eibEeZb^LPz zLX6`vM+C@on1cehX%1D5ADFBOGdDG$RPjk@pf^Xih1zQkbSkLH_Cz= z8<5kcs?h*6#+R<==L7%y(-iRcl^v{k?Spu_WMjM%&^(7g6;*#ELoN8m!1+S|z%YOD?;3 zfALwiboQlh?fUAO{A~I5{%`+TT6na$V|k&x@O1G|`R$&SS7Wk%yTz-E*Z(uWbMKgdpJr02n0DBlgJMv4+Qq5D>l3h#HB{hE$X2f{>TX_OtHI$EDR5r{ zbd5Csn!?RLrzsz4*v=(i!JFj=MyG;6a39i!oaiDpsCVeqn~KkVvHbsWuZ z?`RxL*U)i||Aw;hfy@Y2D*BVzpgwCDo{&XP`wg)zjOk|Z=}BxAHM_AHEIu#3Ji2zW zc;RyK(Z1!Ul><*JCk|KMoGM;>wfMGtV5iMhy!a&dp!|F`|4LMWEUo)^NR^e81jZzn zTyzX{9ijfP&JbYJN`-z>RO}n^I7kc7e_LpqQjzhEbeRKMlkO*fFHd;V#D$X+lmwNE zKypCzQ!t?NDHZ)<9{8l2Diu*;=3IVTuiR%;#U0UBw&xK;HZh&i7z~`Y`hH)Pmbw}M z+LD$UZ3RJ&w+0kIn6?20`Ua!vDeaI~P%0vUh}k#QgaQ03?9o0w9G)gIM-5;bs-u%r ziSfb6ph?EwnTq>2%xk^QvEbKP*R1Jilj66|=HhVIfr6XaGqvH2K4woF1{;%8WYk1M zvCYkBDLR^&95YCoRe94Rw0T6!8XMjHgQ4Wc%l7s4I>x=;X%K3E<&I5jEM`fwlg>VE zJZh3}c&oAUI$rInoe=G2VcGb2kFSn7XuW^KMQ#AWOG4K*K1dHZ6Mj7C zMlg{wD~uYAAuxOnnFZf7jGbad(R21DD3 zD=ZEjaOqkD2O_*hh9{s-IHuY(4uMN&tZkwH31;BK9c;89WN!Y=86z_G+VJFn4jGAj zqOts&;=wuF^x}=BeL`5m01ydHd(tiO|Gk#J@kZ=_pF3`y*~AJwlt3F6VX&z^*vTms z+t@a#;Wy+8J2i3}XIoH%iJ~c@YnqK(!VvmZgIeYy+3}{f+Xyg-_^?)TD;jFM$6(#6 z^_a6JCtZ>BjAe#8zakJI?pLR6eZziIzt+|N9Y^v;H;xd>D5zRc+kn!L0FLJf-(qx& zI*CEv+?L3YBsJ)pW2aOM*_?G2om!o}39G4Bl#9u&R4jd1y}7(cU;J>Yc;VysUv827 z_5UdxnH6$3OE=z+buzs{!V}D~8WVPF>^h|!;&6@DSe6HY=P(6yD==vuB8njb6jzZg zd@Un*tLY636jPqISeiMRfPmBO889)uQjr+3k449&=H-xJ z)+iN2{Z-qBZfHskv(`bS!kwP(ofsWlALoolsjzj8A7Bt+f$)sOkOzVQKowdj8$V#r zz3(kOI9ECK>MzB&SMsyQt(XcB#|XDRt$25$=EIvKHHoG#HyR`UPUpe%w^6{AAk4dE_x3{y0g>oEd zFzB?*c?uB^5v*DC+hIkB=OAN%kS$o7d5i=BKt=$jlxOv@oHkZ1%y^zq##(I6hzgzA z8nno}0SOVCp#2~@Gr3`ep7C2aVaQ=`wL^bZU_r#fN1PJzCS&Pts-Bq`(vyI>W>?+Z zRy|&K*h?(cCL0TizPF5}nv7&zI-g%>m$|EMuO1i~O^zEltre^LJKR;Zn%W~{0r}sn z?=n$)i@MWiB73V)v6KMzil-HS!V z0*9Jlyzf^sBv-n!`U4yEFpO6rBlr9`w-nDjjbzkxDNlW?qla>4B zCx>%$r31T?OS}3i@9q?y-dx)E8+norOdw(qLJA2&5Z98q)=w?Md39r|sHjJ)pDRc9 zuD;1VTm4+Qy03EWs-^sH9+?07yYjPRxx4Pt?Q6wT`^)p^CH-5x`sKsgvHbhr6yNP0 zD$HN$#A5<5fjmJ_z#Io5sCk>~T}it*k?E8D-(m~#nd8m~3tO$jvPP@rvxWKH#-#^~ z?@C8*lrCQEVwkc4qvU!#lj@yz1zH;&pc$1@w!Q7h9Qc0mR{!dy<%@qa=RXziJeg2- z%W@c^F`Xl-=A|aEezSGh8^KBGSae{#NSRDt`5yiF_S4FImkwwmp8nPvy_Nyam5{Ac zz5HgFaci@Svs2~MuPP7jo3zVwMzZvA^>XFJ%`R=BXurbsW%HI2B`Fdz6=_9a-Di zzx{{8!54)GPxAA{8!vwI>*9lVrTbTxJ{8{HT)q9jrI&}hyab|HzIDt_4G@6sZ3 z_(8O_?!KUG&4mj`D+k^eUYx94I=?nMv39C>;i$K8=}hJAslu&y!KJ-l-j-h<@6upA zX;QV!K?nfP5h&DA2S0l@+OD&AEYRT-u05%IIRC5S>$mx%ilw>#D&5^vd3Jnpu6XHf ztaRvj{%QHj{XeYiE}VPb<)yv4fK|G~1=O@RX`?zxX)VqFzddzm2k*#c%Y5U^@q?^q zpnpj8i)5kQyi=P0Ecvm0JgUB=OweHoC0k1UgBx>k(?q2ycg*APi4&8KQ6ZBYY!+49anfGa zpET*HcGM>-<6>HUhy1NgKT~5N6MzvBYN@C4Uz{`caG9m_`x zC(h?CY~RYqAW2Iy<+CUiLs?0=jZfHAc8x!kRw^WmT%j0C4D?%+3bji}`v%;i$tfAd zK|0jiGLDEaf#VqXe~|%qD2(KfmD#^kKJPETyH>e>?3*s5MMGgmQKQ&D zKRIa_R4S0$H!Y^Aio~Nnk5bX!+Z)jiOhl)=jU+Iec%#+PXkU24^*+?7ubcmJQ~Ioa zht?d0DS3gqu#K&glh zT3TOFG#D_=)EZ6mGCep2F>O*%O1!Jqq2UZP{)@9@CKe$Y*+E)8nVWCD8|wl?@@bWq z_U9jx%F%=HcU=b40Dgwg8yfM-%c!fjif=zJKU#d=vwEoV;pKOw$G7u)Du>Rj?dcnA ztwf`y^0VW`9+taMTsU7jb8u~U`Qg1E-yN^qyr!%i*;P7nA(h*iKl7JvGe(&3^1YHG zo7?2H#-`-HWVC-PY;o-qDhA9^C+7K>pVKN8!>K9JZ<%j3U~Jf=*|SP$wc!q z@-uv(aExeq^-NlR{c(%0mJU@8y(%C7Tt2?1bav0`T=~v{%8vW_Lw}p<_SQ)Q9*_FM zN`==PG-x(iO6I9yn{L!L;ND2Q@8z^AcVKkJI29Ub77h>Lpkq|-!|1qh%s*<2W__+! z9K+~HYCIBGD!jI8hL#ww9h))rDiy9O=U8lPT;<3p6$Xc8c*y4UrCsn}rb(#sG)uq_ zP~f*hlTf8P-U9jo3%Cvapv@+Rm5QLs3J%GkLBJse^}nP`nGuerKxcJQ-m+S zxK%iQ$WuA_^dGs`!juyb$1}u4S#35ATPGMp3=!cm z6c~VzqOVV{9PHzpf183V)x4*4is^dX4yh+rOq)^!x*C*^jvnx}sx zYfhwee%p*wve~I5m4hMYRMXk{4}5tQE1vljEMJ^mecpM^ z_6STs0!4y+GA#lz;yA*0TC_coTi?Nvu*F=}@+w zUs*kD)6&foEFW0i`G@5L-~D0rxNh<6(&_S@2isR~HpvFm?)5KJ7hNW+7qyy`BB7^u zj8CcjLH&TS?Y6PFE-kuKGvLPEhz#O2-KibX_v5F>{e>Hs%lAJ|EZ!@gnk}8#Ax@rb z*Vp%i&P)UPKtv|4KhTSkEkXUJ5e8a`sDvr4C6R4q6KV%X%E#q5AdwkQ0Gn&(*bcly zQR=p|RV2;08zlYl@o-k?^T-J;;pxSTOCKs{UORJVv$;JhcYd}syV(RAA2!4`d?K}_ znAQ!1z1iOIhR3Nc%NVEZ8&0n#LFbuMr87s@u7=7-FE@rpoJmmB6&b-xZs);_F-UpX zapw`%wv2v>T z_G;zC@&C%73>A)Ci!VPYp1)bSF}ukY#CSoVLJdgQo(>E`$`M+R>yQg^6)+Yc#9QOg zp_nJUKp+nR6*vwyD3Dq=Ac8Q%6jsxN*5;`xx@8#)@@QSA#kBL;KzJSkjiiYxdWSj4WIsX=q#R?M09hwt z7gNRqh_)u|Vu9x|M+g-Jp63Cr&*Zk?dc<)6(<*FmQz^=jNK6{^%r6$6{Eiu?ebgx~ z3TpkGWhsXtG+>w9ZH+KDPKb-*{HQaP4SL5Lh5tTwq18u~BR9*t?w1yBXi}hOE*|DbS-ZrKZ=;=PpnGWA)RIZ|?k2R(@N) z^~b`(hy0V`o`bCLcwgbwotf3^zgj((UOHQOd!_Q`RpscF=FPdi-nD(DU9-6>OM4g3 z|8nJV;mv|If2#8SaOw2vmHFJ6{DTp;QT36vYo$+*SLaG+&lQh9tZ#cVIgusoq!a=U zBY|;D-~mEB;#y_B9*O|v0N@ZWP>cx2S1A+Pr9ByZCEzgNk$^hoGVFnX@_-PGN$Z-7 z2{F3a${_-jXJQis#sSdKq~r*|)|EXD)r0D~Nl%#L86{+W6RWC9^+a6l1YkT7AP>Gy zc8Zgk(M?6C+!n+nwMQ^v`@on;P8l{ZoM^jobkHlhC!{9YZgNsO#ySW}?$W2r`SZUG zFW)PlJ6C*mP*kxu8tp12joY2pgx$z{+C`;ckW!p6v`9IvrX?zZi=c?g)`*M9 zLZI*Us1o9c2T@pqCxTL24JlBMxHKw|HYzCz*t*#^$-DrxHiZ`Mg@vFX~sl%?r`PIM^t=w=f@9Ei+8Sc!bo#G-~bh5 z0Md|QNHHVw0O=mc1D?l1&A8KLwKGToLxcm2<0us%U$sNY*n=Pii11u%Dgiv|Yl{ic zXIM>@8JRG;?W4%9RHRL*3H7jZUD-@c>y!$c%Nj3|k z(8(}B00b0a0V7O+AXG&>IbgpGkUnOZo=A;-EsVa01B`JLR8!Wr%_0Z{L7;>{UOJ7Y zM*D$R%IK#=^T;}y;9aAlI!8LjjtGz!AQ9x4iU{Bd&+{G9O%M)1AaGEQaHt0g zJYpOW+92^*5GOEPAD^#cf2i+^o70h3cD>KPS()8ddiQeiWAWL8(vw@|yXPw>UlpG0 zDL;QZ_CsaI*`>XO4>#-g2Ud0zPoG{rBaa^bDz1q3+?g0tj$hvv7!V+b1rC!WtPCo(TFO ztW@-M#3mD*4ZA{yF8JgQ*y8e~eP3SWjuvNMmQI{0&CM;|s=R()+I9Q)f2v$M0ajky zfBdkcba&U%vj*t6-r`;MX!S?1)tel7yZtcz=TRm7gw5NRWWN`8I?}}%4i5Ta^ zxd)495C36X{(9m5)zbZA%9Vp_w|(W4kBX0<=I`cSR(9>qKh)*l8yanf1ge?w_eomZ zUfB8SpZVKsH}VHcM~^Iju6#Pp#n!GZ@6SE8k)AJiR(DrZiZlXm?Bm&x#S|R&c%l|J z+`tfH@P7+K?8ieWT7`qxox)egvYq_x4}be|yYggyFcMg~S-!Wg z^!DJ=sg*I{OOu0qX4JCvF_%v}xpJoR?6RF@ez)|( z^v9Ja%WsQkPOaWvof}@hynL?PJ5$w^;GN_tGD*ty=?LwQ*t>iQuQS5SZ=QM#R(2H^ z4z8Roy}DF9v^&46a^Y#^>aD?Ww;gl9V=$s|X<0C(=OiUV$q}nJYn}#e_$1#rOzM(p zqdb#IXvg=2kIohPV=l0rvD`u#fWEfX5OYr-YlDdR6I zC!hTIabNCy;pH4CT;EAoPnDkS&mUcy!^=09?zC1FXYnD~ik4n3z3rV@ewsUyS-SaK zy84i7eKaEf+^&_!`Ms4#x0jBV&fNcg^R2F zw;YHyqEv*PygLAcejxcFrBtY>DxFDx(_Tj_K38k>@;Y;~;9rI4s-jXrt?0}-zq-5h z@U*#d?bPb0(yPy_S4(#;E$u7pn_oFzIq|k|>DJ%NkMFPElRPeux>m>C{+1$`^^FBu z%3PD}{j*GI`GF2ST%0dmyg5*Myle3|+d?lw3{LTVj#NuAwiq%kMZxyrm3)ICV2VUA z8Wt7V^fP)6>D^E_JtZm@?O76#n%1qK3|d+x9mFvVc~A$r{F`D3EFDI(@@~HT^jPlQ z>aobmEG<1bRyubsH=Da-DIa|q$?x9601Go)Sp}n`N`=M%!YW~4S|k^3hDo28)b`?^ zZOV^FnG^R#I}F3jVBy)_%JJFq&IhH>3zg@meth$(y!U8n-{sYpmDfj?KP_MGGCSyD2Fln`L`RNGbmxB+H{CLDwDQJeRx%~a|)l+L{wr^qT#hGJjD`T>4n^F-A%YU7=fC>Zw#*7FY|C43h zpN{e73}!Yq3gr{hcTFa4BKBycwMq|`hk-A?T6taGw*wch-N@Zpe$(yf)rVq3ptWwJ zN$*$1*sy#gSN@i=F!#(*Ja>8VZ0XMPNxXD*vUu@X>3+Ay@U&Z!QM*TB7o~jfgxOar zChZwLFquZiXBvX?CQxd}R3t5UnwL6my7_l1@^c{H?PmE=xn4TG*ONcyUwl`Y`^^8g ze0xuE|3mxIp)P|m6dX&An1)+hF$15+C@*%tzxlVqj+e`q*6vrHzAnD*HtIkV^9F2^ zBBRmdmJ}rHbeOftcOiMTY;nGF;;no6_R1Yy`OHG;-0sS?V{6BYkM3vI&bX*9wYsNE zkBk!uTd&_9k&3=aYp+^TLfmX*k|ZOf+Z0*f2Z#xI1KF|G?<<-ZDObReb=y$0ATp>k z=)=v+fVr{JOEwaHDCL>)Ov`Qn8(@-7voUU*@d-hH^V*WZFg4SC7RURvSvT>t@VQF^UbE!Vke*RVbv9Sj&=)aoWsa&jx7FkxPZ&0trRnG- z0yfaR){LkL*SxaZu`?|ji!`3_Ca~sTJfN;h7w-CNtSbiDBS zakt?fCO)fDfy7fjrBuu$GnOt3)@;~VtQs^*bR$2*`V-`rUjA-j?os8;?xDhm=WEwi zu2t?m$(<1vFR#sZ8P{n4fMZNL3&W1|)Ks6;TImlbry}D+)Z1;e@L0;&=TG;Bm5O1v zbEdgcB{Qs7i+k&;cqs1wzow2;pMxqD3DrQrAGGva!I)m=rCa4>RXS~q|7=pQBRVeO z{g6bzpU>SYetfces{Jv^4kms^DBOSi<Cp0*8^&M%v2b*M`ToA*fs4P$z25fiSn=upY~}F5FAsmYg`RLRqh050DYTAk z{DY~WQjwmPzDv@qQ7Xd2vG&g;`J}yZBN1Ij$0j#KE6H?b15J9QrWqUp#xTSX zx5k=rnQ^5eG!#zxhMlNyrb{GQ&Bxb?SGVrel!TU5A%Rj_U9hFdvMRD^3z21nw)5)R zlnT#!yHlxXpD~&8c$JDlUdL%;x~i{qT5#(pl!}n`rzhkU<;@-C>1bb8R1k8iY&60| zS$L5Zh<+bRBcc*lFg{@#9I!&U6u*8hJRzz`$_l($a^B6u-p2Hrns`_bxk>k`{JaB9 zWaOgXT4LOyBfK%381~dG9d%b`KZ1_1R@b*tw)IdqgE}FZ`bx!sNTHX5V|NRFvrGuC zXxJ9nFeHnD;I{FtX}h{c!Ht+VYU&aMXSO$FpiRQx(y2jxlxuluVG!$d0SdgEym}o$ zK8f8>4m)1FvA4f)<=~HRKIeDl&Ut_T<&J4QQh0T^eDL+^nJ*tJH!u8bVDiz7F1#@) zH8e?VB$?h2h3olY{mD?w*}owjHPA^br&lk|(Nge6TVGfYS z+1v&_7kxrWRLuJP^@&Ayvnyp3U8ao&IL_%@n!x7o?H2+fr&{g3lfb46WE0-0mUp+C z;1t*P;-#~5UtX5y9#x*-@BZREVo+cLLKs2-a1|E*wE>OB-odOt5(#bShn9E^>@Sy3 z4N`>pj<8b5A;cKqQ5&k%i4p@s&Cwwb_wMI?hEcVru{>%+HxrLa>hBRCBaGu|6G`3} zwbQeOUC)nkD8sEDS;cS2<)wTYN7!qO&CWz_h=PdJHrCxdw_}nTTY6Hw^!XP*CBJg7XCyX61IA{7H9Xe*J2Qq7eGGS+?>!I$4sbvK ztiz1&fgB|qgCQ7AWh0guoli2~$1HB?dV+xQ7&Z8!MQH_p<0~w@DBe0- zI(y?+OAm7Iws)T7kfW5RpdK^Q8tlMf0dkDv`A(CZ0fsQ*xGe=c^gtjmK|qx8f`B*y z2)z6(hnOM830T-l-e$c@Jw6@x)V7b7;Lpl|{o35kWcl1XnFqIRlYQjTspXr=;*#KLZJX%>;d1)^{TBr~2<|L^tffA504ssYE#1P_nK=H;sZH(D10TdW> zjB!K|7)QAECBStKm+hQ9zlTza0cfnk_Dui*#sLmBvZsp!oIE2olX(c%X~twXg25Td z9^itm2@MOY1Ja!U3z)|QG19UVl%KvRE__awukZe4?%LYP{EOnN=Y``>I&TL(5K{~h zrdamWTi?Ag5-1j6haG_zI9?#EPD0-`(IQ}&5F${3n1BJ`>Tu+CtSgnAi$ea);@Pz;qIzxNczt;5aT2zS__`J$5u5Rwyf)C=+N9NM z4`%t{4(%=NDjc{yR@wKoc=KH8-40dx+^)s5qNXP&jar*zCCUYg2zu<4$qYW&8caJ( zBn&97-dM~{P1V2GKa?cO)|d@sMx0s`N>wkzmOlMJ^{=6EPqdvb#V%GMEkl~v*iX?P zoeo~xqDzgt7?M$=nu8#xK#EjEXtmIwXVjA&Fnq15sA9-JW8A8?m?l=*U0odYWzFL) zZy4xJda|8gv92hF%yMet%7e`6Vli8REY^sTy!}oIL1|)%{8cKcDzM@()&Wr zi5A_dnM=Hra>OGJ3lu`ia};4g5bE*4U#k?_{Rw|K;T0nYBnUpNNpqUS=C3p|oHaV8 zTiz-aYk8#}LJ5PcmZ`D+HuXI|Rk%OD_`2}sZGP`)<;;VnNB_~~?bjtzzy!)D!hi{U zEnmXdYKAk~ndaX{wb?~GoR0#9>*odO$gxtT=LQ7h*5fgx>U=C3rJ5iBe!ay%5!Fbl zc3FV~rot^}Vz6@H$XI#dYVq!E%daXo_il0+@_+~cvwBc&s|F~n4;@0R(^1$1vA`3| z3w0f_TPQH#DPc&U1R%oW&MF|}1dORbsvfX<44j|vChD|UHdh4c`Uwm8`nT9nv=9do z4;tU7R;7M=EMw6OMOqZC{NC*ER^ArR9h6t@1daiS8(hx~7LlwMy<jzNwHt;?cbr|hx_ z3}qbZ$*g-)vOGpvgm^=$K1l<_X^(J|QLACfU{19xk;19#g~to!`=1w2mCv0l9lE`= zpZvA_@K9yvqvbn=Bga=3zTDbm*CJf%RMNChGU0U;1}WKuzZqa35Wu%&e)0G=Sm zuRlPcARqyD9<9vXT$**} zu9Pl+{MF)z!tA-F+l$9lUmi*H%bJqW%3t)L_~_o+(c+~&D|>{M`}uo+C_dTu_x$PN z$9-dK7s?;b6(1j{I?(=&{6^b6pAEUo#Z!9=4=$}fSi8P@Wo54P`q51J{;n-)i^Tv{K&rpn7b_>O zEWTKN`W;ufG8=am=MR;4&F4>Sswv7w)c0TnfIuiCgy0(Ug`B1+$EwuBK|#PA2RMO8 zfUawr^rtC`P=E+g+>r_c0m1=@5ox0v8}rsJNV2Ow7KnJl(_@k~Zw*-E8FyN0A%y_) zfP-xY()^zPtX!B4Cra-=<<2kP{oDB3qfM4K;c3;3D|;#u!UKXR?RY41fDpp-_3-5` zYa0p>B91@|FeG^WRK%V1LjkXE?bTtbM*4S+^3NL7u1%H2FMP?-ffXg@xrV8 zt3Uq!$M;8<9~R!;)^=AG^=hJ-nid^36Nc14+g;I^KW4Ftvu)0dbkiw^eS%w+vUgDM zwk!U(c;D+%5_k38nS3YsCaOtyKQ<;6UUDQfAsu3ooI-ROljgn4hyH>{&Q~z)^ zf4HO@L}TmFh1`qMmD$3h$GXfv3y+U29x~>x|3~Hg+5F4$$Ni!{sG_Q_ie|swGBVNL zrT*5=*vzRZRfq1Z-CMg;`S7{2`?VoizIVOwWN-QXIZ;1`Ez&l(aogHk%w){N0jpu8 ziuMrexYLu#2!n$WiK5%zuZ?oUZb!U&Wog%5>xXzFnA2p?h|;QUU44z4iK9ii(>e`F z8QpH{4p65WY5TInXahnl(r$;b77Y!dhOEA2)pp7s+Cb)XQEXG`$!Onjk`6R?!H(K3 zpK5t~|0b{A7<(Zo9{b?*PZ{_~ngm;#w)OI3Gj^HwH?J5hCF5%^fyymZh62% zHs4mqdo&j8KGGIj%j-^<%$tmLSEe*E=dJ8uHE7eY7hCE(Kr3rn+f$o0)!RSeA1A5q z4QkB;BR-9Mi*^1hI@O-Cx5dq_lJ&8_I8;3JEccdQI{M%JKZgkgnzGCzx+WUyu*+?x zjo0j8bBH8t2GvGDbe+r1zwtq9;=*Y2x|vF`a&NEV%iF?(>&2rl8k44z2bywK{vt*x z&m*2kRQPFDmSHh;DKR)?*P=vN?2eCR()P_?*wFH>iJ&#o^0K`qjRQ{)w7s&hGP`nu z|4rfITrjzEr*viKRN?mLf#UuXU0xrpt0Rm{QGd_$+7Q$ zQ@r_7Svh&vymn)v^zvY5p%Nhk0LN2VuLFUM36y}2u6D*#0X22yu3kulF(VLi5b}&C z_57YPUPvBLo)Eq&j@OTEux(QdOAjQ3^1`~B@Qp%bkf^0cmiV>>otKU!X^Oe^Z^r~eIe|h9G2h8?B`^j! z!h@|C9W*9jGmqAVVyPA2eBt?9nJ2=$tkq%ruZo`!=XNh%EbhKsnyvc(Tb~^B$~`z7 zEnS^m+POMk+Oe-2*C6N0dYxcm#21vX1!_Y`-O1m*`+0fS^TmaK{O3UV)_m#epOt5D;J!lV|U88KNqi`FDyJRzkHOt zp1=R)ZRyml`tsYbQHVKRn?{P<{o?G!KNmji9A7>EyKL@Z{&eNSgO&HopO%i5ZhbDi z|CqnC{IEXMUt_Ruq)I+i)>i4*{-{k#bo8qmEzgkmGg5e_g0P4bx@2=HG zCfhrMW~^RIs>Kdqrj{B2y1$|N$Y~>W-wLtBY96e1{h^_Tuoy^u)24#dp6}Q9PRl;t z&V#678$5_JVpZhhrL_x{g`?lu2V6_fzs%?FmEN5xJv&;QfA_tVGSNBZuvrFlpoKOu zkfp|Ivg|5tqBCe2kJp=8*LZ5caS>r-DgirCD#jgFi#QUXF%av^zCHu%iQoMmU4Pv< zG#>ZW_xhgtcEAM&QdA|{A#7Eqvc7D5(pL|#YTTM0ZM!Yw7;}cF2V+SnYOueNzoEUg ztlllC+iEczOabG#Wnx5BiDz=sYw1*tF4k6u*FOABH3Rj=t2ZComf6<$3)XE^)p4#3 zB&+8CYI(#IC)ycP{UXSMb~>qwch!y z3hGhQq47pyDVIi;yKr4r6V}COSq4lY$}2jPeKL@=?WVReF-gPC_0FhzC_-yjJfpj{xL3z6!~bJ2?ocLUQ@;^p_ZN z5b#*wd2U^cqgW7R=@0=HI4WSkx6ohe+sH4+4d%h*02&>sInq5r-K1Hm@bm&-Jp7G9 zk@bXmt5RW2`ZF@rmlody8doaD936NsJq-~C3ItHXm>@t7a8Q6e+xS`K8xL(9M%(|k zbR<>&{3&;3dkb?Wu!)nVEn)=nlol z1J&y5YpjPLp7NL{oWMgwag|IsmWfR?S7F2CHD1Tb)@_G_0WKl>o!N#b%n`fJE53)O zt07;_d-}vb#^vZf2NM?SSCf504q}c$TD3B?t{4F`$OH}v()AKfSe^2#g$#?blSmzxHhlRQE1q=xv9w1j9S8vz^?eE_45}{cDZOf`kjYq$1x-->z9Q zn094+LP1I@F76TtqKQDLi?0oYvca6YZ}&t)zIe9NRYHL{p$o@*R|rX8I*3G5 zWHbdky`6|;UHsn^)f(|Mbc%YgZf_{vUi(X;WT@K^rP*oow<8dzecq%i?(K<>Hx`PE zlA*rQ)*ogrDZ$U3Bo*%;^S40VdCvoxpiooJz5eB`T-rSUy88<@tb0lz_RwBuKGT1;l7nca3bDmN`j{m< z;@W)F;~gr!`nHmt&8xLy-@2t+(7Y{eSEVq5pSSa>DL2cMx zSqnj5+!D{YvZ0JWv@L}~!Rq-q7u3#sPE+v^t?eA3`w zi%;68h%!0&7`(VAz6^aUQ7b(B^kTK+&xqE?Q)>t77sm05kSTWUM$nI@%Q+UHG$uFWv{F=3;HICQ)D`Q~?FVt2u2%93ENG zmSCldP$_B3=cWzQW^Qew{G{ZqqX*U=(d)0g@~uPvSwHe-pLxl|UBRHx#t$ev$s99dajd$oD6b>dj{+UCi|+r!~KKX3m2+B_+%;cKfVL~t+ZJ0lY>o*!t=YP|9e17%( zU#hno7amowRvwRA6XHXo21$OZ_vXFl&9_I^uC4u`tDe}}+nihe{#Sw4{zF?!&4+i_ z54N6PYwWvGKXS8naGWS5r@a9UD+NJvGoIkkgen7@(maA4|I4ZLFUFJ;!qb^Fn|WHV zq80jVND_&-f-u+dBCHz8<0J}q;^Yke(-Y;SRVbi?gQaOl7F)cKH7B)-_#l^`%Fv}o zof%PfM32<&F4W#Uv{j$CUcA~|s=s_PL05!}Q6dl{WSnF>I!O;jOXT)K8DZB4Q3wUQ z9lM9y%<3B^U#LB4PYql&S<0~?ogLCHP!!MvhNAROlRdr`O?#kFAkP-@44aqQ8A9~h zfHfo($SgTC=cU(>B@xO?x=cEuz-W>sbnY-LId%<~#ubo+S0pNl7zs{GA!0032n-m% zLS}fSH-M-^MGzMXqAm&Qcj);0H&m8#`jp^4g zv3}*==KTp~ZiM0_nACAjiqGd)h(u#1qLW2w84u-W!YIi|(FL6(zw8uM$(%z;4b4x0 zAyhkD_Rl{*MM=3(pvaWG5D#L|z)7FrEpK$pOA*2JSre z&cKL)Z#ae7AS&cI)1~ z>b*(2Jr{7Qwed_+C~#Y{Sq;B9D2&>unkG5o03eBzB#j}&&o2#GG@93V%F&2Wkc+Y2 z6v76#LFEt&1?5bd2u-k}u*@w=iK+uY%Sh46el}@9MKZB2rMCH^BgSd<@UK>%tle)t zy)cO`L+$3S1Ek*O87|fXwTgfl9Z{xq^UnI`*1d(+gY&gBSJ4Ryw#lU)uTC7`B-5^l zK091`p0JK6xq0;I=8N@{&DR&JCz|h`ZQQNQZNB*N%W2hL)^4@-pIf`LvA6Z&MC0bW z-%U^{V`9u|mrlnSPl^b0)=T;2no#&X4z5&V6ixyFk&f%!KbMOiie-75oYzihEbXl? z?q7YedCT8Cv{*eX&~kq)O-wtb)}+^>w({n%=kJY$+q)a@4>sQI-MF#x&KQr5Gcaa= z+)|?0c9uRSGy7cJ!u?J$9C0Fe`2Omn+SB{lzl(-Rnnf=?!ap9EvGPlp#LaSiU(|ay%pl8@GSG6dDNG0H|7sc zugzBGGxZOb8#ga+d|o@Xd9Zr z#91FT5_wF@AG(3A9NOHksC|66{?Y$m;l`C4<+UIFJf`0gc9hPsQv4okl$8)2*N0Ld zk(Gpk1dO3+t6HgM#ZO5=vnc2g3M|Eu8<0LW}(=;IA5Yu!DcX|~tB^0Qp zZ7xR+#)7$RJt8AFn?0qdP>`~gTrR|-k?>PZx0|se({$VF?f%2yh5osSpi>T2*%%Zv z3DKevFYWSc`i{^8|6kH2QV*inN_Gt)Zb#s4I}ry>CRIwp5Fnwzpx5?9ng`3t#o01Z zwwj<{q?MAv-aQZlY8ybOd-oIkFk24DRxC9t@!s`656X6cvE9vd*X3!U#;>xo+Lu?M z7BPPVdtI8c6kx=jAM~nCrZBq#{;%s>UpQya^aCz-a-MPI@S(B?=$D;(7wXG7y((hH zhI=>RqPqchChT5SZbq3V16epp4|`qZl5b|`UXJFxMpcs4RA3BRT-0z+cUs#gn^Sr7 zxL+m>#tV5%X3*o#;Plt^Hk7E+)=bgBs)O4R{Knpv=ZCx5hDBrHG7*dC$~$)Uj=f1| zEE=(Y=iZEk-HuF|)e>jfiJL8+eV8Ui`NGhOD)Mou3f^)QIP^T2TJeEnM z!cp-q9wKCyIVb%>X%>6dHg#U z9n_W7xSw0Fx9B&aDw9!RDKNW&fs)Xd`hVI|{XchWck>`S2QISi?;V;bfvfhJ4u!LII|>=ao@k=OoQxacr-$?Z0DQ zi7_G+sG<>AkcLGCHi|@%69cPRlH}RwhkzuujM=TGI_p0VC}Tz~F%rEarvWe{D6_IY z8^i(_e3Q(xK1plyL!W36i350OMs;*Wxs>@BE{+6%NV@+Pis6{SW|zhpGqlqWGE*QC zBUEC8aZ>n(NQ-|3e1nK}{{X=-KXiiv2#x{-q4}X31PutB*G+t2tkl2j?ffJV+81Ozw@wLV>F2(5a9qdijjC>2&=Jsw@{$tfnlgJzO>gS6gcSe zwp66m(NvJM2?ZJGHEw@C&@-u$2a5{@lGyex;})4>dW}$ES1RP&;|zp?3?d!}<(MKd z0wocgAaM+%ae$$1{w7{5$I6}RkOzuTkfZ?uaRMR)z;Q^m zU*H%(Faje;iUuT!ksa?v9{2~FvxjsC0OMtzz)RD5yMp)WDq~Jp5$MMG>*Q_i*zA3X)t)`h`o6vEi;at4RvtEEJnUZ3BUi)LpM+q)v#K0fYJci|z8B&xC6W83ZPLU9QfAbokbi>(Mr#ajPQ2c2|V z-d}H5&)|Rgdtu|!G*+EmdARjt^-b&3yVbiMdh`9p&CcRKpq`i#G(J7p_@VoE?cl}# zYrZ?scze)R+k3WhruFJz^T65KnP=4(KYn?)x@4*^pB@Wv*|TByox)aRNsGMs$L*kAqfDQ5X#Yw!NDI1S2tkVF*9e z1#3sn>BTBRIan8rfpyVBPcSW?1nh##Bi=|LAQTi8We1|phcX?{Rhw8O3j_jAp`asq z8HrXX@T7A;4ftY|g(rl*q*wPf?pkng%cW3J7Pu3RB|9NY^acy?>L49edwRoUc zi+H50n6^MxEoNFLA61uXmu73v7m}&pRF76qXh+nELU4%S0N?NTVc><-yYZzkg2GU=8*AgA?-cEkM@kz0`-s|$BVz97R?MR|rFcKz{GtBk z5U8GBJ+Zs?YiS0n_h!*r7uQfP%)8m9g%3GU_ldB)M7MmYFuU}q&P+g9% zpBYm-B7^&+WRaC-n~6A8WfP91i|iZEvLtTfR%O~%D5-QBez-^N&9bNQ<%}Y}apiB- z2P;q49@nqGk5;a3J*Y2#X}&(Wd1>uPXiN>|`EscMFu%nqVWr~*XvP#i1uHRT4MXij zgNnOiC9^FbEb>--ZU6c!x^?B)ch$GQwKZ>_sU1IK8dFb?K8KxjLKMw2xTZJf25L@*4}9Tvy07#f!A>5hKg zDh-mB`IsIQB?n@hv7lek?41WbtBSZ_c+|jC_1TNX>Lq;jWc99X0s)9}o?YP#>EWaW zBaZNJJq)=KRoFVxIyqZC-8?f}JM=Cfo1hY?CC?4095jkSL2WN7Ly&)XooZVtPDE6k z0iFURg#(1f2=tq`<8SxGP#gSCex%~s&B|U;u5smB<;ljO^}DT4kN;L4vpR*cS`%Vs zC51KI5>trM7Ykc>%k;I5ELRRTPw!oQC0#w)crrJpz!{?Cld)0))6))Cf>IS%mhAyM zw;EocQM0194{Bjxci-@ww#%Y*|Zj{1|C5TH^(_W1Y+z;TBZl2Xxi;oz>PJ&)1f2DF3oL z&S3?x;ZbR;L7!ozcr8ku+Q2P3XaHt@f0^p7)klpdduz`={G##dYV-4hzobK3_nRkf z(B6%sV=9A7N%o8&%=REFfi^0~N&IfOTPO&-QKn9*@@j+vy&;S+RpgKuftF+_6wV3- z(@E_ZflsSVFiH0xGiv(h@OV-iNZwxD(|CGCMXp{GuU{0%YY&hAUO3LzNo&{Rl$;&0 z--#H4sDlk|p7z;>78pm6zY@O)W43YS#>_Fo8_^Lo+ud*&MoaRWMfFQhSMHnEujLcJ zA5)S!9muBH=-qNkl~H-eNdzUsL_jU%_-vDyDr(gT1uj#OxhLB|P%jh!C5&LY9hRYf z`=$iw4DWg*m#4B5tRy@Fyjv(JM55EoC0jyIJB0!bv-K8`EDHq@kqkufF|wNphKYfv zUc!P_5}V{d!wm3C+?pK!I(G9&^X7c4b$YgPtA1#4 z{YmTMhvvJdl^+_%4_5Dw5f(9N4j3plYE~{%nq@kZFJoZu%o$W&pzK3y9KbODOo}01 zUuEVdr#*->N3$gu=w&%8k_%;G7+&4KZj<>G)sg~Gw|W_> z=|bFQk_rX!T(q-mx(f~&#dt2^;r`Q^u=HXi!rzVuh08IN#u&jTr&|%oVk2M^b*wo*U0cj^HP0hx5{ zsY*+*tQW}=G%>oxz3%n}O=7>F+2wI%?pr!MkEuMac#cyQuU0=z^VDMUfIUSWWid!o z2w(RHL?wlo)Q0h|9RqO&l}FmRR)`jLBr9#*E8ph?%>Z5P$t%k zhQim8J!<8ovwPGzBECz0D31x^%M=osum_I%<)Cn1Fc_2jG>)Arpc!^;=7g7tIBAO| z#usB|WACJaWd^3`h^Q%Q6q?FT{ou5>bKzP--3HA-WIGppk^xM%AAJ1NzSU#R^C!1@ zmeI&aF&IS>5J5?-O}dtKsFT;K^9aid7y$RIm8Kbh`RLNLHpcW?;wD(TWdR@{u zJ-c?a_ThHrRr|%L;PNCzk_6es?G8l-MNo{QAqqQYy;3NiVq$?S{ATP=3K>xWH4hC&U6(I5S~!7+8tua=5j8*ge43! z$zp^|vNE1RAq8+qkrYQBTC+`0VPC`Mr@0NsF)!?Hr5D29+YKqiqDiozhIXbhoHj7CsM zb$OnLT)a@wb_Ao_&Z6VOxoE|Htxntva>$B=vT@yO+q@QPow#AFFFmMVySje4e(7@U z*_qn2dz+{Jz!&L7TA+(EH(zF9*N>kcZ=4?&uSGoVu|{mnP2A!pOvx-WC2k9mm{}W@ zlx7CWZ0ciyz(?dg1w_gGoljjx%FKj-dPEGE+QOmDGu0oon@^et?=&9VS-<@=hkogM z>umSouj)tNw6306z1W<+@O?jZZF%jjwz=^5&xOW|r;UYIt=ngs7v`Fu&l9zy^XpIh z-__oo*?7CPclE{E`^|mzS05F<&4nFarnYpUJDGQmXIndXt=pgcPC5fkh2^J1AqawO zOC<_unx+wo=8FWw`Ekct2Lgn`5S+wOgdj;k!#01$*N3h}5gMR?K;Ve=1z;Eo2n-(z z3zZDx>H^;y(^*l13XKipEGQU6X%fLn&Vu5|tRCB3TEDxscje~V+1m0$Y=@181{6u5 zL^saWP~di)Bng7-Mt9%~K#gONpeYhevUcDAA~-~dZQTVYaRQ78CpNXcs*n_Z*Tj)CYnph>Fykm4+CCW zFCH~soiO}c>&W%h6RYR#wHue#KDCa_)vwIgm+xm==Z;pF!p*z)Rvs}nHjCUZN@W6^ zxUz*VJ0uGV<5p$F`t}(lGlq)PA@-=W##B3WN?*I15)=aBbV;rqsK44o+O6i(ep`pn zuASSu@rT;{(r@JH)ki;@F6`u}j98wdF4{m|%D{a0#CH8n6wQ)LwVbpdyLp5v+%w4fm_O3i0(^i}W6bUhuLU0P{M3Mg{O&Q=Q zhCz(#QpXIhSSSK193T`q6o+c3`1&@AwS4JI`ea&4vNHB63zAZKCnXriAc^BNAo&+3 z6hU#EhNIRdK$C6U12vIiGlc_^L@@+GF>+fC#W0BTuTE`$ISOk7nmf}uBQFy>>cId~ z6iyNd$<~7-#gs9`RfRFQt*!M!wsaL?qmH8luf5qkS2^@8p$%j4{-3znDG8@-dK;ie zNC%`)5<;A&MhM3gz-XKRkiv#GG?jx$fBD}XRN`$@2199ze`7;%K%fYMjx)=w_QrM8G}l)}5M9-`ea=X~n}LP8oP=>GZfAf}EXRvNAE zM)6FaMyneR5fcTuu}&)wcGx~hK=v2^VZ|1wA?%S@4$psxU=#(>$@JPO3?dLk0S#!H zz$qM3G{0g?;Uq~RM0-t|JV2o@kVX)XCKB3F*{wcBThEUDrFQLMN!z?}a_!~U=(i4C zDF-|~f#@qFatNR)kFZ{Xr_;d5a zF-Bd2t{g|VMsZsT_YGGigqmfc;!ya;TrM0QQJ4C&4_kAnRz6)j|FLy;VYlvYtFu$< z_cjmKKK{U{LL?fu2ZQmVI>N4rNmd-Lg+z_YW3iIM9Mo_$eXS(#6uBl2m>8e#VV#Fg z)_dpb0nC{c$t>+{nKx)6;Rx|&F}l=D(xHIeNaLdeHQMrR+%a#N;-b{;<13UO{twDd z6*=91l=lD9SyH-qKAd;Ec!&U^Q8ljMCjr>Kn}zR>SvcVSqJtvM;U2bM6i^3A6W9@< zuL*9i`Y0|jYGu>i&?m_V=}!p-yV2cjOuo#XGVWyR5x4hz*gfv%p6){mMNu50D1UG_4B{9?wl}sh8xx8Gk^mG95dZ-s2^6Bd z@eolIk|YWdngg>hh=)M-p`cJuG-J{Trnhg8P%)Si3ff+rWsMOE1qFFH?a#4c^`?YS zP;jYdX7X{zE`h*m*UJ#0fR+`lnQa*jC4o^PD`)X6DQt)990ReZ00MB51}K7|6p0{Y z`v{sBVPARKTHd>HzrM5_{A=UD&5h$*N09Z|`q|~isfF5=&%YCGJh#_B9OdBsaFj$L zP5=b$7``-)PXx1vD8Nw)r!WLTPzu2?Y^PX?IKT*krYO99*0tRVvJ1b52n|S*#2_FE z3PFicQ5GGEj+)WEY%jYaC?8PX<`csb{k3rt0YU-_p=p{A_>STL(gcJY+&dofLZw&D zKhyLcQ%i&__iv%={L5#$CrWcAp8bTTc{Al+n8YgK267A_X*6>46ngleCVJHr00zib~|NX_3*ip3-tb_+c;M|JS-@bJ zQSyA#g}9reVk?G>!oatY(SD;eZVjkMgh*^R0x7wp9aFiBug0^g^0Y@Q?WeVK(rV(` zUJ4WB9#Tz?aknY^VU78K?NChFIy&f1z;=r>F2#Bd0sPQ**x7R!xOR^>FAl}K+R{i| zd)iP+0asMr@t+utZ|jn}KNA+6i7s!=&ekv8U0-ay=ta2O^ZnNT`ni*}N00t6vw5od{7m(r|3B)d z=2uTOU!1O7`uplx|DIj^=K+k<0O<}ua@G#f3-n8nI06ZhCQu3hjHcVSOk;uM7(^jK zktnvkwE!F?s1Y#}vG(afXDP)2%?+B^KI84cuw5=y%BN3Ff+RO6XB0v~E)5MGL3J98 ziZmT4>P;Gi%V?pJ;PU1(Emy?qQRIKc6e!0^8 z{K%ghg(Dw8n6ZC;n6?pMOE3rv!SaPa`kq+7^luycTer_|{qVQesSg_myC3!;SSUgv z1W6Gj{Km4UqY5K$>COGm|Gf5E)Vy-Fb>qzDC&lKQ=EB>R8~?%hm^Y+X*(tLo*uVob z8^$3wnG8ej)dh^7bvaXg>YMpXSdfhm4@&JeH&oDu5bK4h6xT}qmN+X>LPyFI z4T3?37?fsSNu`vafhNATWNg`h2Ev|KO96-_)43pu>N7bAUMxD8= znzuBfcJkfoyKxxMbRxjbHKoyO&GG`xzd$ZrY`wj>erEMS{r$nM{h37d&BpW1_m$7h zcc0buH*eM+MVlWEacZF{e)PB$$!0l883mNFg_9Sp&tS3N3DloYnbi^v`cs(;G^&7DC`hFw z(4iU5idCXmV$ zcK>Z_abNA?-0H`*w;PLV&nKvz1>q#@=Em2t*{8z^u~D7&%N&zPgu#@SMX4+z6a(Z52^Xb*f(~X;zm(Az* zo9{pHtSqcJcdtEf9AEhLkb=ao-91`dxm7t*U;gAQSpA;b;ScMJ zwZ}(#>KsdKyTyIGNSPCUguljjW`xz#m6P(?$pekoPaFFlG#B=+eyD%k?;q1yVRMpA z!V+*eX_YF)E!vgmx9h4OH;&bA{qVc``OhnN$4Rgr6odk;8)h-z7-=;}R7HqOV}r0O zwAw1`KUiebwx2-`0|uSWNa*=hsmg5g%C*M%1C1BwnxF60mu~;Z=DGFH)%#ml$8_mT zNRj0m{&*Y|f1&{JpBpqTp7^eD`rgXBU)APskEvXeFdN4WlLzXxMzd2W7#Bka7Smc? z|0&~=2P|c?l)w;~^=BBJ5wo*#>VCNS;?nxFwcCyP&#i~IHWoKdHTQis{B`ZlpPPqX zk5jrSw$g3JlO`3n=o}JtD?MiZxpsW@aP8LX*3}Qc-TctJad-XQ>cje{o8SGS@@#8w z`giMx>Mv#+3rEIOBcHJ3kev|gS$qG_oHUS4NO@&yH`x7CAn3ibM|QZI_7xI4-VI4j zfI-JPbjjl}=s1E8VbB9kn#dI}vrw>Ip_EQ2kmKHzCP7kpwZr+X_;aer#Cf}b8qIo* zIY)?*8YVrE4?W%ukV9JIUO(e=|IY{rhb2-S(|2~%F3fsnXE->fvt$y^h*jBfYf!|o zT>`c{yjGLtfrS&m?un6fM$}Q`yVs|Bi#auTo*b;4^J8w3ihHTS-ZloN46{*Zuiza}%4IafX|*ewP$4#+MstwjafO@N z^(qLyrRU{YTIJN?Qah&>l->a)I`EVFURuhSEIPi zG#L+Q?Bl!LB=b^g3Cikv28h zzI9`7{ltOhh0~KlZx{kL1XRAP_@ne5kd1zF*z{+vcOQ z^@Eq|%b(YtSMM}#&HiU)ZuM+^|MAAf>%^Wh?VUm)4KbQRAxWS#io=c{%P3UNF5U)D z2}FswSJi)#D1j0*MG$SMQRin|_c$72C`saNAagfFA6lYz#QWd? zp;6d{RQ1q4%KlRq^G;F#K~YE$Or57YKl(VIMZWx}NQxx3`vYT@5cZl=DwTc4&M67U z0Zq_kcbDzD1i50IqE>IUo}T_TRQ(hn5sF4B3d2W;-V}wQBueAM(0cD^sY{_bQy`kx z+gXxFIK(ib^_TjPqizW}N?-&^LxdxL&aH!MPq)sk9&4O*ukNqCyMU}O{)@FYY(f3t4~`;-!+fiue{j!vT5{H0>I6`CXIrx=Gr0xj^k0&ZYktn3GQ2^B`6d^DSfFUZEyvS6- z-J_Qmh%1vy*3y!t5LVVU0>+XmDQ7`hyGJ%oo!ns`12~BiG|G=X#3_s>C=4CBi;*~q zq9}$=wsa5#MNl-PaS{PEO5g-NVjIJVHrA|tBQOeTlt!EmbVry`ZQnjc?e(0i{$R0w zSgQQo$9TXx0Qz(4giS>YO%}Zp=jC5MXy^;ISX0x zmppXGq7P`=e8C*^U2oE*ai$FuLv!H-@Z;ZN$%vuC!!>1GMvTvJpV*wy$#Z<>jK1Uz zjkRUC1aJC~d{R3nTuRa+DyNr@w{rX*g=B`)Y-MH#Bd6E*q9RoKjV?UN?0*wxM8Bo) zozikSDCe58nS?Z;^M!Y)%=i%qnfwOcA&8cXB?2pd?J!9F;w)yGbRZ~#%HVi#{4luV zs7etIb2^|%%O)6!G;;*>G2OQefHGSSxdEs6fZv@7nLSd+PniPpbkOCdl4vQ&Hw;_K}2lGVI(g;nk>A|dQt+BmhJ zir4_B-sWhSBn^Yp!ahOTjc2vFr7Hd6f$)?{|qxZi$zrU?_5CbBI*{fCP%uB!C!4%V^#G+?@TGsyt|X zI@h>$sk*drXZ_{Mi`vP9rM0u`2P#X=h4(w?AT*#5NZ>sN6mIxc3oFK+{8@27t@|~G0+N6jWSZ1=v6OQ4^yjXvyXQZx|G9om*SdW24~~s?%*^4EaSWmm zfnBGbUcurd67_S6#W8>YtVbr;jY@4GQXWpJtw;OUuKxJ(S@ZfrWw~|Y&DNvfw=j6< z!v&ETQ}mxBBV>CDMF4?QG);_>Za|QbBI#lB4x=d`?S{+bm2O9fav4~XO&g++op*bg zp$LpC*pkN5mr&#Nxytd%qF{Y~{blX`na07lwI>INAKyK0oV~qqY6rQ->1`VY?dCcJ zorE}sAfp8v1t^UXB#yyJ;Wi!4c zFF)PttJ=%ciIvZZ>h;yPE6>)KHcr?dGqR#jc3jCPwLlBmFgFd zTgKV-_K+?S5wjTSiqmvCj+aIo^t*R6zcCtbV5xENc;)b) z;{Qk*yXKc0%_o-|udmn7JZvpK`j4#(TXR2ty54+xZ2j(!Z?CUksoraxd8*&KWA4t) zF?M$I`1O@rQd74Vb_^NGHmFGor2$D&6oLW>XsmZMHlEl6g@8tBnxr8~(ilb{1o(Pu zIx%WZfH*{GK;Y_bdh|)b862_7sQ{|Kjtr;J^D4;+blY6EKB#~z=4K@j7)3XYR zhYi`HUe4X|UOd}6R(W1K{;n~1rT*Yx{mtC^@z#~u-!wkXXWjJ!^YvTjrZ><2wt8mt z`T*K-Hu2sOH+OxYXo5sg8jRxom;wL*8j@f_>zhUZ0Ea+$zfR#0MNtG`7y{4{#6J{l zQDJQ z>TN%Cve$YIdS}eX*tBv=k5>^_=g0Ads5+|nFgJ!bR5=&Yl4~EUa~r2x2cOiAKh`nw z_v-`Qj_;CTbbatxTo@K^X|fT8fwfolXJ^;1H7;IB)DJ)Y(|Fk?Nw`l3RCQ0ob{bM zW(+ga!IUK)Vs<=+>t*VKC1U)R&KHS;+{2Poig52xnejuAmuR$ngOCmQFz45fgULMU z5TxWLdi)rOVw~oRH7bn2T!cckL!&1oo>z-=v7RZo6ZbqpcGn7i=J#@z7|NtO0lId& zJz$Y5c&RVX?O(gKdF;O$R}cO8`RK;w`kUh$d)H3=-_J&Y=}1y?ni>d5XB!+?`@L;Y zmz6~a$1J^VaP!pG(t3~ZY@|hxBNTxGngTRQ006q$#n&42xWW-pp-Cnx(;(itaZ-6W z8nY=x@)=J1QX0S9W%TL2SrMn53bREyeB0jmbmiA;cUm`}Z;YkA2Ph3`6eTbeMQIcv z==L?@*Iuia61kGG|1{nIOBGUMqUjL|6M<3)jzMBH10n?x3<3fSoe&h{YOOCfT3<4U zRoP5VqG2gZngl{g5+PYKHqADta2(Rx{Qx*xQ*-aa`q|Cp|1H+OoTGOzoFIy!kOVj{ zndTHk5tM=m9A!8GjA{q1Cdi2lCjuu(3P6;kae^RGqU(|{Og%$k2*8L=(DTm3PUMPC zojD}h`Gy@M2^>NS<(vv&<-v`3?*M^BQ3^vzz$DZR`;*+8_SWO$wPUycSUp$$Ve@M1 z{-o|Ke#Lo};R#Esev+ zS`TJxi%*1&`Rm_$^G`z@foS){g=c=yG(saJ96n>vg0f6EdUoWskTo&lv{{|%+YH^z zAtXo|p}W`Y{DO}n5TOYIBY9&f02+rFL6g`hDo`4}e4(GGtO zkK~gCph>J9-(lQ|0Zdzx(ui5!jWW$KvDK!nC9wA3uRp$<{ojqVt;Gk8m#+l%`7mN{fzD;AsXYn^byxRD(`Kfk!v9)(u_H&u~ zJpmj?9KU|*zZ-MsoVEA&8t3;nuDvZ+A4sYvij8NFO!a-oT`YrO!i#Yd2MC2AkiaNF zkOV?@gKkW~&`EFa&j?D<7`~kepxZ+9)ui%(#1WE0F)(tDQ4nGXg;7IBdjYCtD5}>) zM$a=J=}h2hTZT2+vKfz}pkft*ZZ`mfB*hJ2vFF#D`zqJ}*!;Zw8(2ScVCypZYs>fg z@9M|j{dA?F|K?_-7?TQ3wG*j}T~hKO)fW-H-;8+36^tNCXf#O1F=w2>?eB z^g>7zB!;#(^T`c${f;I&-B_5*Q@>jHD4JQU{46 z1{NzzJ4cf89aMa-X~d4vg=d%+RM!<4RrJZh*M_Z`|i)_Qj9x2?rjKYqEfakoDIsIhmU_Tp9Lz~;-={c~#< z>NghGj{hdrubs~=b%7KbS7&#u;cjv_w{lvfs55h_r!>#-)(vSbT&*ryeCrSU1?%Z} zLYA?Wuq?Bj5+UQ3lhC6gQZj;FbtYwS141j}p-}ZF6cT<0)#m$shONcM_1BWky_F>v zo9eVJ(-t!(q3X2AlC+iOnjWPpW|IS#bywe5??8kYmC69|VBsS0bZkfV)!h`>EffHk zsdGgu#-GCt@Y_;&40>k;;f}g15({YMN1n z7z;`#Ypc~~@=oiA^NBdRe^^ak6CQUC{W5JNvN`>v%&Sso#1FoLchyZqx_|Aad!Sqj zFI%agikBIZL~wwh1kOhcxoyj}sSdjb>^(ii#m@>T!-`6I z-e_E${r%>6ETuUxkqS%LJ_)s-98S+LDLA00}>@6 zisK~KJ{uXnphqy0!f*=Z60kyK7t1han#D@fKxfQkl1W-8%9P}tw4aHm)fYFhw9588 z9z)bh8k31~WN@@IlC0GY-6Ex_<0#0cYc0xW-1dT1q#KMd4`*v(#zRGUzUVTxs#2v9 zFWcmvV$?zKzi+o9k?_eASj^e=R_Q=Sftn{Ys;?9P~U~pCWon3d* z(fq9#7It}YeaG$@P2ZZ7In*=ul&o*;3~{)c2rc;)G_D@4Io3PC?+r^V$w+9A31Ls= z!h^&PgD@(}*k;t-xiL`uy*|Gy7tPKjwl_d>5IZyv+%i`T@$Tw73ius{U2N4yu9IZT zRFRtt4hPww5nrm1jpq8<1d~per4Zue1iZNbHyex?WMdSmkN{a~+X03w0 zFf-bX?*0c*)K(8}o~S(j_aEOr+kF0g^TPG&iMAWm7y{bL-TJi)jrlp(@2hA3h^?Rg z_r~K-$;!g!a$D~m z&27%EU-&H#d2OexY$EDQ_Zm1Q@cI2dPgW>s&3|m&yI5P=yZZQ#f7v?RnmwhMS^3!d z;azQMzINnv?dsjiqPF$w?H_h^_Zv;vtJ7PY;pts07LkW@ts{4;?`s#IWE*duRt^^a z2i^XEa}AH^0-esw)bK;jm<7HB`6Xy1WOdOYS2$2K@K5< z39(U@_CyCIvYB6$Ga{jY3OP-#KK>#s(E}nc6htx_2?$Ad@iDdVUK#?j+Z z|JoU4<#6rMIVx1F-TKn~iMidO{rl~`H>2x6tY2y^+}~V`?&9*-ZP%(0^u;alj4K<; z_(R*0)>b{femp{SQR)xqhDK!T!rHZ8Hs;P(kFH-@JE9sfI&Pf^A4H=Qmn<1IGjq}} z@rvZxm|Q-Tf9u-$jVG;RXV%V*$a-2eBSH0^{Sv+pJA=W6?J4@py`hzHa~ieIK`$Bwvk zwd2>D`>xe4TyEYyUwIr)Hy=K%9^P2|{px|rz1oAD&E+c$a&G*eLC!sJ;OO&1LmH)N zh<2~Hzn)Ip9%NFcGM1)OC$ygW^OLo=*BS5mNRT8BZk{GX40C08vlRyF2hKJYmbXs- zrFs0^+GSaNerfYj>-FI=g#^@E3oD^_fXkv5rvU~C1ph}eHGdrs^`8H#-#Wa9ox@IS zS&l$*nxCR>^--pNAUDp+5hldGvF2Ke=&tO#a0*<%1Im zDnI3X$hsl z*P0(+{;jgydi-Ji_3B&8Z`K#rZ;u;6I%p`f62#eQ(mq`X)2vjt7${Tre|5TGLt0ND z9yZtNpp($%`MbaPW%d2qjmj5I3Elj(Ik$05zIAgrpG*)J*+=BEXZPA%E#~aVfVy}`!dHk(Ofi|UV6o&FsVuU7EIOUCl`?}x`P(R9?RvEux^o6|Bq9_9 z)vR|OvNWStOL9_+O(@X1>{*k^jR9+R07+(Tz_`lRpACKXR}>Hg1QbU8BZbJV4&>BPu?r6osXkHRwBq+?3RThir zLV8A`lm>2CN^2*RfMPlwjq{KF_<`QJw{(%DYt)3RELZ1#e1Ar~^0skfU+e0Z`t^6s za}RlXTrna84ofnB&q7fd)9Etma?#9rlgjy%Aizls>XV3XxcRL93b_~$g=9culLYw1 zGz+;hN?;_30nqgf{O8gU7bP=JIcnwIB9cFTcq*?woioPj^Pie8ZmvI^sx3YE&+0<$ z^dYQv`MG1MbH0{`x~^0IYwZ=^MQa;!pwxmDB*n<3l^h#8WVB8wK#TpU2Tj%PlzGTaSz z3k6|wS;HjOm0?P2f=&trbj--?!mLs+5(;|z&JGmK8BzaFpW5JYN&Al^l~v|?X5~-e zWtF6z4kvGC%5By6>r344)s)HT;1AUByVZ*uw>C})YR`^0j@|lYZFV_BZN9AEIJb5; zj&t*gpkjWeUdB=|qOa4WP+-c)NJmhIAO&t8FwJwBWI&1?clK5d*1Q&(Eu$F5|CJOT zGaVNbqqK?UrM;@^zSgaSYgZ;%M%`wISjnZ!*V}C3tj(hzE?GQ1in714|Eg?tvGMHa z|F?Cqd1R@6`K@K`!UPqNsyGSWAoOvPkYH#gl9x`Ri%@1$I*bVgS=?on%Gq0#p4JEj z(U6#xXpR)s9-#n_Ot48y7=K%eRl10-bW2NzdOfY2- z3R0xe#d;G?c#0Az6o5h@RCYq0#e=clXJK9_NK#|=^Q^W&rI9lK7H$)Bw(uzu5*UG! z*grJvg)BQt>CsN2^@QvpPKwBxv{{@o?z9#U7ft%;qOTwwB@Rc=NbAQwwys|MZu4&A zJ?l4+U45QAJ!*{2@)uB61dN-Q8JLC#p#^OS2VeW5@N3-8G zjxMzpX15;5n)5eT-u+TCLBXjY66GXK2Xa8Bnwez5$U23B5<4nTjuHyO5xMC9r|vDg z8^^N6@Av&FJT-T^W_l*Kbp%I}2X4n0GviPj;+QGsfmM*I6jO?snK6~3wJMGi=W~?l zTRba9NtR-#y5~Ok|0>bZ@nP6|>+IjbLn9W0U?wwL;9m;zdOONp3~(IKG)+VL8_w6b zZQI16h{RsnP@2^mwW%l;%}^VghuarV#>674!=|^70JnF(f^Ci5j&Z^5pmU|~2yi>v zcA^;r+)krI+;${T5{pviU~*$I@kW&vk61Jn55*8mAQ}lI6<$ag zx6g#R0JF*BCIuPY35+Wp8I3=aELydhY{C%^qQ$LtK-4yF`%inLZgY{gX zVmVIbH{<5@I>BSJ$GS3o&+{XhG8n(64`w;pdrj~sHNM54^4hZbu#T?}(CAhhK9k2X zgjS{>xB1ig?C3VfCBbM~ZVw{DQ+-TV_^EI7i8m z{D0vx6m+CBr`F4ILO&jqz=LJ6&C1}*nN!h3{%cC%H5Zd(v;h(8dW;H`z*BH2^TF7# zLk9B9ubCg70oHrb>D?Xh!o&6$g3T?5KT=VaAD z*zddGpZ!$c`Om*azH43R-5n_CgO8ImPE!O*QUE}Lpy)2bcB{yNfS&oG+Z++9T&E&A z-&B}W4H|b2Rb>5CW6#Zh1xD3@AW?t-6vuIhK!_o2m*A~p1f~+Ef`ilt3;hs~(~?%H z5QYt)2ucxy6(u3WP zIMfXZKoK~O5fp|21a^4mJYE(!0Z5cY7-vegwupXHZ~%d#00Uh>Vb7&LDVdJrA$>or zj}AZx3ZP`y0l(|p74vF)w^;NY>(5^mukTnrS9#eybg6auQf>d0=J|!z&b^I$hgYA} z@7!*^`_Mf1KF06nj}ZihK@yOxGTBpf5Ev%)kW(svL%NN`rWl2i&1hqVG{q@aC@`BM{ec#%t^0 z2W80CUbM3_=ZUKLG3O^kNx6T*)8W{*|K3;)AyNBMZ=V(t9G%EQKo9jnLJ z?*AvTd-;D=-#4C~{^jhSntL7v9o4g|hiYf8e!qUPcKuQ9_>I;5{g{4h?Z9DGw0`)~ z>~DWxKmVrkZe{QK>DKL~&-a@zd-ut(!TQ_3`+U8z>lh8!kJpY~D1E-Ze2u6cot9Ux z|4_LzI2BZRRKNSAy6;bweLqyr^g~zXsu$O<$ICBjCl)Gi8#{OW>+`3-bmz$k_FwJl z^ZMfT-~6(1^hx8u)yg?n`El#brOJHs{Jy_;`(q10KmsLEk^mHqw+WOqPVxcvc{u`P zhayMFO{{pia6`D1% zk~jG|6MFT9Rmp=*zV=~wOw~wm!7Y_*mMUXX%xUNs&{Au0wfJ^k`%&tOhDM) z_VKaEpA3~lgaAXyjo#v&-55>d1c7u+MgnkvaLQKTu<%E?{%f@o)WKNYBeM2Y z>+DFhENEl`XFU$YIHOP-WYS5wVidryckFN2srdKal>spE2vP<7e!1rfemzpPPSI1{}_Q{h+13v{*ZSdU>w# z=|T0*+OdB$pPh&tp#%HJ9HWzC;@{#^RnJL9^>87Wq3o3(y z15J>)-H^rkBYf>+4HF_c+5Qt!7-8ByY-38vLsFu%adj2zDf!@Oe68Aq2L|6NyDbej z!}E(qD%N3%3J%0(hEiQhT5SPW?;FS1nsuxci$upZD^VaqY5S0JVbz**-bO6a)5X+g zCXJDb_Ga3o!`1odBA`sl6cV%6;T24%t4q51)X3Fcle*T6v$g97R<14ITYdhE=BE>r zKZm}UX6jDfDIw*lvn(r=9Bpc*6u={Xjy^>JjK)a>@Z5*?t+RIdad}Q`Y2LhD-?OxS zq48jE>-6rw$6CkFEk9p=G4eh%0B}IyBnl`B5IBOO-Q|~0X&i~wb5Bw!yPs1fI*~AO zDl~zTfIlBQ}wyqYad3{fFckSr!ag&ZJ;Rx(CxK;t2(0! zcj)5^fsJ_rVkAkTm@q>N5CDTXLPLzZHA|C@VE337@6N1FyCbZ<*(Hse@DeL|fW=fH z6<6LqdUlh&7)1~Y$7qUQ86*%CC1?baLZUXg(To%c$J&cw+i4qvC_*DNi4sWnhPmMz zZYYW*NI(x*a`x%iS1La=h9Ve5a3N`l#t}#mfFQUX5+tVd!rj5XZb%7|xI>Xs%2-K< zbXgszGgi*DuJ2quq%ZGjJbESEEhq^{3`0m>=0CtG3;=-O!q9&}K@vkz1RYC6BCz&# zPk;gtr65Lh=~F|#*KIO7i9&Rg1~eH+D_psqTGfK0tQiLHJ4b6Y2 z*!||STh%l5JMXN&EuUOpSiAAt+Tq7*PyeI0h=D(-tM|*h)*df^Y@L4A*n8-&pO^YC zTZfK)`(K{=&Kq)Dnpf5t2@8Eou6HPg#OsPy0fweAH3TC$G^?i z9z0(@tzA2!uYJ7M+_MO?lKP1UL;4OMJFWHUQSIIPU$pKnG>`1sx_&c31B3twO5-?$ zD1sr~#cGTT#7K63bb=F`No^)ji<-4^27R(r~dlx{ft6{+1V2% zgK9W?x6U8Vg=aasjLMfDN#oLxym+Z!ukCI=nXeq5{%!r*uEx2=`nwzbjn$Q4@}*36 zjLVlwS}b{XE`C$O6@yAy!cyYR?#ri-t4m)#oUdKGRDHejrhf5x^V3aZKSxKxDK{we zftdg^XPcIru}ULh=W8O}0`#oMFIq3JwvK%Ip`VGnm`eqVn=-qUle%=6nQV&Vd5T!d8W(;$BND9Xh8bf$FJrjUHHe`K_7z5NZL18E)aGWAY5&;B;(2x(+ zgQ7SFNQiL3Sta=pF-seafyC^LH;&Q9Ohhbl#w5TS)CR+ljmWYnk~xh|EXrFq76P$| zbn8*MEi#giMM4N++YAUvfKW(>WyH(JYQ4YKc==9YNY~%pcUAVRANE)0TTkac-{)X9 z+ATohkRkv^Ap}Mt!;pwaEB>DViW|B;$Wsc(37`CZE^mg>T^mMV^unZhRh*-(P~I(bIch)(Krp!9*Ma- zc5Bb~xXk}ryFz}atUo$f*;zlgu)3#m*}VENTDw0N5C%{I1VEZb5rhW_hY%FN3D|~{ z@m_xh0ZNlJI(k?W1V%v|B@r6n0HGm@^6}tMfFXba1kT}45!5F5DSV*hI0ziYv4L8{ zRC(k!G85Ab;wHnBKP#iEZh%u>0S}rA zOPV7zPmC^_%9WeK)I}YM2}Eflj6(b`+cl6)o7EB)n#$Mpvg{L(aIewiP;50EU;eQAx^d=t`#lB+vbiF;>v@{ z8Cc(cG_$RG{Tp5*1j7We{deE5pFsb;yk}*hetYg0zh8YGUcR+@`H!t*S3~93+qZ_a znjmP1;y6tcI6@*AiGsH2Yvg82kboc|O#+DG?Xxr3=2R;Or7GZJ5gsul;_2?SYBVMm z<@HXV#v++vk*?4-^02et;V9scuF$p-zQc<0qbB8ast|JW@vgRntLnB*_u{BRS~n)G zYI}Y0O7rmb>fYv#Gwb^((RLm@RXc3~I@S8^FH5KDH}^FTT)@^Iv<{sM>Hg>QCo-k4 zyb8*-8#R! z@|r)N37i5Hf)S9Q34o&{iMBC3y^I+7tn68R8LRB5zOO&K;A&nx*}8SF_GG@7ca&u1 zTYkr%9RX+>U<64J1O-U~CE9n=c5{o%qj`(;>tI`K#}PW0Om39E^Q0DwXlGm7=c8TO zWv=#Fr~#@7BT)(^srIJ~7Uc>fP(TqBCIl*4dt&8f5-mSy+-bFF%7dMEq~ChPv%IhAXimkfM$vcFTZ1Sc^~yFOLD0AHd!gi8^3XL6xGNx zqecR(5S@&he$XuU@we{k(#nqN(e?d}my7j%FB-R>t}V9qJRgyz+UC)#Ss_xVA~rpf z>mBuHatB8Eb?c5*4ax%nY2mIZ4@a5WKeQ8(o;~S)WbyTw^ z)ec#3tnp=#;Jo>}CC7-uqLe$IoMHtPy*V~>h)OYB{CcPmes0*xrPkwT%>xftZ#U-_D~Fp` zkCbTPlT&eio3t+@lW(>t42?~YMTBj*{zDT6`B31ptL8tidN zm0c@Pn%0{~>*wna-Uiq9RPTLTJA1dh!(Tsh=<|!p@zn?GbH3Hr+*}9DyyZ*6!t9+_<%7*t#0tFDqyC3EML#vDeh7$mk1iIzR(t+liC%@H=(E~xwb1aq(IXGcTm7SDh zQ{&Hq9Qx(M{?@box#q{?)yr#Foz)}j4^|hKmncxVGDe|HT26q@SYRCW>xB7JVcKYn zXM(=rfZ}>@yw>5|oES zyn=A~ZR6&AxykYC)vbez)$6NAwl(+O ztUR(c-<{6P)UI4^y}a4FbFcaK8aEMInpb6tyeVz}@h^=Rr&n%Kwf8q`ci;Y|d3%1Q z^1OEYMD6->IzAG|7KR2=3No$|#WQ+Xk&zjBRv{CMNW7@%on90Is7d?(sXWSF3v2>h za||%+J@3e$0#|c5O}LS_wWiDaYA^1rpR8Q@{46=!c)wRx-}h+s%7|9l#+I4nMLU^= zmY}kKijy^_Wm7Xb_!9@AIjv+6tXR;ogO5g(mTi5pMQ9l-AZ4AzNA-0v=ZQ+iqLN8A z-L3zsG1L6DJwVr{@wJbcAdeDC6iT?6^rB9`PKYK6E+uV7I?f&}i-|>!q(Q45V-GEjxq(V`(Jg2ZytrQ%ouXYXn3ah|($KVD z5+AYM=G;)nztI|!+PGFZE9Y#r1V+&iLgYUxf=1*)ArY&5w*LIkkAd3a<<#W%=F)jf zYxleAk;c)(tt)e5^#61w>>m&y`W@uSg*{xw*Wk*z!s9f$#-4WvBw~?9ZY<5(2sWeG z9C3?9h}~y4x!AIpE9o^%%Ecm?Hms5R#~UI3Fw=r+vFUV7po3Luk)ldU)w_;e^fM@< zvFW%YCeRg;UNaW@5}#BNN|(na7ENlWfW*amDaqoP z)nF2f9BcsKlvotXhNr-YDXjGYqnq*UCbcR#<9QbMAqoCDZX^q_7?-aG0EQrtB)d*E zV^49WY%e^7i|UZg5*lx~W7#Ovg0l@mCLw)rp~O!g=F=LX{pQ4}mD^(sg`zpk39&_D zo9#WL%pa|jcO+{cwTkAWyOopwGe!w?8EpjRPBL3Mnm14S%?Z78IPY}SlF}fBsK=uc zD8%;ak;?1!GmX>pYp-<6^DCzspB7uk_xo!Ho3vRhPsf zomuD1M)=1g9!sS4vk_?ZyF#2%IYE;Er)e7RSXlpeHM~+{Ha^3zAFQ8fUcLDF+S;y_ zJF2PHncJV2YVQ|XFFrP}o-WVT_rIn8_4iRS-nMOGQC=R5GlGo3KxLG9wOHhqju53) zdSp!bcsS?0P9;OcB99>rYy};k#287(?UJ9^dNDa~%QervDy%+%jlBo!Z|_uItY2E$ zV{0DRRbM#LI=|Q1I{IXUJRV^^d3_vg=Ip4-$6d2x(NvDeWb@3Oxio3dibYCbRE%i& zZ2v!H2xipg{^K@?Y#XynHfuI-inXRNM4(5tQ^n(xn7AJ^vZ*B0iRH_wkKiri#2 z6xmstWJU#<&2w|qF@)SSfq2wjTT=P%w`#{LSj)?uJ`-+CYULj zw@DH*hi(Lyw0-<(OIT8@y@9j2q;1ElQCw1hj>#n@5M&5UO6YB3kxfZ%NOn*kbF0K6 zQz2{hC!;yPtlb0>mrrGJr2T|gm68gL0Jk-BXiZLdqAG?`J?NM@)kDv@S=RKe4Ja-zWyrArQc`VmBFB6#s| zFOID5QvR!Qu(9VnTzTLrUv2Jr7x+0G`(ySfQ#|x3V$np&Y*jNwtKRx0;2&>Rm3#)5 zVjxv^PLfW$XQt_VNgW={i_ZDO?2HQ;m!F)o~PaeMP`Nl&%On{BIs{c(Y2$i3)O4&Cl9`F-q~B*@v?mHUzMGr>`15q4G0WC5)c%I<0OH!Zyy&T0&L=A z4p9oDNQxA8`v)|MlK>qeY+=5*L(>rtdELyRqvY)=yq#v646u?mPnKLg*|YCxarUFB z@p_>Xk=LgJrwKq{y!;)2Av7ci*t__D$ftq^6vP45-N8oEwGa|RD1@Xil)z95_CBr+ zyQWe!#M@Vi_fNPMby}1(Yz~1#XbMs!%_gonbqZCuSR{4&>9DK+rh76Mp)d+ic$f0k z$!W&l9qB#bTK&#Zk@@r8$_MM`7mcUKD>oko}XpZ**1^ON5oPC-ag>|#s@Ie7yL zM==^fy9aW*>`;=Ecd@?k;K%RlFX#Tcetmg?EbnN%JhpnJcJ1J11cYyRr{jc((52;C zqi%3HCyEt-M`$2pG>%ay=w3a~GmvQrFp456?l_ipug2yd#E2z573m8?opEf)yQjk* zU}U9Fq5y}0z$wm%-Y)v_zsh$uqZ*5MFm{2yq;cm=G`lUqn|TJ+pqK`lvp4 zy>@V4`9bw$?egB09rZhhewV7v%_m#e-mgBXKYG!P&n7O&%Qwo;|I~PN?Vs`HqeIo# zezbLX{=b~xuf448Jkq%Lk?hC(gQ@=R*2<;acfVLav3|JmetvD&_loboynonu_og2y zWK#XOcBTI0eX%=%H>WbJo@yOF;8|bj_A$Tr1Ba^6bAZ4xjA#Q<2n>f5z_);$gBT78 zibQFO02D^FulU#^kRdr`cLO^y(7-IT16N52fmLLJ#0h}ov>>03L{N&tNP1{D3I6#t>3R) zYo1%!8qE%-T^@CJ^XT&IG{cb+v~@<`HKcc9sRM0T{H90;tI?OwXM8x(`8dr(S$O-0 zU(xG3R4aS_@uzLgSMTaauCHDW>6^QEF$+Y}(rI_G>vGuh^e^a4%z%!kzrKCIn^lI{ z*i0ZE%NYequ)dFxkuBSGp?Mb;RoW&y{vyihjb>u0V%ys0;|URwv!_v0`(NDECb@9vdNNn1TwRZs*_r9V z;OdVk$g=L*b|KV5W0YqxFW36 zs!V|XDP6FQ@gahFZw8WA$>WNcX{()J%FC1#^pD#SNxx@wN7#I10XP+$`cDTK_C6kP ze)kHKNoMndh%FWkPg%TQ(+5MK#S);3jKjNM(fT0ek@GcwPF^w=w%YVcSI|-#x8bds z)aZuyc$8+7g;Q(kCKF)HI~)c@+VtWAU&`09qzb?$4Wx3q08qiCHYr*n-znO>nP}VhXfPrU7)~c9IIcw1g9~I6aukL0Boa)sh-mYL(VVRK}cA-S8C(zgiw;k5t<$#8hhaB z-L~fCxz_!s&6~R`x0_FnRWAPHch$q*=CLD{OY7HLPw)T5CM@j(3ImX$Fd%@TrVtzg z1PB4zC>(h5>Wy6mZqfG|l zo1rl|A(DA5v&QMDP`?5i0RUpX3m|w1dniFrfFNj++pmRbYfiXdy`iL0t?UVGonarJ z3Cg_+R`S`R*2ujxpz&#EeerE$|C9R1)0^}tN)srg$nH(lT*D?wqX5MSf&QG>cnRr_ zFZReD1qcKP4pD@paSYNJBm_{VfJ8_V0IEYQ7-0l5Yo|h8p`K-=sULaqKefeUzg|66 zK3sm(Sh~pb+bJN)@%^^CuXSg4eeP2Ad1WX1-TGm5^VIG2-Q~CGf7PCzBGk1j`)7Dk z3-Bg&r?z;vSU-1S{r>XJ)ia+TtlnI`oSm`OuH1CiKhD>ld|E#D7nZH6V>9O@L%JG! zcaZ7jrPYVc4`+XF%M;t=vwA%KtI73qe~o?DUFk>M6wrGA#@sl1xc>Z5w*j_fra>tZ zpfrY}D2-z{iIRNaOg<|OM&l?7P!d9v!f=F!ZKBo|%``Lm!MdG{MSbeQjGxx3@mYZh z4-k|_aU2o8)CSvF=rJ&CuR%f@;praky8(5kx;y2uBny<3mAK8QP6djzzyBq=581r( z-sGx1zgK_$a`|Cv{(fz4o-W_h3s3$D9HNlweYP0lp8*siBu;f}$v6EG8ly1^fH7|k z!D$Mo5t3}(f)%&g6r)#?& zRj;%jUs!%pnQuNjx4P4|_G)X^9GNA^ymbH=be??HG#Pcv$f3ABEw&4e3Q1LHc$7s) zZ8XsGd<2Wkc&4+G&e6MJYe%FtziZ`P_3@voi_7;NjmJAB|77H3QX0sqOv22XjC_`k zge&WprVXh{W^fm$2@*{2*B??L zM#*S%0{56~MA2IuS-50K66LWA#RD=$oLjQ24V}UT%C@@S#3(^`NAKs74x__)$hkKn z_uGoAk+KXjQ5VP-%*L5i@Ax*;CLl{|Y(#Ij;?+qx8tIJD1gtVl*E6>8=%kE$ z1mTn+84fcvEuJcGi?hLMW|P)~rcGMXC7^wc;@J zPE2x%rncE>9XoZo%UOu=rrp?c;K!8<&8x3}+gx~F-?Im=UpQ2`i8tpj{&(xq`^M8l zvBvuk&BOa@Z{`Pu$Y$USvlOJBTZCfL#jG*|bBZ8FD{z<{Q_g;n5%2#Si1T1rB{@XJ zPhzcI{#2X0QJMdxLsxmnVzD|UbYz-rgCbZo*1Qc#mfD{V+C)}M%sm-5kegsxi!%a}(sIF^6DUFu z5T)=g!h8TQcNHf6#!!hL&8ZG3vc$9}VEJYsb6Ke9tR~AubK(SrAt=_>YI_GpULAz1 zmm}qytnkAmSSR2zHLYpi=^mmz735Qi*k7oO{Ye(XDO0EZ~`STKtPO!C}>}^ z$IG5IubrvBTRy^}-(e(y0}^1J&%Ou-ATkd84kaK#0~)6h97QnP#mKH z-u`MjTb%Xvr)<~QJu_W$WCN^gicxir5d)70!$B)FGGkzChO&DFUN~h`1z100;5xhWQ453tQ5CZKpOu$u33wq(uv0`5!O_rMNg{v(RnlhZ85cHz=LS@! ze8)+PjnCCcEQ3M8gUz*02Nje;!xN_q&c%@_Ya%M}z71RT&6E%qo#2nsIXi7j7CV!& z%WjQ#o%s5|R-Y8btU7fskV($f7wkTLczk@WN@nWWiFx_CJ$Izd*txyKWc=vdgvRRt zow>+>=WZi9=?ar`T|QSxrS5!p5a#DfGiJTaqm9TFPIF(g7$WH=r!YC{l9C1E7HGQL ziak-S+YfkXdMbfw8G-HINSff}Y|uOi?hqa5{{Uxp`w#VVM_YH!TYq7z9$DMJd@niE zI&yYxU+0J(6Ct~NzH+U6pmFGBeeq!V5!Kv#vi{)Y%KQ3(%PUXHx9bPqj%3N!cAjo7 z-QNTm%i8_=%-D@h3F0(Hw(qhb+oIOUU2|g-+}PPjf`AkWH)OO;k+D)NDHdg=vq^hf zpB&&}aeRP>CAf50ylpM+uvy(EQ#4f|^+`TDEH^tcnhc3Wrj8lFtmzB!2|rd4i?(6g zMj~aq&C5%aozfLu$uW_#)ww^_FV59o9$vpzxmA5%-*@mY<>%$MTLjB`D(@;gLOpyc zsZxs5alc_`}-Em7A6M`t@ULiz{!;0t{Cgr6C3=jK(1j$j*gdT|vRd$THbl z{8U)EP}_ThuHLI3J+Sh)_GxG1*wWf*W9`PZMC0v&+SSLs5)rdfR$-jg+pBjQ^QTwd zHC{hy?busCbaVZ7{q&{gm811{H`Z?m6b<4C0Wbo^X#%GRNFeP~s@=l*&=?Fx6JJMs z9ddB$Qv(fs+e5GLYfDu9;g$NHYpZWoZovA}bB$M@TF1_|-aTyYyt;g+8=vjiGa(9k zv)TbY#NwZH$9+K+D=*v_E_#Nt0G>c$zYAA)1d00FJHK0dzIp>TAMXD{^)~ZoGfsJI z=ttXs7pcGAUB7y?_Wb2c{oeV;$@#SxNaOa?*3C=x+ov0s4wWxR8jJV7eEg``E>PkW zZBIGzX#csC&?S7d-AfFbjqP$IL9Aj?Hl&g#wX)uad%IW^_6L(zpQl%|WJxTt1Ham7 zp#&hh#e^bgO&9F#hXjkJ3n+{vFq)!B4o(*ZIF2B6=SB)XoNj%`Li6^U#)+rvH=76F zG){k7zb0w!yz`5{uFhAUl|Lz0Zt>D~?f*tvS3Z9JxORQ{-M6(@=Nd~_zg@d(uiR-J zKE%cDDx>~Me(r8{ccig&?;o`%ho>qBzpX7@s_niat9^Xm+1x4k`Fv6~p0MS+Mk``^eWoTYM(Yo+(^=R|twSTtmA4?j_dn<>% z>xb4aMY)Mg(7P& zc7EzqW6y==!99O0KdmhsOsvdRum454vMX3W{UTU>)4FnQL;(UiRYIS(g^Fr_i1i}l z)60VfKbv6G_lO=ik0TJl2m~L=*xhW5A%xu%$ZAXp-U?QBFW)U+mo}c99Z?sZ&z5Jq zoF;TmyJM`8!5Ytlyy>;a+SMzVz4mVZUx?=3qt$!O>n}$XgN@!uQ+}vqg(#+TQ`6l1 zHPdQ8?c~QH|HbvoY;|w-LB71ddZc#vxrN&aB#B`(z`7It=c4`gx6zUPXAGHLyd`h# zc-A=eq;~e{%8Ay(>FsNaNck}l`CV(rfe~$}NYDv6D@3CWZ~#%pkXtR~76nd8vsr%c z?zIEISl<_H?B6rB^0v9K@T(C;FxoKO#$J-$0FC6;_$(M}NJ*u3i^|OpEdOK5t z|JUixXhMjMyL_m=G}pLwQ?h!ndgSk---MT+x)s9-Sfe1OGzz4VM%M1Gy_zmB7#kPg zw{Csp!9CMdR;UE56-1ENv2B}JG=(TwVJc-HEf!HBGsOx{TEjN62+b7BgojAF zs2}qTgqKbEFEfdlFU#~xw&{W%N!(=1TBZh*>?iYfi>`1W?Fk4pSZndY`hk^aiPih% z%NQ#TKZhl2bPVT_%bMk(DTzQ9e=E-|-&xyLKXhoEzR5&=Di|(_MHH#l47UQS1*dJZ zr2%<~B~%yHob?$%f`l}RBGi9!ZeV^amKJL2Py5QJn>!yh=FZn2?O#6j>)PVZ+Tz^W z(iqJi9L~y3_yjVFc^bzS#z-_oOisgujZ27=J3X`D)3Q^Eo3!j{|_q+c6hviR=_w(fk-~Fw8Z=7*9D;7oJY=J}iRfO!5WLPY6$PGmh zX3*YQgG=q82!9$UVyKcc%5WTqB!v?He_(vPIxFwC^S9sN)dQ=~Ru@<2M(jUQC2feO zGu(vvldW8??K(OlL9cU`pc7%9g_9K#O3eAVSY-4w1xHug*&v~fGjVpYqFyXY=hez| zZvbtA*Bl%SnGp5n%GN1Dgh^L2CdHyj=8h#3i?*T6y(TLb$$TDeCXB*ReR9BrNbd?1 z60X6s8SjlF_8R8;e}QI+W`k3~RANS8ey)wf7jw ze!h-Zo{y17!6T0h=b*O}A!CTp-I5nm$>*Kvs{sY4p?1^DRPz(2^>$N0GRe?Tck0CRiH_%m2b|nnuSFN5}-8$%sWJCp{Bp!$dU}pW2Wx z(}Y+gOJ-TG@`1?+@QOw0DZ)L*>f#Cl3y8bPV2lx{$QKw-Fcuv1&X7wNfR5Jxhy%`sa>_sZ&E*ANRZywPM3Hk($;xq}U{}e2LxVXUPn+%HkLi$g^ z;uQ-5cZU70wdd9Hhv3?$*7LW`0}tvSZ;4iK|9$0cb7}7H%_C3N57c&DYg~J%8%4NR zBm&$#DNSB4*YjpeHFiC2?RZK3sB2w*wRU*zO7qH_#)W6x6!Zx1ua^(iULI=fd(*hG z|JyGg-hB7@s@k;nvbnUQc4WS_V@Ksv<#2P?DC1}(9L*OsY>b~w#U zR7%V97(cSEQwa{UP7;dyL-8K6z?ZkgHSwT@0jrCZCTYfF!Yq~872;4l8&TCH9|UiJX_yJfJhEVrOJk5{ z$9H|EwV9Bsr)qBIckH(iYMD3V?ksr%uE&^@5KL;bQsj~btyCJD9QrYXrqd~gN}Zgx z*hkkny0ezXtNHrU z$G^31y!ko&qxGl)O);LGnrU^M@hlA_`gi9D_!1*oOf$pvl{VTZsli6wJ6O1O$NA^l zx!d*Q?^{Q1)%WgOeYrAMIlHo_8&SxUm3 zWC!AV=e#5Vl%*MZmQ%qA04W3@=)kvlP)(}-`b6u)?&{U@!{&nvt*3j!#dPi3;@X>; zV6-LK<%5fRkV0G#!Wy(6xEB8S6hlq-2M)IEIpGO_%C7dC`!^4 zghKcvKm!~i1V#?I-^x3U$LozpYA0j)VoyNov~2=)PO{zcEL<1s#(}fTSIT#)=a+ZY z_8=b?8VtBJc534994aqL5C-ht8*xD1lNKK?%ax5P~2O2)knINE#bP zA}F9Cz%c*_(DS+Eo>2uP3NQkY?G3K8K%_S%3r=7-pf^SVo9S0F_aD3QAP#VVqX06N z?MbDFbi!yn-<>Hvv|sD&9RYqIfC!*4h_EuFQryf?1R^+&5s;aigpKd!&JDLhdo0E!YAO%a5^ zRKaNyAt2R-4DcQ1MhQsaC`OIxw2DFk!#Bn&1yPcMSZ|JTCksGH8Yi*#*x!^qxDA8b zn4WV6PbkZL&J7;eC%8o-1(Jvwm~k^XWzv=L3xNvH*A9QGK3IFIb=T*2Zry9VFGP&Q z74}tkwkvu0Z1eIS(m+(MwC-GAUZ_2O+<3FAJ1I6N|E=GwpSrqyyHJ1sC{WqAvba9i zZ4mzBtZWDI-g#C)k~E}f5@L`*NJ#W>7-Jv+0ZBmukO+VzL@-E#Hu7SN-sL)99D{>H zbxhN?L1)E;Fd+b7B!ZwMiU>_k6d({{Bssu)^d_gl<=~r`oq4EXZ(LSe%qFpNXW{ev zq3W^Po7dG(q3UyQ^~mp6j+76g^?OV8XU|s-*7jYW*<^M?oB|X@)BGOgC`pl!qJa=k zf}#%$sUcQ&qp6#n&d%kwCcJAitPDYswBTFRr zsmPdOxJ*-;fXBiumEJltl@}=2uUF=l_x`?lV}I?{4n_%V(5iGw*m>r|$zqs?coV^ebDq`kuyaGCcmaHe69qi9IBuOBs6+` zTDTme`vQ^jb;LHVxBbX&Fck9|dDf4O+ZS?tbPvoZtx-;$?VAj|F%2q#o=tcYBSuMK zvjO8ww)53Rz=&ZX)#>S>v^Wg68Lu0UrL24=jP2hwKAbL}s2@4^UABCxeCx~N>E(Bg zJ$DoJ3p=Z)e^Yz-pmy$FbJywR#)Pt93bThmZX;j;jn`?Wm&lp1jH#48B)9&drz-Ctvx!sa@yLsF<(7fySWK4tbOBm z`|bz8E8_uxVHgbwT96t9Fp2;)hIe((5n>)n0|G%HfkT9*NSa0fznC`xa0DO(jpdl%TtIlI}7?C}MJlCfCzkx;p;MUuUOl z*Pqsp?5N#ete;z`KRDmIccs4fL(p5fHCuW5`RQib{w5b@5a>qzfsjrBag-)NPoZaw zpcI-4Bx00ScnB#yg<>Gpzn8mv*FX@-u$2xHLI_YmbBB*@dDq`J8!s4zk`N#m?=1r~ z+!&C(+Z}j)uc?ixLyvWJ280NKBM8JPnnF;7Lc6yj@C_E61{B`*%->X7Cw(mC97W?~ zjv3&bwGpwjTv%t16rI^rfccY{B!U}hnZqHVwy!Vvt$)(5osZ1^J=M6i??0)xuPv?| zZO$$J+O@j-^OJwqF3&f2oSFPh|FyO8=~?+!_mQpI*G}zSKiYhEqH?`<e;pf3A7(#>%tWv1|3cr&^z0Beh)@yH{O~WXi3){uN747*pRz2o%yZKyieI z2#!(RHHzPbl}(c)u?=M(BS=U9ghWZ~EA;*Fbik~)2u$D!8sInzg|-0LMos`obLX!k zoSTtFluF_GO9e|a79_=*zHGMt1Vs@v?5>T>xm#U~hE`q)&t8B493iO=!(bQ>iEq58 z01%qJ06-kJzYB~rdnYiAA|Rv?NFz9cVk8at0sj+#L@{DxT>xV%^(C(~xT!{u*H7L> zmtU37{I>b-Ui$>l7Qk@&0%K<|X{RQKV$kZz8HLv3x1?A=vbHDvrpms?sqBp6VFh<> zXZ`S8b*b^{MCQgZ%;=_jodzKXNGpP-;6&p8xKiz+#(V2 z>?|cvCVlJH_4=jvI?`Etx~IPX*y@?(-PLFM%H`>7`Swh0?i!yeN^;Tro+Rgbw`YdinYIQ*=BbJq{`n`f4YFJkERdT5 z}6<>x~VXR)fG?bZgD(H(0}^Kt5wOmYl4NUD0Wm zp=7pvUAq=|=zLJGL$}hV;qKX>&@+;f5S+*PFGZ*ILM%VwU0NbUL=un4wfWI!;7Uy3Nj@)~wOu z5U5^nHR!Y+pP8h4PQ=*h>!EShvyeo;8M2FX?>O*8B8hMKr-)E)W`7|XvGe|DkRv@g zjXQ*LwT0At$Y^$6TD9Rbe)iO8P=RevahI#kJjy`FrKVmEG$%R~Kt@@B4XsqpsYhnNtC7-YRz1 z?YYmh9UeFlslPl{y^Gn_7s^N1j@n|>_l4&ET?1Zb2;DSiB{yS70w)dWNdb1{l+8mH zbUcL0$!yHQPpDjdkXbps^0;!gv2bVk?dP|(gNL&$P^BltK~x3^T-C!P0McS@pL#GIb2$tTWx0r^`S*^k- z>wHn;0X_O?1w*Ru!Yhle+_;p*lmKF}yFN42mkE*I><#lW-YAG;IK*&X!W#i8l16Zx zgI%N@#ZY^(;{&{T718cj$}Y}Q%1BWP6uB;1viC*u-O1HA>vxR8Xg3T82th!MkFU7# z0>P;EJ%+sI1p?jB6zMU@ZYYLf5QRA0_zAk9F!GY!2#Tg?l0-=kUy+U}sW|S);zO84 z8)gp7&|;CpV$FrycWDI;vbA5N(SQhwAppg33ZSGgim|=O zu=H^X#}P>42%u>|P=J7KV;t|-cZMpC;~0to1fy`8!T}_S_T_Lw6h@MU1cgHY5E{V% z3g|XDYGOm(CUJ};06|d{i9i(ZBr^B^<$ z`+q1u5}LCZhLI?w+D77`%XCRdlLXqnFqO}wfZ`N}x32{rb>Rd?(HI7C9LFdGp((m; z4dl*O2x%H8Fcfk)jOZp9M$$f|$Aq|v-4VSdY+~4$G`Uy;W7Zrg<;MUg_AF8K0FHH1^Hee5k~n*=tV8y2kZQaEbjdu>8ElsL$7# zZ46psCV+HQabaBIByE;?4NzIKW~N*ngNQISaVnB2MW?lsGkry62$`62ZUL1@gknyr zl<}v+z2ofN?nop}CPqlRGmJ`KKrO{eQ-c@no>T=>MQhF!$E{luU{n_S07i-mJcrP!&di?^!6WkmwpA4srK$54qG4QJmsB#uI;+Ea?=?uU-_Z> zpt4I-o>;1n@>B$wQ zm`-`jnnzZitsHC3z2qjy=ZEPsi$!i%vGC1s%pvwoIuK$!(o8RQCM;o7w^Ekha?Zzi zNSAO+ZgBqOr~0=Sy^@fbQp5z>$QG?!tUYOIXSBICbiLsI$~a*Sfo>in4bHYm{?>qxRnuvL>27X z8T>_?+M_8^vktxnm3k(}Y06DmqH2ZGAv3C+yj9=+W9{Mz@2tLd@_Fs;zU8;ebH8XE zzdp*Tyui)GXo_qo$0-eOCd-FKQ;9E27gO~oyX4hF7~NcWGa`qy%gxP03mr-RI(%C@ z@~*Z2ef`|t<+<{O=F$D5$}cfG3044U$oIA{!IdUx&^hA1Og{iudD5d7C`%wWnRmHT znY?k}UzMkShVg8VnN29asC4MU+QIdkKh}>ucWZ0+?pF5vrS)=mtaaw$>Zkg?rOMs% z&DkGDG|^;`%8Ud#sU?a4k<$inu_%Q)q2Hr5GadEqS+`Xznu$fTA%~Ya^^y?x>8wVv zNHWwAjHWY(pu{4J0=|h6pOh-dDeC_PV3OPIDOd!=f!4d*l@p)uHFoS8LjvG{ZYD%1 zVvy=NVJbHTr&VCM7-pw75Em%Mf7f>(ShnV#x2HzPsA`(`ert)BQ}@XLoi%|mtEmrqFot z?(^;X$BR<5b@xnpXXDLhbgv=PNLE|{%suZSeeo~uLWM;&oOxiaiOAtKEKX%Xrmh8ryG^w`f z7-8GC0-WTfyn=0FQOYbWju_%{Un%SjGPP9&#XqPB4LS*@GzO29dCk47b{(nn@QW;{u?e$dR3^WK9hRO`X)TgW$iy!?+yC6Sw72&3QsdIA@}w#o zG6Bs{f;X7fD!~G`Osk>DTb6eH&dUA?Wegvql_GHkH}|x^7)PnRg5Sn$yg62T@#LRa zWAEAexzo$XYlp8nW3}VwsxRyJFE@7Xs!lrT<;-l|q*;e)y<$-Sd2<+>pm1It&H=F~ zN6GUU8^I1zQnqI@5=tzZ*Gcqa)?9Nk&zZFb|91%oqR}1M3A_F_m@ZX>*unPu{3C1=g?_+(9|g_5$p(b*IhItq2(#HH$9#X&F)SW%+vrJ%LKFzB_A}F zsC~c3(|q{j`e{*hPxX;J4O`ECZ0xuhukSdtas6wcVHH~c9E&G)MwBc{qLi(-{0SgI zac{O{Ru=~+OI=9pz>4bJcS>U_$sn!g!LszB(hFuJgagIU=6@s&0S*u(DTeIQ&ukI& zs!)z^NWjBs0-^DE!xoIw4t*Ssv|{bq#>Kz=wYqcTV(q}k%7NN}yROyS6Ph(cBSZrR zr)ZppfQAHUM{3jq5ss5I00Vq^*BvQ1t9BQtlDJxu+0b3$1wL?2v0tgtX=rk+J$1{Z0FEYh+GH)g28ZtpT7i> zG(po0z=U|XW*`9(K@%h~9pDKAh#?pTM+|{5L^3qR4|pOWK_d!pyGwP!BIU8LRt5uz z#tCMah|3+*EZ745q#ltLj&DwA5@%DDsJqj<2W!n{R?gNRU#&d+R{Go2##RLE}%*rJ(r#&%(3UbQE5lIjT?;?`Bj_Mjt(Xo{?|JXRUeEpyG_m6ly=2DsWK%mo2;=M)S0<$rWu@|FuKbJ*X3>SA()PG3ZJh%yH$U__$3TongD?` z79!J6nCt&C$c5yHWGIpVOcxK!%gY65fFYa&TtP}9qnVfdrz1p0Su{3`5gdev=!&RL z8^+^~MApa=pQR_Q>kq?@f3NR5=7FWx zKPM>I*W09q5x?7iS%3N9_po*Q*6P!>7Zlw%c%*jgOzYF5)~?<4^A}s!o|5(F$7&Cc zZtu#_c!sZq%Jb^swUd~va%1UrbN}ha-LtKG7yq*IVC6ym-9zKrzHaYq1ptf?jvxdi zATSa_#E>*Icxf!*7ll&{q-ccW1c6bIL^!^6{4X9`kh($0DhZhTX^dl`|65Ar1mvC~ z5Dmy4MxKWt0?`;GC<>0S@mUul!ZN?$NN7T?ay}6PQfx@})l^cIMMGuSY>p5|@M}jN zeCu6#ZeD%;-_;$%=hzW5+Fn|UWj#EMeURcgR15;K2aov~wl-ScGun&du8Hi^YGoE1rCE;d-V47j zV(s1lXD~!kI5wicH?F_?kM+gXGwZMGJNH&Tdch>!ogzq*!Wfz$NkDIIaNP}Xt2Rjq z^C$D{LwpCj{lVZIij8l6g4=G2+wORjkj)!)(ov&j|D;wj005j~7=&-CJv5ECZ=|+v zp+HDLhN2J>vQHpQQy4{$@Gr!40Pk{*@vgC1R|yZNOv(A7^)(Tra&V{sGVcm zQf0QWRceBgD*`@tN?EEX&$&}VYV_{!D;Iw~-*|hderWgV?X?GM$5a1S+yCk3RH~~_ zf4O{zF)AAePSqCAw+`*^|HasNx*Ppr?M!s_%=+!+H`d0(Pt{M$rz(q$UDv#k+K0sv zb()tlXXW|tR!(Kj-z8fI4*z@O;`d2yx_ihz#-qQlotbIwy7ynI)mN=Ox0i1$KdtN-Bc})hBqC^< ze-(!mi2*R8YmBCFx{XXF+O&3v;Ac|90E7%6+l#o6x-2K+L8}DQ z>BcI|+yB12bK^k%pWC;lAp4`NMZSHb!=cO#*flp!f>>HfrQUU#0>L}l7eF= zFvAj^hBw~a9&#Wq#c9H_D&Iza6IK5cs73lSE@o+ zEDszLS==8HU&yKG`Fc)GnM(QwR|FH-QVFX|3-qe~`XWe~8VTAm=6IabbPI;LJi;yS z4T2(-Nk!O0Fu!1rb_xBqI0$;FmXRgsz#OM0gp#Kk(=!K4rE}Us)J`Vye8Z5nQ1jTt zQJB!xx&mb{W^7)gbaHPOp(Y$4ZJaiyQZ~{xxwomZJucY&xT z3AEm9GS8_`+*RhI2%f&zHS*xBlCQ(vHm7&1vp$ArfZm>&opwCJTC2Vf9U3zhy0R;; z!*seR;50vD5gv;vPZ{*NV61n=KaMqcY|NvDU_s|EC=4#4jK;a)+M$Q(fm=tHZBSlvC|TkDI=WKC zJU{Rr>ZwUR5Qy-x1_TU^69gbI8g1JCG~VmTEgfs9rFwfoL!?yWTaz~s3tmoh*m1MF z=dXYyFhuo;4A~8;?K-^jyuSN@s(NYleF9Hq)s-9n);N4X_ou?7rb56lG_`3p6C}h5 z47HoO)!0co*#9|8*t{tLeHkK*#3{0OJ;QUxjFBXU(F8ei#tce{yjoag_WK+|O0!yS zQw-%ifM)eNZTm0&b8WXSNY~#!{O9WDUp1~jYFysedVQ<*`qp+~g&9JMASj9yV56id z3g7@B;m|LLz!5=X-TUE*H%u4-F$6ITryxy35*G-Qgp)WES)SVkR(W)5WX2~9|2Mf7#TlHdLb`22@haQSL6)fP|m?nim>EufNSxzo*!R3wDf7^ zb@R^2zx|>0`9tf(KHE=op31RK{MtU z3Ik+jKRL5;n?v{rBy4so1r9g1|E=}IgXYzvirSgG+1k5{%U9e>cQ#IM-}>RkKogmG zx>4EJdUm*Wd2#u8>(aB0o%K^6zpY;D|FwDbMC0bp#%a;tG!61oLE5z$@;59 z^&dX8E?!tYRJ(CA+PHkTcKhnTHQ#-zUaTH!+`XRdZUo~m7Mqt|6Mrz+yZyG6Q;+ug zK@$u?LWpPz(cSB|DNa2I3IT>;FowY}nueeg{A-J+9-5eGfK2mfr2XGMf;N<$0xJW8 zfI<`n1@8{qmvT5oBksB&g=72$VBAim^bvz(Xla;DP;vDzF?g`3vifA4wV}Fi<;41_ z*vg&tJFSlgn=fvRTNo&2bJfCW{*Yc22`NDLg4FRY>yTt1fltRWOhb%j0AdhL(2&7# zB;a#112@MMLcrw)8#)M4x=h(<8)hSX3}V_iy8gr8Do<+{k1ij=ThA8j7tdAi*PorP zy?nj3laXx<>Z}J{)>9e6&bH%9**N7|XOX4!^L_q-&H^wJ({@l>RpQo5((jpgh_9*dc!g7dU4Zq6BWTDEsc~b%a_F@e#>mZA67EF?2l`2YNyUN zuidiNuO3`Kv$ntbesF7J@W^O3&!fFy0~wbi!KHg-a)DW?dALZ@6Xq>%+kjOPh0N^S zt!^_nW3yQ!z#&;&$mvr?vs&rm# zq$||_NzTO;LA$a4obV-_V|gUE(c8o#Yx{1TMI32T53xpeXU7O>q-jp#QDz7XbgV@l z#z>e`nE-3W?r=tWoyobO*MbuD$V>WgS?M2oi!zr+-pYritO}JGvqVd<61t`(PtDXG zph>#tMlxLR0Nc=u-f|p9y;>qT@~UB4-b+gEH5812EwEqCSxh;7QZd_oj3=WC6Q(ht z?lTik>%3u%pM#HpBtTsSbCe(xK@5>Szt{fO3*ka$*5K#o;bTmOQqkZ^d^6a0EgDoV zvh&3N#^8Wpy4rMa-&M6PTw8e{uI$WJuQl$xNL2RCwm$D)d$)F7h>8zV6iz_U;o2YJ z;sZ3%z6avv;-d(x9orb2%*98OB&11l~IQM_4mu zX_vvCgULX5*7>vZVv$#uQncv}lSWh2Ef&cVg6UE4UoB?Ut?3Bl$xq6nNOC_uKg7JkK)9oB*b7==>|0VqTuk{}5% zhD&pXAW4G8(559xQ3Rqp5sPL-7=vRJ1~!dh8X(9p?aQGV(F{ey4znjg5Ddg{tdsvJ z$!16Hy9!9gnPC0Npdm0QPec>!R}{8@$KuSSS?}Qihioos^#s}Pc``Z&AMK`{DpF|CUs8~+O(I41OgK2hgpenEu~1WLx)Vn1;Vo2NFC4duY}Y@SkiyblK9qw_SR zo&L_n{WvnuY((Pj-M{hkc^1fEprZq@2tCWm4nSX+&$Dx&EKK1!2$wv{-Ra%}b!Xab z_5~r)XC3PFyrhT|D8*vv?DRb0$@}G!GBqb1{G~GkeOu$~> zzu3HgE4}tSAzOYUZZ4kA|6lp`=Ar$+>b_S$^F#Mn?ZD;sFE(i>S=)VRGWVux48zbx@y|MJ7`m*-?regIxquRJ$;vw2>m(W9~ zT9cdoEK9^U3kh}2O+GG!QCRehNE6dVEMx~lnXu4udT}Ce!kx5Ni zMyY!Dpbn_a=)@vqjIoDlh5>*?1Z=w&vd3vtf1qd#wu5`~jnmSb)m^+J)p&93kB!$? zxuZlREQ-9hn6UB>)zbC9F5k$s_WiJYuJ!D=E5f3Jr6*Itekrw7`!iqM<6}{N^m#=f zhBgf%oPeXRci)`?^B>G*Vw9VoHFo~*&GRoBAC4^FWBr*A2d`ZqY(Z|$gdql8IB&+a z$A@eCZx?FUCsDe2!hR-e=jO~5cyn!?cvtyYJO8fw@i)zS&`*5TF;%s5A zcKK}Vw-ahA8G5qEB|crgJlqzF*DH@NyKmNIX^dF z0Z!oM_oi<*o>pJ|p>o>RI=R1j_MCO?`{ur*tusgebM5R;?~bqC8JXwA<`9q!=*6k} zI<(57KmGZCJ3p_5W~B{r*c>{w{CMr^^3K}XC-u`8tgY*(SD!cE-CKFN_PloF$oix8 zqtWK2H}!)bhBDwMfHGM;oRmynmKm*$Ug~zwI=xP(K&3$C?#g2G@M*uLvHMWt&e>nC zJzINI*(sT#3M!zSlg2rTnq*wXNirJfgr3`ne7sK4v{WoIX1xhTZZ2U}-?^`#Y zOfhPHkc>)`MlO$^svI4yP!SiX$m)ycqcla82dbYW&CiD#H?PO)$3Hc89hjnG3WGvsrTv`LMBbOTh<3P?kQqygMKPBu;4bsa1`#Dqnvq?Y#&8^?i0;k8&m#6 zq5^cGlHQ4>%Tr9)SsIx9(Bd~FS&2@IcGgBpr`$}~Tgf(ZXk#guLy@E>>iBBYRAzLm z{Sl#gdiu3FR^73&lWe{C{F};$wWr^$-)|f_&rC5ov$^7YezZKV5bJH@`@7A>C#IR- z)o$Kfxjsb!i-pz8>j!I>rctC~ zW=?`Kf_xGhW;w|&3v$}{MXwW}S;XF!NQBcQAbY++U!6^VEXh5;694Pk-kpsXyQ?q% zYvlyKx`U~`JX62-Dcjh0t+Ds}*4xFk&y{!0iy!`Ng4N)Ur-u!h!0=NtTc)`+!qqt+ zZ=Dh=S6h#FtnXR6Q@=CG(9^_C+2q1dQo3kM4%5l0=i-5&B*>1a(yfC+f$@`yFJG_i zepK6WG`04jasK=21)k+#s3xwwEF=~|8@t^Jy_uN}mRw>{Qt3*%bUjfPBL34-{htm? zZ*TusNB}*BfW+o9=e=S6Hol!-zTUWbu(|(X{pOF2<7a0Yx38?6uARGDe|e{I==G#F zYvN_GNSX}k&2zJPMNi`$-hVRcM4l-Ai*q-x*YGo)*B>9RJY4y_eqzEbQHIPKgG@Px z4W;H&L5bTz7^z7OCFRC~HRQTi6VQ4zUR7aYjPB6!8hes{=(77*t}BEH8CKXxA{aZ0pJsBgnj1G*6>=M9;Pn1A47Skq;1J zQP!?aaSLaY!J7ES7g>zFV>_AFHgA|Cl@2)YTFjgJKW%o}(XZtgcGP)^TOoBt`p+() z#2r8;*oA{y@wHH2NT^x#D=CSVuf?6q!2k8E^KO4ZXkVQB^+@1Ewv6NdV!(~SpPxuXX2hrFrMe``|?mKPEMnN+Te(? z88<77+IHyqlz$2}Q^&SuNPRe{(Z!U8#n*lczk%}I#{{VI&yUB=I@(7yl)+P+SqYpippfmB(C7b zp$LuEhBjkDM_3A2-+!%k>%MsXUG3nJ%-Z7mr)j3aoJ}JZQ6A0wP--}-#+gFIA{NPs z94l}E|FP0sNo9(#PXc8Mi`D6}I@p76$k0F_W)?x2lor?A$m}Nwn#2jF%Np}PtLx9J zW{HqxDEtQN!sgoJ%G>fJwc4-GS+b;Z-cJps1LTjR@Q50%=8w5&XkIz8{Q4i6VD)JI z!Jg*vOW^m7b04Y))-Kj=UDwuj-r3kYp&r{9lEXNj)5JZ)5fpS8r&}^Y7aiB}H-F<` z^~FDP%lDdBA8eeh?%a5^cBppX^V%-Q^6tj{*DJdxsabM|C6bLmyI2J0l+mDPPCY@< ziD(U)fr_7@Q$F)#%_bU;LskDtg2$uIlq{`4{UmAmYcRnJ7=`PHSDwZy$7*|j{G+1z zTmM<~&eMjmC&s1L4UtOBe zl7&(@y)e9xSyFzF#xs=U)w?D3ET5_6}yuqFpp*N+Lrc66A(jD3vXYw5&TcQ=(n6g%s+ZosOc} zdC@Jidfi;`8=l@2F2vMjNEC$B#7jA$;?(k(KU$&`yr3N6A~9RcuBTOUftK|OZXf#a zmTN0ndB2?m;=#*it0V#S{J5I>gNtk5I|F?$FrUxL2G@k#1*GD_Ym5L(;Q|1gZQFQ& zHDTzrM`)X>L>rU*_?qUk%dIOH>vt}#FV-&{TVJg0-%+fcIXHy4DTg?48-vZ7aOAZ; z(2W}-qS{%%DybTSzL||$%(ML`btD%-1DQ9C1>Z>I+G12JiW3SQ?kpQRZX^b=Xg-ni zcI-f(bIzVhb;X_q(AkEy-8V)S>k)_!Y4Swpsg82MgMzW77L*t>HwuGsN{8NyCmm3w zA9<@>%x_xOedqelH0xB++^O+DA803s=AAPq-8 z_L-*z;dqItVG9TxYxiGYD#Yu5KSNMBgVUhxc{T#GAqhlc5TIU#yAJrFG{5_OY9SGd zgH+BN#9aNM5{vM#azU+Q<;zG+&V*aj?Zd7Y{>r}9y|t^4|E#kMVrno*0SZB!$K4(S zG)^Ic1c=w&eg*;tQUDQcfX75;Mus8)pcsrM00j|7GZ>G@{R{>Wg;9uLIJlaqmj@kV z^>{aR6}=jkWSf&MDoct*>d-JshLpsTQiEJ9Dz%*?qNWA0C?6uTZMTA)Smbbrs7WxH z85|>N216vm5y3DNLhU;hUYtz*)|>6?NAb#~jdRPN{7Z|g7gj!0Zdz830xnX9ARuCB z8fS2-jqs(ZQSaW-`1uIoG#~)N5QPDZAgDHLqaaX*!5~C9i2<5{0FVTL1Rn~8W&&{? zlb$Qd=W?N~z)_qsSv$l7588|-NrpfS4*A4@p=dw=mOyF0(FDd31671h@e2a(mM^$8 zNtO&`l$lI?o|dz+U0`eq1r{F?f;io}a;|p#E#~vr9zJV5yxw?nzkc&n^UA)}y{iXX z7jFs4Mu*6Orl~fDXoR{HL5#)$&MzF01PnzJI5PzpWriSejKFXbAe_NT0^=18iliXI zF_PqhQE*%sj8X`v71q2z737DW_^l?bRH-QF2zsEHg}*A?B&0Kw#`2KfHY+FTsAMwU zq=(QP3pG*c+?~y57-^ytE_!6CY&e!vd<;R!k zJC+g)T*44xo!sNib~FTGh)K7vgfS)yeG_2>VzO=97BD6yENlmKoa`T9cRQbSm83RS zQoHx(BmJm!J#>j7X}7r+@Y2`9n6Tj?)y2y9mFtb``<8zEEz>-DckPGDgXa4itBcD| zsg=j;mnK6;>UZ8&4zAp(-do=P)90&|oA$Mb_3H=x`pSXov4!e~^;^x`$F_zp!63qE z0@4r>fMzy#267s72_z|s#1M`UL;x~4ML~XW2~G{bB{&yb(q1<^0FPWsDgCPG62FO} zJX&O%5@53Z57p!K8y8mZZ~qFQlJoaJc}l9E^?Bh!Y0rU!fX8E84Bl@lf{J34Gs z8B>Wx0WFHM;S4llD2f8@U=Ks66Nn?4LKI+-0Gy%vsQzsC`sY8j&U{L4v>j|lkqzO- z(euChMg83&sga9rz*O`6xQ5#E-RpPPc7FlN#BPpAamRp1u6KGSr^!(L-96>@Km7FW z%yQ4cpNkJks{23n>VV4tolHNWdo9G%{|f~IbGlWOSVWX#2qt>RnOTO3h(!`55P$+j zBQCeP0|LggW$zHe1Tr{HLuM3WG6N|BClH1(A&g0D&*hB=-_<_eYrK8#s$IX*y7=iI z^}`2iXCH$Ay?V2O1kl(M3dW) zDuxMvm>x>bINcg<`6hmxh_3Lb1ZaJ}Frjo+JT}}^0R)9>mND~RWvm@-d_3Ox;e6}x z{rdg4^^a%eOzYm`%Gr(m_2=K)8;ft7Pfk={);}DroxD1sGII`+@LN?x&qt~69){x# ziQ&YT-x&Qrij7EOxm3Uzr`VoYL+;7vV{?rMJ2rN2oUh$K7yDgxU-Q}XROQvm-ultc zL*MXUP-@JoLQug;REKie(W=DKMn<(@QMiTtBoiA~rzlZ1A5lW7gWCZ~y&XW~$zF0lUlTAUb5XdI8dbqXYT;s&&)jLG4`Tpwa z^VXH4jW_#RM~_!8|81XT9)^StiA7=DQWzbDp`j{SSr1CgVNePH8w$oe;;a!f z5FwmE3}Aj%-)*&!D4N%IHBVexx?4R%SWBymts{5WF8^lzMC0(IeEr#zcx})1l}l4} zDQ5!Bh)O8ux8x{7J55hp7lI48UM3a|*U}D+hGaOQcZ)?*8I%wG&8G9~~^i*y(d7F0C)akay!>bV*v<7D@|DZA zo%c6xuASSS&}^LiV}0+@+NF;pm{-|cSP`)B$FXkRc-%U@YwcX~+7oN*?4#z6yY)B6 zmR_u$s9n0=c<^!c$6v4RoSCDE)UJegAUbD`nGL6yUS3HN=qOp z78&f)tj@u{`VQs9A|2adF6kGHo)+cDD|q7$z14`oK&+&r=xdE4)LZ zV3(DId`AP9zCrczq7J??ezLdZE{jSMyw^2q2mg% z$lNo(g{I4bAJ~%d{-b8{1Ow6-V50v1vuWU2A1y6>joC+*ZPFxA@dwwhKYO}#`#X8L zartiT;Dg$|m({yJeRxvebK-9+d)6QRwQ>An@rB`01 zze}y%U)%N5hvR7N#oC?;Wpcv%E9jCQcMc^n?zod{CXP;9XUPF%S+R(eI@pF{UT=4Z zMX|g=Uzh{~U}h)JU)k(en4;QH$(`cuz4fQHQ}0^0PcjoaEtLqkM%V!Ca{+#uf#qwz zn2=vG=p061NHtksVJO7|82LPt=N1|?1@%d3LCafkVCiAw%zJU;wj2APz++0U4jaEicxL8C4H#c$?VB`k1kzaYs^Fzh-9`SIGtnXyd$INc&e~{4%iV*{qC@TA&~7vH=R@A9*HG4eGm~P zAsl*R;M8MEcW#~p!gu6Tm{RRYEX)dKHLeN`3Cs~Hn_yPm zU?OV12&#=EH`lK=7jJ%z5F>;{s=_3_!!d!_8*8SAXPe9=V!j!^{aoO1C*r@#rCq?sOCo#mSl@kzCs zF#-AfeY||9?+nTkHk36a5sd?!M*X-KJr4TUE0-+GFAdEr?|=Gu>8JO*SMCKW2di(J zr{2`}?5TE;OhOSfF&r>BBM?Co0-QiJ)rZrhwB!)v~xpPymsD06-v6 z1qLBO;53dv|4J@S5@o3OjSsPkGbBy|&<)?w3$Yqwd_X@x-%snjOb`@cFbZRbSq-YX zg3^nzTD!fYSlfNDb@j~JuG*W!wP(BQClAhy3wAOlEH8-xhzOb@g(eP!I0G08G6Z+# zP`a$%Ej)1yz9^H-4b2_xP}b5YXTmi1{aAl=YRt5t2mm1h-G~94SwUlfq-c^6icm8UQZtwx(rAeBF?-l`uzwf3fY z?(zD$jZ5qIf8H1>+Ws%PcI92=aVWU9xO6k1UAeY;>=!G~K>yFxH?=1(tNWJj)*ioU zecuCQ4o6dIecEsGt(;$ZQTzVM+MfEmn~K`!N3ADso0s;gmJhTp9qPZi{Hc25Fa0Nr zEw=IyP|F{ikB+V1ubn^AmHqJ{SAJc;^s063MdQYmUx200^<(cV?|##`dHhecllxt( zCs!^SRo`}pgx`&V6H=w?Nr6Z}k~9fujKU$tkVH2U7_TqiFjXf5D6&mQ4RJ`~0K?iR z?E>Lggjc5-3?Ldq6bXRP^2BT|mxv%o_O%6rSrfxuq~9gHL>0h1=`=h0)@Emw(iMh^ z(0S*Tc1=DR(;5ttJ?ibTMMQ_C?rhO z0!pl{t{^i3ZxplpM_$(GX3d3Iob|3J5s$~DxWhN{ZZMNkD?(iiZ`VFBk#tTzDMT&f z%11iOU8POpBb-9247yK;Qxplsvluj?Q7vFd~;(;iM8viV5bVls|aWH#&J z1hJ9hQ$tP4ULzecW?-i zj`4m!2?!Fm744mq_dP! z1lz2Aqa|yqNBc#)qMn?3Y`M_y*5ajPlH!&Dta0$1xbpbdhHta3#`l+29@bu6X~#+*z*Wpedz;0RjaX5o zdtjAdTH*@B&={nO!8WU-agBZuI7Sj><5O7pl2l1&SIpXNc#bCyOdswsgx63~F|0?8 zx2;Pq%0_BT9WBLe^`&quvL&>JJDk)=!(InJR0EO(U@+9NBSu4_Y;HWDM<3eXFpUX& z6x#UR)O!&mI~$~pog3U#$q_@gl>;Gb4yPc7!M0NlXDdViP!Pv(O2FZq1dt?{HbeNN zU67<9g_8*2kY;cM7)0}VoZ}3IXaW)#2aA!wl!(%&N5Y&KymWyu$i*U$EtIs!HWwZj zf=;n0XC{iJ1P_3NNT}q5SX9uZz7dJcAsP}stJ$le3Rs ziBnQ^G0x5=)rE{|^{l_w(#LG-(F9GSVc|y6nc z7b{zLE^O}}OLo=Mr5`J|8aIwMAAkIVpkPvTJ9rYt6M6{4A%z%-)4X!YKnw#UWTuEb z1aS%@83r&2Z3-xZV+S>WxksGTh2C0gO{e?5oEvYgM&7PB(K%>io%%Sy7O8axpCRBcV0 zoe>=iS+<6E=>adsg;c4YR{Zq-aC6VcjeD#68mC^(FTE1i-(2nfHCDN{y?OLiuyy;~ z>Yd6iY%=zx_3l>V{ejx~U28A@wtk`dpmF#1+TC%nREGB9-Ud!Xn#K`Bkrath3`sNX zpih(VmKehTipB_>fdqjwB%mlZ++_s0jhBM+39+cGcPKK^&h{#am2rnbEHX>-odrl^ zl3B%~1!x(<%XGZWx_FuPISv~zgF3rGCrYAeR?g_k3w)>Sv$H>d#Lt-K`(GQ@j3h>Bs+EIXTFF*dL?Bh(#)` zBJ2(eU`6oad@>aof{2g=gE17OM}m+*3`Y!s+W1#KfXK$9c3jg@^hfLY)5e{XjVqVA zaF1AuAM7DndbM$S{jqU*$J(XVrz5HQ$t$_$ixc&`-#0%V%6~!Ux<>o7f7i$b>v(0( z1eOdtasx+*V3bxNU9$gdVCU^{6%!-5|99k%m2*O)f+7~3SX7)XYkN1bI(s1_6N{8a zVnLG1_q^iGCU;3JDuAd)Eiin6h*s%hj~)RaKs3{aWe>r7FaRNq0}2R@US;R%%i4}l zwOtoBPSl?7WtNXATKjHQjwE=8boJiGnO{~Ot=?U_vwX2~f9YB6^l|R!YGqni1m_>& z`h|;?hx6-uSI;(HUus&bjJ?<-6-=mv?@_KnF_m2FJ)~R9{pd zwf3E;-#@>0u=R1Vb^LPc?aP%@tBdOg=9@d;H{a}Be!aZkBQ#z%=(34LR;{ZChj5BT z^X?ucsne?}hWug?Qs_+K1x8?`auGSLHgt{!qk~T{Hk^E=$|&Ov_ruRjZ8w7&Kf;&d)UW6I@Ob_4_5ZCA8j7K-Mo5s?Of}J z8k&1^6AW>ZeavPt;%SsOI z@eyzbL*OJLnC>0=7fu+TNgYsR_}hKr$IAEILNN#!496*=dqwt@aA*DPWMYK_{GRZ& zD~~sxtR4Ezw%W&w6FS|IPY6w?9zPu5?~p?e9P7{5CQVO*A*{oLno*k*HgjOuHFv(` zD#lgPsix;Pn%{lBb?Zd+dh6hw^lw_HuGVhuiq)U*n@~G7J$+xt6=^NMOe|kqzgj=N zqyF~egyJ#_;bF&FI2~!LvcBiPg0)wVo7YaPovfezq50#P`t1w< zT|ctZN=&GnF>M4IFC=D%=SSKdGz|yUa%ug+*?zyZ)#DM2j%l%AkvRHV(s(hlWyL7tM7tL!Qs~12!M*rBZlN5)ZO=(OyT>DXPXuV4; znzw{|qbTIg9E!*WeI3V${%?&7NK!^?*43MnV|=1>v*f^=Org~I^|OYaRR1e((*Crx zU{~=6c3Zt$JNbw&>~v+9V?wEV zk4NK=I^x3=-R5Dw&xmDSpN&tNPf?F2PKZU(V$XCKQtY}UuU{@=(Xh%L;NJ-*_AQb` zJxazm8`5!eoiimg{DQmke&w~Xaqs-ni(+f>)y9F5O+Wy`^r!Xr@}-9xPgicN++IJU zUf#9*u6632v3c_FFZ>g#=_y#0!vWt4+HBGgC^?{JQty+2a;$(!onlcQ`q#Qs-gd5?ZvIet0TW?Ui;K~zo+@&V{P&2^4s;@waZ6SQ&f%{ z(QpLR%nPmLf{ZmP*I)}63rCi*e$PdVa?C}r1GOqxdh3AJE`}FUoFrQ;mvTtqXkAP;hfJUzjicwc zukTnt(LBGa_332&_J``b=HuPV4_2pPg(z^Ib=)rE13RnCNwFw93E@8&h#}e4FvbAY z)0GDH7e$jaAR+T}N~Fd;A4>Thq(Dd3emqzdubr8q*XCkwmx>0QRJU7U^+-91@}hK_ zF4ZDqi7DH)n0(fzn-z9itIG%FS@q-HZy$kUulorG+L1+9+7S3g-Wc%#TA zlDR-Mt1v;WSmbl7l97;g!W2+51y)4S8IgpR^G}LoKB9AS<^)Dy7!643XANH&wT1*{ zL-Y29)rXSGzU5ENJ$IacS~*=i_k80}<#Xla`mXxjqw}>F52oq0*>cR|o0XcyA|)2f z4sQl#PeLsgrLt(&Le6`_uAx6>30W!t#UfZ_oK9L{FO~QdNAAFbIhA(0g;Yn{zS>Hu zOCJ;dx(_BQ=P@aGFBs z%g?dKTNb0e0fI@fDC1?rXk!JN&mtDdkvghfh$VErvl$_!*iev1;vrf8xvw*fQKTI? zvvf+ed9=>3C>EL6^GS}hVi6utCfR1gg4r$>6?`_3)r?VEOH4WK(m5r`fpwow0o@=< z1u!_{@|&IIarH5+V03@K&RK_J`J? zi@#_dKE1wk5-d8t5E>3{$vF-u&9fHyf|o2$w4WCi+(4%li;N1$9^$ww-`**u8PsiV$!{nImQqtoHBGUE}< z;iv|ZbMg2BXg?OgeEVNpo-BVek*%5gQN@vch1594<$>x5Wqr z!x#yNfy~yyX2lZ`gB=q?5-?;XDca z6bk0NWZJ=)wWZyX$zx&i(VW&JCMKJAPzp<4xCf?$|M&Edaj5%<${Syhxg#B)3IW`` zHZ3=ddhY^Fg!*fh9Geo$8boK3=MjaxGe(z%VA^5!Fooa z@$I%0g9h20*~n?TJjH4I42?kq5J}=Ajc+|XQI!ATkE_>K_BI!H6_y@NXe-TN1R@~` zD4KwX#_0AXjS%jCEbI{yBtsywv($~k9wERW%}{h7a^LeKcc`!kDam#k$%}ae-agY& zr$+Nrtkb@Uzz>q3F%pA-1`LA$MG2uF0Y*c>FihX=59+K5;2sB^ z|Au!$&WMmlrpNnFz5%h8qf5**I;=QOQy7CGOkhxFAcZqHMiP)as!6xqBeQ26bazkW z9oVc@Aqxics(?J>9~xk7Iz3bl0ZB+<3`26p*7LXOqvpO(^)uJS)l+|5J}f-CGZbvE z7eD~rN+U=@QfP2zAdLZ&>3l=^c%`JNoIBBlUAnK&g6b{b~KoJ4@}(X|1n$;G}f@l5FL5cPSqA zQy%hEUjDpsyme&nPd`5PRQ9#bUtImLb}ioRsIkQS!@kM{!9YX;oT3>VVF;2GHh52-tP)HKzlV&q+dF$_YyV=(b9!3d`* zM3UHuw5p1xH<|hmrEJ`5WVF;0b_-Tju_mvnxtTnx-}>M<9Pd;g_wx3gT>SpA++VM$N8yw%QkL_N?l zb=L>ylPT%szMlh5WKMb|!CaBkdJWR^G=6KQtXvy5Ql?<9x5gNgxDGQ&%f?QB3D}Yu zT%{DsXRGvT zw|+c3ShG6YzPUW>FZj?PNOvFC`>t{5?8@!+C)GXr^>eKYPwJPRR!=lv-~PY9UA^3T z_;TeEweqO;=w(kD1Z-6ZDS(p<#Be}R42D61?hVYA%yOHN#By@IB&R8|QsZ9D_+H3T zYBGv(+H6t#TuDh@OOG^Kw|Z@TNA*?x@~Nf8_5I)0pPsJ$a3JYh{^-yDVnRb_2n=Be zkdOvA2@u+}5x>kThYSE1La@vFz-PcA3?Ulg%!pmyC0*s!29pwXrtkOHnGg{K%T73y zIp&Klq;*_X@a)sZ-OoQQ9un392}Dr@iBY_!8iZ(56~_ruPzj_NL{TI~OrrzNP=Em# z0T4hGPT+v<9#C*~K#ag4!tpjTuzOJN%zTLzUIa{EL}o;J*#FtxB}Ye*A}Epuw9vuI z42CF%qNqLxWPb#=m9_~Fp+c(228TvaHk2*J0K_mIC@XvXmhYr%*M5uzH*N?I;0)ZX zG6iW~);kC&NHY}bo+^xvAdTTT!Z2pKqZ9%sD1spn1uzCNB*m}8&p^lkiooc0yt7HP zcNWIq53kL(k^i`HX6;0EPjyFY$B}&N*t5dQ&BpVGJQ+|jzR#CmZX8m!K0j@qS&aOH z=PPNd#P^w^cI^FJCk^A@{Gkk+oU zqjltb^T=ZB!>Q(>x6R8RnrA*#KUDWDJwweGcN!lLHTT`Dzk1btf3U%Klr|%+Pe9DcY~O4Sg?L_<;ceQjk7AyIDWi# zZ?~>?`Nr~@|Fe9)+hbceFu*W`Lz03NO;aQdA?%+0Ou;}0Ap>y=10>1N1c{SO`#5Tg z2L?J-h#62@_aoTMh}84QErUWE1qKKT1BmJ#Df4X<7}%6a1|aS-(}ni(pYYk7Lu*XJ z8R70fI7Q=-2HbU~{$TO1nYGJO`|AGszTLuW4Ma2vX&e$1-&%t~2mruwLhxjdWH5|k zFgVqT!3+gRfRiK!0fkcp!2nu-dX)hLK~bHsx+k9LTg6mywD()1RjBn0LHC{fV(sJW<$V@%m`9$RX9 zLvp?}i))jGND>PUE__%PWjbLD^-RsF?a9DEJ)LC6_eE0Bj+A&zoF=CXr7>;pjX}cd zbVt+@_89mqU()@ljMXul=F}naFZH_BXF_h%oIkABc>D^!eg_N;ZMEBNL{Kwr$Lor! z5RPOHm2dJ0jCe#4ISo(qw`RZ_a$#ZS_JPgnaacNMNdiV|Ecr!-yTLb$Mn4=azJO%- zxZ;CxmoSz6xC$6;gh3gTk%Um~2Xz?cyBo==6vfIuC|HTE*tTzTCX0@ zCBKHzUUuteRXsyfz!;542pCxy_%d{MSG^&w^h7mUPgy#UtR9ca=H|^110ZE@qZKz7 z&(tnI{k3N8ZR5th+JRm~6(Q?%)AXWn&<CW#OXWwgA-%n^N$pDf> z45S#m%|Y9VzPD9Y{8BLj5JZ`>fbxZC0sx3ZA=L{KG($mzlMGk$vP*h<#Bb*zg2V}oAcZV-ND+Xd z0idTd^dLrI6a@f*lQ@7hO=AqN?gdGL#2`(RgG+N|v1|*B<-8{mNugejJ;r;y7*@!E zL+9xFI}KRxF#xE}9X?BCDlT--Oa{dFOCRzJjSCN&SDtSCP}n$OX&gDVyuW$pPVKjAett+0ySw` zVH8bc7)=0-rU7JVp%b7Pf}|+GP{cI6`SD`1Z0igb$C$1@tn4skzWeR!hw7C!0Ri_@ z66RzMGvxdB-|L^Atsh?c*gC$$U0Zznr`DBst)utqrykYrUaj5SrTo^?IPhrnkbrCQ zyZio*4}>C`uK9|_I!T>o@~yy7LRyWeptTSJbbq+ zKI6ILxAjgkwn7b0Pz-?~h9NhNHb_9c8+Bo_VUFQ|`Tv;v&h5sLYu*3z6g+)wx9zd) zDue=xb8R0+iCGdeJw7(YAX3aZIIPY&=bUq%j_SNtQ-RWR4AWcOB}RY*NUA;dz5S<& z0#pU;O1rAQ@7oXohJ*|QNelr!L>XSJ=PJMX(fF-DAjDE4jHxU#$ z&Tn^x`r`4WJxh1$hu@Sw%6_+cq&QZQfmAy>IIl>Wacec%xGK_L zazyO2UmmJo`@C|a`t}{?4HOP@hF_YRjrj(PGk3-1dqUlwrZj(B@Ynv$z;ak*G0a~H zwuSs=gN(^PGh`jrzYOLsf@eBpUCy!>xt!{5&=kQ{Z{M0X5wdpnEd*A)z4dNE<)@29 zNOHr834CBaR?Os6ypJpjuh2T?Y?`EP&Uv4k+?+uJIUgA&L)}QktvtI*6auTlVHOSL z2Q3<5{F|{SaHu9#V;Pk4_~_xr3`DXH-giM(SU7EHMtXK?$(4>u; zaF1eQRdlS<_c?d@X2u}NEyBDr` zuVRh}S>*z80Cb*!)1^+$$w}d0025&OZT0%awGZ`s7nXN_SG)UadEe6I`oR;p@$P!* zhtjqB-o^EYypRB%oZn$2bYW{>Sb&6cW=h+M3^1#i91<142D?9H1$}WgfB z<%S3t5FTZ8@~l)cixP6DU(q^xbjxS`P%0_Rr{-G2M?nt)X*R?Lq!J%L%z%-NMty|L zoAc2!r(1}@)eSK)(RMu41zl@val_&0DjBv98RtDYH>KuyB$lQ+Y22fTMU9%YIuaW< z2tmfEgqw&zfNbVsB=5{kDMTU=G$EdlYA%HOHP9)Rp&>)Eoo%eP`=v3ari8W6wMP3l zJ)djFHJ?gyvfEg1&?M823f2uK_HJ9{{n`4>=e4)H8oL&2`_3$X5)(p)m_>kwtq^v7 zUKdSmxT`JDfYAB~BbH(?*^C-D^1y>-SPCPOU=YbNGy^H22nCR2C`{1^!@dv&C}kfA zPf$SQq*RhK28~&hAv-Fb06_wRhL8pr5F~&MXoA26!wEFb-YNZ1yL02O+Q$A{{i4GJ zNimp4B#SXYu^WrxaYTn9Lx7ES0}DtR5Cn^w*i*5X0TYOTn4(B_!}tt@L^CphK+FI| zcCs}gwx_%;TR1npCho07&Q(we#Q`8?n~4I@_BkdbI#tx0D9#3jBLPr|p&>~(*SG^w zI3UfC3`P`9^Lv3RX_pK4g0Nn}=>=0$^n5YS%MmjGLQIqVj?mbByL#jF`Yu)d-V4!4 z0EmKsL;`UDCJ;fAEMS0GfDQ^08w>d{A^}WLBugR)2@*2|O92|QLZJX40Z0ZSf<%3h z00<1lBLQrITY64`A(_)~u>FB~w_P|)01T^t(l`Ny*o;%D<2e|4D~k+M^P$nf0_LDM zp3h`D3-lrJ0_KeRbUK~~)~RG$-k%pXz^)HYPlhOs+plzm1m*pE&w3e6lwhD;;GuR1 z0j*Q(GK$=8s?0|+E|aOfCng+4fbm#0t(93@uij`6db`)nOtLIRYBZfRZt#Fm3eK2y zsZB%>kOv5q>l`8p1`#Oe!t%Bv(y#ym;Y?BCVX-~Z*$fwsA&`i-vf_jgh%L0pQR1Nk zJjHg-G*r4X~T+(7TDi0ZCiufUFZUz~J+6Qku2kbWSOJmibLr`P#)#fB!~svy8Jb2Uf zlS8EXxszXK(nK4xFF^yAU@${66oTv+lja0LBMcBrV3LIpu@uXYT&ez^(mvVTqiwrb z&6qA+rTu1no|brh%oP;U*dMAt(5ZmF(Xl-PFN`UhKiN2Uv~u(~N(l(&H%s_Q_44D> zF@1M&*OlFRT;9L5cll-g$?Fd0zF*#b3&Oqg0ILG`ZZKQ8`J;5q6`LF=Vd>hpq4kI5 z#m0>{>$^)QtB*d~>W^Q2CsNpajCFfw9myy+XY*jDr_1kuJ-K$dartxg!o|N-U%sdv z|FCpVL`uBv0@;|nCe;Fo_!0@Om^fxhmLl0^i{WaCvou981VM^Pz;FG7x%Tu}>2>wM z(fXlXzeHOFwZ(m8>6WE@r*{2~yn6U_{n+u{vMxEZuABitr>bj4_qR zU~fiW6c8J)ygl2v^86Ro#n;P=YY+a~c>Bu8(He*Ue`$@+&w2t=!cyP!e`wtMJlEKF zY<;Kv%csir>y<o#$RdKnBFZc zyIjBecEs1jGFG=O?u_b`R!x7l*@YaMoOU`by0l>KwTCx@#xIMN3!h78*PaCDMik|; zxD)aIGQ6xUBX^*LuxM<3*N5`G5!t#~x5)?j#u8D5PUq%)3Ssrz(u>mF(&A*}@`tq} z<;5?Le|-C9?eK__{aRTBB_q5vBEV{_yp*B}_tiOpA&F_4rT>*WPbg5vkFhT*_&JRa zH);pYG(PQV>^c5_^2+MbduyM*JgvV!*q@DCF9V+4?_~+h^$2b3d=` z*(a-Pf3*6cer|E)ZT-{L_1(2Q_iLYzM3;9o_T1b$qS$%f6_eD*ST!#RBgDqF#)m7K#_pHZ7kBCpPkvuIGU8oxe5qlZ zLhc-}SUhSFESg!pxpJrUL*?@I>b)c7?Y|mPl!3|Gss6k}!c)ao$@1;exlx8r7Ug6x zVI9AH1vSK!MtB%6-(5Z7TE5e`d#bT`^B=44Y7d{RpUi*zx3y=r7q6TnUSx}rulHq% z&S>~r>^?0Sf!X;5cmFF{;vT{GsqDP@yGfWV-TD46g;Dd1Dy;KN7V%hZ$*h>hK0J%3 z1WP6BZ=ZT=moEP=wRP##+S%%x#|qPy>aDYt`$z4o*G9YtP1@|^*9GZ}o0S3KARWK2 zzIsu4a%$~kb;rfh#lMXxR|}ZfEMGej1jn<6h<>-JarSxj*tN!^$Bh>k*51_4Kh!Oa z{Q3o*Q%$?grfI&6dY~^bK`&InfCBV?He7*E<~8}{vy*v+&njpI`O>@6>*|#cjeFa% z!d$*rd4D1QKWhgXM@CKBlPQCki@0%V$7ElKjX@o}xCQyGAfM5+qi{)v2m$6H<%r6r z**Qx$DHn$NM8^vmBE+bQ^nOM)rtoz4(icoAxluR2R$)+VO8d^WdUMRyxb<)4m$kb) zs;?hZK3=Sycu~5z`f&BL7Bx=3NUm?IzPU1LoXleWloXzu;$4%_RLG1JmuIZ1m`N(h zaNWpwKnn^BQVFG!2i^VF;@H`uQCqr)of8s6KG5+dc`GrW?wh_tFAb%WN_4PL93fHI zT)>Md6t?#dcmjna!2JS+1WAn{P)M-Mcmjn4Lk$QNTA)-CH~5>Ln

RGsSE!J13Q- zBdP_nBWKZ}G4u*syBt1wFzO9PJ5ma&87C$&P)Q}xOt{5RusaIo?&Zc`v>*M6T(KLwy% z*YOv{bjMPj8R%co_VCkf#Bi_wwic+1WU0L zzz}>La2!lo=1IMSlcIOK`~^EFLCFmNV4ETr)#T?{i`9YpKYD>pIr~0)0?{-@U`Pyn z_S%sVAI*>?OA&ykNs_>jf`CF_fgqo@^%%p6xt8xOfc1p{B7y{>YF&^d0Y$M04lsp{ zvPnm);R_-OynW4T!)5OLUgw19Cu+CJ~7s=-|`_PWnieB1s6~cua5% zSj^BQO%f0xn!&gYTO6Q*1BzrZLtxO|O?Ic0$)TET;v9Vf5+p+cvdvo-LTIx9(~u<@ z)L(5|hVZ+cc9)Hjdyy-n;#HYFO3tSYd7YJ4NGNM8(veB=x?mWB#u&7P-uhvlEW=<- zVoIzc5KB=MiO^U$&j}hc7*L3$X#h5iLsP<>ZU`92Ff?l39)-xB3=q+TIo4LK>BBv* zUS2xkshqvDzV{dPkGm`PUj3rF<9Yqe_S(@W-;N|*+kA0xdi9nqT;P`_W=k9GhUs(@ z^VUuF1V!-JjmL+}cYj}bx7awdy|(x%R^NYe_3=Oc{BIRy;}8pQ_`fUXURB=hDcy6g zJo(!%lIy!2-&WskTkQnq>!W2qzP0?h^7dYQ`6(>js2;qve!cSYS@(AJ%C_R##fjw~ zD*N`A?=Ri`S#|r)(#_R#YsY&7UHNuAt6E(0C1x*^&T3I2`3mpVgv|CVn{KVY6ceGBqrRI40eBOyT5EXk&yyn zMAI|^q5}nm34&(GK_&+oO@*`3X^;455%lSNykTN46=rfF8Lt3>#t=aa>Aul@{Zjc@ zZkUveO$Zv^Xk6)%O^qk!0Pt()0KChmoL{BZ;FpB8{M2l3@I$k2q6OzNkdv} zkS8gYrijiq{fMCjF*Jg3<0Dv-U{F`yqJLx|5o9o6n`$4av^Us0O%#KZQy{M_3o^!$4+G;J+{sXk>^xU=O5n3nX?2G8Ss<;?3V+qO2wArth(c{*MH*-~MTV!ba+75mtkw}lh6w~^ zu#gceIf-+EIdE{eJ@5qwsjoGCBM8*rvA=TuV%M)C=w!1CcJTSKsTte6IrdE-KtCtT z>590ofF#Y%Hwn3erA&GnNB7mQzFxnydS&^Ch41UnUQezZHj$O1r@KYRQn7CYs0lqG zLuHnRl)wK~>;{mWQn3mC%LMY#tX=R`YS&LU9$q!A?5H1ox^|~>{qge2ME4!cfg!KZ zDsRRh0(tJ?opaq^nIP+<1yIlSgfQB9b>A;TYaeGFJUp|m=!rzVmOeByg^E))m0J_) zAe!w%@XT?iG1a}$fWT1rGBjeTB${x~gI14HBqpVjg0nfBad6657arKW852nCk56v` zM{G;GJMo#OIZ_C3ex~L4=V*x#M9+R(&~X9`k_!PCICTTNI;Unh$TT2J~$Ez#j*^+LIRUC#54v> z+fft)5R(jo8*5LBLWn{nq*z7>`C zt(9T{+HkpraK8k@5-bBnV80MH6~LQ8)oi&q<9E&>qWhlrF*aV7jJY7ow{%y8A%7lj+SNbUVK8P>8Opw(D7a|Bdz2m79yp+pEtX zl`pUCYu{UYSbO(y96a^q`O3}jre`(>%S8Z?kcOBAY!jeM zF>s8jh{7bGSd!TIOTZ8`O9L(_cfjv5=Tk*6We-RtMeJGN!**%13)>}|D|0SvmuznH zwa~L^t<^3B-0d%nRx0FLj51OQB&LFqXzPI0HItmp$LFLHS(~;t=b1IeNZFJoCzZ@k z!I2Q)ZVmGX(e^UY#lVQxIAhI^2?eg*dssR4w07kF+V%AvG?FwvJ%|aQf?I{AV_{#i z^NAA@pWpBEq@|LT{gnr2YrA%p&#a%N*Pi_L8y;fz>C%NQD~H$i{K z7$|4$ibyt`?NMzZ2WEOFGa=YBAO9SjQn*##h4!c|1b&{Elgdh2<6z_JiN?)SVeTJj+0?+3^_w^92e;Qg?X5psZ0vqex⪻YtPc_ zC;nJ{_n>?@JVO8SZltnXD3=_snZ7x|2NX3jX%J}hj%Kr-fx55B?u{naDa z)-U|7^8Q@;hw9mjja_G}A1_sJd={&5jng5O;An7mI_Y6~D0a-C<~ZC}qZ9yu!mMb8 z)=oaI-aWZ~w{*7jxOVeUXyv)QvHxWC@Zyh)XIBphR`ym&X#EVT?Y^|Wy>jGz>2>Y? z1JdYkwQaA%$=wsJ*)T$6u8WFJD zsXyHI>(V0*ww?I@3)>!1M6*-MXt;-Q<%PpNQ@?fmSN~Og|3JOEYw3P<=iBHe%(bH*Tyc-;Dr^4-SqeThHT-d^|AF72$o`&@bV zp>p%a(Mw zeEm@P1H#(6xa5iGNMWE9C`j`eD(`KU?H2MZeHg*=Wh z!HivPp5`zKI^>e9-jovNfz;2RTE4r!r~IsXV*Bc;5v8Na`AL4vUMl5^u>4nHW-|#r zRK{(67|wrb?EAV<@IsNi4c4MlD!~hCzn&jo+#gt&Ov$AZT_E<&U@ra9)CsZ|6JluC z^#!GmGEMQL=4?I|zb2-2#H^EvfL1Dj{`h3dpwotVPnh%?4I!1-=Gnob_%9TmQgHD@ zDKiuF_5%3urox0KCDXya!3^=@DTH6qkPWfb`%vV-e>k&ZfgC=@*?k^ za2R<)t)=^uGILHUq8!KYMPJmdk4)MKpMjN1j0>r>cRFqazA>6ej7Sy2W=?`UZWl#0qBUknKuGPck{a+p|ogBmD zZe|?QdQsXQkxHDwN#Vvf9VAN7aozAFbany-O{BTHm>HSW|tm*q@PCFpJ8;SJmAoz18h!DsSGdocZI*?cXeK zD=jXc`)y_W`5)h188Jeu7I>E~wN`EBr6@XQ;G)2A7sIg0-YT!-d#e5mKgNN|Q5_5;SPz;GYnn&#__AQ`#WogMwvD2Q|jF+rz4r*C6j)cE2%(PfB#Dvt-uNdU+1^W=Nhk{ zN7nXM_I$2?+VNd&`=}}3X*bbfi%jL@rCOo`lp`lC?B1PnH7?u=EL~i=+PHUk{rJj_ z5e4d5a@J&+6Byxm4}y?XGF32}W62Q9XRRcH!gtUeyR|I)X*d zw8pw1Duq=z1?RA&IkU zRfsO=VXB*C(K>|&j+{&H6QczEXPwO9^J*?FGO&AXLPO;QU{sl*ua+s1Hed*UBko;wo*3^yyL5Oi=ICgjq9pUlGnJ~W%5v>uWAXuS9+&8*%dDj%OzZ=PKHq5Np+ zx}j7pNt_(ODYu)z7bNL)K>*3G0MNTkr^!(-$>tumTe|6u-soJg*f1E0SuJ*e#c zpj&&KT|2&hYMkby^vwEw_F1XK%1c%y(n&Zel_Zz~U6|tCG8*MAy}Z^x;njx20?RPoKzCDGRjB< zY*a{Eizua35+T{7eFPV(b!@R2G8Ak=MtEc>$e}rjlc8D~a-+FW6g|j=+OkC|$=Vm} z-$*1Im7@My<`YhHI8RB`z1UdMTbzc-Jm6b<304MrGNxC#J^e%~q1Zfm zUP#^fscdLdE8LvS198B-)>69t@a_G-Khw;V36~wB9*n{z}M75SS5%3 zA$C)8fmi4PgoO;xv2HQd4TU;E=T9Ae%vIfJsy zw8d?3bVm0f@n@VyIkvYxOoT2tQ?Mbie1-A=CE^Ri-b0fb z6~NXnNLl=|o~a&r-#Bq}=|X<>#_ak|Z|UqGm#?jzwEXQSp)o>TmUE>hRGh1f17?-# zj{7DSPG*MYa{HQXlyoSt<_{bZ^zrL8?{W?A2FZ--^~x-6-Gw?JokAGq38e zUsunLqCS#{LJZMFKw?N!EM&+|wQP#|xCM7<;Ub@Cuv^1{g@9Jp_nBG)sSl}U`k9Ry zDo-T_K68CndE3v|k5qP_Xxus$^GtX~d>%p4EF=g3F~P6|AQ20`g5>BeBzl`J4DOxP zBO~DqwtO-H(j$XNL_-3#x}Xs0k!1iwA$oxH*gD@5q{DRf<66eUp*YHg)if_(x|q?Y zr~8SH-uj0d)h9QXKQEoEKfP;Tds}~UwE2iwoKylpfSES_SAhHi7zToNd;}paUy>ye zB3rVwN zgNQaYu~T5g*jF9_03rbBd~#d%vFNw=m0rJgvv%<0LgUhr+M7GS)UQ7L)7M1m$#s9Z zT*atJ$wEAk&ktdSGLXj&O)Nl9&V%#Zw7h1D5TS-vc3-NW-Br2qymn#RPaK_x zM+dEa-n(+*`_kpwu^o+fhw8Up*AAR*9NM~y-P+m4qeJUAs@GmM zj_$En_TOupax*MXmS_V1X_93iLja2EU=VnK$-byTEzBfK0Sqv~QUD=@7!oz*0z_z@ z;v8=pQX~Uu@d$4uix3GA9$;?LA*>BAsKvXwGwx48*0huyBaSH#={(N=I4ev@$+A^lE{Xf1AjKCelj0L zj6XfBa6A{8H;-6DL;@+HRfKzf`GoerRzIw~tX+S(bWXky|FXDxwQ=-R`C)e4MMUph zPAqyRjJblIK3_OwkGKb1;or$>iwA!8yV9|6eb?vp-Ma6crT1U1E6bNgxWp980tNzv z5g;g*L<~cGmB$}ZLG$o$$wl;8SD&{(&FXV~Uq?U^Z1`HtU;t3r+MA`zzboA@AFW(^ z@$+9rD~mTrd>xHgNYfOJSVTaErI;qEX0s0eeD@bj&rLaf3xvq<$q*1j7SdwFCuSIe zq(~O_kDfYKeBg{h{=li?kD4393kfjQ&vjpWRNZs%AL64WO)w;1W`dn+ee(!wc_MYY4^>c4mA2segU%gv;m6{hWp8=S_ z2)ARTbjmjm6irYhO_1C;oU=0;tu0}T_m#f%!?(X*e*Jy@*5hhZc74-6y*@uRqY-PQ z6L7=EBtf!b&O8A~77&1d13E4lGmK9;XWB|F!V)}cMF{g6Ea7z8v@uIwt>I7iG)V#i zFtC5R|MAoA%7>Sg^ZV;hwktXFVST?`yd^UuZPCFIG;U3OC+9UD}PSNA^~C99+4xQ2JCl z`0sSpxBeQ{j$SO?UVYF(-}3cY5=(n)?{0d^`_>P9d02k(+*wXssfn50_4YBnj%VoT^$lVMr+Iskn$Gm%0Nr?CQ$q=v0YhlzQ?~-C#c^491RT{ClueYx(HqO6T zxwr6#%9&&JYo8lW53OI6S8gAVi+A`5mccaMn4<*eE(iewDHgM0a~C85ge>U9L>|ep zWe5r}BtR5_H|8-$cDX8Vu%5c346jtrg=4GFwZrApo|T81`pK?qz&7B z)A5$`-#*YOq)hE~&?e7wtO>Vvo=SET+moX|pLX;B5M!R|aF5f%IUnVW7^i!{8_to~zZG03{DYRN4%V&d@&02jv=hfzQ<67PmVn*BEnlYxFvYD(y z3;I4D8f6Kk!b*xay)l=_E_G*A9JV-ixG7E1*&+gnEK}Vw?V$QmpFF2_dfqxMv{0Rq ze0lv-oN6Uu#$e>aCk>q6Z08_CWbx<81OkC>T5FOBI}FL7GuDHpw6}RN%L0<5(BJ}a z>u>5GcZG^eC;ZE|JD!8s(r=0!Xo997Vj+WY$MBn4+0LoL5y$Yan^PFgeIF+S z>b~#d;PAR?lh@9zZI{(fU8)^=1F7|!zgoSw@_G5d_ai=yB_IV!yy1c(i0PL4*Jc;B z23+X=cK3d!X5CH^?*Re8vJ6FuIuA5v7zUFF4=fwptWMl_0FI2B=RMd+UcM6yAR)mJ z19EQleQ$nNfBmkszkcP#bmQFiKUXg7Xxx9@IB~Fc>`wj0i=VA5ntuFrWQZdH2@=p0 zrjf94CrQ!>k(d;Z;15{}LSoDa{unR}!O#@TK!RaOf}(^2_(O~dz_Mgh)}$>&RQ#HC zVA$sF`GzX2G-~V?Ch6;`fE(>l;h{}pOGOAFCIO(ZSd|k1L6Tya!Tn&r)!{Wcwb(R7 zt+h9Lw?%?dWZXcSLWzt_WheM;03u8_gJJgjkBuwW|K50XwYvZEKk7R^{ZqWMAqg0k zW*A{*P>2D^AON74*N7m2A%ogPhLPbI35;mS5){J%L{KaONVuv2K_e1UO=oq~0Z>P4 zy>B&Fep+Zeys&=f_p8s=p43i$o|9G%Y+HRte6O+89>_R3#V@5VIk`!Og2Iqs5BJ0%J zg*PiN%b!hIZDZ%1t<^`D|DB7{)nl~}*Z$nNb#MK`%BRwczb_wOyVbpkB#i_2yvDz{ z*50q)slB?`xW1?H?qv6Nrt$W0rt#rq?fuUA^>b^7b$_m%eO5cWz43Zi`F-WY>&k`Q zKYl*2dVaNY?!;g3R-YefoL#J3eZKmlJw=UJ#%}4DQh2f2x8m%oh$5O{NI=mP%^*m? z_F2ei5zz@mu^2+kV%*#}Vwq-a+f6Q3F>SQ!J>5%>LhqjR7e$7i2?|mW5EK#{dPowp zEW(2tqD;U$7q^O!I&(&(k|(3{8ar?B(Py#%^Gb+^Q?s*b@Be{Tk%ncfF#XgmSlxbr66D^h#)0;@Z7X~cVl71utOo5BmfB^L0}pZOy?|Y zFbpiFnu8fVWUZ-9m9ExeT&+u4ZQQh$_+ccVSt!c-UqMZV6LVs3@L-RhQ@By< zP-bKKEWfy-ZE}8ku(YYZ#lA*mn#-|9A*t3`8Zq%)PlP36&oraZZ9=TIsMO6nCRyHs z#gIwP1u;Ek7hSas7j0E{pl+OHqg@tr={pnFIJ&L6g0qkbhhv@9=1}ccf5K*oa@Jr1 zAG)P0TG0N;si>E+q&(4Cd(K%9`O=Q1{gIxLS^u0jWz$%_n=|wle(}g_g=|1&occ-| zy9P~MNFz_GP}q!-J<#qj*v7H2QERitbmokLiEEXS5vJyUsy3cBxknh-zF^lndN#(k zcqr7=yxD|>XX8Ew^Gc4TXti@eUlctg9&Y2F9XM8A*o=LR&MpaPsC89#Yi82NkT~WZ zZd!#p!23eB=qu82M)>Aoo?Nf7zqo9K;g`cqGlUXiVR78bwH>twm*l@$zEFR;v%dS( z%9AfQ8`nQB?e;e}cG?}*HB_h9%QS(}ytmM+MMQJAP+Pjcb;*K&RIYEzC9IXZ{O&iU zBh@oUs!#S;9z0X8?B97#R0!9v%*fRirw-3ZCA7oQ znxAt{rBs4iyZT!STiSh`ql@c`H&5{T)XAC(e67iQ!+qKrC{syX4Kl3pfCm)B9>_)N(i#)ybc5>p(&E2355Ifb6ILe;~UV>)hcJB z%*JxgH0j^)Pr|wcu(7OLD#^@}8-sJ!QH&5%(T#p(oy}*%@o$=ZQ(nu|hU`!(@%!cj zP8su!L=p>`Z3cE~qi?%68fn3qj5woGNyf7A$2}(39Ho&;78t-3n}LRWg(#Ft<`dp{ zQ^3_eE0q{*fJu+i_9ZC-VS>N}Vi*J=rYKQq-|GFFeNu`n2@!@gW&w>E#FDLTIN^gv z&dLoD3;-mCfME!h0RSUBOx2elF(xSj6BJ?*Ln68f0ho{=0w9{ENB~%hWLXG+kk~JB z%}psbBlnx3a^|#P=bFHnzzl&ACDgev1qe(qZ5&MxX&j)1`xR`5-EZ|OwO>6o>yPm> z!~k@Fhn-$kzUY}QT@mY01fU^_+QF6v0L5%m;J3Nx6X;G9pa_H*FoqiS1SCijvNU2K z0FWSC$eDpK5OAZ~Xw;|gOEN59-|CXLqUwP(~WKOK!) zdVk?g6;s(Mj+c{AFvw#S(*^DkmNp>_+=1qF&oYUyUhmC}mIj`U6_mmGDJsjzIH-M5 zjbO6vkn*&FX;rU12q*)0)&qjFz)EwH$jn6LE<)s)rp#<)At-#i`3)*hCN$N8CA6h# zr*iJ3V#?<4rZsa(w*{m6WP)S4S$lGPkzjJB<7f)11kb7+f!0huOea`3mz;{pI^LwP zP;lC;Z%dAFbb{w+%q~{e5(X0&3vOv2iAx2ivozaVj0`9RE69b-NCmrWo%6enMl+Su zaZ;MbkA`%9Z7;DE=P_sZrV=B>f?+Qz*SyE#Rd@A*J!us^(=Qopn6~!k09n+{VZ$Hn z{C$+w#Z6jQUj`}E|MwK^oiBvtDiD>ax_OYgrZ5mUgW1W=i59p0+o77p)jh}Czv?fy zw|{v`mutuFEMH!~sI0wtP`P(IU4Qs&?bh0d^=qZ8>n)NJSHE~_>16Hsd5O99`lHIM zUi!3jrSxKT$2Y>esGL32t$)yzj@5VET)R+uzVuErxqfElYVH2#<#$^*CvrT|oGJle z5k*i4Q$$Nvc$CU9W(b-^Gynua0v0ov;))z|B#fKwqw> z)-OK#!~c{PzuatGIh6ROJ*}viI8V>Gc6xi`!>-!Nef8(3mQFSHK3`faU#LHS_xIJ8 zOS{7LQ}33Zt$nP$cq=SxOae?G7E%LllHzHh-WRc~lj*_EQM}I2KNy(r7 z{Qq9qZ@AJ&p5V$f@uD-=cbu6rt#9Mq7FONhDcm%5m{O$H=Sb0s!2&}Tp13Jbw&(cT z;xDSVZV6vtiFo8msl-&6ak%U~T}^TI6%P~UT+Qg| zUWm`3sx6tg+uOrX{j0hxSswr@orw9iuAOz(kGx*LZL6Q!x3aDB{!;n%%G>2_tNThP ze_ndE_EEBR43p|o>YOTpGtqHu7?$6sD=5**Itg zzFJOz`AVzV_nYFTbn(uv_l(SLlS*<^bd<)7i*|9R7=ww;EjyhnrO>r|(SZ zd|k4CvB?DrHkz1TFetoA%d~-XEC|{o{oBgnJ+-svsynZhF4QiZZ`}Q`cDr%&c>VH& z5$5so<>6+6(TpNVhDOsQi<9! zq6Jc9y!)HUnG_~hIBgx>^bqdB2z8UbaD>t=%>D!oG3XvzuvryY@Fjlyu)~;N zzWa~AEZ-VYmfx#V=NI}jwxsQ9=u3u#2cpL3W92i`^)ve_@1L!HF6~}FIHC~NugELB zIRM#6)HtNO7&J__SK(fvev?MV`AIRE&j0MFuM{4FZXOw74FdRsekH%glLqf}AdmC0 z{z9yi#wZz{6Rzct7gukQ{eR&iX7$#rc20PN92o~e?G4Q<{rp+N;`7@z^8_z#E}kfO zj9!I&)Q~V`Cbh_EkEs$NslU5t!n7W%Vb-BY#GN{If36B+P!Cg)$*4gvXODUL zPJQQt)vJ~JR~wIC{Fh-wNm2ePNz1!ZT84B%2x<2;)4eoml0v;O-rfTL`p#pdox(=k z`q%Qi)m^m*pRLtT_e&SIj;;^h+BEb$nXI0cy zhdN)qbXqf2dG>bcYW2yj#^Lv-`u+AhK3Lzf~FCPFaQJ=CsvRA z3}zMN+!8DneVC#0K7U>1@D+j?^W-P9(qk7B6-sU^MAqiszf zf-JUq0%X#i-HVpl%)!JgFY|!Xpr0v(I)heME%i?Q%B$%At{<;n-M;o=>2{!Tb$eyU z-O7jr+UH=Vj58tfeBKO$~FOML=gla2r&jNNwbh5L7VF~3in7741^>k00IO_ zF%XJqs6vJ!0Yr%H#a;*Anfa-qqG6E61cOh3PHXGnOde-IS48uA1D?e1_Ov_t{NGcCoFxh(K!CHdVSa0 ztJ=}K%MZSWfgbaS^$dokFd*qR2UVbF5P(7?qyalHte|w>wAm#KVP79zJ#FLq(an>{d%nX+7J22!Vf7z=UOV-vw*6K8$z_Rm z?NIf^@!GBPrr2NBdtrN5pJ*yqx7YU{l`fxOei{5-ezFyxrx2^Q~%ZG1k*It<$@9wO; z+ZtWHUETg5vHZa`jNQF4NU;F0G$l9|OhB5(G=o@LoZn5;2mnluHz~3hk}O3K3NIj-HwErKde09$m=t{B%V&64Hq;a)$DZrwsndu8YrE zAQID^A!{6x=A5##!#b3s8SZkPwR{ivJMsCgebb@~+UQ&|M&CO^G-w0MlXXTYu8w1{?(k52=oM54& z$f)vERG6JvJ@M)Pe7RlQd*52RKG%4BpUADgs2+P~Z`{4=XpwQP zG{lLThM7>ootd+x`q`Rtj|f{+t)tz}WH{YTkY@~D0nTOt#N8+!VM$@;=F)Z^Rnwo$ zhBO{uA5~LT@Y6HK4pGyn{-(P$ZS9qEUMnPz1%STb9ZKe$G^wQ$b%@D%T1PKhLMpKZ zgYsOo=Y$}vH;K!(lo(ttifm!gO+nok|c{DVCjv#HhiC^_FSrv z@^rg$`w$}*wzpu3?FoOXn6TvJI%<;QJe9N;6f%bUn9||o+|Pte6zTKEWZXwoHhn6i z79yZ#?VDkr0tcH`*tDAVr8z?a>LPT$h05qi9o2=a~HznNNz`PvW7fjp^ zmzq{``!Gx4jrQDBp%9ga8QfG1W22BC(DCHBl-KLIi5u=qh`G&Mj_-^x^?P`BgHbt}~K-#3m zkXMm$bQ79+EU-?(+)3h6Mi+`ck1ISrXVfzrQgjdvf~---QJiJw+wl;F@J3;0+gg}1 zIvsCEF6J;s+h!6ci?(W9oGcoPbe;AArfAlg@MY;ukVPFGzrAgBgWGF}7JWVlWO~k> zruof|{FJMg*sQrJrz|>xFxm_Z*VgBq3&?#_x-MOllJ}7{w~$+YdbZ};$=cn0s~;Md zj{drSaBunG+TPmU>nqRKPAwf=+m~-YR6G6Qzh}zN%a5vi-`02S`SJ6IKh=+)tUWnb ze)r{b`8Sbo;Nw|b^_<%inseZQ)ldQyFS zX?bUP+sc{Bk!>sYasANswcCj?$evrbetA)Qb8q?WKkG+6+Ra4e@$-e+ouOP$-Za{o ze;F3D42x)lScDK{DKOUjO9P6948sBjkPuKbq>(V)lWLMPIu2ML+q0#K+u}-MOKL$o z6VkebxSpHgZMH944Qn#u9+Ru7sXsYe+qu7VY-07L07vtEv!eG7uJJp|`&#hfApRMjc5U$?8_M7tS|7}0Rhigr6#Lgxp(CxE! zFB~vZG!}b>^RZdFoK&I*NoB56c0jF^O0aG&!YI;i^SnqcgmZA-#kD^qn?5Ru2kcK$ zG@vLTW`E<#kssea`L=TSWm ze;O{GTt8NRQhT`9yMC;8=1FDOCl0@t`p@xuyLB=W#wb&pbXf-%huLcrUl!|UA93yo z0r#>RbzX1ye@`YB;zzmSc3WO5anD<{L};2++KtX0*K-J0kLuwzhSIn|qDL6`R|&LA zKHaQW3Esc2J*r+j!@DcYe2bI88D|hV2Q&AG*m(Y;vF}*@@srxUx1|f^ zPfLd!rFUZ#=gCg%U%di#tFfW#`y#>lFt^YB&C~%32p`y6-rJ@CDx?VYBr>T zDI4crChBx0^Z~?3C251MgVPZMM#qxMH0koHdYa&Rja;ki9DxpjRL{*9iD36iVN8T) zwBPhq-&dH5q!liUL+=zcSM|tMPp$@O^n+J^glhH(2`g%kq=8`>6D}KM&v#%wWz()-POay!rf>#>;($ zZ!4EBtZ!4-&%afUs4$ntrL;r~{v4mYBd3gZ6ZZS3i@apGkjji`=@Cc3IX}8tN8;!w zXvKM9e(L)D+Ue6HK0M=LG%jAsR6Y#*3vkR)a7M5U&-%&r?UlpVE3e)(uD%~pSX?%w zS^K=6q*JKnrltwGSMx8nIV%u+{mS7R>-R@>W_jA@=d&gX28}D6AFz^O5vwPEUb^3S zbxK;g`s1hbjVrrH6qkaDc{1XY^AdeXi(FGI?l00CP@9B%(!u2;jcaFqQ@UTj{jPfD z=JKt|;ropTN7tTJ4_vK1y{lc@v3jw5x%_Ix+sxvWHl`?!nl}iGRKilOKq%#xkLVdr z4+TeejN*LMGuOR}D{>B}smF~7*n&R=(~}I?(-}Du9{txJe7k;W^?mi=k;?5$^*7tU zJfIq{Pc)vN_|y6cZSec`%fG5!xIU^b2YTwHIVxCM?bGew$&GJ8dbL-d3AD5mt_J15vTG-@D&k!Cyxy2Sj{0a?{>HfEJA*(Vli*5RZStdLa zzFG8CAKi;c?N`P|Hz)H?&{|}6)10t*mM;72*YBCkl_R?=ryo^z9|Ql?SMT1h96qA2 z-8)~uckFvh`NIg?7|4;7BcQ}mNrvX6SfEsr59)(1ZllT~sU&KiiPJ)+jwHY7J7A@P zQb{ovG#GRnRp7Gdtjc*JEtMpuJR5F?e=?PqO1zr5cLe3AwcoNS&JjTjaE_XhYe!Lz zh^B_E8SA7^s`*VOp@0^e+hMLvXAu%O26hy^0V0yFT=7^s1a`a+voRdecyQwU|hwqx~7 zecOrh({EP~SMDs9b}b!{Iqg~zZA{_{P>=(mu@8bAY79t9eR2#i61aHNFWNC&b z``br6PTSi7c!lxp(^zTawGmHT&kqW3FMr1~Ub`9bZ zGuqx6F*C~^pJtw>X=Y}ghH08Ur;F=4EV_&LlsHqFlB%ce_rLRDx+0Vr48Mqcp5Fs0 zN=O|KP#7d|1o~R<(NPu0mU#~{QN{sGGq^U7{CII+gt(J zXxOL4GKv_c_X+Eh<>`n==`yO6qwf`DCIP7V>fP3dYoA{HVRh%)m4BpMS^MMV|28$B zUu-`-{Oi?+?On%z)job8{x6|F51v>$*!z<$Hun4aqic;HcZ*l9*593MoV)xlOW)JY z%X|KiTYdKR;30n~u=w`VlWi-{R<14XS-#M`b@cB)-S16};g{Bt9e?ntb?wscC4X3a z2V0lEZ=5*w%XH)T&F0H%zwWi|RzT_bRw+Xo^=}n-8SU&#QN846Gcg5E7M-x`k?f}|*#0^B)l6rR2cwab!cO<#os$ck}I!R}!tA7;WBX9~A> zJTta09dF%#-gvzuvVN+u{o3;0_VZhl)_DwKn;RuV@vieY4gm@JyA+@F0|6kU5$L@? zb*0B>ioz)zLV_kql0*!@@F5~`0*4gc z?8cS9j${)H6K*d%7v*>!p@fwK`*(Pvq#|KjD0e{NBd!zhN<|j4S<2(y6F~R8+=KJ^ z7ZStZ?3D32X2cz8&waqpa+{DhOX!Fv=oz}E8Q}v|!Wm6Msp)^0nVB;l(pj*D>d=GC z6xz7eo2n3lwM39J?h0#@h+Fwm+RDVFJT1U=n~;b8axFO81wF_9TkL_5JZ-PxoMO1N zs-M#dSxjcH0w-S=NO4_!%ba}&2&dvXI+C#^?Xz|QWm0GiZrAi~P)DWeGN=CWsLP8c zbi$0sYmK+6*Y&TJCY-R<)$X@XfdjUh7D}Rbv@RAkTA4(Zj=Ft(=j(01O0Mt!i(J-z zbAS2l%IU`W>$3K#Cyu52>yI^!yH~b-F*ds`VISV{cX!1SlN!2m?e2)$$k2J>U`xDk zTeYqE-ShQR^~=XszOUap-|skqVFAcPLPPk862ZI7S7^}wUZmWS3j(s`o+qb z`hy>TDQwyR8d4O2(KxSoHz05VCuocoJe~jokq8HHChhL|%`+xR!j5H05eyD`GUsE* z6N&%?BFGVWk4)TvK8HM=Noq*HQn3GMNFxl;LISz-I7V)kV@x17E8KUEoR`&ig>*?u zu~TJmg28EK;DCOhmh^V@C1@Sq+kSF)?ZTgze*i1j7N0eK+BwNIWk`}_s6M56j66w` zBtsAcLPECb=J-Vrqh~Ws34|jI5IDeb8qqYudtbuF$s&kA41isb-!v|@r6QMRUA@x{ zn-YEH@W$iD$34H|c`Kih1%rGqwe}qP_r|p+ruDt8`$uZTr$g`=G!EYLv<`mPe0}jBDz|-T^^Bx>f8X+r zK~#JD{$H-Xpv|e>TPp|DakJKfsb@k@9l`GBjmsaln_S4v&lF( zgKthw3U01H7$Cc1Zd*Q|&NDPl5(I?{T|#cIkbuU!)D6}e;G)tpAiNHgRB_fikdA1* zZa*vS1jsq^5oW^lCJ7pm49@UgFw)d!3jiogj0TV(0M+yPGL5W4V>FIqXmhn75JLeZ zAbgE*g1{M!OMqb=G#&29#G_{Y><7j|cL> z)l02YSL#RZFFvThJhFPLe*N(uM$+eq!t?1<%Yce-Sixvy_gvQj_>Lay(g9P&$iw57 zL=vGPi`%X!ZIQxV_F76lmW`^X)$v4;%8t8wnu)@_FnX@&){?+0zW&-e3w^slm%}oe zO7^iF6G_~j5qo>Oa%TOg++KY$D2E|eRamr)d16@#YJ*ZQ zv7j;W=$uqr6(Hwp3#37vcGMK^L6nh)o1Y8jP5iX{*5kA5JJ(*U-&59aTwHwIxOyVP z;_2J7&T=8>#3~%7zRlC|JkjClW1);*I+2G@$rNR=C>8IHd0#dx7A4`)y;VJ;>{a_#ajcpU)PBB(Ib`-Nu=>l6-XFnq+McrNGERQ|Xh2Xj1u%k-%umobgCGfd zzSR0=o6O5kEY7%c3Hw5#ko89liLZusTU>8KBdKnl8F2!m0Af@67f;l0y!-TEfw$VGQV= z0mrO4h#=0;h{8Ff{z6Hv9+QxUQL!jsiIToTd9#2PLM*c9J6)qRXk4neSmct%D?GB% z223dym8>yOB_4CKy#;7N(Hn`1MRt8Ptgu7lX4QiJfHp3j&0PSFK?*<;Zk|VJfMYZX zh1>$WJ;E)h{X{wk@2L>+f%UV->d)z2RPY-MhxyZ z&s01_BO6TI`0 zh7=?jNO5(j2{6GKK+x^b$+G;e08B%3(UC8j{ju;cB390RQ6~YllFuJyS(r|2x|aZ} zvY?|=zW!yy1XlrlT0hHC058{n_;ZHm*PfREEQxdizjjFGp{$Sp=Pu?qqD=N~&AQ3K zo*u=3q^^-VEQL_bTFfo^C6h#I4m_7d<2FJ-{Nb>X6dr8ys)O zdI`S`mNRTt+Tt@AD(RNQZ%l;X}!6$cA|Oe z$JW_Hjcez+CdVk}-`_a0qxIo*konW<gZf>ap_DcfVP^SHFF4{l!j#UeujBiP;nIyjBqNtu`m0mzC#RQhu03g8dfqyAbNzl$wtNCDAIJaNIQV{qXpW{6%|Dl% z-FYpT@&|_>AUhq=x$+sOX6UQNvP8~Lr>vj4h^?I*`H7eRr%DlS7dP3MJRZ|0U0Hs5 zoniUr-`cOwukBhq*4}&X5ABa<|Fe1Xnkk^0l9vJ3vcl;yD`={j6wdxg>hp=`DF`rv z#8B@7?4M2F*OcsjM@~ZVHpKFW%G}B|?kkmSl=o>+Km4ZtY-el#sg)D;T^Bc|N#+H) z2?upi6>rMh{+OHpm${{P%kNqTcDDEIsK5NKee~_0+YhczlbTX!!xB~mELi^E^ff>! zw6VNcl<+2S@~iQuxvm4`d4qo>s2Eiz(^ssOVTb-)#{v?K#UG8PS%n>TjkY3Fe%gN^GM#Q@9{hQ2|Hk?HyS*!S8aE%d?jEb} ze#5L?YrXn7LzZT>g%d-V)nPn0UXY4H%aY|{tvC;75yG}$*(3x*eMZ(&T{TcSC0FAc zrvRX6gi)Wp2z)+&mgE=YnyNvTSD08~c2hEdOiL`Pj5o~9&t1?3s<7l#TKMPs)Qk;2 zNhzbF*;1RB7cXT?+`MeYsI%gf@#eF7sd4jm>;CSwE3onWr;U5-J65l+ziOPkvwXd^ z>-hgnDTGw6We;M5(#P1{{sNw1Mcb4Cv#vik1(gmZvcMo4=P^hF&HH-^^H3 z)9J@a)z6$wFkg;VL;M1-t|?<`=ohIQ)+dW()SbXtk*>Tak_sl&@@Y+03yDQ)O(J5i z#4z(#b$AZ4K~NaOKeQ^VKKw+vJN+o8NtG-aNZ>*4#Svymk3pWlGg^ zHDuO?#(4MnBtHjUzWze{8=`skdi%rUY3(pKCl>j0p3zm#LfKqm5f$-|xPcLg+!3)T zP}PG81Id&v`V50mFfmZUpBEvuH$o2R^sI4ZRtS0L_~%+3lehVh*J%}U^Rsb&)2Z@nNkuGlLzISGZ)(VJ}Z~mn6+fM?z++#%!#9F*Ap$*#v6eKDo2K z<2|!}#F47MJk@;v^l#&D`!rFK4ts>`hS$#;chA>%o&RO~{P*qKw*xaYpw7mLU@d%t zW@NR{#}V}ZtLaOGq9zs@td+PwHQrvVCiaE={B}#mt_)Ki6UT6wXF9M&vZu80B`lZe zjsXS@F=21ihsGT3e2#4-sQ`b7cM00q+rEEs<3{W39cAO{S*(5le<8NvnI> zdIcyVE*4Sg9HSpKsg#6UVRNcvVX??kAjnZ!Q@`F^b=$-ui_L2^R%*B|%C`zJF|L0A z0ON80g3c4LsZ(N+(oA?a7fGF29?FSD*`MVUpm)K;@(F-<&bTa}0C)! z1pqWT<`h5=0#T<}WODenE>T)2*@$EaD=ULvQbRPZ4;7&-YAA(eI7|7-%XlaA>laJ_ zvl%;o#)~q8-`1gKvY0W+&i@VNa@VIeLt9egBpIuVTpc2nLAB4wOn#41*k@#pjc#jEsc zbL6+$^wKz`(pzV3d2Kin@eka#O=$U1CyPCo4_GB7T;mzpF_n1#@IOi4kz7c2K`R2} z80ZvMiJX*ssyz1E7%#`8q$lRR;H}k!Qkj&u46{kq5}Rsz37pAE`MbkVD2X03sN}LH z0&<3r74)CW=l?TNe|xKOa7Sz3`PTVE_18asy>@5g${#I_+piQ~!sSNVFcJtV++kZv zt?OH40!*7^m`Ws!1%RR9IimZ`Jy1wkh~ZsC_xnj%&S2woqK(sk|MBM1sZTdQJ#1cn zZ2x_Kj0@3mAjByIC`eKWl89s|{PWmEDt)Y)Daq86t7xM$UJP++S7dy$tUAo8o}Q_N zrDN6G_M6s)hs*Dl_D^%JK~M-$1YjUyNJP*~2eq?R*BSx4CTQ2$yG7%3qCq1FaU2RU zkSGigXwz~XtTcTblv%4Ss;xwKMDWwBVJJ4>Q+L|QRVvz9$s5u#TmLxQZ=lx2_sw0~ z*N(1!zkXXUPc?toyK-w``M`fQzdyS8aP9i?>(286d=_GJC}3F6QQWvNAVc6dqJ^l| z0H;X+0Gy4Gga{lX7zW`uq6kPs2IqH|04M^3kR-rRAG53?Je871U(|dKD`}1#dWKH> z(gJ-80VGM1WO^*A@xDb6&@>IvSl`x!`&7w7A&N!eNX`#gsm|koKokif#p&1P_fJci z=B@{;JCEy=ESnKkewF_&P9o}BE zZNW9EED4_; z)ek;z-P+f<^l{}CY(2ZNw6pd8#N31h9tRYOLkRhWUjd{$zCakE1%ak$k_JT2ZAIgQLz>*B`7 z5&z34qQ1t#`|WpE%PY@X?;edLTyg`Kal!5G>9Y4>{kCEhk{X?-Y8s92Li?c&^F?$@ zX^ESERu>=yO7Po}EcFSEAzIY3GgKAEGXlOGha;8sYHBDwBa zCsj?cPbywg*x;YUIK;^DFsX}Yk+t{vX+}0r7SRToyFY^_a(SY*vdLB(IehR` zFjP&JwJI23<1J&Rv083T<}x1Zt`)*`9+xX3#OI0U^=W%8=HN>~I7?dMRDZ=+=3%Ch zY}wgyG|ii>m-p>y45BbEmuBV2;`Y|Lr+=+qfAH^(pj7?)-xVg z);so$&Lxkf3mPr!N#EFGWCG8Zih^7iYfWEF#Yc5xyA?CqW~HyFyxy&_S9<>vRjimY zQrTWGWY?Dnvg2)Je3M5cLDCrPu;Io5^AthSB!l&pJA3=P)x!^%pJS-GuZFw1WhAM5 z8HTz`&_Ijwbg;SOU2E^I=KjNf&6zhIeLW(KZbuRI6rWjq%fMq_?RRBFeF1#2uJ)}5)#o2g^?sR1C@kE zIDsLIq$rYxG>$-5<&1mG#StWEh)6D#1Ol2(C1Ia24H44q8rmf_A%@7{zIh7-kvWFV zu{H(1kcec;tIX)7-G!G;4@qeiwcM~*c^D!UJI~KOib%#U@LQK4q69TYso;O4Q}{yn za;!&1@I@lNay4Tf#C1}UmjOWym?WbNk(xz5J3$24Lbmy2^?Zt!YY?F@5X4o8Wap8Gz5z~KEv&h8Eu{ev{*Ovb`V16M9= zjpowdU?%chl7D}HcIox%!TP!H|J}6M*Pd+Ldtz+v+tCS)a#vb6_t&rQUfb2U^s*OI zzk7G_Nbm35%8PH;_crc5-Z=G}WaHHPjU$oOr~kQe((jo{PHCJxYOLQozBO73O+$vl zF@OL?;uNCLY`ZK;5CmW_ngR%;DH5ajH7W6qJLc|Y)78{su}(S{oL%yVjE{7}rMJw@ ziAA;Uxl|!B#A^|;D3`2GrKb!!k&mB}av{~s1eJeVe7L?xn4yvg=K95*7X?G1puZp% zt>5}}>&)rK#cS@h)9Z&-tM4t#XIdZM|DnD2jgo91Isa8}lb{Tn^Kt}wNpxif`-u*( zZ77l?z^08z5jX=WieQG<1~yqduP9_}p^*}-z5d_d;|m)H*3U0rU;9bd&oCK7nP`EP zXZ!rK=Jvgs=G#l_9~O6u8++e09)8bXig_Fn3=VM`M>s}8h9WytxmOIC0Sj9fw3O{j z@OBI+6DrBgdcu=3jUYrl@;I5vcytn@Sd{8tdxU^TEQ0!UqEslRN=X6LNWVQqI8>tq zABb(5dx+?G1{vk|%ma!+IKq1(x;zA*`l<8E)%_dC*3YfpU%%S8eq?!HGx>AQze7IBJ(h(a_&U|il5PU8?#Sm#v5 z+pPB(ul3|ExY)KKo7U`GLiUjgx1a_usF*`b+!W+kfM2;l{b|zpejt zxq0JF^Xi56!|ifzW9wbPD1S>YooMYpwtixp`LAoc{?+}b`jMX^Bg`rCpU<3{2uC*L zv!hV4k%@fvMf=Q6>FU|~)ARLRmz#T!way-E+}UkgI@~_6uW{(Rm6P?82SV)=)1-eC z=6u5A^qaJHoSVBpkqazPG5-ADe82Rdz3X)2{b_pXVR>a5S*VtmLRQ3r$^a$omJr~O zsq<7BSIVuZmgjGa`K1Hyz?A&$L`sRstjWgabS0BGUBM(~9qQvI2hd2s(13xU|MB#n zPwh%tyu8(2yS4gw>EXt`_1(dhd#x)so7W!yc1rEjX$xRQnAMRq84ubWD5SOrSwF>c z#=I>!Q_m!$t^{upH=dyC`m41a|5f|l>Q&#@Yx^4~J}$mqI^KA5YV{Gj1q70=x|IB# zy|&|DmUpe*YrH(5Y@Ir|a;m=lK)`xp>gY$ zdHqcL$cOs*hlSRM$L)8=|7Yc0^WyF)ZJKe#S>Xg^5AX!ZEs8v;4qN=L~`g3+f~adU1q??RqRffQ$H8OP~LWKM~rkPe7NNS~LCG9sOn zjvy;ykvbjex2F(Hx#018!_}y35P`~rKdt)yH;YN?se`{l!?>(Ws#b^mf%3?m!Xyav zc;y!GY(Oj`v89{8TYLTu_;vc*`pbi@>)U66^UD?ES*fErfoz=FwS$dwm)0-TPaa%<8E+iC zw|cqxVo&?vgXPQ3J6D&_|7~dxw_1E`0NN6@xlmFpO4vavm{MnPf$8TmHx{aP9Qj-|r&6Fb>rX$d zKAoYDSPY8}IYo+R+?+TfH(qd71xqYFFZZaDRWf28s!_4&6|rc(%&{NZ#(-Z)JOZM=G z63$$}UlWUBn&6igeC%GcvB({;<9T=*xr4xGBzMrv7`J0?PAqcz-L}msnp-Hy^<-Qu z^0-NDc?(<*w)!Jx@#II86>)u9HxiUvza$Z)x7>7ZnUbc-+z%eEM^8c~Ud_!8Z}+Pz znz$aP$06F|Aa~m1j&^6O0Ma|3DFj?&3C#dC&yV}89T#{kh6n|il)W=oGJIC&L z2&sk?F;IJ=|G3Apm2_Pb95?~a=kOaoyKtLT5P$Y#Y z0?@;cRdZ67<(PhF)@yR-O-_q`LeChyc~5_|_QrL_5o2Yb zl5sky_3+WBo2s=3Yx`Dqw{|>|FYnxVIH`+BjKC00(7b5Wc@o1Zl7^U27Xd^w5YP-h z6B?DE0Ru=3F@Quk4iKdHwKL%6I3`HY`6e_Co^I?~=^S{saqZ%-8}F~L-)-;tA;R-k zl+2}_QkjbH-KD)72U{=qZk(6~WcS#Np$Q@xNJu4P?U`-$#?muG`^LwuBg}^z*HnnP zfAH7JvF6K*^J@>AhxV?XUwN?h{@3fb*UmH^9>)9Z7Pdgfw%>eX__lFnNAuME){9H+ z?=H2^?fmp?^;G@+!EL=IezJaJ&eV@xZeF{$dS?A)#Hpw(;R7filPun6AXelK+I=A(+i5I5mSW(raxd1f`DO=pnMKNGZ;ya zX&(^LnL*s%AZ03=Vtg1P)zkYXTefN|4+lQ{zk1G#^=RE+3At2S~ zhm1jW5KbV9fIZd;uj~42Rwc8B_k? zRAf3(7A@1!=>5CEp2UJTB0(5#!=?e!%@w1k%yiGtK!KYROp7 zwCtm28J0?77d@Lr8H}49qg*fu0ym{rhY31NAHukk1US7Utt>3%U z+WxM+WA{igQY9y3&3!&yks>)>C>fsWoM1)~^GYb48O)t0x_o3oFn5^N=!H<#+9aLg zygeJR+Tr9yR)=Hj&!hF@Cw}+G^>+i?W5HrmIx=?BZI~!Zpy6VzJrzdgb_js169GQ; zfsmB6DfvOw+kRzkUVN~Pg{)qPb=<&@f~#wcQ^%MceSCFH8%{c6iV4taxegemnE*D3 zi0LN^6i5g?X%mao_N1q~v`7{VVo}&{!!WhIJ3g#pQKA+FW;R6IYsV_aT3%`3fobz& zqD_vG(_Sx;1r^{?0_elEWyRhfm15qX){MO#lFF*7T*5airrN9A0;D?Wl+gTeQ3y6q zBV^aJRhWM-l`iq9{nh-W9?CBmL??`|NSiFBU%tj(>Xd@JG3gRi=;^i8JgtBMQ@&qG*w0gX=ZrdktAI%#V}}IK*+Pe?}1<8^Cl#T?C@brrW7~1z9gantvmj^nZUIi6 zH1_YKdo7+b)bg2;s7|xntp&+2uIs;BF&RSLb)D6-U6azB0_$84_CVB-i=wUteP0U1 zJc>)sEdB7C(8|rP_?hP;$Nc7p4@*y5+n@hO>)M_6ol}=`XFf`$ZkI z#tDjs7{nln6Et9OtV8LTzB6r}zzK?>XabRlATb7`C;G+r%7ZEurDUvP5ejhp;xhw; za`$R#6roIXnC)HkuSrX#7eK~u$G7Ysp9?_lhX<_R+3?59?|sdex0fHZZamcUfRMYX z3ZRgi$FKO7PHj9;7MCulnirlge(b}511tn^^UjYe9|aJ<6uD`)F$mENz#st$NDmRe z5ojkq59})hRVA_hWylC}>_F?~59@nZcNUu0UNrYyX+1s>?So|4pQ-0XdI}+LNjV5F z1j&#sSy+&}WW&taUuOM;)PST>cOfPfiwaeHvQ$>Zbpp6o1)-vodc5c zg}kmEXdXTA2XUpo?^5gG2XlMh_NDi!_V%6r_O;tw^s9p(`r6!nYXs^_{WGAhLvN4+ zR0Itfk|YqA<>7gVK^j7=uN3>GK$xOG{`voZFY=Rd9mtFHu2J{7qq8Kwa%A=P%DGPu z>gRW_Jj%82-fHi>s9ZXob1$re-KWu=c4D2wqM za^+U@$Nf67EWWY3{pL#Z_?;OFFb38MROGr)RL6J2F-XRr8Al113T0w7IX&t@LI5&&tfSFr- zKE#bWyFjPJqKr%fNGt1?q+KBvEmSLkXwHQx$6JZj&f!eKVHyeRM*gN`Nz+1MICog< zu1g*Xmi@Vsma~jOtmE7Z{)|=Z^AWf)za->Aj!|&k2t4f8_S~3`N1h+@Z?E4uZuv9{ z#N&lU(>0%wng*z;M8_Et*yfu{}8@8(q!NZuT_{iXT()%vxRbDH2v$q%YAfK^$M8a6{9I3@~#k(pRh z%A50V>pxy-?K(OoTZ=5u@4Z*2{U@uC#i*e&aG+yxzX?an7}IsrmGAefv@Wl(rmo z%-YMu=~QX6lCX|{Y;4ha|>QG5OD(e=l_U%KDAe|g$)soIg+nAfqF z|FmgBuO;O9!QU0LCodm_G<;nd!{S6B|9=5^&ZOi4m&#l=32b@W{@6V8GO>E;KUQBY zUR>NM-!{XpSBP*Tigd-pjq>O4Qq~hxjTg!6bmX+O&?dgIeQDSF`)X_ZlYedRIP~v$ z{nCd|4`wJ7O!z(86em&z)n=|i>2sG$#q%OXbtGWkB*mhXQE6Z&Z!aXAcDY!D#Q`y*@5AO#f~pd^xngGoMInfx-ctP! znn%e%EM4&lF)JL=t@>47U?xJOc|Dz&?qZw;;AMOOOYXY zXe6c>_e3Y1WQO+yLKb|$Xa}Q;YM>f62V!`|gS*wEIh9M9pr*n<1uR)YOV&uv6qpB) zq5wAV-TKe9<$b&x_*BWQLb51DtQaP%U{rcmR9chqTI4A>W;?ifGcC6Fob^q!>LNx~ zSeA!5x!RI5C8AN*4=EMl%cdo9vz?oJQ12BWZeCeBwf185u)1~oBlGFjLhHcg^+VH4 zJX=~V^*ME75fP_H<(#50tBN~gB_(Cnh(#G6miJ^wel7x-CZvQ|i4n=!mF zS}}=O4UT4tjMqm6G*?DkMqEX#KR#P-@GDv_>rQ zYCM%u{;ce^bwUz6U*4zEdj~A~meq1}Td~a!*%xlQa7>Z6QE6zw0 z(;6FNLTa%{A-5`6j8Az&EFy|H?UfUwQ=sIL`J)!GC>6{~T!8`UmG6|2uGOMyQaPNS zc8fWo(@9+(Kbw;k^y*A{1D!RRY$IH(if=TKDhxvNB3vJikNlWRFQ}DL z!^i`+LM>;SNagCZ(#%Y*RQJNG=QlJlnaP!KcK^xP9W{G|OX|Xt3RNMk^(mYRs3{{` zC(;L0Ql(^E$S0DII+Z;PSMMuZP3lh%!?O#?(2-Kfn_iHz45Ojj7m)x>YMP3S(_}+K z({IF6aK3*FF|&>gR`J>FBlB^JkW9fObwH!9f2y6JB;!_SJ;iu}Q}aw^LdE+XVA5my zYIOm(ke1O-s2Xdo&*=m;o{4gbA)g>7G`;!fAe!TA{W-30<*BXj^~8XJ(%ENi{(L2m zr4$2R?1bjm7JRs$;8Z)z&^F0Vb0P%N3Ezc7~2ENV(Ml#(&>>19B{jJ;|F(JD&PlL}JHT9h)OE+WYp&0${_7-bfyn^c^n4|yv!7ZOUeM?cM)bR7pHV-(bFe_6WQxc}kL zOYfH6Ebm`GRNrxU?Z|(&&t7OhI&GavqR0Lohg?#~6~)NM5dYxF@JH1sQ`OVMP5eV7*Zz zO%tpvaGaoMnxgvmMEzD=`6ynxvvyVYi%vX0ZkL3J#BtC&UT~4?IHYLAz#c$_2f9m< z9WThi1>GK5qXk5vJb7+jz&}48R~o z_B2ZPx{XFOjz|iQ@r@&?Y*M((!mPfM5i~1VC8vv8hmIuHpD*rcUq8NhX6@kWp0(}F z(vi8w*$={fHV+7l03=4!fUnaK1ONwkuV#FF0}NpdK_E0!pCN{T1fT$eAsi7j0yKZ0 zK>%o+MBQ~|BB@lL2NIUDQQR5P3$sjpMBKupl8iKD_EbmT3+lq7!AMcB5TK(j{nXfV z^1n=()uZi$*O|t<)9aVoSH4rXzdQVkjr*;i9@uODNFAi|(w<+{&)#odJ?Z&o?atcu z(8k%{EPvPgnaxUF`S{J!fu$p@L$_CNx6bZgJy^f>rup#Q+SS1m%^P>|){nQFd+q|w z%8&l`;q#5}c8Hb^dV;@Ryp|OGskf+4=B~C6y>e-i|JAzvX8q8oS8E5BPORN*Zh!UH zm3PZ0{;l3~lPH929U63^cpVy`pb9B5-OO;@HVxvxMwgfe~&7yc>++$Dox^D`9*J#ANMl!-n;_Zym z9=ltv)lVetN)i^?0++Z;*@H=4UL9m->7i?Zgq=6X_TDp}u6=r161R3;8|3W`1|)jb zXlAuEGJ(#A1Xgy=WHG8&urn)$qV@`JUfaIexVCt*zUPOf55M0w$js!FMn3^)(#*lmv@O-9AfJ6=20I)A76;N*XOdeJ(xCoN+UkZbn5mP0^Jm}BWa`#3X^ zNi0(*oeZt2z>-*$E_APLLng7vYEi|LZ0>ME&*$}QOx#K0wvB|+#YDJgI*iLb;lAj| zzSfm!idM2gbB*;_N;UQr(v{t+N=cs^$!cy+D4&=nXU_!35}}|(;%7Z5#k6Bj#Ve^K z9XGI^E12b}u?N)^Npe9hNTg0Nh727lSPIHWE!v93YnU#5MvJ_HYNtG7hUw2^xeCJu5fea)G67cX%A=*4Kkr;<* zUCeX2rrpPNj4WqCv}GaH1t1T^qxXDzPQ^3A8dNw<;55Q%nwLyUVi?8H9dPHkEkn{6 zO+cKPL4%6K5QZR$BNAeOU;qyIxTFx^1VWI(I9%$KA{~qB3l={QrCJ}#2gIUCGRkI8 zlL3z;FBVlaCa-QmYX$D9VpH=ZA}K&ahQI(x0mO6(-@N>2GP?e>es!m~{o&Z^{l)zp z^4UC~XsYAE8)Fz8;S`OH^P)#dYkl$=2`NP27){{}Mq>m`pa}v~^Ei%?3<(*AqyYs8 ziUeKC5JMrFh8T`v7$OjfI(o+QqWR7CCm2X#48hO@NyBdPMbhY(~z%lV1crE2V}q1mrVI|zqI zUxU)pNQxy(i193h{X~p4KN^>=rIXDEuj+SSuO8YsE<8^tgfks4H@sq0G($ju0RhrA zq-X>wyu-Uj*3B;1^K2#_R>!!FHx%(o517>Ys=jH>Uj4T*H zs>iMz;a$UkQ)|e2bLB2@OPF~bg*_KJg1l>2wP3*pTC_am>m=?}WQm%#v;_ioy4L?} z)$125JQD79i+LE+>B&kc6Hitr^RK&Cy}dIQ9q>7$nV}FBhkUJ5V#ckpuX{VlL&1}EQ#P>TtWilx>CCg@lo2Q37D4Y& z+Wb!5>_5G&U$|&!y}W}pUtFKYF7vZO;fP1gijc&l7zYn7FbK>wy)~obFOhitz~Y;= z`-}T(tG8sW7k55AT|DLZ{p{_Xkx*U`b_X21sc-w^(*1%_JB_~teF{R#mIMk_^+tD; zn_D>_@s%lcg*P)zDBW7(v+-Rk?H~~!Vm^IwkA+28_jbwPA=%8Hr~9~cKrRrC0%>hnSAr^>%#K8 ze-E|xKWZHMq5bqF4F1LY|2n-s7AOhvqE=q9eh}asIXDqjf)n9@E{n%Ho-^YpNfJmP z@BgV^I?_J(<1aql`E>K^#T$+LSL?UVE$(UGI-sfFJhT3N^W(kt$sb!k{WwDrE0B!4 z;~H+e@bN$7wP>`W*0=*=QB~%unfzakzry8hxD3VkNYJ9v4cFg^gb%NBRB6mI^0zG& zBdtl>5PJV}`Bg#S67mk9UBBGCe{}WZf3$zRvHa9;@Xyeq?p$`3)>J}MkkW`nfkfFB zh~!znCA4BuDxF|+<*Iq6CKd&YE~hE#)!@?7cmuFnupp_G%7k$N3^{)+L^9du9}QV6 zB!OWV4SGJU|3Q<=<%^k1Li|TZ{na^xr}gw&^U=N46ODsA$KMxH?O8v$ysL5M`}M=^ zhi_do^pmH=RVkqsoLnysL89olnPwR1n9geRjD!`|ILys9)MeU8sAR#c;V(9#C0M~P z&`PbJE_}MPalL-|lB0R$P^xkCTK(|lztvwoX+FB&c)R!0ENg~dH_HImf=o^ zvL~W(yV=Y*quehR5wz1hWfVJ0)JUinOzBKz{_$K;JLG{NvU5f?U?>XF6hXp&7Th7Bx43%MXClEGs3SbRK7Lm_3=3H9>6r+Le7>z7_Go%b(3YrnfM zUVm4Aa&YlF6IeO&C&vs$$!2R+zji!VwaleaS(H|RjDOL3e(HaNOJ`Oe$=g5d+1NKj zPKAn#6Ju58;u9$+D&$ewl8xD_vg!0%Z+yZ^ozIwyb+&AN5t z>B{~oxu_Y9kA3M8D6oREs+XH7rdK6t18x4l+_*;voj7BsFGO2VtfitaL&sT0|+$$fMKx_B8zbzh`Qj|G@tz$b!l4G3kk=8X9 zoO#EPDD z*G{ePHmtsw!T7O)h(2!OL~1$V3i7Ar;qd~+H8rVOpimnJmfqDLz4fi%S%0|kuyN&M z{qD`+rzd}IJURO78OkO1$pI%yh62@+Ay}Tl#HCfE#+6^@81=D`FwAJuYEa^fS*~`P z5$f%=?_uNR$Hq@j9nJU0>PPOhPaG*P?{6L1(Y|)Jb@bK7{>G*KGqf0!B&&f~W}(P! zHg6%D@g(gsuA9k#rZ!$qt2$`%88v=#L7=p&2P`nVe&rYW#)HTH_Jvc+kLzzvwvOy* zJioQ^VCkoobIY^ntWu~DqY(E@(n~&cn}1YHGxy;X4xxJ*TZ(p0KpWskFx?4MzPFD&24WqA62w zjW&Li`J9&51Q*I&_Ps4?UNEYFBCoWE)e4@n%*@1(QX^M4BOPEXZngbokw8f@Yx66z zz=7iyo5yU`STxEo?wH;k=~yL&I5Owr5hu37Jz-5SrYb~AR&NA9t2aDZ8q+X^ss&4D z{M?}tu3}iAT3S$ge@>U!H9D)gO4W3H{o+az`7m18YUg;8Zc3R-lS+R&gU{MY;jE|Z zoZc@bPAfz-^0c!Mi--8SW@}u1OTgJ5Qj@s)J=7dO9bIaa8jV<9r*@XH;8#w4)Tm1rzE~;~gpF;A6%&AKh9#x_oo#aP!;`^;dUPOD7f@ zhfgi;URb~OC3x`>+XxO|UX;ius^P?Fgf(12DyR6r$jjxOiq&KF2d6hqY@94DAN*aeidru&^oOAkM;y=updd|SBmpS^iJsOY zA0>Y1W>28}1v#+AwGK>S<h032g*K{h)gFbpybK@R444+iZ` zOAJs~>2U*ixsWAie}m{Y&A^X+55z{0G)V!5;PTklo;3FyQ!iidL<>NnX^Nq69HV<` zR$SRMj3h~%AcWLDA%W2dqp{ftkQ9L-$dDAENDMMKqHun(PXq~yz{w7KzDFrkr$QBI z@y0)g%$`)u9qJP9NKYn_)U%21 z1&M^iYGn`x=*{Ng^ybFS=Bp2B?|-LSA098AleX@>_xx7X_+ek`_4UTl!|f~k+9zKL z_cXu|1#l9_dAaZN5QB(-04FJdo}Q-xM2H56oTaM?91t{tlNcfyh#-VGKi730kQl?z zB-J4fOcQigl#&@7=;z=JD_Htv3%BzgvC# z50!pyeY{$KvcGZcM*aPz#*asqp3e7vVl(O+_umYB>CcPS@3i0ES-b<6cGUM=Xk5C} zI(e>s@oekEhyOLT&R;{#_a8S-*ju;m4PNl;63Oz{ZPDRu0uK z9&Nn4xb#!&-SyVP?MpXJtv9#U_WZT|U{~wJE_3tTk;U7+=G_v*o}dv%Vu+wHoFZ@x zCuul*Xbh3e!X#4^4j=*;Nst81Fc{f6p>L65ugkjAc5@Z?6H>(>5*Y@6+QWjY5M;0p z&7Kxog#ZNs+?<+#y9_PBjPOE)LD@h{p}P(#No;VT)=gUzD=QZ`Yf$s(@d=v=fkCq4 z5`cG!0UbXF1b{+I48#}=(IhjQax~a%8XQA3LIk7{hBN&BH2_JII71);P2kgKqZMsU zTboFwU%lD7cD{9T$Huw(fvc-m*B^!cHl00R(|0?jCvltfk3FIGj67hnj{P1tK*B!q zh$K_Qa=^}&K6ZwstXmD}!KtshH-jA-&AiAKE5+g-Th34CxtAPz%uwhk)Nt-JVDCG8 z?-XbJoI{)jq-)xIF~&VshZDMzM7?05qCe;ShKD6FRgv%TmN#UI7CO1r!&|yinf1tK zDr#qNuBI+}p$_QMGN(QdIc?w$Y0FkRFWdmVGm1&u`3g36Mp^uB=|0webYuD8#)(-E zB~vZ(P~O8a#TBYlkzgh|NYXH`q91XJAakgxY~I8YV}-kiV;qbG)+R1 zpa_Np7=UEYndN64Cu~wq*@u@~LsJ~XNd}SQ-n0I;dTxE+?^bsGiTZQn(SdxV`P10} zB3JMTfgppE7=<%5AU6#p2BOb!m<7UgAXpB>1`!EMQZBqLpv@W};a!1XFbDuaL+-9% z5#AGIR+TMMi>O%J0%MSBYw4)6mS^Vxsg8|~VVn(OdHbZp2F4I1CFFkzP$a#%J@hPU z9ut(I5s48*&q2=A4FWP0h6sWr83_MB_TIC*jU&q&-`DySSkCTf_Su15RbACpjb~@~ zA;AO&fF!^G&d%S9&HEW%y8`7wlcC_?6pHP4lats10k>YU7X^0iiKw-bl@6o7|2c9k8N#EW# z_wCYc&YRkMRjE|U2|VFZp%03M+J}d^ic-~(!;Ay4NN!VLQYqL>%BAl9uZ7#G1Fsj( z4!n7hx^kjVlll5a>d;T=$Jdw6EFYggqS?I>ooi+i_0^cZNZ=?G_=1O(5^oSk7{_B+ zb)<1S>nO>k(3Zk^X3W>;nw+7!ij@H<5y;xos69_P1liiDOHe$<5W*9VP*_t@;t_#p zt?Qebr5G^GF+dT52y+-A$SKcK0bn6_;Auip>gm_%eUZYY1QpuG!dcIoTYpL3{UUwn z@ZWy><%d63YdVzxv_MP0>WklNknVvIr-ev=$9yB90I#i~-K<`;FMK`!)0$Sb_xgXP z&K>`I`rMP)ALoDcF8sK7ZsGA(GKi&r-tSwvw)j);{C9YK@zK(?<*VsO*E5$t50{d> zdA+)C;hW^am#OQQ{_D-JsiR-Gl4oBnoK#ebX!6$|Ge5paKDd>D7cYdEn*pv+TL6nPVr*n%2IX|C7D{c=7i9FPSsXtJEMRg0WH0;#7=@)nFYCm#{u!8b~2@@bh03wQWx8)b~|HkZM90Hh!m`4CZ zj4?tvC1jndkEy$s6i^dJ7{mnBvY0{206+k7l~Tad9_iHvyJ|~TIv8;bhOBTzZv!@M`V=O`f^5crW|nBKUOq z#?pcLWBKQ57bRs~zAZ666-|WlJ{>hlw_+WG28%c)Yn_3$_f)k{PE#gf zD07%Sc5!{(iF>22&i3hXS*gV8Y^NTvi`FPwsc$7cm@xA}$9g)^$Tic6T;UqKnjILz zoU9oG0n4!RfVHb@jHzS1|Zbu3=V{BUyaSo+vkrNeN1xOWN*BVl_&FQxkGu@6tT z_jgy4ef2~`vo3jY!y`_`@>0jn_b;AG-96QxdH6VU`GP%l=H&cma~Ct`Ze>3|St@@< z+trKcNOxUAHD7NBAS01nkd>@H{UF|}z&*xAyvn>|EBh8MS^q2f?9Tjm|HJiWemInQ zaw+}je&+gV83Wl^uhl{6VE0S~4VloBD6){5oKhMx39Fdj+7zo;;g%f*axatgtea=z z()L(oN!r?~k|ZXFCAquZV_Z$*u5j-#mQ2QcwH-dM&7Clqz18X6Lqmms@mJbcQ=N)DNQerQGLXAUrIH3oEeM1oyg-Cq zvh$1(HyDsI7t)Zq&uHltrG!Y1AeH3FbaDoy;g$WVqX*}Xzxg5ixHOS~@$ka-$Y45(ENc2oR*eii9DC6z7S)6pl5JG6D(Vn;;KU6N&_mAjT7b zIiANnVhWr{jB;zIPbgHdhmF%2Zeo{|PGYUUI=sTDM&&n|ot_@v?owbD6MHnOXiVp` ztxX}PM%AI?J&usDgtO5+3k`heW_Ug#v7bYz$+F5Fi2|4Cf%(oN1^g z*%(ETK(?l(0s%sTh(K~L2+SE5Fr)&4fJcc}ALBbe4UboXX)^}{D#4yQR$LK0AtGYe8Hks@~pV`^8YT~On&)Y_KQ8~bNjLv zFU{Rtz53?0W9jt&xAa|2UNTPL0m3NfBT$8&V4h+iAfUVi)sRDsQZCOM*JuqgiXcxo zOgUj~!tg9-bF0=X=$eLx5fLhg$uM7sm&|4#w}}08YAiTXKIrtCJKVfqnXgQ5NR$&g zdpDJyY*s%x;_Ho+ZkZ^s;tv=)dK#0IjW`CoiyC?znzE^g$2mG;!TH0soUJSpQDPY@ zzi%UjfDJ{KG7y|H0cXfJ%hgDeqqCY0v?=p31L3`;@ zE+@Ahj2E9s$;xzg=#M)4nX3id8x@}Hfd9`wH>HNy0 z^cU9`zQ`{hDNWgL&-edh?g7Z$I-B|Sb^6flF$R?=IEhLz5Ak6}ELmiGUCj2*p_70N@~MW>;qr zF`iPkc1l73P)h3Zq1iO5PJJH2pY9wA4+VS!8r5{S*Bg_upK&?D{=x+)IUBo-{!A#b zhIxo{N{RYx!;EF2eoK>tW!Wnymo6H;H5tpoevcR|wq30f9S+g9HduEqtR6}2zcxE} zX)1l?$6ZAPI_Ci-i4S`9=Jn9>=c%vnEk0TPYIo-O@$8fH$up1V?yv0$<-8?4o&eFc zF~||@LINS<%2o*rH(`w%B`j(}V-~fI2F~R^6MZ(Zj6^n!Y*fCmKY8iWzb>9kU;F%@ zSI>GrT6(&0IdlJd=Hc@{N@HP_A`JcQ(<~UB7UQy~-B!SQ0uisdvUGD_k206p?!V*z zcK`O`tAAd2lsR)FmVI<#>2@QgEuJ$+t61Bn6tjQxEdAN(`NInb|2g@~fz+|j8st3U zOW4O{PxLW4S6ak38S(k$-Cl!fYj$7=4A0nmJG^#5`QqW__Q}a8fa^g|FZIu>554oB#a7WcKz;Vod#fG5PS@ z`7e{FzWb;_tGlBPzOtmA;gB*LTI$L5#HYHXJ7q& z`N+S`T}pp<+LAtZGj-=g`qjNpqm_B}4h(QkWzxdz$t!c;X)_1DPh>8gnA=nNrMt6d zc#L&S#Uo@`xhh|LpV|Ly>c?*vU-GO$SBnGMUaFT9@C^^o42{Zz<0XNB^=5Os8O;a| zpRyQPKKk3Mud_#Pk<^vXR`)ch*QiBar+zRa`)xH-*j`zDuw!;Ip)5iE&-~BJhn8NY zFTFDA|F-&V>cz1}0))f|r+t+r7@<}%|G8fm&n18P>d(ou4^ua9G|1U7A*aTRdgR1- z5v|!`U|L^kV&=BH9ZhfNo#cY;-BRihY45}r9?rj5zLPz>Cw=$v_?vr~Tl*GH$kHlD zidtRKZiP76h})u{n6yopY82PjR{c$T`(TaK+0)OmcVA_HxS0BRk1cuq%Repd&)hvc zxO6!4`X^KJ^5OKkTmSakvolRpw@qlPc+zEb>$%FFR0?06)*3q}!yzxxsG?&PM1dWi zxOPUPnv#&M)DE2P&`z@MZmUc3sJu*mZy@zR$Wfyc2b$;}3+U~rc%-c^L-bGaZW~vl zoP}4vz53eUo_etVw_m?m`IRQ0-cH_p`LE4%u{Ner&CU)D4OVxDtOtddOB%u6*B%K^ z&WPCABSsvO=aNY#3mk@)ifs!aPT&YA+`za+>u(_3Gg86)C)tg!zF7KZ_sZGy3|8zxYE@Ta)(@K^mg9L2({YW;X6uek`YZO%35{wjs3+6m z=2k!i55&z_)7HbxtSb`k^VjIT8!)xhJu`Vkn^? zaE#*!C|q8-t-N_%f&OW`+Z#|k#b>|2xcFK6-cJMR8?P*L2eMbr{hK!P#i7bPL^K(p z{mKkb;nXh=vUhF-=AL99zp$oW@8PpwK5w88Bm_AL{eXQ?&Vd$Gn8C6S&Du4po}SnwC!-4TXjGH@Nb!hRi%n}Fq}7&w*qz>3Y_h2N*5Q^DOaIbZ%MU?k zdzU97^;W9Ky;a>le;?sHH7bttN*;!%hgjI4QF(RKj(8W}Rhhe_R%5Yp2$jn^+aZ*G z6$Pwp+Rj*O@G3&&s+bT23; z9Gjqf5ritX7tm{-HUtwIRiAb?U|bt%U~+aQ!ox~Z2C~MY7OyT3uU~%)T z!%Sfd6tCA)q=Oi>)ykq?*<(E&1C5K;n+8Ygm96b^*2<(1;g!&hn>*Z8Dab2xcJK0o z)qQ{54AzO^fXODcS`He43FsvcX5B@RTO+_~Qajpb(3Ndnd2n$wBsnw}T$6lVG2;*_ z2aXk;BX&m?zU0#fKhvnv`wyzp`<|}eQ7@eS?ZxYrtE;C|KV59g?ER@|$Ez82g$NXQ z$YTfr;}{fpjul6wDrl@;hXlRDQUdXw*vQ22bp0L})r|!v27`(5iax;M-r>qVhz<0^ zvG`zBA1ppv+Bf%TW#96bpC-TkZsAoTd*)>3_?JD&^Vb`+oFf9^5C?L>SBMud7B<9K zp=Jy*L>R5*e@_4hcmWAQY1tS2X7cS;^t|tOd$ii((JR>_z$`i^nDnQH#qBY#{dCD`MGK@;dCki_@5=151`yHhpV6^nl!R{a` z+&Qg4MZzEw08a?0F|cYXK#mHCs|pU(wa>J7cGbho&!E1ha+lRHX%tJBLge_1p zsEbbro!N`$(?@S6&pul|vw9+X{Lu1+)b}SA&MY09UN}5|YW{KdyTi4ISPeOVk-!1P zF=mvf7;%LVcqQK`j4;3)W?VDltcHYQ!T|vwMj;`DW6B{}l*a-`@^NByxgrFy*Ddq; zHV_nujMV0f80}^QV^lBw#^RU$vW<*|+7m2VBj#%5`rqcxq)$BB%Gj!v)0u;h=^t0W zoBMHM{zgo_^wa!LE3Z>GZe{k|TsZTurF2XC(+3}Be}0udav^i$Vd~=3<%5ftQx9MK z_UhWFsjt2-=XYrNtJTXRb9?>S3$K&sE+nttT6`J(m$^L)#|vrXu~;j|Q^$Wz?SI+# z=FaNb_T;?_i_hOYDZR~JyJP7~Upf|A+LJwhJi+m)XWvg`9=|Fj__w7C+5JDIzJ8H< zabn@bSnBeHxpS!}&-!}RpV$jKNdv|TUD%&~cBC+V>mj5-m|@BgMU)AcCju>m{58Qx zq2>jSM-&2%GRz4O)13HUXH?citvvw|9$-R1Ez%o~@`xc0R7s9m`*5(+2WktBuxK&x zGRe`|(HrQQHrt);eRA;xc|>>&icB+QF|u-?wuIm*hbTfkRuT|u2nY}W5g@4{BG$G- z0C0irr-6W2+X5IMm@)zd3Irb1Ah+QG(b9kflj3VDA}_DMc1)nhE9pH5$=% zl5p;y&JnH8Iu#F8>p_!auzyIZ1C0kwU?VzEVlrWJT4ELI0+--KzZkB=hoEY#2eE`- zNe@bZXct8d)u4*Voz89?ZdOHdImR63?s42$P15mwvjGFCXuXcHS%jRS7+1Uf#eqmL z=_rJpQ*5+%aw7vV%t%yUQ4x>1$Af>*82E=HRA~%MX8U>vpv~OYZ2y~MjeFiv(Nr)r zxVKDvG_0_xn-J78~qAtk~XTleD*4L6c4E`})g@)t{(aAx(es)+}p(jmr zS7}Jo@#KjwR}ZLG_a<+?TE4V+EOqObrC*cZeA7O%ax?wQxdv*IniD8vgmIK-h$EOQ za?Pz*LG1N~>Nj*?mQ^%!*6y!ppBixj5C}%qbSaC^(>D$q=00!G9*%JgF$Q_SF@!lz z$i)z^mt}-?)!O+XAP7@|qqSHW7y^XBGAUhg=Qnbr?WlKl*rKn!`I~@j=btr?@v^*a zU5<*aK6UyE{4{y?jx}@qNb=ByK!$$PO5>lmBnTKnPY%V4pVoY(3fmK7s5eOm2RYls9ajz*Jm~@zG4{b-MLpHXP zW?AOpc(7waH{+V97~jm3yQxEWvxk04oqb$q0C~nSOnCt*p6Ucb1k6w^?OqKjpqwC( zg4Wnz06CP4eBv2|0!JX>m@+w~8m-M4f!cW&Xwr8{%i7Jtp${~@#I(8B)g!Cw}yWv<>Lb+sc!!U{Fw zSS|<-QG|I404Z=SG@%{wL;!&2FvXYw0EqxLz}8pxNKmW%BZGseyK=oLiBAe4qkL`t zR|q+l<66a)i_8$U8*8txp2^akllcV}P4tN!+Gx*UuaC+~a0vl8WSOqLnlPr6;}EYX z3?T!AV8~EyBMO8VGF()#8muNnIRG$&6!8QiKxwVj1oQl{`4GffDp5~AtE&>Nyk6Qr z_cXh2-^$DMku&KNFaC@hb5vLd@}jE%4~*%dzbcJGXOg5Dc86xIRcQn(lLAsMSfO@7 zoxxP%ipU=&l@5~muX{{Wd24aivAcML>@iyV1G}nDkonJ}uFx18D%=cQkwxu7ZPAHP z#TVsJm;$)c(H*wdDm5nP6+f?CVzAQ~Ge9S_(XQMr71N_7lOZ#pgTcCF2NU7SLW8_>a#~&}a}G^SP?t@y*u{ORO9#?N&oBR& z+4oDSc)yI`!4fgsIx7pZxI`-=vkHs~phM?~=#@zo<{oE%{w#a)_}ohwiNc81Y~*2A z%rWDspiy9x0}gN8J5%IRz#YZ`!9B36r1Ip!;ZT`-#YJLLx`nFns2QTuYgD4EkBbcD z&*zB&&TQ&0a-vE287vNuYuL~`ZZ=FrCb_1#8vIs+*f-f9=#@N+K#Q%QbW~F~jJOjL zxt=FzFjzpaXT&2*H;ZD4NL5N7vQ7kL=`5wFfO0BhO@4=f)9Z6qKMuwMeP)Am$SBcK z^Ic*ew9u(oUw5-S3woUBSqHyD8!HBQyGDvU7PjsV#ZYfG;i-Ti%uz~Lkt`61FrhrC zAX(@J&|u~b15?Ve-dcc%W_seg%KNNmaAvg6+AYa??OeimSR{TcoMdg;^WQI?Uf!E| zbYgh7{nLrmnTzw+R&MM5JdNkh*NpTgfbu*bIfGQ?PAovgQN-sQ4i)xc#32sgJbh(D z1}Q>wZdn{yJ1aAq=WDE@TW1IZ4j^2?wZQCsiLNTHg`kBpjmpudK(f%*rcv1L1!bL1s>zIHc&#S03jnn&hV{F zvvA;6>iY+)du@wH79ad~de5Devu_@*9QvdpDwAP|2+sh=7^Q&H++nd{P$pssBf>GB z2?$UQ3tT;_g&e~f;{isP0*>PW%QGsd2>^spz<@v~PZ5Wxpv08W=jw4x^-K)c;!4Ql zy9!z#fIxs0=h)M#2oX3yxwQ%~`5G}f3_Z%r!`?q`maL88pmfDCj&hjtjL6o7_LG{E zUtl~3ah~$Mngf)B5b(Kkv;ts@DJO79ph7c~pXWHlI0OZO#|ToMDouWf1jzFO$0|7v zIKXO?9K?8KDg#lJpn9J2KVyM_j>S4^Q5%%}Vb;NHzz=lxv7&K0zXf6+o}nmeF*K$& z(CKG7Nl}-p!);*f=*#a%a#{mguq4%@H82lGy0txYW<()Xf!hGaNqof08<4d|np_0D zKH{2o1qR1xja0eD2nk!TJ8#1+#L|PI?$Xa(KC|t?&f*g(vw?Mri_IjOCpMU}5A}4H z6fY%OgE$|X$-CIpBQ)^x-D1%^s!VARbHgb_2i$?F{4$mB8U*sT*V=>z32VsY_lNUl z*4m5)!Cs@I=(eLkX%I9_m++Coer%d9i%H4#$CXTP*U7B8D*(r~r7(2?7Ul zTu_aPix^@Q^TL_{W*p;ritBP53}{r^JOF8SXjJ`p)?%0{T&NP(nFj`(agE9jLkZo` zI3Ekkcn?sHN-4i*q1=V&Qr-hh%ftsdhuJaW?;Yt;Vn3*?5wQk_0vc7o@9P|k=OMU3 z4=lwidcqnNKc;6LBc49{?_y6#Ks4SYeM0Kw3vc%6>!kxj^EVYZ6mr>CP$=ZDpS39S zA0S33j~FEka{}TC$eHAdmjbwaZeh45wyWrEZ49i<8?E2BR#|spIV-sKE4YPoX0Jx& zM=oL+EBX+{NAS?lq(P(NCUzl|j zXH(zbE~Gc*+F5egym&tKVt@Ad#pD-<{*wCf!C)}+Z2ztbcXV5Cd`-EXb&0-FU&s=6 zhaB#;@zJP;Gp|l8o>~54_4v~L#bbYOy7Rg;Do?zhScT%DU^HT!vPa??mEP80G&?%N zagEA7#LIgIG6s1{S#Hrvdqz!oNGODPUp9rFS-z9J|MUEvE`Itg@69-*Kd~|Wv}i1-{jZNlgIZ}_Dew9JEhz&$)C>ZG>gZRUw{4Q?9FGp z{;Bo1t$)Q+z{fV1B^VBUTnGvHcul_8En&;YVbL4#Si+*(W(kR*kDPvwUG#kvj)g73 zX3GEo03PGq{{aB9|09ejA@H9d<|*L`(B0C9jP|D*z2+w}ZjB(&BN@Vm>ZY}`BY zr&g;QQHEMkKz`ur!e3uwR)FYt={zqm9gNLQJyII`4RfKu&rA1dtdJBT~hy% zC~PMBX4>srQ&42@cX`FIWvz;pdv$($%x$c0zt80MilMN@8z@DpcqF3K5(s=W9kGf* zpBNTHAG!S>yM3Xs#V2V@jdWg%&*BvAYHM7h>J>fS8p#S)_qtg{OPzr}q8}AJ>qL+D zqmV1V0!taF!AJC?9B)%)zNM%sP4Nud#L%oAU=@d?*xzdjWc~a>^=c>_bo-p0g{GG^ zc6C8nFP!{x>bJV6TdSS!u-dw&U0Whym%6MnNz$$<*lNpcNbLdp)EEi(?Q6cA#@+osEKK(~QGHHugz8p=`+z=CZ3ab>$4mF3~m}ig*hWU8BMd3aM!2sp#Mw*hWQ0IcjkL#AB;N1Oh@f z%3}fB1X1LmgE|PZ@tg&6R)FjxD>{PKo*^oge3q=QPnw$s#nH*7FLLFSNk*D7+Nq?@ z>k^uRVz5Q=w_07;<{WO17_fw0fB9Gp+e+$m{$+8;%&)*w=NCY8Y1fouG>Z8b?glaR z==7iTjhpfZlhS*I0D=6UveSJ2FSq4ao_Q+LRCj8jZn>gVfBjqOS;2+f?zc^g!HdLxA07&dp*1;FOr_u%o&Qsyj+eZx^6^%cK+lhJ z$Dog0qQw(-$=~Pw?}~!IP)#N16G#$NBA?QC3dpDAZ54#MtNtLA_Ne?{)s=#!JxZEM zMRTgRFO^E!V|fR3Gu-NaF5|*dCL%@O-NFaT*R8GnRo-@093+V+my&>}8nEi;RsLg* zvd%B;>a44uD`s8gn^j)*6<$N-7c%dXa%U>ILX@1{Yj$(VS41c?VMxHH%1HKt6xS=P z87VkYu4`?8qnsu`niBC}@_^JRjhJkmDvhJM#t@W!2;@)n>(U2Y0gJ*JuWa1=IEo5K zyQRl;YEN$p$%4^y$lM0g|Il zR18|2qJ-n8!02B{o;%D--tHu&vD$Q?9Ji*+NOD zSbJWjS5&W-Msqrccjo@PcF^*PwzaC((RhdacG)a0+>=`z{)&v+vqnO3t3OscCl?N~f8D*7bazpD=FZBh zzwRy`{nkzme0dW zO+p+j$jSpdLL5geb}ZO{;6M;CJ75k#95$W^z-q%*Ol%Bbi`^ywhC_DG=nQI9=5{n&yhDHOFESDB?$D^lhKX~iXhhn6z@j*l-aoKn5_JR& z5>r-zF&#La-JHupJF7l;OXx;v-Idz1CSjl0_m3||$%jnv49m_<3ZPLBdjNicf=$qo3Am%+he}YwR8(Ssw`OoI4E_6OZ|3xl zYHM?}-DLLzZEs^^a>+VT$DXVknI(!gWQRre*x?pEc7;r&VnpD&r(BkJMT*>)d4trz zhz04YT4@5+jSL4T47e)gkl-5f`^T!9u2IF^ZsPHKteev*p+I}TMX^^#L6^C`T?AEC zdrOx7l8DOxy$hE9Rv1IecHatP*aVZjy129lJlavt?WnzEM^>JWE$^Q@vwCgm&iv)y zUcX#9vhX67dHQnhK8Xw<$UUDi?Z8_i{}a`wtdplaHS zG0`Tgh0;n;LjnO7041#9OooUugn3qbLaQmq2qp~Ex)WOs8Gww(2-U>{0pcm)pd?XP z40_$ZT>lJ;q0rh$=4Osl+fy%1VWeH&#l3Uq=T5C2O`krH`RsP~{-N~ALn}wp2ad6s z`4{CJ!j;o>)*qa9`<$Kbpho46b<)0>T@|ybA@Wn2m%GJa&>vJqd|pd1xn@|#~X&#tbX{kN49bKlSHFBP3TAGD9hN)P;jwOrTQ8lS&2w}0vL)#Iz*XZQSC zmU{VPlFd+6=-mC(^(!kE7LPfy4^Gd0mb~_S>D=)&BOkhv;u7sewQz8 zX9u-xs@lIZ;JSRbZv?I@2r~t|4z=*Qjm)m79>;sBZWE_iKHm{&wglM+3fgT|r^Y73 z@fL2^!tGkPT?@C{fs*NigzmPqM}HT3hhg4ARv)}We05C1?}hKmeUe|Jx`BXk0%;r1 zkoO(JdwY{bisEfk5K6hRzaPqD(UC#NSkQ0QB8_Tz!a8al5X<<**chJGs6seY_C~G7 z{sam*iqKU zl_jI9?@BXf`Eo-Kb? zRe01#T=vFAugwx`zF_}^)+|)N=!yk`8dX4QE|fworR}A(Nfjl(d1$O75sMaWiklFF zV-mGRp}r+JNXh1$A{;?%YJiib?^L(#mh@ifBW@d z^3luWxo4#+{-JaJ`!_G- z*$*0=N?1$!+O5>*7c$RZE*J&++4(?+u9uBVGNqh42NsM9x<(rGl^s7CcqDWR67%!O$Z&1Mj%Ko>a_s~Vly@b zK}H8>%`x0vg@p8W2SUCf`>X;U;tGkna0?RokRXxw(j32?@_fgK(d0T~ydHh1ufrhr$|_wSQRa zbxh_93WrOYNx%|zm2amgrnXP%!ZFel7N@j)lb@j30n6|xYmhqZk<_Ym)*WLVfykh? z0ClQWbYP|j&kCsUQ}l2V9Nkr^^Y}(R5n>&j?O@e8;@*M8OyS?ijh$5=dyLLuUH|M9 z*)FY#`MP$t(zK~_b!WJMF<;k4{J(njGkU>=loTNRo+&_WZ5q{3c$oIZbnW(`sql7A zIP;)q)1_naaX#-Ir5?S{UEOjQYq^WHbffppUF?09SUXE^eV=>!cWJc{q9&ADNV!c{ zYx7mluV=e~ivFl}=X#cXu=A(vafW!fJsxNIIw{c}uUv`#*Zj@C@K~k za#14=#vy^&1VC)a&e;TqXaPK=$igv(r>dMQlo$+(_Rh%KQPpU3iS~%c?Q`m!K7Z+PS4^};axM&# zPt}Ew#awk|QL-x4tmt;S!WxwtQpjOUIVyGJ35qij_l63UyBwIrpf^iF;~sc&Ia8`%i~M1y`^)8be0d%%f4LU-!|!uzGfY)wH0(`udnUSMBT(=~E8S4J zwWQ8{CNNlxBj3uqFeO58Tkpe^3E$20h^o$AU1LbA^C_G%2mN+Yqk;mhQ3Q2vTMW6R zHNS%h`u$K5b_TW}84(SHXq^y4eo-p`4CFln7`ADK4UTWR4jRz!Gz8(D?#mWL@RlKh z5j;87BuJoV#1h?cIDzOB-EdrI8~Z@vg7?yuY8wUjj`yU>^+k)2_^nS6$z6H^zdc6f zTr0PLjF@7?VNqZfhe)x&99CktIG}^$EjDDQ%wn@~oPc@k5D1`vvoafi0uzu!V8|)} z>szz-7KXhQYrIL8&fJ_=s!5N|)H~YoiFQEOrQhs2)jp1FsE(bwkuI&tFk=2>sB6S% z(6NI=@lM$Y6l~p-9bIwc1>Wj+`Os@4?4MRH zXJl%0mV_p#eyFN6F&u_IrPB1?$^O|yt+Ivk|*sArq zRkr+qej{N5L0|WOO9dHyPY?z29f2CZiR3^(Ny7YTDn* z-VG+~n{4FoY0kzE!!xyv{QYct$f*nPn_}wE^;rW`f4{z=sXtt0>DLY`So-vBVTL8v52yt)@yA2B# zOewZou^n-giWb4j3l2N8TaX0`Ky(O#gF37nw1`$t;1DDZMwzWl-x)%k8dc}uXwflk zeejId-=Wi}5U>~~EtAo*?z|bWP34?f`x8NI#_Kn9YE*hF87n=GdwPbuillw@o%#cQ zyMmkhd*%Y)-`?Hd{)w^OIPl3(yU{pq7?E1yHi{Q09E&TGNf)G2jfO@HCPT+)_a{9% z(fG_g&;Oddb94UL!k*;w$Jt-+C-3e1)AE)7O`d(S z__ZOm@4#Q??`J-LQPqmcb+thsoQc({|1j3N95wOF_v%tm7=zFTiWi`62`VW!>8rL4 zo|JBrn}<*4%~Mra5^Z5g8!}+@jt{KEaA6w*#MEyOcWYFHcy!@_*q2vsTpATLQ~Qh; z&raquZ1Q%(?kOAnK!K*W-1TkowpPH&+YUI{DiF#UXbOZH@PVyEp}2M;a2-?HNTdlg z%4;+x*x+O%NGe<(ks9uVF`By~sxB-=F*b*y?grQt;m0h!uAPKWsZ_zWg=}^E)=n>> zVg~Bm`?Xgcg*QdlkG3|MRgKI-v#mW+c=pbqT{}Qfevp9J4(Rvag_$9i_hhaQnPGr8 z9W=}LTwZdFMT61U2M?6(^tmL#(m*v)+LmBx`7YT442`39yH$V!5qaLhQ_R_H0)ST0 z!bBt@yA@yoIjjy&q>LlP;SiaPIuIui(I!GsD4LhHKcJ~NN#4JRrWrGkUQbxCfR9J2 z5(hRh`Dy*-yEum3yguNVmE1W3}{vrmH#9)j8Cz?`;31y>n2fZy(Za zCe~U<1Nj{l+z|d(Q`c#-!1V)gwKbw<+qizTv5vAP6|0qZzm{x|HST#ej2dN6{eiXZ z%;KpsN*C{dHIGNbk_+(~mw;n3BYZKR&M9j^5Jtz%k4-LaNQs>p~av8iG8JO$Qet#FQ`& zY-7YHCX{hJCG`db3J?>(0l?~x2ow+xAft@0Ga#5S$_qRPBpuW=3WOl!LZCzBaR_$4gH}P(q_J1Z+ZFY=!>@&XYj&EQ!B`mAAjYpV#xWRD0;E}sq;MniZ)EeS zjLfz%k{DteLz!CvM_V;4JyvJ$Oy`G*tZZF(zMDZtBX6D6E#K3QiEfQ5iX#JETHe9D zt!Yz%jbKW)2OAj~uev`Z==ZECCZhqnC0xE^B0p)8m+xn<9_st;_4(A5YpUe2FJ{wU ze!XzPm0)E{i$$XvnwcuGqbMLS&}tC`t5x8b zh@V?bvw}AUkw2z03*76BZ2@E7^4){9uPGG0?!jB$Py`x2;w*l2;;drBZAhN z#}mSoOma;Ug9U1&A@=DKE8lMFIhjxOOD7cycAm zw**QE;|Rr&a6HEVk(RDjsRc+77BHh2Lc$YN`5N#H5W*A2Q!F5%87rH%Lu3;nW3^4p z>Z(c`7&XUx1Y335*pRoL0j;cwsy1LkD{Y`&OUyVe&T3R@iV(vH!?M&}n@^@(`r;@@ z=B{Q>zD^xEvT$_yK=Rz#^n>f!y_Zt2pXfPt>g>McnP2|&+p~RtPk(u~lu5A;{bF3B ziq4dt&$>k4s4rv*yF(7Q#p)3?s^z;2*LTmI3unH1y6|xRTITG$Z{Zlf|k9L@ZE-L!gc`AG8g41TJETQ$6_WxcIx0B<#H>4|_`?6Qwm&s@jeRBh(NhKsihh+CJMiB^=`zl-a8* zZQmGU4r3y_p+w0&7yu3fuDCVj|EkakND(F+hky6wBc#d-viVp9Vmx9HfNdNQ$T7n6 z0*~tq2**PT08fOv1A-AEh+$f9I5>iGMt%vuN$ZM|##zUVuCA)A;^Q4bfh9t6gsAdL z?uwkoeO5JG;#_Iik+$Fu|;H0>6JA2{4(vK@A z{$uHM_R_)fte0RgYQzZ`5`yX4@)029Yl1Mc8KT4t)Ch860P#HKsK60{353ZI6~;jx zFvJ7E0OY6yZ&89dWINtwpd1_~9Olb7tk>=9^m{GtwJbTr^N3MtkcWb?T{2%~M)JhC zvu8wGdZ%C}&%QjLy!>eOi#Jyasn%l+uh{!H&xKi*vAX86Z*XlphPX!l=D~p5%Jo$g zAd?1-@|JB?(!7UeSw+585~5+fL5;j&-+<0AHK}9Ug*D^{VrOFwo2waa=1n#-slHXX zM1F`g2np+iCCZY&8kT_I9e^cr9bqzsd_Y?5eb7G;PEqkKE z*ssH&C^LA74lx)M?VXXJ+vhaeT%tYVar>M)r_Wz{+!YgTksRr)&MfDO5Q{J@yNEOY=MSu@BL1L8wfG==btwfjRQ7UKbUR()+|9p~U>?bWw>M!N;yM)WfHvMxZzNJbyh=U4 z`2YSbbL{)S{P)VilT2W78U>n0TDzgw~b645OEwYFicUMj)#;AJY=~30H`6)VTuSR z)T8Q9Lo9HJAgoB%@vhtBwVZFTy(%vdiW$d3Lyhy2*ssT`ALc3SVHdHP?Sr!=;io8@ zd|j+kE@@P*ZbwhT9&IeJN`}WeGD|Sp6ouAw)IBbH;aJ<(6mrQu&o|bZ7?8azPKfRr zpO%(q-kdTW7bf_MBzAYy9m;LCpmMh@=B`nVIA^;ng{ik|(AVSYbk`Q5|FLxRPszJy z)AvqhPw#=Bm_N$wzn{H#D0%bq%z@XHqGmGQ>5iJ>{f3DR$pnsP2x1;_4Hq(nkYIvf zJx~quyg(=N@g730m2y9U&nywc@AKtu#PK^71g9WCX0MzDr{$ie;7zVJZYGk z{rCB2D_`0c&ty;S%j`LrK6Y>EZ0hCS@&pTo?QUPiDhi81uiKZ?YX-$oXl?Xzvy8gp zeygWmvO?+3g$wgfGT)p`eRn2%>*2p9pX^^fpZVq2^qr>_Vy07EJF3X!j6L@#Utq%H zv_yKU#KCBsc7}+)#z%p0B&ZEK^@A~E)t7CsZ9RexIl{Bts6YccNlw-GaxC5Rj#m|> z7YAm9L{z5;u8|3|FQ9L?){;@dcCj}yJgrpAvsxmvryGN9Y>ru|gANBVQ znr*|Av~KfOp8hd;^NaM^2UX?y`C-dYCsQgisPorq+!W}Bvt^pRS$}Za?Q?dzgBn$M zs=ie2H_(JQT`ic~yI4?BDogi61)jPhEu0DaqTyZ;*ZTXkF@^X2mcbr4NtWd;_VShlrs>PUSlhrxbc^**=R7&trS&kqiFn}O}Ji&|rDH6G! zFjv6woFHH#J)}5;0h>nQWCS_JF#r+bD$eOS)kCB5dBK#O6HJyy2QimF6xOK5Toy-9 zT;YVK9TF5u@9??wa=yo$gYw!29g8G?KA*h)*xXRuV~BXd5x%yxM+9Pq0D3@$zY#-q zWj)Hp!U6f2tt=UPf)<-NB+r<`lm`NbI4p2D7a|AhZWKJBZ0-D5xiyYzC;OT{f)k1v zPvyhA*8BOlknoTS0>@RKy@I0RAw7HfN%qo(H!riFUs|}@-@UkZaepBD_0Q>3Xa4uE z=^J-D(#Ng{wQHm1C}s>Wgq5qqVT2fhpjvA%h;fH;+R1hG=^~wqHT&(CeG4}h?xt@& zO@6cYk7(iR`3rw`c4uCEnR)oxRPz4Cxt}+5k`O2pFl92IqB?WBU12)wosM`|VM15f zGm5i$?r`Svsr2nz>BHw5O=liJur^!kDIoyS9PeU%EfDbltj$i^{CtK5D;2>!C77cP z<}>CA1ArmfxyPL-o*pEVrg$DIpwqlnwp=TYJjsK<&OM#Gm^pUi)4vX79v)sk^=ISC zsqELUYG!Cj41^pr)`-~?tetJ<#J>KyU$SSPFP(s<^xE6gJ zJGV-ZqiWl@^76=v^vO1dUAm+FJKGOplL4)r5q0T~_HQKQvakdc92?*};MlMpw6t%w zpA7b|X|m(BVs5u&wrS&n*sFC9ZQ_hmsiL$?qk>MpucNf?TvlY{hK0 zVm8+sv$@mhG(QB%wM}ugZEYHr-WrKVC#LdUiL|DKMim|D8R#7}5H6V4tK$QSK>tia zql$D)O+-6eBh_eIZ`Pd-7pUawd(#P%H^5FptllQsLj8X|EtBqRm{Fi@M$BwWni%4jV!!p$T6hti5kOlb7mo2d_#}Go>DF?6v2fazR(0wc@4BdGhGO z51r{3U#EXOpStj6Rl?d1dL0HwH;Hv9yy4sttX!QofvfZkkk+Mh{?WgFn!0;;eV5t?Dq1$)47m)oN9DBt8(eRXiMU@nFU+ zdssaKH#XF>b-E^b_PFv#;xO+s3qq{k$Gw@?`!mNbWzHU1c$U0!`_04un>xQwIXl)D z)OOeNfvs}GtT#lnV+Pq%**ffq8)U1c@j{k;ZbeY}^Qv*wIij_*=@zDn%l#enrks%a zAQW)%A?;A8FI@S2WBy8$(;#Y!@Y9t}yM=pNgoL-!Ww(5*TP25V6E2d zQtTIx-yKB#)qP`fgPH2Y?J-?{H?>&@JPIVDaJrg?w7N5E`D;l}&diM_D_%?7xuTu4 zSN3+D{#@~yN`Kgw4T$XQ&foDCTSf&g&? z2NWm}Oc^M9;Pyf^{w{fCIDlGnNY`pUY)zMQUHw@ z_aWgiSR1!`{-2C7jv{Vj-k)vew${~(b+SgoaW-9*mk)OgiQTfXYe1SJJ(X5FMlM_! z9&mZ4N7J`Xy!knK@6_DUh5HK^7jIV;+$S1`bRCV`AgR%a$=z4|Jnuj`Yq2X=cX*8N zuV#uFnxcwcp)(x@d#xg-_1tJ=N(O(w7Z+FdYN!YGCq7oj+upH{F@(BCmy8sUYk3h{h##r&&m=&;==+dAXFew-~BJ>{0OjLGPLG&o<4s;UM4&GGQ~h z62e{|>JRTU=brbXPg~wQE$^L{_s;v~z4Km(rVo;l>MiV`JD!%R)F*HMV%(@k)x2lc z`#)tQ7vciCJ#I3k);51BuAp7H{O{RoU%z>rz5R<|!UMC9xaD^Dr1+ZeWsHfm!$vp@nJfH^G01~A7Vt7sK@4iSh1U=ug!VAG~i z8EJ<;UPf*5)e7BJq32rqt(z;oAEFO=4b|~nMx;>&(>QM<}Khds=~GLgsy@xZ>4}36%1T7izD3HAkQT7$Ws$uRs_F z0pO*{8nHaUHBrqd2LOZ!^L*W?cm{X?37}X(oXBRf5*+MxqW-vH%rDToq(G@FSChBT zE}WY`o!);ox%ZfP_1>TVeeqT5`(HBm?kxV8-v49FXL-V=GLwGk@{#lB0+c(ThJ6Hm(hWe9UqSrsBL+RpnwubrtJ!!fOlq zLw!PfP`WmoAyHsrzw|HP)t`kPx7S@c2ZtRP;cEY~(dmxyxYjvR z{U&Y{x_g`UVyL}WR?It_C1A0-J?^l(()-gMtfbpftCo&tF5O@Jb~N+o%k<4Xk?6;f z%)KL-eP{loA{|UUe_mrhuG(lfvLPb|35A3az){9CT)iLXVPS@OfiVIA!IWV6h5JfW zUh7y~xebN819H)hsJFK_@`H=SMrFQ@#Vs5dW}4l=EiR|aHPx|> zLgQ00g(7VRZIHK2O$Cf5(>gM1!);3Sp9qgfn{9!=zjL@!fDVn-IbZx&cF!y4!Ua?M z#od*s3s;tY$X>g+_=7}#)==e|I$coALky76%;5q;fntFOu$jX}9hRRMW%2e71&w8h zc#Q)gg_5;aBrmc+_LJQIQ|A6DVfpFO&*{%UTiW;LM*6|$$)EQBdFk@p6Wij$-(EE& z0fHDZ9#V$uagj0#I7$Glf8K!%K@M>os_Rt91S|-c3aDaxGWmPgxh>JrFq6@34%>5$^ua>{cJUpsR@BOi6eq#YsG_3da8D?we znLT@19N9hn(cKZm%3} zc+iJ{$AUlvSqm!Z+&I8v4)YCXK2HS1GgepWhX5f8G2|QWsFPNoPuIkbnmzj{dG)iE z&y2}eF9HjnFCSbwkbQou{9(9KF>Y$R4GbZ%cUERI$uCi(V2mqnpv3`v=Y9U_@=Qes zZAGcQB`i}io9XuW$yJzXH_uhBN%V7*eA@D*?QFWLO$WGkhSOTU>o>w#m0L~vs;$PDD3xj^(o+35Pv>`VZ7|ZR`8B<-OMOUTb-;wY=AMsCfDyJ=osT zZo1>W*kt|Ex?*uhO&W|9JOOO``Wq6;K?I@96Qqigf$)%EBFK2!D=8O8?cYi}BR-z@JlWfB6JQB}vhE!7 zj9K86yHn>P)z@7mEDCqoX;hvG-%LbQxO^!e!EfnKBpmTXP`N}p=IyL1$f}Q+z5R{r zE~!K!WQuyjqo7tTBKr8SaZ) z|IglgcPElu{p0`pRq!2$vHe)PT~*y(UHI|O4+4Y`2uVaqe(W_-Aff<8KlYi~$$55i z&S@v-9L^bp!n}?py^G(G0MUsCG-yV%J9B)FSKUqZ?F#qas{6U0+XhpYM8jrT^JeIU zGgb>Hy4Q&R$R{C~Qme+HHem#G|FGog9%tMV^YxEPf8*B%tkYsUN@C$aZ++`Hk$-$R zQM~eYes|&B>7j26x1WddkI&^cZwd?+o?a>4KiJr0N>NR+n5GVueP%#(g-LgI2B%}G zQKzzP04zX+fk1!@RESEB3^`>?1{u>rLwv$6V=WB9hPHxb06`2*BPCmbD2xC?paFdk z!yv?Rpp}9<9W;X(3~9`99K}$CG^)5m2uB!%vB>(n`#Npru2q?6mcy8#SwSJhIM2N-|WB|=#Krq*+*cRqE7PG8ean*)) zH5hW)2c%{>inTh2IJ)0_*~Otz;#7L5vU*2TzsaAtmb1RU>FlQBk*l-YJ{*|aw(!IJslw~y8!Zro2V+|K=YXmVFkbyPo)AV$-yXPxf;450-D_UTkp#_$i8~h!fP;ANhPE{M|SiZk>tFv-v#g;DV zrY{C#u%`O#7YQ#|(;oe}I#cB+g)*)Huw2`b1=TL8EbGwZj3=5NO?W;TFXnRRt?zw7 zyQj_i*bX?RIM5bmg5J#zUkgrS7$$^^#QfY;c!|_p3z`=M`;UohsVQKLl+6FRi=n> zdXODY^nJ>yY|?SMsI%=Va3;F$HXUC_X1Q5no%Ht_Tw|T7uUnX}TbQp~n02;=`S{Jq zS3M`zbL(qs^L2d0Nb8AU-!F zh-R@5Qf@-|Fz2b3u4xV8-4&Va9GP%gdXt_JMy(n$jl^cS8VQTtpz~POD%w9%iw_Sb zxxwDPuv!IlnozBPXFI^+yb0BO(O+IL_0tvh72RxHnslWwDE2$YJki*sxGt~M+L7_h&eG)rb9-lxlqwmA+M3*ioE#|sR zdeE7KUTMkLip0YJnZ{_&qNfx^et)w?ktk%=vj%;=*NTfD3g1?^`{2Jm{E$2I`p?u) z&o7lOZt2b4++Nter?CBX?%LMEx!WxYBNb!m>Zle*Eu9wm(Kd_LQtcm|_6=C$eQK3` zWJ2aP)+DB8)GB>{gps-H>7Ot#odLBfrL~D}$C@b79II2lb?I|FVGAWLHz_FM8g%#f z2=3QvN>enV0LFxF_oAuajs5+cZc5YNGwGNaQmbZ&)y&E~IAZ`@C-Rer0N zN}FO0dvf(Fdc(A|lrMj(md@P$aPgmoH%|(ij+s6jcIQrQ`QyMp9nRAC7xG&kEk2vQ z*uoI@LW9LWEnce~D!$N_e1_TE?<w1rSG zS*U7NtXVw0s>wpkGb3V`fLDh(U>Qw}3H5Tre1P7FeBJ7xq{}{2+MQr;QvRoqde`Nj z8PWHC>!G#79(7-QPZ^x;`cpx)Dx0kP6DrGRXKE0 zcK5h<8I7-2`HGu&MT%!1E*|dw{|b8^{C;6mam&`=hketfw`Uh#<<1`-5_~}GOtX+M z0AiXZ2m=lxti=4TkfsMPh6rGWVHnJ^Ec=T{)0<{GhofYIm>EffQ9W^WHEvFnT7V`@ zW9HH7l>g#$2x>E6nhvT}$to$nOuT;s%TvXW?2S8iXfU}2**%@ zWzeBw7ziNEPz+`WV4>(Piy4|F9Lq77!&vy+x)pvm;0;ozY$CDJmC~e&aui+FD5GNI zuN}FY&lZ1Jy!!q@;qDK)YkRGW4+5E;orUw;iighszGl;xJ&oFIsqHm;2-d_?*Iq7q;W+QMjGSX&V(jRVhHDGrMPyGT~YRDd%T(UYo z&47ig`J7Srlr8L^RI6wVITjri(}2q1ZAZF|~9X@VtX1rBdCqSJ(K5o%2VE zo8M)hW?%enx^(}{uLV!rmpgUE6Wvg_w{Py?;{8Zz>w}HF(d2FE0%K9z_{y!xpg-n_ zrQGRIDiCseB7U_hb7k)Q?5ong%h^Yn=eeV==WoqF+t8L#>(r0d8MV2?xl4}(_vAL^ z9jdX;9?=!kuqP~i6PcWf!pW||$WWaZW^NZRZ2s5(=5D_E^XzGE@j?^to(_#WCx~ul z#wyxvb*MI2Hi)jwNM*9Q#_I?(d-MI9{OMz0;iSuhq|*pv8c>AcC9(3SQ3n7N!Gva^ z;xsC4f0x^LriZDX|hV=h%tYXBBJa8hNwc+S)mb}R{(9FO=bQSNf)`*PDA{wa4f5%GT$iF@5;y}q<*t4^Gy zZ60sFdfeWyUzn|5r2!YL+PYI%Roxm2uBcS8@u+9HfCYb-TiIg@{yxxm|bOzx@55=l0RLZO0aNtPYafGh}vn zX%0=RRU`J8i^pmu0qgo{4@=x$4*>}JDKGZ<-GmNMevail9_VE_hT=HnXJ`)lXs_1| zIm|*#I4|%JpU+*zXnlG<=E@9GhS%~B|JsMIUH-8@CO!>mj1j9GenPV^l_H{h{4>zM zmd+fQyEZj{UxOER{62SKix>t|AE(u!()w}2Fw)6LVOJfhPEPL<1FI@RC3;Mg$mtxC zLcD5n!O1bU$Mn~Q{rN2?b8nv{b6a=MAId%1l-qmDCD#>QA%DbIuNU+K6I}zNadQ+X zyz%|5Z{xW`Kjh!;nA^4Z!@`a1xw(`7$K+3bFZj(0`j4SFL?fCo?Hw?uHQt?y_gdTv zl6vR1W-fZNyBCj+6yLp>y*7Vx;a%a#vp)p0QUq`P!ApC!#)OYVWo~t);$2BG#;ziu z)!$9Wy>ao-^5xqg#dg*g!xM8%_j|*h8JT+;IiPcFR6GGHk_Co44bs`mgFjzCKYylp zd`D^TYxyAs6omj_An!>3Gl1rs1&G!MHI5k~o!UvYYR1tyIW`KXoHEbMM7qrewaTuu zhs^_h+Ilj`Ow$2ZSGVM%T|YB2VCuIGi0%kN9HM!#f~4difCvd7HZ7v0rI7Ag7n%Ii zGG76DL)}TSwC%*^_Be*dqoGhwS8_$hs#%z(Up+BJRFd{?1f|4uQYvZULcRe=2$`~4iaHK z*40CC6%qJN>hX9|{4D~jyZHDwg-vIQXK&8l%)VUMls!1N*H+wrIrrjj?!lp0=D4GD zWXJ5A7Sw38r&s1`+$(d@Ely{s21*B_(h=q%y|2#R`mgM*+1tf?*9*J9fB!?{5_EUoX57nk=Pd+o6i;!lEnP;gArZE0{4;aE!7}fdH@w6nZQj zTCYmI8O_oSEFs0Ex^OMG|4d(YcZ?;p|`oZogkk=kqI>@)76@MKE(Ogk&FV1Q_rp&%cWn!&62!tdY@qX;HD0vIL_2_i`ZEuU0Kw$R9YDxtQN_JhQ8~ z{{TCfe2S<^m{{e(4ND%~u zi5dXXm|9v03<)i`rG+Tj76AT%I z0WTX~0GFl-VJQ}~wL==gW{S6DWN^==NB7>}&pgf^oxAbj=J?`?4Z-5W9r}sU773XjcZX13{YNC6n*yvpfZ|Hu^x^xz{-*TkaqixU z>~*%d^+oB*@$9?Y&1ZkgJ=&2wUp@0{1=ugxFt-oV-xR8(O|aypcdc*w*B!A!MM!Z}XEcxW_m1}2NE6uNUN}9e3H5&k7|Q~TWq`#i#02Fpa^yo#2`Nlp$GbX zEbZeEPICM_7)b3Fkw^?d3Q(q6h*34_7^|Y7KR4?i@&XbZV8R zyOR!DoHgV@JK)GG6JzP0e;ODPn(m-l6(|P+WKqhsqmeHWhrmDUszkg%zdO~_rLj-U zi0`eA{I73Z9*ZEYfS+(!q~Z+N4U(&?6Qt8TlVZ9|V#sFs-BYQNAvDoBA%>;YLTaLj zYjc!@j71C;#epv zi^i>n2 zvHuB2C>nE|5}=}krXXZFz_Gjzk|92ggrXra?I{(Q@N!ZYzy*j`E4>_v57SLkpL*R1 zwOxhusT{Gf0v_&j;k-OmS0 zCu-VmcDu~RkWSJZvP~LrchV-9-JbG~c!Moy%r`jLA23Op>I_T}n_)EK8L_m|+K|3a zLrWn(lQXo5#EnC}ifu_ZS)D$~ripiVU^1;w@cxdNLzwqxc&ZbKO^h|s>vH$hH!c6k zJ>EWl+yB$s-QmXO#Xsfuit?|ds;~nB3b2SHEFXPZ7byoRju65K5_)(*xlyBbYE;um z7ZS)oL_t8;*MuE}u!uvP;29ZH#6XUw8Jho816*1M<|s&LLI7rIg2gadi6R9Y2N?$Q z@I&P}Gd9^59vE)guyrgo!f=4*`yf?xnpJeI{1XINOaK8;GG8eYLLMeQV3oCs#chvE z+mDlu(!r?2JFbrZT!Hj5uUY#18GWw(rg)=n-twef#*qpXO;bjppBKxR#`04!4 zKaCU)+zV~AWnL9-)x7X}Aj#e->{NQF()M3^=63${;#BeBmfXvm3n$;-%lzP6xW^Xm z?9Dy9k=wU_antW>DSGL&*g#g;Gj*Y)S`{;O>H5t*6MezDhDGB<;ZY~=f?;wDbCDs) zyEHkbWPEhI|JL(sbOeT&nt_o$)bnf82@5|Hv2v6)Y7TqHIGg18l3Gd zwtD(j9RNdAXGypz=?GwFPcIxy^+&ljoq`Eo+9Gp?xwz5Z|WL}kBM}2 zqtlAMVe5oRoby`lG^g120#h-zzUQ^Lsc_@U``5jTuioD(9em4XPW>x;JDt5-+Iq}p zTil!9`H<(31^nJ=Z$x0+67f{pwxq0tg39=4b*xO)&ZO+n=bE;Q?v-uL#DvEClaoL3E_Y{lZr{87i7UldhkAzQ&SW;{o?ghF_ZK!l74~|>?@x$j zORbm$#L$p~h{Xs~gkhKbD}h_!x259=nNE;Q8X42Cl3|u!x;7T>j*4rhb*Q?>6GPL@ zcPv2IHznJx(`X!biwQ5PsUwKNh={WMRJ@+u_&@n4`xkeW9-S`UyB`Ger5|3Si8!6hkQ7 z%65$*h+_zVfCY%qNO`*kDab;W!n|zSdXAsI39qkk>9DK|7mlpBZZf_X&qT{QSat*G z9?(e5H8a@QN;l)UID_JF0ncq2jg0q(2VxWCV{CZR9Po&#W>)LHY>+8qV(+t0kBu2( z?dcCntMS>yj4Zq^F}r%L+LpSbsc$tf{^5Sw+M3HUHPkoKBgcoJR!#KUrzZ_!w*?N@ zcUoq?DeZqgckRQmF3V{C^3A#LOZWDA^1Gk>dj4VZ6S*s4P8?${>ni({#SO(oEESu| zV8mdG;>5K-tBNbWxYsxT;%~i$%_ocJ?*8=pW^woF{QgV1iS(d|uqW}>d2z|WA!iI)D;zEEOsy_d)-PL?QCOu@=pHOq}zRA7YQ#$@A|MG^&pU_5YC%}!5xc~qZfKcvSNkCJ? zJ69rvMl>xK`3X<=PJ~m#ZlPVT94rME&J|DX&VPR*d#kkf$AufEw})o;WFIRC$5AW- zh-0ygaHeV41?A;qDF!2!fl~S6ek#`68<7<+zwO;0Hq8Hk@=snAukQT!@16RN&i9W> z$8P2h914TNtFt`kO7Tdnp(BC_M{`R?uL(y400vWp!gQVEu6S3{ZfnS-QJ#}bB9PR} zyu;q(p=CXe!qH2ayN&#f4!|L5$=oxFr&x$^6om=ZfL#M{h+gv1SOup6V1hA=C?Yt< z3e8mA0N#wMYWK1k49-m1M+N@0FtPXf<-*-d`5TY&`|mC6${d(~oqKsackIObA4in^ za=ED7jA5dSB;rO}Z`vfbJMw;f#F0RDMK^xqzl)E4WH)Yfmd>0nK7F)tV`k^ZjeqRQ zJexZ?e{>_yO_t^&*Ym3AbgT)#YVlHW-;>h4$GMjm=QrnmJe@oLrm*)+VfWd>?PHmX zxOivF{O0%942#EVX1N?L)A^UCsXznymM@jx?l%NM^e|Qr+OUR1!}v-&rp8SP0BeEC!d~@oJ^{GJ9SqkTTT_S1pq^fAf0w zL1y>--Gz&}S6g#iA6OSpE*zM>Te^5Nvn_M3HY=o+)M$nRh(#Pl(cIE%l_{iV3Tr!O zChhUg-q9Y3ke#{H*XMTiWzGvl9YEeu89^5x=Fe=-oX=mlq$m@i>E%j(%d`NP$jCIz zNW1IkiTu|4i}%OpZst!O6pCZwCVOSXSvaXA28S?%FiTj9#(?AG#IVO)ww0l*moHwM zhb~Ai~3M-)R*!Ef+Cv(7LdMIKOqfsBvik zxk1yQUdyhTUbzHL?h8oZT>hd#tXHeFR@+Q@gAwTusZ}0B|9XS)gRyCIKVt259$Gz& ze_S&W=^G6ELbE&9tXuU{T@KXd{7z$PVt_Q4;>j5z4sX3IPp7AeEKf%d9*#6h^t3P2 zs5Z#-1UT6+)w6Hey%*+s#<(z%$@X-cR-NscW@o6_+SH8+B*wM+F0;9*Y|r3FBzvY6 z6FrgEYl<|H;;9)2vYEsn4U%@`At8mn@yXSz|U=S(_n*G!DIIp6bVnF6@R zI_aa50BKNmA(e9gX^yl#3y{|<7a>Bkbbv4vrjUp8Qh;y-1_%c|gz{8c{`AF31QY18< zK$v9+O+nFN((3rxg=ZXge=?d9umgXFk`0ZD4Y)@=T5)8*Lp4P8T1OIkF<7FVRNx-2$~ko+Vi zEC)Fj2!OCHmZ4bvK>4TB$lh-o>hE;v#A!~#9`olmZ~k5J$kxKiN8e;m&7Ej*D*E-f zU&HAn*S#ipBs}2}w-!n@YS8Q!hk*qhJ|W-P5Fo@5juOylHeP3q#o54!L#6FpPmW|# z+;u8pLH%>}ewqviw5gcGD+d1vf4{J!aQ5x{Yx&E2OS{f?L<^6unEOWuzxng*xy6tC4BNB{gi2A7UDEn1)cW+&-o% zhjM9%^zg8dD6!rbb*P-<2GJEGGbpTyA^1Qi)DDli1+pktpJ^~nWpa+jh?y2$($Ygc z3~ut1xG8IxVq+uIqU$dIa32(1!)cGb%T)h!ld(j)8tnZN*#b`RGBjwnI%+nyX9o+xAxilIvri#8I1PtIyE+t+v;>j|@dNIaDK?6cEg zG!$;VkYFeZ`nf4EWcnT4Sj}mcJwy$oCquCd>ZuS)7 zCVcm_9urBB&$y&W65==aGQ>3<*9`Wp+^v9eL)tEzadKLhjvKyZovfN2w+bKOqjZbs zF6U33&L94M@$Iim2Oj>hxaAI4x_So`w_I5H(N_+U<~c;l;SymRUrSsyRpN^GxEuy? zV0f%|%BV?8aql)qYFv`DD-TQ5_x25H$4C9rM)Wf#Q?Jq5G@HmTf?T6RNm=Qg!_8`| z-YMbvSRH1%#>`8aI?dFjT^b*oGBzt^y~YJHR+OyGQD3JPu06qpLnjkF1=@U;gCY=r zXt;MY*yrfuj5g8z@`{hm3Ph*MGI5AtKC-G zzP)&Af9~Cl?9syW8*}>#JNJ}!+|FLi9Lk@1Id>?#zpr@XMDF3`MhdnAPyhfxF#<{i z3E~_=f;fN~WtCelF3JF_sw1Ap@N%2z7I}}MkOW&Pn$J$o(I~H-teSa z6$*3?lSK7QUItRnj!sqMU2B4et!zVIUE( zxNFb+v;4Eu#jBhCZ~pb~3g<7(Udrv**He6SX7PS@pHRM$ktrKzmJzXZ>|Ac=mFxi} zIXfVv31AqOVknFmibYaEqsS|faO3>W#gl(GW*@6J3Z$N` zYkbwhdURYXvwCvj7oBxg6Jc>D<|$-d-ra*<3umg`K+)NT!SLwtm<# zklS--_GxCv{Hxj1yuRawflz?d0%|g4tln26^Q|ELg{J`R!}*un{Y15@mS48Mi&d=w zs;sq=Rr2~+P8+XPajWG~QqzEGvAET;4wuP|AYVXk#5%;qa=pfpHqOFwqn2SDB)`z) zhc)cbuZ68Xb73p#W9`Xv_!RZ5ct4iQaS-2@O>n4JTIv^EzUqsqDz%1s=@*$$@~I8y zy00iz>5$J~Q7SSLGHTSS@#Q}zO`KZQle7g)-Ct*rIIRRrGm6$EtEBR!!i+Ix6kMCGQ{sEEaE%?w-*QKfDbbOd9WW6#*YGCFXTK_ zz!z|PywL4&17CIf`{^@9R_4P;m5AcSNY)SLGr{L&tenS82BY@zu-4uL+M%fmQQcwD z<;rmY5{4I>p$fCx5?FMbM-&#-JDk0?1fFmRIhR^wPxEx@CPhy)MJSdwdQ(V9r_~S* zGHSFk@+GS_5GfbiuvXt6?e3QjSyymUFQ78}2s$>)MExFi^$z-tqv4O~-ENNlPyk1>EasO#sD&2!c^#_? z8H&oZ)UQk9ONzPwI#h){=ko9F=1!g~UENmLa<%*4`4^|7e{uX*Zr|bg+nIa0A1-s5 zQ-UF{#Uq=q4O1@1|j8B#>pUqv~{oDEP`-@w)Eq*_Lp!oE8;n=hM;mxHNhjiID z#e-K%mu{3UzMRSLsZl+b8Lq}*EeKr;1!f=4-|Vu_AD=(6aQ?&9h5HNp=l918`(J0y z)aGy{Dmg9{=k(j`i~OAvi#z6apPIv<~?+4LA13BjV<@PddZDwF*dfWJ*2TQ zNPPjZvE@F{rYQS_TGekEDWm+;?#bY=VU$*@rpG%6%09=GFQQhBdWIYkhjG0f>CDVT zHCEEb30ZEoyEozeg@)7Cs7L#v_-i=rbBEIggVqtw-egEE-pNgQQeRqFE#=mSnh30= z$ClAkUqfqOWN2*-b<{61w6=!*`B9-Y1e%GgL9XqgwUrJjug(n{K0{QEifGiT{^5zq zfGHU&_lm|5RjW*8ngLU1SF%T|Rt3YpWlEv16G{+iL(5d0pCHt>@~O?!w@v-dl7D)4 z_G!=iJBvr#6oi8u2Lc{H6`} z?e%khKkK1L6+->#gK)g5vO2Q1_7bOw&KyNVHXRL_kt!5KZiq%b2GKqK!N{~H_j1SL zzS8kS^Y{BRm*&npQ$6F7=j*YINf>j=7eQno8a24Z1ZqpS24|cRzi!Y;55=wG0*Dov zkzvwDk_s}@^Ly~@h2QAig+1Fd#|lr*&7H{K-I;rJ#GNXfzbfA-*3w<0y$X#k{`gJq z!1edHKU~jkIwX2-xwDt!Pxbm)obttQdG=iP(H~prQcB7U*P$9S)%mWtSB962hr_>e zZ~j!_(DD3(JNfJP|9kGr+`;0HN3$=B+h61_Zz~+QwD1Cz?*7n%cq5F)4Z5Q;cg!Zs z#9%VrCoieEPL1G*aDPwX$o0~*!!5`$(K9eGYPKfFjN-0YW{ygY%3NjjohdODQxk(r z#e=}tsU1=3=Uqp}=HBJ+Kl$5#>$A@n&ID7ro990qDV#h#f3ok}%(IoBeg+mqWl}6< zj7aiG0Qh-gy^hrDJ@t8%| z4O6Cp5UuMQ0a$d$p0?YDe$`BeE{&A<*E4!+QdnkI&}(=itnhVmdaAKeNXK0%ad9pF zT<$QIwmw;S@Ll#!D{8^%@bnCtlBSeZZsF0s-srSg|5oJbNxBrInZL2YRor(ud+fKl zoey$n_vg>tnm-vYoPPR`KYi;c+}<|({5SH=M*73dXhNaog?-sm)5gNHNB_wjFI|0| z|M5&K-#ep~xtcIc8?=5Rr@<`~hEarD-hC|{ThKMlkX{pz z+~d!c_YW3M{zv8sCH_?n#PO~uC#FhkFzRJiY#F~wrP9o}{8NM*(DtfTaZ@OylX^)i zRhMCUN~cy0bvrdI2-Z{e4f?FUaB0dh9_tK6WJDB94x>9U-8(R4(#mRmfEX4tm}0Bb z@Jl2#^x){gI6tagt$g05a@#XrIt9lPV#leHswJjF`q+BsdP=OEc)%>y=;24(TE^6K?qvdqixaf=?V5&eVobt{#^>?y!eQy2+u@M!;BK zo9ercd+EU#mlS*8yiZ95%)$b}En?_g^dy(=1e4;8U{gpsnweNP?0Myb8aYwc5f5BL zA!}4?{d%jd&!RDFv|7E*)?U^%r6^2`a({OAx(1@H7w$T~m9mCQgnVJv3hPPJ05c5YKHYGzkWe%s^~a(E zQWQrqkQNZ~OGl%F<5-p@G*PO(+5uP$Xh1NJd#7cbXMOml+vgMSe*Tf)bw2m?nydOY&}bz$?V($2$~y^GiWZJB$t@Idf{96)qB zUVO4GyLs`4?74r@@$8G@jazdkGDnK%k8$%i|KI!x(c_vwlwLn8zTBz#bLOUC_SC1b zNhIUmWyGgiRXnnP{!H%Bn}tiI>!(V`Zo=H|+kLrhmlpQUAI*IK=fc%1y29=Yyx*>d z0*A(kBak8-10Vw!BCL`9iy&eXH66Egb4IC{>0Uq!Rz(G4DkyxCb1idPu=S6AS-Uj2DqWV*O9rE*_%BUA0Ep+xdRt= zYR49D{+8#0$g%HzbY=Z%1070xLW9EKi!yf}yJTvXa})r@uq>U8nEDaC^ z`75F>pB{t&aR_43s8;Co#);0@$WnIzmLd=VOcXpPfH|4~L}BGZ=^cO&1~3dw6gfjN ziy#Cnj{~m~JWYfH2E&xj*|hi6!6Hl(7Bk|a`^J8?YA|XInS-Jmm1_KeV;L6FoYecG zCtVRU(PLQ;Ec3W<;^6y>vv1}%&F&s89zR{$bJ3hVUN~?*ck%S9d^3O$4Kd3i(!_8x zm?a#;3TOd&!#!#8H}uO8MG?dRe?Wl0FbZSc0XT{fmN1lZRuoHd7_pqd#7Kr30)h}A zyt&mpPb??ZX3o$M#dS@`Z9$ovu5lD>jy;yOus&Bz+JbgitMN%MPjqp{K5nE(#4?z6 zC)4AJCdQbi5Md}FC^KDeEz%G`hDA_eEfSi8G$2rUEfRz4}P&$lgx=E`Q_nSmspz z{JGg}wO^#g-d0nzhZ>0zuzM_Hbsjc*B~QDZ<9%3{s`CS&3rK#UYsIzo&ZGnGiD|y& zmZmY4PVO-jUml%%D|wgEpz{r}a(*CYz?k%UC1EKEEWXK_ZRgW6nr)8sXw^Y&M9nxX z`g?NB39L9pi!LW()7m~*!BE7n z^7*}SU+rQU$Ln3j9MyiLDkHaRUPvq*R~h1E4^tHnEaRF~fBSnVmi8wDZm(bUuYXr5 z0_FK58K>J0p-rs{26||%&Q2+W@`PtLUM>%3L=K#9oYzCKZc&MzHn{r$dD9fch2qE zIR7lS_wMY?WZ~tj?86nA>xT5|2Bu;uWS;UPwaV`@j##DAa*!azLEec^G!)atqwY{_ z`TU6m2m^-aw#gAT7S3HS?cbBXakcdPW#;Vrr~e8U&OOYZ*;Ckm^VbX8UAg0D$4hT7 zy}u*hBmTI<>Cna}mHH(2;JPON>anx|A`~_Lp8hEj@XZJ)L`YDEIt8@zws)ty{UL2Z|3j zEu#Qsq<8mqbp>?&{Yuiua+@wz?zfUJ$3FsXU$$JW)ehO6x%Af+1ZQvDx8z9@rcT2g z{odei*bZLc;ho3v)@GF1k*CfNX zCmH^tRM^_*BQ8tSYwJq^wJPEobuiOhSF*RfDf4=?Ea{xE`P_&dXL{7C!7wog%R9_O ztV=&QrB+3I=>Zq>b@b#$@1wFGAujJPm9rlKMr}`jEcZuQX`~bB?r}8Ga3Tg1Zkf!- z@pL@pT|RaCb^=x=WOqCnnptwZBmHrort*Y8`Bf7%aAqpgChDHDuB18A%cmz%e>xfR zR_4-5^s;&YSKfywR+x8|Cr@pA?4Ix^-6MWSIur@bRL({L;#JyNo(8g~(Z!KiDB;+*~VCids4M%(jFrt$W?j|)LK zOf}r24@CP2?xJm;Vd-9-liRG1>&U8i>l00G);-H_*3lP!)}Z61|E+)Muv?IH}Sa9ETI2U^ z2k+0ylu%~q`C5q;Ea@qr6SQF>x%abDT-7$c(C|xYwq5o!miuV*+X#g&F?b@7S9*2?JK?A zZCLX6 zPtDydoj$#|x%A>q_IUBmwS{Lb4vpE?6B4JRth_(y(@FV21Y{#OOUJM0ZXPY{KbGJ3 zGV|0h|8TN+d1v9|51Q=h!jU(necL~Nsx+7nXw;`xMTae&Qid;;YS5`xnWsYLpqMkF z2|eQ-PsY9C-*u?Q(+Oa+Si~tW9V(-kAf=spNuxLprB{1Or*9Xw?#rAg-rrL^xqb0+ z_UWHGQU3cEE%tvX*e}0UC;P-jgjQrDQVKG@a36O6VPW^k{PEnr)8Dl^xJw4o3@w2f zlXxJO{v|w)QP!+h4cNtuID)mU_t8^PDrt~i;fNwMhXDoxtN0mMUm8uv$PgM~CdBk| zP0Zt99MdSEsQp5QPMt-zdmu$~kRdcdt$a&6XTGJoD?Oy~D^9W8v8yBAzvRAuJHP9v z7cXbG1nu=&bBQ}p*wEtZ7T3$v_=va^Rr$tn{{-dtN(qjZhcY0w=N0+vu^ErQQ|b%| z)c%#j#t&Dmq4|R?3Of-PVY(*cw3M}O>8_Nos=?v}(`LIRW%l(=noP+~wF*pIjb`s8 z*Cpm=6wI|T4?WC|nr#k)$ss%CIyf3Zh9!^>C2b#hTHR$Q^NofnH#=ZW_6@65E|1i{ zM7jrN)H3}xo$O;xlR@2-POaL&2rZg2QQM$#JQ0{CWS9}^yM_#JuKxIVVmu+bI@K>+ zH}(0mBBH-R9}rv-I!oM!7CX2xf1B3nRHDbs9xmM8=KOp5KgAQzv)gnN3nw#Iio13# z9R96*bLjzv#uneq@1lw?FX&pC3+54xi8zu&A+>5cBIQDhxzwso={vh!TFx3unr0Za zD%uacPE%~Uh4~=%02|H&Ll}7FhrI5lOE9z+lQmkMdS75^Mw6z?r1{RKv6;W?*Vt^X zK5G*N85^b@%fvNg3?Bc`L{6%HYoEQZ)6w;v!D#=kQ)4q~H4b}s`{is9-&uv^%l)Zw z*?Mgzqo(&eewd(*T`M18T7|fFv+X;rrpsv7_iOCkVj<-j6u#xhf0WwQTkWfF*`G|; z>tb!UzE@+_8;mx)b?9S0K{jyK!dqASfpx-h&A-{CA8OZ&`SV8cz3o>LbwZmhP2IJRwVcGOnr%|idXtjL~ORJN+*+^_XVb%{NTZ3L(*R*WP zviBKv+BKqPlf=JU63?pF^=m9T&377IuhF9EH?~vZD1^>GQpinis^dR@yeXX?qYjx>gQ0I;v_rk*Ke&bGr_V=Qe+z**d=||8$SOc=~1b z;osk1WAz^nSPPH$twvD;z%hs>kmZy5)#G@gA%c*>G%NB=DjZJ?%Z#4$1c*16cX-*$R)AI5m zj-_eBa6}?r@08tVkrgiY;_2e~($;s2FMoP-B-&Ltykq`{`P*{`{@?$7xK%uJYGS6e z|F)8>h{h}hFefK#I3g=21QY}e#z4x(<{S*#48!t*UU*@iJI*W8Uf-xo`2c0v06SE} zNzsKdvtL|lCEmbWAQXXsaDv6Iut?3Oz<|-w?U7lj8Usy-rsb9@;Ao1%6iorywVHo$ zwDA3Q%in={;gK%)?6`&Gx87;Aayt-1Qw(7kT5;(j4nPVcwt>sRPzV!13Ci4v*Di|? z4H%B^aD-;6BwxHaR&_+m`6o`Cw$r{yG}IFjm>NO;N-%eFZ*kYvSn2#3-NKQ&ZH?4# z!B*V!B)j+5xoyuEwmP#X=={|!`G=cKsDXPVYNhn>#Q5CV_wRBKp5(9ZpMRCx^6JCM z{M)yg$HjB!W>4pK-}qyDJ*$>jjEfJh|EqZV@WS)_hZv=PcD2X?2C?45ScyT7b z=V%#Hu@jorz zROOCt|J}#AhDw~n90m|0!ePQ7z+gs+b6B>WGRIa2=9U&UMF>X$3>iK(UOghfCiy;T zmWC_~8Kz02-V^BbrL8WjoNb>n$EVqm?v%YxUTXjrF^CXOR%;aQpZ-sHxcK54z3`y0 z`_1gW(1-Kclci%fi)Y?7QXVXe83-tbt*<)>1tFv%P-b8601zSomkhts&XK|t1Qccf zZxp25gY`HD`Mzs?mcfnx%3XZCcszT#@aTv9q1&p`4?BaIn_O+O^EvT6UDIB}ik~SP zDkEB%DlcPbd~DFG?{V0~_oN3@Em8&BENpP5kIWdvQP-x(f_s7k&=C?jp$!hmI^_@R zx_W{(+7=Oq^Xm}>E1c%=tMMtGTR?Rx)PiVZtCJeMj zt9??|fsM_d|HIG#UZL}LgrCLET?G!`QcS%DT_ zlr~+N+fur4;{E;qS-e+#d8YJoQ}Nx~e`W6$c3sQgfByGr4ckt4+c#tKkI-W00kLBD z!K1jY0OSBm(SUB!g3bhtWFnY|$SkZ*nf0{f?LtWNH<&8kx+)&qKfi6^Ug7Y??33*6 z`9uHvhuQ73H~(F@dT?%E!*#||3}#r4R#<0%5Qf1lC2;j+*qCVs0tA>=RvDr>0ysiL z215=owDK}zD2xfqu7b(gJJ}hHhnk~irla1(5G^%LK^eN{BoST{`QGy<7xpxC1^P!q zT?sPXgga2WbUJfAxBqtj%C`L88*|S~H?GcZUpQYpxZ|IN$6JdhPW^WNXy(V_mGh++ zuNR)z8eAPG@pz!yAX&MrzRuHjRwLazk8~4RSB3RXuYhl*uptZ*yuTa<#$*(m&*Vth zKB%1u);FGo^T+0&ly+S6M@pA=|D$d869T{ih6q^O>z$)<7*GHrMs%80Jx8_XxQDKw6$P@X~-}%%VAc=+>MVRYP62|+E-EmHLjtn4(yM;V!)X> zl6(EUc>giTZvAjx@A!3b_u0QLyv;q^`uBQWQgIq_`kCmZBNL zwnEL1nI%7frU9l{2C$T}sRjf?1R07Il*4M`Y;7n!A+XQ_dzyc9d*Mc5^X84+Lxl%h z>b9|AL;WV^5Bzo_b41yLkoODvC#>T73+)a>DwM~{?>}BV{bu^tncc;g`!WZA`1+xmOu{B6vIHsf3Tik6K=wz$sgZde0?~- z^W}$2ro|meUFKXvuSGGcs?phIoI%_JePLRnPh6T&uS|#44-F1!og*>njdFBwdLn6| zY!-Prf=2$nSQ;qZAdOs3%@}&+gcw2AdLkevmUXXYI;%CM8kI)S1|n0O)*!m-92Z?k zkGVr#(dw@L%P5UdQ};3qQfW;f=}iv=hhr-#9&1wjK#0F;wfsTtnO2zS#h9=5vC#`# zuC~!L>ajXR*9I)a-@6*F9A5Y-&TwaWS~ zSlcrEaOf*P+-hcQ3JvvjwQ|>}{mVfMD7Fd)G zzrsQRI7~AP1{~Y!PXR|GniBzvoBSo@2w`c4h)y6^M|~kY1+n{+(Ud5Op3eZs7fOKx z=VO>S>hn)H>>heTh}RMF5_o*mQxk&5R!{5U?wjt{s#P8s?dug%W+;;@*q!=OgXo%Z zd_r^u*?eOI$P=&$V{{Fv8!$B_x{~k)N5t36LFg6^aos+}uC#T~RKHK1dgJ(16%3-h zYvmstuOGIDnNbM^fm$`$J1)Msx;p)xzM-BJCAw37@u(w|n4AfFC%vOq(F65hWUAH? zbA2(r=z*r7a+9Wnq^CfSGd$$#Lb0xXm$b`h&Csx6x;?$75wo~dP(GA!);0w18J&qy z7HQIBVw_$jo1gOIA<1Wcro{P*(^CFd#S7LBY*&uGd~t8spZun}QTfIjkFF$?mQSV1 z>qE_Rn^bau24lbyPxmMNscJ>az3ULg>2~sT9DyOrh%!BM5(S?m0vS*9;j%Rmj=1=4fUF-UA zeC}oTPGsS&IJY2s*(96=)fnyUae>dYnp6QqL4XN@9HCf_RZ10*%SJ6nq!>V!#t$Ke zBNPV+zm=bDW~!6wleEMP3ubU7pt=%!mAWu6$@?Rn8tL&$Tom2|!+c}pq~n8Hk0&bD z|6LYOC{|yq=T1M%KRoQo|M=SWAD&hZ_`TEKh(LQJ;;FPPy|j-OOh*}LOCssFrNyZ; zvU;V8Wa)B?`H#yQ2Y4eMF$-xmlLHcpqaZ;-Zz&b=`xD}qq-v>|ER7kKg%D$a0A#6E z(GIYHrD+xmUaf%B38ur*c%O_yoiNB~(L|WGIOG#hgT)s|>G9&W*A49+A_NhJA&TgA zKp{v2idBZyb^sQ$kYy-F5pM%1NNAcyVnzcrI_7BF=y8~$I1WNN^qUK%t(~IlD-bRQ zQ3%sgiy51dwU^m@?{B3`H!tOGY%gp(w|IVbf8psP-@@}AFn6->=FNYVj_k>AyXLPi zD4-~e5ft{x3Qo_Iz_NmNK#F4lK(vgc0eOV{hrPvZJL}7V5rt?h3yu#_ev7OWGy@Re z0FugJ^vcSx@T_>}MB&Vj#j{&yA1of4`s0V=su|aZONDbsKAgzkxLLY?txv|h3KXau zps7bUxdwP9fe{ufrWI2;klCgx?tJ>s-;}N#{_A9BbN2N6XCF@ExnsE(Hwr(VX~K@m z*}sYz?Z6DjLIP<-00bD}Ri@lQj$vqwS!sYu;0h4~A-A;Bd5_h@3HDO1j9 znvxfEj2g5#aS|%ZS-SP=!$tD1%#O_C&eDdKH_JV4Z`d!)cCEUQ0>4sb;;X8@sAv-(8;^RHG-(x( zp{kur3jVe)hscdfvPS)}@_5@4es3rcTH4+$DcbVDej+&V(#NfDEO5Ig+xn>OywvY% zz`+*LyGu@p3}~1B3ff)G)Nw>;`ZoJ*oh$8307?+X zFw+%9J^gFw9=H-?Y6M!%?ST^K=5+57J1Hj<<7|NSY}dhF+X zw&B~^Jh1)Phy;j81cHQL`;44(hC?amoO8}O=aZ_$1oCqn(zkev1VCT|763&_clN2S z>ZIAhPVa=C?wRi2@2A<*6LF6de8b?AMBJ}@<;SypyERi~zZ8j^LY7QkHPuBO|6v5& zuSXnxdp@i!h<<%T%UO>l+!%LBYo@HkzV;&l9QQ^z4|-|)zWVB`>h(QycWQ@T7b<%` zeAm2vuXg@nuJ{%2H~mO3C5Rr+r{!G!%MQoxcqwo8^2sr~5=_V!4%7~8YhHWx|7v%y z&ffZ;5n9&Ch$%*pLswRchq)w@ZIQIbtV4J=noRHbwTAk4F3?^!n zgHT>w;uEZP#hHDiZ0z2lP~4TWiof)IH@?Z%#&O`7?~UoX6x+c&~D zX8ByS5`-)e*>QpLfKg$Lk>gxB2Cu24HZz$Lqt*=n*H*J~Q zws4_)klT|Z(({@x$%ULS%DJq&62$4i>`5;5(GdK|Q^{B^Jk4d0mLTN`dp^%^np4s* z{bIRpQI-gsoV;QZ_X1JE>OwB*aunDM<6U-KfMX;|ve;8TEj#XDoe;Db{30`~e)#g@ z=0xMs`rErU;x5+yETN?9tYlj=Ymsk+GJKulLkX4AmhiFH>B4pR7PuWa?M)PLvVX=n!9zk z+At-GaVqD_q~rmnR~jys^y(dSALwWmJBzG;dQk_II^!mKv!XBF<-x7?1mcaG$wI)4^B=VW@y7dZ4&`vqKb)kJr}}#yPx#{+ zBGAjqDhI^@+X6Ag-4UdSyfAo|7$z;!>`fI=brk2Ct*w^xxGvxx^OiIEp5*)1pFWI_ z%YXcR(nx#H!;E%k*k|PCk*@r*H5yQ3v9WVlN6b>?TCzjssAhtZVmusEV7x)VLi|B+ z7TxPJ3S1|;eXCa1QTC8&!&>?`pT#V0^JunA ziR+)YlSZhb9Ge(!R<6OmnZ$}QS-@YA$3Y)MhcoY2?Hr$DSTo0%9p=@8Wz|M=I;A-! zAdHc+2YtheW6K*UC!XY5UASKa!hGROZ0TC#_@TLd^4iwD_3f_$wVUtf57&>~T{_jc zcIUTdWsmVSV#XM6A_}l0EO$>q>(7}(E_P>%CwWl-V;~I~1|tY;g{KJRSU~9T8A%dI zlPJJ&Tqw~eZcOShPI>!hBuOyLvUS1Ryj&`g)-V(@D5L+eI9Dca4dv0%kF-Z(X zaS{_`3LGoRgk=N}G7L^o6yKOMTUa@0J$YIu8fUM$7SA~p?&i^(m4g{m_5BOe!nUvH zjxTL#+}P51dva~YCZtIkpn%16(icV_5|DrxN3pf@VeHl^*C2zn6-7ynV}=L`1WZ}A zp0JKjnK)Zwt8ovOpJbnVc9H?*)guozmAAF$x946~uFReqWb6V!5s(IK5O+SGE=2u%?G6AP&9-q(9IB|X_^^;-z|ZV1Sn16159P%%rY!2N{caB-*xs^ z$zhD>{%L2t9bzaH?XUj)m4MwkLTVX9p(KP5M@fptNxVN|c8i4)U-oZM3}Q4fEL|JN zz!7Av8Fx;JuP>BA8Jb{-p;FEWiY73Kfj&GHMu$8HtivrbBI}~90!z%|k>@CZwk@vY zxST8sF0ilu+PL@3z-&JX*Z`{mT<{bKhx7#@nJYDO18-a^4HXrya;|an zP4nqdo{)Y^Fpw4OsS-7f%e~pYeA{L;;4w~g$=iA};?fFPwqphJ-Sq5uxICuwM?$^M z9V_X{pG#{p<|zZ{o+}Et@Jb!-h$gUjuXn+B+H+pMzo<5q#^@Xo%kyea3nWu*5+bv;5udPhNEe&BlnS>y{(k7LQ|A`YtrL?TBg`qd_)hFds8!%Nj?$n)hBb?(eIeezLeJ6v{4KuU$So zf4zSE#KOt!+I=YQ6^kgu25@ul65;9 zm`WQo!c2jHUbd!i66Z4o7SmA!uE;|{_vCN&``hY=uK%-g@3*tJYuisQ9jR}9AR-+@ z(SX8eL3oQK;|$~yeK?9x5B~YLD?4Ge*f}Z{oXEZ_0r3)Ba5&8-MqZ% z=ZzO{t&QV{tvz~yFC|T*IECYwkay=W+kNAG{5yuhXdGwTCoLfZGP_^+wjkHodGjx` zFY5bF$LgC7)y}?{e_q@6YX16KjDCfVuO>W{V+>G6lSR}YsNKCXzrV6|?)3jw-<(#@ z?5S=%I=8#};I6(7hcK+D>YiaHF=EmzwTG3e{q7mgllrb3$RC?qw>5WPX&%46boN)# z%7H#k63>5H^^s;aSKfY{lO!P-NHP!u6h+YV^5Pj9f8(Q=tN{ryh!O1jvVLxlgd|Cv z#z|V(>w&t7LEZ%*XbeMf8WXv`0ystE6aXw-SRsd=Sk^Dg9^>%d1%@*iN-k@029OL2 zaB=5?pfCs+f)RBt`Z*CQx?oTY;Y9?iTXt8sUtT&`IW&r=FyKxqH*>yr;Cb!p-9PI8 zuX3!qGAz^!t!RF(k)urvuYX30m{ovS}5xlW)z3(@t9tU7w&09xg`73BFYm zWw3V)U5=d08ljNaGsB>&o1Or6%Erb+G zV?FT*t#y+Q28K7MF^Z&7oQ6X9V$tbPO4t&FIG_PaGJG!5G-mQfbtR{uEjYJVN6f!y zo;_}<-n#MI*~`_-SC=k+JAdf=*Wcx5Z<_jxDFG`Jha>}4q_?iX~7!Dyu zLjIkE!>bXLQdd2FHW{z)KC<}W@73M+=kLtEFzaKzmgNv6lLlO+BaIH0#${Qg^XIB( zZiySgLO~)#*{3Ka_-3#NpCEAW?=wF=hY`8^m!) z54f_SD3XB$PK)EH^|SB{ipks%2HxC@nSIjVRIl8cd8KVU*>71qTitixvv|c?+j1HZ=?*;FAd zj$?v^XRP3gQ%`8InR*2%g#X zgah1I%&|B|Qxs0%G|7;FbB|9iF(Uk_-als@70mLwrfq*6|?}K$+#~f}$iz(m0Nje7W7S z(rTBkFIA~M!Lg2n@wUcOsKV;c#*>`#34>;=T%J~78VBbIFh|_wpkMd7zy|DzA2!y& zx@M5BC)U8KZs%!so?ib{NCfu8T3ANA>RAAdfcorc1TD*JBshZB&@B&_qZI{6#>yor zLSz|wQs>jOJb0HBv8R-HC{OAW#%c4=nbFJd4Wc=#%&ZN4&WWDahtn>9KDmz59YG>F zojF3cExxwq%H|lSW(@l=U>y9Xk3}lz>Vq}$gU3SX>7p-+i15>N8f7|l!4YWY^I#+N zd^?+vFrA1lJ2Cd8*Ol#Z%(do{ma4zm8OG|Hw^bgyD{s~Yr=ZWu!pWc%VY-LChLAZw zo^wkPv>UkfslXKwBrHXW7RabAok;1=kGH^@d0&>gkaZL>bgu508Hy#dH*Xx8eP4aD z<1dTH7PfQQ&&0CX!(pRZmuCc?J_$e`~GC%=ik&GJatz0?ybIm{^54*<@ON-C1O)3cUamDyGwjId#1?y3#I1u zOU=F4G~>Kt0H%M1XQD-&0;2a1)*ZkLOE=-RZ4oYq@|A`@V7S9A0A>eX|LFFCc4wOb8KRLwv)4As9Z}pJ5D~62De8Zub?`BCMgE{JbF$@mdwX zSl)jx1LKc@l@Z`HMvy3=K4;oB1UR5+K(Hd$*w+#eU<}GI!~jx8nj#?qATCA%2mnoB z0Hu3OkRNm+JVj9`4r!Lf^od6VG7w@w^kSRDDI8+#o))+#LNOEt45YKh^whW8>9r)<_K#j8^&XFV%Y&>$|VbKVLfhb#v1Td;QL_-hHm; zvVz1gNB}^i1PN&hBZg*A{IdD@cFKv34!|w6lC{eX9g|kzJbgT_?YL>fun&=tKp6~02?C%bGx(EwqX@0)?pUI_d^(QB4 z$M4SXtlhdl`?&JF{(56~AXv7h*B00Lx(i!?+~=!5n<`hEx9-nhuOB?pdCMr*j_nh^ z-Xh_PM~)I6z}3Tw$Lpo)(U&x^yoxI)5!B0r-i^UNFE8gUoELA{Fzj3LelImEFhhps zyjSnjPRqDdMu4VF`LL2x>ZXiI!=B*u$)^H8EYUp%x52HLhziIa7`J^Pp{DYFTR|fr60x#f zwh8uHy}EjX?@uY)e;Zet0@_yQU#}v{m+eaa&kU5N{Wn|t|Jgz@kj;d6zmEpUOi1rd z2;I`tKLXBxRppa)k)UN!TO4F&N{Z;G^21-pPoS&Yf{k#-Wa^LzFa6^-7U8@N~hf)3%4;zkS3g z5X{9RAIWJ$w{kee@9PN~U-ujPR*$qUSjVtHYH*0zC$n#s)q*qYc0?Vmlk^fW=%FSS zkRo0x2!EPsotf6(tkH(OUi^ztF0L+u;r83kd`H$!y4bUec8|?_x60zc8ZN6Je6EPf zRtK#ys`5W^O0Q?sWjK^@;ZH3!+XyYDgCV2tQK^aOn|mn7{AgfiK5siz(>S#oQGA+4QLceQFZ znvr;1QbaxJ$h-8U#)>OdqIG@CeP&NNqhhsIzQNO#zS9aCL}eaIVP!v9d1cZVBXXKa zL!9-j8~zbZ1VZuUehuc_lEg~4dZHm;JlpQK<(c3fi$#^OXog!o=}Tu4aaUC0TDcpN zWLus`2{o$$-mRQS1fo7kVC5uI(%z>e9ml41T3p~&7ZfF`%BKTG*J|Bxq5I6LQdm?r zooagZX(HtHaNjWLx1{ym#uAaNi(3VZ#n{iiq4bJTSCY7rq0UDJ1F>mZRtn@SD_W;@ zohwcX-R~VfhP!_8NbULa^!&!T&DGa;iuEn`D-ZtN*n4&M!OZQs{m$x*`;~WV3+$fu z`PC*kE=6*ac4xYa7s!j`_IPkVP0)-NVw8*VFsRE-0?Oq#8-^SJPutq z-l;SuZJ#cSM|}68%KEhQO#Q+uVJSG~l_HTT+q8}!i(GV*ii8x&rsa?w5-lEn7_g;% zoFd$+pPJ?!YpgXUF~#|J80Qp3XeuRVm9egj17%8=)y7%DY9G~$nW)PsMWBKU*@qwo zDPr`DTMSxR(M$23`iXI!6q%SBp>yS9TBu}GwGAY(vO4WLZPYC16g$c`TWrdaPkyq;+PGN$o1k@ zo>1L*+?mI{Msz z{P07Qd*0tZX3Gljp2()1F>dMFP-(5jbRT+;;*^hOZvex9&uS8-@r=Ew*Ky}y5Bw}< zWG6!m1cEKlj*{1@7Zg(wC{A+8Q~UCGw0`1K>Ed~Qr^@BBDOVs6LF0qFcA&^(7PFwZ z-f6ien>LLmuui7d$-cG9tom=wGON{LvMARH%i zWmc_1X18h9U(Nw1iEEI2r9Wj3tHG+%$_(H39z(5T*9sqKu0dRz-ukUVrq=3JW|>XH zpS~>R(`qU6P48)=*n3qL+uGmkOK1Cau|lIV$SkTct<`3k{+Le?Jf$6>)wO)c_Z5H`YVY(=jkI&W4&oiYy5WHVQa0lbr6nwmb?aW#!RL$z3N+qUaK;$ zw_yDb#MdsUQfpBuY$nU}w^o&9QmatO6bh5wIO^mc_JF^iFj||&F8@Tm*7rtZExpzf zwA*WDmBnf@%JedYLS?nuOgfcuy(JgCTv>zcCY??8X}Xwyd9qgVx*aPsYuC3o``zHI zMO3X)@rinpcT+Wzcovn?EHf%)-^!E*tx;yyuBYl2x!d|kA=k8z_q{?Jvcb_e(*E~s z!+zuFR)febV6UGyDjA}dQo7j(VEy@?MJWdT!GLP0_efSL4E1Pi1WA*VnxRM)yA+9N zQ9Ydt;W{6d93S>Gv~rDx$ashPl6G`TDjx9{zmZwwE~(s?wQ^V%d((9*FKfH@*&;KS zXSXw5?70#0btNQ0(2zz+79{Vd%?_f9&50};Z)!&KlU)}x9(!QDZmFqvR zzI?fK?b~69`2_KWg>!n@h{6Cs3@0H$(*)#X=6%`ZU!k3b_iBFmFs}}3YziVXfPU>> z^}^-3^M78tUpumMep4nkdtmk)ul?AhJHeX9?fh1^mS5V+ZcR}ZVW9*_)dGsaAJ)?- zSu9!mH9MYzda5JpAXs5z4&#)BJG0_PmUZh_N|6+)$#o29fyl}ncnb4^0RZv za_7cH6oI(-^*`&+-~4j!sp7-SnHOVUueP;f;Zxl^yzbpq{q(`P%}X~Ix7YR_u{16{ zSh(GIuy=l6edp%<>}GlM^^NMoE3?~wz4}W5ykDFE7z6;&fWR<-(|ojFf(&S#iZoB& z#rMtq+ZJEWKU#d>ys*7_@q(rC`Z{X<+ix3>4$j~7)vsNw9o^Bmeo8>@nF}A@E*-4A z`E~8}7Gw4Lc`*ScG>Q{|A~3+Cb%+<>LT-)B*dG?z- z??B^bP6=s9eXbDuwn%G?vHuSX9a_)u`p(Y6+E+eRuzhGfC)Y*+(5-XWeNSD{uzPMj;WzY+w&zvi zh1n0Nu@XEjUWY5Ez?%hMHEJ|HzgnLt`re8|M9}lA4{Cn&;Q5{(3kA+|9}C9KuT&C^ zm+x1DH6o&6@?teQWAy_Hj$et&^kq6fl&qAm6s>CSPJBoEuOA;y|DUesK2th2j!%bH zwrfB6Q`fh<{^OFZnby0-1MEp`-6QNd zNs~;9xIL{=$v9n#sge}YPgy36wm`7x20u-_VJ2QT1|Mh0&l7{+`s~5+_iG5K*G`tC zNHBq?lAi9l7%!UM=VeeAMbfy}<@eFJ%gr!^o5C^72R$_D0VrU+6kvQ5z!=I8eH8E$ z1c^};3NZ|>qDFuIX!_2C`7z?32hG{(6iisHeCX-!DaG80>h&##**i0@>-#U)&z#{^ z?H~PXL%Gn^D^aDTf-K_ZhG4cuQqv{Hw1_lcVdm(cXRfLi&(59sySehNcH@CZ`qcKPkjJ3mHoFpF&JN681y)x%Hp+u)SvDh;iIXdK%vnRQ@X*F zuz-_kr-ShE!|Qv7;pENA$(hsjM<>UtclV6XAD-DCv`6blAKFI{4E2mrJ};jXL4s(7 z<+6uFL~3r@T)X))Yo9x?a9;g&?beIxvqvKc6SLc(29CUH%VjNJ4fIgS?QCp*UVXW3 z>9D)@b}L`}{_?=75SkWlQyvp(v3mMIbLX4tlOxTur9&f%nTD|%@ zHoNV^tHz5%BM6esn-qfU1E45H5`baBC$2p=i+uxQ^QB|F6pA6&moq9lQI;Mw-=6wq z?ZvCg0c3XH|J849Z9Y0Qv#)mcRi?h@P~~Cc{O#W_Y^k1nJVGZ0v{8O$j07R0N?Mk; z(cJmG{A>f$y|3$&==O0td-t8ooynD2G#zNLD(mk5A++pQvm)5|UEa8IqkjFpK$U(y zx{``jicMMK{5-McXCWPTZ4AilTFKS&W&Be??h7S|lV(bJ9jAC;dd>)a6i#XQ>YjCr z^Jeaew0?QZ?`KcccRV6z?z$z_^OuWruNV0YB;uWxV?3r@icdEpnoNW&Pev&cSES>7 zvj9QVUMWIO2leAhT;OS%%osv68cY&4pInOQ(#k1XC{#`;KXF-Ny-C9>gQ~nqOKTil z_6G?gnG6!x)Dp(sTJR2zagb83}EiYVPoF{t+O zmJe%8bhJ?>I4T$c8Ipu3xh^}%`s6qo6PVbBzWcAu_d6P|FE(!<6ncNZ{-)!Jpei9V z_(D>|kv8xXh`nCDPKsc@V1!S3lFFuoekr1o$x<4%CmjyhSXBllwJOtTd4ih>Y-G1H zTsq-j|Gc42l$?eNYKHrfzh1xb*Aoo{wZ5IP=n=ObfW z3L(*9vIHqoEk)8gi*V=gx)v0na%_xKSk#39PP4r)c5G;JX z^IR9Q{YzXMHF7ms?=NR}RPGYZ1G~U)M;I(U`bnl(d@>;BJuP0Xy?Q@)Z|1RNaZmH@ z)359IuT{1-_Z(l^D(7mc4u_kPn+wUBtxvYX`O~%Mr<%uiEp2Jsz4iU;L(MA}rOo}D z>-$d^<~LQ2|8tO3`vY$0Bojt4(9NLP3y3!eLBvA0I5;2?99MH5 zO&Iaml%xM7(2|Kv$YD#DgB`4mA7Og-7fNc==z7KKM_?6qlIF2*$P|`R*ra8Ej?4Ut z9J|tb(o{(RWFSL96zjEuK5?8iNueZ4Ga^CO0OEkgAt4@QEddltQ8Ufhqw!faH@~U8T-d##{`%?6ceO`% z>JP3qZk}o$c~*U}wek3s^DoVfCuX-*-(KPTF1oO>cI?>Van@Am8!+E53SKDAeTX1< z9H&W&K`|1d3?Ola`fmt=H}l?8mIqX{W^#fxLEEwA!2)HL>jQbx!hhO|FrSub$(T7z z_T8Iwu;(8rmWY;;;@gaxyRk@-bZ~Oa=JJMz*mH&f0>N!E)DyrgT$i!czEaOVLmvhT zgzK*KAb{A}2l<^9tM2pGRn^%>n9e7-2PfW8K9pJEaz(iiH=UPDkx({DjuS;4G1`VK z%R`?o5#c=QpEuX)u?d$+KdsdBMn{UMCvx148W_~^q;stQ*4)^7WblscD|RnkI~~_D zWVjkeLs&&O4uAtd;snJ?CJUsKoY%K@1%MI^gOdOPPQSKr&5Zgy)9cWxQw{U9q{mk9PJ;s3>7GzMA zMrlH1!;;V#15ik#jOdO92!KHfMOpb=SzkI9imz-aV`-PiXXfmMG^9yLLzF-XlAsti zAEAK#K@lhk8I)^(B+@zW+wBZTOgmbvWK)F@UuE>#lVTYr>@BYWxV%)U85y?egS5LpHojO=ObF8uD;QSlT z)t_+9^;JLoqalV>nGR z7)imQ`9xV}7lGpd2N*%&fPpCJB^F%i$Xs&m+CC8m6FMpGDpQvem#5;4j!iOHK=H6$*i-QR8%&6Q#mWKRj97`QcfncKlteac1}8<3ajL!axRNXp9k|-jxsl$H-+3E~>C3fLz`$F@{D* z*drK*z;TQsARqzB&UO;oBM5>75XS-NnMB@D+_VzP#hQdY4I6x!%(B(7(zVJ7n}!yv z)n3>$I~O&G|p(^Bo@gI$dt z*I_)GGWT;DqB5-86K%>LWhgC0Op_2@^(1&}T!JuRjU`v^^&f^um*|fo(LrY@`J=d* zmBK5A%aEphmOc%z`lN05#t2o`l_)cEe}B_A5t%tN`?h)f#q|7%^8D6?8$E`w-{&cL zqAazTOk}dwWtGVmZ$(>j!Da;&Pe=8XbI>)R&u{~aTB@h0RVM;vS%Mo7*0zWZVLLZs zt)qo%$B)*JA6U8&ZyY$s?rv+AyKV7=9_cU+hY$jq0z+wRW?8jkDClFuW2NEr^%RU7 zy?y~*&BP|hqh*1XF$^Ub8YiHj&aQ6T@pUlWxbkG-XzkU7=HWyCS2+@|?!TCwyHh)L zrFnVxK-CQ?hM^fYKv4A}EFc6hLW)BnffFO<*|0 zX+SU>+uoF3lVuMmY}qfv>EZTlf}#LQ68-jU_i!_SiI~a)Mu3;f=if<8RQe~_gd z(}i*@;2IkAV?8W;mzQVVF5YYIztY%zyZ-!gW#hsg=IiRCJI$S2o3~$9Ph6h4UfcdK z<*>~^ukO0UwRqzjxMp!7vUFD!6U|rWn=hX=51i-xWPV#+v4HOf+2%M&L7E_zRXs(b15OhFP7w^C(6w9USt98e!Z4p7(Fj-i z853?-J9!rFgdXC#K0k8k0=)WhC7~I`3NL1$s2T37zdKhs^_#@pt;WfdwMV;n4F=Nb zk!*06ecGC{8z_H2Lp&CvX}qKtw8i_v#&mCAe`K&Q<0aVZf=zl1KDz_6OOc|f;89LY zcOCCSL@PyXZeJ{4wA(u(2ml6T^bt>?Gm!>k$n@Ua^(ZX~L8(i7yceh@3GFYWw%_2jElV4WKOT;M7i-5POK{zEfDN5fb7RA4C@ zofK!_h%hN_t;YvR!O{jS*}Ratf)XamD(8r{Dx1K1J!W z3E-#bU3N5FFeS(GYsOKLCrsgZXhAC&@;GNT$egMvwy04hf=o5*-poThK` zSbHXE66sKR*#?N36JA-nhA;iozBpiCY)_e(t7uup)>t|9jrp?akf%M3R^z6A#xlW^ zox_0Eyy=?RuDmbp3i#~VP&8C-JMUP}5m0Lm^gRAqx75;ZOQhkLFP2D`MrfO$M{YY7 zig$YiN2%qtuso$~E6uH5c?rSAESK{jW4h9h!O!JVjKMX!6#ortU_J303pwx!eULFI z#mG^i8g)5~RmcMYqk15p12#?K4#mBpct8L?P2PUe>C*NMsAM?IwRK@F|4eJ37>O6w zbs3}xr*{mdq=Ekbq$W!)7i!llR&@pmJrih3r`P_#th@it zG59Dm543Ol#mzkY6PS7JUTp2DM(7Eq)jvp6@4s_W3EF%sX}`rG8z6-i2Jhb%ctK(nAY6s=vi&+H{z&-6H)}%P31LFUn_5Q+CD8s z ztskr!wu<)u3&n73!ZD?6Pv4%)EtNHph>=?PgynO&o2y;CMz8a~Lz}Fp--%gDcwRZ? zr&y(CRXZKAQ;>6H63$QPpso(Q6aZ{QKQ*Qf2)U`)kK9ewF@?Cps${_ixC_%NnpILF z!qQ$`@Ugtwuk!}yrnN)riZRjxq=@BnYKDS*1ij$H z6-6mx(8^3hsfkt#(Ws6X`+>RE|3w}DQT{Xmm?8XWf}z&kpI+&nmbc<^X;VJ)V8);I zhcz!IjSia>F(ggSpQhG`Q>%+x-tMH&09?NE;e&C@I}@w2sqy|y3 zxaHP_6e+lL217pH4OX0-GOJK2!l;UqJwR0J0dZdF2GNC*z%r&PXNfE&MK*wz@A74# z&$%g19ehF>CutnRSPZB?1cY0UI#SZ}anXA)%O3CU1F$`bdvw;6$WIq8)ZXs|i-%_R zZ>ZjTT-i8xQyrWe1q(M=UfV}8d<@yHRPe*o+Oey)5yWuC92QfO3tc%F(U}g$9PW&c zk9pY@W&;;3Lre}qVBkzNVk&WyXu<69P6pT3g>iCPDI)j$ftj~Umm6>1&7GdR zwfH1HcX)*FATxwdDTpQRFhrc%vXwy7MLu-91Su=x4qa^RJ_ovrD&XPu@44A6PgwyL%K^ZFRm}DgfMXcM74>69s6)$9#MU zMF|p{3`6b&9Xy!`SFB`nw#9>I`@oep4t1$#h1T!G_D@5?mNt%GX1~EV@{*S z80JtXfLG36*b<~m75^iKnVt${3(8FE6!=efImnd(rLDXYR;pS;SR+b{Uq>odJg)eBa zPR5}_a5tn-9ES{np=+N2+>LgqULmx4G_CS+!TBXfX&SW{>_XT}>jl7^)ka(}EI#e% z+QyT`#Z$!0fyL`wMTZQSeq08VR;eqT=^?4@eG-gJ^RYVHvQ7wLclW^F?`|I0xOk{> zcw=?vs{l9AdXS))J*FqZQ>FG!i7N7nUc5YJ9OUAL+O& zk*~S?No7al(59JZ%9#W8ds{{j$3T{R{7E4}0^{TSftMf}ZCq2H3iKfm@dCZh2}C62 zVz!FvuqjnEFGVKC#(7WTN+}XCDk5ZxtJ4sqV9yqCA}>WUig1`@kIVoJ+b|58%;6-> zUd;osZ=*pw4465EHacyHau9L(8j7nI`(w(6Lb%JtDr2oP#!j=g`*=1awB>*4wWWwm zWO9UG%*bwTz5c(8k1N|on8TLIc!AGaBSBP?TpYT#7$q?r>FVYq#_HW|)%zDUf17zR zf*63ifLHG7CnwBYY`>MvP`k#Y<1U8|x5fmp@pp(Gr0Xj)ck1^xRUf|jdHvbh#=Bd8 zONW+jHuhg+yz_fT5SUO>LTj9~P4ThlB?x2T5;lmg-VJbr6bZXAzPF?G>ZOQzB8>7K zzmOb-_GBm&&PtK-q;Z7Bo7P!jlHn9)bWC!<3S8?RA;$jmRsF#kEj4paK6esPS8wn8 zW+av|6a@f*=Y}zd3bf&Z!EtiHwoS{L5%YaUbY@qqxJ%wwd zlX@xQvKIMvnF9pPQUqvV1UC(-#5Zt36flE`PFJf_*%38x-^I8=iWDNzasF1SV8)$N zM9=R_J4lwLNJORrQDTI3m34otNkCHBY{2yn0Z%P~W#>@#YBASx(sk6ErFCL@m?U zR3@u0!$-T9AchR4E6`JYb`gN%enX147}k8Cl^pk=&Kx7O8i84rn?!S=3|DK3PD+sW zn_ZZjFqWi<#~0)K+{Pq~N|C6CzlB)C#_19vMJAn7LoPjzQ71uiF}2*0PTG~4y!a|* zt;wX>u1%SzI!9MOMht$fLS?k}n*3|U-goE1V@VUOM7c+5t%fFhWgqXAMihRHoDL1u#9(PN$>}keK>NI`A6T3tkAh)kl^2z6-!Q^< zu;T3B6sKv*7M98ax*%l*>*hCzzLAj*Xp8+=|$GYW9`)Sxy#MRXE;y3`q$Fd z+R+2mJ9mC>SUA{tba-)x|F^Y++hz_n9v`Zl`sd6M|5vQ3&;_dE>yCtH1tCa^^d1@a z<2B&^ycaVDkQ9MJl43}V1^{Q6HDU2eaEL*YrZAkwQ4|o^7vwhGPznk-ZP?EV~ zDpyZoctXY4U6I_h_@;>mxcj9P8TS<}=E2+OFmwVF+|!FTnv{pTv-aHtha(x#a!D|I zSO&Z_hf!%no`JAF$@MOV;u(mIW^_#Cf?SWbjelbgmd!F%g5jFceRuWN?|eb4-0$ZP zZ(NgGpTW)JT91oIu-R(dYc!8@E$aS;!*GLKG|~16Ws1wM+%wbxS!qm88Nw`Vj`m%ZP0NWl?`hr9Iig5CS%K6+(E7n+pi2dloQ&Nb>u-6^Z|bo;KP5V`4ujUR)65Mx zXxTv}%srv!F2a@xq~Nj*cc4}q-))}R+chOU-uDBuSA3gW)vyo~P3{ z^M|XK4p-ltY3@JRIPqP51->cHN7=~T72V}G8LNif3Lh1~IEbUfDC(~h#IVA-2Y|#{)T9tqRnB7SSr`Xq~oer)a z+BmzX`sQlo*&y>=0&t3^D3U@&v3^kurx}Q`NRovhohgPOP@2UsHh?_@hbyRrC=F1W zVHh|7?~|fY3IYP-(zRrV_OvjRpm4~btl7Cd3R<%iNsb3NrREL;13{An$FXd4Ii;t4 z8rErl*HioOxN=B7_i_ktZKx^AkQj-Q_)rs+K_QM3jPU&2VB9d=#LVSfW`)4CG$e}= zDk;#c1cNjnAWhMNGqbtz)c0?%*RP&vKDa$|(f8NpnbVDJPa_|$EN*U|xUqPB_OzyX z;9>3AlR*;~gA_&(G$!KcgJq8c0{|8GDrpSEQHqVzJz&<-G!7xn;45&NC^lfyN-%&y z5~Y})48h?zZ;W!k(Ii)}yc$+g(ENF?W8qw=x&NZ2cK=rG+}XL)wNt074-Z!#-dH&J z`@SzuC<{zcR{ImxI0@&NXsO@>t zJbQTNWMkv;e{r78KAC-KY@E3Jr$YVlgZhbQ&8vqS$G0@z9V4rIw#_}@)ULidJpXcO z)6C=9*9)6#&)$x)H+`YQiR%3!84`OA7^*v1G(KxMVvx`%ilWPF2m=hmFhGp&NAN{$ zXj*{MI7(0ihLRKo;4nzr!&wCw$^Z%oP0vyKxi4(N2)=h>9U15;kZRywGnBIX4 zs#hFh422Supn9Fo% z?4LO{RlRs>_PgfpEwwY-YEN!vn@9I7-VZmf-}rEcXLi`tepxERy6IfS+i=kcO98Mx^(gP)ou5` zR;Op~d?v4sduY~LTR8WOtF^QoAg_#Y!+tsoYwkt;>E%H3k8{svH!ZwvUfo{3dwu?8 zw0ir9LYe?5O~F0}_K^0qgBDQ!=8`#?R#F1ZdNl<_sXW-JBXCF&1Oq5B zrH-K(K`?`8ycr6RD2a~3uO=Y?MPWFKVmP(zGT{TXI=#FF(0C8fP5aVRT_%V2>j0!_ zf+A5$$ghhOQif1X zoSNUgc)Hj)wM+f6t`>j^Vj?z>xUZ!GqeRBx z5om(MWt>~6j{d9M8n~@ffZ}Y#d`FF7AjGf%EYB!T(-0fQPm|yfg%}1Hz%V316Oa~F zeKbK)G)ng9=}~!^e1SBIdi0Ud5H8%}1FZRQ@87EDZkLRWiw9<(ew^1fZ7St}AzUgTE@ra)X+ zLc*rXBs`+hRbRfIIaWLVpt@_@{2hPu$=>GcBbxb_b0=pu*H0e*Q{(Qt#+$u7NrSGO zpg)Nbjuat4|I`vRgxOS~qOhpBTrM0Im9+No&C(Xks2;B#d)qv6VuR@)GaDsyHx_nO z-(KJe7>UNGg28xE7ZH-vsw(!AQK7@su~=!^78GWpGAi;;Stst}KZlMg6qF)G8?KDt z=BaL|OEH*|B0Z@`WxWMTk%Bs$_IC;eV5S^CIV^QF%U~iZ8lZrn7=WQTMpJAiw{|5( z&=v147El)4fma-P{O_ z!XQBc6kBo2=ryogNgxIYj3!phI*dkH)?Fr-Oh$b%Up(uIt~AL~9t6NilA&p0<#YQ3JEW|Zo{w)B<>lS+ZIQ%j9=3YDCHo9ro5JRi=xT|Y>u+y5dY9zlFtf`p$0;1+&4 zQUlO)j=mOvTd+cHxlRbT!vULpGIU#gaM^*t2!+L{8qc>Da56&qQ&MCDw&AB$(tnlk zL2Ol1DT@$*?aEsvzM?CZjQV~TO?X_bW7l;9vt?^!WB@!X(Q~}i4*6#Ny9LgwjdixZ z< z5351bk?g@OA!jS&_4|W ze;7WF8?N1iILPUWF}=PRr@cMbvRg47PJUjT(;pxq%@2M;b)ijhh<+Yq)80NA9^kZk zXh-$!!(TME9jkA9+IV`jcI8Rq&Bou%9a-A4uyOAAuh$9o)Q!6cH%0+3N~5F?LuoHT zxjcYGDcVbVXfN%7B=GoA59)W(G)_?{jpG2PpxaB(ZmJU!GaBqEaJwniy*+N1A~C{SXOk@-j5>2!oro-C^}wr{SEFDu zrV|0-)>3-2(WWl&L2r6CoD(OTFHg=Lp1DCb9Tp{?Wqg%Dcv^ce>h(7qfSw zjW;`lU(ZdxV}T3p+A+QGs=4K1^V+V)<0Id{Jv;Xv{b%#_Zp2k?T>GxNWBbUnchcim z7h-OaMjhh@dwtKt+Knx9??MaDQ?IXg+-XP4(ioneUo+b~TUeUfePN z6ssQCQ{AxxNBH}LIEJkf&GPXcmmg%tAQ$>{5GFAfmT?Fe<9y1dQ|Nig@*j`ztk(wQ zQY4j9z-g{I)ei@2SsuCGJE<)Dxu&cH@o{nbBuI+OCcpy2N)8GHViyc$r z;e_0xOZ!!Pzh@90x;3qe(pglB1dExFbxe_SbH8(lrDG1+xkiTsnGDJuYDK9?31LBe z+=?2LA}F1;^RYb<#HlcWi3yz)5gM*sN{VQ-R=qX>dHe!wm|og9krM{P1~iEhIE|wO zOUwU2fqdgS)M8cgfup+<*Yd08sWY+0gR_+f^Oq`58;@=_Ucc$9Z3Tuyp@LE*$Eb4= zB_A%^P8y}ih7x;`emCg(oySY488W94Ta5y#Wbfopdpfo}i-*xTb zKG^nk{py42zKhKlH<#`#-tsS8iZAV7JXPDj&0egXd9In;)ZBD%1QTT3D@2fi8?6|r zQEQ4^H8+g4Hv6c)@5KN1F|fsaiaVD-T&e7?J^9XAnDl$9yWY%QuHN0vb{tsCizUYT zOmthq&sUng8;L=>c&KtfT|Kb9{`^6G^R32-O*3z5Z@2nK==88HDFp8yn07K+Eq_;D z5zLhrJ40D~JHNMj<-+f3$KHLoKFX>ygMt(>x?vXgjj*xXW9c=e0wwyPt2Mv}B~&rwAuh6kFB7MoLw=tr0ru$VTQIAs}^ zI$$r`lq8O-CO^qc5Y*o#J%W(=ggu82i;|n2;uPeRfowu4GT%EyZa+#aT#Ky?1)$#|I?|DK zD%8nLl>2aP5O4}PuulqDt5O6_a?gN19{!Es@(uJrzr`{33C)P0Z)34|!N5HM9SZiX zG=-zeh>u|J5Cf6l@@BV281FA3m&Ji9;f$HfTpob|h=1#cfDB8NE@tin-e~BZd!qu* zMcHoSV8FSU)mySom2@dpq<7MaqPb-Wugiw_X=p_BIj!23mye}Jlscu0P>Es1-9T&@ zM%H#b*|;M!milH~W=}fGYP}S9sDW#eU8xttpz(V1#M0&Z`R9s-O_lqr^+rHMrceT) z7)g9a_}!HZR2=r+_;7Q^a11AL0;0X=Z9>>y1VI24lD(;M{7i0)#8ILbC}eGL$Yifa z^NG-qB>)2y!B7zUi~!XVK;aYs5Mv>8@$lA2hQ?5ejiARL6M!-#jiC%HcbyNJhT;^B z6ExP-OGAP=X{>yeoyjDVj7gR$soBpyKb-R7j)nb|yTAGV<->(X|7sjRzqo(?AZvyU zm2q3SUORWZzHN)^o5dr4z~>JArhfOkWaY%d6Kk)-)i2>zC{MPXlEmOR#Sl1#;}nWB zC@zL<)IZ%8k`zPXfM6g)LJTLr9CkA2)eisk1n*UO;8wX}s30g!kIl_`Q84Lr*$W}w zyRe8aRmesK6B7Hq%dPN*Tp^aL+_vLnS~NhF^6^pL7O;%5___GGi*vh)g`@Q|`x?hD z)VAEOpW9n`Uwgl=@}RPD=I#8GU+~08jOQs9`AMIi?h($6p;MY{!oq*nN^G>2mBP{& zgSo;O>w^VyFAtunZQi-CxB2kOubY>jegFRA{Po(lJM~Q`s*j&lwl6$w-aI;cyms;O z?7pv4ysz=Ol`fFN;=1feU$lYR(C=f6Xz~BEcb?mABv<19zE9DAd2QLVhNr8#tGXLI z_AUs300<%wfh1^qXF%i(A`k%A-lI(AoHfchXNjWHIU*Rq=Md6c{0|9`?1Ut7#`dn~ z)2LAFx?SP+y|=3F&*EtDI(mnx?YofmGe4FdIeqi@B!XJmctV>VDNq?Xc?w9|N}hxj zs@9{(QXhn}IMa!-$gsY^E7Zj)iKoH)**uu(kV+hZQBMrBX;oV4cvzi|iOumivfjZw z4vHg(&9nFRK-@Ym1{!^>-;o%WK9lEosCCA#aXbuhFCz|-b>(+(ndq3OH>-XMijR^s z`pq3p7)bG1mJYr~TsJNqW&;N{XO#OhtYOSTYs5R)jkX!9i&I;~J62yi&YD8n?i8O6 z@dW3t(P&Xq0BIon={G`5MvCR zOqlNEB)S~f$pP_p4nJ-%X`j-1dIJP>HF$oPdsG+ccSTcEy$xVq<*@SfV~jnkVwC%ls^ zhZZT{%&J&lk~M@2++;w+sBe+Xt>M+^vJtf;Pu{9OlZ|;twPJkgTDp?b!@=6&;|o`c zx5hqQ`yH8Cy0Y}5zjE#Fr^nTOM|4ZV4W;%e-5`xAn&l8c6wR`j!<(E8&!)06(Y*Aq z4mo1;Q%rtv(yi5Y(_f7%oTK6im29RFLnKF$teCyH)?ZuyI=Aba+Wixi>GPH6ABs;) zH>=mT{b6b6+=qLVRrM^sD&IesFCTdD=|%P7BVHYOAAe;UvkWE3$|iR4S%eV89PFHakHv^( zDM8q!Lw0HiNsJ+ah-DC>=?+=SSdM}i)4b%=4Hb!DflmzXz^?)%3pqjR#I@XedQn+3 zqdH~)3865a)QpP?R{wg|y=$#oS6~LCl^&&J+7Ejj69&VmX;fAYng%RlvB2JH-p+8x zWCfYKUVpry&%ZLGy8>X6VIjj%bQeoR!B7xGmTr~S-P_&jn1ES(AUbIsm02Ok)yGB5 z{(>k;V6%N1A__s4BW2gg*z$Do@$$*JgVn?L7oL`PUHsST>un1+7q8bJZR@mX0H!gb zf$(s;Xwe{!fed1B`!vLWrfG(y7~I2>QP2?54B$A1hBTxofZJmT7>1=+Q3t$v&`n}L z*GNv~*Dh>ZcwYH%rFL&0zm4wVcAN)EZ7R)xL0XtCkC9$?ns%cVo5)HuYul`yvKIj-|Ru@2h|$q9_1b;9VwF_5wZL zowDU0tdzVXjja*_rpPfDY*%Xy=&)mluKa4JyK?thW&exc zFYPGKmS^{rj?^E#sT?_7efgsP=4R>or_I*sU2JaNDTXLB1~v z5m@@g8NhiV0&Br5be?(z2wFqpvk+ZH5WBZ+KT7?hR z##xo;^nRP0PD;nxPT3@pp)VWfG0oIeuwOoCl}=~^7N0mi`n8e1klimn>cJoG=v2Od zsHv|Ra*e+)L)pJ%&>6&}X*$^3kdMcqK^GQxQ=<#>tT_7BY1C8F(YD4cn={z@%v5Mx z9Jy^Y8}N^(Lk^Edd?f!Xmv(^Dw%XNTdnS4tXYskl zM#oKA^%19DLd)+E8yvTfsS_I)uYR%spZF|$+b9+EXv7ithS@QQ#MjmvhDRYdAY#e2 zjXz=@}NSapNWi!7fR!u9nmnxL*o6Kb%@@T zC*_@wdgv3HTj>#qFa=nWA~z9D$gz+?kQG>rtxZ?Na2zF!#qey`QKLhUW4n#%%1rv* zs=~P1D`URuvJOW`rg^|2NV6Dll&lR~zxAQE?cK!E-Rk?3)$8XY)1>11q{g{T5w26WZ`0xf&kE{15g}bj-n8YFx$O}OOYfb8Ne_cW-!fk zfWL7ZWJ$pAPVzK#4L3Blq3JqB*A#%ISQfH~=9`3T0WQzbkjbCv6aCWsO9}#vIEs^o z*+%;`j9aj1*CJe7|1kWA`HPnN`6K`CTG+m|ja)RvL5}1ExA@k?>PwPQzpPL+1xP>% z;h7DYMuyOYM^>i#{awW$KfilYyL4vhdHwL~<@+0-p-mugSi?D0AEgtOM%u1Q1tbBY z8J0!etV@6}$6&STxUE0Sh0gBU1iK^*bsIGQ5KPD>I3$WjQ? z6xaQVq*uC?L^NPmv@Y)8a{^2ugb~Brs_8Cx=k;YXXqCy_NERR(cA*X-Bss{k z0LrUFts$$|nH_X@3K4?7Siffgk%>tewK$??MyxU-#KS|GytQB6PI>lZ`QXyi@}W1? zofj&1rz@{_&L65@*!G+1yWN@b%AVbo>n8^mPkd84-bptCOaY3bh1;59-N>*AlaK}N zxg81s0AM)`dWy)gB%m3ZgAkH{qDatQJ2KoVnvVBv?v>mTBU#m$J=3n<8a?R31uLjt zxwUw{y6x#NO1rCfr^{!5{1Y!7P2-5G#f**p z(bL)O1`&~nb2qpwmfJ$93%Cn+=d3{he*TOw02E7 zNRLTs!x`ScG_HWz#BTJnY+zI$$?+|mX7t3L)Q?Y!i@z*>LWvKyNcWzJuaB8T+r&yl zcMy9FlxRU#8;nz;N?ip@NUK|#JP8(gCKvLwcsR%kf9(3QiN{UpOin%SATG*eDKD1rIV%0 zi$B)iz4&2yXYJ6X(wXY)$Ir8m=1zWk*G5W~StQl`;@krG3P*W#lL2O+{3OIig^`P;1Zo!1rh_gDYRQ`@(b zDIIfG_Z_U?-B!N#P+8r5Y5gz0`qbg-=^H4B3b$O}EK9N^=2}HA&0tDv>27sTnmL(; z9cLZJ36US(Y?|W`W=U3Xluv%iLXsm{geXB(DISxf5R0kyXkZoql7S@0biZU3h@~i! zLk!h`19u_=V+2@Ck%%{--9#X{lryP`IQrxKJu6Yz&1heK1d4Zm`21$u_X{WL*X~wd zyd)~SkAJ$e@Tzj~+NYUx?eSH9yWIs6O)jllYG=j+Bi%(10Ygu&lB8P43u|v*E__^k zUp{}WzWw=z@4M-NLgC`zNBBg4#S8GwAN^Bx=gG11?Ct8QUDb;-Q>DA=(&2pd$$fie z$04`i^}pbF9i{=vkR*pF1|W>UmxcZm?20W$LWZSidUXnS8~f{s#>X^?8AySy^aaCl z6vejr%9;t-`_mqvn_RofD*?Rz%UUbV<5Hkc zRANJPYRxVF2V=lGG%+`&Bz!t|dgD9oNn@RoP#3iQNpho?Q%WN5Ekr%*qyQN}R#tDE zSUaEGnF6bzX#f#Pvj9P6#T@F4fqk^_Fc==MK7U-kb#iIP;<4o)Ydc^3wf6q{hL}9% zNwJt@I0|sgs!K(-Ccg@%J6~@C4pWe$SdOJx3UG+-8vF`r$Z-%rggBNaX_gd$Um1o% z7&8bU28oVMD+siTtR)dg(lp?J@Gx{MEG$2uxCVta4(BBGG{_fmPS|BGoudA{Q&Qa< z&=(2<_;a&%Vtu5gxLG^bx2DATyxH~j;Pd-^o{W;H?|xUmeYX5)``m-?{%d((ecMr; z>C?OVjr}y1{R`82l9ybM%M_Q6fJ1iGztg zn>OW%ilvgvL zj=A&ph%cukFiq1m#qrJ##6odRBIXXoSBDBh3~5Ymcn*9N⁣#?5~&ilwK@-s2(^J z^%sxpm-dzKpJYP$^7W5`KXj}P+jDdsY3JSbu+u*6SBfEj+9rJYGE6MZ*IIlNwq*qEa`LQ<1E+?Yt@8qEXTAhhVmj|lX50u_0OV=v9&pTAro!fsm zT7L7S%>*ysJpP;I-Lc(SabFH2ayxD-*q?F_& z>hN?5wR(C3(9D0hX<}#`AhSviWJ>o6GHrhR-HngGEPS$kZqJ7ID*#kBD{Kl#kn~R} zi3wXU*@|lWlW+y6v@L#?0}75ub#}Ls(8ohD((aE&{LQqU-SMV}@+p%%L+~GrK|2-6 zB>E?LnO7A=U)&)C$C@cp@NbKt`WCcB@M|`S6WYNMP2SQqw3eFew`Z_=7zYJUp2{V( z*|^GY7q%yC&N#JcSlj>gvo`v3;cQ1(L!MR=bi|T~ry4F#fTNT|&OGWd+WP|k9FmP8 z`6{$64IBPNd$cWF&HuT%Y}?g7YEVeMa7gEy$cILMHrD$Wa^C+J&!*lO@ABcc^~;gE zkjej3lHipz1U*vVwKiJLaza15<+K{K>dA0geS0RF3@M2wb<}2D_ootGDz7BAP+PiI ziOB3!5>6e{7y@jLjTu(#k*vd;j81wr&1@EZE|0-JlJX)Y;TjtsRsEb3zWt-*W_@?M zQg14_l7GKeS33(wZ66RAF=WsLGvjt7FlEMqI?A+Z*3AFidD1sY8h$PSa6pg0OGiy5 zl|)vZP7bf;Gy3PybTKqvW$~bH44y{vtj#reHtIC2p0S~!=tQ0|C;xtV{{Nh3-7x-X zEVYh*62|{Vt?mi`rCooh{J5+9;?VNdg`1^!mAwc4RD4!^vq@loj1cytaRy;P`#sD! zLI`{Oln>FY-%Vr6k7x>$w43yC3{7K?$IH-&rN{jYM|*wi2XcA?`x~QEF(r{}hvV-Z z-7l`^Qxa;J&TU+*PAiGY9EheGi3$Gx*#2G6+ru78eB@uil`cM8KL7dM&E+3K{q?Q- zu6wmz&wnrfD3yUGBcn!f9uNN09I5|WJUjQ2oqO|L{mrZ5zVZtxy0SIG$geJF#5q}3 zRr-J}61G_!VXs^tv_&Bo`p3m-Q3V*Lz3eaT$ri8c)J#da?7Yp(8~b{AH+Nuwl%nDk zgsBA=IcU>*+Kt=d?EJRUk>!2W7c-T;&#SkdEX~w+KkGrD0jJwMAXBa$?T`5alR^OC zI=m85m}Ma?$YHPvvotx{mL30}#dp=qN9vCrmmXHH?bnswXKFt_s-J$luygVBFXr#| z0+Khd_OU^6j)|rewsuUpty{My>$4Y@Zi`!M{&8$lL%N5h+*sa(Iq+g>rZT&u_Te>I zywb~1B?m?{;;Gnq?pylAhu+(4&9#>x6CWAW(*-Oa^&A) z7K`&(3415MeBHBnOIf*nW%+o0*Z%V9?X@d+dh8slY$-*v7K`{wRpTe=Rm2U;Bxx9y zB54IjO2Cb+b_boW=~vv-Qyyp=NtKRsVKws?PemuFE5-|PVF4&tCWq$CUm zFa|lfm&qszHkTLQtnA1gmz22k>VeU4N>Xl6`-a7KVi&6_8aC#{xfvBiEQKRcG$|>U zyUe^%Gb|-Uq8S1&r3(^)7w6Oc(Z(W`Ed2jM^EL56r0g!YG z_a_35#PW3I@Xh*m>4%^-NmlR?xj0tbL6jdK`+a5C#q!Pb#XGsm)ytX6vD?Y{nI8M5 zFFTPLh>IzqL^Hsf9MFyjdR-lK)SOc*3A1)e70E~q8G;B>+EgTJ@Ul83F`bF(a1xZI=QLvm_eL71%hVX^1k_{BRB=B(CuCMec%8^;m{+*UEAMfd{j;-1>G zrQ<;-_jJ8DCJSV_2Ya?8dABXQQI&IOeO zM;fQ{!H~}vl`~}uBnmKAZ#oIRk^S7O{15=Q~L__i2A4p$x-k=Qnrel^4w z(%Ucg)L4$3iY8MU@mEl=s?&LGoHDjp*%V7t5CFl&oiF!aHixY~9B>=Spf)T9zX-xX zZ>l$@t1tG}_g^WWJ6d{CyMF~%?@TY8sL$-3dtW=VUH;MSB4YIeGo@>bhqu)B+*o+% zti3&*36w8is=v5VzkRp%=BoSyId#sEDYSX&)*t>%lN#6zeswlHdtaZQO`-L?yd3~00c8YRKdg??c&hW4O%wdmglw@%o59VWhl z7!jY1&kJ4MO=8QBj1JLKLvv#Ue8s)x=eL(nE?oZfG?}ix+oP%MeYhyqxNWHNau&9> zFwA7JJ*Y#%UKOl8jXp4mH+_NFQo0ms^TxFU4|{k!xj3#f!in|VO7Vn4B@R@zoqL5z zcT}w;riL{75sTX3?P2=UiFxh{YfU7YszY2+65g4m!>NhZ!Igq zr+Q#89f?VUe+pt)oHk@Fj*_xUzwo@s<@CwV@1N9fUHET9?fy&M!u9XJ5u1-~M=U^D zr-mHHtdh`X`cnq^zLa$Q*r-ob5{htBt(S!*O>P|VUNIx%nb1FKU`yi=$8ZRdi+$cQ z_i*uYi_8+_TqFc*9>f$CimkVb#N0Ufrd3Nvze|hH8glcPT_Po8m^KI#H^~j<6w-y)lkP8go#FoO%4vleDM)+wlG34 z)RDQ@^&1E05B4~$c~0yLHOga|bj+0%doJtpq^E}3N76q%`P6GrKN!gyeIpZ6<+b)L z9&jew_rd(^r)R(HpF3Hdxv4ClIWHIDYA1j>G?X(+?VnDu9hCv;TyB?=Pz~xqpZNQ| z@?T$;rW}?bB{3p>Izi}_L?|29%RweusjNW{u!?uh6~q`bXb`hA6hxZ#kmB!zK)+d; zd@KfKwHp8wNn(b<%$KV-sc+k9@f8L_PP^C(>|)VU*{C#Lyai+N*Hb}kp~YpJxmbO2 z6OU&Z96vRGtH-HXut}9@!(f+N5iMMoZUU+GlehbpJ`DEP9^P3v`5!$>Y03;npu9S9 zrlL8U%43$x>1Kgptfg-EMK>L!pRUONSR;EuX2Lo?d!snwy?KRsA?qKeo?X z-v2nVe5*LSyo)BJ4t9rC+^^G*a`x!Jl#(#nOru#b=vlC0=vX3UPDilA>k7%P8wJMz zn&UWHkYDC+9ABAAq~n2h9`o|?+La$aU0vESf7_t1pSksEw*2ly{rQL5mD9ytm3?ox zzkc6~PqAf-lE`U;VpEJDtiZx%bh!Z~F{bXpH8hyXFYxhNNtZJjG^CPnTT;N8H?{Uz zBB}Ur-=>d6OsuB`e*C$Y`NhY$y5~UU&FzKf%NOT&J8S!QR8AbOpWicDKk~Q-UsF7f zSEHGpyj)FjK%i~+#a(G7p`S#VY))!_O{s>nN*?dCuB4%&yaptK6U9=-=_QLFaNrH?TQ7=&-}WFQSkeq*D>fAmph&_H0X3q1mxoL zqkUO*pFaXyoMrLlO)}blL*`iR-TBg^^7Os(iRs#n^F4^G9kN-Z!A%7*I;64oGufQH zJf@sQdL)4NWqETZ`}ysW^6ndnZ~jm_ez|`2&cgfRnWZN^2Pxya!QX%D%Xq$BJGS1u*8eTeu%)oxk`#gSI_8<)5|^`f zm4t0*&<#^VgG_6JoqSsHL4#Urwre{NbVt$hgBH3E_Nm95;?Ps`!2gg9y7*IawGIB+ zxV0S8eO$!H6#Bl^=A2}5DmbOI$Hr7~3nQ$^&nsQN^s&6_`oi=tMobHD*Q>S64J=L9 z$3U84MQC-|410|-G8Y08VFs}* z-&~R*06|1y04M>HOOo^!V?<$!gJQ0h_+WlVa6OXdW);1#^zIMQHU+C(zSY&t#Hb;0sssk%RsjEkSG90VVXr0*NFwpPzYdvxb~w0If|n=KB%ti1f!(YHUP#$QZ+N+ z3};dk(((~A7wj(is6*}3ji_ZPNO@!-4f(8D_{-1F9^d+(m2*exx6eENpR;s$Y2V!4 zWT1Zd?9yJLw z%iB-aX7365^b0bYBAVg=ra6j1fP@@_zlaykFbre>MKcItmcfGbdR@R=P{wlY+A z@Bd-`LhZ_{f2*B%R@uFqu3R{{aD%Q*|MQD?`wzlmS0axh0SKLEXjs3 zw-U9GbgdhLGMH>lv`?M&uz5GHY!n7VtSKq}Zjz*K2(|u3)}9|;-l6;J!h!1U^LYNg zyLhFx`>mh%vHXc3tg+#!G?MA*k3|zxHiy_$kc7M1q6%z=DUZd~FAj+|J_x?CfRD>f z4TQxGK;wIm4Y)}0DU9{h_m8eGoLP9ar8K>GcHzWAFGN!XqA(K44+O=IR-=CgRBXgz5ZjB5&dDStG3@nBz+1OQl;yKmYsdC~et*1pWa-G_iPF`| z0B{V=07#1r z-)0tO$`c+JH`4@1>gC;XiZ7n(x=QDkeY z1yCf15yH4VE{y{$rU46k$>UCu3`Mde!%`4Ykj0(Y3oM6eNMc@Y{D$rDmfK zB*$Ww5u}`7qYI3h`VHYifianVVVCIlX1*PgrC7kyg7k1r7Pwc|kgeQ4LfAgtS$OaG z^t}4y*uo9fzkXLe`0;nVM0zp|1WdCSGpwADzM!mRfTbbDkx+0SshM4ak(I1aIdT7o zZ!0f${dxJ?+zF<*t@`5V;^p$y16>&2T~kt!DWx5>n#2h*A(aR2_DhiBXo`gZc7r%n za2QZ5%ZTYq%@wHWo9J@+k@l26B8tQ{R-h#}<_o)l9NmzCfW`pPtn6CcO8oGz#oHZ| zohu-Kh@ogi!q&?XW10pG)d_?`LVz*s0qd$@0H7GmLK?6PB3ZTrRDoj{gc*iMcj%6) zzz&=Jv|3;Q3ep4>&;PY|cLq8}rT&J?OGyjelb-(m(Y9!W;@R)Y@9*Kip@%Ymf26+u zjX(aEx#yO?Pp{^WEnZZXE>zB+QxN6*FGQ8=m#>%4%`P4NJoC1G;O4@~>czX&Js7Vno%mM`s@-&VPO@V67?UDL_>)pv`JD-WM{^n&0h(s6M>7^at_J8~N-Gl1e*P^PSA;S+#mn)Co6?*oi7Ejd=?RPJq_*!p@rYM9Mz(GXOm<2TY zGCl;RXpC3}ax4NYh3HKr!zT5^V_+DGw?*vS2yIZKwmMb8&_uUmm0;gQ=0l_D{VQWN;t^OdvIRa+EnX1NL4EXgyQQK`p z4Gya(m&`3;5%)No!mAmiJ1;P-l%!wVV*aG1fRhwUR?^q({=D@}f+& zk6Dy=+^yfcyfpil@{=3>`RUS$^0Disv&Fmf?St#%NyA5CwBCDynm;c!k3{-^KvQ1W2~<&IBn4G&!7t zL%agorP-Jdvio2f7ytd5TVUycPh9wAdtVmT=5!?GcSP*!ev}knVEfvgFBcgUZ>I6~ zyoN(#qRc2gZh38Si8r9S+U!cJMGkJK-6WIvG;A}#mc~(!_~JyTJ+2twq7mo|X)+#f zA0r)Xa=_iUIio$Ch>DMrH>rN{{;+A#Fa*T=pkF!MTO=pq_#2#L&Y+F=$A-RUz=v`g z9gD^1Zo3-vq_;fTS~Hp(fRTKcGW~@VKsWKD>v4oygB=LL6`4VU@mTAv3D%g zRU^#}2CcAwzqwGka(hGGpKL1uGYk?gg7)EWL&6nHj*HbslVhwEX9#P!E2;QEa#V*o z@e!nTzvbn*Pmi&?wp(}#t9^u|4K-xOc<&~pr;X+%>L%|a5bqMtXD{XE4O z+Ebks6eekoVwvu+&J>3@k`-pQ;rZHA!+^iw+IZNy!MI!lkl|>O<3#sW*Ky=KowZB5 z>i3@1ZtPsRReOAN;m7~}ZRyZ>?dai!i_6#QPwxGRZ=J}WN?|F0S(XBAHWL((C20&u z&>q&v(iEnI$6Gph+6)2|3lK#E20{v<_O3QfLlz*6#2X1oT_%{^SoE6^{B}^>kOhef zMe9gGXvXbnt1sGqJ^_vd08^a65NtJ}07Qrd2yrbq!g-%#vb*^-9!gpVbRr6P10@^? zYRBbB!r8*0)hIj9svoykX5LiyJ+6E>-Elra4nfQ^Y?~uBfZ-s36ly!06f0FQhu9wG z6Cg1lX$(n*qbbZ$OeZWj$uI!0G{u`d-Gsw!gL?kD7KNfKhoApPdFJS^7f%%r6(3e- ze{A_2J?NWk{hZR?`t6;ST^CEw7PiB0mJbcoPTgAGS$vcFYx&73G*G_0FVOPI{x*-j zU7op9sGK{#d~fc?;+aqP7jG!IlSyVthrkwcYd2L+w? z1;J>@G5~TEgpi{tnt^SO_Oy;gQydK;fDFcvrD&3)yG0duqu~N(@s}|fi+Tpc8qPO3 zK&RU(I6y)U(lkkT_q|;CxKf~1Y?=%iyHjsrQ68s;Y8#ty+mm@#Ez`8qIxyica9+_d z_caYyzx-~RM9aF z)8g-hv8yKCC!{vOu&DjEaq9uAh12FDR3zZ`W&8NIK&5fnNPT+8{M*u_Ka^(X?u}F* zZSVVwM1momh0$jcHW?+;IwqTNWxeW@WuoN?xG|8>$;%(ou|BpFiH4zcK&% zTm0$9+=ueM3%@E}tG#+Z5t2yH*%GvS$cYN$g`Qp@8S0C+jD*Min*O-F^jRm=({1Hn z+&3hVQedmC%a97gRuXJ@nf#D;-=xpDCUhqrb|ElgwlZpRgcJP`O_0_#GyES6i#@2C zNLrMHnTZBT^+w;>CUopXSV=@P4)=x;H%d(?iGH+Zh|3Uz)~wDhkk~APNE$&z0fZ?I zcSd5{md=#k&K=&cQ26|72GM|7aW!a~;Yg}A|62G}=Y5PJ!iWPL&5<;O6eZYR?!doZ zQO^wISPW^JqM(R>O=A`#mSkD5V*FEB^fLn}nuM68IRt4+hz4&7z-9x!sgbN-66019 za9~nWn~n#=K?k-yXs<3`I~T8XlF_SA}9z88#A1nb!weO2l461`(Z**zSe5 z3)?mn&}uA^F&G#P>EF``Uhbh2P9F1wf zkhGL;EfFYLpZS=dzfj(Doh#j~9N9nrsQhtz_2}%0lV)kO8p{_>SaLU~bIEhFk^ z>DJ<%>h$UPx7AmV>)ZBJ4&GS4RXKgJcKJxzh7S-Eng{Om=ba`$}oWvU=-D{l>-0t<%+u2a6Z_sxx;#fB4Y9wTpL~;D#qg z>8RKYPnZ%OZg?Dt2SM)EV;|{I64{VJn;g^#L(#)ZBJ2$&9Uix^Kax{QVir5HqUEbr7KAKeTAO_L-CdB^PJ$jy~)Cu+A|SC2ng zzEL~yx_bKK^3}fD_S^sO&x_LwPm3RQ^EU;5E@U_l{|{Ne{NdAwrE7CKBQkb@T>Cd#q!R}n(~Ktwe97BeoI!sOSePEh_NGJ5r89@xaQ$l_HMfzD(21`CWu*6+f2H=p}+);iH1G8;sLKsrWF^L zH`&JBo`_HA*RQ$Jf)y__|A;lOSWrR`@oa2-#n$2F3~u<1Y)zXJdSrg6w8)GE(?V+)$p9{Ua(uH40-~GR+pf?lCEAsip9{*28>s=XfCF+&e z+b>7!#l6#dSNfqXqjROg7tm47lS;y+_awPSeh!-{gp@?0VfGA%22-Sxm`Z7L)XzEn zxR{QO(<51W(=7y5Ha7Avjew1&*-gH9#+OQ_LTR5O8uIw!>9s&s#O;r`6{{D3#Y)gw{VazDkj5)K9z9QH48~R>aZ~MaUgfG=@&G>gb57 zZ9F8m@q;Jmi@6mkUm%puqzb$`6QO8kctTWhyB2sYB;kK20EB)ih(v$Ag zK)Z?!?=I$8ud~*KvyhGq#x!HXAAIYl&^HPLy3&aAYK>B=V|)xsesluQJk2v`8-;h0<;a~bS=NW zX2j{RMx$<@6ez}n>>mHm+MPFZM~lZwH)?Osl%6f_9IIVBfh#*sE}#2j{?C#>ZJk?i zT%XI2Ny%OcB4i!ur!+%S3WS0v1VjBpV;q~q!W%j3d0-I&G-Mz{Z|(?1+98vB;>Pxw z{2KACnPwwW%o`5~884k*-d5VdEZ(V|J=H^dU^1anHh`@#TZd7sYS4mQ<4)@($>w@VAXemJZk7U8o;9 zQ#o-^QQ2{EzL)%!8b`vBkYhUQCd4q1wWON#IF-u{w?hq8cVDO-*!}zBlk$lJiTPcn zYk$(s?+8{-KM$5(*Ds&zK|H_7kT9p5p~8Sy3Sm+Z8IM^Tw0PyfF{0GG8+njPOj3xX zdx8vip8q5ocKfr&Au0cYhXmX?cc*wwU44AEhaNC_oH@BXq6yRJuz1#Xo}Dr)aYH_C z>CxcgWoo$mcHf^+ZO@U?-P*MmJ%}oon?J>RvG{oXN_oF;QZH7cO&N{80WUY&jzj$? z*DtcAJ*E4(;=a=1@}XyT`JrYQisAqzP<5M&ME)0{_+8EwYseDAe6yHvzW z`~Tna-e7g#ZvFh5+KCgt>_JSclcJ^CQbCN50T{^*&}ni0rp{Abtsb@;#@cc4e_cQE zV)4N8t@`xo;+^{8-3!O7hb|?5Q$Bej`)Nk0l;(?XqdvovgDq(MT%dq6{Za}OJDJXwff_``ppk5S==0(Z7-RO_Uw?vf6Epnp(mx%6NEwMPbmpDWRv3J z2_oqTJCy{SEFg>6D(Hw0hF;1oHgCH?RRj_-Pga`8&S?s|`{F~+tX(fw8=Hz6F1W(} zlv{jBix4WtnfuH8=bt7P?-ehJ(c?r15Jc80XX354J(;y>Lwac?fDG8Pt5K}nX0abj?^pqHcBRJ|&7?Azy0gM>TK`6)y__M8T%1gz> zcl8M2Ab#9iJYC!Vu)6Df<>9`$qrWcCY%kC3TAJ-~K&8aorU+w5nz>$(gx*~}dZNe1 zLP+Jq38y^VOgj?F8|0>sg4j~{DXA`_{jPC2Jn+W5n*OKN-$qCDo^*S}e*MJ9(ek?; z|MT74$LhQ3;{9*_t9ZB9*`HPtQJl`p;*k48!zw1MBu2EB0tjcsW`JO_4~($Lo1#$+ z>SSjGBBSxKaF1G>|wS45R7kPhgiCdFEy#%*icTxHj8*YM)Y%FUCXuF(t6 zdTcxI*2;lyR$Dd?qmVU(jACkuu>Gw>?d_?`ldHd|oZGi>tNQTA>f_tK+M8F)+w7&w z%RA=wFQ0Nqp;GOo>T|WG=E|FeoZsQ<*E8Y>i-K?)vAz%YZf62YY-4ZcCz0xxDnWjy zI*OMomrl(eOnl?6-gz|ORFqyVTv>cxe|o~da7@bNZr_`u>A3 zU(US`E`6*&dsEwgzw+TGv3TqI`8T!MUEkLZKVIHn-f^{h^?^yc;M#?d#kNyZ7S@&Lra%ymtR*eJe7Z%S-i(4j0Kio9IWnrUA?^TSD)X% z{^rw_fuW@rwb^au!_)O`+ZH}99IEZ;WkV?vj^+wRIkuffBe$RG^0UK!q)IV4rnMm+ zM;=>dax}aa-)WCgo`{AgOA+^liN2lLtj*Nz}LHyH~C7RReTruxBvi4=1Vjb3y zVk`<$BiT*PE(nswKwNA!@UqUaV=*CHqQ|6jadBL)tBiB5(3DVRcT72_$xn#CagAQf zi0!yesU*i^(xEnzcrv;4;Et2=6Rh!uCEY3Hb# zX+5yw1T)=@?6@PJ8;Xga${XI%k*^ut&_rB3b-Ef{AJ^O9dccT$3f*)7I zcygN}w(PZ{UIn)p9jc$EbEUV1zDTx>E>&3#o7<1AZYuRGr$M9siTY4-IjeiwY+8*~ zW!9*^S7}TJv&w4NOy$?+7T4EE_(h+=me<6(Y_Rw5Q0v=d-M(Y*AKf-r-S`oQUNfCj zR-wPu(l=a79L~4k+vW_Paz`SG7SHZA#ktL!k4A>Odf0}foXSU!bStehG|){ybQX0y z*;{|wo!yG)FLd+d=ACeN=vzOc4a$&3_zOP``{Mn~{OS2e3umh*ZqL2>^rn2^(1!op z0}h?VG(}^I{#n`E6b(p(Fx8HSzEXjt*bd}81z->)X^It~^TgRN5zDb0!$5KV=$?7# zKnjuEbRIe&8H6E&1;EOmct|LUVjyM(*;yrAQ3i7if=qkv766cDDOx~Q6^{qT97iJx z3Rr~Qkpr1wy_wnsBDrWm_XZ^Y=F{uS-h-v*#<`cv=Z(LvOuwGHU%R|}>3U$RsOqF8 zSvnc}Rq0aY`Kik7d-KnQ+XZrYjH91!kfqbc%AJGrr!>WT)kjZC50*~M->qD`AFLdC zC#qeWy=>_lo4@>d_IUlx{kcQScNSj#Fn3)rA-hU}%zb+F`Qw$+^YYVU^G7UOlfK^$ z{abC%$NDV)SznkEnPVZvL5?F43u*F;QX(s8ih~qIk{Cn8VJu+J{%vXJa$kJOqow8D zJlYcFe>S8EP#5+VA4lh&N?IGrnmV_{OOI-{4oHg|=}{+JWM|E%Lla3)$kU!yHvi+& z&g%5t;-Q6|%QqHh%Ddi4WF3#XCVLW=^|zAMATO#QzAQt5-+w$(d2zIKhjK2TC>~il z;*7E1=4<gK5$%dRvS_akXn5sAP%rKDjIfq>ls#}2_?m$qL>cLVo=MWdx z_xI&m8*1A5*{Rx#ht*eSDrc|EJ^RI2)?R%%U77vxU-j#+c^2DG1ky3XemEg19X0v} z#ICY}Q2P_ZLKmvP`y1Wh6603IZQD$11So#n+@5Crbg`QXr}wF$cpz}8m1Wnx~TvsJ{Y)`5+Ac9 zAfXr`v(Zs(<<;@}`<rtaz)_VPRlqLK<*DvJJ9oKwyL5hTM|t1TZ|V=8EKTQ^X6pwJceKE1iep%o zq*`0x3cx@FSqiZoXyPP7h{RZMnyVvDoMK1_I1FeC00dxLoB&`Tpb%hqSfGXiO?B-` zDJU9nEAvqfm_KC`6*m6{(|`sv1X%KAR_WZ#D2~Q+vaVSD?Cmy^01Pk*SV~}+u8G1< z$cq9=Owu%kuvC^lSs6aRKQ#Yr>9T&@pRC`wSAY2CFYP)90v2)%i)19S%L>FIlB79C zz~0|zym)Q?6q zs380>2-R&hfr6%Kk|jA3b)g9qfM#iiVpximR|U>NHfVR|y3+@&Ml&v>48~*{He@j4 z)>;57s}E{#j#f_}FFvZgywOPkC;)_r;#h>*ssNf}NQ7AdYfCOH0ug3uNU=RJMIc5L zy|Ttw3>g;V_DTRihNBsZw}QKNXNRESNMY{bz<>+`OwGG{iP>^W0mRc>$QINz=G%?j9he}c(!(FH)BBym+QB$&7CMe zdQ^SAL$Kt#LGLf$sGPbocPn3c_t3wvcYbDhmyBN{cJk$%^EDqIFbs!Tj=>a0B!flN z!>*ltz_1trh6I?wB!wArGr>nDPn^Qytn1PnQWlegYEKFTfMQ4zGLY;>F+o6LOfig@ zg5f1f{GJOC?qXDd&i z%^xW5y%y-GlQ7K!mgTs1m?Oxr3}!jd9_q$&B!>{m_F$7Bj7h*S3<(%W(=64V5y&A9 zaTxM!qh4_QLFk4tRjggTrm{$ei~H8Abp%l1jj8zBxdl#mxp<4U#_jjO+z&1@+?C_ex7 zf0+B|(&_q(cYWojdn;F;EgdMIyRo=kBDbX{skI&h6YFm!x8CS?+vO!UI|BM#TiJg- zziV#Kzt^tsE5F<(k1?_QWCjvvJf6>B~g50!vy6cipn{R z$87#VtMt?}uSz0fOxpxeCFu$10^6VO<2!s`aY7PAybf_>qS1<3H`T8frwsYp^N}N( zghqT(gm*ep@6Zd+w)c2G(mf)+%h=WNNSnuzOC`Ou)jcsH`aX2n#fMB*6CdIHCUN?g zMjv`ZIfED5O|3!OvWH^LV<4#=77wtJ7@c7J63F_Ojl0Js&JoaP+7L8?gwbpk=SKL- z6VIf$2Y7=nGPrsia!Vm+)MmZnG#g!wyH?CW>@eB^okM*5w$W?iq-UE5QulYYtG*F# zo$7Zwfi;ljUrKBnZnZN5DPM~=WU=Id@i96!;Sd({gRNV?slGp5JYG3`?wf4!RPpBL znbUJ`tGn+cDi^kwPXDI-;C}hs-P(@RbH_Gz>VC4&YdmjE=cRcF`XP$AY2n?Dw!uZ| zJZcz(T!bu`l0mWFX;_B30k1fx*qUKjzPr8pXm{=6yW+9R#p?_EKRp>%Ej%QPv-RU= zh03ITV38#$4q_TpG$2VxZF&^eoE=CENbmLq3K6YAQo05A06TZaBNH0RE+4e*3ySY; zHF}f*5Yd?8#Or;nTeCfM9ZhnG!Wc6oMkLA7sN0Y%AH^#hJ|$_2p*X4=h&ffp9O4j_`mh{hzx zG91_5ZBYQ41SFy%w-M24e!=}3h8OAV6i~$+AX!KX0z+#d!*Nkr^DijOLc}qY#8kDT z{+M>eI4M}pYq7+@pVPkbwI`Ls+sgN5D(6mA?w_yUy`wr6xkJR2CU$|C2d`;ZW?A-OtpK7lU%zdc5J6Ah!eg0|r=+(-eQ}vIp$nuUK6ET4T z=;|EN{HtFIhUp7pi6nxU;{c>d4wE#+wTUIl9z1G7)ESB)0j3ax5g-|eHZztO_W5mQ zdt2qD-~dfS+|7p=uaac}7GITX>aLOSWIz+q>AKThY;Y=ICnsc7*OZ*zVp+st!Pkf2 z>8;XCG&KLRljZ^>ph<@1Xs)&50`y8P7J&Ae3jj>x)qU#jHJ5^-ScEZ4VveMxhNx6^ zF_1zl`VsIZME9Y>sd06%U8SZrp(`ivz`2*jGyhh5dzY8q_icCURxhLDZ6h?;I2NHmV>_?DD3=(V)Ha%fj+w)*mT{njb~rsO{jCuf%XlN{c&N`LFE)y2(`;M0&GnntDi`0Gn9=f+-IaYu7thS? zEIlwUR!P(YPIIT?=x%+8)VpW-`?F1*&^bm5#bx zOWVJz9(r22vEx50H_psmU7oJ&x&DVgmG)O3o~zF8n>!$R4Wq$m8+G}P%HZ1q*0rc{XM8#fNrXs9kpR*(3p&%&c_A>tSD2+~5;HUj zI1V5d;MU}H!Ia^BfN7e76d);<=2#l6JgZx9I>TYa(ii}eBPjsI;B*c!G{qo*Se9i- zOm#&@w?uq=Rk+42m(+uFL0Zjkuu5wRf``qDLtfZpk5@+LXRAk#Z!aJApo?v~2ox!PxrS)Gjn zf>-nRO#ylJ4JZlS1Zit*1NB=yR@Y=~ypQp!#(YXbU0_DszJ|*BnXpM&n8Gb8dDEs zSz{in*VgzKpf&%mPgs@45LEx2(E$HBCM#p|Re(U)ygSw&5V(3WZFBj6&8}+j*i@ah z-cJGIUlni*yJclo4*YZ0^)%~RlliUslpLDhI;!&Yrx7F@uF0n1&({{g#((Yj=a6?- zvJuPyS)G*>lr`Yz-jU?!-$x;vU)gP9|rU^K9AwWuEQNG<&1oO`N;U zV@g(r@eELo{}pcOR9xV0j;M!>?vOhy@DY=RuD#3u{_7_AkpH+-BMiLG2z3=W$CAs$f-=Cs= zuI+Pu$9TFr7k>6!ga82|2oZ#4{KjMuIf-EVt&?-kIp;hl>g2T!O6YS8>07)dg6Kp8 zl4k7d>+{E~QFT$hyY{ZCy?0gpe%u^*+-x<>IyH$+%SitZ*S_1G4n}_lU!o}zQ3y`Q z(e0F$ z|KT;8Mxnmw{)Z%z{|WuopVnx4XMd9gy-j7ZS&6Jz61ds6%$IjX6A|Cf?drGj)oDtO6lbETmU_21x5$x#2K_k)0F`!Zy7B8hLFcqO?HZF6ah$I^cDjeO5{^`9r`^MupcXnWC+Bb1*&aRzuGjrqLG!_Qm*q$H1(5w8f&1WnDsEcNPo!@z2#8SA4Y-?`qrbR!`r^Ecf8C!;?i6M^n(q zr`Tn;R^N5C^kVs5vT^tJ;)i_Y$}P*U_$0CI<_KSa&lSXBCq8|8@kI6IwuL=kEgY(U ze6IX)?!)4n`4_)m{8Yd2bn#v7?0dX+VNd162|**h$?-%PJ#`e7b{TVgO32km`4NlF zKdKLg6k^@qylLL6=kobo9RD9e;PS2fq zyRbuCBn+SsBM6#Ox!^R?fe>DEw`Z!i zFMMA;vYiK-Dg7D7lo8c>0cjGm+LSA37NsK9`GY2&E?Ae0Sv=G7O&Q#SaN+hhgJei! z6f%W(J9K98>GHkW{VV0q=HLaKfiuk|Npai?Ct^t^uU=gc{w@l+6kJcZt$M}#QtIsC*w5(0pEYsr| zK5(|A-A6p07%4|0dF};U4mYwwwdqqzWJco(NUhdG=?+&!JZk7Oh4>yw`)yO^xK?Tc zn}0w5%2>O1{>$@xWA5e3fgVe=)CwK_w)}qd%fpqY^Ec*im(Prqc9z~XPQ5eMPaggy zAA?-#Q#?6~TId+cken`)Fa!#Az=xKR)Gie$MswJRLypV>A0KE6K_;}6CL%|a;bI|& z3deEQlEZ);!KrX$xXEiOGzAT*;4Hs5j9EfI$?Ro`C!y5bRlR#s^Ve^NP=ixBqEiL= z06da?4W~$@9I@H}p9d5{%o-4uBg_mOtj!5o$e@qQ9? zwK>5nC;}6VI>^*W@9}KoI2^G|X!E1`t|PM=QSduUat7(I^fk37k{M;d5fQE%Y~A}7 z9+!TY{;f!zUg~eIR6biOlNQdgtIsr1jnB*{d2WCBNYE#o);a-_CnF3&*`khrQ+a-? z_VUOt>(@Rt-tVqI_*j{HT6$C7Rk?grxNu5;fN(hUNDqh>OO5ZQTcdIE7v(;)!s@U1 zGms3KisVNzC&}kTmm#XG7#*SHTrq^1-&)>QK2blv zv+?O<_4bFw0F6L$zjyV=yGjq1_^FnD5{j9o3=zikl9M2UXeJVJL}2H=Ca~34@DN(1jiVxw8iGVJa>Si9@m-UCBYw&`mH_-^ zREFsEGh(oygADK9ALEE8vVllOWd=Gq;&W*d;Sm4LQf4>?bC93Wks%6(pGx4EXJR(2 zcZgaiMq(I)QXKTMpUpTUlOajFtlz${^iZ*|xAdvL`;Oz=`O}qiKdc;D_`Gnkyt8`u z=yc`zgJFB$RE&CjrjZFbqQ;^bu_bxJ6CaZ!$qa6?P}80nr%06ysZ0id907Uga4;%c zq0l>+5jQw=O2f~&53n%lDSn!7GgljZJnmQV^XmvlAzP8s5>7k;RJ zIP=w)*T1cOyuWy;bhdtF$FLTJ1^seF<5T-BrnFEJ1W70`T#kg3VKLVxH7!R*$0$!v zJ&I_(FzZkAS)gRdIBw<_a)$iK$cS=g+7}TW^*F=`hQ{&D$;}TEYxn9;G?p~B7j`ZjE6oj|>hwA^)L%?>fgJU@B}A>B-QPHL@t5_(r_0-aDX7;wV2`;& z!nnJ~b|^JrvW&XDRB@S*KcYuiC^2=oH^KJf6#Fubof`1faC;ggr2yX4i zYu6K42Nrrj^?L+V@p44x;Fqlr!d;;C_Q`llh&K88KHf%w`zQEOBn!Zuns%xKoX10A zxF^Fle!_Sl{Pu#%PZo;+=PverVchfaVm8mW-B#!Ex3l^H^^2iT1$-`ia}*rR`S1uH z#`t-IHt--nZL>j${xE-oiKXEv?ca!g(J7TiwJrq{9v>e|xQ}v!(OG`SwE7D$)59ru zT&q+WCsqA**;ghPZ5G#IF+FB<*gcbwJ&O#>5HM=NgWlBaw3fR#_GJnPYwX0>G>1rB ziYFjr!JS#48RQ-PWu_7aFKSny!%3`6CkB<)<4aDD=xDz;X&&Sq?Q3YBoPWxQ=_9tU zlg^1To!p|;aI3Is4rJ)U+v@d;lxM z*M8pqABn0L3Yy zw>D%HhT{xMqqL+t07U?dMj;2TT%ZjM#c4ocIK}FpL3sp$2#ug2mD8Gq#le8fF&KH$l2PsQB~#_t$NJry^`}Q<)r(xdWHIRP`pYA=yZ08Jlpk03ekz@> zUHtSnj%5zS6!@TW@WK33lP~w((zV*HlbpUA9^0G3a1_Hxl)-37<212Oo)yDb>V!ty~F`@Mp8LcYm3BLZT~a^Zv_!c0U9sHs@Y%?3WrqtmRv ztg}>65ErnXu(I6s^ zjrI01Lw2XVXx)gLiBC-OlV$^XnTmiRV^$64(v1W)3jVH0+ileQqF!8?=I5k(^X|8P z2fgaNCpab4b1)m9p4l8tr^DW;IPX_rQWduGBY+J?6osh5lN&F(bSTQ#3rp`_A8$iq zNUcu?a=D3Fe&Tr`#ha`tmtr`*n|=KA<*ok1VN^M7r&ShyhN?#&uEWod^l)T_JP;lK z-Wzi(U17tZKC>=0YSS7>F9J?b?szajgT;;TbjE z+odn-+k$HV&mb7{OF&)S-LjA zr#`nc_vO(Lea1kH#HrOFi6H^bWy{?drw0ZBm;=Ma?iWEDd(z(AVm!NYFXU|~v; zN%o6oTD^>V^HGr?#~jMjlZDKf$m=nNAQ_w>ctmy`D?NRAX~*KD#Y^?=SN`Vi7Y6}A zq7=mdMvB)2qagt>6iP=zI8GA;L1V+vnotzUU=#*W289qu8EIA%2E`bFLRNs>PCn@; zJiI!2K|+@=yPn@4HO*cpyr zBw<#WNtH4foYe$I(|!^2(xp-&QjmZGGzNPx<#_(O_^7`3Q}xVs`QoW>N{9Q|mW&3? z`II}c@hpI0a6kb{+O%YV!BB>x0fi23To}DN6#-T6orYcy8&u=GXMd{2`@l{^-i> z!u-*-+Utt#`Hs&}!Tng{%IW!?jn}&yr?=JaZsR>&I8r_L1T8GyDnG5Bd1tBIIj!^6 z51bq+UsBG$;w*v#@o|+tuN-e2+4JMu$DW0~jq?|mJ}h60aXNhHD4rxCz$uiVo2fz^ zlM3P`2)Zbo0VKnakS1uH!SGEb`%l>!d|W@lD`jZAr{7YCVE_;~1qNB_aDt(6io$x# zOPW06hl!wNut~}9h&c$Q#x61;6(%C6*{D+C0TC&z&XD+8_iA@O_Pga*)XI_C`Sbne zBMc=`h|+`v_h6H%k|Z#iv$%>(NUKu|MlmGEU+6O-5db9!oW=>9AyFFkA^WFL0woEI zl@#s8*5&gs;W5{!RK4~*Q9E^{+mY*K=~B%l*4*d9`5XF)?I`9~c4CA!>12s%`Lp{gy}%~5o;m=Eyx zdRwoa3XJl#zfl$21Xp@lI!5k=c09$;CQnuF7coky{PDWq>TtYW*8|N**cKS8l?%1dXP8tmp9`@UDLw}t8~t) z9fL~haE&-LN{frx9C3ZYu{4bKXscHWF$VI3ifi@ShDpcSj5%7$m!u(vZFaKHYNW92=(r-QV|AB-hT{Ok2MB#+0LO5g0R*4$yc7H6bc01b3B_2NcmKL&pkW*o z9YEyOm@nc^>BU2yvrlVxKmRy)s9&^0;xtWC7%h=}0RUeOZwZp>6YMY$r)i2N2ak1R zGzw9SL~#_S36emeWUPac1i%Rb?{-rA1ec?`IlT#4y*vtegIWALcFMp_?`LOt5arc*Jc>VdE+Q&on zy*H~bU)JAWt)D+#x%;7eE$JstRf?SK0)^_ztO&QO3M z07>_rg)sn76eS3<&mIZ|F^q;77$RdSqfrVaC<+58P0%C>rBjwNh>|2tldNQMubgE- zsz!SrXC&x*ht&%wE0>QgUYOrmy?n57xZ8OHBn8#ci6HxuxG*Ew zxP9pVF5RzQda>}rQMb`Kn;eGZ^m97}=!&ZxZaOS{)XD&&sjlO} z&i)mnxoAf&nb;Y(xLV~hVm81k8q1E%z}YaMeaaavtDKc<6-@!gaGibD&Q2(`Q$sdD zm{n70{)6@9hZG@nDuBmxS|2?X;h#)u31Z_P4%ld#Xu4n`bctLzfd%odn^L0E z^3TC-RKt@#Gww1^`Dezp9zXxK3roi+1fh+n*h&WZ=tu)8S)bR02wZ8`_=eMVkJF)K zmM_KTr2-Av8SX*Q{+TL|-NMeNOQx!#iA_oY8hj?aS5v(N&EZO7P(gz+XMUjO`-^I{ zk_L5DNs)tmc~{yF2f+Zs79v>D2L=+iodZ-bac&Vi0r*Yz{4s0e<>RUDKG#o{{wuo1 zO&V@WNiqc$R*)d<=AZOz`CQ|MnA#K3>O92}{tVNhJy~`5AjyZ}?6_a@`rMhy<){Ct zU4B!$aj$ZKd&NLHGldZ(MH47aFeHE|2ANIH;T0J=X&StrrczXzzf`n(DWB)hknPQU zhys-1IdSaX!7C5$E?oW7xT}6(?l0rT?83J4$I9hfU+(HQF$MM0FJa0qBf z;1ED;@GRaS0YxDnMsa|ri<032&X6by2rx*n07wSX04FFY9xK=sgT)Hd4!>0-SeUgM zo!J0snHIaSBm)ow08kVr8Z!94-0(U}mzG}ijTUH>fdt0jQaKx(qzDotDe0Uaph=Ww zP?Q-aX#+4CqiGZ+35q}g-_Qg{t|*ei0K-uH<9zCT(b|m<`dv_?aEitmjIFj+O=!(> zgvigRMp3)o&N(5!`n2^^3`ObI2}FUDpLcVzyWKl(Up~ybYZo5WuRLAZpIbR$sU100 z+E>4Gr*fbh$8SQa5}o7~@Eiphq6u>VD}>e$2y}J6qQOA9NgfrWd^Z@y}L?9O~Y?KMTQ z^k8G|h2Ce-UCx9s$koCv+^nj2Zcp_5VCNhn4M_}#kRl<<01~Y4G9gBw5Kt(M z1DXan1e_DCL|{!NRt4?Y0lN>-g_n}10aKk5W^^nplQ5c&TiF}MH!4Bx)WZnq#YKLJdD^L#Pzx3^Lys+)DOQY zeN=qCbfkK{yJxb_Gl%+!%{C=iqm2$zkNOUv8#f5*Cylut^+)U~L2VCDM9K7GL0QZs z`Xm@DZ|>F)?)pRH#K-!Mz4b?jRvwo>=PLVl<;u?t_0O+Pn@9u1F{rKy;HPqa4WvLlGb1^?BmnZsAON^}{_)&ZzE>kaQ*$igjJ% zP%INiH1Spn4~hGmoK(oSe-6bmzLekP@gaZxduMBn&Ct>{;sS+h1LDmwuD#z+l%Ah!jVi?CmOJ@@u8p%lWja(=z3ImWJaE3-9 zqyb=mPr8uyWFl!{s$Ds&VLP+!yz7=Nf{I>~uv#)VT~Mv{Hye$sr3_`q@6W^|zEp=) z?%O}Fm9`+hCKIbeRvC|_GbvXn#d&aWXKi@@`DoRe0s$@?7J_o0Z+AlhsEb?e)j6 z{xE<*fjHyxTBcGl;TtD=z3lYz`~T9EFE=iKu3otKef8yw+VKzb_kO|YP!WJU8P^!> zbY7cg@A3GONmd*A$*?acM<9bU1kSKRlV~V58jrd{s|LW31V&>R&O&@)v8{DC=O=4V zkCk3m4;-x@+V!8*R!(he(@;8feR%1Xb@@*1`kRsJ;nVeF$CqAKj=fp>)Y!3O@kpq2 zj|B$E!Id+{RUU&Q+?}X$L0`-kOS>|mv_Ir>M|^Um^7d@w%Jbh;=Uy+&l^^`2@%B~c zz<3(E3z;}jMJwaVZne!oXo!1#a)e|H?e^Sj^{H9n%s7rRKPo!!FszOY8QAjMvr{F45wa z_IGai*Jhg(P%dui{2~~ShquU^T)$n$WKnm3=M0Fu0z5~6kC51ToD29eY~MqUxU=bk zJKoubSc5+NcI#@@t(_UYc_jq-c57F^asnfok9h&K(KqW${i4?rF2ZgMhGjQyFG#M| zf+T9AgFs1gh<4i*q>19mQRRpZQdv0yu(41y)-t5&iIgRuaLW-zYk%G4_E?N@TrsB2 z$&tVq7?^0)3gk$_;BOz|`kBl|ZFh`s)kROFLTR5Y67u+B>5h9C zcKO3DSu@}4&iZA6P)6o^5ao7~y+@D>sbx47Awg(z@JyW8rKcpwy8?ZIHyEsHlh&=U#y zVwrZ&$Pp*Xua@wo((#xpB6Bq}F|tf+(#khMpq%PDJ?3iUgcbS8V`9r{06+~eD`@cF z!AOtw7cGiqQ^J+Z`u@SR`%M;TpUfSKtw!nTP6M*$^VLTq?I)cTUp3)`I7C$(9An2+ zVREft^;aSdt+lWzWdHvwrq-XH@xLk0WIkO)#~eX9QiPtFf2)A40!beCwJls3A3?O0 zcE`z9)GtI5&A3tlUwgL}Z*B>2IpEjdo84||%`zFC&C%D8yldqCLR)er66vqk3~F?( zrnF6I3B4TAgF^A&<}|Q5rF@A<$m2?{br07jL=gA~C%BjDfOID1%J>594cb&Z5(&iu zwuIM}@vU7wYZ+7R-owhVr?n&Z%hy+SkQCDR^kCJ+>KIa6PL^FXU(L6TW@iR{o^U!F zZ7*+f1oHtu=_d&kxLqFTqC76fjbSM1B2hnv`rIDEg))AR%kQEYf}%Yxf@FMd=wk=~ z+|=61klwb2AY6MJuK)U(P)CQ&ngYr|cEXBt3~fV1f*WO84_G|GF)0@Qz@HlTKD!(H zj;-t*`SPi<{d(ol`^NUU<-^tO2L(Ut%|F3E^4WAFgd|M88D)b7Ax$WY7URr`m7PnM z7WXVZA3~@JTcN^7##-0cD1G_5Mj&tgE*luVNkOYHs zt{`rL&f?=PDc14&)we_RK|E`7*%Qu~e$>X-QTuhXGdW6Qb~>$kJ`){>XYb+7knzi0 z<-+IE+47T+ki(?62-8+qG9mtMFJsS+Oi@WGCgJ+756kz4c%6%JnS6YDwf@BEnVj3F zl%i8Ey(rx+&1o8!Ka`Iw&wY9PGf(03^kd{h@6je~v?l1^& zNRkY>xptRSQdvKQK0YlBhl&5gjoN`TjZb?TdyfB~{Al&)z4E6oPwVgbb49yJmtl4JiFfm- z>pSjmoqt#R_`dPt%^!qj*SnvsD$f+3VzK@1G#Itp|p_1=-??Lrpd-hvqDSqJ~FQ~RA^sik@=vT(a} zZWu+TiX(U^$-iScpw)-8*qByoxm>=xbYgnpPUG&W#@x-nFTJZhe6n&f|J7g1&uTAT z2}u}xi@C)pMy6$rO$cx+nwy|HJPKw5Gkl~RPfOL< zU%@_w*W@3uX!1&*aAE59;K=;D((CG#4~=`

lHhUgiCT{C}4ZG>#18j%m`uiL(b` zo&)0i*;kS(FJYzpHZ-5r%8@7+4M>`EFb{~Sn8M7st-J@h2pCUtebc@yld34cAf`1% z%)CNhC_TzO60=!UhtlrIAEuXXu4C+M{p<3}+T9)1*AFTmFV;@HC|z87xb#^^HBP=r zt!%5lxiZYUGYiFBh=^M_3(622mjgm${+f;Fr9LWkpn?z8D7G~rKp&ALf#QR>L zO{-RI<LVVIi)~(+SfjxR?kl<6)4|L}@z`ab~_pWa`qvi)v?Vb6|_<+O~ z9o^~`YQ5t7NyX&&_h!Z9q{CzpP+_ivNl#>ZSX5p|vWGxsi^*ylv8lh;XszFmC?>T^ zh0Qv)`6Bk&9v@EVW-lrnlZHvXR$=&_z3IA%9V)&tKb)l2@yYL%3bl4zWmZ@P^h7+; zr`Ai-U$eK-rP@_ltm|*tm&)|&UFDd{ps=Vk+DWU$*?g5=}?a|;-4QFP7;mDq#0LzuN>E^jGHY}@8b{al5tdPQ7Nq^i}U+Q zmBp@AsuW74$z~kZd9Vi&*99mkxeCt|md!CFM@P)&#jlIuN4f>74uly3HyVxcK~?PKryq9+>jTE8Z!;+S3K(uU;@ZWT6G&C1EkR*tH#4^ z*SwQj?It$N^^8*#N<)DCjNIEYfSUkotwm~o!DhE$}dA@k_59SF@-wutVN}(tYNB|j>X;L_^4{Cvc zI7%=$w%QU(W7IznZL`=yE@)ae;k%EAvb-_@VJ z)+`=2;gzGO1tP}N@&293W)d2mB>~~@CA!0arp8oEQe608J~r!+6uox+bmQSw)8dZ$ z(Wm7*mFtfeP9_C1PX>n&xh2;`XJ`wP-O)T52iXjp<=dDwn0>PePbR=BB%Kpo=TQU* z)fQ6}SP+=&a4)lAP{_^3hIEDCNQ@qLp;BH;w+BN2k#gL7LMBGpno%hX%NHFFapY)G&_cYg- zI_4gcOM6##{?}LKs*7Q4m7_5~pwqpitUr z#Tf#}0Sbnp?|>)+X%Z)K3{Vuwpwb{h7)sy_q%nx{LJ(JaG&L|WZ$J7L3}85oqd12Q zqBo!&gF+H8I8BKg$Cd%fH=K@XJ3Zp1rn4#$!*Im#K-!Sk+eAbN&l-zlRMSt_G>wrE zq8#R5K2{V%(-7j2kXAIs5Cnl!)DU1%G7{1dB`BOEQMB2;(wL1X4QQIA2u^G>0Cb%u zh{ckVaSojw@9z52<@pny%Go_`~-kIK1Mm3Mne_gsrl{`#BL%I>MJs_(WfUF;j7RUY43_*{8=FR}0xlx|cH-ded{ zdHIZ2sd{Bwv3yas@Iz(a{^k4gcYjsgzO!_5>0J3Ze}P!O%~`Pr3Ha*AkCpZ|uHRj` zv3#@qsCwmsX>m@(VI3m$lVJ=&p*W2LiXu=HtTXn*FdD@ng<=4QfS@6@nJ|0PsSvM3 z$NSr!lbk&%NRcE-p#x2x1jI0s#(RN*;<0pOHfHt=HiL$IdY{PD=}t%JTv#FUdW?jC z0uYd*>*~s-zCWI6*x1aKv@M#GzWWHF4yXo%trPSOO*L9c7?h;`-sNpaRXS3SF6~`DTfg>*S~$=7ojBSV?e$SpMk!aJ zEs0wh>LEt$%!BIVr{xn1FXnH2yRvKH!s5=_p&j3UdA9OoWzYQ6^5x~10|?^NI%ar9 zdZ83yRM|s{@|6KzBJhE9g&aD;4^P8@uOzXfsf5y{^3HHVh~7AF0Twoy44KsGSifoG zx~;}$I0{j+Tayj!CR=s6Q4-KBpmY&rHC`SafZS5T!vu$JCYV)QDPm-S{Tf3`z<6z_JiN?)S5#f(@OuEOf>NjuH4{oo0 z+FO4%*Vz4_a{t3`%g-_^C%&n^dr&=leEC-W?5hDxCFLtB;W*zk@TsDjSCr3APPmN| zoV-t4$W+{!=q2U-{naDaRxW&9d4F#Chw9mjja_G}A1_sJd>+L1w9Y9x0%IYIIptx5 zrUW5PHFqFHEr~!;lz>bhL#my8T)lg82dAmq447Kk;eX$)x&c?&YfL4AYo)% zk?_hHs%^$A3I^MW=b@`R4e6zai^j2}(%TY=x8 z`^|4lhZn9ao?X1Td=IVe-&23M?Y~MLDDq)|16e0PqyPi?`yoQaKsGMmTB9=ICP*Kw zL5%JNHmJ$)8s)4yazMjR}P!?nHRH(S>oJGuW zucBSUm-;stO%I%}Ho`&FmA9+`Rp8AWUDTIJg*wy(0L46YrE8E7tlC{$Y%@$?8yepcB_2gg>2FJ7ZBAplpS8eToHV&}1D&MSQrnMWW zkt1zhiJxf@GsJ|pS3~PT%x$&m8=L+aFx6U$_}|^j8-h&(?d`TcuxXImbl9{`hqPAs zthL~Y1ZH5yZvO`$s7(}AawO%Bt7nW!i=yQmPrBtu$VQJwqi73;Kcl0FQ8^ODnUv$- zM)%JKuGaa~!2#Ch=NgAU;^ljlgNK)&eYs<;9=p0ed^KIz0py6^7YI5PU0+&&x<;Xd zm-b-0%(}XK?89`YGsxDD(r8@OXSAz)_3_9t=PnxcnrJk)$7UQ)Kr%S3Epv zH!x#zgf_dnr>hIjRMZ(;9ZBt?pC6vBYi_Im+=Nz+%+M%ZWS!*k6=Fb+1d`rFx2Mt$ ziySf7QM%=g|4)Q>iz;KYW23PM|86cjXR~moe(U&ee_4J1K)tkU{(g1m+xod%jZ3G0 zoZI%Dc&k!qT!QQQ{n0RHW(yN`J|GtdqUB2Y#nS%z(*p}P%U4%!{JnJTcVFJu?mra# zL;{?p2dvx{3X{SUSok!=JNWm7+OJ?Hvj!;unyr6dzS}syFZoUF?R8J>($4C;&y{x{ zDrY~|?mb?<{g=kAL(0arvsNy0K?iM01|SUxn&j+e{`6>5(r7VLsfiGynxRc2Qh+fF zXGSYmU)NsW5qm*@)3#1z%=&SO_Q(E)eEGcc@T=;v`=wW3)la?n@#E#ilj4mz>?wsm zJVi_k5g#N>Tgn(lgcwLNWHfF`is6vybF+Mmp#I%VC#2BmmJT;A?O%9m_>a=#`uW|V zrTt5nt(nO3^=~VeU;joZn*`vLbv86Mr6;tYC@#lr1m>Yz2=K_tcpn)CmC?<3bwnU$ z8W+P~F^m-QFiMBA4)vs20LRzCikuxcrKR8->*r4`++EqT{H%In`_ic)WTP|zjSz8Z zH4>bTGGgM=mTYnyj3&BMCL4BV)7FV@o2z4%FS#W2P9K;O1Tol(PB{W+)c)}qk;nev zj3zxINAy8HYqb>q%&OEF&cDIf2efAOM>C^7!Zap!^-&U(rtep3q*85lWYoJnWA=7bUT4QZ@#EM183G5%!8NZt_e6r<^|M(`+>p76{eUfpKLBoaTe{4r=lPsZ&ym-!1N`-g`7%J-%z{@bdmI59axcDAGrzE_zs{d8v#e zDo30lez$UlhdExHnoSdNO58QVP?8}D9OsZk|Dz$yA_`{Kn#oBlPX2}K*w>4@$nsHj zW6ww1ck}Pk3!heYE*{oaU+@Q02PRjdxyr#;)!iq()$M00Z{9AR`DXFUODuEh)OoqMKQ3LT3F+$Td| z(%?f=TCTUpu`MO%B;@Ak-bPWQ>G-J0nH7R~vS4oyJ_=V)9ju%>T=Z6ty)1vygZjrO z)f>l__AFm)9KTw-zq58|7_~)wqvI}>b1Ib-d5HTJ(tO}J7W>bb(V?7W}oxZd|w(oWHnu zwQ=w8%JIb;Lx?lZ;1-jC4_z%eRiR-yGFF(J(CaR51_8D>OGkdpoOlvGSr4Spdhfmio zd|cTpbSHXiYbsRqn6JgyZx8I&qxx-SUfA`hJV~fuhpOtP8@j6jh$_XYtIX)^}YGjDs z4kkxqlSD!hoEUHl)$_%cAqhsU3X_F#kmfzG>YTkN*4*^Cj}r{_z#9EW2SkJTO*tVV zK3kVDp=nAxO7Vh!!sm$#?W2#ogvW|KQX!w# z5Hm43VhsEF>AimLs!yqKg!u@DGGy9P`iXRuk`!h^2z)F3UbD(*V#G37t^A5`PT_c*2R{Fy^q{i$gTDND zwtRd=m|*E+&Z8cS-{-K%5#f@7AgW|01vGLbNf*e1Fu#Z(M&pPa;ZOZi(fO1Wg~p`N zx`=E{HN$tUIdfUaU`eW{M57N1r5J){){ednLLAzv`A>whY9T2)!B%$rn0VBY<m$s%oF^ePTL zLN^*6QuX3ps7qu_d|H8i3U|ynbW=i|Lwh0|=G-LMfW|EeAI(Qc=pc!ZYUj+jfJ0-0 zxXQwQXK8(ABlU3&U-YkO-R8ddIR~lO_|IQ2ccmlMGe@dV_E#P}Q!nmbt2zXD8lV8f;5ZK0+4Y|sJ&gqDs#`#^H){n~Gii)r zaJt{sOc`Ksj3EHUuOx5^(@u9dE?9Ocv&yZ=8nf3o)cJTh5({ZTckp8qs|rSxKH2gk;{ zm-vO4N^7_HxBf|6I#%CtvwWfSeEywQvvOwfYVH2#g?C#yDjNPSKgCcqj-m`jU<3sT ze0_KMA&rp?MWQH%;V1){e;OD!Pew&f2;tTO9;;W)8G3yX*J6x5VbV}ovu^ws>; z(kX!m@l!YPcs#F~xL;_}dD8XE;r8u+bpZAb0FrIFt)T&Ta?S>JtX z@yVB)jq4xhcl(_dfo#-tf1_l{?4=F5UQ&;Dj8Yh%8%RxjT;=Mfh(ti&Smq)cedl9B ze>^Z2i6`~SX$5N79G@JjTxsuYa*Tict|bDli;~HR-Qwl%iEK0))2gyTl<)1cLo$tH zBknm>$jq4e%@5?DPY>t+x`5uVR3^lG&y-Hs22EXbln!PLBO+=~&pKdmb2J`NjR0|G zn>2sJZ5`nkONYg@O}7yx0x+op{ODpJC7RUJ&bWItO%A8bTu!`SP<{fomlD^3+o;Hz ztuDh9H~HAJ-#fUCPU8r4u)9VQvT>qdrv_=izqCd&R5TKVK{uSZ0L5pVHY_nSsKnaz zKyPRVkA7|e2VnBg<8<}N`^Jf*^B3|dC631+iFE4M%%X`Eyy8637qa3-kZ&mpaj z(i!mauxdgahf+)A3I1t`HH@ZR%iDgva-_2RMB~=6xJTw0qJuD;WB`Vt0Ae(Qp~U7w zQhEzX{uvq?^5I7)BjyaTH&#TFBQ%9mB)~WT?!AF385*StitGVY$ zP3QK@?#KW}kdVLu!`9)dUbJR860*m6rJY|RO)vw*G z9XvVHxOAlU=FWePFFpKrty&)-&q2mvj`#QUbTKA5;A9K|NCE<45M)>xzyU)+oThN` z5m&?q8*-z1Mqx#BA_LDlp)wl{)>L#HqeLYjh*eXC1TH!N7cN#G9FYH}@0g=0hQVkO zm(0DPBu$|NMx%X(97!@Hi9&pcAxAL~MFCBs6oC>r*#{rA`3jsOAM%5= zHegKJlx~%F*WTQjnkhY~AKq4fwuk+)!BT~IArZ{y2Sf;^fe1!u zat3&E9w=x7LGs!$OcElrvinl~?5@g<=d}yl*6RH1>B8FQy^ANlD_yP~+tGM;sDA5p z?ZDZ_p>6YfDtGr+-#z+PTRZxy^5#tGM*Z{Q(rMn0m(Ro|zufuqZfV=X{-qbcDShC; z*AA8gTzdaq*cT;V1=rAaasnsEf>~ z2btq<6^I-2}qI{gEOKN+0u5o=33G=)+mDvi6@EHgE)+75)r>C9%6 z!S1;bX?#tOadx^Rq%eV|8qwwSX*SIl!-TBVl!r}OIOVZojBApGuqTpc(>nu6ue+NF zTt|>@#L*Fl8qRPJfc6c0*-10Wa5peWyZyzS4Lf@@)QkTi5Tj^+W>7JqI~tfAMAUX% z9u20sMeNAj6<9c-`{mMy#h10~FXzvV%p|_dEnRIKJ+=IBmK72W8JP301W3k*VGy4V z@lWx!;msXU{t1fCoba`xHh17xUzd(W>bpL#?ACwhEWQ77eRTQK5Mdy}FenXB3Q{OW zFgU&0adK1zCI|0_Ty%VvpZRJ{n`UO5f7GvyVhnI})$^zMXYo6|q$t0czx;LS{_@ev zr5C^cZLBhPbBO*SDF%=vK~fBb0h%EYjst@3(%D7>(03LrY-w0|o~)v$|YM zJL3=|F#-b4-Ne3N{RD+EfM8brcm}2Vg7s50iUNYQ+O{SsWucn_=^yu!42D7s100RC z!_6_DKgDs@IiW8kXqsU-0e*Xvk=(-d2-_hiS-*F_a(mCh?)tg6OOG0No-f@ky-Ek9 zq@z)YK?>4@h;)-Z1j7iN#Bkwh4aRht45qfbU*D8zAy z^`XjuI7!eLgAPNL0SG`qlExVdk|+sLX$KN803~Svus$?^V!`QT&OSXZj4Pv*X_Qe7 z7PGpiC-lM=f>48slqxlOjV7ZGOy(uS*6Pz;jn_wOXRenIuUxF0J{4)aeLBAzR*&qh z?l`!3XQuS2bg=6f|J>p1*8ievM=zFcFFoMGfQX%9NzU)By}RjI-nVk#%fsa-Uv6c8 z{QRQ!;#gzn+)So`)%nbuYxtj7t_41j<`?=+V%eP9`D=)6q zKJ2Jpyz=FZ(a2Hb&=D?%0f+&bq$rvs0S4jv0$dpdNru8n0-`8@5GMwXa0i**>`A>! z6H)L=gTOa25iKMor#*lZ1ldeD4>0RBQ^NowQB-`^L)FvT7kX2BbD37`=5klXh_0UZ$iS?005-{ z!N5MJ?f{Mgz@Q8^1W5(X&=^6{I7$&1B>MRp6iuwI_H0bp9s#gBiZKx>z5zU1u0^R*14=v->SMf9*wtI)OvfI@umdp{!}!m?gpal0G!NC zbjGMK{*I#_6ZAxi>~lF|hDkT;PbzCiyU~;A5f%e(hYp`PA-F3dM+#{ZC%>_Q6AiYc zOBWzgyhm-f$Dhwk@sDb6@K|{y=Odg^qnUpnly&wYGciNbvl}{MKFvSWJ7P8CauM1h=K!B%a>}L94MqgtPEP5}0h^gy$WBj9AYWduJ^jhf zhonH(U=$)R@PV&n2*ceTmrUn)vcVw#vPf&0k4za-A!nR_H?qB{2N?#%af0fV(%JgE z`o~@2;`|B!!fmb>DxJ)cF${(R6sJgxBml)=o1N`)t0K{?H-K2V`P-#?i=P(`d^berFc=^J4p+l23P6(C)I^s77I-Bt zenHyea!UHC6pAtoO%MaQsU)On8sZcbcT=-2Mn9OBicV$KB7UkJ7kR6UMsa}ASPx3I z`o1^6s=t0$+F!r&!rVBw{m+#PI~w<2H%=U^9lKM%@#0sDbEY3Z9qH?`0t`n<0+N&z zZ7BeUKzP57lN5zR&W^U2&k7g<0F1jm*2iasC{1HDNia0PXa?_>AA=A>83xC?lC-(X zx{LZIF9_87z8xMLBQ&l3L-E_k$}Mnnn5XyV2D16Sd64_ zK(NBJ!45@iVYrDNPBv!wX`%7(!pfaLEi4knT~NBG7JTKF{{!+uRCEIY$kRaDb+|S7SK9GCgkz#EDA;5pNOP2qbi-~ z9K3R>a%E@r`h)6$m$kF+42J65{iV14W?~HBBm)_okvh`>P?`V~Ao?6oYw8y=+}okj zQ!zo2IELZ?U>GC;#`Ib8F-SBg`>uo1D^I1As?kY^pFAR8KCxDDpbV5%Gvj8w%0c4I-0C@7rYwwLWdL3!k*^mqmlxnW92mOf?=! zx}~Lju*WYD(5RalosH*b#e^x^H34%kS-Nl>>=dF_Wpd}3P8Lx>liR)M|38cbS2t>j z(W~pEN#pOP$RheAYG)Xi9LZYnZU{L$Rg7X|u~jwOEcw|;C;Kfzn@df*$2w!LKXEQj zU=+kKh*306wcKKUB`$An^?vt|1$%{Ja6myoLIx!vElHWnUFTTK6NS+zibJp(gfKJ; zhM>&Fa0qb%gBa1gzD%+GNf|<6C`FP4j-m{KGYpXA(+z0DA+u%DL*gno(aH8na_Y|S z{Y&-j-sK}$?dh%hmD80sFY6Z{{pr6;b6;*Yt{m#_nKZLxD!RLK!6Je^y}j{aSMB7! z`twusry6^o&(AGis6T)Ax22c!yCU^d@8+MCKh|D!7ZVZcT^xlN#Q=hUBmroK(|zqc z>2x$zWY#{Z7yWK`NDadX*aeVPRf)uY)o z#cP#+7rRf(1m|uCyJd@}r@WmKeX8(J$vgS4O5`I-H3^!@mrbXdWI3!qH`63RZj5QN zb!BIhm?j6|M$4>5ug(9;Jn>k}=UEk0f+@`$_j0VdJ-&Qn(=uKoTe##+TiRoH%fGb2 z3y7Pxbbb+x$HQCXO-9AF!N7+GT%*Yi_%duKOpds->4H1n@ms$58dwMe>tdIDxtdH%r-ql*`MXgC1Ke6dxbEx^+&o_mk z?`N_t>892{oobqAnMHWf{<(M%|A+T-0Zq85M6}6Hz7gWX)+{Z}d)V5f+g#qmZk^VO z1Fh*9-9%W|e@Xbs*oQSHwH#50>71vvn(Ht*Vh@Eza%mN8@6?vx|ONb^$A|K1MYm~+^^)6s_&yZO$| z^$yz|(sB*AZ21RpVG|)aQp|-627PM@pSJ34qX8@~14D_J`l!PcfG5UHjUwrza2Yv$m0m3?dK&?(Tn$3=laHVb?y& ztDJMDBq~rjOH?|C1eiX@B7KYJkN|~A7yuL{d3~){VozhbrmMQTtGfI5+YFZL4+gdR zFW~d*qjD*<1+){{8zZm&^hCn_*`s7?vwm`1j67=YW%Kl1-t*pMNt0T2kwGr|iz8%p zr<`L&DdY*+bx72LDxD@5muROSnGPEX7aEL#2TpU@7&ntuN6F{UWh&YK82)yh&T{o&iY=Ryc%_6^%jukzY@cu8I2TjWLyrLF&oM9iSqLa zmpg3;6QmT%8TITdKH}7U$&50Gy8SBdd0T^4uG6!VEPZJJy`eG^;gl&%>DXvL%FT^+ zKZ+~d_HhG$6f!BoFT;(y7wgY&EI(FiDl=et-_NgZww}IP9EJwZY?cE)wWb70Vq7|z zj$}cE3*F1&Z(Dkw4h#1PuS*SZf#eh^vQ^zY`-)Gk+1ohWTDQ`kCEw>0?8bGPic{>dNh5oSHlr2=b}u zB~Zzzb;r0jIM;h#M1aNPzn#C`dUirOfBENkXIqzc4IxYxq(f*tz(opQ>uN$rxJM{1 z!_zuNby&@%x@UQd{nbOQE2sWAf4ez7TfcOzdcAh=c5CMF^27SR%Z&#&b<5iq&o5nE zdNzctRywOoD!2n$bZ$rNQi#Ib;b=A}A7aG2d>9yRz?VY_pO;gXQWVBrW<94gJQlHj znprvQ%;n_*Yh#9onEAuXg~iwP{fBDP7n(1&&COt~=f_%)kNxk;FhkG1=U8zVfK{ z`grT@?bgn_^_jzsS4Uer?)_!{RPE?cT}gyfz5QCj?Y0L++!_}rP25;LL1l6{^ZqnM z(lV#nE7r}Gi^1m9Ewin5Xjkpz-P*1r@IMXpo40ER4;dP_&Ngoy`PRPlW{5sEqFiSt z&IPWdrBI&FPHqQMs2DLs++t(7vn|C<|w*{ygt7?%M(5f)}C7qNgQ z2tcD~AF@#drcjImFzZ%69~BTG5rRg@4X|4VTw?}Bda&El7QUAp%jQRY6Cr_{*oE{L zCazpQQh)F|yLhX9>UL{(>yNEFH#il3SATL<{SBuOX+3(rJiU0Xd1goJ?Sqvas`}Kc z=BtZK#~LSJHqY#@Pn~6_7=*4x`|5|bHQ$~J(BCdzn&Y;*^w$3K%l+=^>~EV-wl`1i zL^;oYe)Zt*)$5gg)t8M6FIO%#-khlZRJ(DY_UuW0`sCt~LgnCpFW#=*xV`+8HBP!$ zu6e%p!;S0e4psBP?dqxO`Pz=%ENu^s5=h__j1f4ApcDpRToeXhPYsMB4672^LMQ)PjlwVg_Y_0h3hUNRPhB~0LIODLj?M@8ja zd|JPD_51JtRz1DE8*5xTidRq1-81~T^5TcagByzvcygOEC6!fAj}9e!PHR#dWmW;2 z%nnayMy@aQjNKFpKl2)OG2zTwm|D@(h7?r@yGK4|9Tl+phg(HWsOiZ;mr>3q6XAJL zv@yqJe3U>2vnL((aX|I7U$1EdB>1v>%7VKf_4`BT*cuU<5(XO(uN< zdRQId(!M#foPr5wDK5T1#b^X3X#{3Qg}o`L2!Nmn4A35=Z-po-a}5af;SgBysaAk7w(%uPcu$H}gNv-)KDE)pv~ya2x;xAeaaV6@USb z6GWe=MMBUpNgxC(uI>l6M6PkD(KJQlBuN0I4+RyCkt7b22$%Ftqql?^1P1*=9)gDP z)o_H_)(4igvGK`#2%%-1XX^m-C`Dr!0kiC+11;urlu-|5a;gPGr{q@yL{0;d3sHc; zU=(AKPxOWeqhXZ7NxTPHS}KJ*S$!^IsaXrH922lsU&7KyPDoWwDNB*ii400|=)iUVp0k|7C( z<0KAX1j8w?y6ncqtre#LNz+VXzJcRG+~IfAz|0Tm?Bjj~ztpRTQ>qEr=p8JA%u->u zdfcp0^WT(HSVWPy7H>7*PR%|2+v4`6%OC1|_Mo!${?h+g8jmlu?jHF4;@#GcqhGa- z?v4H`_#LNSWgn|RC`$Zm?cP-V>ilfO;Yk6v#)oBF-L0(uxm zGz0}0iG$Txkfu?R-dHF|Q#8FA39bf$B#C32#fL_dfW#3n5FeTZ;50^XsaP03%RHF7 zQfbGnSpj#Yk^x0Ns>?at0*#005G?4jTH79(TNjTuXCBvIYzr@+tZ$vF?ruGv?mxrA z2)w!kqDhe%7DW+20QP!92sjf12twh2^{&2iEKHFkN}>pYQ3OE{;&UucpcsmfjB^Y^ z)M&kswQOQFIxgg!<)h!v-&)x>f3B{q;YHmE+ChkLcQyQ)uJVsoIJA%RB2AE`7~w7)y=? zlv$SgJHfIwDdQKn<7BU}R9@7sW(8b)!B)gld4yz8_mUtO>-ISl8f(lQ zAyhHT$a?%G5#pvpi$%qR-P(=O1UFFubKkhLyXG5-aSJ!Nvqs~>dut&sQTRu0tYt@K zRM;JGbGM@y8*If;N*7b>*yn18++YhDtnf&Qi=aKw_L|L;C}JFs+h-?hJfx3vH~c%@ zH<`526WnuB{Wemwh_6r%@YNm8Z;rNu%A}*rMS1TKMd-Pw`#)0QX;|SX0d6{kp>8>9 zh=xB#*JB`*h-Rp8${y!#+YY2~(xTFtT;s#3TpN*Vxk;6F4@M*796??&mYB&-(UhE)8sycTWL!S4(<@|}WW?oVKVoL&zWyq{yypj{qV;N~dS>BN z{oGYW>*Ry6%FOb8UH#VO?iBE8X&&t{2lw=3dmS`MC%D`2?KO}-%*EvYun0PTL-Tdx z;N#_!wM$1Aj@PEov5iMG5riTzM&cxZ0YalBf{~k?FUwLmj4ML8WAMHS%Zzdjmx7|* z2?kS96XEvHdOy&AUEVXqmrF<-ASgg!5`))({svEh^;=j=0D>bpO;W6F=blSz9K&cp z<8+T~z!uY%!PeHrphaM1EiY-^MYS3f1e(SOoI+_77AB3Gf4X#HW#{7CrIWu|I9uY}$upOnl#@bj z(kMow6pbT-rm{4<_zW};>~1}{wRHZw>JzXqHUFsoZhQYgj3x+zUe!czlaT<5AZQH3 za9lhRTOD&a0#m~TVi=C%Fu+iNq7+V1cwfGK45tACBg69TTZ>A0nmMg=ayYHa2UhOa z-|zaW=NqyqMIg}o1L2K)t z-!48SM;Fg6JYTrL-oOybQ?*{*(@w(8E7!kXxZF5*apBfCbGKO2=Rj!h^S3Gw7Oww~ zp?P*X-*|LtW#_`7f7Ea97;9`l#p?GBz`z3-10;eHfJ6X+kiXTtW zY#JxOgr-me!$@?HEuPi+1yCq~^x$$CCzA>=nD?6$G64%e6x@^LJ{` z4lPdCuHOF}uU$dfh294y6hMQG*#Q4hI|~!&u6dbBn55rQTu+w%`=FB}5h>)iMhI`N z(6uKkCWRc?ZnPa#n{?xvs1zEPN7v853t)IsdZQtqqCXs>?~h6@L1Bah2!X6l;S@kw zSk{8DMySbYFF;mFJD~jp8jHaQWTH~PTv6erQu-{K^R;V4ZJL%@{-grZ3l#tDRkX#&9r7F;<(1B%8dm>}@gwKePGB@jiS z1Wi!@Lur5$B)i#C)|ZQA`RP5kEt`^sGR%#|PS!_d`v8e2gofS*A%i#&=v}k!jUxWR z!h2qJ?0L}zL-CMJE`@yKX?BurJa3mm3C;<1y>pyMS;nQ1tK{k`D()%TqJhHNZZfvU z!phjJj7Jj6WZV-;tOYqVjL|e;9Ajoem3+Xx-+Qcjf>p!5_MIOL@Xo9J@(JVjjcr#~ z?htb`&g#|L?EB^OT}R8jaD!rrSjrMW?A@$EAsk3J5?N0!k_|>Y-dI2iRi`R@TZeAd zo}X+zI90vA^q_h1ar4Oa<(Yt@dJL}~MSraCTfb{G3{-mu!G~ESjMc8s5hiVNtgLcz z9+*EDhV!bZ8w7Fww}D;y*T8RH)r1tl=#T);UFR==K#6~L1j_cJcqjvE|!(}JW?p-6Ri#z5Q!`?zEHOhXl_Eu#9U?j68}(ZqR=h1sT5X~UB5Pgx1S~>ejoR@zH$GArduPL^Kfef)HG~OhSls!{zztR zRacUDQjzuV1m$sqO{W@NnM&i@j;4FB<%Ota^6 zE|iEoofP6*Xs35Jja{MZySx9yxD}XqjGa3}))dMrYV#{N$G@0F?(wuoKqAAqaw3`2 z>A#plLB88kjm)-R_O>6UccpxY0ApBXGCFrK9xlR8Vu&?_}ibfPMyUN%5-U@TB5_Dc`s z0{zniy5dOR)WAfz7)e^fqr3z`z#@bc)J29ao6;eniH+tGOIp&f=CF>YD_>BCESBuLL!F8z~+qMJq zgAvpKlP-dgn?C6>JElGDI%Tr)sN3}gn8M^mJc1gf9kl7}WXxmNq--NfDMVV zq=fjuI$iJ?2*H@2JUA;@_07u7HOz$#u!0$bS-%tt$Gdl0d5mBrhM-u0raZv_iP2Qh zi~Bu65JU-&5Al<=Xfj8F&yvrm9;E@fHw zFy+52PuL*bTDS){j`QgknAqvjg+q%s7S7Jysh!)oa4*xkHQm~NL0#Fua-??nrur*^ z--^*)$*p{x_BEn}LXOmp@JUHJa@r?UXhH4eWAHO2HUFJhm~On>V~{GMD?3}SE;o+e z98x?UoOHX`UsM``5rg0}SR2YF0*06&*-Q9bUhcJ-jaE_N>r>}f?liBTUpcmX+Zmm# zzkk#?bN<(rbCK5eM+(#8DXezy$&epImvw^Wq#cduWCbo0NI#Z0x63yfNyPY|YnH;O znNRLvL_=Hv_5rBmxX5b~NDsy{V_{yg5-6fpE>QJm($3}6iP9Jm6;)cMa{ueb_1W6< zE0t&U6X&aZ!jyFmBeN-J9OILtut=rqS6`^8mCMb;=j&(p4ykKCnNA-*IBj}_N=TuU zLI((&!1K66C51*xMSmnS4y$|hvw#LesoWSJ(vUlLBoL{HTiQ(M%zvx{*W=1?py10) z>IL0A0;4ESk;o=_`OP8tnefSiZhVZ}VN5-@rnhGJX1@08?1aeg9JQNAt#c1~HAKje zsIr&q+&e8HhPZ`KNYQPq`f}-NZT4MlYMXq4&#lDJB zwXp!(N%o}^NuXm^pB+z+bIQvaQ#$0(n7HL(rJI+s*$e`bEhK;9VDQvj+3}60c6Cql z*`?OCgRN&5N$&M|u`YE)%CtPeW#j2I9QKp^NwM4V*FQ8~JYSwlIKLjE!ATz|O#qn7 z{kVoq$~D|IpB)mG4JJ|(alX&%O7~6e<@x50!$XK>9R+*_EeYhtozAc(ofFnA&uX#( zqutJi&|>)=)sSwXmw6{sF|9!g5u`c`yYkp@rp*y>vn(}i9(B5me5SjuRwfsZ)~;Pb z=C8J{z27pvaS+$XJxiZ`OVWXHZw3<^qBBTilm3Ts&$Cq~cQya|5N#T-AqE-Z2{}@MAS* zr}C*j`z)prm&2M@3$PKb{!{4e6LCTcCCqB>;%Kc|M=s`cD5Ve_1(=6Bm9pH45tP)p zOD4D)#z+!JV4O8Qem2h#_fI5?UOp!^vs1?qTlLoBL#lS?a{a}PABq2C_Ac>4`ESIFKa(AxQwk1kL=GFCEwN?LdSj zU2I*Ji|6J1z*7RzX%(&EqBE{ONa|7^t1`jmR9|0Fim{aDTf5Hi1s91fc${%-d*fLo zqtse6mRN-Efh15ugL%_QS#*?(G}w_aVD#`uAcJ%Fa^>XG)5QbY=8gCC-1JCu@1^Da z!vq=jq*m^A8l(^wrTFB&5hSgNIwvO8DiAN|S z3VlweAj9$D0viNmU^l0XV?u)kJ3YC2<)%U?J|x@Uz|$C|*v)N*Tmsuxt2kC9xuGSY!Nu3n(=-fpQ@2O7}NK%oa6hi$Y`GjF2#dkoFu+1-p(i*Zj!~jqehEe@+ z#_urrG)_*L)iuc}392_R9Qs?8Ju2|!jOE7D`rFy&!>NU<;pXg~>izkv^Y53ARc}{L z459X*i#Fw*LNwrJ3L8eHFdfuNA(hgm8si(LGA4zvJW6?#7=KVtx)r{NRSG2nY1z1+ zj0*Q9Pc_MMIie-hT-W5Vj>Zf+b#EVF3)s@wx)}^`aH(DKUx$j9<$F5-GcK<_$t~R& zu&`H~$>+IQ{th|pfIOqnfVje{G>j7w$IM|Tl4#s$v(Yy`Rq?gmolb`r}4ti6|cfT42{sqDz={~Q~gNJ>-eM@;PI zrIXEbHyd|O{CVzabN{Yn*QACZp_KrXMree#KM@W>wMN}d|V45UxW{(aG!%CHW#=&4%6_cTuMay?8S)5;% zkBrE_Fc0nAorN>y`oYVb;^oV#*3L(j`}G|&uKLuC>gnY($)$tME7!1vncC5<*1w2{ za6(9}wOiM{EUO&|nRVr0{rutIEj*vU!Rq<3a2&(!-^s(1(PUD zp(us|K%(%!3Mp)e_Z|b~_c|jf*1+lDX0qsC7%wrKVUL+$4rxA?Cri~GiUXzI*k4>m z`?8o-F~Wb)M(rdWfw&>7?eU#%s_c)6v&*!0pPrkVdpId=?wI1q>IwK|MvahA97R!?zW)2l)clFst|yhZf912>Se){(kVr^48`Jd?DCNkR z(4OH#%*p&C1Q3Z{wG`XbSt8%IkT>-Z<9(jRAu9k_%5#emasb=Blch;C? zxo?w#2`W4}=}C@oqsvYlQ{t}SdM%2f0T-K2iyh}Cxf#pNtnXtY3b^RCJ9yFSKr7Om zMLvd@y_(_HhAx%fosV)EFFI)Zy_f02@r1<)8%w1T)JjIVQ4*d{K*@ufx zh^R76IYMf!jpD1?07tORQ8n#!1h~n`4*G*TV|DZnsWvvYHCpb87KXlM<6PpPAyuy8 zZdVMXY!89v(!*&wmUpHEJ1u7MCwbf4Jv6-m&Y{Wj7(1`lmvKmGHmOT2>TprkAv*8N z^=N?Wk^0G6#uEx!Ih?e3Amu38K%|7nsX;|9r>$zmAkFj_*;AMZ>SFGqX*j73VOhpJ z8uF%rSz$#Cg9;w^;+|r893P~yPOczrF+|4Mg)D}rA1b%%GjG4Eyso^e?pfYn+jd~- z(4Sgo&bRLE{Rny|-k|G2cvO-F%-sD036#are4JN`vWrAnku*AIR>yrsJ0OlIxhH%& zH}6Oa01_rKu18pBZE2i4Qhn4sI=ghSa0MoO#k;)8dV%v%gw^d9c1kal;WZZ~%;qTOEP|>1ahLI0CfE6f@)O^T-{G zmM1X*0Z8cjqODi{*t{8s9cq&X&MIbnVqJR>~{QwjpDV#=dHoXI%v6>)A z8X*y8wSJUCC`|$!1_VxG0H7r3!~KerC`J(s1hBT}bfDd3!X}VZv5&*>O$DU^jF1F^ z4rC}4PN6tKB3$aqj-iAT>G)tq5)!Zu1x5)psunbg=Ke#m<;U~eT33(GpI+LxxNB)E zT{*O+e&%gIE0F*U#sC3REKV+tncxTjC_q`g!nYCxhH;qY@K^P-5}d{m43L0^aTLe; z5mO-mP$+?;G{!KB0n>}dERgY6ht8-oJYd$*i$$$;B2LSLqwW&_O#wrQUl`6CRiczp zm3Q@BC;n_nEgo*|yGqwzpIW}yx_nUEI(XnWD>Kb^cO2dGBA-2PS*Yy#s&;0kapi>j z?@KqAt_D}m{CD*rtCCO>a^d~oD|;)4n)`1o-e{iLv$(G|{i<>I_0kniy~ed$X!GTb z#;#jHxA4-}I&iLja2r(F=MMaSeku-q%bHpTVK;B>e?G2@|G9bN)$;zi=SzDl$Cj=) zwm$!H;dS-c?`p@USQ_2{%@l><2#f%nq*07QaBO2d=QvHFG>Xswp-G&?=z&S52JvrM zci3*oa0)pzlM*PJHqaiWGA`;00Ssd>MYM6i*Z=k8tU?F^CQ0^21H%=@z(fRSogm^H z%pqoUS^<|hLZU#K5o#VqQH(%H6cu!jt*KY7hv$~x)}J1npILa)cjlyEf*@hQdK-7< zL}(bMDH0al`i6jgYFwWQn>&0(n0V4{HPUY1_ zl$coMj%Ql=sdedrT+w>@rhaSN{ENj`_37E}&o)Ms?%}hZ!(LgB%3}fRxP#{XKn9O{ z)w-~z$FG9^NSyZ@tFF6u&Sa@_Cza~;4U=CyOI7#WtpGM9Y$2?Pq&)B;z8HXRiogjH zPza5|fFJ=*_obU6BFhhJSGG%AZ;vd_%y(&O*<^hrMIwMkQJAJt93`otDW)Vifsi{nOwa^E(*y-bfRPxBMT#bIib7UL9E@W)fwLY;aD+fH8X;gBqbZD_ z2I81<37iQbbupz~VIjiV56a+kOm)zLpbd~rb?Xenf7AsnVU`M0AaVD-I`D^#cXrTD zj7fiB)uS>8J`?xKpoaUiCVdIy_{abnB{W=#beaaZL@&lF^t|k zp!oI97eI5PegSB1!(h#0QHKiFVCTYO`n ze>{jk5CjMe<2W3kf`ANQ7>3e*PY}ZbKFUY0#)B9h4B!Ebrv0=Z$0>p!Jfw%f0pY>C z{%(>bppin8MQy^@4ZT8ANUkMH-QDt{B4@Kmq0IVz;c&o!Zq;~L3YGK0?k(ia00itB z+s42EHy2%x^;pujxwVrQy>2$~F%-JjnkuJx4|`u{!`ZxdO#kj<@#hQGMOKdav?q7-=VTv2anSxB6cOOIzfV zd3h+Dz` z5fSHRYv(VRn$K>+ji*K*sT>PmQBcE!Q1YlMmbtG+ENBF*`>>S=U*+& z%>PtgoK`fS-kf_le{$@v8`Eb>MtVTV<>#XfFtJ%GGdZ(<7#tnMtHRb;N4XDzC8OEJ zJ)GB(rH~DK3#68NsE{d&u7300KkLVi8g1XqA6+=qJoUCU{mj#NG0b44CvsfytNvQa zat)1z)V1$U^T6H4#pl&Me3#N&knwPde}Py6nL;4LZ%qOv(h=?;SO?M=F+{k>^H^6j zxBdL~qM^0pbhdHpMXvh#55eZ1d-eTKS`VKgfgczoS-)IJ(h2{hI9AWXbAiXA7&rVO zv35v^dqA>XJcf*0-F!sEbqu7jNm-14iIyqf|5v+ssCD+`Z{}{!UH^XmT7Bk9ZTjr| zuGaKkUG4hm<>QU_w_7J(Hs8G*@-vDE5p_lRke+?eJe1`~q^Q-o{8Ff-7%yA6Zm%EO z#<(fZ)rSPKY7E@DZ2;g7j~eB_iC1DzOc1uXoeNX2nJ7R3FfNY9s$ag;m^r-o{*SGf z*QyVFCjML@t}9oDkFwB5Pin*xAazp6A1m1XVg4iuK{34)N+e@KNK&ONU6w+D{J7H+ z@#s)F*LjISoaAKX$pU5`0bB$v)-7j(je65XD7){q*tW1FgHWe3%V!Yj98UXTsHTa>OZ&&>O(= zK0Eib`i(BwV6$`agd~v47Dc!#ya9%)LLUxJT45U(k7_eVp$yImjjL{-H{YF~ySZ|; zcIo0+lIo#xBZBQCma*}rNTP2S1w@_0_#-vcvF>ZE6g|wQK zLb)tnu%;*MB?T8Ut)KfDLzE_y!fXwYZXRH~1WJWs;{l9|VJd+NDEpisG?=d|dLy_# z=ZN!{A^~?G5y=_++^}*py?q8ScKTQV=9Ebx6+h~MpoBFXGZ>1XG*Xg6xI>*0!X)VB7|975N%G;t zkuVosg5?-F_p{brB8?z0iLh>je`y@Gf_yT`y@JPDW^9{(v;1I)&@-Tqmy-Mi`dVXh zBtJoL?^KB*x2=N&8#3+~ABU9@hn}oGyHY#)1X_OcJ*!$@03>!gWV4WsM#VC1KhIu^ z)b~G~e?LUGngbC>HtyoTRstn8;~v7uMVS&EE?c%pA%g(CmU4_NS*4I^P(WhK=)|ZO zHL$C*MuH{_hO}8RnG@>alQj0k})cl9*CvwoeQ7Vi999Avq2y0Q1p(vJG0 z>4l$aw+^Pitxug?-f3EVI^+V|2ExXuP%26S@dxo**n#_!N^XATgV0f3SuT|6V_??r zt-P+?oAoZ=T)w+)L6~#>@ zN+8mw7~>=4#&~ow1B7cjTnNNsv*IxaMT^_o(s88z?0x;+!?DJjBeg>}TgMI+s(YG; zwza0tG!H*t*;BvBpY8iFb;XI2ePwIb=|%fHFi@7(vb&Y!H_uf00aJhZL;czWed<=w*B>ct^Hh{SUfBrcqD z7>@{{Eccq>Srf#bo%KDZYEREr?k*o`ZhcdkslD0XxbgNkLrOQ|ER2t3Frj3g1ahjP zg$U&~@$PfCA9Lf-zJYQuLKR^7xD;|@l)>sBkMp*0#NuI>r+}CeLGDl3bTu)3&`+w^ zpYtIt2$K{b2<$@?{0l@V&G-Qv1k6F-xv8MZIR-#Y90Ywt0l1#1-L#jx?Egrd8Cv6v z8MEAogaJJgW8(x2i93RELxh2FM*^jZ$#Rx$*?o~migKgb6A;FmG*dF}4A2iyNZ=ky z&=vCsHb=eK$YfY4i*nCmw427gAsHD9sJJQljX=yWG+A~Lnc&AL)5hH`9Y~odhoGph zBC{B`oz5kil!xmAKO2r|Adw4XQkh6LAc;kMfkc+O1<*OnIHm~%tzoA3=ml;%HsTGE zq*0yzGp#90?IHGaCU(j4j_PIaUu!S#R4)A;9ckX&+kAex@#H~sy32z%1lB1+(j-a2 z2y<9}Vq8rC(-eikI3fbAfB_7U7z)H;P5~e(9N;)1hI2}hC`JGbbQ6sm#5v_(rrdOx zQ6Jr@G-_MM=i983lCNdwUr z|GPX>+jHHqvj4mKlQWI|Cs<=*AQ08s%qwZ_%Hi*qFV}C}Y}`1zaPjNLrOPZO4i7ni zkT{JX6pfP@Mx!u{ZwPTfLIH##NRmPc0z+V!`j-Jzb!Ke_Y_e!7Dx%{S-aCysHY`ma zU{xbC+r~!+ZQQypUzlp%JU)Mn)n#pV- zEG*WjH6$um{m41}!pZvGlltc4XU!`Y{PokvD_iF;HqYK}{dAlsXIh~eK}f5*e@`={ zPmIW6+?r>dUSY|vhd-RJdV9wpVsq9NL1++B7i`X%vE@Rw;=E>~@c zI6Dhny;59*qnOh-yq46Hb%87gi~M8QB(k z3%X@ssc~v-asnNwf%O1Afse7vm_d2t-t^+(>h;Qj#@Q#e=QlN#V7*v`AkB7tJrSSiHah>$=rTd0U@5N(jX*&z-qY8um*x!I?72w9eP&Xu39`&yK`#g*vg5?>b}2ZN_g|>dG=ru2gU>x21taWU;;x(fMEDwNTOVB zP0_E;DS=g4PaK0`gr+fq;|V*s zWuBzWgcyn}lrIt3vPma^h>YUS&M&f!|1xG>M|H z80iiGFhLL~#%fCdz!8Hf9H!u5u*ygb#u1tz0ZG6JjS_uOJ`s$>P=WzB+QIbFCW1x8 z>gk>o*aWQ4q*jJpm3a`ND3bW22X;~IF11rz{2JXr&`JY7d?fuGGdGqEQ_cxmQlb@O|uGSA9XkGrP zb>ewHI|DFI0+c{e5tvX30wXwv0F)p_?My-e1ji|W6N4KXh60SjPy)sY8o?1n+|DF` zfN7c{NRpMIi}X!St^01_MDy60+T)*?!VZ>B)H`EE#K&LhnFq@ux)r*DMs5&= zCl*J^Jr)?Xf~Je0612;~mzGp`m- zamto&wq|e6-$W|gYP-(YFWzjPI9t1Lrup{m|FbmDP2r6&;c)%+h043;>#NPXTPxQs%~#V)yMAol+0i_rppqLNEufx-6B4Gr-YZT`+M+ouTzT4}P{4aib*TPZE!s8GqU*CMTk9 zd&Wm~bL|2tSR-u8mAhwJ1hcFN>vBma|6=AAZ7}f$l4X51KOvla3&jkRGVO?k+~l(# zXh=4p;U4i~@=2Lec`L=Hml!hbk}Prq)q#>Nmb`vQ-WhG)gBXAzsc;&zTxN?7#$Zri zuul>a))m&$3@59+qMRMG**rkr+(?7@+Wg z1Rq0vvYmT4DJ8fG&<#;xl%R2<7h%Ug7tb#L^p}Ml-;&?e@9oWo8}H6=fEW6N;`mzJ zMxrzY2pp%7&E@C-A<7>p_$N5UF>74eZ(_$+zZ)NHUdLz{0RW>A;d$LU*sQLwY3$*0 zSR*j8(lWl$_U}wPD!8BPZIv_nyufN6bXSMB!Lkmi>Nr6 z&1o%Ch*CH>rR^WlfCMN7U_Nax7z>$;?Dco&Kuc}c%cVPwnH}@z7iZ9TefzcEGLa}v z-~__zzjcxPqob&xOcH=%6bb`2YJ7({k(Jl&%JlVLt26ao@2Y1EbF=lSV>)T`z>WIe zhmB{`i>H^4Rt`zOX2fJ4oexR75uNCeLuix)G{L&g*&Fa5#VM4)K#zrVBs5^kjDuFy zSw)W}bYXXz)C!Jun8ay(b+GpvRVV_e)!2X*SvKQ1fulGH`lKuf1P92ff`=GW7))U( z1(OH@5Ddi-@ny4whB10=naxo8ASnxtUTaF^bxgD8MDW!!vANsd)b8$S>^=D1&u?#j z#cY9}XAn*mB;&lC0tDql9s$nfV#1nD5em_)!pcQ|^+4re^Vpf%_UXUW&mR4;arSxf ztIEB2_1?nSY8RyKv(uh5p6*O6Utf4QQn`dV7oIF$U%J+KGTprLQ;t({?%m3c>WSL! z*Y)Ykf1P_@KfEVgJM*T>zBn$Fk|1mE?=|nu)*jui-8s2%X=PXQ>fJxrAHEq6)posJ zdf7UAt$E})=QqtAxBlLG@N8kG^0s;U70aCr!j0mHEu1Yby*}Ju~CmUOL z*S6nk9Y6AIWA-jf`$H2yV>m?vfWQDDF@&PXjS-`u2#gT`BM=w^7=|JEW~LnMYH{Bu z!6}>q7!D7zYXC?Jh7lM+g?(R4mLE}MRD=1yEflpyzysQajzek_g3F86i)YQl_d>0y z$4l=Tw`cmVH7J}QXcEw3TLu_G<0QpoS`s|JO29aQQaCbJUt z5dbKLUV0@HaDZmVydjxb#g6l7ojbnxruOK~{4TO~`trj4*6c<2hou{fyDCS1)&2R# zI8O4RQJIdn1Yi)5u&c|}!GvAOs~-)j35A=}vgk2A1=AY&$INO+57utKt{u9uc&zd4 zd2QSF=9Tjcv&}1~nkNrVHXlE%oZ`u#9Gx8TOoT^@EEDJ)Df75SH2F}P|EPVS%xLS* z>&(oDd3{*?;^|gCyg?qP9a1Q1cZFga!oNOl1vpq@m@!#cZ+QUz6_lhg3`Zym$6*8~ z0p5>)rGEEu>)I>p@{Q)HlXK4u|6iqhj+K=oMga+M0w!<*;A>&W@DwZ<1`q_sX&9$4 zWObo4I0Xxd031-O%PE)!0B6OUlGRbXy86ZdNh1IzQ1(*-hDi)TP!!+0ZL&gz*!mj z&R2QRac{}?LGI0^hhb8?ic!NbPwn=hg`rr1EQ1xsT^!fKBjL$^NoJV;GbrZ5%rT#W zHwGiV9B&N5$YE@RHwIa|1++=LF>R^{9%l^w3*d}d`wHBfvZSO?Dw$A@mD+k7lqZ`lBr~fDkn3U}YG*y!n8Z`aO5)k5 zB;tun+WM2U_kc`kCC;weeGN&ex{p>PL60O82t~5FOo>s;Wz4G;8ZvF=)csI37t2a~ z9w`J$c**J|%!pUCW?;4ZO!;s$oHCA)qIKJF&ShUlJ@KL1dTX#n%`RJeZ$Xw(vWmNy z1+io(l34B1aNa9PuJx!d76~MBoeq;i6Ml(QI0-0t&|zD1?}t_{zzsmJ}F5&smS{0X3XOr(;D@NKjlgI zJ(9J1muoe;rb79IYpm-`q4SPtjUsi{beK2yuCb=hd{_<}{;NHwnp2*1KJdB7kqlC( zbF0-AltOx};4x2hj@jk3E`uRdl0trvEo&`KqL}-SU+n7_KZ-#K=>R8+Gbmx?=2IxG zcT(F1wLw?VnjEoez5tJs+!q)%x+CVe6jFh_C+Z)uL=7gxe@yS=Oz%rDEUkb3;0#Ok zmRPF9dv2Xk2CPc=e4jEqxqd+uDx<315JF;9@`wKRyIiH+59IeEGKv#~asw z`qj#r*q;_(RIfB2OgA6D`ihT2*&8P>DT`8>$!LI&!6kvzUYOFP@^S8!n2u~Nokony z=<6S`ZzDg??*CQwN%QoLV(ZC;#hGE4a0t{j*@Nqei-N=ACwke~da81;y8BnPx4Y^` zwhqyvHBt8S>4PMYsVKyulux+x2`;8pe?FXo!2*w_{Uh?YpXLLtGZKSG3rlZm&#z7@ z{=Rgoa$(^}eQK()cX#Eu*7L{a-J4Y|anCxVjXxAO@)7vD@2wt~ySemy;ly8l?QYGy z#%=Yd7i*8tSN7FTUi#AzeWjiZa&H8!qX&*=#W<1b&!?A8&d)5}UfN%~eGslcINRJa z+jw&O+r^#LU9IV3L&z}h^NmJ}?Bh9Iq6|PH6iSnTxn=d~Y18@-XG|t|t-#ONJbN>hKy~}mPUV{M*i4n84j!(^BQZ#p6 zEjKS8o8KnpV9vQ}Y;w590ORcvKQV0|x?asenI9q$W z|BtmZkL$N?4AG)_T!@luGA2aGl~=etW=fIZ3?Rm_$zL#`R@{wdWNJPPJhPWe)yI|D zr8})N+ZuPDIp^*-Z||t`J)bzLqBlIL?ukU1k9bVuZr?bc+)NaYzB__sM$uokPQ7g1 zebc&mvHosRDwAZd2Y@EIQ`=4L($>qd9X$vg`NGX9-wup&) ztGzD}WK>~Ox^vk$E`=t?1S!tsv63P!g(i5=`~4tMY{Q3Qf<@aRm#Z2wi z>)#HmJVj9o6$%y$*9yh3JLzJWkAtg|<#XavG~3TNz`8b!~R>#MjGb8dr|Z@2(#|x^TI2ZAjbDgpHWorc0a5L*uWmMxmsM zdzGW#h$ z&>&q}**f>2_Gah8>H6(MjUyK-Q>}wf=AJKILuyyg|7rPt{r#cklZ|VahSVAEim2eC zia&Z+A7a^5(a2|OU7MmE7Ovast7O-RHZ6q`TqFV3=;0`Iee{rkfN_Li+)Mj~qooT^ zS`5JRD+@=Lrfa+2q1ESn`nh#BS<7U;QsC+yZEN@CixWBYkrkKOZS^Pu`N;vaUp7X%IEFL1S!zPz(#R{QkF4I6eDiTFK9@B zrcnw-ahMs!e`(e(RZ1WAN8%}wIJI^4;==k}r0CDF@ zy%-ltuKxB>>&}hT{PWhcS#SN_Hlnrf)ezBdnHD0lH~5W0{6;)}P%*PmOCf=L$*2bj zDtyovrH2OBLY!t?+Uyz)G1a zmS?AX2IIZy)lW$sPAH`iipF`5a#0JFGfSbkHX1Cc2$gWFyssE5a?uCE-h!Owl(8o@ z*04)^LU2BjU*84!1u_BXWoo_bdz;K=_}(J3*_>u8^KAM?(Z&T1un0Ii#^#=oP!_A% zZk9XL-)pq?@8vR^Rv~lPM>b!~J_mS)7ksTZWlo#Xrq{}h-!spDY+}a>A0irFTD!sa zy+Wqe8dMgUT>v3~Wp(X_vVUft?h$*h%4*;En**6#uO3#6sEjhJN~5*et*(#x1i{l$ zL$tcl5A1Q)YVelzD%WN;%rqO(b~oQc^f<>hj1?Qq8m;MjozvbPXPY1!_XyYU(rC

wBBZI;K^qWD14ZVH(!52R&TZOBk(v#3BDg zo!0Xp;RZUbEoZmWEGnzbY?2vd3WdsMvzzrQ(`E}Uc&u@F(an0h?9+5G|Fq%;rR#R9 z%%a`gzU*~gas!fTm5NW)kG!Ly!$@aUDJ?RSQue(}Y1Eoz7VT!bY>~sHA1C96rth8y zR|jlx`1!Ntwv0LMHw-B)oJR+hRYq7eC|Q>4f(4Ux zpk_KiP*#P@MgUbYn2!CKavOs2QamlirU(>ZBq;*Q0!RV{047)v&H~^A7>Uv-LbG1QLnB0J zKoB%aZGfw(NDPLe8VCqbImHBUQBo-_Rg`~ehNkB8+l`;5=4NZBxBt+5d4uy*v2dSN zB8aJa|8lf);+yL3>doc--?40RAS_f*^>yo~2f?K)wabr|XP3^gdU$yF5ro1pK$A2~ zU?@$a8-pK_U=%`;7(uTZ3x!fFDC;jvlO(hh;Jun(KFF(OqbcWPDyLRO$rA6CG;Is{ z%~`jSH4OXEFr_ez_aetIFK|S(ycamt{$XCB3^3uG_+S_yT048Wb>Y&&w#qABTfmJt z6QQu(C)A=ni>vc7{*yN9g{u_tD}_Z$CXA#{9HJxsjbiyOPaKT`cV}HNY0UIjEkn@p zTrVLrM93W#7Lp2CCdSFIPgKl>9req*8i&s<-D~c6%M&*#NT21&yLK8-`Q8i1UkT)3W z&A|1sY%&QHF%B8-_)-He$sNAU33J9Y@?L>M4}s=R!-F)Ufj~$ z{*ZmjyAN0^f&-cW1O@<1p%kF;0TF5k?cPj$l*^MNfiy+y_-J(So^)u(Qsc%-Dhv-2R zr}5P|ZVjy!A!uULh-V}eg-{4ik%K_U;V=plG(yuHciDlEWA>Z~c$_*CQz+Qkwss$z zEbfd#l@@52FeNSFBvsI6i|lD-y_+lBmR_}{X6xH;w+>tzUpU#=wzKkH^Ybg_X?4NK zj-&uV!K4^N2m<36E>1!N0Kf^1BB>#eHZh!}NdhMcilhNX;g~q096=HkK~h*ZCC~vx z&vnnfZUWwFz^@N-ieLw)z^Kk3=CG()0SX{AOyDersGdN`Bn?oKM$jHO$XZ!irj+}V zgP9kOYup0HB^y-;G@UKl$9*Y5lUjIT47DzvYaG5+JM(hs^vbc;(Y;F->Q|3dPcI&c zRu5KAR-Uyk9qead5`e-OLZh&Vg;69yVhD=&N#y_x!C(xq7YsXQ;!Ae@qLs42r3Y2v@d!(*3*AfI(CD=Slz zqJXW-)8EaXZXA2^;rV9=W?eqj-2IIFYUR@Wz46M8qGa)5<>B(X`iRP&Q=wX#ME>`p(z7xjQRoWVQPj7GBLg=hSIkzvIz0E+5G*Zfl)8 zT1JWb%d6wfXKy&we!qC3wew;9z-)c?SoPRg{r_k0+q>f^&OZ4UeTrr{dz@$)sqfvR zv)Qw8 zENi-`YMNLjhL>XKvMDQKjs@MY&km2crSa`i1U_Ib>I@5d8h9xkd>Izo8K<8l)9nFhAiu9zM-s3q9!&(ts!ZJrZRMCL{UwJKPxem;Y4hTnrfJu z)G#EmBvzL$N{VR64YE7fj=Ko&0Z7@4yqjN_78i?TkO4dNxPAAt7f!6*{n0C5yZO62 z@4WiYcNcHHd*^50`r_|5ev~-j*=t|P`%5n?1N%5$mt~;}%UF5VC;okYG=D@RSv;L{ zb8d5WGnpruh{WX!(kYTcjpJVrS48^P9frTYe08N`(VdaVyK(6-eI-R6WVZu=sy&-VA37LqCmKbFp*u zY@<>Zc)Qpr*cCqXd|$u&gZKW+oljo*;!jUJzHs}0y?^W1USd)28x|zff!pgs=c*f| zk*z|c;_#w(fj-O;P0_AzTwbuxY@DT!*F|&mMH-&Olk?i<*6aWC*0+UQFKm7A_b>m? z^;fq){Kt*Yw%&MS_T0@6ZvW%0bPp^Bdz6M@nwqH?x+yD~s#Xn0RJHz2xPJAjI=w+( z`w&&shE3ab91}-rhz(7Z^CC4}|Lg5vet+@v?~YL;im8~gX-c}Nn6j#j5jD7q6KNhT z_97)wlU1Xk7*ztKn6jvu5*?8hdy&h^`C0kI##!r3HAiwqWO$JqmoDgxoLfiROt*3S zNAF6{ZN2$X^UiCpY+ZY2>yx*(-uU?TPhQ!2`wutXzWefTufKcc%h!Xuzxw6%UzPcn zb*W+Kx+EH@U^fFgWUH>~qG=XK5U4lQhNLxQb&P05l40r%(J&NEH$o3qE_N_wQPC7x zRSY^cXY7g*^%eS&&rKP%Ct(x@0PvBuR>r6Lvy-vcIx9xZGZ; z)};;~X*2rNBAxWm8R||A6Ns0+W#nTHNWIPtv?d58A-vMOteshbU1 zG!)gS9Qg&t*D`fcl~qGj6eAtlrLKvhrWv9sHZ(&wWP--W3ebXX$QSY=w4hUE$)L-I zRFO^1&}GxmOjT*fdTKuhhePhVPUGzHD{)SFF;(Jxb5FzPo@G`p^=AZ6?rPSB^!C~2 zIdy62^5Tr3B#u|!G3>gqK6h%gdYJg({Ihe%PR)@AE-t#OZOb8aU0GfO8_)+=l!j(D z63g9p+#_D!a$Lxd)-)AUm{c!sS|9fNm z=l?gAY6aF;%p3XXPqzQ|(%sj7y7j$lU)%o8Ckw+npT0!28F99{bz(Ew&)(<)_q^*{ zf#bIwtJw?9)}6nNj`MAV+6}-sUN-*+>J5=SRz{_GoiPIMX_n zo<-Zi=8WJh>8!ey!sV)An7Yoa+q$MpnjuN#W;CO2zx-(H<3IlMqpdezp4$H4{X;kY z>K9b%&F^kq`yV$xIDg}v$Nv4Zw{QI6?t3r%_pO)zy7k(N?3x|SomefZ*{$EbIX`p# zwXK(5e&X&2pCZX|LI+VNe~O|9(Ja<%1R*j`P)cztfBPJc(Ys#4+lw`R2z2`xcWa4I^2OUI-;4$qa zhLQrqUf-h_N~r3~20{S*Ao_2;<+(0sg=H-WF|p*?sjiPgJ4dGaMEaDvX7dCy{EA!Z=t(61c6# z3W60)AAM`Uv@Ee9Nv{8z5u!!#<3fAr^@XVm@GiS4q$`(%xbA-zUa&L-K1NxD@os&2fOm_e*m2aZaSGzi zo;oAmW^NG40@q_*<)Wk+JNM}>mj_tQ(*3UIgk(dWxh$Z>6l`5SJU4e_5V2&`Q@iHL zi`1@lQke|sDrTFM?@$w9FR?Kk|H|5}O^+FJ!!{{v{^n{TGtRCPJx=f4wo}#hz&(PP zu{X3cjCtSseB~3Q=jjlgnc)hpj#h?e>EM~cHEB7 zVc)&c-8k&aVP6jWa@hAk!M@P2XQ!hX;hS~%K74f;y}|P;4P@X!ehz)Iu(XJ;$_kT5 zE)%Q<>>!SstDr@mm5!|A$Ol78Cy+tv*TK+RckIyJT3oO!Vi42FHj_tTe{!mGZ4J=>yinYwUjGP$A~Txs=2HpqSNxW(_2 z04b8Js2p79;5rA_Ik>(b`pd%wu3MU^TZ*V^y3v-jwyj!5!)|Cm(nM8Nm4>35ZQE>^ z8c=0RvKmUuZZ&mVY-*|q>^MRn2iG~c&cXG#F*vx+!F3LwDPed&t3cj;HU9 zZpQI+j;C`xo#W{T6Hn)m^u9N)9FpdcG>4@3a({WaAZf{Jw@kZj*>(>LTQ+K@>0OPRq-sox^mgcZDhow0zeb8WO4(oDQm&3Xo*4+pF<>7*L z)wUrSps5?6t+dsa0ZcjJBe|tWE^3_mdbF_S2=1QfVjRKc z2rfr(IfBa(+yiQyID*R&T#n%G<^IAET#n#!1eX(YIh@PkTn^`QIG4k@`_$)qsNh_1 zB^X-uaGchYl5$jcZ}c>d>T*<oXAQR{-$~XmvfIb^`Qzo}fHd%NRyN({$5ur<<1FB~5ROHbQ;J z4M1-?vPE^PH*j1KuF|{p)@azPuRc2i9io65VGzDdBVZh*<|y?(_hBC@l-hASLx==L zox^cE9HQPE-Hb!j9HQnBHHWA;4pDQ6nnTnaqCTJy zH76eL4M-Q^cv&aU1;K_lTyxyc)S4MNMcCt;kJ9A2dlON6Lm`A}9x(3@dlRSvxxer|2ENC@_ZZmMQ}g`~g(n>g_%OPD3>2gSyL%IhG(%o=^F2{BE zSWn})F2{8_uFG*>(R+-w%TeFG z(1SSY%TZsB`f}8F&!E1X$jeb*j{0)cm!rN14E23vZ$8)yh$`NnPWmlEsBs6bw=5s{ zQ^A$M8jhKVD2k%4s__4!DANDeWL11bQguVqHAz>rM?_iD4C4_&yiebpdPZRbJ|gZq zFZ$#5$+KX&Bdgcj6k0>89RM4SBLTLx(DsJH3h;v!)CDH$b-ci;L(kS1pv{|i1K@^3 z6DsO~b|5r+mb*43d^r`nn2LJrL(B-0tf=uk+3JmKa{j1I;&~5T$$w|{dfo=GXIpsA zs!i6OW`9w=>A1Gzb{JoF7{AH=Kr9h`XZTAr;XtR2xr&VH;v5>%!qVbgwBi~yS3xTv zJ|>!BMt&Ry0y>@Rjvdb3OFawePjuFR3_|f*PRrFT*Dm;2U$9)8{rOEV=DB6Runmu60-ev@w%`KfjA2>bd zDx8Ctz_10}0M4LjeH@7`fW9}}ERv*)*&2+Ph3rF3g6j#b!RW!2Q4%vHL?vMrGAz97 zp|b9_kdiuPHPYvSq9P*P1j3LB3Q62(7U7dM{Hiv=;KY*ZQ+w0tJT|7Q=8yqwi&5|} z|7=8zFmrqj-UMC0v_k5>Jba&8d_UZC&k6X7IN_VZvm-A6!t>9=E7p<=;_B%u+cNjH zMc1{}bM9mdzbd}QtsZ3wFLFy|7=9~pB^Ufi=$u0TGWroN$)M>S`GME32Ue$EDNWe6 z9ayF$Wy*#}OQ3qs@dM!2aT60}7=e$G!2-i|FvR96N)xrJq9{s%-f((|I$4|r*d&Di|m=fzN1ci=J1TLV7Z&2KN56-&;f3^@I*e3FLbSSAXu*8xa(HWu_IpvIzdqB zd}>)e@wj05f)gC_h1HQC2$m4-WW$MW2wWQsLtS7v^oBwo_`cNvQ^HEu@u71i_+4)! z^0GF%Rxt6n5aoGkcHy+p^Sm`*=s9a(Y9bqmicy#u6o(2=lwm((gnS~q-2}M^s#Ogu zg=WWOnIzQWxK*_$gj&5-6VRF|1;y6U_9I$6Q(>~mC|S=vCs?*ENP;Xp|NLXMy}E3A zXr8?FU*xDyb-a6!NAdbkmLy$Cum2=XmleMLdl1j`wD6xhUf^{>uRr5-TyF@z2Itd( z)mpPUAck@#oIbSNUzvFH8KDOHO<>n1CLXm01Ako-YUoN^Yv4?yP0QNEqb+X;sF&eS z(aYpMTuLN)0R_K0F|lq9!+fWwJKhY;8LcBD^z6|i(c&`VG(Zdb)YHw)08FrwL{u9{ zQki%(O0o=pI=Q@f1}FUL1mt4~(fiP}k6MB7+{B~jqW#15^yX>#eMGkkW$m=6wH{dXw*8f*Vxit_G0+jg11CL?tB=^@KddiS7cKxF;|aM++|I zgI==w7OfZxLK_jSj@Sy(%W{QijTI_9hqvii;^@<{%sKGv$Qgn@aAV^XTSlY>k6ygk z&OG7E<-C`qN@7(GO&GBWmPt~%N0D1;q1KgT6DwPg*yJWsY^}sr82o<3j$nQrQduB_ zzaL3N#mw1Nql(FvN{X4I1r9HI>w_#(Wn-S%K#A-jbVb++3ty6|kwX(IJQ^;gj=Jki z@whsUy6YFLY+s2L0;Gl1cx>qP3pIuU(OzMJ#!x8MdLi2F%-0$Tl#~-`p|nOj;ssh4 zvNKy&YosMsovcrD3LFa*6*$onnJseNOC>9ONh(e+s*&Lyf*@NBsKCT)mRiDa$66At z%oGA*{ukKTv{qQHF+H9kUHFpJmyqm3ou^6i4xIu|hpcxgohb@XG#!v^m7S_hb6$`Q zh_?7yspf{j3an;<6-aDA#GejTCbUXMg5+ghOCgmBjT5#!BL6W95v`e~64e=L-16vm zXu2UrmGc~hP-xMYW78dKseNPOd9=XEd|tBDft3mM#f~zrJ@^KDsFrKPF@kJ6;dNTB z{e;(d0?;2s(+@NYv%`*`5eN89DgiDf(Y2HEosJHOM8oJDXrloYvFeh3nHD0HG97c) z=QEz{(jikdV=g@^E;Yt<-r3GNJu9c4>=aF`+OpM`skfEzC3<3y7mC6+xF2o~K;(=M z<59<0KF7}XFu=YWPBEDkCw#L|D&6;1VvM;cZGuG8wasu1nYD}SC+$Ng^%D(MJEt2_ z#X(yfaHtXf)MTz7g}Wi?HkEuuIwjRrPI!scdFpBOP2rEMT;W~^tn1Uu@w=y`l1zdaelBz zPo};v{+SS8i8?#Zo?N-G`vvhCCNKaq#Ytt;atPvnzmh-@&;fzaw}yV#>V?e}c%e23I))Qr&;_nA9JxZ!9eSfqR|p0@VWaD`xvWiKnf%FEbnGH?(XdM#?QX^oD^snLeCG1(^64dXrZZ#U=z>^&56h-YGyCN7!t$y4*@f8I%-3RV z_zV8pyw#6oDUamz^4x5W#iexxJ%7&1CI`cu)g>c2$aqAjm(%4hR=_HMSV@EK(8{hk zv*{Drw3=x5&{ z5Qoz62s)I8e=()un^1ajEkGtY{EM=*NZMNqph;ewKQf18=a0w%=n;W!r0}E-DOAsAUOz#^j84ZU=Cp9Ee<^23CBQ@JeGmO zK0fgoL$%2-xbfp(q9t30HZGYw0;>bR>R(NH;Scc?^S_=MSi``vdQ%|38{?~(eAVI1*a(cG#7$(F*fP~Eoo1PBe&4r7xgg)Ec4F7?;ig096IJ3AS z96d6>GF8MPdmzj)Xh4^ul8r~^VqnD7Q-fyh>nS!@G7WvbRx2TPO`>w;3*j6f6^o^M z=OnL`YC;W_OCjMaABLtsfaGOSITVt=s^>tnzo=XacVi|?nP51VqU{+f$3jvVZu)$3 z7|zkpasOc+yCjI=JV=HZU2nT1i^cVpsG&00C2s4$x=oc zp`Mb+^r!-I*<>lZEa_3jnG_JssBX*H5vRH>ZL^9df@9L ztjpS@e3D&klXA&+giVTAc9i-;!W~whPrSqG6UH6ggNn#^lcnstxCf!%>1n8lh?n%C zJVIVP4TWmbs-I75gZlVO7YO=cm%c&>|oqU)>(9!#pl z>J(PUZWw#nHD26HVY1z=7k98e9CKw=zLF|r^<`_FT$)#@^+KZGB!lS}x9aAAu3eJ# z$HG~XCDD)`+a(mhlpDO1OnRg!?&`zuiO(!(Gx0aJSg+Fn|FCEgyR{l+E1rM(h*dMqTw#nWS&5f`V-r^Jyd zvz$1lJ=g&^F10+EFL2*8roD_9S8jTk(0`n)*S6fCj>gIAWNi+-R1C2 zzNeq{>#>$nf1V)PVJ%t0UE(}NZwjlt+EIq|G6!v7C#!?Bbnz(3-*k@Jwx}H`U6l@t z#6704gD?(`kZ5%3{pZ%F$uR~jja0(OWN6HxWU@7` zFsi!}DKlSPw(={{GIJGXo1zjiGXaRJFf$ortdyZy08-=3W2z?g1qo{tPelweBvum9 zH)#zqlQY(kr76Z5;44Z)!tTTx7%We$!CMRHZjvxQ z^j6^X(XI#0)Qb%rBKK98xY(Sy3R4yw8MNFQJp$N^T;`!JW+x?AfsEOanZ3zsnMM7KdVUeNH}3I;hcS`cDP~sw*Z(ONGJYPn6cf|LtP}Y3LZ|tMw zQ+`?H9FzK6Uc{UMJ_f%w>B!9KG{dm1Dc zVQyr3R8em|NM&qo0PMYef7`Z_Fna#I`V=@y_a^R&lI_GvS9^N)s)5`Q(w^S7 z*M&$(LQDcI0NPR0KA-*hVemqbqF!w0rQOFoztdPGFc=I5gP8#^BXdF$8RL{hJSPGx zE_#P^EL3-av-EH8<=Nfc-F^P-8T`AuyIcQvZ~xizzwJGH{^H>I!QS(y2Y=h$JJ>sT z@i(;lewttZ6jEXFx7~ZURqxziW|MxLwCndPd+T35w{MAt+}%2^*h{^yryue36Zg&xq_D?C5V(r5vkCE7Xl5=k0rXH zYK{cKDZ1ezO^}QU!-8_zMd*;HDTx)rEJ1?kPPY(J0#BzjhKjsU$hN>{-PW9IT<1#V zvft~KICo>7wP>u7n9`K=dp#^AQL?As$zDU}x;dM*uE^qsi$wNYQ9yuJ1YNNIP&R8t zNRXNC8|4gsq!dqRO4Xtjp_JnUUIO|NVnp3=aiy!9jmWi)95FH_TdN20x;|u|dY1gpeVXL|HBJj6-`@hTLH@sZ_I$rC|DWwY zeUSej<9UPzOv^lUMHYxkB*?D?6(m85qnI&BuOlY0vUl~%+Q1&L8e3y7Lx=~CKbU6;!{8X=hUF7 zBuS^b`SF}M5LqFWu5QatxyZ2Uw;r_~A+^X!AD!j+*MhVjp#&@3Z#_Z?jn0R|qtW5u zWOz9^Kfe5S_(LE4R8`D>B>({^M8ZM*IS1WLG;lA3abB)Z$W zRv)!-o_DJ>fttD>Km$HCt5BR4QW4Q@**{J}R<^T6WM9-9jCq!GMwpU_W_YH_qVzf- zyDj*w7k5EsR4TFPqggEUavH232q`@4qiZK|5z31+J?ANn7kxBHZ}39uCQtYbrR18V zn!?QpbXzH(o#--s)TV680ax7vnd6v9O_d2jH(14UlAy_=NnJo#B8*Zhm8OZNjqJjT z0Wd~HFTq^&(T_iC;KxiVQN&6jC&Y9k3CUBwK!QkK2;DFvF_99Bh5kyJA_B+CEcPMQ z(NyrP&hiPC^9jcy>9+izgIL4sBP9x=(RfKyUHzg+iEaVsdAewrJukVq!6G4|HH8Yg zd>^%?!Ysie0dgH-h0zI@5}gZjO_p)} zr+t_SO{Eq?oTUpWuBCth8FQutPf?y?2Eu}Ik9(h$Q;j!#0IwJyuA`CEkPrLgEy_p$^NUt4=B%sF% zMih~~3^P0vrrJSIqr6-n$I$n?DIv>qWz#5IkH?4UP%B0HK=vV(|f1;LpysV%J6%?isuR7QldC5 z(iCasmr=DqeDVgAe9a>YQf%ZJCZr?9+|z1Yqj66HLJG{b_LtQC7YWBR3x z7*B|d3aQyg{~fs|Tka2sl3o;?08~6B!VdkmIK`aBBv-O0wVW+d-6FZBv4+yqn5hV} zBq~AoT0t{TvDb_ue6jfe5B>ecQ~bqVFTU6_8WYS+a1(y|J*W#j!4G)$h_BWp9}tW;lxZR zgSA-k%F<+E77!=N^w>$FjVUHID{DlYm_#{%BM+SflBvb%iOKR7I1!-29UP2`-N`>@Fn#{0JC}9$%oL?2W zTbs}mOIe9dhvUn^(W~Rrot6b)+aKw=7et$i@DFh|oRIBdrZ-iJrKnW^ecE-z!oJ zOl%rsZP*)8wbO06#nI?wRyol>kVVn_jZmByeRQz9o7vwP$+%YE4)*q6QFy26L}abT z-g1q-{V$-#BQ)nXDCK5u++eC;nFIyp_1FmJm}i$RpDy833Hu;xnHg`^WzR`|Bm*IDKN?j&pyMMH zQqueiY3bfnsp;O5d`>bVa2iR)h1Q%kJ$-?a;1$4o4RD`s4VKOr7vxfk_)@C?vX6-A zrZx~d{s$McdU2Y|KKh~y|LdT=F8nVnlt^_On7a5Hm`oC(F16^mv`T@Qb^4=9>KGX)$hX z6i}V2Hmh4y|K4hylDFV1f1IY?qQgm2uVFMNyISiqpdkf|W4ARTq-t$dT_Zh7RFU_r zpy*lTdac&+G+1P`KB1cyJWcg-BnYU6db!E8&ID^Sj_1gG53K9n$dZ;?`Jo}^y)4zg+e{KrW~VF%$}&fxX)e{X+x_nF z7opE$91Df|U!ry!MSuL!GB1~3U6DoomDDeuSoOVqz1K!<;}mV9?uFT{>w4E8Y6t9Q zy+Tn;gp%zY50Xwb)DjKA?Mp;iLf)d!WEb2~?HG4sq1xzo@56agE1^;eMRw5dX!877 zLgH%QmO#1+4dr#m8_Qpj#Zq}hQb~}jicVI%6a`)GwNAGMWaR1vt9BrE&Z$#$5nY z8w_Zy_QjCheEF6v{0G7k_&bWC%7(8OSJu;QoK#m|fIs4TuXROP(nqffg|&kDym;Q?!U{qaZ3`CpV84_@W0ulx<8E|y3jyF~SjF?<+uUxLdwV)US7gyg zRnL~=k*)@23nK6G?xXf8SI4aFzgTyZ{|#V^35n!FDv~X~2frXtqKP+_x=<47Zs@MZ zRktoMn~`l0Fi7a3M8Bh73$94@TfmJ=Kee@Z&0}C>KdjSJ*aXm@iKD1Re@^sBntA6XgD(e+?fM>mIJ_7R#zXt#_4!fx<7jv?v_ERTnkZCe?Hj4Nb6TX5 z_*V%g8E3(ZH+MBcvzta5^Qil6`c_ z8SGRVZ_x-gA7mfx?fwZ@g2fKjwqU%(v>ZQE=wY?^ zE3Fo5mV>2nd_NL&NlsN*?1M`y*t>d=SATJNb!|rRL1H~ftPd}-)~i|XOMH0=WjsF> zNwg$P<|NI!a&9F^E=Xkkx=UZ9grr1~D7XASAyY0$WSmA;z6B6c- zVwJO1DqCKpgTrgJsni*5RH z{A%#^@bdii$;svU*~#(Y50&C@?z&qZqh6{r8XjH@$D_XS@|X`7!>^A=?*u_2fH5?}jIpKD*QArpv*p z{iBof%fqwNm&a8aC28I@f^DhB%i|M0@)xg9sv}>X(>7Jc!;|5w;rQZ*%j47W@Z!6{ zNgwU$mHzwV@i)5Nr3UR$>#EiWrH@ZX=flJC*+sQZ^^AG7p1rJK8EBbN!^;WPnn%O) zld~T#kA|<#s?GVskJa*DpPYR)IJq30o}P^dwnL8pFMq6)BpB&U+g{Te;?zixFK^&-YUYt=dk2{ zJS?Q**@bl?91*yzPv z2A_p1DVr537PXo!gk;RM?e8_Nq=nFR#h;0j1Za)Za{>3(4tZK+rT^!R$i(RR( zDr6VOie8h76LS#0GVX>6=PALg0ZLBdZpM=;gjeMYQ{P;(Scyc;nZaBB8140c?q)J^IGXwTo6Rrl$SS*W>h)36!R=A7*&fNh!{F46c@6WXiK0c=`6w` zo>N6)RS43y_V;b`m~ zvu3314J%)Ci7sw@G&L!k5@G83ORIz>Ij2mSTa&N}f@Cp)yD#qSJ5sz3_R!p@ocN=z z^#aEX9pa3nhuS>+xMQV9MMioMwi>N)MXDDz+G#?kKa$=zYwv|rq`d7>o&GP`* zgkV`_x|L(BpI9$mMSd5$9h$06h`Y=879!G1pSde+w= z_?iUw&#AfeY?wvO$pYOFK~Pc%Cl7>!K5itSJL?MQwJFRIE*5QbN?Z^S)J6vQ+l6k> zO{)}$-2mF`u7pS|6(X$2mT4U!k4M8dx3N=w%go+V^;tL2Cg#owpDj(Etp>ZSZf_$> z#09ceutX`JxhCM!J4jM2W<)grbJza5?v|Qicu_0~Mg1HN&o73DgYodF4>uLYM5+rj zrv|YqaB6&S-9sDjAwYEnfkK@vq>u)4I4ALyY#OC)h!jHTAbXJ=WsAy<{*Kpsz8UPH z*cP`_x&dq)9#Xj7>;{A5^~K4ZdgCgCe5X@Nv~V;ak$$Z>l7uDb^TEl<=U(b5-bLuO zZ0gAOZrmN{V-KUOtrvXLUJR{h=>f3}w3u7ROt&G772jN(@SCHhWo|qAd|iW~F^%n_ z=HY9VPIqZeXY&RaM0c7J7B6}!zcFzlc%kyb2&k@)=0FpIO~4Qh30-UBrHRBj5fHb9 zX{Xm7v5^5tf$RArszctMmR-1{Qu!o)C70BAk#ao z`y*c)&3T$w%GvNz-h4G}XwIhb+=WDF(q6HkypX>3ETIcW z57%?8BJpB22Xjtj1|O}=^4O}aL5QwK=->K7ETw7N>}o)3?IQDl*QW7Ht*@t6J_i^! zHi*_wU1YC_YrC$g-3V3Anblz~*_Yu*EX0zG_hAgycCMMf?FNh!cs^W$Q$aQ;U(4#L zQ*xG-&-KG(Bx&<7Rr>KbY%ww6Sqe!WH`ZJy8IU%Dfa z-;J$W1C;!P=WxU(59!&E$EJ>~xS7ae=bi)ljF<}Lu&(2PI4_#U-Yt54t+PvO!`n-a| z+e{$?_AfSr4AL64zxD*$z8`<$`BQcRrqRcl4ZK)`{x&M3dCm&e=t0w+;f1nc9oJFP zsVv6lxysd8?b&J#U@NVw@uOromvgR;kM5*-`Pz%lmvzuX6F%vZ%=Y1A~ptD8A4$ci;nouYM*4%--Ecj>D=)?>S=AyvYk+1|n~ zrZ!?JqjFvvwoNJ>w>x^4UccBwM!&e|Rqlg7XmqQts&p__L|hP@Ebi3d@kt4wT-C7t zfS$PiYkPGEWh9u$2QL^b7@wvAD@w5*NTg%R9md zj4cd-fT@zYB2MjA#S=oo(-iY8Pl+O0;7lRpWP>@phMLaDdO@alq2>2wb;m&7{&g+{ zvsvIyQ!F&jA(;`}TS1lxNb&3W9Fu6B#XYE%1tS$nIFEHn~z zaDH6h_zOaOuSRy`+PAzX-`GBE#jk7_RoqwYBY&g6eJ7k&J1e$ZV;g)J6=W}5#L=5M zu_r&YumJ~>kzY2NC0@~h-vK$+%xon?(nU7JcNx;O+CawRs}-8c78EhJ0ydN7w8rC2 zB&ckLcQbqHWxSrk2iCAsgLWoHyS#G4{Skxz-UTMqTX@P3y$ig?bvIX$D0X-aI zRq^cr!Jd}ZBf$I7S_$vWoJ$A{R?|*GmvRJVs9_u?MNmRu3s4?4SW4EfZj% zF$DcpeV{1OAY3VFn-2=^)o*^{}U?Uo09aLz)f?G^7nN`}fdF=5`fJr1G zZ!s_-XNJ7!B^NH1a>o!;D`6Y_HNQ+b?*`$Re?d2J)Yf1Q_GBGRK3zR?7Lf~DQG?t6 zV)u*P4#Ltz{Ki@+BMwFtj7`w$_PBNtdgT}pWQ$L|ZZx(fLaGz+X+ zC_cQLsS5= zmaloxJH&TtF~-55`N{$5%X+2`^INS zXMLk~TeFSo#a@dDl5`NH1DRk@+HA(tm}s#tNDMZwJB0%3pjQt485Ez+VO9J0KgEK! zTnW~lQfZ*stNaB=GI-^;w6yCwXi_MI*L&8@)Ggi3>+C+`iq&nH`M%l-JuV%-TRWkHvHBDH zplewEd0f!zMgu}2X#R&Z(z(6(ITrU0T`;)C6HY zt-LI?ooV)pIno0m2It4f#jNW7#G)wriGhqTY4hRgBU2_3aPxURWY=7<&agz78Ky>9 zSzTERn;ffoL)@b-($cvRs*~71G5DW?JcKVfw`^tbd#AtX(!CzKC=ai!S}hF!*`tJf ziZGgT{@4$`p-ne{`7Pr&tO;+8O=A;SkUsjUJ-Eg+)tcf@?GE~>eJ(ht5|qvK3oRpm zY9EoAzzIoyYL_iG!u)q|XT2g~M!qGBFLm1ij^^t~39QI$@nxoqg`ZO@)p(JUFEgC$ z_l-^b6cm1i^LjI$110+L=Zq+Pz1J9=E z$!boqRAYgeq%P9deU;~Bh|b*9U+k%D2n*xru6$`dI|a``6c}bT>E5BMt2JFS(@h+! z2{C&*x(N_?>B8<5IN3ADYzBKl$5V5b*}B88^dtezirI~7e~R2g)N;m10t*Ig%{V3| z>+vcSom&<%LTHG0-3zdx)$Th+7K|~J=S7AYWCDl8?f#otax@*Bl*SWnDq02K4%voL zv1bWu8T(gN%JAD0!e(mTM^E=(JpbaZWNKLO?@6&`h~X(iO_DNh-K;DF{8i=l8!V9| z3Qe%KDT{m^317Noy(}gj2s+!;NVx2yy?vvn0!qsP`riKBZRiS>=s!9&Jhfh3z*6iZ z>oq;#UlGKt+jjf0vJSb$-1TGA9HC4-f3}K0D5F`C_0jHH&d^K!j5M#uf?#=nb}&#% zJqBw*I}WA%62_FYK=1@1Y0K?P}&7i4-rURRC7o4Rz^h(Iv1@uTZ`EO zm7*9_@1;p3m6n^<^;JfcgF{$e7dHZaLShWIikMI(uvi2pnsxE5#HEmATBPWSBm{LC zPss90v18T)JfSI7;D<~|%-J-h)||?6E)-rJd&A6dL1yGFqRP9qs6jO5>I9nzv()r3bmpgqv0FHA4b1uW?F$y9csFs!DuD(EAEV^Dr&a zMh8tUNRGvO?~P`kZwMA@La^GRKa~S9{y_JHXtj0On|?3Uwo%k8xScgBuim=!p1D#z zUQNtqO>>%$*@OsK!D(h)jWwPx+z4nSLL7>qTbc z&G&KR#r#TWTN7~pmVswY)y<(Pb^C=#{Wamn*t)lA*xsyrkAl)de6NzFaT!>8X(nVJ zLZ_M+iVHj=;hSPo%Ub9)U-a&eR;dIVPm56yD)Ieo0&N$xAASZNYnNLEN08wB9vR@)=l|H--8X%W!xVDMGy^Gzq&73m7&% zKRbftbHU;dev6la*StjFj%x_OQcFEq{Rovz?w95q&viUT=YzwKjSS4ZkWAI~B70Kf z70#Dh+>~1!p+`QOMl~^T!eiObA!a40-?{)W|_8$3BkFNKkm8129xp#&4lMtTKvK;bK*t=5<%q~h9tgbW+|d%=^1 zHc5u;+693~3Xojpc-srfn<0NraH{6NRX=f|`pA5VAn8EmGbAJ; zeTbMGe6Ze{Ba-5UPhkEu+#=F;F;AMmS)WYMgHR^a^P-o%Gn}zBmvt9pO)!{Qc@CX> z_Uvh^&R#B&IG9Reb=@y^zt~%<+(<1!a6-2nu)Wr zF6D9({z;`Qi0mCafBNECz1`Q6h;SFy1d@Nn3sz?9l@Tx0rbgyms#BtFxVWmO zm@VIz%(arWs$(61x5se@ajZLXx))gvmv9kXf# zqqT#ue51p>S;D!gdbFATTf-0G*0gdwg>09>%IDs|*wti)FI`HCFUp!rrbewT#Zw;* z(3c5bHnkYmxl^NzCuC%e#IjKMwyD`ltxfHIYEQ?*)AX$O|LOU5AJ3n8*8Bf4F!784Y4#5BBll7jzIZ3mwoCBxywT%|RaW0$nE&Ljp{h=tg z28KyE7a5Um6S{WHimo*|lGrfA6&N>!&gQC*+Rr|wH*r%=;wB@rN{Ve;zqC8()++kbd+b&Z5^C`0eR{VW7PE>*T-g$Sgb0&` z0G|sj!%Bu(8sj;JoSR@*A{-teK;ay0?621KFHL@|pa%%-vCH#|vw!{YWvG*urOPb+ z=%*U^%4n=;Q?6=s)ZD7Pf3u7?wRw8B+@LRco7Q0N$0`Ne6-D4&x)D?n6h(|jBA(Ke zL?)$f1zHs0oJLnBijztH*FXbcu#zt`K_f6?9T?soV3dk4F_yS-lvs@(t4@4r_~ zqXuuWoCiOmc%3u!uk1_6P%=k#mAiyZW@2+lsVLJY^)fSJ7>%4S`#)fy2d?3yp8G*u=JY2?B!eIlIQ zcGMb-b3%k348oL6^6`mqjX4*I-P>Bp5a5mbRK%>D6%A5(6o)-c@|W;8fRApeBNyeAO(me*H7< z_pJroeKwW-hVavmw;^n9Go0o4*MhVh5tjFGDh_{3)!)(N`7^>|)A8lqoLZgywMZ*< z-o1OzB6`#OHwN?l1i+^G|Ki1x|M$hS=MVG$V>}J2Rz;6`P@wLlK)KC-f9N~1C!*ac zZwUAn^R$n~hv!Q-wB9QT%UiN3$H`YX#VjV~#O9{?uhRRU{@Qr|bAR{6)7t!h{$lT8 z{(qE5^XzA_P^kYUYPV4YYfOYbyCRGFE2&>RNjbkNa@4-wYooSN2HH(CuU$V`+ure@ z=u|`VfOYd(y;!KWS^g3dS8;1B4}1Q#@`$98Am0=*U7ZnjI6&=@ z$FYr`K0ny4;{@fqhq_X&b@N3p>F$G``B8)M`d2wockpLFQD>Z8(VHvzaG>rla-i-5 z;dZa1b&!`-ah{^+iYy@T1L_r0^in$My}8bMZv=tAotL{8V-R2nMJBct2$6{KT<|Pc zC{m)3sw@N`b1bC|1xgh{5hMW%*cwHU$Eo3NNzY2YD$2!##41G*L!Z5?TzCD$x_ez( zi(uxwxsprAw>AMYlgt5wi={NK1C64o;2HGbOWW`6n=AR{R%EQkZr|d_+Q&V#w#|j5 z4{{-B!yW5C<=y7L@^L<#;omrmxe!Dt{=SawRTe2X+P6Bgx8=>P2+{-S0WG8NEM3of zxE%EtIaK(8c0B$x%H`glL%IAEZi@Ouy~_sJJx=BQX;@&tedn7r0sU5;-D^6gQl0_& z6bH{fE`wjrk3 zs;UMLQmOR2R@T-82;lRoZctgLn)!TH+rRqMuFHq#Jv>eR|E``VCUoC>X=Bs=-@(&^ zn*aac>GNj~{{N5hJVNIt9y%n{F@tX6#ZC&E>h&7sIKIL&BD<|eHldEmnkSK*lQczI z)R~xql+8LwkQ75|GDwM4zQ-(SJwlAkOibD*xgb;e)n)OOR z6C7U^Ipn;RtgIw&FxxIo z2=1BUg1>2XuVu^=()%k&$fo&!a(p;E9Sz@G8|&x){`0-PXSMnNZ2#Hr!~Fjk58Ct$ zavaYII-xOPa%~=9tFfW|?rsPDH)aJE3$(wxyDFUua<1H)o0~3%X1ZL=dZ}qj_P|p- z9$vf}p~2}9Iy^f)IvyXNosQ7UvkUZkH0+>@;rYec(d$F~x&x(-jz{B*)u3z2h4WJy&&;BJiC7D^ks zBGD7NW2*8SB04U`BR6T8^xqx59-2fdWwu502`C^?h8dm_Na4VzNEY$jBG&QgkR~=T zKL*$#Wp1eECN9tuN_Wig$T`h5q$!=Mg*Nugm06!M1!K;9A&Q%H@M z6JZ@6me0&2fMHo;wGsG0+7N5L&S^QsHx(u?XJ(S=;wwmm%o93ww@TaqQx>NMkYZ9O z$V-vZj4G3zTk@&8fwbKwMyXz&JAUq!wjQztI&S`#9u}h?l&GJ9RlJNkW()I95Lu)! zKOl2qM&dbUH1?V1A)!|pqhGVKev{gtQ-qNr4}j}bJLrATm2Sp7%c-7FCd$6;rjHI= z?Qkf)V$QB@?0XHz%-xJ66q}r3Ww*cQ;%Z4KK(IQEF~}j!Y2_54%yq+007E+4tqdmw zVVA+k&i_CzLGEam<<^9Y^>V>UH^vo>i5G8%QY6uBYq6q~URx5Eg+XI$K|I0CZV0&*N85%gmP3AwX9CLvZ z-GKtzqoM29L^@cJ!LZ( z0`)Pvne!AT1=6}OWjJjZ^JRJL{X3{mK1)3YDd}PC0K8o_1j(?^mn}(-1#pU{ z3v?qRf}{&=C|m*IAfV-B0sfI4H|UfpBBt1+=I;b+q$lbUQkpu1Ps>q1)S}$3@r@&1 zp96l%2JLwQ+6m{@QjdoQRv8oE;UuBq070*?GPSr^iF_xR6iQ2d&TyGxNEVZfDl0sk z-T~YNm`j`g%%cZ#d`YcvqbzJJ=hdr4sHkYE49#nPpO86Dr)7ruhE}#)?NQtJ$>o_d z>%AAte2QRGPH;x!4mizm3Vd`UbUg;jN5L%hku38}TUPRf(sWX?oGd_p*;%_3dD#`V z!C8P4$}mlJ<&;V#JK>V$RUs4kRfZxQg0ku*B!)H8mN3JwS3aYycwH+bdM6Mg6)p&< z4e36qj0?!|Y+B4fURpKsdyshL(nQ`mB2@e8_%Y^8<}@yNA=3rQu(;BqPn6n`Q@Mzw zGX}DsG8iKuY$GRXVbwn63Skt^)oy!v3fJ^&-)%PoH>x}#0kwS0YK=m2oe3cf2@(^K z`(c(Za_<k> z(GJQ@UxU%h@D=HxIld;KpIT2Dp2g6ojWrvMD7xK;A1$k`@L)y~jt=|>Tu>K4}&KmAd$_2~o)`CkJ0l{=PV55%+^P4h+QHpP5L6z=mN@iveuo znw)0F2~{p!$ZGKQj#i15>}a9o$KM)$dZ^o{XXE3;VH+v(Rsp^Bw6kq!l{;uBoLzwk zXqYKWl!fsMKsnPB!}(mWF-xW+jbwF)&qMNCp$3w{bOgH4*@mtGm}Uw$(iNBuD~MvE z&8g5!Z>yBEHBT`dMYU*Rhhs_Wl0p@(l527J&rq0Gm@J&vRRE*f1_KZ7^%af?&~wjGlVbZCIrm znS=2L<-wTJ-pPm4zUA=Z3Q`(}2LviGkDR$pqdiG%*>^l_=``X9%-u-=dL3 zrBwlHD>&nY@I`HO|2rTVZRaRlIb;mq2sG9U+F?AVhlu zs#$<$z%T}cQC$7X#(M%A-_zOEjz#=1WNgRlH5WJosg3Pcm`$~1&!|nw<@1n6&KxEgP3vqgM z!a;H>qjCp3LYnY)L(Ql!ZW{wV(bUbpz{r-6T&DrZQ`hIY6F*qF`4@cafr_u50%ZuaFuZORO zr{fNKHM}_dW^g(le06+sJpKV#=;iVFbT~4{2L=|#`QT!FeE9lgaDmQWU!0$fhGw-j zyM-x9wXG&|&Lo9h2iTc0R$-N0aGndE3#!#~=v33>{N5Y z#UgOExScG;g$i8;jLcFxBP=F69lzV%skm~z=Vv3oKQW4eLte&511 zsSu8pgx&Gx`C+7IW%=L&P27;B6dJZ30T^1G;aSy(uWP#_0p;NUnUk27PBzM7nrOw= zY$a#~#`tt8P90Duq2oE$Bq9P~VfM`RD(=^6S){6N=mIqhFJlVxhB7;tfm{te22a-R zi94)xw^MEycE)*fL(|ZAc!i|md5&kK13E#W5x2Pl%_)dU6Dd7OvfHb6RLT=iGQf!P8mUYzLn!!e~lBo^)*Xddy;CI*}VUsFi*T z;5(8rs{DNPySJ&s9q~zOy-=XH^t9N~ny=Yvp%NA;YhO`W+3q1-^bNn!mXI+eJ;8vU z0pPNKaH55!!ET7xx$U+HIC1T3El5i-3iyJiQ|_Xa620^k1#Dn_!rEq{QzM`Cgg5gY zXfyS+NywD2#MGGcG-+_1W08R*a>})*VmX})Ap8|!5}~J$b)t5b{l=4pRW`~F zEi?s6ntEmaCg8?EZS=Sp1|FUs>2+b_V_}0bWeW+ zRBrrU5<+OaWrdDCMp5-9IJKJ7ln97sV6C}MY01OoVu=WgQ!b6rp9maZ5hYRk$DiA! zk&@!rt#%8?OdwUQ)fZUOUG(ILv&a6tKrlxg@W1aMu-3s$m2+OCiB|DF9@aVtmhE6~ zR?ii=U<$wW8=+v-8w9%OdxCH(ITFN_wtiA4#i6X>8!16!HD(v6nYmkx-PY=alt)%z zhtwx=)D_#gpy0UHGPteRit5g%J^Z54Bv?|vA8#q=_FcVurgU;(5zpzhla%FV;{NXb z9x6klz*ox?Nnj#Xxup}H|3pu80e{4D=RY+FXMX5;Z&oYoEq7WwW!CBhN$45KYczq8 z&nMsLiN>=FQ(4(?aV3opsPi@=j z*+8}tAr%xHPlFaSr7=n|n-zFQ(2QRb!RiP3taGGP&*gHzx_^b^?hjAxX*&OZF&rGd z8g{efJ+-kp|4aS;&$ENQhy0Hp<@x)MUsLr>F+pQI`}v7W0Zp@6SI%MK?ow_uLietF z3eUnwHU66CoTS-KtJQiGEF0*|U5;<*W%$SPOWBT=%hlWUJHDEhlNkN@t-rhIZ`+sk zs}~y+9?M?LnO;m}57K@lQINOVGx$ymR%^J_Y%QQ5%L^pMc1H>PsZpE%0@iVbuZV=x z?{IxcIw|fCTbg|W9~~fuQ*p4nijhe%2m6q@(ngdGo{lKf)`B9K^D?-7b?sfNf|GgEVZ#00X`maH$ zk)a=LdIWRql?rlWc0+@M*(EpV@vjGKfJ5Yj#iUmzTG#=S1e_YDyhxx4d$-<=31I&< zQRsr?938VMZ?%5;<(CPT^A_}2==V5D!pKezod6S?Ql0YZl<5UP>}C63e)*-8QHX*1d#|9Gg)=hkBS=tpP)W^J8>H7JA5>&eKIB zI%BBFjd6s2oN7BOAeIsorzJ`?dh5~=6zT0~Q%x&Neb*voPU5R_BghS} zZo=QhN0MjmB1x&~`gj!GR?BY7yEaLJl0rDYrESqVX&1bBtcT9(m*qAy5kgBd&9RjssoG#9Mb?ftCd=F zMkVDlX`QfOZ1^x>o&keUXaN^Ny*GT)#B-IzzR)rR_d`?q){zMM-a!R(qvHjnFn9Dj zE@m6h%yjt;pR{0Y5er8z@D|K4W&PTWsbX8U(-h67xrerWP1>#c_~;RO?VGXkJDV5?m8t2G**H0U$xYMq@Zw0?AS>nV zCX12)ABgQ5d`-v{7pcLvbVOvB6|j97rvx)?Ddr7~X$LA6Ni6|a0;v7TN^PMlhbf;4 z3_jncVG5U;rg4MHY~?n=g_8raWT~VC>ak(JTC)dfZggO8{A}Sp8EgrHU7B-z0`|L7r)mW2+GR! z(+=8#5e&6MMrf^I1Y5G(I^+y?0l>wiyZj?Gcoeds*2Hw{E0`K^xSSBFE_0zZ)tJbh z+4sD36uAr%-R;!ojA4Y$GscwLW;rVv6E0m*P)L!DS^|zs#K?`i7Sn1CP=?=Vpg>J` zTgIHkLr+qAMbPzLcfb1-MgK(C``z8{?vB4GCjD_#0S*_;T9j##f)#AzO$0G_2`xO$ zmvFTZ#=@%hdM(sb>Kl^gt&k-(5khZdaDNRe^kah_x>iYr4XihuGE~TxRj_{y)l+kU zLM_lJ#qm`MOV{a2{SI_56--QDrw2DflS|63sUp4KRP^>h#Ns#hEc(|sU+?|DzsBF3 z{_FVF|9ZCIzg>vmz8LKM{lSs*f6mk7|G{}434)W1ydNLX?fpLo2QMDtKYWzu!TDc zVQyr3R8em|NM&qo0POwgb|bg7IEwo-p8`M1`CIZ4Crxeh#Q8@pwcT3jflE>+C(9=* z4OW39tRhebP?VTXzsUV^zuw2Yk8l^pLQQ0mqK59U*0Niy0yZ{)jg5^xK`@9$_@;9< zflRdLa2kEH@u%DEc2ACu)W6+sH~(+%GU2-QK~;arYb0-8?GA zC*cCJZ@TwxE8n><q&k6Qr!WfpAcjm3#7c{Wn8y*Ew+Nh~KClfB7`>a9mcL1cs5L{3V@mqq zyFdNZYabl6yRGhbrNzyV8SrM=HDHYYYC+5n8ZeI2pNH*U`=}8j9xxmW_3qT+HG~|6 z;4jG#F@gl*0FyC8oP&T8!DtjA)|gP))I^Aw_d6Zaq{O9x0|{+}Bh>G7Am>Q%j(o>m zshEr#H)wuKS;+g1mP5E@8)~!wLE@IO8!U?^L-g0uv6wV1lMl@^mbz97Y31W67%Jelvm*M-5r7)p9&fRR$Bv z1z>25xnPnr+dumtlv@$g%etf@Lowx8P*cnPNY}Ng73u*|JxLjI0{{WX8PwHE{gn%b z$#@@-B#Qn~-g2Bo5r}Do1KG6vHBdkL;9~TSiUC6$5z%OAJrk1C@jmDk zfzv1i6U^m2$uVF^ZY5?k=q->N-4F&hVE1AK2o-=Mv2Q2P-yIckOG4&I$m+eWZhD60 z+`iT=yuni}N@f@nfyRiLDgN&%CU}}m`(2Cf>69jNi2!(dVCb1H!SV9OUV~e=N(a}T4qmxw5kbiOp?({>8xr!AMMk2?}m_Th}*Cu&>(X zZ6^g$CMn*pFraKz8mZM`$=2H7gYKwg!ebCK=Z8f^TK}l~dxn)8@8IUV5fDB;r8wzA$$>99c zo!lfAwxf0$zljl!1d?Ovmm1DNkZ?h#ro3z>O1Gh63o#8Vx-dn2lHx0Oo|w@o5)+h2 zf?`k(*Pa4-AplQeMbTEAz+~J8?+F3{B#NzLq1k{DWFmaym_$bl@ZWv<v@1h? zYl1fT{8^sdVj7+<9W}XT77UmCTsBTI4c{ypD#=szQ7JP@g5dzr(I}#l0LON!706Ul zICGWz;8!h(*n>w%1KtjyfFT`Eepd&O5Y12|iHCPWI_3fj9(EFf@BYcvfxh$q7jXEK zWEvVzb0p$4fT9(fL-7s(z({m3iZMYQ^}XL~ciYG2J7i;tP_xCG`=HrMv$it zL$1N{blXy6o^YgT2@@>RfmIu1*@$N*;;$N{n}sSI<=`sx9L}*ub_Q98C8VQgrG@S! z-7Bp{9{U`6DbaAld!?8zH@+$6QqTdA13sa*1PoC`ZzTa`K{%wP{Ls{c(@N{}rYfHj zs@$9z`aQu+3i~54r-_sxwA}Bti#eCaO9lE8$@LfNcm35)#~lr*bNJ&)W^9X?X32Ay z@cEG5_0=)NPJoo5p%ia_ZSskt&OrWO&?K0Ej$AJt7)(+7H%`fagJ3eHA!yCONw=H- zT9-B2D-pI`#pDNI@7#IGT-xeSLX21 z2B&cx&E-UWl+^c5D{%B#;9~=TkZ^l4Np~d=)UOg&K*eKP>@oUN4}jQ zCLN!Kd4y05j=F|0W6H&qfK1rha?E}~qQH8LfMVV$QTNAgx9eU_lw26m07hw=b0?-@D|E11Lj}7v>vi@TF%8pJb)zdNE8NlAzL>(h55(;(3v>qyP7hN|PCW=~ zz|cc_#*mbHpgSF3Xg#hP{*2ZKdmq;6y-_S+ZscAA$h;(IIE=CMXu^C2SgrGTa2zQP~n8?#67syDU?r%M9w`i#UaJvo@vSYG0W=AwymbXbHa2$Ei zz!c8a;&NS=CHDbOhVrx~2ULD}W6H~|D24(LafHPjuq4v5o^D%;lCnCOCR~6i6u|^Q z{U+4fV>Qb9aL4sw(AL&l&<}bGa$R{Jn?aR(kR157TIavMHb2vi!i>7y2-+NvdHd!E zuB~x)x8N}fIy}k}ymWF>Fx;3+5%ztKd z>J}L{SUNncY`RnjFH5BAB|Gqv`a{eW%K&K?zz_vc61y=J2T-6(G~yZUC=5ds?im@w&qH%y#HWxxkLk2Ryv$vw=gSJx z4&=E(wg;zS=&xfV*}l1wYgTpG4FEUfV%FXDo2#?j!S>$W_`|_y)@$b*NV}3_IJvG! ztcPdp?l`cBSU z_4KfkOsH7txUQV2P+3V>{3Tm4FEJLSIxYGx&7iHxGH7hH~?kJL=Q^2n3_Fzn+okf_FhwUQCeNn&Vn(^^r~#Ya)t-b z@@dY2dZ&@wkv=gNh9-lH0->tN6I~w+pqLC88sWR$j~!R#;~x0;zq8+9j6d#W5s-&* zWryU5&2Uh^eN&!W(cP*JVT}K5ftpX&IByOiSGs13huw-~i^^P%LTzb_DJI&zL2mJt zNa<1BH*;f7e*03s*iVHF#{m3e6c*ockZ@l^mNvW(ZYMaHNKu4PAva3OQE0(*{?Gq{ zbLxGOk{0ujld=^}1b}3&Sh+PG&5-Vf9wa0rBt!YuxTx$92BGFZmeb}Ghhcl|8f^*BZ)&O(3N0Npz(ZVC8o7QfGiv-TUUEx zX}{1*8bz3lKd6cgpgf@5@4lhmtk$`^z+0twaGt`utAveFAM`Bk)vVn}9V8^zS=q}^ zo=cslQb38MIe}*gj3AB@IoFo7jc=0mJ5r=KL7LeC$W;YRWv1%&gdskmQRq3DW!tl! zQG$Y7h=px}3&@0pKf;U)-Adb7PBDzmQ3O*Dr-QoS#VtZ4(@h0fotxvVS68pptIMy- zlORBxBhMHss2d+|a7@8b63KSVuhmCKEjI&Fd-QNrHY-?Ur$gW=qKWWE%elflW0E=C zlFV}=nTD?b|5cealNcxhs$mS)rsjm9R!qZ|Gu(RbElIWa-(pE*%e4TMg8pZ+!OnhOQYvVnh}p|Ls?nRoOJDWD%V1;o^mWSXaCf_7+~V7 ze8fciP%2XhW?C<+R@ND#r9KGR7Bh{!GA^3R7;J?g+2BQ9LQ*aG#jmW$w5T1CFanOd zhuY^@qK>rq0T2m|Jmfp6+IFU~n5PY7NA7P16o?^%QzW!5SvyjaXzmT1Cq6*pNyAzv z?9{2+9~m;|=z+pEcyE0&_dS5hpT%&K6x=?Tz?o?TNz66GePAR!4d2RRxpppuc0z^` zr^<8AaR3irO2D~0bU_k=*PhUrAt5!+hUBzlm$e`pBgu{y)~`^60zp|HATq;@5-IEa z6f+to>Lj;6MPfq3pHlZ;JI9PcB_cV(G|WW=lQy^*fe4L+9*liwfmL7iHsICMSf;mQ_P`eRA)BgNR*C0Q+7bx|BSxof@Usd}>Zho745iB#4sLpQ)dm^cdG4L6mD3ay z6YJXTaj~c25S1Po7JKWuU>Ss(68rLWaIsJcbWO+O2yyFU?Gy#Cd^ZncjP&-VT@OAm z0j?m>#W)CQpe&U7IBr!3Dx^c7yg`sKhKPvf2C*yx*JlH(iVEdLip;G;~YB)WYV`GO`pYnYAXH|+4p+dg?e){$e&@qDhV4Md2 z*=a@L9@yo}J+hqC+>uyxwDQHY;&}<4hN1J{HWq2ifnyrB)qzBR*Onb6^rW$gvPvAa zZIok>buH5|T~H~3KnyVh>HwpU2~!yBm?C)u;_h`@&}rmCBTq-d9Ha~q6Uf0(9^n*h z6z(f`0A;vS)wv0mv?1Pet5%yJ@Ug`5|54eJwJY~NK;wR6r?i}W-^#ijC>-Vg|#T{d9|l&5wO9Xy3V`zHu7Hn#?#w$yd`%afC(2+%3Mkw(o+aQM8|xBD%aYYY`Q|voG8~IC4wb>mtZuVtX08!$x85_xvRfqH( zDc?mkxcdML>+i%3n~5mH|3V?4iHH*`fY3AfKHV!cZT2&r&>KpIY!~e_iU8BX>ye?Z z-+FXv^u|2D=nPKnh>mle9VVlZ(qLWTf1&$y)B)o7U&ii`fxR^NG>4e8r)7}hK30o{ z-PYc-Yy%9!H=ZTIdrQIt9)NFRt+6DsiUy`1Cx1Q zlfoM1;Omu8JO6<>t~NSVLVk<$gPQ zE1yD=z({smnLxNgv$%iTHIQ!@u=StwZVYW> z3ihz_r-*0uH~ILYP?^j_HxoS7*|@-3Gxl#O!Gf|yilCf}#{w6Vyi}wH@RpMA1Tel1 zBY(ZVx1sZAm*-k=)EVD$4ZS6A(+Rg7O(X}?zCQ{q>iK2I`HwL7CDwoCxOi`m@Sk;ho2XO%}zmIQ(W8!Rr@fJ!oB7ongQKnspl zS_z~6gc?TMf;GSUpxHZk(eAdp?VgU)_u6%?Pcs`zpJIJce zg(JN~?~{olP|jGsKa*`BpiyKZ2T~?%eTuvW6o72br*vVrd|qlcfg;r zRZ4cjOuMyqyCSOj9nWhNlTno1g~NmO>C1uuvxDW-7O8lL8ijZu7 zo;mqdDeE5fI9T4`0~`p;8+wQ%p=#+aj&Ohl7}A7jQL?Eb?VKvi=uU29pJq+O|!iRfL_j)6Sqa4G*8 z8%LI0&h%Q9qOC(wvjLFf07k~12oYzb=PC-#Gr0wA8=J}N>+8Wn`Po`rlrH#>It9s} z`kl@nB~ScQ|BsT_{ppV}6q7%B-BB2KIw|u!I_&+>ne{sUQUT6&Ars`CwHz5$mL5(e zu-N_?cFR!8ZWoPpPMPMZ`gWYJferq%eu`SI@tM2d+6tp>TNhDYji=Z;6cY=;^M_Z? z_LN~U*IEiMWvcSInR9`rV5o9)r<%+FdZSsPQXl~sK zyqr{C+lYx8tus86-Mc~add({H@S=8a(7f1eQB&bfFEJraFbGgAxQcZ0hd$QnV$+G2 zJPk3x&=|5Xl5&PoDcb;Lm6$W2Gs$5cBADo)j;k9S{}nMjDhsSHVRvH|2M@I3$Crb% z=eOXs%fy2_^F>O?blL7&VKIs};CFVf|LW<6wvhWb=m3gZb;(n+tGhLxQT^!MtQZ z0ty_oGOMiwMFl5%dUgBU9u=l~o35urL9X5(UtHqJ{safKm{L`oM zjA%B!g!xxxnXrK_Eh`A_w^|V$x0Mg)Ps$zhbMs@P%nMpO>E=D5S8T57K;&Ar6Z9$# z)2X@?N6@kv`m^=!Frw){y(^ji*+690cNbF)-k<;T-Rav`4WP&RXGW)*YbhtIOEj`P zO#Rlrj8i0F2nAGbZ3R$QgVVEnz*DyBdyRk!;Yt0pl{1_63For&3MDy%4V5KM;$x;p zqn6244AMN>D#^Oae5WqH&Tz`ENsR5XdZeI|d^i;Fd)psUR3U6T~U zK%62-xXz-XQ^QH7YOHiB_l+XGky>Gj1=;r(1KtLIH+cwep}Lz#0u(x^Q!#6E?~P8( zPLLe>H1tC^mx)SoZ5dc;K#K11($FK)9ywRlKk|B!q8pXV%&mu zz&jcuIbFsBJe>*I`K#COKfE~y@7`ZqFSu+Rh}@WnXS($6vT!*HFZB4xF;uKv`z>Rk zX_6*_l0-XQDQIFQX^~ERai88 zxSiRKmlv6Zc_v!Tlo*t(0hfBw6?5RAXU6r1t~V~{c%=470R&`Yx!Q6Br_=FiTCvv`$+^22sAU7*yj0M1?KOGP zs&nhh||Fbs7n?_EGpc>lUq7B1^bPi#YWNCOVu!@}}MYY5i;qw7%bShZ0#8g%<tua8Fu&#o9QG(7J6$ zc!bW>Z4q8qeoqh=r|QV0?uT0&v$3uHUZdteD}lN}C_atw484VSml{9buLQN2A7r6P z?E32=md}y=CGB-K5AxbVY;HGPvGz)Prpwv3oWPc@DyLwJ3CJ?I=-`b-;1 z%c_DVc~zQO$M|F^z@=A#qyX0Gpn{u%xK=)@kRfnG=q=GfWF~*7PRzpQ<|aw++-Fm} ztBu(Mb~XV2Kk(sv0Cr!?X7<_!zPbun(gI{OA?9`r%+y?wIQnr%{Rrq(j$G^bhZjGdbYC3x7U{=fI73We$AeZ}I#n{;brMW zv%RgPww2WCAg1W>0SM8i5cVuS#e7=8CW-Z|7Xf185^);M5c6J#bPCnoOuiqcy`L1S zd-vXYd21=jiiY(LKVCjt&%dHp)zVS$;H5}+{?Gq{3l(Lkv}T9{y|;h}lN*pz>$y#JAtIZJ6;o`M3#<)@0vF}=`f*P2Z zg;pA1rM~w5obEq?$(UbO?x3VxF~zVKdF)%d^zP{0yQot?K%(<2DuGl`0B013YRDoS z7{>`I2s-Eeer~?K4KD3hCUG;bRtqKS62!HzD@(N!|x_pYB;f*Qdz*Gv6j z)lQmuZ28H#3m3)XEV-$3xI4pVjOt6eq;S+7@`9cVH;HIjNsg0CuBfq5gZ~!aq0mZd zZ(bVF_@g}rsLMgpJORE{T+!;jJ60HK7q`^P*ZY7HWV59y#%q6nI9J|bTp{H!)!C4I zGfT;(CVuLFbO$9b9;mVhz%gq?u4b}!0s=LOV6Nv#WhqCQmgDKgv(d4LE z-B0t+QD)9`2D+ky7zGXoWKw)yGdLRIz+S6%ra7-F5_u$YG3bM4uYJ%yY#-@>EyJVL z2lcwG!h`)vSIRr{Qss~HuEOs9c+l>h{Lt>Ud!54r`|^c++3vQxo!*IC2qrb&$fQn! zAsAZIAfCn%asprhVUuOkS{HAA;B9!zJ0u#)#cMjBo`4hzx_i2DDYem&Sa) zpu8f^6BwBnlz~g_=i*-K`N8qeaEhb39aayF2LA?gA>m&Pz(|(FZV6osW=C>)b(GR; zcCu&K0z;!z1X@*PBhTY4E}QS{*zZ1~7`a%_mcqdQp{FBrzj>OoRg;sZY5#6I&4^-m zb%Sx)^>hL|JK##`9&A2kE_VexH6XpU?M0FV1&uoU4CkkWxS>g|4XjnXh6eLQw}kc z4zleouw9m6Ab;0tj2Krs9=%=pssrzn*`5aWjQ~2Qom_Z$s!7BVUOC+*9I@6o!6E86 zz@lZ+0d^Wj#?NI|RB_YV&C9!}ZC{yzKFW`9j6MQPG6yYQcE57wR&{iTxjf(~?9I7M z%b9OgZlOyA!@n^s(0igNi>q8(y@Ma#V);wA>!+;N-FTN?{uO7gYOmPH-jitVl1K7n zsQl^-6Eowhvpg!XF;pq_hc3gLxvSZ~z>e7w$R4AlJa*}`g@vLM45p~F0^Y^QKhUI^Ygj_KQ}3HAbk(ix_U6g-Otu5ADTo=8M?H`b9!yY}=!~i{4LJxC zl{rR<*a3|qtgiRpmolE$w2r9VQJjY%rJCk{>g}s*CPM&;z%9Ag5iI7~Ls9D#Lvxv& zi|I$oQ%Fn{EU$t}77KZr)+uv;zV9*kH{zgMIvn?5nt^yjPOB*9n)tKzV+2#4NM%%si!GEd7zW@H+`|DTVf8Pfm{Vsjn z2Oq7M(wmohY`*{Ar1<^*`&1wfwBTmBp+4N(r4WM4m#1eb+h14Tl`2ELtMJXqxU*x% z$%t@Vj+2X}*(=>%QUv_~9kZdREnuVrbQCQ&eBH#ti~3F0IhcqEQUCu}M-q8w$Aj6j zFyVO2kUS|}Q@8tCLCTw1<1(nT^U6b~ZUjqIy-V(u%bv;oER-GBXe2loGf2#>r)Y-Q z+<;UC?bc)vsxa4HIWj)0~Ov;P<;MP-VnTGoPA>m-YKLwh>7u!mrS=t==y7bEQ- z35naP3rOh`d}zx%pGsI((y0?N8LZQk$)hBS^o^b-4YhxjXTh5~+p~)6?% zQI*(T9X$0$Y?Fof*7}fZV3a7$BsU3i2(?$mcqMhh0Rt>`LbV>w1wXap~WEX~To~YcZ8V5|q7h^)*>sNQ`MkGp1C3)`2 z-n?Mn1A8~1&5yI=TQp!Cx3e>vrm=Q;&~4fiB=t zUA7x?0An4}jO`VqA)|30{CfK4jg+n=h03$+C8gqL93dUdW{wly#Ml7=k2NC8$HNnh zydhx;Ipx1Fn#6r@a(t|mkLuk!N@OS9NlCr@z!9_M8aqb7yAuq$)0?37#_?SpWr5^B z*1!SX%Gp!ZF9_gtia-E4;!2~h%)-jnCs)0)#Hfn_oJg{-G){`$s`nEbWKC=Ol(2LB z<8eW3SIfkn2L$4Rck~c-knDsSC{@X@rglTUf3N%I3AKuUsi+@y#WKSo%A}$-TMtOL z9+mY7MN_lYEAdhaa&R<4f$-C6o^!yHU?PX>V>TbGIb9AiNjmw*hC7L5?&WFh)Izm- zYc&_RsNs(yU`Cej?9m;98H{iUA{-#1cDfrx+E&+QFVZ<3T-YmS)GdlSL!wrS#aIiJl8ox- z7LyR)x_WJ^{N~jNl{#p_P~EU4b;sb`Av`%4L_;sd`RmnUOMRho;sd2c|*-HG6}b88h7C_0 zW!>`Z+ST?trIL{1p^?-4l!)@J6PMi@3jM2Mu1pIh*hpDRDQ!?8K>tH-Fh?qUQbWp} zSi!E#LvQ`Dl^2E`2REjBr6?3e++Z-sjrV;pu)|)CL19w#oNEU z%HRg5$R)4#oWe}!mLvekUi@zJ8>9$W+%v)d1<=K?|1!8`V6$=kMZjr9e@%$li2c+v zp%^gl-P5zFDE{($J{BkCa2iSNCnXmlVvI6-)^^?{kL~=eDdP(o8HmMi{q2y-pS#~H{IUR;mM0{ zKzDN}R6hw9kbTp=cU$?+eId^$wXΜ;<>D9V4`s39KlZwv?N{PbAHKQ(wRHVaU%d zQnX-(L}z-Ookw}SGu;y#B`;Kiq*+29g{O>=UCpC+`_6r9+a)w4MR^YK-F*;(o>=J{75fq zJ|z51-+%cujcZ%vJ!r24>;@Q63Dik?qdk93d681@g|iQRK-mK5CUmCR2i?U}@oVW< zRl)?$G|K^~BKB6X;`5J{J9MSe&Q*5_5!Igs2*19*9xTFEe!p5!K=!7*Gi#5bncasR zLdwNygdyKB%fVAPMuQ}ZwDNGnzzG%)#E5S&sj;Y6S#?qQ{_Va$9P5kl2nF*XTCge} zvhf)rh;w=7-|T=+F}XxAoL`}UlCZ|~TTWC9x-#59>2?{@utMg0gvJ?yA%2*7vrdp3 zo-l@H$^lc|Yr*E~7Sb<%XJZKwc#53Cce69WCy=25qXE*;l>uwRqKrUniiui9Dw=qJ z7*xr09|RDY6;A+IplOBhzvOVB%8*5K1nSIFNpD|qZ4+B;z3A*L?b-=g7il3$ULH?4bIeYU?U|E|NCos-QHO->au)v{cn#?lja5xGiH zFaH!pzx-2YFycj;n?mWO^3+-=n8@)5q>9D6?_wNl@8l29*B7pxwPbfvUtWJWUAkf7 z>Ui>?7K8`lx=(hzz9&80f8w$i0IYNlT7=yiGN%_^Q7uRmrZod0Deid7#R%Wm@cz55 z^VHk?-kW+3KJD(CdKP~1{C>gN>`Oc~DDScR)3EXPtljnH;*=YlI>Oyj`KelNS~Q{7 zw{(-;sx2KpSg)LGXnjImwgwk9XB`_Kr#0)Gxp`jdyi}i-mDV242gSnr%YM!5+_=v^ z4&90c!lWy-D#-@$X{kg-7d$BjMc>-h@mab{uY%AGS_6YGXU){+3-uSxgNs1cMSAI> zYJoj(xv+9?d!C9wddh>J^2d14qk5b~(L;DzF*L?pu#H2FDaV3t8m@o~yxbn$;phHj zjURqJ!f%^e}YF&<*n@gIAl9j#GHy85BkirGBXnh?>4a-ag&@c34zpypI z=7X9?v}$czC31DdiMpd&;TKl}%rX_KEBE-*t14V)cI@(5L%;q#>9gK~i$j1C`G!(>w3T~8R|6B^Y} z7OWIVfC&~DM&~Gk4;5RoDIfSUMQEb(#Xi*F7<Y0f8DJ|jF zODiu8fvv20gHXJJPpqpKGP+hhhC;YZV8}leQMQ$BtRohI`hps;!rE#x3|5vw3bj{} zy8LIk%m-GGQ&+{Jjy!3uHr+0>T)piw+b*-Z%WNZuu=}Vj^c`i-Qlp}CRW8TOum{qui}z+({~qVbqb!pdimj(C394Bo4(JIB=n3%w0^w8 zqlaqTTg7FrvR*^WRYyCup1TtjQM?iL*{jrWxFpX_9^o$|@C1gT^2uUfZTIYbt6ydR z9@&b17e_e2;w4Q;2wAP%EgLX}jaeLQUJY7z=v;*d@zS>;QqLoJ;fV*Mj?L2*URPbV zLa0iL*dyqLRtjNxRLt%X+ET!?HodHa=qe#E1~0xTgi- zDUBanPW~)0+aM=j!(volUM^IvpSQ?9%kvl6XS>6!(fVWTFmb{sNZae@Tt`L4z(a4qr zYsNFV@{crr&xLBubiLilkr&uarNy$YmL|DQ`g5Ezfz1Z3W!_} zqM!_pQO$f|D?v_%o4-?Srf!S9=M7=^W=k;*&oO6-x(xee5{^sq>^}cwaZ`BrfxsEW zk%V3id=pp5Ezk4!2$#%FF**HOySoXRzCuC5u$Z4wBGBC$*G991obq27O%^!Lt`&{1 z0KcQ;lF}M?1h2FT6zC6pK|1)yi1GJEzappT7jZ>=Oj+3_8_Q6ya{sOiARU9dnAXXF zzp64T4VHMYgZ<;k_lrGqDM#VLi?Rz1F1==Hp&jQDo2q+*(=+k`5DcOb-as0+?W*{a zR>g#JaWUAWS^DW?(qy0N4dGJh%a#11(!Ok2-J*I6?{eI-xv!GVjVQZ?EJWe!nl8#K z&)ai}NMQ*VD7+Xvpq~24>4(q|Z5jL*%itHcb~hi?ZgRUwE75rJMaqof{+g~jkB@K6U0~X->5y_X;)Sa@mOK}U6seairOE< zYrMvVau0ej_ZKjL5gwtlc~HY?*Hu|JvTMv>pv>~`S1`-F+UrLstvqk8=IZn3sy>(4 zCZ;*dX%L`T{9TT6_s=Y@D zo_q48_t>}9Z4G`~gCE%L#|zPTa;C5~sjYJd;&NmI#Ka}yG@31N8!w{r0HK^AokF}y zdWZ*zfP5aY=`>z3QN}Zkz}%XL%WHfAa^}`Nyx`fIhr!pWRo|M2YgGM;?HXJ2uwV1* zqpq!axU}kX8S|}qc;WNKu+hgkU6g)#y8JFN!&F6_N09T3O3p6M{fUdDIAkAL!2+pmQ!f*UU&alLV6^#4itEX-n@J{ zKd|vvj1Egq_M1GK zLmVXxT~8R|6B^YR*Ok)GVS)vQ(K(9X{0aq>gf+%>r52>vr&7Q@0BoM946_e4I6~_l zH-P&FC{9!U(iC*-0O$A3j;O?~0mCyKp)q>J0~o3Fyc=c$0gT}gM|k13S6es@8Le?e zCl+X0bB|rc?V|2}_~fSo$?D#dXnskl_!&ot&$&P~@)JK`D#of?Y3f|5Z`ktE)3`&XTS?T>fsu8&89PCMBkrO-iQs%qqX(uAVO7 zs+$mz1Y{zKE9CwA!xs^MU*YDt8R%DnmUyOb0yd2hs~Y$Uc95+f(}<4eSFsc|&M4u6 zK}^b$E!Tm@U{H2l<3^9y!K#vfFR_dokg;oVij#`V1u zHyiBx^ez)M?>=+ozvN-q?5cT&>O6fZ;0mgch6kZ3uuv4xyw>;afB~a-bMP8PQ*btc zOf+r594en1-)!PB*Zgz@n#K_nh<9Q}r$|gt!dVg_-k!s0biX#b-EQ~f=t%wB?RNA3 z9(21W-}H`7UL2ns_f8H^zUlT}bdL_c0o{%CaLJQ!0oga*d$*PE+!ykE`qTn=1loUv zQG$5e+=bRoi2!{5+%Sc9t4n!*UM3ORYnxMutPOyzPpAO9?K96r+&&##{1q{dDdFwc zkb~xw5-g}(tnGj@M0q=))6T5d+}qQ@^5Cj*3Ne>RoDMF|CMdW`0ca2-h$GN^b$R*z zvJd`F6EJ}@1Ox>kiX%D)RhWPgW?VFVY!LB!YJR{No1XP6K{akL3Hx%*dxO`QA^}4v zV7~zXfm756pFRP*K;6w;?NJg%O2H4>x^d^(qbk&%thTEM{tZl`Ik1aK5GA44TzY*t zXq%DLR+vlmC;{HELhAkN5 zm@)yQ4eb6)_y6um?=ZLjpBx??Z}{co19|Kk^j`SpK%bbPX1|BvxV z3jB7aS2XDVl#(!>!Z9*S-3T$NtO;asA*Ni`3MdKSGNBRt8$_6kJ;!WZ;B>nX*OXS| zYH_Hh&o0j&s@b#4^U@|^6lI&_l!?Z|WiVvvkc9x=n5H8;Mb5z6ps1qvo&LK*&-asz4K{J`6o$`i=ShmCJb4;w2U z2)@m8LMI&C!yQM{8DeL28bgLa^N+K`cCX!Sb(@Y{%^{>ES@JJVBG=5msr4<+B|H6M z4O85`F-}VQ#SF2bS9*+u`&&|x`=O%Et!N!_v=%P+YPqzn5c7b}5SyDBUOEa67sSKy6(W|zgNp-Y3*un}}RTtJbO zVx{da8PTn5z_ZMM@nFl{r^Y~ACb|@VMiYT}>01%RL(jc_o}DlO{}S9XQFQuTJw(ix0t zXhVHsi4-nh8VN6@z;FF?oS-*|+<#vx-!xNUDTDfR+{xB!KcJL_nE2vS6$%l8>vAyD z7DJMyYr0EVV?hC+Y| z_>0>x!A!RKU(K8vJFlS9q}!SGhDbnXY{|EkIRbfsPkI@16a;h{x9xIhLwWl1Hg9>3 zQo)rd956bHG{RS_y273P9n+bkic{2e8ilnUJ;GvH+~-@Us2=gW(C=l{HVb@|te zvsaCbEIpxIywl=f#!BYBPYYfQ&eFc9>t!y^(-$MI_Kbcbw}zHu5A-SCp*)3meQz*z+G z^nMb?_Ib`vh5Q#p2^WZM#tg7n{_FLQ3;O>T-Q&Zp{P!5ossMRFhQIp%MXKvve-F>; zulKS#>N8DW52C6LQrPb{BLvwRTKAsmp_lu|vGvM6xWX+#TSjZ%SGNJ7W?t==SBMv+ z?xI3`t+PI%;eAx!Bm?mpvYwM^|^)YzB!SeT9l*;6^W)zu1A%#c2N-$P5<-i($s?OCg| zYs+mP4{Q1eBIxWNU$#YLjgj^YA77f?V-3^Az04)+?#`LH*j+RkCTsCtjTu=WPGs!@ zD~ko7WVg@p**uruoG_3_vrNcZB)&ZGwpeFl9P3GJ*IwYJLY@to*XfIi5OHpOF*HI9 zkpPVu^d&P9N!MwwqT{OqD;+3B6-&2#sM3lCln6$nj1XwR z>H^t!+H*Jaia~)QJjEjOHuJ-fTjt#`Az_pQ9zn7S$*jGk{JC6}v}dS-u5*~gi+C@L zV_ww)Lve%y$SWMOYO$J!Rwh*HJQiYgRh)fXC6Q=$Jg@)XpG+wQ3XUK;;#P>BCL zKG^zyKgv^Tef5*}DIKn&^GvLV`I?UhDOJ%H6s_47-c`pit`;P+x>`49?JwwyD)Sen z;!JfAo*xUE2s)J@vZHq`Wglx$ej3Bta{JE^tGhGr!2_18|6cc?Tk!vRvGxCXl;>e= zIxjWNd;z8%N#U1hq+EZD2(bXw1^`9-)fyP{L}hU>=KWH}D!Z~42VI?qZcY0CxzB?5 zzxy+O^DN>22i@*LKK}Q`i>>|tQJ(+6m_DQGyHB&b^%UvE3jle5kiwF#+&9W_r69wH z+T|ZS)^NQ&fB9ygL;OK@`ES?Q<-fgmn85b=N}uBX|4&18Z4qxI`hV&EfAr$G5dVL0 zwB7$7<&m5qL?cX!Y^SAJncKK5cawWo%rFrn(EI~${ed@2woT8EgHbAXYNtmsdlUNI zyla}6hO(x9Dl)|!?UE{iYXT(e76UF0w>+F z;FL3^B{B+f0IjVV+)gM*Ktfl%Sc(t=V#2|cG6ci~64_udfeZ!$G2SdkHSKKa=c>uE zduemER4Ho6{QWT1U~A2nUHy@lV5_#C%lmU7^6Kgrujy~aJXUmN(~mXZc-PuAQ>;`u zRZae-W2)14CB5*#sJmCqXysq~f`#cs1w@JZ!cjRWj7m09OwCj=g^BVFsOWdo?c6xk z7zO{1pyFWoU;DND*sA!I#lpLLNmut?tkYH&I*xyaQykg&F;y!2u4Im@2Fz5%c8Jp7 zt07uY4(@@bO2PyvvBI&M z44MetUqBh~acJ(9Okv9;a+3VON65+6sx9zu@Owgq3&8R7I(_<-j)E#{yPp=a)zTDE zUZv*s*`S#Yped3wi`&nHhRBC#e`{1L3YA;hZD|HxS>*e)-CtLf^<2+@%l9~9{dZMPOZ7P==Uhr)Q%ceV!+sPmo^16$kMfil3d+L6Gj0Hx0(Y1TOvWluTpJ%sQ^XER1Iss)>Aa4Y&@xXS zzfWFSVE2@I8;+FGEYq@nhppJ0K5r0;Hk;@ap1Iz6$tjuO9^j1XKdqD1)T$qT9Uq~eRGOxIr}OBSbjXaE0aG?;yVe}& z58fZT?U6h<%eo;7B6Z@#1Q=bnMs{z}U^?YrZn`r1*Mh3mr~V1$B1;4IjWGuN+fsW0 zjS^^XjrukQrNPtL$SzgXU*C;S>i*OBW@N601DY#9LL@BFBg zwCX{~H|v$jed=e{Ln(vnbr&{UqSO6C<9+f^QU0^x=$jJ&m&kwJqod=({SPPIt^D^G zPo1q+MEpup1jrrk(;&^xtfvxLTJh=n&6TQAE9P`dhXEN8lK3Df*Pf!P-VjaT3{$2Xw7-_M z=xQx&vUC$J^8XN`DJ2};H|tCKEaCr0yeE0RhLp-{BA`AHJgHvt%lCim@xfpg`k!&P&-E z9ClTp%^ql8(nxZc52{jg5A3#?|0ZX?F%rUVI%|Juf?Ywc1d}73tt+|k2LfjhN0P|) z3bqU9f?jfi$sX8^1lS!#6pE9hC6Ga{-OWJvM>kv6vnP*LumaP8Ts=)Q+BV|h(QdA3 zH^}@bSg7sZYxZ4BlusgG+}rl-F^sjmcuS4cd7rg%y;at2En7yVcXMPBOi*yc6L({2 zE1VNJ#X&2eWR!`{HlZ!wwy(`FwqHVy22e~uvs`)F+*3W|6L@fZ!joy8W$F!D!Dhd* zkv^t3}3*Per`qGdlx!LIGwmkbW1v9JN_945FHS|Sn zAzh_Ycz2bsaaA4lZP^kwf-4N?S16z)%nG00Z03rUda!xL8Jc0q6JBF3D4V~*Q!K0x zU-3&-qt#F{U9gOyf=k3Sv^2lX9Q2huMfu;)OTU>Tz%u>s$x+__@8qz%)&D-qljA&Q z^0j|fmGx(V-`s^)fAPJF88XWTZD8IqqH`-qgR{#p#QaMG3N7 zx4o|+qwlU08t}#Fz?bM&Q=8^ixw=)ZuAy9A;u?{OietWI+AfXWA}&+WooApdd{U({ z->Q=rsFSyP-0f5IDe?cOVTd_P)aiYggyVaAf-KYj93H>O-~aQXd$5)NALGgU|I_f? zP5w(g`Mw(17SG82r-KV4UGes7$U#$Qyy(n&ok0;^Gp|H)r7L~%T!|qPuvc`)D{1A+ za>aYVt#rxcPBA&nZejkLY?6#x)fb5>r4UMX(XzdFMGz&vZ`;kS1^GwH z|J^%0=ynVFKMuF?pO5k={m%?f`$|P14^~oC{%I=TJ!D&xSQ;9w!K{1^GqM~->Ke9p5S1BK=Z$vp!v_{ z`u$0RCyr>O%4GELlnS-Bf#ktfxkGjv7T;~mXQO< z5KvdTq7VqGvo!9SX+M8=CCg$mRw)nm+Kr15U^**cE{(fKM_7Pc97R^iq7hNJ-HGU?ld{k4~!ho>6}4aFr-eCH>t&%Rw5!TgHKK(k4k z>o1(Dzcu}xMiIRQLBa){noC|R6T^fHNCKoe0#MOxix!zF-YREqy9>LO`K4sZJ;yN6v3rlGwDEqH}?8?g{3_dUm8L>gHxBpSp8-9@J&ss?KQorKd90 zyqXd&SP}@g-z!R0R0IvG5@qy;9TyYS$I! zz$lf&#qx_e@s%)f_qCFX7fYeB&bHpmB1|}$onY#NNgo#qD3*^XFm)8#dVuBcINK%|8 zk-%|;vV^W?f$K%4##BQ0#fL?*Wd15pI|BLLV%eaUY#)m#s$3MyEbkbKiCWp}M@f=D znj0>ip5a zaOh8RvXlxWf6!=H0v;oR7!)XMH$HI0xH5bitmQuDmbc>ZJH z_?xf)+XK75QA|K{zq!Iql!e35G9-WTvPnKHqQ#b0Mz(m_=R+Y|Y^mbdd8sm0a7{vS zgyfl;A+!(Vj-W+-xp6>|o_MTqwt$`6{1+LQ2QiP)1qV&8BHo&yt)ORo3**SXZJSIP zR%7XO-+tL$Q`lxI+$&ToRdi-hR%do|G`F)M_gdouGD(I~5*k9T1M+8w?H<^j9k#n* zh(?ql`R1_Q+f$6#REinBo9_c|BsF=0023J8NcIh96e}TangkOw=yxg-lYq;Yr)NOR zvQxPq-%fBak-}fYwV!b}YWSW=X((VaYzumWh!et1upmQYboW+mAI;gX-PVu)_^)>6 zpJwWl(rl&xQ!kXgQh%qz_Cc##T3%rw2P-SK$w4d%XsJ*Kc6l6O0h)jIF#5LWCR2uC z`=4E3!K58xT20v@?=`xM5yNtjVWdAU6B)rTW@qh06o&G!IBIb`CMfh%D(Y=DoMNsJ zyhXzar8m6tywsADWlH^1!tr)F`BQE|5v4at44SiE6Ev?-z>p~2;hK|V*n(q3L@NtP zU9p3haMTSL($SiF`Op!tsp?f&JacY+FlfS_CDcI5`?TNo*sT3rFGwz6Hf!@I$4|ADvpEGQj{z2Yd25xGLq=t@nQ z?Az)vcl8CwDRze^$LiL^bgXp$75IOH;mHvqfj>z4^IyKiOMe zHsJ%j#QuMLaB@_*|LOR6YyWwSC#TIQ-oOMrKj7u}G`-bSQ=SZ7ISlSD@f|R9hsn4d zP==^dVs&P{W||-%3$7X`lM()OaB((4!OdPSTS3P2`0q5)ndSur+Pw-?VFE^&<(yQ@ zT)2D(hAL2v%%$LF@HXVSPx(i?*6?m&=$PREt(~<8F@eFG{rch3PdSPx5`xS&RfC zg3SjKVs>$@ID8XID9er<0N%?Q3DehW^BPYP7jPQq+f6?_MB91=ycQxpNa1)dAEM0> zjUsw`i9*b5ZbuC(_u(Ph#zY`CgI=C}`{p59;{k&)k~2sXk1jK>7qq){Pt3QcOI&I$ zg~`|(+rlTE%S#^Ya|ylHX~yOII@v3==&aNWR)#;zW4ej)!2;EDq)+*|2N}6@9eCix!J^5O7y$aXxwO?=dUA+G;cQP#7f!Fp}ELn+P z$wdp#^r^i6>oN0xoaFt#PYzz3Y|np>@qDVj|4SvixW^@6>tDN7OdnEt_tx^OrS6di zq(u10v~usv0cpk$eRr0ZPr)=)mK0=@EU+a1b24l>Wue#n`n+I?|8MuCn~VQG=pG+z z{eK_j$;n-LyGr3BjB#qb@mG6B5uIOTB_;s5L`IBG?d@B6Zs93M0)|9G$M|JkqC`~2 zC9)=hC%II@7!UI5avhwfO$Iq#IVep7X_uk#&s83a1*Z8n5l~<<{+k|OeI-Yt3s((K z5Z|Mh*5V^;+S~S0^MZ39ngu%eSEUcpSh)*kwJe&wD$N5@yh5$^)Ma!Rx}ORQ_%b1( z2`0%;2>=|2=+$VXkH7CIK{_3_#pe>uFuJvh%2bv&>9JW7`4T>j5%W`B+4pCcuTHOD zWnO(4oabMizk2h^dj(_s3!_P#gQXU#+b#Ukc`PlaCOwaRmAeAimeV%|8?LY7t}x<{ zNtrR;Fl9P+&`#rDnSjyL6K9ND9x7WJtxcmb*5k$(PO~PZC!gc(v3B=%_jcx zSGY^;qX`v1eDUjF{aqr;=E{{K;)M#GOKG=3sl zr@AKzI0G&J=QiSm)LMoW32r zd3DvEhC2yIEnA#GfoG@{A;DXS1Z*CQ7A69X_14#t$k0UVWm{T}%o=h?RBB30Mzjs& z05&QNzXfYdRj`fX#aYJyrJvS3`ZSIsjKVTSwU;_NSIa_E{@NxgUT(j2z(FhMzH)t)}JzabyKdv?9i#IiqtQy z$N*v*Cy@%wGSQLPrceke`A(RaKJ_gN`s1fh?a!Y-0%)d%5|Eiq7m%oF11#{lT$NUA z2+@{az7~2hGrAtlJoRS$1W%>^f6KZM-QNXdiTroaE#!YXIeD?o|Mw`*D*pe=oy%4W z7TC+A7StAG>(pM#Y|F2e9V4(CA(GbJ1IOKTnP=Sm&s4r&5ZFXS_O4cozY?^vX@JtS z*~eYQpkN>n=6r3X0I+J_aftJw(WO5BkDckjnrm7)5hi)nwdBuV6 zNFSS9Klb1Szo6=a-c#7n@Gxhr8|q9)G*0uw=}^2=4G+%>&H>I$#K8omT#Q%uy# z`Gvs%4G_aL^b^oq{oP5oY*-f7_rt5)^~sq{&3nHf`p0W8Bz&MUL#M^vtJTAbvVgUX zDg!ucwn|wBN00>*l;KqNoo`6-DZtf9DWTWRv$_nvX?sedLrk(`|FieHs#U+{8V%F9 zz>&?Xss?S1+KsI=O_E?vBdjuVWvI)%?60%v7Os0=iR!QV%=`Xg_ER3|k{#({(|iIM z8Za6l&eMDiDXS>^oLSr}b(AGU;3-mG?rH2OP-e~Sm!<10D2z)>bIGc_jb8fNj2YLl zR)2wKYz(pcm|qulBdARu%gmsK;c}(?s+F^zrTaz8Y*$~xpD{UTdEcPDx4oAj$!yCQ^_0L$UdL(%Mi#@4PRzl z7D^NuHmz)>Nvvx50-E=_N_tsEMvCwV1@j;(0IR&M%~sgd_Tl-t0LO|vk=nb^w^Y*3 z7^6tlUBLQ?=;QLqX5Y$5%piMe&fucr#G&*(9k!7dWTVM1^ zO4{?K{c3O*BvCCF8vsk0vGc!w4+g+4b{E)Pl9KK8n0=l`CV>HFFc=I5b5Y7bMj}a9 zq*P^~C76oeI#|6$RG1tN@u1fp^L#n1*GR6^G`FA1Oe#0C3JHq3yOoLiR;WSJN+bKN zag=Lo8pN|U$k};wh_my?0QF{G@TG;-4G_ILJs*_hFirgAw3=5jvXt2aPoR9cJOihO z^$?m5T9>D?ELGOndvX|66KuA^{Ja}RDWte-NyO3VoAOvuUMYSn)hiT z4}C6LDXwb{2!XBZ+$t}=UYSRasXxj%%|$--X+Gxb;3$D^-koRBl*=rH%eeZRz6~%2 z_nA?1KbiW%W?q`S!at}@NHfxpry8o0NOUx?dBj`DT>P`%PN}_b(qvt+Mg$4*zO28T zkg`ayo6B^RCHb7D;s8zj_?X{AvmK00gQ1X&<2f1hoK#0WT>pX^*EsS{ay-=XIXp2U zqrwNz)X3d*a%Cd2ADu1bW5Sw#9q71`4vP7_-DomT*wn3w9b(%$G2z-0JiGfSR@xcS+a{QHR?ga0fI!uy|%5 z^`5Nl@x)vZn=6VL^rtF1pE$u1$kd_Uq>dhfiyYlu8A#YsUY@xMj9?CT5G7K4p0tV@{ioI`!!^d#L%8B^K|}_8R{5fp<4OMUF zS}r+`XgcqD&vcq~y=S&5^cKuE3ccI6?VWQw1;mBEn*!2+^l=rC=J20|Bx+9Ut|U=l zq`Qzr{-HjCB=QgZIY^?N6_5&QJ1HOyNO!7$G)McW3P^MK&u`n`sR9xh>CU(P$5cT4 z1Ah+NezPwPduy-G*P6-oKU~*7p9`s1XN9oVc73oQOZ*2UO^C5!WfKs^3IsEtXgF{lS>>e)b?3fi}++f2ZU>HEI~q5^?a zdpbwuU}Kx83~diT0IE+-T(u)TOR~!!`$Bd zagwl`Q_j4>^POmTdT;og)N6jv-|4H68pIlqH=U&q#+}S{naTCmlXN?8I6F64FQ4M5 zOmG&XeL-N4>f;Dq`QpwJ-$%M|aTx|4&)pO~#IkKs*Z`Y|88t`_} z+2Z)7p00h7+4&f+3wHmtzb5Vf*bw#`qH5&*nKS#Bj9uqG;~k(;sd&A~5Iv8SjV&cT z*M^i_4^JtmCQSF^P0tZqrFwGG=|=WM(sr?-~E&;efE>^Si(rF&`LmE@bvVk4sexzVRd_*T0K z5X)ik(*;gb;&Z=fo3aZb(hzzJ9cQ^KS#>v@LZ$EBd5ZVV{QtS_=2F7;XRfnGpF7&s zGwRD$({~?3taMB{to-^(pIB!F`UY~bbOMHEJ9_Z885hfFfJ)r(*DZm=?_1)A>%WdT z(WJRzUUTZ#lG#*gI%R8Z;3gPPsu558uZtM^^;iA)V}VeXy3q|I$(}&qvYv~QCag>@ z(lqmJKakE8^#lskc-|GfWE*9iGESw>(7nS{EL1m)+dt?A4q2w&oqcpsm3!N7tI zy?pgH)z{~~q;Z^(8_c~I+a6PP090HO{R3=rSXv0dN2Y3Qa)di0^doIZYQzeXg|;cAap{mbmelHRrK_bs|1>S|_{L@u1tJ}6Z*cS8d zSoeM`0okv@@arvi+WQZ}NH)f4%g5DsxEhd3auNR^A88eKI!M6Id2;&d`P21z!$Re> zuiN**;`5-zykGXNWc;g-S5zLPspKrqBU_ZpmfTyxK>ugpy) za(}#Klw8n&Q)MDMB1PjQh?Dc%Eu-W>28`TUY=ltj55{muXXLb*b2!AbKj%cqlPDsY zgnAxf77n!Bg;d2{!{7~9ho-qBJIpPtHy)JTA8!Xs7a|~58UOY;!A0?!knAL(EAk4z zyU=tL4OD%Nc0t((4-odwX7jVhi=ColD`u*}ZDFNgH86r1^v32E43`xnZo=l?9FW#W zU`|rPaiX-LC6=YHV)K`T3W)|0TP|5TK!bk?a9-?_XWN}i9W12Xo)Sc;To8^lc*HmY z_-NBJy$-&)t_ho)A2)e~@Qpwd(oB0=j$wY@cofUYj6(vMI!1N{j9+Q(=YxZ4r<9$t zgmK8g>f>@XQ`1Jvo?5@HsgsbE_mxTw2){isnLYC?3uLxzc@e`<9=_!QuNx%3Ooo-| z8bCpADd4p7Os_N84i#n_XE2(OEXX|FqRdW*47X`Mn-L{qFX=BnWxpJ+ zXesC~p}>aCh$_AJVYjW2Smq*PvDa!{A-)3Uwhzs)k6tn2MDjJ3k}NZC5}oGAl^z?9 zsj*$sG|qMT{a#}_?YF=-Yz%QnB1tT4_SGee^}-iR2)|nS;j{{HhOzBJKNH{re`9zF z(fRYdpy9c+&rG2q9R9^1Hu%LIsVC$5$FR{g?Nsr!x-F_$(7mZr>2Pb*+46Oko5uwI z+pPQC5KKA!wSGW3L|+RcA%j%;KHz=Vy{2h=CLk(gP<9GI2U@tnSNjSUD zl)fe@)zMp$;sEV`y;;o-pXt4E2e9?mVO!;#lvOzZb#-lr38>X>4BM}$PDL+pyN90Q z{raPA&{dbDtNe(wGF4|EXV*2tb@B4pg}H_ z8VwcuGc3dn5jJ`SgrjLTrf!>lV8E?4I6&OB$_44f1 z+0~t4sE6Mf$+{Nh*OxR_g__h4DSaURg{-{@rJjn&<>#8Lj}c6z9f<}CBwaO;+@{Kw z53<6twkPU{Z#UfgU@_}b)Am) zwo6emvpD2uG?MF#pn=}4wO0De>Kc@KZeV0TH7kSZOU)~s)y6BnuMXLQX4g>`_^NBO z{pc$K*LSbk&fY5eZByE!lv}uvTae@0$$;hi2Nl`I3*-Yh_(qk%;S7{?3LWxj+U~RG(&IQZ+9NA!W!Cx zAHqGWH{`}o)pH`;u^Y#X#h0P_n!)OtyCW-E#u7GPUuK-(_>`qWa!f0RuJ-{~%cIfJ zccaO0GC-qKoZ%@=sH8-U{*q70kJ|Zi^rOcKvta@X&p{0&@+@Oqk{GcxStFLBGSCVA z=?Pk?dANR<4U~iMySGZPYoEPi%%o~&U;TDIHUi5EE-~ih=bUmd1c}iaFO!|em`o;< z#}6OEe&2AKZWZ6`I@%h8>?=NX);Q>^xQ- zx!=eKv^5(p57A{t>!eFOw;Nl>6Yg2jkdm^?z&*}~s|TZrEmji}Bo9UtEk_zY+YM21 zwV(pok=P8$1wp3^%%v6%MplTzP5Yd)cWbnIVC6$)cNTx{y>BMRP?y9a;1ir*Os!>6 zoaDnrJ}v7|19?WAWK2-W`1-)Xx+?C<-UvD&Dv;S@u`VKCSiCJBFVslG@T~WHL|m8U z%OPOZ>pDLf^5}uP5c)x2qe%Q9;!nwpaboe;F7z$)Q-LbOq2~Y{QHiE&WZ!>! z<_3@q99@DW3|IyNY~ioiz2C?~RL`pt3NLTIiR7GY8{ZY(_NWYPm$&r%{sg{TwtU4tk>jsw3ukwCbOq z=%BlYlL;=oOb+!FHA}P{+)po_A;#TrY@E3r)`Ok%=f{`-&GX-cpmUZ>@^Q}pqi>HI z=l_Grm-GK)eBQtBtch(H0!p(OMb`=Oa3sTUINZY-HA+Kq^o=MRua0n%E%4FaHBIAV zyDI?X-jYZhV~Lf1UR+1b#ShpB9#2xSvMM5>9Q#1=qnx1#rr3gIO&+%}%uoyNnVW8GM( z8z|xjKvkxbRO*^;FcXoHNX^1=(>~s-Ji!%gS~SpLhK`xOf*J@ufHFi&ETe^91sjsC zzPZTD5DLxE>Ki|5qL%v2{`+{Z^-}-1j_fc*J5Ln8^VK%P?0H5hUM!`%?BP}NoNvSO zlKk7cBmX;pn&-dG6L>2}KYTjQ|3{A>JglAnkM2MGa{vD*AGrS)GRisiEgO_C07Vi@ zd#x(_JyBOQ=idYKiZwv{Y)NGuC>k`OYO}%K`$oEY+eiCM)~29~yM0~HZ8^h*l2h+px69gR!n&ffl7bjm1 z{8~=ZL0aAQUe`6TTC$&^dnK~X-17k*`Q5Ytr7>XGF!ZX+ktY>O)uE(u8~SgS+uNJ& zfOOi0h8LeqgwI^-egi~1EwGIV$xd0eZlI>y{!_I9b}M@gG7}s;K!YEioe%nSah5}^ zx_Ndj^aUrmQCo(EgAhe6OA4CK6H+sY*QTUdqDb@pzr;}ImMGcbz@2)Hnzd)$D)fR; zw}oC+BI}xnegG|F>YTuDSdWA5_0ZER=Hg}Ou3?Mi8(f{951O+$Fh7K*QBY~)Y3%EK zD8&R|%U7A`z)FuQWvlYw37D(`qg6F1M^SrURv52>1KD!mbcfAbFC<{SaXC?UCnJf` z{}RP626;0m<>x_g3UG_6OktmKm$07wP`@v(?Df#hByckk{FjuFnXghtS?V+7TH=rr#$#z~fy^7g^#X!NjSkg~&2x9=QfZ||gd zs+(d#V)wzvSYuJdQps785Wctf``^D{OOoL^IsX0c(I4$}9Q*j6_V(`GL$5Hk4y}88 z9}wuFAJFrq(%n9wA9#X3?0rDP;c$rbf9xOd{W4)xkc8wMeL#O)(r7`FQSse>m81O$ zeL&D7T40_~GF;${ZqeY!v#r}LxqLZ6uoeqS@!nIWjaQ0 z|McW&bpQTnGMv1HruvGl=>8WVhGIVS0oe@s>Ms#-ssj^0?0o?8>;Jd^sr&{1+WUZf zVTB(Mgm!#DZ-4s7Tl4{)6m1YL8cBwx1Z7w#4#U#2+&2PEX^Qz8T@r$RI(>PDF35~< zl18Lt^_WFaAJsA#w@t=E9kS8ThTs94kE4W+56};SpeX0b8cjLmx|R&a*Y5C&Xo|jw zrb6N*LBpXS^2xx1;FI^gib}vE#}m7DHuJ!tn;zoX^QS-j`Pac)R3)YMMt#Nd4r;F4 zc9JOw;2y9b#SV_F6S*G3dRl%!Z2B(}0oeDyDzGdCCq#j67K9U&GQ=QRiS=;ESZsXQ zq6LZbgv29sCXraMJc-p(=E8b>ESQk5iM(O_`dDB56s0*?DfI@P`_=L!G*Z~9S>=+6 z2q!cxAKX5mDPu}5yoJl2n&GLw$h}~k{-Ur-&RKk7x)N>>8Uf!t|J%u{^OtbqqZ#99 z$v8nVk(ef8q=iEzYPv~|QzxPq6(PN-!dD~3n#agtN|z_?=7pcfI9ihNJtt0hSOV=i zV@QeeQokiNCwvme4hQKcEZ~VGDI!sX0mO+7vcJd^a=A_=euq9FUHwmi91MU4I4u@d zGWB0HPuLVE$r`Qh>!&1+gzm18=%B>v!DupG(z)4{tNTOAhN}nTdnvgYt{x0Eq@hxj zrwLJlE}fe>cLzuWH%U~s+9#v=NRt<;QzJH;B@D+3Ye8cYVJ;5BRyQp_I<+Y{@0s3}x5Jlx+$)WP_rEZi6Fy`a;aD@*wVjE+}FqX(1my^O_i zDm2L9>S(Cg);GIzme6SJW8ZRiYH}I08=;ddOV;Y@`?evc-qyi4rIBf7J-8f#*SanU zPUIq5kmy>xV8AZ*3AS|s)2!PirAb$xOGqr=s}~dUB%xS%xY>~HC)EaF-Kcd*B^K9W zoN7XjBj`?lAwvZ~=#YRJ<3n|Tj2jCGPJ`!pl3YTJN^?5uHxs}D96Td3T7c=jal&Z_ z#QFf$E!VPlYc0!7V;%IMLPSQmjp@fi9e+1UNG9y2f!Z}q zvhtlKsA~F&5CeNV*=WWZHqE27bB~c9;0yveX4+$G`%1=USE=krLiImO<{5q1@~$} z(2}NfnJ-bAFQ-Z~m?;K=wpJ}l35l%^nr9%0d7h?fw5jpzT##}}#?DfeS0DAK03{Gn z>4^N=d@~lG^cCPrSotOQl88kqrWM0voGpo5kX#@UajZyn04kYv95!YhrB5_WocsV>v zVzkh$6+?2R^QA^}V>d{#+7w6EX#Z@6QYO_39u{$w&edFpvr_>}EEzhQG$)s*l0uZG ziRo!lPstyQ8Vy+rtXYF67MPQB&LZMgp7p5i>gtv0cBQo!sqUWrEtP~#VFN(M({sWp z1Qb$nf42ykv_UFHxy?luTorCPptU>KfP(t6V>z zwgfp-u!?v-f#4W3C#)K+pRc)RDUIS|PhS_1b&l4)dZ!o9nnT&j+kNQR6-b$4%*)B%~N?J{kjZz)jGJyu-^ZA^QGj zYmD{2444jq^F&=mhuZa@gKMS`IpGJDp~C9#UzIrQ;ZlESR{$3x%TCK3NT>X1+{6br zWI8y0KTw(^96rZ`!Qr3~AX@Vu9H)7b9Kz$o;P?-d$>gwfm^dE1xVkzY{Q9fbw`MdY z$QjHxh0zU}j_im&#U(TJwQclD|MbHAv(%LhXmzO>2|5>}>pzH^wJIag_+C+SPpi=C zyf!UYME zFF{7&tEJW2CztA+)B6(OgH>sSUge3TS>i7760hOXqk1zPhBCNlONt9qtVnkE@q^6{-whg&x1z1TRwnp87Hj;Vw zN9r7|bs$fRWjaJoz>#))fQc2jzb&Z#7Rd!p?XgjrY}Gq_`>hXBZr)cM=rf}+jXrmu z3WOHz(h}Al4}MLvGW;g%_U8s7U@P;Q#RtQo{&fU5_mte2Ahp3^`IFL9aLUs4lI0>7 zcuodz$o(09274eFko+cfWBQYYVgPEcnwMkt@E!1Hvq}rK(RfY{l};#%d>tW3^|SU#mp%1e>ysZZKpU((qUoChKNH& z4Sg7^E}-X4iN5Vdm&riqJIaivcmXNxOw^r&nVL@> zn$2S81NY4SX6@YSDyA?ho=Gb!H>krd(&Bm6=6Ug(Ss6WPcw$P;6I8^~R3Am|IE`U! z4mr;#a6Z|ejiDays|GY!%a|Fvm~QK6MRvI&jh$y)eKXXEsTOR8ps1UEM=}!u(5 z`pwEF_w&r^2m8}4%*qbaJ}Z-q(Z?_57j4^!)#cuDipf-pGzgdPMRR~ej3Vq^0lBc6 zmGj~SXzF^Ru+!<ll_5O?b&S)@LFkixpaglEmgX0I zXu?zM%S)HO7;3qwOW?XP)r=Fx5ClwMdb%~44Ws+!d`*1s9~IJYx>AFvmYdO}g{PI= z$!mPQwcIJPB!-?Z%6Rs$Bzmh~5#DMhR>*z>UB0oa5;%L#te?MtW6Nr?Fs{ypkmX6@ zduckGy=L-UFP$ce)sWyZLUl7QPYy6n=2S>t0~NFA8t&pAIG|{i-5f|ZMMD*q(bGJT z+#UrOiRV7L8~sT878H&|x}O`CS-rFym0@rUTVOziS#M}-zqQx-U!9lz@=|c-LRYM6 zad3u)8|^5@Vlicy$NlXhm55)zaik?`^`LDI-QEj0t%L^``>=q~4!#WYbZ--Owc&bj znUP3|B2aphgx!!Bm34h8=W=ym>)QqI`iF)Z2J|7iAyfE2Eiev7m3t?Z-w1P#7Y011 zr1;H(MhhhyA)rP(8;{WVcYjCEnDZT4vz$8rFNI^&gfZ_A48MyemPZmu1vpZi`WCl+D|;d4^WY>YVBx?41|;Pbjn8S!^%094Kms zPCW#z4s`qS%bmil*<(3T_}uJYWGG?B=P?fu>YaoIE25ZaR0|Z%)HHbx4M8FqL*>Au*SB z*cs(Q>cM?OX8yP3qe-992$Z5_gz zhO<2Jjc#lK+Yl8toEbzHcooFA##A;Im(7K@MqBVzSs>l~rMd^Ifs6fC=5qI5huxv7 z_1QePnoAb6K_u4GGI2sn8bLS|q6P1ww+A_08#1(8N(M!`S zwc?;>e>HlzwGrC}XcRy7n7$Z-;@sMMQSDorf_Vu@L=$pYygC<9^l?7&jMGm1#7M)< z$sVA0wR~ySob~$qH-O+t0+JUFA+-lp18A>(2q19f5S^dAK07@`-=AEaygWn@cYlcf zdUEml5T4-_G!MSE?rO-c>R3<#jG+$|CI$lhb7CrtE7U?ALS8e>j9w}R z$`X?$USCV+7w4zJ@y*LnQ&4>md*>MaQ9y9OpN_}lKQ5S%e>(nS#<={`A2Tc$e{zVT z1kCYxoUjNds^Rg&2Si@Cu%`7;P%^w)3N;XB2V1Rl)=EN zo{+kOIhb{6KfM6O*+bvHarNEPY4c?cf$(He+JGMQ{FyE9Tqq_nNWJphwx)jT;GzyR zvu9qhlq%lq7&rJ5)X~v^--Q)wkTeBeNSWQ=gf+cTJ{?2VrZZ#eesMu!%1uzvwumiQ z%6LKJouFLNB@q%Yvt1z3@Y&Q8!oS!Q@Yx=MZgD|?iD^1-UcY+++F{=}KokYkw%!SR zcZ4A5mRtqhECEb0<(B6-C06=;Rw3S5&}MIr6>N3@ugA?Rfp33 z7ha8Y-WNaq4U zP>fXRn6u(e<;jqc3&Mxn2p>Thv_qx*k&MFWjBg4VaNbJilChLQ}V z$r|YhVT?pRg*ltcidjLh+rvG>#5cQ;^%4aFFLY}bKcj-@u;-rU@fd0j2 z@KkYhF!O~!!)$FIWIAm(*&D{M6Ncm3bXP~?d$xk)Fwz4wW?T5_hL@oda?EUwV2sWi zP$0xg2s%&IMa1xmO(uL2MZjDuiqQp2$Wxj^G9h&zDa%3GZ}l`eR07wBi@8&HA4lDp z{x{1Zl2J+d8?5i0rmvcgRaGIRia~TpuytIL+Sr*OquTIa$kYKiiW#9ic;iAhIZ+>|B484AHWw*0g(0ph?XL;RP7=BzukgDI@^emv6jrr#e^a+r`+Y)Zkv)^>qfvvh3WqZ$8SNce7QOMNoXxEVAgs8B{aP*{Ha0z(P^Bk>2^Uw(jj8& z6fYY;8}Qm3EUa&|uF|X8r*qX|MN$dr(>r!(k>O;_R*L<}&G?@EZdlqf5gL{@KKTCV zzsl_u@z~SieyxR%j-ThbZYEbd-P^X>CTD!vWvi3k+x?@Q_h#fxPIB9&{+cszEqXfN zRm_%{rebjX(?1UD!L=qtq==-w^)pE(fph48geG#^#I!UsB;^!bQrhw{f=TV%Gz1BF z&Iws&8*Fx+e}|^?Az4wl)PpI_jy}u^fY$I=BzKz8L?7kE?{-8J2m*nh_y7Ck)l1{6 zdx++&Odx6!l0va^(VZr|l)P$q|D5_f<3k+$QDDN?u=gUm4 zFU#P#017?jYgRhFHilt3xgQZTrygv@^CMg=YqJYE%f|_ANY>6*120 z0e4;HteYsmWH|Ozx7Q#8jMP%B+LI~DkWZZ~cu6GTCSk}S7-pQ+b)x)m>ID31BW01$ zO&fwRFS4tWc!b`l1-hYv96A6Y5tMO|D#0D11zwp!lnhvFh=<6WcpAPnF4e}dPmgc| z6GWCFYR-IFik=mr*Ghc7aDpT&1P0zRi!*Aaa_Zy`tOt^Ej@R(!Shj&kHW@9zhzF^^ z0M)}{gTt>ng3;;MH3vyot~J2O2NQ7;Upvv)*Dp2ki6Dm6%MDtOUD!^IE~b5 zK(tVqela|g{`p!ht~Ntp!OlvI*)LDd&$@?l60@EzaGHX1fhV|aK2M0SvcJ%wp1XNn zZU2%@_uZ**^X?t#W}No~Pj!S;hrh#Pq;m!v zpCa7{$XT^~Q1cLRJtQlQDu;*xb9;wK3GfaMkuG9r7h zpf>y`$yeZ1$!fgW{A8KFy%bJy>8{qF)A>|OSC(N}lWKebGk$BtFjh>X)&;zID zv2*9nH^ZX?Gf(58UHB?HN3!o^aCn4dwa^{6Gr?gGcRL$x>+hDm>#RlRHTz zr&c~%kW$ypbS?rf9RvpTDOd-w>d{+Cet5MgG*E<1bK{R_{7WE{0MlL^*g7hyCXPm7 zuWr?Gd)FPRP1m1cjL|sqCSQU>EYHq$2C&9BrtZQ|m%15(c0EdpSs_Y>O8OLn(fQtH zxfvGc$I#4Ws1LXCJ$)6ceXXZ06Y(Ys5$EdVC9=ONoz?0iSfHP-US8^-z{R@L7OX2k z%0!#fhsI`q;QFe)g{@(|s^1=>HOs$IDk?D!!K5hc#nN)(z%X2?PU`aL1XS2~ib^Pj zOvEKP7W=W)zj<)gKWvJsQD%p3mMU{)r$X`cEKjTtlk4GBW&y2)Pj({562c2suf4!J zzv-$c z0o@!Ic$)$oG~@-lLFYxCRoxUvoC#6!sY7_l(z(@Uhvt3A%#Y(pOQwph?_|Izw0S0z zY;fFkP@eNF@_lbF>iSj6zRMLq%LJZWBCLOhtn!tXWr%9g=bEfR4*q&LP@K~}s(Cvf z9KZi{#}V}t&qnD~3~kE?VVB~)Q(V~<+9bb~9iuz#M!zDg0lYGjN*l#GZVvnja$Wew z|Hx7B%_)5HTo=tLeVmy1z__0-Cf+}x-$t$r|J*-COnhY~pCZ?VZvvlkmw&2U7tKk0 zf_?otNkY^45Af}1iQir3d`@bXywW8M1$e5<`Sd+PZ8vaxnz%x zt0f>XFkNUmcm5oeE>2Hw$W$%o-rjJd&)!KcSy2z()Gl3ME|oOJki1Q!{L_LY%VEqS zfmTPOqlcsWPHDn2L@Q36XA)tAq|{l{K7^{A zOk2;l9%C|@Oddac2>+c-CiVY*J9+fztD}dHzkT%h(b3}vkH4B6ef#+F!>`cfRxu5H zav?GQYO?cKb>w~{A0=CGMor$J%L5lUSG4UD=^mlhM)R(a|14y2N^o1xx1K6B&sV=s9P3c8r`~ zbYC;Bp7W~$%+={Re6NK6Uz)$Yq(Z{)S(0;{)F%KxDH)q5nAd*XLr6p{BgbV1ig*tp zgBna{Xs}ux;Urt&BMnX|=vdDdA(oN!dogZN5Y_L3PH!1GJR)^Id zEyXHWW$fblb$+n2GqAK3fpVFV zsIuQ;BEV%qNK;D{S36YcDjXjWOcywi zSl-neV9xP+GZy@-lE2%tV9~wCg5~$0o&}$&6BQCQ9-~aViRYraPiQJ6!Cn!tGXvi! zQhZ_HyI^4N57w|*PGwjq2F_RN_}>cx0$XmZs~PAobfPiy&8NPse)-(`r(*ws0>Y&Y z2xrvZV0SVAwcCI0AAS4ian=5FAAbH~|M>`?&&>Ywa5O3GKQ8-KIkRp6s{QIQ0+sfI zngyu*p<(`U#;@6a%3pdJe#*Cna}HL6Q+>tyS7s>G7i?BS1W7R^fqO#{ccR^R=NzZ%pbR6jvtG3KzNite9=vWD#1@^t@aO zbky3o&!QQyL@rp|*{r^Px|fv^W~;uqx;nQ2kz}19k>XQb9o2AYk;uKB7O3Cy=})I6 z!Tl`pyE6ccjwYRr+e{GEPo`AN%}5Mc$E)-u@065w@{ISuzA82~eY=Uf#P42`bguN` z`;Q*=Bt%aVzZ*Icfh(NQ*uC+zeTHaBgaD(;G8a;Z25HYojJ_Fv(}NsJq8uwS%tp{# z{FTbZ{x{=q4mKG*sswon^v!6r!RX)o4#w9)Q|$A>V6gx9@!v;(AN_rN@WK4~^}%2; zIOqbJ6@~V<;4a;<#$&);8T`_RyR^UJ7bdHG{tcPzg3QS_JO=$77Q=`WFa;p;PF+a~ zyF%v_lvYqZ?j5dkZTpnNj9brs{prn7Ee|5q&vtC*EV`Qcp|htvK-bG0+=&I|OFbwn40*ifM8a3X*A*%daPpAGZ%wh~_7Bh> zpP-{Q)^m^IwzGIiQ`@ekRiCpOEIEBuSjg^T+=f7@H?pvz^}BgtT1nGS7e{re`JfZy zR_<=Td{jTfLbDGxP^h;);k4|U?iFrdHCxcA&;8QYKGMF^#_d--T^Dtcdft3dF9lmW z_qXi)P6f8F5})&=OEPb8c5Zue*3Zo;K^Q@Q^uxu=PPw3k5EVaMyae&mc2st;t)5QK zlg{1IA=3MapgsbqOZ>E>G_>5*vPpudgzp~x3>m(Qh&2j=wy1O?n%0vB*bEIf;80`3 zlN#I0MnJGB1mFjpYPA231^IJMI3-{bjfo_D3Hi`WPz@G>MHGDfO-7@`N-jW19i?un zI%ivHE@h^!hBb>(fv}V~T7)NcCchDgE;GiZ2{KQaBsxgL39C_{Xd1C)h9#XQ#P}H% z*}E98W-Ba-z04CyvxJ~2j;=`>m-X{o$OH>k>_IqEVAK`G2%|qgzp{o~b5{o)!`SD6 z&k#nCZE>h#UNxy;%>YrH;UB6RCZ6=wv)Z;hQ-M7@&Z$(EB%Kd)(`iF~` z`cc6;H^0cI2+!3zJ4~ZmL4J}iT`?3LbDk74 zH8~|cv(z)JUJcNP59K#GPwKNakEq)?h}m+KwDJP!q~tQvIp_?gpT?HDDngNtss|M+P#{LcOjjsHIC+xX!3 z2M7PDdi5VMUX1Ns{DrK8pZjf{EJP>Fy^AZ%2$64toJ zAdC`7K{`hwQEL1CI1o|OdMRzOBuufO(Mj&J6L-_(sqO6W8UTb`Q9JP(CkmHH3R?|Y zGE>6OreT&0U8n2@GGTJBRdiQQ15^|yn{t{?-}OBuNx-V#kKJCBU>t8bQ$=nDUrPoz z7|nN14qXxhSwf6r{WMNM`zcb!S^92As3ltw z%@VuOtAwLHY_)iDzBNx5HXR?lWUHSGCS#obq7gUD*p&T_%&TwRPBQ5Xr7c97GL{hR zGmPm{5`97-p`q^;-|?QUylJWSftfp&XtnE5#7V5U11EvknysaEKAV9D?^e>9{sKfT70d;e_R+7bTdVe?e&V_tA#O1o-&^8$W-e0}ucvG2 z@i1-|?8~C~qQ`!q#>P(VFE=xkQ$K;A`! z#MQ801sQTXLIovRT_aiMlZShpdzF|gF@n**fvzB^Bx3`!zc&)2hlo8P@YVT?`Y5xXGYT#_Org{l=>cZ-BKAKF> zzRf*tu9)aK=Zu$Y*%l4|Db|!MZ*_k*!BtjN7IkdO#nKB|`V-gK2c0K&!)dcw5CPT436hRLQ#*r>di)P*rQk8d9{&YcRMl3{Z znK2Oz7b{j^*MPt3*i^f;+tQD4g?v>pV8G>bm*Be1y^>uq5V+LTUUx#DuKA6s$Rqnyg8oZxGpg`h&=(@JAkeCZ$1 z)cmqjUO1@6d=AA0{iMR_`pqolQ`L2tmTg)VtBQ3wA1hYifog@5qL87fAV^n4Pd_A7 ztYmM}OCP#u|3=qSMMB~W6HiMmUNBEzT)3QSGwI z>3mMOQNuXRvf!=)Jhn1n&2W;atNt^?PoD)-d|#WCB~Wbtt*+Xo`e_zCKpV>jpqsk& zI3-`3w*pQet3TQYy%t+y-!^-gVb-4&tuJbmx;m?DDlE^_h{ayB zaD(vAsy%Aq9kxauu|LyL?ms9KaRNyfhZfjd`yOD7P1Uzg#CYK%9{`FK+r|;*G1`Co z`?uS?b(-MEn8Z-4HkDWFY&WyTa}T_VW@_&yk!}F6pPh2UlQQ4V%Sl?aIEuD`MVR3(?zc zB0ieje|YPMQNcOeokvCYs)+|!2MQ4Fax9T|RQp{SV~>H(If-PMBPvfNO%RqSAy~+Y zlx8Wh?`hEjr*nAAMi|Xmukj5r= zsJ>xW9@aeBCBPmARxTYTUM1sQ9b*m$-7~0rN9umwTM(Sc1-wawU&g8-oX`WFB??+; zDCVsK*y;H@?XmMZ{04=}b!$mD)GrB*4z<1@F;&-=O|ojXRLq0ElQ;_BqIF%7m<$hbp)l zJ*E$;ol9ijB0G2_{A6Q4eV%UWZ8v40&dqyfUsl~!m;t@gXzeBDW?S>Yq&+|I7B4pT zqcf3gz;Ze%ZUxnaBdj&NTVaxA@G;3dvCd_BrBs0Cyv>TJ(YhAoY-V$aC}}X~S#+q6 zX30ZC57W_`2J}>mHPX)LDB96z0Ksj)hy+3M^xGz1bi8l zt^aEPo;aMZ*~!&7+mH~{W$oqQQW z+R@TVySrB8U8e08aC>sJ`VP!$W=`)hzQNJfy@rx53Clb9^0#udU1?;z&i#cegUuvR zx`NE0pudmCP|r~X8S2*h&9Hd)Qz0}&#JfaPeJyWZ zwg-zLMAAH91w^p;mo2w5-NGzUSHm7$)UKiS=dQj!oSy42<28KRm<5WFQ1F{iCDjaT zJ>b9t?1mv)=J=1TkpNZ<47XwEJ;~MK5_)G2p}Uc;7jlxW$jhgvY@3nxWAZ}2IL ziBgnqX;lkoAAMaFBBD&oqE=WtIoTgU9fY~Kv1su2NJTO8wq-bz_G!g^c!RPuI9h;( z65!hdlIN*F#2BrTb@?dku!vzRG|i=(b5ggc_t($cSi!8BC39>#=SRU*}8mQb$qhAZVe|WC39VM%cM{xSeJ8w;SgOeNldXM$r|CA62tm& zn^Q?@QN&#rC*bu;gd7!!&Qr!otWSjtvLalNbI#ta%lu*$KQnA{Xc26jCiVCK(J?p_ znaZO@>ECy#aS(7!YSPxiqFvm3U%rkelV$t;tCuY5ao6gyjPz$tV=}4Of%I3Bfg!J+ zaA3DH+p+MhxUjMqr*Y{D6>xpBpHrM_Ro^}#gCoo)%iD+al1A5o z=XA6g!2wd0arIY1d+UpC*9QC9@NJm0T5+$a6IyZ)1&tx8u{hLH9}Dz< z@d{tU4Eh#`>VDTnI+MuByknsn_;>0GNaqwe0k4`EJoJnhDKerP6~VX&JA@kLb3a8Zs^dN^GpqreD^#Oh%oK;|^>bUPe-Tubk?%-+tX%C?`J4%7N#hPLW zF0PkU-U-iK8rW4ipfD5a+l(bN>a}n_aY$AqQG#K#WWUfP!H__oq{AOBm8cZszmn-# z?d-8}Fc@DFIn-1f+lk#OAxV_;P04r(opu*I_Lzi&cS)sGr={X&oFbA&e4VLpB9^Aw zIkX4JeL5l|kd2o?udnjcUr6=xw&uWZR1*}duTBi zEKlPLHl;<3DJ+)AGo>Ke{KCjYR4&=F_4d+(A#VtsFK$JJ{3}4J5JdxbE2CJ}D=qY( zJ%a!%YzR(;m%`ND2rzBQT^&Cm8>5PETE&SRow!4a8 z1rsWC@NC;7YftCI>Z_}cPPPRbxOQNLvlzZ2g)bT>B2OR$Qb~hOzr?d5GajKJjc~|-1@f_D=~@`bn6S2ucKN>S?l@o@ zpu5Mr#3WJ5TH!CN@8z{915oN(Zfv`{!y0V1iFm;=kVY#9;)+?jVvo&w66hKT4uw`B z-eF)kE6tDfFb(|#U-y(~4-mV{$WI){{_uJql^}B7C5j(A19L0?Zw1jL$$Qb}9R%nS^(<6k*7wpaI*F)h^6%IJWgp*#HQo znXo_IPnx~F^et%{nEgh32J{w1(X@P&3cgAJi4TqQmO6BBy4I1h>K{rKn;)ZQk$>*kV0O%4-w9fV?z7|0F3#Qd*!MyqM2jMOwH=%RTk~ zcK&8EF!(kSOD27`%GJxu3hk@U7B)^--#=R(rOMmi7V@au2p8cunT{CfdG+|l4P90^ znum_staP0cm|Dwa0c>n0=y_id;uiW?G<1+6a4VI$?V&s zcyj;oboy<4KR$X8P5&^%_v6R$V={U4?fvPuld<5@7_QK4EE56sLRdPQvwJTeKX`aB z3YQP>b19DSWlPXtgJ`YywbPUB;tK2aD^E`phnSLqu17SA6c0c}%TA}R(-XI~ni6>@ zIR+n55D(X6jo!*cj3WG29dU0XJc_t{yVK=Y4S9m!Rsqn9BvfhoBG}SWY@|tEp5>97*Z7pYwj$R8_=caaWcLS>|V|IG}we7r)+q&er zkmlOdJ8b!zt41$h^fJIk`{4%_bKV@lf%muJ_x5BQ{=U#O{6c5zWD0YhMSmsJZSIzT z)?J-@B}7@=km-(zvY@b+68;4|N1etgm?p>f^{+t>@s5jMlCYaMoX%;epl(l<$$?`M z85{K#MgUJUrhg9c>?u~7yyPr)4yMpKDcHf1ea?zx{wE&{lxj zB)LFX^focv;L;fCThWhotD$K&G?)0{i@<{DkFN3ufu@M2P@yXUQ}-vduQagL!F}6N z%Jl6+Dc$t9OeigjUsBO08Ap>=W%qzI51N;?jQ{+kc{`E%+6>w#rELV;kPCd@BuP!g zd{KRpK-pF|W3X7K62C+H#pMoebnx<QryBFHPar`6Z>)v;W6Suwh+N6Fi zo$EvIW|gFKIF3m?HkDJ$n2NUT9J&)KW(vGdcb@z@AI1wNLdiL*lyI6?L-%uq)6Y3h z^n0@rHz7*cEF5f!X{tlDK0en^IlB>r|4oSRX(D@Z!c)`b@=|y4T_tg>t6%+X__xc; z;dzn#D}aRI8hA1-Q&AlK2SnFDnIJFLALNF*`B1gLV??jk8F|e_N@s!479Va-r*@`v z^Gy!5c{n7n>a3X>_?;NGFeO~a%5C(c0=3IE|I`PtvY_>S*khf{ZI-PF=QK8Op4P-g zj})5Wm4;b=&+(F&CAcL*G(gr!0l(X2-pwkfKQSam1 zHtw8Jkoic)-xqy5;u%wdC?b~Ob z-r!VSoXBhjIsVN1pL;<$M3$?l=HvmD*P!&*YGiS8dev?1w= za+bp1K$j(r+yQ{^Beu*EB2A7uxJJ-)4kRfvBL+P@4atnX{17Dsa`r1#0JlcMcWtGt zE;4svnWp@8_n7mm(c$~+J2piD#DD5gI&~knS4MmGZ08e~<le<6KvKeuh|W4G=M z5A`58s9NSFWT$^|{+IL6CTA$)O2$j{>g?(j!cyYs+BoXY7@w24^0K>SLg^XdobcTj z_M!r*va0r{TU$~qVa(DNnGwp-2)Cn1W~yldlX~w~ppFQ%Pu^iAfsWC@b&628Z8kVY19%k} zv{q^gM`wt{uJslyX1i|7X3tZ}*XN9;vN$gxIDr=oXrkhG-a}VpnK6#}dIxM9Ft)wZ zd@Qu3F!h@*^QqQ|`e@acSC@@$UV}U>T0PUP0+<^NSK!Envy7xpN}Nlm7&0s(@e7-v z*@RmbBvAJPk}%w-l*i@OrD^O%Gc&)<5gv)!sV7hz7UgTU z#Q?Nx6Kgy&tmXC}yA`;YUL4sMNd&Pgi$!Qi`k`Os8j$;rpGT0e#?n6@7hxfljSB#-oI9;O)yCga%A14rl zf)h?~ytb1n)(zgC*&Kp^_NUk+^C-i?A?L^`r;>1Z=QpvofwO$~SJ~QtI|-56+)L4k zC5no#sVF@4=bYu4J1=6%O9^>)UPh05f;Xn?B0Y{|P*;sFX-Ztb@%Aj1J5x0S(UDLg$Mgk^swCJs{G$~Cd@WxErgKcYhsrnVY<8+w$%&OkQo!SM^c1+ zAu%tvC~&;u#g6Ozn`GjCUiK<;FjeR$)a|M}YkG~mE&&Bel#&mw7nBRd zji#n<2TU8s*G`~Ti*W&}Zz7I%3$oj$H30#4-|1fWP-?-$IW-1PtpLAx&>X z6Si7isRO&}Q|tL~o9DuYDsR`R+Vh>}W1prU^Cay)MLSN=yE#3#IXTO-u?2ANQ?t*B z+3U32@}%63Sm9H$$2r(}25yk2Gko@SoO_(8A9R+P(_nF*zOO1(Se0Y2ULr(q+!^DD zlNtQob;y;;5gHeghm!|r|9i%#G>%Cq6;QwX;RQ~6IVWG1t!wpbD)(~5dHXg|Psm7E zYd>8ZQ~2rGvkQeYNV?A{H4V-Fx}cKuI7BOUWXBBbo}*z)@0auD%X#zVy!m%JZ$5h= z3zr_sKYmi37Q$s%h^v>EryyBQi7!`lx2!v_198Ni8o*7*5viYdxyRr*wkwtB5@9ix zxZIvPZ;>4iMs{)@K-#eIL(8rLR1Gc@p$AvvZhX;EV|R1!Svq5e0EQSkU1H?R^AHn> zX%b>yaM{Az9}9dHSwo0iC1R)-cc@l(2&1>XR`oEG3X%6NBXS0ft4V8o=`2*MRtqA~ z;WiQNhb)2siRF@|?WUgw;-^KYHqTPV=QuSb>v8f!O1o;?DkkGglMg2~bkOAMV|?sR z%Nnsfm7%KQ0ZgGs8=3~_r^Zb`-Jh~$#?qkQs29g))t)W5cHmf>!rkKxZlP3evY;FgCP7gV&~c8~(4EM9`=O0~hf^Df4!=7ToMSMq$G_m?3V@TVf)f%8*)Y>i8T0_5oPrde5k^8MEwzrD(XQgtSc4m*2zS(B%f1{@ah}fR4F5yaRLtB!#urC*-bixn(rb|P_~EZ z8zxuvq%LjMdg|Ra?*3+H4N)}B$}I%sSdy1?=@W8;5^JpMAQWXqZy{$@kF=J_c~13L_B_i=@3oVrME&_P-?7bWuByLoc)}xNT&yQwS4L1(3Azzg>zHpEPYG- z`IY4nDiDsO4o0^wz=io+&Q^@-svGmSzvrTi}E21>G&`%YB`Z9aMR_w~EGQDB9op?AYe6I6unPD^d7~~dxz&!7DI(?6)~&gNavRk(I>&MML~ zDFxnyZ);yT0~^a|p=+PTrV<(nRjA$h%4X&QBaiR-t7^3$4jJJ~95#km?J2gcH`{@m zkb;U5aDb2YA54x~ea*uR#(O4T4;5jv8(9}aQ|lDrOyWK0EL z^unWPU0}0dH-G|*=?uyos=26d7C8723KEapAgOMQ+fKg6_SHE^cGCKF%07C37I1&Ry2ry-128Q=4 z9@F}(ooCUycVLg7*(9AO)>Y3h|m$I3#8hhi-}aRX^)YcGF7vP@_sA$Kh& zbIjv}2vHsmrf9K_T)mquD*1Zj2P-MbGV51T#Wbzx-AkOVE!~}crR!}5_;{-Mfrf0c zT~;ZYQb}=gmP*1`p^Cwu%iF?Pb+Xl3G+?p1!BpxJMCM(GyweU*6eqyPY&HXjh0yLc z>9@>d1hpekfg+qld7`a~0?8X1X<=BSV2epSPfe^5i4V)IS6I~bG9tQMl9*yi{F}*6 zQD*{Yv-c~)>hi51AyJcS6vxSGAq3mRMdbi1&0%Q$D(^U<7*VzL@5I^R3TT##oi z!e@)8mKG@rHOS97nbEEEj?1#UBT)e;RI8%9DjQ3-B9*u@5*xt8x#uhGLmg6gA-Z&x zb{KL~0j6saBv|xORD-*;QgNYx*qV{m5Dx14=b}jYNJVR{5#)lect@C1B2U1KuPLGy z0nyk_iHH!G2e;%i{kWwWddr)vVUs?W1j|vC zi-P@9GQ-hz6)iCLpyKvP;%c28zV-FuvIZlx*Kgx`QSSKS4)Mu0{HMQ86z0$H#T0g- zS%ChRh)=+a-XFM$L@%c@L`x!Zj3suyQqq4f2uNp2bxuDa8TdNsZ@&8S`OSUo9*uY` z#^v7qr}@+R>y6fUnQS}8WHOmNe)tgnJDE(X|2>*KdUXH(S4R&YfBWe1qocIf&<0v~C3(Sj_o70fIn>B;%oj}I;@ zU$?0bRUE84;pxS*vfzroE`bTr`d*mkqc9*X`K|k{tfZ+Jq7x{Nc0(XHv}6{Z&{c(S zJe=YLr&0B28=_Yf9I_!lV(i@9A|8+LDNYzRmP>#9 zYKF5ZDyM6^7N=HD_o`?dh6hM&7Q477a0346?gFKT?sa|Q66{aHUX&x2t_YWilZeez z`bz;@*nmKF>4%J15XqV7tM{R&@ZA!xP3|_7rw%+_p`$(z&)UqXw4x$n%VnNYxgNu= zr_)?AF2+z2YAon{hJsiRAiG|r$@h2u9T@+su#EUYS$ z)xn;EIEC^iy8Lpz!C8t<@scE`xLN1wj@L@9iWsUz=(SqzAyIGK&||HL4=im}R9$8y zs%*HJ2&L_Usg+dZo=5Dp-87aUu4p>%xX-<^?JCnKzcoUq>!#Lz|lC=1()vP7Kc70;L7HvhG(1wMaP+tecI(t;=HR&R*c4q1j znG#+2U$VA=>r}LIuFGSt)xXhJj_k=RFKnU7%Aspb%|#i?)`w?g{r-$=Y3T=9;?_|D zqt`Of);9~({%(PKzFnYx?-yt@=W*`?2GAsp)?R}3-%<}Ip?qaq1w9~r-Yi0KCk@PB zLF0P$vO<7rSUWBJGMEy#F`3q7cvVk_TcNlbrH$Zcvm#ysoOiS6P`~9^NA~%}`Dqno z#+hUhOLS#MHYLt`Xs@+Zy2mb*3;Up;PCpd$Y-=rEpg-M&YSOW#)F;?+laj-DnV+M~F1h!;-18^=u({610geSIb+qUhT*v5%% zo!GW*CvR-q_RaVG_piEDx3;#rrh9s7cWZ06XXfdCxKy>41^GLlMTL)3U6%tpC!9gX zJweVeXwG84j~tt)>gKz}{Nt5*Fm*fmrZk*a6i1f&Q)bI4@@5Eo}zJk70K z=uv%wLp>_HLi0uwuDc*fSS7_vA<}P#5z%h^$Ec0a zpTlN>V+JKL*iEo<$Uf4XX$Gz;yx#lwV#B#Fv?wnq829yBPTS^Mw6@>c_2#FdVCF_2 zuSJuT{pTyo^PkUCH|piw?l$u;zo)IQE?b-l%&qw41m`o` zjJILA_Y1Zzco88CGPFKI3GTD$t)9>K9b6zV$+%z|PI_I#<5e!Aa5vnn*}6*V zl8#L%D9p~PNxltGL>#6`BrDz8bh_SmMP(X|`j`YJ-94Lm3M*9d;ZDZZlO-~gF!i(~ZKrrNa0){g zaLUf=LymLop3wU z_D}9EN>ETxlBV{YbgMCf=7Jy|c#8a`;|B#RmWI#+mIhm^P7qeV-4sL$?J0Y$vo&Y! z!#UR^H!wCLji8tHUsOHw`+Ga*cy=F6{$*!+)9XDxp8DOo6Pc8m)m^C1ROXXBIC5z0OD>{}5ozd}$6CmaS zO<2m{Nf8H~eX^dyR$B(*Dn;UqQnw~-8+decA} zTXICBAv(ukfx9(;7fx=km4Jr?n1UhoV6Gs{*gYBO_X<3sp%X+g4lB+bQ%M9ds8L5V`l7s|lqa41Wx zbVMBs?-f(>Q)AO==A~;4NE$F3%Qu~GmQ0cPnzxlMW>C2rX4BOaR1z#DXUxyPEh41w zS(n$}&_QTIL6ySNx&JZmI1yUbFF~^kR{G2c4;BxAJtfY%$RLeymPy@n%OP>5x~l+9 zk<-(q$frW|HERHMxk7B580!P4CgaG3EVkCpRl-R2(d4U`mv|}UJ13NjxB-(*YBSnh z)4LOrJOUByfs!upPA=0YiZA|)jIDBtpIc8kI~xg1;YxEJS1%x+#USU(FxA_h+9OA) za8HWHLdM3>D#g8{g%-$>pPDbTpK3I$T%Zs-l;{#20X(lCL8mbIh6Zn=0_VE51ojz~ zw{Z1vVqxWvAj;3#KuY}%<8Ul+R!Jt@+>ayN+3@uH-Ctmo7UR#@aGJ5DAZ&jMGe(7H zT`JA+FLH*%u6K^$*_JtpGw}TbZhQzc>GS@T>u#-njBB5?t*h}9w%Q3uI9oR(qmEA& zc!c7ae;Dmc>rDARa7PW?3|X7~CTz|<@abb9>UNREb+IE9PmGxZcBW7`V5zVSzTjjp zZ*dSc>ly8Ku|(f>2Dx@aQ4R6H#~8(#3I$VSM;Z9% zZXH2F;i%JQ^6kWI7`cIGG&yTUB^FQfAfBwPtCkdI#s$T0y~Jh~a`7XCh22Ft_T-^7AwHb=o)5%Mwfucdr(DF3da{(KKNYsv2s9@=jBwsS6lh{Lko z-dufzw_v6b8_);00ga407hb&i3(FFX$YqR%6RG<*1Hmckl)#~!Eo6p7k_&&zCEFkM9L;~#q6$U-l_4!Z20kc;p(WuMxIWAJW~oL~ z%52ij@N>Jdd9$|GBY|YRDwU*>j3L#o1k{XSRPpc4rW!Xw$&R=}U5R-*lChNkin2$c zW8v$dr$;_QX|>rj48W`8Ez2_(H3%Dn>m+qO5@(muTdLn%VMN<-0Z$5Kq~np!ZO>fP z#AyUwBK$fB4-b#`#|iQeUh$^(c6+~ozWZe__dnSEyT}oJTwdRomt2I!@9(?Z(cP5c z6>TZa*^gWVcDoABR{6r8V(DHi`}}n}Ad-2%%&%cmKuS1#-pzlAV9pD?cBsU11RMsW ztAc&YPY{B&HkiXC@MtoM^MUB38YI?`i40#4B8rrUu&1SR25G{^Wfzvi77D}{2E5+b zh-*L3wC{4b(#z*7bdpw~EqNAwC0D4PULHQ+zLFg@z3qKHrb+P+X(*jC43yoIJUms& zSi*9zkco)%ZnwjgV3!0+3Lul!v>7?!6qPreUblPb2G51YEweA(DHGJlrJRsUkbU zjAG{$M-`~*(tdbJh^UfhBfObj8Kbehh59g~hm03ZSwTqB%S%+Gko$y7WT8|FC^@BT z9LWw>K5mtgLQq~DvDiN*GI)n6TCfJlCjHxio9v;cPojoqyV(T8>w%u0#SW_XGjn6z zVuUW)PLEXpcYErOP`^H+hdjj%*xN`rCmhM9a09Oe%1bId3ant`;@gSi^_XixExAj} z*0lmqho~@U2^l>D3?|mR>7q zMCjrhxZ*yngzhc+U@_25rx7fM$r<9%o>rWH`I%v8cwXILYy(`iFZJCJoqHh0bl8X7{))U1 z9C32>^i|6ZwEKnk_s=lB)>LE08}eAQT{RaVqP}-4LNu5)65nkemhjMl*8oRIQ)Ys&_%ji6lRGUPsM>a|1rg6^ZXZp6UN^oGR5?Q|z{lgw#?z#*~AME!!z3$EL#8HFzwwTF5?4A4BD;uUPT&GFI|(dnNm*X13x}zhqS9s_Q)V zGvL=+uGAOz`a1ddxwRvp<#D5;^_oua4$!%LuQsaNrS?IBmF>>WRzLiRnZGyS^|M!r zNiJLd>fkWg)#0_m-|O&{O>eU&z|h(MSwU8@A5DRJCc{{=D!T6lZ)e_0@o81l#S{)_(e^3tCX%hS%fq?)A5>0MX!KMe0mI=Ywvt z@H$3^^3mANDc0{(LlTN$Ao%#)FGAT#yE9IbY~j-sULj@pMsVZ;2r#=j=syo4%o{Xm zPxH_C^!rsbW)TyouDflO{dZ&A(ka5fTS*wHHM+r0(te3WtF65@Ip0PgZP2(k)><*r zLDRxu)3$TFsBNSM(=*3ovVdFVMhIoHDC}me{{F{;G7*L0ox*_HP}xz$b?`Kseqox9 z#v_fDK6gSZy)QV(#wuHD@C29NB;4dVMVWU{Gec*q0Xu$HO@MpBEHvhq^>w53c)m^V z>uqRD5{k)+eZ+cV3RJ@{QLt1X({ixCe6VRhR%0I`eqH!(c>K0Facm*RP{*{L%q&y` z;Ns2{>ndusE&@YqN!&xo~=-n#XLZT}9n@6y}D-x>)0n|D+*Mo#Hr{`G5*+S7efM9s zfD_c-i+KH8`sfAJ@aZ#HV9eBRVUQdzBJkMsxqGv+zv*>2Kb<1$;7iZHikRMGr zha*Hr9Fj0M|6A5Mpi?iF^Q168QrnpM$6NI^cauM^b@?b0Oyx%}>O`hB^-1t37aiBD zp52H2c_-YT%0qHJ?DUw!$chD+p>ixmve&c{KsGmhNO?R0K8@^N4IIpb9?Kpr5Tu2D zZK(;DZ_234atp9ru8O+JPsexhHc)!07y1(b{V)@L*x^#R0XdJB*1ACqoe^8p{dQI% zItxhmz24+cczzx`&fQP^KI98n<9Vy-wjrx!Use=5Xf&Al#A%OdHr=YgBYtFUZsV5j zXlPt)aBl1ha&|s0Dcup>o1<8?*LsZ6ED&ugJS8z_fhd()M(R3(KOqv+Hiu$?nN ztt)OeYF}jk%YHlBr)T|)EqLFx(3=p|tYw;Jn+JY8_xnjfU-Z4?@u+*UJ2W6Hb(Ca{649?n#v9 z%2SidDWxtb{R8gLcv|kyIXSu{5-Ii)~tMgrH5! zE_<4fZS0_AD)J8IK$oEotO!^Nd~K(ikKH7&o>MGpNunH0(DZ;=504DNk+#PigoZf!Ij3cLL2P0$viI}(0)}>}PpT}cEXu6Adz$BmAg@EAusHUobgg@Ho zAVlUo*oNMbkaQ}ztZ~K&Ngi{`34{TZbOr{`-I7-ZO7mods_iV7jAFR)S8uAXF248I zWT0=be?KdKUyyB5ZZxo^oy#eA+oE^fnwLX%R=4{a`fdk0R_j7ej+K&WPA^+MaG^x@ zNN_@n4Y$+&<7Ed8?tOE`GC--OytUG7>YN`AP{ME^ocsajJg+(?b@Z2Vj$Hq%sn zFd~J)JKAW#xFoZ6-zGua(Z|R^UDv!8@ml2QK-mYJMAf*=f`%DK)^EJys^OIliMY{|kKiS79W_~Ut5RhEE##~k9QhsVf0or@fllqZC1{XkXA%*2RrlFvC ze1w~r84~A?uHkF=kWwYKkB=+(d=fQ1kGv&V1!_o7QyU$%vue@)Wa`y12vt~iq%&`m z&n{1xQe`a8>`UFiU+aOcRW^{e`Rjgp=uwa@MS{j0$P45z20|{I7{co1zqM%1VI}gC zc5uaeb`)HV?|G_X?LUv#%>TY((ImIUU+utOkWw{4IK%d+m<5dgqMty^CUm(Oe`NN# zyk<(QZdu7}$@WEkJuaJo`(3j8?5?s-s1xDc=|6idp4eNz##5|}N>C;Pst{JvCUFy0 z_8WI4DYPhCeZ2NNdQG=CUC=RYFQgY!YGDnDcYsj@2#;d*3mcT6O2*n z+lz*O!RTwv!WG~wu-ZjqpGsOpKdh@#q3CRi{;l)7EAWn{*U z=2eNnyZmrP@qJZ!=feKkw;{XyZ3*SCQ#40}S$gHt;P;bQL-&Dd#&>!{#!cNQ=qZB* z=@y|#M3fPgB)}TcCIU|!DSla_sYTa?tW*v%b1i4Pi}P<{XBA=KtTSieDYn6lWl{Bg zXv2>+X-N)E4Ia4JJRoWExHkHtM&tX7?=|$p>67>F^|-3+4<92##kUy3GqjerE>azQ zLDSMww;j1jMS*60C2GZBezIfG#y*~c+jo+5^>*&R|-G_P; zxINB`%j?IU&>|4O>XYxi)5Ma!wg{2Y<;T%8VhYmq!%A(Ku%KS*3_XKbQP>~tF)LhEnk(0<<1ZP^u8EUmK1Grv$Y&v%=jOr z2EH}c7^^8Lc=zLf5(js&Q7yQR3tl7ojBu89fL;x z&%S$|TI>zd7>6=p_0iA;bNwHUNRk)o>4BsVy_WcJ1O~-_t6;R6!-N7=XXN}`;xJsi ztdilLh#10lT!FRA_b~I?PhsEN>G=meZ^bn*O%{Pgj61hB(xWv6J?1S{w`hx6XH+Z-gl>Gz{}nSDJs;(3rLn z9a*{bFV#JTyOGvR;#{5Z25ng+8`l+X5O=h6z|&_e4$aiA|EAWETG%RXnZljltW!Jo zt<5$R+pYBNl`GF)xs*ZLA^&ZuzZUz($>B36v93v!yIbt!{I<9c&U~_ubg;{Cu+6aJ z|F1goAj9Pab}=aAvBDSRUv8UPdJJEtGmFl6LRC`{Nae4bfG;DD-gKxP{7@bx460jDj#l@j~rLV0;m{yO4c?4E`-v*xf zM-rhAqEpYhRvv8RWemaJ z3;~0Xxvc6pEd|*LqeCRee#K;LfN zYm^qB$!E`>SMEyJ%ZToj#&BC#FNXjTx_-Lih#Q*n5FsXSBwj*U#+Yu7Qr6u5o(jhx zdFdW6Gx8(!h*7?V?lmFY(IKSU)<WSOdNt%~b1^4n1%~q1rAckUZE`!g2A<_(j|&1Fjr25j>kz z$Mp!a6WkLt7WGM_@N|Tw!u*ksRd;_j8?G7uNdH0vRxv2ZSZs?aMb@IfCY^h^xAYLs z87^X-gqclUT__1^wTeohGP|luKn<@x*63-b;wvqEc_e$*qtB82lvJs9m)91{h_!}> z%o_oSlnJ#g7&X6GpsC32E=x2@-~Lb7an!JtxQ~p}NBveww@0x_pM{dMVS+d;M%SXd zFhlfx79F*H_ur$q7c^|(0Ek>r`)JfnMaE(=_EeRoG;JNs4WMmC?1qnhEj;;|w^OeX z5-My_R`f6q{;p$8g$4jDFMXnksGXzTFB_jCS3vv70tKZp2TKSEGjh$aL+SkDS4v8W z`0AMQSU!_EroG1#>cp$}DCJ}2qu>yzt`1L)CQbF?{WM9I56yH!H}i8SkNK;c5JEbp zuZ5rC?SK^~f)26QBKn^6g%(t+G2oCz6H4FPbenGqYXV*Qfrl>sf$bDHpHlS3gic{xzgz|^Kx-ud1{Wn!eXK1*|L z0$WAQ2a&sqMmv;tuRNgG_HDEiLon2Id0a&$M<~*{nAa- zx>>nC@0Sfzl@>e*;rskvTB+{54-tdYZK+M1GJBj?<;VD1T4(EJjq9V+RjzAz!<(zqIRtkHNS;mX4Cc4O%IpMARBaOUZN_bOVtk7LS1i=Vdk>3b~7(!;v;xg zuXJnsSLyJAOI<5ALR`9XZ{mRW7K9ht>r-EuQWl?)ly!pHt`F*lZFCqCJXjS77!~#r z_UwfJc0AgktoOCtH%Yqgxb_t-e}f*WX9vIl0bdql0&-(#(MM0s1`6Xy^kD%Pl#p*!A<#o>%S^L5NC@XO82bemU{lWX-9 z`YB((vdI1vd2owWK~BYLzuRJ+-d@szbhzncQ9C7#-4EXMrxHqwabi#eVe+WZKog_oK_BC8m@P%1ix#g$l4%4)dtU zF8Gh? zAV~tcUbJ7PfC1Yn?~?Or6^x>|B6j8!f4^;r>G}Jz!jVn93Yn_CPO0@hb#HCx(|-eT zEe9d5{7p&WVH+L<^ptB_G{q&I2ITnZnsmYo?zjp1lmBe<2}T&5q<~Ym-l(7mpRb;< z`qy?v&|gT^a|XttZao@|eMMT4mZwA@A=8vdkfvOp*|_soBWFGIGc$)3Ratqq+przp zvNP>Ib~%igp46xt4di9c8fR_ZY{I-y-S16(`tuDHYnDwoFc!?{Vel#Q&QZ&&4FRat z<0c*za2%wN{_Av+--&>EUuDVW>YzTY;EA4A3f(o4h9n|*PU zW~#J@5Eiu}CS_a0!?5Vb&PeLC9k7RbsumW&v&W<6mH}SKU6d4l8IGZk>n;6}au=a2 zF5A-Tjw=uGCWV0fy=hG$3UcaCL6RP|AT#j{ccoS^?=pOorgi659ABJYf@yaw=-RoR|2BJ(1k`|k-MTUZ z8qS1V?qu-(x*)8^K2?Nv1L4Q*pAxpI_&hnIcPFHWazW41$93@dmx_6U7(*GvaFgwZ zD@Sq@ZX#$b@>q&4;bzsDK*O+P_fKb+$`6$fK$gD?>$RT*Y$xw6!83^Itn2O3$Awi~OTw>_(1xj{!R-|CnhK4#b)9xO?8 zDQE6i^0=(Sr+H$QmSsNOpB};sN`w8jsv?vYeXEPViGSbVM4p*evIgdJ#nWp} zIvrq6Th_T>mruuDFNFkiv?yzl?@1*M**5vM=|!yjB2NDyFaS1<&1bxb5fm-JkvRmz zIhQegI!($#HxVQ?ETgEwpfj$x`UN1>Vcx8Y!SH~&{bbWWqfL+P_OBY=QI5{4n97$D zQp+xF_s?Dqx@g0*J?irnW`gdRx4E~51MScj&I#6kNTV5an)$tP5KaaLY<_el^K}lc zU_@WEP2I&xi}_OAJ^tV(jEN4tX6#e8A6Og`7xhLHZmkm6;4$ru4Ef0QX8K1m^&;>c zg`s*56`*P}A0MC#!bzL+0EPbOQnSTot#2SD@p6jT0L&NCgkvE0O*NQ2lY-fwzt@6L zQ116aFj8aJ>s(KIsEd8%8BEh@Q6MLqM(SI`7_A&D&Yc1;4CY}a1ojP7c>#GO?&h7> zbMewYUB3_O^2)Ljh^McSjHmB@F2#qWzk*KHDERwX3|WZDc+PFB_exjbNnEr2j{p9F z%3SFvpN383n;_!b_u=K`5A64MBt5~^UeC|8dvvd7^JC_b)_r|r#$01US{3#~2i&tG zRttHnY3Vj?ebnxG^<4&J$JL#p>7H~NMyr1}(i?Nfc7m?g3v=hQ4BWk=#E&Dl?%kE* zd3c^kKf40G1N~;N;p|>(8xD@;X9-XIcdr`ZsLZ82zs*g5Vsnh# zgZmp$n^Ra76)T^&$2&vop=tVxH9C-zX}T#9y#`#9v(M;!J@KTp?q~VDc7>xQvI|U0 z9`haOfq-)fSTXS3pOnpXGCLoQT33%7&F-;LTDAV+e^>k}s;@J`;9go#$F^R-o?Z&K z9V6;>bnZ1|6ABt5?_PG8n`X!scREx$KUd}-N5QpMrP;*AdSkE%XZ*0NVhozsfTL~F z{JeU!+7{o{0!IM>(M|h*2ZoW@5Kyib@&6e<#gtZ=Ry)sB)xpD!HW;=rH0S+3#NW|r zN%qZs)DuoxQ_wl+Jb6%qBLzBc$LEJGWh)8BY{#en1wia5 z*{$^7@r5TuU?U5zZFbDU;B=9dI^*(hgk`n5?<#T^maP^(l*vS}5J?{+GFN#IJm(C4 z3DN01*Md`x$eKRpIh!&?7Q0|@dQAk6+^QBN><+47sA~gX3D{;>=LAcSH@{XG_L*~o zsZ0C(DYV!hDk4CgNwPQGs*BLwZO4KbAd#tsDyK!NMx$W|-=W6Nz>M&wDg@covFSmK zESnG@*=zLcEe3G;h=MT~WXfQ*kn|YOzcCHBrK8a~mt|H?Jo~t+a{1d6+*#m^2C{0E zecXQ+94Zi`uO6u$%Zzf(crka8RqY=ZvXi!DuSL@bblZZ9%HQr@YvbkdnAto?S^|o; zYD;;FL`oLjPYwcKTNE^-Ro`#6OxnLtS*OTLYL*C2>0;E^A~k-41o%${YjMSYvP*_U z4p4Djkis?UjR-w&!)jRsJuvd=#_6&mfzLP2LbW33S|6t6AZYgy^MR}Nv>6wzMgy~_ zT=01T2Q71NH2e%{;PGLZRIoGv{b&`g8 zFBWptxld)mOtgV}+KJpwHK|uBp#yIH-i=VN0I?`XB@YdAyws5??NX=Sz>>y3)yJP2 zb@&?vZA#E{Bx}}cR$`Dc@CS&d&r-K9_*!8Sr7>f(bce372{isQa0TX}`7QdZ7f%Ee zws+?RjkAA|K2|4!ikWa0$#pU^qM-JRLwB~PUCrU!Nacst=LmmCarSZ6bmBBJXY!^4 z_sMeqiz_^g!~rJk;Tj2NW$cR(5^Cm;I&-)`g~PY$t69D8v2mL*$R6$hLpiQX65%XZ zD$Rz%mN#R`vmCtpI*1=U!vKWMd^_qVSo9@wm{UUN2Xzx_8rtC?OFOzEyi&e)GGX;$ z4hJ8kZ$T-3&rA!umK}TP37lnUFlgdrwxO%`gqD9zj0*t&B$XW`Oj^!27cWbf789d0 zD#LB2sBbL22`=ftOQ}`=kg*{P19-qNFy4&mcojIRnHZ=twh(D&Gy`^t=F2Y|7rD(@ zv}QH)=b$HtvQo=PWT-(CRS&&)Z3wz9M=NQf$UCMK{|8P8f9tPU-4s%;x_U)6UYfKG zt@*HfkzT(g##OVpF;B}iO;xQICXI@#OlsK3b>vXhY>#j*4E`4X90FU(8XZ)x0rcID zaNQ2E-F{ThDk>5O+qY`_c^anEi(T1jima+`1-JOD-T=IBdGHH9u96Qrw>-5f)>`5t zl;z}-YfxZ$kXoA0v$>f+)3`y3M@YMYlcY!|3%r8I-tdnDPN^+(fdwA5n!{LPu(bg9 zOW#e*te_b$GAnSK=8Xun$m;k8nrpE+5kf++oaA`*PRx_#ksB)Hv+}N8!^!>~KtZUW z-Vsak0OnSP(|YMTb!oF+Igh0waDQ8Ozu=B&0AR^dB0BH-|6&Ed6o`MYf<_U*Czz+S zSJShkl3hN<_mi^j zty`Dv6%iTT1PdkxONUdyubNSFn$?5Ud}z+6?eMNS;_5{MAE zD%%HsOC7U4nrldrIQeXuZpF>-7TL&k3Pm)qSo)S*9t8%ejwZXaT|q<(|6|e&GQt(t zq9r*9R!zpi3{mFz%ES>8#AkE0`ZI=X?o)!(gfrQdx|bOBWCUJS)FW{oD?nKc01Kz*DbkJ+3;K06gFU3%9p9;%~q!Jz`ub1=I?vRXHFLg zZs~iW8HK5QYEBc;t)@XqIEnoa9x$UWmu9$)oZ%Jpo%_P-1uLuYkc#%CBbqlTFXiet z^5*2`aD)L)*ZnN$!$KDtDnqv?fq;MXu_O>ykiBH*DP-vK&fTl1?b+rA*gAq~1G659 zEuH&sYS@X$RGEl_c4<6<=FJ?AM`tY`UH`9*&JB8LenYJ*x!)8n)WAV4X_oHC{$kRu zH|fj~;g{(x>4dG?KvK{F_~%(qB^n_=ERgE4!KgaCW~%tm0*Nk|h4%^T&hlq=?$(Gi zRN zg!9ETLB(|Nz<^Z$qa80Ltit{q14gMq`$oMd*+sH{4P$mEFWT{~M19sK`Q)?O&uRfj zo|^Lt- zTx;9%G$1keiTSEOc)K^@zH^_4qR?+QQCL@DbyUq+mSPW{-7*@B1exmC;vZn!dOy(9 z?l+#_?cweKJ;M2m-$>X9_eamOG9R(LNb|U$t(Uj^N9n0Y6lKl9!lHyK&L=Q2X(MNtLdW(#vgNUh9Q;uF%212{fF1Tu7t45?d zm{FXb zH;zC*ft53?W|`M7(I@f?3h`igz(_uBTC1D zNhlv&RyhSpR_@Bj)t)K6_q^0!8F1W-geM$QyvCefqK@5l$^JYcis7BtHLrio!f4)o0S2HFXu5XOg5DHZvCErnWb-bM4Ux+EKxMPcBtrl>f_& za|25kwZ$s0!oG71Q@G#*06DF6BWMc=85L|U&k!*y2)uUgDc|AF{g>zs+p!>O1f)Jo zPDGhnR`q3%avzf&SC&y|8RB{-;Iw1IUl)7THW@nrv{Vr!AgN0DB=B`Nwe_7-Zr}ao z>5NV3Ikq?VRkNTaLds@}56NoM{N323d*-57r{%)9$oBL^!U5+~6;V>PO*$tXjF|2|~?9aUGIwEXoRz-}tJw zUeOk$F|Tb$TC9~CenTO=KxI=hK2%@zYpO{K5KU3^m!tFYgvk;CrA@gCrTP@T6EiXs z?Y_lPrc8&xm{mO)$5HE~%n5IHS1V9%3WW+bVIhq;r)}Z*-&Z@)-fAas1+`=&k`Oi& zA+BhbUI{OA=@Ue}*5d6zMWi%?9BI_iSi}#2Q`LCX$$#IY>hsO@&7*JjP_huI2@*P? zB07^9FH6Ll7q?~D`F1n*hh5Bts`yWomWgngA&Dc?F{SLwHO+N5$rjRk!j`*T*J5x7 z@4WStQkn8Z$Ge98+?n(aWZCiTpR>=%DA`%bXGmy3S>nH(+@A1)qdk>lAkefUCwB zcjW<|+8udlGEY>j4zW;EMEhfp%hDBFHNLzR>kHsp6-NTDZH&5;MMXwvuk-_>-Zf}kKn_R>s9_^_p$GM?4jlR`TO&}$J^J>{<|-C z`1|c~tj6yx6@k|#?5zbu+x-W9xPZX?7)+C%^pEfpIwdQ}i&d`Pob6tTmJBSx?~@f- z(z`F=$k)-$@te(!!?WH%QtcKn<%LUkO{x{l6{R$-#OK>M?XAkQA$=5XipQ6BYzMBF zrW3Zc(BEqyYGFXeI#fcJl8l*`2+sY?#R6Oaq%^S*UEP01 zGrU?>o_w3KLS9fr*&L!&m8x}IkeSpNBxfKk_7gJWHUA3SoqTz9CVY|KvQ}`y2N<}4 zIfjgT8|?Qr8!$4TnyrR(+}9L8pdll<)S+}%C#meIz(M`6o1~xtEyj>lmbhjLZ8o-Y z(vCI*Ywq%Vvh2`Ek#@xNbAuvAP&?!A9z@d0Lvi!&whSYO5gD3S7WYq8qhug@l9YjH zCgUG$kZ24`L5k>LW%P_)X#WMev?jtoP};g?HlR(9Q!u!GWFg_opD*9^zQ&`U>RePn z=FVhK{2EyIa$4kCr6KII{-W1Wb7(Af=r97oWk5wZ!0w;l>qv2`!g~bafZDK~Nda3v za;gi@=WHMUQ*76>60`9S1u0M4u~4-Z`Z08&r65${C^prZR4e=TQcRzNb>6a|618O z&y$-tKP;w(B@Psf?am$U?m~ZD^RHvp9sczzHpmh#vQ_@PipiF85qUVTI`$MfP<>-V zXSc;iB+t)tW(U3I4#aO1VW%$;SFzQLG>4DI&q|gtAw7wabsR~WB`MRNP)iQ9w8dHE zLNMLP=89c#tm)mTYtP0p8VJ$%JFOVvH}6e$b9C99*zN$9C^Zw1PbTb-{>V~OKBx>K zKx-Njdh;lg!Zd6O{iUEf>yX+IJQ30msFfF`#ZM5Vzg_CelUh;9!~u$(l13~N?sM2Y z_E)SqR0@Bgp0trdNvw2jG-R=QC(E;}-k4+;1#V?niN_~fjx2GRa>KEHbfUC0ow&W$ z5}6+k7mwnA1PIgF*s1RvrPph{xSNu2+Z9mW#IV0i`JoT&^j3wGk!0}wCC#g7PkCWoj&1*i)_L!|Q46D!u(1I0^i@ zNagygr6yANst$i|vu`oP)2G>*g#_io$DjictT^LkxUE*Aj4US#!$PR~VFV+5=?XoR zXs0Z#p~COrB?&ZHW(7axd#iGeu3(uN5!h=AJRS__g9-jx!$!{*l=@de$OY*H@zzmI zhhQ!?%#>v*t)Gfh9bXN>Y98qby+({3l(Wnyj0O`-EleeAo=-!SmKn4DubE0326%`? zG`bF7ds!Tz;``=hV#Kfel7%q9AS_&IeEHpEnCJK z9&vB*he6H(uk{^oRu3aEvw=Tw*~mE<__jy7!mr%JsQ6) zyH>>G9Y02gV8O;+SC|;z(aMtG;LM%4N-~L;Q}OeI#pXp{9d8=_f=)+qHyqfv2Ez$k z;|z6k7*RD>k%@+9MVSba8|Y+imDD$zaTcXgf~#~pM;a5Flf^#FC%Ys6pe0Vh6bIoq zMh4d;&AlZmc^yyw;<9DXkQzHO6?!5uHpz%cYqF2<=|nt!ZgX`f~O-okVG`4`JJW$iuVXrpuHX6u&kZ1N^x zr8oO5F~+^@xb@DgT zoDC%_DmDP+@5gQK*h9~3f)!(rVVHI&?X5Q2>x~qb)i&B?gw1JNkK^Xf|5du#O-zk& zw;X!@7`@0${~wF(kLJhgr^Amqd;RYJ^ZS3)8>&GjT! zl=~S>{bzKUFUU698FcW$+_%pZ>NmM2rtv-pvA7dtC8eNGxNm0`7l;*XCA&fXUvTCh z9>kruc=In$al`x^!yF&;ftc4q7}tYn^maFrs4AWPs4Wl$?#2?g)Z&7xu5&H_P6M`H zSz?^XNE3T_UR+?F?W($!y*uTief_?jXrY`vKh){LSewgczO#G(cJ$NBR@sD&ON5U_ zk&DV5OZ^1mEOJReg9{#Viu;;NIs<0ZO#3G$_qguANjLn96eP!uXB_~kMX;D6MfeC@Vc#RdyTmMoKE)7K5H(O)xC#A z$jEsy)#m~Wi=uG$xq5TH^z4ol;OVGHt&8h`Pe6D3Fs`k*`HNe&_uH`J1Cdl?_=teu zcjaLEF<+J2wH<=0*Y^)Ct!kn@93#(Bh%80vJm+qP}nw(X>1S8O}k*|96CbiQ+1qp$jI{eV5zUSrPZeP^9ysVIy2kTLBS zrNGK?aY_0ytd|QLUp{{>zc(v|Lwx*~ud{RMKka&oUpWAV{;mszmZauYHTqWCE7>vv zLLt={5*A+VhvaExAo~0!TNJHKG31OD1T(!)Vbsm6&PTwDzJMp+&X>8$jeGwy;c(Wq zO!}V%u=}UA<9~jv(eE#loX8iUKeDSha4%0v7A$o>apT0_^HRAOH$DmD+Q&DMYZnpY zezcTM;tOl4I98knyj;_H$Xg{}E|f4ANz6WO($u_;a^3BTPCWyf_5d;ob{OUDa{?Ou zhw8%x2RDAf(vHo0`MtA!-El!}FEc*48Y=8wImGS#96&*)DEot@IP*gAr>D+k2h_j~ z5p1+!$31fz8v8z2BE^DeAfGC+XSMVQMuMer8V6Jv@tQ5eu7+CKOPNB8X4?13##k^l zvvxncL&KBGctc%W`sxH?yM}a!>ZHpm3{L&xH-db9a`oF=6y>FV4$L4LqN5HbshgmQ zgD|lVqT8xMBe*zbW37QpqNhw@eI-gswT1)cY89qPd6$|HL+Vu!lS(dhKa*9ihz`}F zVyl&W#<-g)t|%_Uk|hRPoSEFwT-~Qxs6ErUVDL!A%vjp7mV%S%il~9AD}%}Kk#S`G z3!>3`zu1@PWYpc`f6{FDOBj}STdrWrs+(+EAp+n$l_~2GKy6wJ*J9`Gt+As{Vk^{l zd>QVIWoKRfTa_@OI-)FnXh6y)Z)m`GT_y^QCU?aJGD<|{5GqJz26o! zcry(EV?>1iZ)j-1$xyJy<0M~3huQVLSl<01p}_8i!wmuVOx-yWLx#ec$cFblH3>N6 zo63$X2cQUhMw@OZmGV-maqhX80SvW$PHX(9!ZvfV*AzuD^~!?w-zEu@_YcLn+SYY1 zmG%0pm7Avg3QqrcSYJu*pn%2H6SOepbXp48eC8y;Fi3c}nkfQOp^Jm<~O~y@%GNyyC z2m3Xx&HBuMzaQIfcRWJHSvvhgPwBLAwPc#|>}O$ciH5>l9@Hhs*s=K_NaXat(;Fj` z!t!FswBJ{oBKJ>C^U`0|5r)U`@LXuh&Z7c=rO+kjf_E{kHJMgp|I!_^CF|2pGMpJW z!Zg?c>k~SowPn2f5_zUX$Im@DA6hs3kb;Z&4+N<$WNAagq-4QpyfNj>CfMETzZLbr z6ATF6t2vzI{+!`936^?3XpCba5c*N#Yq9fM?1Aj*p# zn#C2#ki<-#cOqx=w)bbI|H81jSvj|jnHmlAx)a%^&=duAPN)ut3_ z0n=h29o-l=9XpLi>N=3ZU--r0Kq_M5|Fq1jd6Y{r87uBENeIQY{1Tktv8E<};rcdH zdEmg~E%M_nT`Kv6&X^g*C(?$I-ILW@@e4I#7hi%&mT!oI&T0I17&%4Ma z*OSN91?+$294Ww02mc@xUG?=|?3A!hqqS-mWl#5lrBzw<8D#VA3F|I%HV5A-?^`^t z?_bk-tEV@F9bWChI#irB$UY4F$})-JsPF_oSX}9IlzWtUQyO_+xYP>XK5sRWudmV! zNuPUw{<JJqkGn8!m-*|48g@9oBvkS?zVOP(DhEPmOYphxg zGlsP#NX@*8KGhDDt#%TMe*znlo_(TzH9aV=t=uiY#i?$#Z%2L7LUfhCN<(A4s&~n2 zq#XmR@#QLA+n6xhj1*xHApq?B9ZfqS(Xr_{Np40;>_@_2rJE-yF6&VZ`S}_-TPi(5 zTk5hI`L2$`i|h=qyz~~;Q^ecp5{10O(q?sF?0fv`ShI3>$Kks6)F5eXMp$Y>h|Kl@06?FhNeM2f-X;Pk5W#Nh5&o(j(A?26ci zfkUL0@&BgarfW6Z{#G zsD<{RTS$;<(`zg4x%i8PVq0Q^Yr~CH&yn zW`nmSh7jM~QXA|dKp{HL4||SByGEno-Yp({-AnxD6WNhmtwse+ZWvk1O{li&y2FS& z_m>p!tDY)r*@Yjc7=jVMsx6Zv@i0pmOeWf@mkh>)f4iv*wX$D^>i%tGHbodOQt4P? zKeLNv$8vFzMxpz96d3qZsX!M=nCG^JE)Yqt6ddBhF5V|E$z6mdZ%fCqs^!OsXDwba z$-ut*8LnRC11D9b=5f64o5kd&gU$Z?&BNle8uRHj859116K9PAeP=%PqcG1|w=a|< z)om581uRyQPQ9al!X$P30{4sR404+L$wg6<5X47y?eZK?RQtZ6E{f~ZdZPzCpou?e z#2WDqye5iGNfx9Q%t$s4FAB(r4!zpaQB^@P-$+D6NF@AAIn|tqPMWU_c@*7oyGandUI^q z1MhXj4G^WaWIfq0-kNs&;^bg9h{hu9`SfScQ;jM`ZMg|O_6v#`}%6T2L>zVa<} zpn(KQn}|F;T}9%3jI=V;>wG;{>FZX5TQg1=UKrCGk|<@@lTLhUDm}{>BaB(- zlk71D&0Vf5`eA~%=~E)}46#|UyXx?yJhEK2dr9J9*xGZ6;F53aFV)NOnkE_8^eHi0 zcC*S3We{EOJSOY?jUHfej+z&S=;Q?f*h!zG6>=2&*R{2 zZfMdaIojqe9{X1NgPvbKjxKS`Mm0c8{MZ$Ov^Auw;1YJYVNZFt9Y$95HftzX=r zBhFwYVvzUH5}{)nt(~TiAn488ZUyxwu3FW&MQ1{@h6lc&I@q|T|6@5 z$6-{<0r^6qKW)n^f+w+x0}ZZS)18oSOyb!gPvya&m>Z1vC#$4jEY?C~+@2zJ6&7%3 zRsv&PjttpF5@<$HpWDjU1drRu*QJNMl^!8NC}B9#=OahS7+n6K(KDX~uJyOq6mnxL zqlMn2v%|CzZoF;L%A(t*GqfsbN1E;ThE9%_%Pwmn`7T|i7p{Sq0pBi)QrZsKK(X$0 z^BiTO76J3&O8*CO3}j$O6*2X-52lBdwVIyy&7=& z%h-i1V25njmLiF|3hGM7dMH>t>7P%E8{-62Jo=|?ts=tug7DCC2pbgqIhn~1Pug(T zue$~8$C78(VHh{|*2`;Z3)OK|g04lKVNp72*K&`!k461X4 zOX9~P?#OT~3tJlG#)TZqR51+rC6FfK*DX{oG35Z#@7;LYO_}pqo#spaF4_ezpxIqU z4jcY@yvcV+B4I#d9bj z+6J!d5;7s?*^JZ_WsOxAG#(l1Fh-mxEO5&yM0hcE)htX~_-~s{<4|Hn+dVI*gO4-( zy|67wCx3|0OU7ZdL!J50ZX93E9YHAlLwG_zQ3COXA_HODLDxj|e07WmWc zR|y$XWZ!9sjP8Ib%llOAO~4gILjmQ>X@>QK1``j2iK1Dw(MoRplHRmen>!&h8J`T4+-X4#MUplRUsFfvwT-16@> z9X=+$hxXl|g>=7PXjuL^UmPSUwh<9cX?+A-{|Y3 zVD{WD!Ns-#!pH+=a*ME-B!o_+u#~&n7Jqo8D{EsmaV8`f95AMY-*O)316DR4v!+}jdrXCvG#LO}aSD!+S0m@6G8}u^Hh>iGHv443 zNst@CKXTFkVD6ZHcUU9T1!E`P!G=ehv^jQf!>aijr9arTmFzZSYywS9Rx!R&k-LLr zfLbOU6-7q*6GpIG4O3j;dD~$|Oe%kAgL5Fi@G}MIQU2=e${8*K#wc-#7%f4S-Q57IkL;+<|*nxoK@dKpoq&ub9;;BNz9ZA zbW-_!r=S#c)KLxAT!Ef$q3-$?jHQB|Ou&qlH5xWCQ_fN#Yzzh`4_Qri=`IJGdeL(l zOZ@W_M;#->vO})J6YX&IqP&Gpj8cR=BEtBVDc|^3hV4IL^fNkx`(i_<$}PL`I87KN zkU%B!t<0CQNICPUA}K;Gs&15xB|@!tnBgPS-bP7KksbRa0ZE4142ao;+58hiRSBJ; z3UK~x&&q?{t0`V&A;RYB)i&R~iPB=mw)l6+m|};T*d*=E<`B}PBKmwccq1g10d%-* zGWLbo`G5N3{(!EwesIxwY>GI;p6GMo}U4&Y@8HH#dtsv-K=^c z`I=uNjxPfAmIIzd;8t1=9+|}8oC5QzfdYoM!u^=-G;JF<%H5k7>(A;2 zHZ*Jayt?5w@`A`t%?xeVs@&gI^g1YbhnLJ4C4Yz(kUbWb?V3q{4coVV-$Qb2TCS=| z)(IqOCaC7raN{m)OQ$mO#L#$6UFArlU4o%?g6Im_WW13fwP)+C2q8CHGm>V&w$=jf zz*&}<(s1qj-G17iUk3BFLNc?gT^DI@v_N43L0#(0T14~BZDjg$N8ht)lVCXUl z*u42V`<&{wnmVP-l32UhK!|r>v3HD9_NA0F(~X67ZXI=tf7QQa)t*N|Z3=D_Va~$` z#({)U$&3IdMAa#lDTM5(IH0v*B17^!CGW1fj+1-;-Yw>V_YJjiV*|ob`MDkp3B}p^ z3=%WNez6)>%yThd`#_5>C!Fi&OhEorFm&rTks_7V#&tofrm+j;jcsI(0bd2)?+f%>Xacu5LG||_Y5qe`46i^acrmd~JLF*>0aj{05`Z7hW)-J%vt8SU%zFAjK zO;r_BOZS_#(nMFQS>!6(GpD$sR@ISIh^WUj=hD(bKbH<*n@?Was~%)7l7d8*KxPB&$rW!Gp%Ew~lf|raj9=J~k^~ zEe4~4^WNh`j@4781$5=~UNp)+nhFYGa@6TE$w6h)#2(yCh3`g+aIE|cu`E`>v$D0| zmm7xcdKkUgziN{)n2ru*z}m!CS`iZgFJzgirKqQ4VNOmTM7@HFkQ3|R&3#zHnc3qY zO?~#7FuP>dfecYvpicW@Lavpw)Kqx&p8wbaNzrdtSGA4sr3Y^-SSh|8orizuT}AN( zMP+{AYp1aX7c(o4iwcO1`ia5OK;R!Nd6k&OcVr0}YCUM{_t^$pM{ff2In*w48_hGSw+ zSD)|44|7s0J%0BHg8~N=UeMqMd;JaZicjVjj^PN)-dLgZv~*|YGHbd_?1p{6%31w4 zL5JHuS5lBUq%VGHBD9_G04JpKe%3&_v)PkR%EphAac5`ml8@h>`TH=*kLNF=Ev%@F z1Oapn3V)*)lpdxeU%N`wkpl@~JI(hc_vhvWA`E(>D3~2`Kz;vlZ-kWbRj;mIznGkL zI7B{3E6lia$Ui38tA5PQWWT)N@eT(>$ZA_j;w5|n)(AQvz=qd!00S#c{;2dryd`2fqHb*u}NrU0O^DWfZlGrwMdF@pmibCb~dH z{neR!ikzrH7tG;h-~dQ)8>Ns=a)!t#1s8#_rO0J}lCdqlPPQwp3Ac~cfiTQ4H9 z58B3hSwOQwC2Cg6PlTL$NjccGcf4FfMK~pQ0o%DGJ^9LKj4=G7E(5`%ax%!yc!I2G z#&5yS=b(9$v=ymLvh;GitALs4StL+ojhgAP21ucneG~8DjrK3Z^6J0EQ8={e+73tf zrVYQ5^Y`LNjFE1uQM|>WIGkr~jok(ZM>}ehqEFW>Ef`+lLYc}|065m^`ZetSN(5X@ zm=S2l=DmH}e=>dB`g;HR_xe4O?(g{8S2zmzd@~L44Bp+rukL-Hq;lPvgjVB=4DQv; zir~>j0Vy#~Zz5C`sr!PUaJLS_4%^l+SM3*uZ{XsP<_-C(+9bF$5WHL86{ZI8U+33lVz(x_E1L3%&k_s7p$QErt zlu@ajcVrxAyt%kZ{8B_Z^zIq<9H8AdFODQ8{v|b_MlG&BGKM^9u3{k}{y?-`#k!Wc4eE z2hNX|_f5*{T=WP*m?J)h%1n`K9TZ1fQ$WWwOj|V*sq?F?+HT5AS#yG!_xt1zzJ7GV z|HcrWUR&?~QdU^rf`&de3&UA6J40igytlDVKqq%0xt{J0rPLDlD2e%C zvh^9?r4s8CozlpP1;K8)%I^VJ1OIO(69mFpSdH$S^~!4*dX|Z4TWsB1=V|I0im*1( z$tL8wTdXU5j1ecKVNyUs+MW$9Qg$wz8YbUomTqgP2A}Aq4aX0IY)eQO@Y)H7=I@xD zDA@e>yEz14)^r}*X5%`@w~{K0!53vERH3oLyDCw)8Ni87lEe(v^S@LE4e>)9f*SiX z&Qazy1%sQ1L#gV&Kk+?t?ThXRd0SfQ!}uJ>DT7zRDtV%L$^klud8z1)jZ`?m6jxHXi9%p4igI__sX;0+Yp)*TLU=eH7#=cI^HME@4zjGFyjb zM@VAstHw*I)GVjL224kuj3y1tX^IM|Pkv{>)BXY`HZuF_TNuksA6Q6yl9^fL#Qtn@ zj`Ht9tNug@vb1LLw3!D@q7~}=3O&1w?)%x>m|v%x+{cwBAu*1`IEBLl@av&NeD2?P z_mM(lBJC@bdA@1}I5#_Yh04!yK=as&$YlewU3vpP&6M-5&Kr=P`cXDEKUC}cIOzAFeuIDrFk;SUhyb}1E>`b+3PmOMB*;G4pe>^@5Sidt# zRC#QuPpmJ=Cz6=LwZPhV&3AWL^_|%TNtIv0grWe+Y5tjO?H56{G!)izUaOxp7HtoPQT>;$ zB#58HC2*=pZB;?7zlR&TykL|awa7HkcrZPgd`*^g)RN(F&>W>#+^|_b8XSsC=}n`zWxHTj46r(qkHhjNSYt8*$U};ShUc(0 z)?x{~fy&}(@_U0rrz^5Trw>HVfTlpFKds*NWePNI55W|_W1IgNMCD35Fh`-gm;pvG zCmFs%z>{mXn==fe8nX?uSn>?A{9!ge=PWVQa(MSuO!<+HWTH9PZ1?aZT`rEUJiSeh zUULYZ;cZ6|P+*5+&n{SIu9IT|RUR;)8DhpIbr*Or_IugpH?zYNo>L=)yj_4M zh*nPGcAAp}Qs4MU$cYKd&fO_-b;FI)%P#O}%!b2Bf77>a}_MpY0V5!jOy?{3t2M;#*=Ytc`C-swDhk!P^9 z!GDgi6YEPlNNgRN!D{wLwq5hCLG1Q&OO~7xaAo4QwL7C(od02wBMIHbVF~vdc7p z+CqJo6(fhK@9XWxr!g53k>VKBk2KlYO12g4o|AgfrFwQA9kt)Rum?mydVkHwJ|Hhe zu>mej81D0SI>eyDK9zA*BOwT>dO@kizvZQ0i1^=|4dqcLGHHrXM4;k*B70bbL*MRb8=EjzznXoIQr@|J6cG)MFL=7oU%dY))*20atk? z{QxBgojY&N3&N`fRWc}f)+IW9qZ#U%M<)rVp$E#U02E=_(_R0-Lp5|OfO{$SD-=0N zPPBlZPD%};um~EXb=4n~$y(K(8_id0+ z=A$$VrGY8I__iEu`3QW>UqYpVeAq$G*ce?jSS*%qJ-k2WVkf$dW%lsT)frGfCZuku zot4X57u&+8-NjRfoG$9Q@;knpJkvsm;{I_iEk#qjgH~j+4qDnfF(R_!+MF+%Y??Ut zZ+*IwO$py;vJ2lxnADjrb|4NBv#+5BDM|OMq|RjyB7s?KE7J(5Ucj%GQNwd5+d8n!sS#rYtk!>{SKfn=?W0dp`-?rOJ~KuGbK8? zhfDr2^!k9^&8>BK3{?Rq_zCEG)|USh<(smr z-q>Q)xZPahbimuE|ZnrTzB)g)cc?38l-MKs@E<$L^JUzP!>P;%JO zBo`!FH^8MZ66c5EJLqQYh2VdgkYsvesVewE=~Da82hcP}irg+uE*YO~f|HbM?V->h zZK@i#$vT_#1b2kc`-?n5I8kDUd0+_)aG7qVd|O+siJDZ*g0mH4B_x$TkM33tG?aoG z5l`N;Bpr3g&$db@uhGt~^83mzsENT$su|}&z%8lT4QFrtvKAS@HL`xUw_bSCqM&zA5GWe>`4{Q>jXi?GUTU4?e4;9 za!JXr`}FM!MQTg`QR0UbNg*hipV+`$N&?HE|61f~UX>j@4Y;z0cn$6Fhd=TY1&GvL ze8Ijk8KDoq?<2tIVLFCcb_a>nTwYoFQ5&{~|O8 zeoo^6P({J`Gs19?KWv^qiR>`ELPI=O_my(Dq&CVjx;{0uLNc8|tlLG|?SW4te0I}j z&UZzjOVLN=0XKTWSQQglS71W~Rd+kmyp@s4d}XDE0;6X8#cI~KVl{r5fTR(y>9F~f zlEM=U+ZxDMvTAZibgZ4;_9nb>V>Y6k?NYSx{PgR6?Z#5t-%_E$!ua-0=#$2qxyo+u z0L+ZT>ZjlwgSfw0-RA3eTcdc+%iTe0ZZi3I7Z-Q! z6X1UG6{d0@u(IS*0m>W5+!fT@P=zfhWeLBm+FH2Sq30v{n;%pA+~5j%1Sbr1>$v5O z?ZEZVnZMF1!kgm)`5%THb=Gn6NlX3PN?FVNTFF^d_p77ZFzLrP0)JP?&hvXxM!`s{=;Kw-8%n2=$QNc|3$}Wk}Lm*j`^Rs_0B8C72(n*-@+o zpY@wP`XF#&U}979^^Vuutzw0QJ=N}4XAX0ixp3w|Lgw<9lq2-&>~eyWS=dm^q*gLT zE23u?7*x{yDan4q<+cnbiSKMO=B=`iIaKq2e(%jITPOJzTWJfTNfLA6)t6uecMUm? zY9o25IEeVcP}RqusU}9O>4FpF{SVF|llz_j$mMO0=KeuVnlfent@1V+axZ1d8PY4W zR?dN2OH4gc%aTq8JC!UfHF=0}KQxzx>1oT}d&Ra7DIY(QthPs;z9BZfHKNH>=}rMr zQm*iSAnjX$pC9@n>s{34a0IrlRmnPFL2+#U*rR_(!Bq2DUT@cICt&xmhH?)2tgQ3O^;_Vh2l$`GC0OqN2ric zY!OIm4MDi{+yc<>BfpsPB4TfI}TMlnq2vU`|# zT6S8SMX#ZCvsx0t0@0aw)flV-)rIjofcquV_HEC0kJ(&AVah`p<-8TPxINz5`Gm4| zjLV$G(JMjJ{T-^KWgJYavT8h3+q@(Z0E8_030CO@HXV?$lMa*~;jif_q2U`&{GP%kIwA_Pi4DjaN$A??8zozpmFhN&bNL20ftdX`A0guqvyE*@|_YWE%pon1CLFnVBRQj{$Tti*=w+h?!@44qY@*rl8lR{co!Hi~GGW!<~a^A6Dk^pBR zQ{DOla<6Dt`4t!6db_g&&$v(M9USq@R^j`I`M?3n5D0nMAHfgdFca?`OX-R*By(S_ zd1)E~@Z?z?j3qqH)J2R`&OKhdjtyesZXCt-W8(?_7IZo(@g5c-Jb!xIhs@<*g~H`r z#EIZ$94*XxzBBC-KNo*9fO5x5SyvQZ(`x&o6rh2ttK>x64DhDjHLFo}3e3i5zmC?! z4iR0kf^c%a#4Et-%#;@yGhaGpDi$;ie5?81McY{ zqWH8nx08?hriyA5b)Vj!g>NRkEtcYLmV&*dPPY}67Sfk6oFnvIQxjZJl4r)LFE<`& z=d&nF%P}fV`9x)U^5Be61{P2BZqy!lM`W`P`i%eUhzDa1;%@v@B|c8@>4F_QD^uZ?QQ;6*xz!1P26_z zmo@I4?B+D%TGl1}+*e`!AVy#L0hW7(zrsUuR%>DZV@1p6L5Nv(PQFR6y5ya`A^8Qf zS=r>8s_9*A?AWeo=I?#K&Q?a<#9T(JvEfl}lWLcus)WhCIOIvEJM0OSjUA^E23Hc( zK~@H=^|f2fSFJ3qdUE+HOSNrvU*_T*<=61T!G5tEe~+b4B+0+QR&bmYrHng(^__7HwFF zGq5~^!55g!RZ_7|Hf@Z)e}I3u1+o^K(+YuM{b6%DYKbFrs0i}OwMZwg8dA!xJ-x1f zBo`TL={JD#M}ID_u4F}JhgOnh?H~s-#d=Aa4^UFbeSKHng*-xhfA!!*Tgy}YW(Z@1wa;~^FYoH_HAA(D}vow;8s^Pp07 zi8S;#b>;K$tI?3x!c?1u2b#!236&*aK@*YjNGydeF_?q%B=K9Jy|{XzH>gLT&!HcL2r+;mBg1})R1-+eBI`(taBm@xL0`l@ zVIU-a6YB_&!rcdglK5mWQNfTTO1BnG(e@R;WsO^n7FD1;Z7@`)d+_TpN(I=mYINj> zDLBct4H+9Q26Q}oRL!d6x_RjEdDw3uw9PZ?*`3@+PfWBZ6MIbH@ai|3Xi7OvDM

?)eHy*S7#$zC(iE~oo6}2`NM<$t}M;EGACD#UmK0TiAYP`z@@1lSo zyHaAdhQ17r;kyg8#5kWa^rB){K_o@TKXs7U_e*p+s}17ug(q#fMkT^Qz^;mhauf=7 zg6AaKhU}w}G<4AW7jku=j5acjDe-C* z*sxIj#Os>k7IY-A>N?=)blOci4!(9G?w>cGB$8}Sc_Xyt-cEOZ{$`8GCklTAznG#GPblvoCvwl&+5vs9BgdMe8N>4nGaKpy&# zJB4bEFo8DlQmPvh7I{uZfi1gN3VN9L&B3wfFYaK@AY8G@4=HBrd_yVCnX_}sZ9f`< zfyuo>#GeJr!U~i${Mh~uS74al%9F!a{x!}Yr@0Ay{c;)@e=8}k3y5&dntTM?35<9k z8J_|ryJFz_Y98YjPw4PCBPA$qtJ;=|>2UUqW4HMBDuw)^hrrZg*Ky%Q* zn{tW~ATfwiK$ysk!wi?Ao46tEn5rRdl7u{$MX=b*wcnEchfuQ&eE+@1%x!)1u^+<+ zVKkP&>90YVCHQ@-+T<`3#V1dueLQ7d;_q_Lq};Wz>Q(YW7&EVxT>iT!^B8AV3g{|K@)m9f?~ zKUpNZ3u7ixCM3!K1lfFfkJElDhX2yjmdtu{gQk{LQ-nIl${3j4Uhi*z$kd;pd4EDJ zc?+e~o5!8-kUD}Mf!Ov4@`wx!alque56qIIv~qGWCpD%_sO>Ti6npct+R!Oqgl|Ch zAW8=qhc4L1-iu<5_OSikGC!~JWWMv(9}Kz+TCnv!mxKOi`UiIkVxi~=O%`L^{J^yf zBF))IsocX^!q3#^aU}|Br7RFm-`zpF-!HQgz$O!ho@PS}abeCJCkS8%ehac)v;PE{ z@wXs5%Ws}tv5JewipX5ERd4>mjVDQ4GHLl`|_`-_6RRQv#ONO}0f zb>&)hJsV83a2dLKS1iY)ElwW+LUH zG5`{^k&Ec6P1mnMt(7i0$d9gG6rHvh^nD0Wj*g+VA;e*YcBg!C)leryDMAP_ZeXj{ zVE>AjBVf9QR-Iv~+E~hV-EKNg)9D+KaggWazK|=pnnf{?BEh5Y1magm*8U7VaH7%2 zE)A?Va%dFD?hym$M!}dtt8(OpUTI1%J&MPc`?c(N)4oEGStmN0(Y~VJb!0Y;j#vaH+g8X;k(m{gX_%&+*af48bB&j|b1pwP833)3 z#+}q&$fw!OP|x6Yp2t>TMq8Pds4gFBn$fR%B?bd=SUqbo=cScZ^WkZT_UC%DM5=fQ(&vyq)v`uxs1h%vs%X0VtKw| z$3kOH?K9HvTq72`Eh&gcl`H6LIsyevp;T{X5xI*y5Y&XHY3lE&8|-K_Dh|YtB7Z=$ z8xX<_-C+C=A6qq&t;f;U0uILjN>0(inaPYWomsZ5(!s=Z8k5P zB)n5Ad>vcb9CI_4ABiK(%4FM|+YL1OQWqYt8$F7lCw+7Aqu zfjv33&56#)FE2m?5!*t|L2MzYM4NqX3S(HlR2UPS9%ZIB2Ci>7|SB zg*Hp2>?5+;DmD%46jB%+6|>D3>%Qup?7Ct3#BiUsty~@p5PYB^hzgn21;|FSbWo0eB(lX+rZ=5>Bv#~-{On;eD97Tio z_`muZu!|q+F<|l~wkz{IJPQyW2pCX?oHBhY6Kws0d7(%HQS=~l)ntchc6)zc-%qgV z<{~?;(|zi&LIWJoFRn?oyLIV}3aYw~6**Rym6Y(6YZujXUEg&9@M$;(3|@%&q;cCT z1HRpz-OJ6lzG`*SP=MaY_=w2SG_ zOs)v$>A7haVG+A$s6)#E*KU4c6NQ< z5Sw@DZw@WhzpnENxL0-=PhVb~A4%gadG~g)85`74q?+}ONIP8YZxZn=VIE6F`TR;e zJFY0mbyzWt-_LkR-we`QA=OchR>CU;Ou$g*6NOyhsPd#+)yv@9e_-kzAScVDw_;1F zAJ#Yl@@#edr;;%bJWSwd)U!4ne*~@CcY6cg3=n_!b#?JzCx_%{Xh8ep4Gq2+=n;GX zbWX&phHNF9o1!$NUG6i$ZS~uc2nGa9U7!V$8T<15+6xbv@HDdK!(fJ=FpP?wr!S7o z-2M2XKuApwPaOfWV6+TV4oHX-Efyp3*O9(bw*`*Jy(vKrNQlQM%?|eXvz<}dfZ$HE zuoK_)MRqJ%c}@BR!q@_j0oNH%43tB2t6=CWRZd|E0=_CYb9dv4;W*N)jg3Up3KPEW zOZb0Yt=u>kh7G_l0FeAp(5;?Pv2uj6$ys?-|Ju?dYSRL&2!{*p?^%n*?V5YJ)Z>;n z*j#>+h~}nBPrG@40e8TAGFJnHHpeoThD7(mt;I}wLOkw&d@Pn@Dv`tgxx}Dj8x;oL z;HC&tV|+x)mT4Ddva-@19^z20+w{!T@$G$&kBCozfKQ;$>)!|dzy7b?$FVGgXN&A$ zdJ%gB9RcqnKllB-y0`PMfC#)BJcPKz5Z| z&zO3_aUsw|IOjy@$_-}4r?Koi8*j%GSDC&1qME4o8?_LJsQKe|36w`uVF>2J%IzS1Fk6kK8IL+*F`Ypg##N67p0Z8Y#kDmxSDul8P) znzux%HeVBN?-YE6oi;Db%lZ%0DM%F}vmuSPJD4-bMcq(XxY>8Hu63ezDZ90BHpIho zoA5t+=DHV1b_B9WzQ`OtMZd-oU7&XhdWqr$K5qI0o*m{85fkDASU=`6&X6W3VXjX# zk9LqY3olTKWS28v=%&u8FqMn&L z^YG*KV}H4`kfkiOd~pc~q3k3HyUMJP0Yf1ax)jIA5pd@jeCy0J;AUuD&rybZA+3Y}>YtJ+^Jz zwr$(C?LD^k*tTuYygBz&-MaNs{bQvn$*-hWy8A2mqEZ? zAc;gXj7i>uH(UV9JDig1lD5Mo+`PFns^8w-^b~@;99%LjU%@vB>VMH==ELYbWWe1n zJ{vdbFqd@Z9(y^-JM4Z@$Q$6T_c;<0iUDG!{1_>b!4;;JZ1HIkn4~D)C+KQvhdE%6 zzIkz?MK7Eb_LUs0L+O+^+FBs|iGn_RDf;o%bqd4E@qou_D9xJjjJcH!TW&`4nlb`h zx7#PTKUBZyu|4gx6^@?XNxj1ja`MBR;b^Oehr0^>BV1Oo$VAQ)@WR^sxEwZzGWQW$ zv4bnYYodE!`vT^>ZTQeb9$N&m!vxPd{lIPb9>X?L8TET#eXqyXH*9_sFXEY@yw&%T z%MDE8Z_gNelZ!Nef#Yu)6$cMPJvs}*pX;mr?uUD9O_ojvjwL-`?Z(LMoY!2n=i(_7RJ0@{M~Z!Vzz~c7hsGb0GqsprO(eV{lB&87`bp#sxT$u zxAV{Mz6^7nq%0EB*L{VT_gj9ip{pgY?zYw7P&-+)nqA@w0xCGP3|2iR+o@$uhf?~W z1B(r;B|qzbhmvg1bJI7;>IaOi%59B3W&)4fXfTn7E(SG2IP2>5vntQ5>|inKEEMiB z4?!w1#qEJ>B@0qB{QNaNWX*>~8;5O{h-rzr?PHw9k&RDiRi(zd3L#f5|Jj9y)1Kvb zu;kpUlt|j0kzS~y!W!qUB*GJ+WTBh&eiXtY_asS=5op|tr7}l1x>F3ZY5ju7NF_!R z^GKQt541jFBNUoGZgPo8n2z=9A`u{a_edoKw$lY5Mg7Pt_CD7#vvbdA6pjsE{oWoA zR+&?j<9Fb(52Qn6mt+NPoyET>F}F9MrVIz=VK{{>@pQ~crmB|p)q?ov(4ZG%_zR4W z!EM22X$dP;DZh05Wz1h563ORR9a8aU@9oV1DCJ} zx1}xAVouV?{kf8l+XhMt0QIcm!bb}S)Zc%-LDi{8rN*x!Q(5XTq!>m@YPzwJJ*nY3j#4`&{w~FGq!}5I-2Wf9_V_X80jI$%!A{ z)-RPdYR-F_U4Fr1FfJ{3S&qY@>G|A?@A}vUf+NcbmDD@m%#U;5UY&H3g$QDSrR(hn zT9gOYHIY4AzYmot62FXi>-Le06}|H5DR|3NSB+LJI3`3w1xYcQQ`Y*+B*n*MXzXBo ztHf56UzNPjOjYuJdb+0GUF$+a-G5vajRQ3@#&H6<(M1`1%bO1s0imp<)2|f(cdJM> zu!pSMsP!CCoDyLz1Ij7w=-}!3yzj|64A5qQ7Urij2a_#scb4eWRJ|TptxZ|L z+Bg*e=ao+?12@IF&G&6$JoEfI`fE#`vlH9OeP*C^Q7Vqhl=r#I*OxOKVhW5n3 zWeEljpsFo7OxlIACrF2X!(NMy0fK?6a(MhBl3-OyJr%1J8+jidFX4c&ygnr86fD4JwT+w~%RvZuW!p{{thV7$^VdaU7@=kA#r ze9Z}vBI9&|F-cy>0`lFrze%13n-}Z>$X`4r-r7n$=pUTUsvA6@FG`Ef{!wZqk*gm> zYq3Ylv~>R}=MZx7AH9E5&4*Y-Ez%und;3AfeSg!YQc%QI{uYufnU}cPU=Ks&6U|;^zl!=dFu;JGn>S^HTu?f z2!9srj8JnL;jD4iPr={{f_cLv^xUxn1WQK_Jy5sWRn7G(alnkwCsKiF79KRxMK%P> z`i9NiaUsNGgW5@m<|rN=3~PCL^sKuZ81L7;m><{*7;mpTI5=;EEu1$IGaHvS-s_{* zsF;J_Zc_-da17%#YM>km<-r!w>toUR%mGpVNnW2q;LP+U>FW@O%=gvs4X#JauY9I zak#?^AP#{~B#4U&&^#04YFeOkTWp{_;E`WWBQMy%v7ALN_bQ=_j@8uZeMNaD6IqWw zpz~j-39~0hQvE%)354eG=dUR$w@P?K5UQZBy+s(u-QYkK#FM`pjlbwIo%)O#Z!%DB zX0>*VWsZ=xonJ@Zqo}~S`TPt(R27-W5tIVT>Y4$pvG;%&+hF@z5tN`xIj}Scci3Zh zb?TrTdUDv1x!sU_Xqh6@PPlZ@^DDAf)_-Ju6R^!~)4WxzJ7a2WJXZr$a9;qIEP@CJ zv8HrDE!iytq;T3=>wuNR$*zb5)8gm>qc)CoS_1V4pd+q_HtDL(U<)DNAMOMz34t!` z?Jel#noea`<%@v#e`8W#AgoGt;V&a^0QI*xqxC+~7Ocz*E zXVhIVd9Kp?iA1Zge9N9C0=*PE74va)bbF`9xuWJ@TG(Ewg9+WKYmPuWwqzu6C~X!O zlULY}B|XrbOLl53uN2JA%ib(qGGqn)+R`vd*oNXsL8P5eGE6ZcH|zcRy2;;LmdKS> z^GIx%%gJ5dI(v2g>^dk~3q0nWoR(?9>Odnc(xgR3)j>0r;1?l)W8Ju6@0cT@ylsWi z4erExKQQ^Taq!9PsR za_}I6$?Ym0$=UYr1)@9B?-JbFRO8m7bzqo-liswZ6nPeZ5aZU6hZH|%mXLx?*RuRi+Q+8O5oErM1x z?eTGYnoyQr=xf3VD2#VEFQ8$S?JPy;s%T+r8O{k?EkBeylm1yrRDsUr4=A>?v#ph# zR`#%dY5XCZBFNDVVXu(1FLiI$k>$+7^xTgqS0@}fgm->U2-pv{hz~%y1!uj} zsFaYY8L?1;6=t&xg9!&sJiB+Sz~%cpCA`Ce5zeYJ{+t7bjTKguTi_cBFpvUNHijv+ zi<_NwpOF5X@s0jY`n2eZW@VP6(tpm^z+g=!f+r zaPaq8BgSUWRVPvGHZ$Vf+=cq$J5q|KK+sj z^pRvmB^O&^v5gN2Ye8ep3I`ill(H*&}6{q6r(W!k|fly7x#%88W6&g=!M3c zH=AXL3cy5Js(&igp(b3=$~+cSf%kBGsw@#8g)^eOmA2(O7k5ToA*w@cNH2HBM1S;t zmnL=e^LvQQ&du$%N4R3FTqfuP3gbya52KPis({k&hYoOS0QNtW9Lc@?;#0 z_L|XJ>e}$Cq^@Nif^fp>5FX+ z&_(CFqEocTIDaxfXg;UYTnfoIYZLt@Ex=AJR8%r8m6Ih-Y%TL}jf2Jp`D2*5v`-#V zeYzXoyhjI`L|P6s?rq7D9N{8-0(3t5mJ-T{UZyb9`Y1-4m}=BB6a~vZV=0GgeLdQl zXW4w1o@jqc$s*EfX99HRQSML10+zAht)U{yY+Mv=wD&=pCn6}NbS61N5{#Y+P2oYW zEwhjIh7%|q=}`GUsp)YA#m9F#7%Iy8*CqR>*)wZG<3dRk{$!ABU9~ zs8`OFX=-_v?7j(l#Za4ZIwMIZ_d81=EN z8Qz38@x(|W$tFd3ZJscVW7D5&eM}qCo>;fK4 z4q!8jE%;J#mH5L(v`swvAKT4OF`MKD(DVv|5aYp}u0KBC`%e0)_d8`~^r69tM&_TZ zue`xj1?22vki+2JQ@}#wYEr7D%;<9&X@~mG{%OoClvJ9A@tBjyM#;{6FRgZ&I7w~V zM+9h9-l{dyiE{eDZlWMA!R;IlwjEcR#Ja7)9&|7${cJ~EI0V4R$Yob#e_p@r zNmb0D(a72vrgl3 zrrWt`Q|4bD+ruPskjrII>h8w@G(P=PxWq%DQnK_fgjz*7e32r{bfH;N80K0KGvy>r|Kx9k@UT^> zO1+*2s=SNKQd!d?VQB|!bOuAuu)a>+X<$lg>uw^YwuKNCh1wPNwVDw3Vuuiy`zHh^ zLMmfPNz9pYhHFT*(OhO@!fBHblP$S|AvSR`l~a?=0!!}7L4BHWD)k1K8?PW#Uc zp@cz>*>0`ThikvW!WvR1{!%D0l4{Cq37l59UqO*v46oLIwR_pssPo<29Q_X$7puX^ z{U7DXV1t(Ji>P1t;`sodrM;13M$kXNh0);m0xD`78A=-fkx3QRk|IIfQv9{`8r44m zr$yuO(j+!VKbc!qR}}Z~$OLI^Hd+y~q+D|}O~@=s3X>aHR+VEF{|Ic9MIK`Mj|T>_ zSd==VsQWeN8TM?TIY5R6c!Le1)`3GVr9G_oz#o}kr$SqPnWqgws^2^vh{dv}KzJ%P zg*w1um2nz=nc4=?5q^Nx_EelH)S>(`uDgk< z;{HG;%1jbR8;(wj-cYg~6C`RLq#KxPt~d=^YyiVf41}aPMv-x!O);QWN#PC#M*}Jd zf6F-9uEv@{c?|m!~i`D{aKhxsg&ii^cGc5Z$Xr- z#p9iF#Wy}+gsz3l6kzjrW}y5i7qWdMRLZ;-PrI7AShnxQsu2;yzASXOwjQisnX5%2 zR`%qIL}S4xvb+{r-Rx{%qqHw9SC$(xd zZlKHtVYPkV0;6I{Uu<#tqh?KJ<`tWksZU_{HRB(a%%$NQv}^!}Fe7u{@=U@bXxpC9 zYuYsgI--CZxnwO+J{#G*UIMIq^`sxSPDp59>Y2q+&^b#;9t6ngtPrXh<6gXw7$c_) zwrOg5k*7h`@C7}PVW7sUEIm^6 z@a$A`oCVS1vPL7cyJ@xUAI;@v^qf9GfX;F#GD6dWt7|j9uGoA7{&gS`MG2>IKOc+5 z!QRF5h}F#IN`I%fXw%d(uqh`i|H|!V{E`Bb9n{z9q=oob&6SpoK0OjIZ)f7ehLgn$ z(bd60+M7j>>)|&>LvPJjF1VFjcIDH=W~SI)%l;3?v#_qjckc2 z?LI2+~e z?6H-2QftsI_@Y@4=?UkE79&ft>ASZ`r7#Vqf&K6Oujy9rRwnZn9?W2(eiD3yuIK1^ ze&72K&mTB?P*UTB<|?DnKlVbp9a5S1Se%q4fzO=^^{$iQl0F+wa|Caaf=2Iyp$ zl746>n&=X+gM($EoWm@brnu*)((<=An`$eSTH85nxg|& zJztM9r#J4s#A!#xoFW$KIW{Jr^==|<$XHhL^d3>M57)i^8shg4Jvs@=g%-4F`Zp0N zG;lkLu~4C{x@m6~zxO%cfv7bzOao7rTw5uKp;?beRWW!(8>62Z&*dpe6sqpIDmK1Gl3F}#E!t{KnQDL*R@tMizqTn#h*iSOMApt z+kNeAGA!`u<@%ZErIn5Lpg_NJ$K2RZIw%dz1R>T@;zzQ79v*U&L#lB7wwjT8Y=sV` z;ihCA|K`{bk)~hZm#%+)=LrfbE&b&h^Ic4Zf zuOL?KfB6Ok%Kj{a(2FX0P(?RZ7in3!XvMMnKkWK|2ehLjJ%RlW?@`3u`$d%@7?mFXoN+^e6d zHfqsG^|t85HT$23y&D@=vhf#sELPO9b~Jt+FcQa5&1II&*gat8Ar5^rLC`6mE38W9 znrnhBPtlpZgI)_ZDmFG+;+rMN`G%|?D$+#GsQmVWUKc^-2cmb2vyef=5fv_lB9=R8 zZc7O(p5EqK5}91f`cDX0GN<@0B~K*L#+RuOYKweo&`JZPG5K?LQB4iDA2Tly#Y2ds z&5@j*@Ff$hG#vqOS^5c`WCjV9VQ=tyOXKKt^wb7N_n@qB_W^momM0s4cW0xkXMx7iQPX ziHr-|u>BE{l_eI)7dV)**bFuj@438`Avd!GE^{lC%H=>fE-kXp!0LM>K06?-Zuw^(1`7rBl^gF^%6n_&; zF*1_YVw2;K^qXVj#9TPJ0M6v=`=iVeAd(rsIN&FRm8k2nI}Mjb4U4iBL2U!oIYQ%O z1Oe=tblfrT@=&Phpw8c&H7Q7F_tSh>Hz`SIL#g=4fi@N!hWpQm_61+|LuO#GA(t24 z*PYA7Vd*}5bXn>?M^s;!M3_ol)JT%I+BAsck`86t z8Ae5{nT44QUoLoU362X)kykpJyQLa^t(}Wo3tZDI^EvvEk%#5U^(z8jqP4Zj?@4 zT<A$y$tf^kGm;k06w&clYt$bFya~y+@F#+s~;jq9=6qMM44nw)Q*T~4xeJZ^o zQ_&$e!eOG4GucQ}c@pNFF{j)9f-wiQAMSJJXw%Z=k3TKeD2r$rp-2}y`2yz`AStqe42#rS;F(B5^?eSiOD;={heNoIzDx<&!J`PrDf?7 z7F5HcIY+t^uYVB7E7-S+E75v0pR4HINdn8!t_;iKZrN9ffj187q2c3BIhpVCh2O`E z8Te?g2Ori?FZ>Ok&)sL)&(|G$!#Ox_cM5{{?e|)4|0jU9G9!#}h4*$EEAnLSMVHCO z@aNUT4&S_`t;jR4CmiowWrQzoD$)CwE)*=U0LGp?z0FdMk6a$q>~|UZo?(?p8xN`0 zediU+2Ojzp*XeLo07e;=_6k|Fqf$xxS^vURg(|MlL{}_jNUZksHi+KHP9fLeJhVOL zB0Zug9B34Nb1Dv!=3HfQQ(SfPz0iP}Xeh_W{v$N8&}VBI%-sWpKv_Ac&E3%&XU6>N zuzim=VejXLE-Sr@=a^nKoy#ALKbcEW{c*kCPvz(lUgsiO+H8EtS*pY)4s8+oa~I9D z3tgtDD8=3M3z17y&l*zUlQI`0+2HDSzIU6(KV&I*lTxl$if?5MWtTBJ+!+f09*jjj zn2LT^e{;#1Cz3Fa#-sOpzKuouPY|alHaJ#xicQ8}u9Qb*3$xE|OKYg{-2isZtQo{> z6-7$V!vi6aQ>YFDT4bG1%OHeO+u@g!T3`+CGyhiO5%N#3hZX)+d;(!d5(f}Ao3M`V zjZ70=ufhT1$t}-ycGSAD4~6@69Xq4$UN7GBp&pZ^i-RVy5)xApWsFZFWph)wS>_cy z$cj;gp@1X-JO(pInneA(k#YnXtost_JnPZvnktkicqK>qyxnhOg%sxkFSzm-jc~QQ z{n~R4@LWLWK6qS-!Nho4tpkkd*>rh*Kb*%otoTr55BMkG9E3SnjdX@7271J?L6I!h zGgZ>rk1Z>N%OuZvOEqO##eu26Hyc@{0;7sah;rP+vokW1Z~z>_l*y%jK_$1INeft! zzgtx1ri3a*p$k<>z2qA2qCMxpR}hG?-Bi{^rMzxI92KWB6WE3tZA*{%r`%>-bEOhD zzv^w3rqs>)J5^1sTDw$b7%8W}x#P0uDEiut{r8oGvWGDS(h@#}HC#6L@!OwwK%$ww z@`KR@)~!cf!B`D93OdWBs?a0Nm1AzbWX_23s`gWLvP$A<%0AHC839?O4$W;xB?j}U zj)QN&`r<}>JxnOP9d9)lJv56PA>XJh@hQBI=v;W@ym&Z!-jF!~SX{`c=~~Ie&S%%J z+s+R5_iY`ni~oc0ZaH}bKm(8*xaiet*O|DM!a22V2q~sA2SP}BVlLqE^t?Z{a#+>2 z691_~*7}G$KHus4a8e~HURwiE3C#%joJgRKS}yDyHPe8>FoUccH{ejBap-4Ur5mBIPp+4 zWo(|J`SaZAYK*f}q|&{PbY95f^CEydb1=Kus_-<=2&;hZHD%=!D!BvFX(Tb@0goLiw+so(iC?TrO?LT6G26R?#J6n~r}|Nu>>};*NPA;o6eA8}n~gVU=+l&x3WSU$ z-3cpxLL2PvTWbiI59MrUm9UR8$OUk=BrnNq2EmY%$wQ6Lf4XYK+1_5b2ZTY_Tmnvm zSk`V|#%pAS8h7olrR&Y1F!_#A3BrfxMTStcjPO&N4bmN6x2;^n&~L%lBRN8CHw#(UZkmN_)lVMrvSsk2^8qO&Xf zI?0|b99uSWEC}>tEIipiM?Q zq9g7We59;IaTB2HS6*AC)WYyR2IZV^!CNkJ3oE^}6gbU0uf;}U?af67Ouzc3FHP6D zx;ksB*q{V7t;#Tzs6%y(gJj^TN{X4G9x_Uncik2hoF2zzPxL5sWPcI2X-$)Nry^m; zC?vCBxj{u&)C%zCq_hE59T?A05aoXa$tW^ge6AmOexsgy%ftkpr$38N{Gif8l|lO} zu<@x&JB3SaM_9o;WrJu8)sgpwG|m2!Cu?aJo-O|X83|O5WGJcTaX6Bl&0tpcSGPtG0Sr1Z;xHPS_|%Zf;*!h_8%IB)Af^1Z@y6Dvt;>x0 z0BpgAy^?C5F&2lJE_-5D<;=P7e8W;8!&0_^IYX$YC(B8@408JqTTYkqc!f~egsQTf zZ3y`tBP~=#uJ&=EAq!?Jx@oB4NTswUw@{GkBFH&wfCBUgiZ-qjnix%LU8;kD&$oU1 zm>kcGQXYK*t(ebVZm9Vhg`{*WYOL6-`KT0+aidLqbpuq|evotZCbRUy`6_wK4~D zEVz|S@RdilV+#6%52<| zH95wt`jI0dyJFSr(47?vGz|_@VU!CI@_9soU1V1 z`;lW;`_aP*;x&|W>g?%-!-q1xse`q<6RH5hDCEW!MD6|9}|3_db z1LUv=LWlCB-txGSc!|X;Yq2e}cTO#j233-yW+ zqYig1y+#-!O{8=QTew8XECGLsCDVxW5aq9aG^&gPDrzLPpEwXG;l|^b=-HFU1Mo+J z_h@u${rxMJI21Ssqds#B#RH5t{y`v#1Nw6>&Op2Y5H%ze@dyAP5eyvx3ejPf$dmx& z-ahHe^*J-^U=)W=8paQvJ6ScrahYr#mOFzbb@A)FD+4@xTS36wL!*icEP;CB>qwz0 zwT3&z^h928fb>VRO??FjDKu7|{dZdRj!oSmNRL59V@la98Sty@Y7ipMJTB9@cX#By zM*gQt`~373$ehCfbPxhIBv3oqIyKNJ*HvO2cBTPIdsw|L4$O@Vl-lgRMXU5c2x7jb z2v}w=nAw`jtUdO!jyf}8;bf+>E@6_>uawum!Q8}c@ksl{c&{{13T?S1x6%c=z?zFu8V4w}ATHB67}s@c zC6>$s%SUXZC!i^T3rb*GiAufjWhwdu^+TER-&e|Mqm*?&fLz`n@+iQ{P8!d*0-V@;LYBy53W2^v-xM=xhyh+yjXzRV)muqP z#}a>vQdHbiW~dlyCpil|lsFQ!)-iz#6f?6dId`n77?T?TI97fQL`?LJHCu*ZlS(F) zQFY?6VwLrR|6a^%L&Y{rmSL6yRBa*@wm5W0%SV)wRsJhqT+K%q1U)^Y$>3p#>~IdPTip@PGB&|)haRx5!3%+$v+2)4EqHf3{1~Q2IVPy$ zFpYsK3w%F(Mnk1$fmicYlSqml_p#vAKgCmdYnD~UAD`#UsxiaFW*_yx=rLxgE3Oq# z39g1vTk{9vBf#~elJw}x#>7DGRyHc3$Ugo{GCh(&zQUb8oxh0=WaN%~oPz^&GNr6T zzaX-TB&fC|*u$a(C89DPxmBtNoA`s(PY7&>UXCb=Q7V$T6H8hL{RYX3&h2mzs)X2M zrJcGU`C8sAwW8G{&%ls90zcS}2!Nxrd-X3F5O<_1jC-#2oT_}6M7odayrg_6DT zw{D*!Tw4k_KvIc`by9_m9eH}|Q1~m)V_GXXauj=dTI6@>o7P#>6cC1z0=+?A#Oy;{ zHS{QV=5x7D_fc~?kG%BlP}TMbVG~=msHkOgHMT9{lHA|M&aP&k1bg_-!FyRt|3R4Y zB3ZiWKp2Ksg_x$Mf*J+F%WU(cW{ZU@BTA8un`3H($}*F=V}7omBlO0K3CtrQM6$Vin}57A3X-9$~5llPM;a_l9Y2hKKKP?9gC}2WWDP zcxUoXJZT+5*#!DMHtk^SDU|Uz5E~&Jb2bQNFuSokY#oNuG>r8`V$lmkkkChVr_Rs~ zAnm!=`zYY+0dXuvqR=|(5dk`J*9!LK71)ygOEY1bHeuMYV zz%+m@zCw8%iC#0yPE-mXkyA8ib<6|<_!kqN;E|qdUEhC+v`+_?J*B#-`*{N|j zlQ9N2m;eRY$bdvBR^nMD6QC{;-B++`i#OF;LJ!n47Pk>C6mAZGU?e$|`k?B(#mJ_- zPBCNf;+?v=bjtJGC?>WFB%5w&Q;7FVLH?RDS(Xw3K$`++hye~wVk{{emF`U^N5J{i z$O{;V*tO2sJ)pmM!f~4h&soB6=_MxmZo%4IowF8S3}8k*+{e}4i}smI(@$N!KJrFk z;dc>BWX0xteqd4%6=_Pq-;#fPvn@xD#)gu5#f6i82|wG+* z=)IumwY|+Ld2jts;J%rRuJDxn{onXXOg~Vn%zAkYxHI?ChHtr36qc`ay!C zUh2Q8kzeS@4AOL-;YUv;0?qL$ZnG9&eRY)v(-oiVPuDiyVlYIuxA zj8r5jjXyh0rJJw!Zn=bly9eKJ_C4%i-tQ4;UAwF8EFva}gA-sXozAo_e>(YE(NJO) z?0VfJljD?QPMqdq63sAX1V^xV{;oRNJ9v79>`f>P^{W!n)f;6Hz<-pW|_NIj-31i$&2GiTH#Bzr2^YWmt} z%t#jjLRWc&%3K$4qpK*CbW2s<*^MJ(JReg%{!KI+nn;G#!_Iqyg0^fV;8!L`FnSD5 zXdR@htsp3?<}{w?Hf&;&ty;?%bomE7R~j>?`ol_RAuz6soxBp9s08q1(%KzGD4u0{ zZERLBuMz{grG;yn zAG82ErE8x6zS81d^p%>i8JL1iwYKFeSfyG!kd|+%A+VE@Wut{0QnV#F_06;&Vg{*$ zan{So^{d)=VmFH}qx`fH0`YPr-+Qi5AB6y(QC=vKmm1A^qS9HEnKdNe#QD}ON$DpJ z`Spb_5Q3$L)!rV@L0jKaM?Qc}lbga7cYP}`K!mtWo`_=(9FE+Y*Z-l-m_~gB!|yx z0Wzm)asr`Z6`kn%`@yXWBtq zkaJ6vL31#-vc2{Rgr|K$pd!&7dLV>4+&u!(#nz31?i9%ehd$?fn=;~NkMGpzV|9wH z$D=XJd-Wv;-=)P)SJ*TvmMlsPlyQfF?c?(J`5wlU#0^Rwod&MAuVhGK`U8xoxe+aU zo3-{%keu!en1@>{pFmk7VA(cEHXCS`5Kb>(8De7Yw#aK?XYoG-yYUSUqpFvy!07-n_ugVzkK-Y`8z|9HeR!I1)2X!O*&%1k%HHCr@` z%Uk${Xbjxk0eFi}F=NNLTstSs-=4|}jRl7aR-QF;PIuSC`_{qCqKe#h`qsY%T6p9n z;qQmR=0%62MnGpp!DmFlr$@l1Y_S=z8Q-peOpJ^#eAAw>&F2h=VSR)pcF0$o&`?Gp z*lPQ$#mQ&YV9Q+~?(_O}KsnsabvYsxUiF8hxE#*M*czwd>5zZ-5hi^C<&oo*0g+?U zJqRY=%Xx_@kmw;A&;C4JWfCJ4Wl4;Zk?O=l)vDTIC@3-x^p1`!T2AS+$G0`RgX>Ine`<51}Z>u_u?6C!<-Lu{vL?#8BGmG5p+r|ZNt30rLhJU~%Ze!s17*eg-8lIL zWIbBq#Xk9IR|7r|0Bg?$oIR4;DVUMX4GX0Yo#V9s@v}w}-!I5L$8ls{yTk@yIaB1f zQAi`PIGePQsN9 zVCJq@wOD;(RZ(`(6|Pl+Fc`eihVzW%DEB68gnS21fN^uTYX!Cs$X(QPuI3JdlZ8}Nz3Ck+C%!G39u`j+ZvNrix8 zk#p`YP)YFLu=!QDQAW@l3!x+ZlBUlsZJ^afQW+Jk%@?$@X`s|PByQ>{Rmb`CVD1H< z&^n4KN0wXAt{6;DN;dgJ5JVQ?dQ3H7vpizo^VG~;#Ob*6t34q-U#yw})88$lz~a!@ z;6hyvxW83KrO2IQ>W_3?wjMH)oC@sYVCu<)=nm#0bg-M1p?fG9l=ySD;Szm(J)$mO z05R&=or4SuQ8n3P)4Xtg5TStYpFRc*V>Z8?{mxnPtt45l2j$`pz;?4h_xB%$t#ZcA zi#zIBii=^JOnnOCQss5av-~J(P$(Qofg8)zDa+J6lq>~G5h8VUzPue)6mD~C9oV_& z!2^gZ+N4H>?{(zaYy&p9V9f*L{S(m$Vq5eGkQHpk;;8Iu`#L1YM5WpV%+D*L4dL>L@X<4QjnfpH3BX zfG5wLT?q`-5$wpApcd*We=x#z>)QZVvjpnE)O&HwX6AU7JsUbaq_MX=!iYhSnp%_9 zzhSe@+lo!mC@xjse>%%<-vFs%-s}RqNhJ*!UI)_cg_+}{O!}*xzf(dqJjn9fxOvcM zm8?I}?`y!82Yty+MDB}xgp^I_K|d&LR2)VX_!Yd{#UHH$TEF8bkG<_!^{M#CqG!p&Pv8#g7raaiUYcPZ z^vlhTcSB2*ij9&hsk8#cmpsk}kENEY}%x4>i(>%rIF9Zqg|2_p31 zYo~gn#Ynl=dIKLX{68G;4_KD>EJ3PhJ9UrA@1bS-BaZC5{kjzu32N6)-;U(EVOHv! z_AHlvT{??BHj1C`P_(I@OBHiiO+*bwr1_fXC^Aot3}ilTBWgC9u>b5q)cQFefZ$y z%|tcr_{^E|4v;4%j}8AazW+t}E0@VPeU<-R`wM+ZG0v9SMO}c3yR+`5jVOGz>lOJ_ zzzF1{;+*t`-52z$PGn|HaU^A@Rx!Jx*h*GrCUo1~*T-gC)a(83aG4=bHFgsgGbb5f z33^Q4al-|6t~AF@1kT(P!R26~>x1|VooT5sL+q;PmO@eO`giiG=)4RIFjg|vPiy`t zQT6O!p-;;7oN&I@tGt%-|6}YPV{D7Mwn5h^+qP}nwr$(CZQHhO`xH*uw(YL>dD8jb zq`Q;e|Mtq-zjo%znq!XZ9@B%^;3KI;a2F~QNlVg^tKPEO$oMle1lBsarYXu3yeQ>@ zXYN|J1cJad^-mlAd9DR91&$^tY*+&qlnTk4wdBQ^^}_e(w$DXDxtCW06I7kXYgCl# z#bEEFqS5S`@VAZTq|0aRv9Uhu;c%aKbD)sE=(#`cm!D>49sT0VXH9WzdF#G)8)nnE zn3f?grP>Vysy#RBm^&x-PGJ%_L9a~lIiW?ru|EJt=blnA7HGv+P_U~b;>_^*Lj_J| zQ$sR;DAFW#F#o>Z4}WgEpo$jF&QWL9Mf6C@*ID42{o7FSOlNsFJrfg+jtoNkmpnsW z9(BZABdJ-dqqQD=y!CyYqW_=*>i%P#{Sa)k?ItFa;unm{=l`8~=bc-k&cLFB+Ffn# z7JLh1fA}8)o>l9Uez^bmcscT9nR!bh^YFh2xb@F}3HTtch#KWNIBK)?{%ye0;SoI! z>cfGaXlh@yA2;v&!rPTO*d{4xi=`3@M0d6EdOwzX7^p710n*@*LG$m9eTsSIdbY;9 z!nkUDZg=`!G)U8Fb%UQ$3~tAN5z~^%y;T-clja}m;KxpjO6~Js43|028j~J69JQJCYEb(&n+7`HZpw+{h<3?ns$( zcN!B9tw}L-*C?|^m!jh0#fUCc+;-@10B5w*1R&w!{l(+;KiAr0ASkTWc+3SQa4Pz(Qn}Nv_%_ zOKdBDVEul@yH^I~i%nDbAr~u@38SYz7*k=X98z31W%v=ehzEOe{3aoHj&I6`Qo9BE({-G(wC@w|op;c{$ ze?qvVL>l0Zed1YKrRsy)~lRir7-cj>bw|mr5}4kMM`-E^i-mgGBX9m-pl^IiX)k! zn%KNv5SC?L<#v}`zz8^{kX46;Wyq{U5nEIntd2=^oN)6)cl-OLS$75Yz|%dsj&*Aw-RHyrDrwaT~S#Mf|ZrB6>8U%np&n zD$rwY+W)lRLmyViE9Q=qWX7xH3Q#M7l?S2B$bAJME2?GN{g#&DRfkM! z%P44*j-#|b*RcSm!A>nfUSA+emtivem>KyYX#zOc$GNXo3fHRhO(iRMP(=k?#AfOm7SFM<7a^ZlZSEc1bkje)TM3r&a-y{hEbbg+d zu|_^&4AFwOM=ya2uPQww!%E!UtR8&mC@cFrdGNBE2{k)gXs|v@H!XHqtz?s&({UwO z-ZRkjO41nupYq(dI-i|Lv|6krLnmE)z<^YGrYAk8a_)58dm}s0Rmh@K-Dg0IP&L+WI zfZehb%r=OZyY-c<(>`S{p4C~ClBF57jHr6rJF%0fJ{K$fyHO@ye?h1s|F9MhYWAu1 zK&rA_!vA*c8jG`on4m55a1S6@OFa0qL&nv6C0gb33}ss~(WhtYx4Q(amGDge{0Q`c zZqNS<*SXO{JM$|T?JSrrVF)CVqV(GzT4m9cQ`>QhuzzubVAI>}`$;(8(zI`c6y)K@+9mED^Yy zAx+!7qV56@%d~a>=Y2x@F+m6Lx!+l3X|V`v2`l@MADW&~9aNud`oC7alSbx4wrkSy z_%(1Q{5%y7y*+t5d z432DjxGS*yD?6i4uMWnM-q6sqr-Gc($io!%}3G_Rqe6!%vCqe zJhnq0l)M7NL#ws8pc^M8IQ1k8`sb)SeGMCuG_Pu8{MtB8IKBB=kR@Rip+mQ7VV``% zJW9uh^GIykS<_nZilDmd|8Jo#Nr~Hoo`>tf8rD?;v;j;Cv?PL$Mr9;HL;g_zqVMbV zukmlTs@G+Et&ggaRs&b9Nghb6;7jO(EmN6DahH%whc?XM2EuDln0dl?zW=Kgpwwz8 zQJo^;Y_e?WQw43TS zDhg%uy)Q70uQ+QDzEr2GIe>8r*VUU0j-5M&T`UJ5TiFR~jdJ_^L^NGm6?e@t8GdT% zqRNPrLt;HwYEJm0tMJqsVa=*Eq!8I}P6T}dwv&I_L|qL02?7!u@a+tK#_j#-DQabq z5d+6)b>J+8=L?InzN#c$H8O2v(!z2pZ(=6AeMul?3+~8$@vcQJU^OFu+<&FImP*mu zB^8iuP(BxyfOeX!>kv^LiaUoW{3%kCCMVfVw-yk8csD$*%7AGLQ7U~xU~Uf!W(ulG z+hEbVs-HEeNI=bfhs{cy1;yCfLVl>Hn-!9JMD4!jAqycY(vtc~w%~b)+)mQRN0!>* z@9QB5EGtX*STqX9WkxqUKBT`-Vs(3u?D~IHI!eCQnLBu%!G*Ontu@;uj7G9`uJ3}t zKyrGcB1TSQG`4K)SW*$gsmVK8A8E|ZP)X=fSTSs(YM_aeQ4gp!mHWKiVtX}0q3VcV zr|4q2^_Y6IMeeE!h9P@YnMM%6gI>07(G)O9|l0!gn0ZW0t1 zSpI)hy5_(CsPyU6v+|NsN$M?zLB;y3W&dJ=(&21K=A{X@9JJ5lNlfEtv*vE%q=WT5 zZ>~9}y92Sj7Pkd<0lN*y1yk<11YBhsI?bdqtDL9SQ>`oRwfqsDT^|Q%pl#@}A^F|KsyFVh;xad&VHJ3@My`>j zldLW&n7)}jK;aEyrcra5|D*{M;M%K@=~4YJi#|Q~e=Ir(eBd@X5~s-ZTet*Q8K?WhK> zE_Q%s3vD`0ro`rZIsRMMZE!BA6%`2Aj(ICH6^0D`r{bTs)7l^V;;RlDZG`z4=MzlX zf4V>9{vBQQho zIs&6Na0@OG`YYSbtbJ zj3RD}LY0nqq-eB%2c-r4A2NE@-sm(^K}r+Cx#0tfcE}Bp|}Jq4I(D!eHl|_f9C{E zpAo$2uI)tRhVu}D1dOrX0LY;C|90ZweDrU)vx-`VVOA#=xf^6|*SsYUqC-8D z4gKyfOQ0$W*tYydG5@vR8|Y$sH?yg85es;T0Ij(yc+Ku0ViGyn9_@gJFPa-MSLal7 z;4p9*kum&}+~~B%0yu}Tb3sG)Myj+1@8PEv`*=7?l3L1`$l*9B_l#fT%$=C!*hu31 zdC(KW3##9BYd!0+gg^9u96dI285<`T`)bogwF)&%$;?R)RKx9-1eVvK7erNPxxYK&>FFj70 z1$3l|jZ}JUep<~jl8s?71*1&wnb4O-m1CVHPW;3lC zlyam^N`@uA$Sh<14~XOdg%^W?>k_vlW7Qi?rBJa~B%=39cWf-Lf%kG+LtP_hR=vQB z7jbv9pTUosmC(!5ixbL&6UO{)&!qt&1Xx7|Sw^ngYz#7=f#)CP-AjE0n66M$DL|8p z*{pX{<)w477=QRrbwJcmeKf|5XY6AK+AUci!?rNWE928gb3FfIJ*#XmxY*SWA4z6;`U!GoId zz>9r`@Oa?g&FkvLyh6Fx=|l&83u2$4oSN0bi?)WaMg*}&`Y}ZWFkJ>QT!b)0`q4*p zr#?dI*2$dbdkvzVA$Jy$YR&WHMfk?J@jOv@!E?>y=7bZ}cD@NBo?*nA{m2Xb0;yP` z1som|fw`&$+H zvOAgfgWI~>zh-~O_xAS8peSLZ7VpB~LWR6vciX~$9+511$v3#ze?NiC^)*eRTDLj} zaW+Jut-Db|H|@r3-?F(p4_S`fK(@Zpv9aT6!-<1yNCblIT4V8hM^aLtZ8##p^8~r- zi1^6==H~@=wyFvz*IQ|=mF#xlRy(t}(tIRENO*6vznH9dw`_LuOdggY8m^vekPJ3v zw8;2tP`JL1^DgW_U4uUM<`tYgcg0S_2mQc$K`Q{|kyanY0KNhr^A({dv<18bfLRH< ztS58eAYB+L{2ZBC+QA2YBOn(rI)$KN(Q6FyFska>9Lk_i3MM@`F+0hPEq-&SvE$~l z=ueJ#Xppoz(Yx+M-I7e1XOZWpiPJdNNd*Vrz6;jB@T`?sDl2K{de6bsnL@&Wo{#Iz z?yxdVs}eDi7y@z;RRR8C{S~OuT=3SxGL^xwnK0-d^Nu|`pd=*8SD&5u{TqzfQrp*> zEJqI+ss3W8A34>^335qjXSD~lk;3iEKk248^U9e?#x|(+VpbV} zV})i4N2v!`c&UO{K0oQDmH653p_UINx}h*(Dt z1PoPv?EytVuO0H`BEsbOcVR=MMDg^GA&IfF0`kWv2ZcJv;y~m%@rX=*&0T4ag~ZDG zcC&vst!Bqp>EJ|b?6T*cHAjnR3IpBogXnG4UAcgM`kktklaz5hj3QroLYwaC>#)(` z2RbYgzcw1F#8yY4LtEHgv<>YUUvB4os)2~5@?Q=!`6nqqbCE9_2p7&OLU(>%1l!n{kxwMKPr{b+tx~|rZ{#Z*_h+>uj-}y{jBm7`1C^JZ!q=$e`@CFIaU4w@jB^+;yD{4h( zeOw=fM*U7?Rdc_IEB8T_z6>__3fiA~Kv8IeU~1U9y85fGE#zCZA0W#_a1{D4qTNsN(1F1Vt7>))2m4Kaq#J|v7h-A@L}Jt~Nu_|w zldb*vS@n9MW3wgldwlssp-(b5HBKxFJ0M;+_c1e>SdJk1ixZR7)zFPA%_jb=Hghdo z3*DO7 zSy8epaj;{7b;=4w4QjLfOJP(%(S(dqEmw*}=%vQu1F8e-kgtPifGVi0t%xP3KqJs!1C$O&r5+z{#^pcCmfb-{4D9G5btRH$8z!o(hm=KG^|YtyI?E@RvBBX4ig;(TXJOx}=8d(&;{_q2ue)p?p}z zLpW4D%co)B-^@)sliD{<%Xk=IA*!*fd!lna3~!W@>n*oT2wiXMC;5h?W=_4CI&L?& zoIVyF`vgPxp_F51R=w-WgxaZKITU;0%kgqduGsgIU9eAQePk#3J1EagBsXyyN}>op z_8E+AR7%n>m|Nae7{?7UY(qC30Tx>aK*6L-7-vA3F_;MRXEi`JzaQd=8-{Q_&3Th{ z-3wph`VZ*|djjx1uCa+(@7ANb zu<%7R*owHr4_X-gF6P4dT13J^>u1!0&5b% z;>dooYx`KfdGR1u%==nI`C0K~dxr?>LM&FYF+21{4W&rtm^W_25x@n8nn)Muw{%>d z)&~Zjb7C%YS~|32)iMBJ%8s0RQCo9pd50$V_%JcX@yI-D{xr{4DWopXtp1*uqwH>q zx(;^fM8T(jO)?|#>)f~*`-dQ(R5vEg z7Idb<*B=T0u6Au$|IOyTYYnMaQ;n}(;#lg8a?fgFLp&7bzL!Psyb9R$*c|@2J!Yl|4p-`}WRX!zOmk^MXY^sfu{# zln!}#>7iv-=d=j!(zFn5VM~Kt=81J@&|0*9j0jWzTS${t-A4nZ`Q!|A5E z5nE7mj<9TiD;4X5KpMzKi2MD1FKs>ab#O8Cl|3y#%pD5zc1lccoW&&%`XViEgwAj6 zVn*s3_r9n@iYHsTCTrIsVq@9#74zP-M{X$P3|qB-aC4i7 za=qjz?*T+Zi^Wog6WGlRS)I)DjpAMUZ%}jEWZhs+Bby6Dr-C!a7I_htiF46o%6trC zr-CS3*SG%6`Ue_byE9OcbgjH6`X_z$J@9ya^+^M0cxK(&rq545XXEhk-Hf68*HOZo<= zS`3Y1lfv+5EFvozN8z|Gq4YA1W#Mn2HHbiFihJf*6gqS%cM2WsC32LLXK7|B%Mu?& z4=odQwS+{f&qIiWj7SD5rs70x;i&}(pV`W*0LT8&YX>nnPxIdAZ(zleqsdAkZhLoUO$tmyGkYjH>Y`T825hEiv503 zTrB99WPvZn+fPnYtGog09HVcAncum|q8wdIyu%=eAq8Zvqu~*8FL$)MMR7s>WMG1O zNd@&r_X%^a#-}a+z*6KcQ%avR{>p{Xv7rFT!snd+Yx?WfX#Dx(+dERHzzN{P za^~od3ZN)Z$#S7pC-3SZc(9T_s9?%0AUO%*DWBWJ>-CiF{q+t5>~~Ti;Ul(xI%@Z6 zpE?$paGBM#w-wa*j_vORIB&(#L z)-#D*S0RhtVC)U+4W#hZ`J4Do&7_${$zVwX&ijqzLSP*&x)r%YAoN~-6@GUt^3$?m5Gjl&4(8`7dm=sg<|1aA+?mSG z62GD$@R*&@A!rP3!3Py;o;`(AoKRX&WMgs|v0`FBklc~QiakQlIm;Ql5-h=&D#hUU zfc3r$x$2-)hP)CP&2h|r6bJ5RomN+2z--TxWFfNtCS?^TTzWH-nKe+cHsdN=m-sVb zKr@)64QC7CN1Lf8W{gr|YkF61@gf*FA%Ma z8V_XGTzaNJ3xJ~%s|hmcS_q*DN$8+;=U=-$IbVW6c~cBQHyv^5yz zIqVw;*Fu*8sqCaeNt!u1;!FVUKV79CR7&6eW7s?FfR@eC)M(AtY-HlTb5lr-xR{s< zMvD$zd>)>TpH?rGa8fgukHY3>A*0_8WB^t(nB5E>Np!pdy|4-$;`naf^S*y0sWd6m zTkRTHV|8Rq(uq01P+or^fy=Tcw_Fmen(TIn!BA&D5Jv1!hf*Lx!nq{Eh~=|RC3${o zGK!J4xjc#p9pD64Oa7btI|zN076&KiF+kTx?K zLAa}ng-x7-g{HGKGPJg{wDXyO_s3;LeJclTTh{o+`J}OFt+EDMM1=D56zX`-YAMTJ9dF`ZN=7E>7YE1*X4AE_R#Qzb8F4>wvnwhEoiH(bV*;W zuS?*gHe@~LNLH%AXjraC?DF!`$>k1)sg=6H4d*HaOKcRo5K7(`pP+i*oq;5^ITP+Y zi9;CiiLdeJ$RbXygRwrg$q0|giu;%4GJ|1atLu?NR#XNSj;WL~{TTt#Q z^deKJe-2_BCXqSgYw%vV5lxx|t%+VUWFWH^!vG`But4VH>~6$;%?lH`)fu@LfD%?? z6uy8!Bfcpc1c7^ckyong*^wGXjaTiVXgo(^^q$|_W&)WvIDgXp%!g(Dy*BgI5rpe^N^4;Ju`8=T(DjVh z!Cu;sA-(GL`2c8QnNV56{<$gA(=OrgG>jh83dM5{Os1l2*WA^{VK}hDEjLm_t^P{s9enogtD_JN z*cS*pWA`BCNj2eXQmQP1rI}HbNb>hbK_k#-cXMY4si@LGK-t8T0Fl(2Ssh7`w5)CZ z7}%Vv>S}JKo!>}y7>i)FLv}7{qJ%)4w$7#;*+1Pxyg2pApTErbM zb!_OVMleU~X&;4DVwY5w%&wu4+b+)8gT8+YBno9SjtLUl@8&;#T99$}5;WJS9!>-F zC?I##tT!R971-BfS~b312U!8PfnNNd-Fv}B=QczNDtC*+5W)?wm37J@rF&Vu)JKbV z+I8+^lrL}MFH0Vst=n0f;6;mnsOd%OO#RL_Mss`6`n8zulO^IK2OA? zzbV? znw;v#kg46BKWmqXWyN%>=da3jO`d2=OFOYolo|e1w_Ek;do-eaf&5jugkW)N_E0rD z4wayPOD;(yPa3)eF3n)WhN2%ANVtUcISU`L5>~pnYqA7Pe5HqJi#ukKhp+!yUz^1u z$yNVEG|2_-eJMe~k)b^A_G0`FefPf^4LcjnV0CBjn!&Hs$5YMH0bkBQU(J{r%^49* z#AAQzjO!cCNEuCw8x4yvB?p@sSTo}VyqVs^FoT_9aRNxq0J@)gWtxKCPsZryYjncJ zu%kqxyG9pVM#obD&%qr;V~VCQ?Z@_r{73gEoTwp!3oRNgAOh_t3hrS_hg}algfaVM zB!ztC2Y?%!<2u0nHyS*=%Z_q$DB~J;xJ~F)JuH6feG|b|)ZUA~Xj{R1cDXx^k}u!U znWWlfpYcge%d4ymM_l^DsxOsG>F@QS<~M}ygj=V_SkXfYZ(O4s#(~Za zXVQclURra~W*N8YB!y6xCEk%KU^Zs{YsWG?}`N;!zrWJQoUa8bnkp z9^%*+AsG6P5S^J0L*BUl!ex5d7HE}IrQdZmcILUNng$-^GSOHGs`|QS?XSRIxFreh zq1^F@P&Y=H=ul!0kzoX1ay&LRhSX=BjxD&xz7(#BFSGI6WtOxg3Y;Q^imMoH$>g>~ zsqz}%S~8^r)>U*xFIh zM6-(h4ug-0W@U_4H8}oS6${HcVy#N-U~8!qpak0r#$azL6gOB*74Gr&N4ZV$4rK?D zlfnJ((ZkpD{U=Li=A8*z3~S{zq@)#bgG7R2Zekq!eC z9-6nXj;mJ_6KEGJa-(uBI}D+%`smlrZ^r$L^{MbWtUH$tKFm88qF&qKl>|8~J+{!! zm;zg)@(uL!X9|ijhJQ5;pX+r;|GBWdcI%FUSGVtD@}D&m%BVZ?(Z{Ph!uPv!iu`x2 zaBqV1UYuVM?|;ImDWEe8GY|jd7By0DPfuh7-w?R&UVf7F9zO75CzQ)?XB$m&5SA1H zGdstV3;G;>lEc#&2%q)43K z#nEY`FnBo1md2zIA#-v>eK8t5H?Tu|q3EpPIJ+}e3YX`q5bblJU%aUaLrS%5kkdz( zW6e-&bbf3-NE#{9~41Ily<3w=#~5} zBy84uLkvhN6jJP%T*I&Ak6pEt2vS;=Vi+R;P`;BhFeW!&_rzG=Y-e#R z%RE!0b4MGho+Dz`WOz&L8hukS_Uann@NWmdL3rJTUG?%b+QraQK@cD4^X|@2lG=kA z&z;PPf6a|Y{QJnFs;+@C8g{FD!-2VSqYD~Xr_F7a{R6UUUX5LZazN&r=}R2=X2fI~ zTxWrN52Q5rvavc1?c^`C9>L@fLIJyh*`%)#hW@rn{P&T8-aD2D^6t2<6qC z=~O#~`&_PDU*9Bo==D2%_|6GsuK`CG$r5fIbM?nV)-z@Za~D~hCALt)BuMFUxvo;Y zCyGx@J?VPg`d>X=-;YnhGVMN@8k_kXRCSQ15-1j0$LDt|{3(Q+cMYo!BjE}Kx8G-5zD?47!a!paBpEwuP>JNfYfUBr_xy&#hxt63A6bn zMJJpAYlEuG(4(wK-ZRTnZn+&h@yw(fMa;yXdy%lL=x&S?0)~PMMq1w zErGs9Zpnx8a9@EE^(isCWU+WLkSQY05EFP365@ZhX1?TvqbG+bQ)%x8y0}8|8c&%h zZP6sEYy)OhNCz(L=6{_~>*2liCqu%`@lXzeGSvVB3^VCQViWf=&kC*1cF6v!GMD{f z2QL!l36DY`wqWdv*{9F<5Lcz3qt`a$mvMV<*c1=)je@MXC_^+NNOS#*OAgQ}A5H|j zpMPF!SKPO+v>0G*b*y;-r!jEP@_Jtc%+!7%+~i}Gh+kP^l}V=-UF<-P3fjAUs)BbY z&FNjlasZ-ZrUTgZk6Mp;3LRup2-p&QerzpLw}}waoH}go3?t{WEwHsk0EHOM=5qTY~FgHnZ$hx9GAQ8SLtN^NpxvEuS(XFUUXdx}D3Oq=y zF{efFUb>8jj?t+7(-t^p_V^vEQ7%ymZiks8XEc~~3y>Aq8l8LPyOIPh%!m$-E#iw* z^#p~5mZIn%d&hez%#@vasa?^EU`@&F8?NW~Z=XC@Aj0Nc@b+RndajJdETf8$<#md| z^U}7st_PG|#V4Q;&gVUNfbelRwhW@msT-5LDUQ7@1Io8HH$vttpjL!--Hrya=qA?pv za~qkl^f%v`aHs!J>^Xt0*Fl*>7}x-1a1e5X=5od-s$dn%T%n;KZEs~yMhR!cTG`A` z0`zly<7MsG%gChd%jjk4x()cGVWN)RoH@WGe1rhqXHH!zyeNBN$~3C*MPhyiOdvn@ z{-~SI5@jbqwNe{p^7-W*MLV%QYu2qffUa-?SXpJx$ZYraYx>F8oXFn6=TXHkL(rXr z=DUFYh>4tK;Ti|J{6Wz%c+SPL4ii2Tz@j0UksL1OA0v#B+Rv6zsZXv5kjFI=eCGiB% zJTl#LD)$!>kqJ^w^0Z{X8gW0hsdgF?l9oNIqeG8IL-K4dNKCIiC&HFfbnEq*$86H6 zw@*Tfb+qcW&uey58dol8%+D9cx^VK}A~CnjgYHWW1&g2oI+*5-YKkP5dCbWu$>v`o zYZf&-z{CUMitEwYjqS#%_aUFHX(6=(`*4fX?!cUwXoKWH)Z*O_;Bx%BMMIL-*M#hP zqPsnW+4BS^Ph_^_4A4yT(Gn+T{59RNR*Q(RQtIsODv&*zRzrY_j=eoqho$u4b@0<70;&DvADv8UXFdJ@I zn8@F1sN;=pAC;NZx*ozu-^s#=XSN(EQr{mL(xjyCnqwB3$-|2r5+Oco0A{xbbhn7&q2 zC`wRJZ<(ad6}p%9xAiv`=z&^@-i5pN(d?2EP6AnzSmz@zQnScu;I7OND!m1aPEY@tsZp_xFL`Oh;8)zKl+lo}K9n_6Td2W47PZT{H!F&D~& zBSjbJ>VsJ&uBGfHB4T)a3p5tMxu#q4+^?R+W)a;25kJ7nG!w6$}bc)+aXg;>kSSrhpZZA{|Ob_8( zto^DY$`hR{>w+n2(3G6}!P|4>r7H^9DD^@F7%+4UL4qxo(ynuweV655n0dkVjp~Dr zZzsIcVS~2V4jfcy)&^XCh(lb|ULit>f9kG4D}XgCdZ3xN&FcC_^|JnGX1ar5_@hRV zhYyFA2=u#)QF{br*4MBG(=Z}`A3{5d)Y~_vu-AD3C^3*I5dOhxqasy0Sj9qSE3@|J zr!GjB{+FUdGwyqU;oi0GJhOz+K-gFH*JgRQ5Tt-5E`nvKCWQ!{ZeO(KVm8ZUd%I0a zyiwfgc7Xg8i@U)g;+`_Jrva&x)`qs}i>mrf+-hX!-mW&(5`NaZfCZEH%?wEeW_$+h8abbo8@H zHKj0#W2VCa!D`fvkXsDbQNHKR|5<+Q3YP4-XHAdgAiasy+|XPm1tK z!b+)R@Y`8zpT&A}aSR1fnA(vk-Mc#GmPy%D zl1SYJ$Sc^9={1?i3ZeGqq`PuaesLqAjjB=WHTE^mD9yuF^}VjJiO52=ZgT5H)pe*) z&9+a;jONx_n5vQU`iV4oY8{u~ls}H;Em!BW!JU{+=zZbklFDt%Mw6GFX)+?bnaC>kC$jS!KD;2LC?N4k>JeBHuzuRXvSyQrpDlI;5Or&V~>O6!O z@=Kx?8zJ<)s(H0->c$#QMonb{Y7@%P7V&mR=aqSOxjxlXe*@mCmpmPABEN4y2Gcqx zFh}%*%OGg(Y|&R@=A5hS>{SD|l+NgjB#}U!EI2Y&`0YgGu!%$s&nfWNxx{4Rim3pN z;$cS^F1olWm-HaG4P}(C47hAu9H{u#;LH|PBl>_9q}f~(QO6bv)65Rq(bED7=5$s*C7ruou{IRJZ)l&^ z#-lp-GVe6Vz;^`NQ5=Vf0()jWMZJOC4%`Nk{>g&;Xl$qmuQH<8jt`3~y?qA6+2D-v z_5NAxHsD7f^UGcKq=K$Q+>|ridU0+(i(J-sr02nG!$Bh%N!z*!U?{h>AE7qvbWLa5)kGyKRa3utz?GVuOyGeQ0tFwu8hf7qQ}=i zPipa`QS5`!74w`@4}s4_!E^#dbZcISD6Z|#4(YdHaCkhvO1fcZnW7U>E)JgeOLu%y zm_au`EILhS7lj`p^R1Dd{ehw~*gFha-KV7`hQ99(rjJvfWgldE8h%`B0j&-OHS4{R z&fXg9%{V*#Ow9*S-5VkHZkRRSX$vmNym z$!@(M++rzT!P3e1vg!_$dWdGF&$IaRQsL<+p-s;>6ztS*?;mPrbb3h>XTjNdI=);f zxdv|y^b5mdIRPr*P4$Tvfl|#+7h{o{Tht{U$+@8x{c=If2yAw~ncMZBq=s!}Z5H3O zlBrAtXBf8RzK}54->BbZNgi9(=(IvxO9#ayAh#f!#|Y@FmX%j}l1hmr-P0OwzSbyY zO2w1-iZq#I&*XJ=#)q3G%mEvDuCo13);ko21 z1kO@@2b0)KTdK>hj6V`qX=F>zUph;=rSBw)NG*mpu>misju=dA39rWxy=j%QdCq#q z_WvUDqI&-BlZQvT6Rp`!7z@VQ{HWW(Labmv%WmW-KR?{?Zn{Xhtp&)c=EK)4TBewt z#4aD}jYL)D!*0eS&dxU!gjKx zd7qdmKHrho%8Eb=57e}7{kJKnClgruTwdl@?WosHbs0svVhtg)zJ%VA+As5(b-FIp znxdUzPt}~6ZvwRI-)0}rt4Tk%F6nGkJH6t@zme8a(ylrwTx!4Lece!zxzlbGHDAAf z=bZ4BPu1*U3#b$JLwDXZoOZ-6`j2kVh(nvdG%MSSDcYFlQ3>)4n=Yh+khN8jt0OpP zoU(Flw98Hr7jxXw@*wqPW%O#|3(hm^Kg~IdnMyaa&M+*k!N(jtsxF+DS*Zdv>tqU| z2m>!e+8i8F=WNKmZ28icys09WJwt1ypp!Z?4dEOK#$07(lZMFKvMG>*u50jgCky}i z^QbJT4hUz+ye1w~8XKH1lV~{U)`#I%_oW$k#dX2MJ-JSGw>ELI&#jP!KEqj#$5v6y zSooHRf{l1rLY3YwuTzIGu9RQm zO;UOqnJfXVUW%&-W|VmW4dxmM&M&uDO&H8IwGU(1)2xXMbg?XyU96ERIZ9d?;x#Qd zenoi%T?zj~vQx~W4p0ggm^JH#B_VhZ>eO>~;Tdx+cXAk1G3SuQ(3@JJ>(b>ZHIg5) z#h56l*BR7ULDZ_3^F;=sS^*!F;tP_ZwIzPlOSxp#y0D|~@~XUQ{291I5{@zBHH$3r zD6V>TWzjtM-oL)<<8>eMe{uDW@s&i+!fxzLY-eKIn%La2Cf3BZZQHhOYhv4)*iP;~ z|MQ-6-+T9$y?XWPul=j8s^=*$w5bUlIykrGpvnjII5VIpgQ73CR3FD3_Owe32W`EP ze!*CZ%69WP40n$V%*zmEj%)jG<%ia%I+o!BI8|E~EFwPoJa(LfexAfn`b73apP(r+ zfY9?WAlFzW;W#8Ru1hB_RM;4o*Y*(-+AO^8JzcLjMopqvg9@&_k|YT+Pm>kR8!Ak6 zYla-7R3uilHmTtpQ`wADgo63oBkzZsj$tM^&9m}oD}B}Afs3?e!2n@S9OL&*=&0{$ z3&Bm~rP2dvlVVr`k2|gKRPzMbenj{{{&}f1igFK}0>1vuuWJ5@seW>_^gNP)+2_VVMsvr+ zVOhjT{oefwFzP9PioI zwaySn=SOhAWzZKu@Vwzc{t2n4kkVS^qhO0PMGo~I9B_wJyb&$6(-$AE=z?0z4A$G5 zORyq_oGMtTiaJ=3@cp_c%HLo9m7|v`h25Agrp4#W=98#G2Lp1#cYAR+%Sq-HIw1hJvi3HH#UTc?TdR0Jy z@6mMmgNkU>yn*^J;uM{@h{qb;XJK4UOVBTIr_hi#Sqrb6K>s_s=t<{-&Uat8j4YLW zniF9#N9Vip?hw?EmZ!56wMsw{%7ZqVO8J8<_+%XqV!){2PTtjVe?)b;GK|GYLgRg^ zujfa}o&5@=ROITNDXjuKRJ(A7Y+?dbpA^quRQh4reY|Rq*6^uX&UL#qVXAEai&cQ! z?M%WEUjF#0M-9;Vna_k_)Hc zv1%(Wtl?2w;N8hsWEgRyj_0Wu zrI=&vu&K$-Fz+W0_2as*h*C#&yDVGkD#629mz@}@sD0gjqM5=8PY_cTv}8}NSusJy z$W-AnDm({%0r}uI;9=(8nR6Gq*G0f#qMJ<12j2zzlVQ)c{qU`z`a@d0B2<{?Ttlmu)pVv;EoEf6z=2|hV` zOG?EAy!SamGHl@FVd|Jp3WT2PZtqS711j9@DgMlfj{hxbI4cV&ECk-|#%JZ!?qsXeY0i z;|RM=x2Wx&xNtC+m6dLKh^Cs-DE6QSDo#B|9ct(?W$57L?Cayq0u88rQ@N*y@2w?V z!JZm^DGX?I%jeJR^MugAg>a{!v?5Sw8zjw;5zRk zGAfpwx3@7J1z~m;Dds?n-73f3&$CE-9#6*sAN!QX?{yjbo1Bo&u8)0bz@o-J9VpxD zI0zHjcdbr>6Ovt&jL=~}YG z**A}5seD3(T z9=8mTQ&&*wK%z1(ywz0ETb-jTOu|i#^m7YUoM6 zAE)(sm#6k&`kThxB(g$MJ6S9CxPno_DsaANJlo>4f#!jUy>YRNj~6xnj1L!M#gWXZ zp=QL%!3sqNwRieTOVD=KEgHVT0-l{td-itz&00#NA$AQ`DuE)}Eaq<=d8L}vC=>J= z07ZQbI{GkPk&uJSG1IghI8$sSdm#)Qd?0>borfie((>LS%{Nhqgzix~-G&0{*Za;T zQvjyazHNHlTX7B`-6HB~x%Fn`AT`m5!xkY;-d2NffevkFSxaNR@qMAbu!GY;6|C~TPTs6ArH+P6cWb6nQkd8 zR};&Z{8J|6O8+?=0gKmbDQ@|D>nN+Z%0_*wNs${h8p=pSd|%)N;re`Nl~&SJ?MTTx zqv>(}7lw<5_J=p8cOepuQNix%=RrV?(_zmmK1-2Eq5V4Yp)-%p|+&uLB$ zn}yMgO;FK`ORUc{`nnkt_!;BXie5L~ZBHomFZW0q?m-=pQJOGtSI>XGb>&N7GW8CO zPU@Vd9=+ewR|`T<2$Z_vEI+TfXO{q)v294uQAdQgWd{+ggm_qv=+`|&M#TdG7b(Je z34mU5tDhS8a-ZxohaKK)TA%Sf;dV_psa5p|s~8wD#;%aKK1K_7lau7TeJEgyA7p=K z-&u+n6E`{0hTZ5Pn@qiy%;%)|6cW>h<9^?u<&zHeBsb%>Yok%U3)V`|v+Xpin#MrQZVV)GXo_qR{9@*f z&BP<5Z+*vZml@8bo&uwY&$0Apm;f6XqYp}Rr>h(<$oGI}TVCvFCQFLFJV8zi2;4U_ z(d$=B;Fb7O!;!C7vnt+RHFYsb#6@7!a%e8rOs;M(D9Fn7^$CTi?~9uTWc~tLlPLub4!o4xu$R#C08jRC9=sB? zNgat{f66a!{9)LTVbLx%cxy^v9n=_g-1Pf)L^$VPXY)L>Wg>O1ed13f*#fQ-9NX~< zMaL2Q`l|w5)V6lZKtw2cEv9aBP!Yw_Wmnw$GG)Mw)yqzaNAmWP`>&!~C2wRD>&!+~ z0pkG#wl~83*lrveOOnd8oC4f>OR-{kJVX7=={A;a6^QeieYMP_8@&S6Oe27t7mX{d zqIKFJ@2lHG&}4K;JB|OY_NstG;`w{rk1)PD9N7w+y<@8;7FfhxaXpW!2uGZ@Q*!_Z z$KkJ8J1oNxZ)BE>wap85u6VtP3`Y}}iEQev6|OSh!OWk?g<;tsVL1$gz$|(`ilbWX zcwMwsJXE=jt0Zcod{0)t4tEWSqU+w+8o1yzVY|J{MC3uhfUEE>Q2=}?mg>&1|G}8= zLC1E;-S$QJ{c(*K=lg!g8vRT({A3^}(uNRFMLxVbY;n*raW!Dl*jRl@tVC(xbhrE> zY253@?s{0U#;Gv%i_7w9Mxjx{Cd2!F-p!_J%Yw$1FvF*1^v4&DS;6S%?es;0qp7bK ztLI6^8qv((9&Xd8X~srhn{?j0iHlGb(;Y7s*TaN0+StE2+{RCMPCfcpX`go^7s;%q z&tA+mI?N1w%<}lm-5*S!n@m5tm}*AvdR~7&jYBrt5~g+E<-6VWUL?LB8AaXKNbF_5 z=sk@+?z=r)<{p^rd@#J9xV&QE*KcJpo`hR#osNPR7TeI4{S*nBrK*%LG^$?c+P6!vVeO-8Dy*GI<0p~G z8jj?SJ~+78OG^88VczZuHMR5Rx&{GKfp_L(?djKloebnFUsz(*EKK9${^$XIE z#jm!kT#neB+P;h&9E5vF#nG2DPEmupotm(71lSGh&f|r5`H#a<`q7jR$$7cC?{vFS zRhL_w4AMDTyhDpSyB$dIgTJ#VE>`ONTwA>aC-$r13{UT>;S5fJt32gM9G}mFf1JE( zfuDnkiElT%1o^PRv9?)qys$89NNh4c?SZZ>m@55KP1uaYcsuJtw zi=>7e5LoS}3fh@^Ppv5#gD(^eJ=RjMdbTB81!zk>jW(^?{Ueu13U}i^0yk8N3~9mX zWHhB#Flr)Vs$H03h(<)K$o@@r={u zh|D1fYOl!o4Mi)~i|z_=Cf5;epGKakE=~AX$ES?Dn8(5z@#O%sIp!BuT3M{2SfY4X zxEvDOrEHH1xR|6T@&39@zLyIef>9xdGQsNV_+6E+{g9MLCNXHLlc1{b-LclCdgqc- zt3#i%H$_lYp3>$Z&KDN!q?cjmV6KMB_jR`53Nnb*n}70;14g`-VJBL)y{Xon@0+a^ zg6OJw(cuWwHTN7$i@1uHLUR%kcy8JUDJmj8^sg(vDNjtz(SzD8vZqBwGGQarFapG` zc(TevgrAfK34m@LiBK`v*Yo@PwF5zcw}#R|cv{T)E5o70!UB(kB_j!7wxpB-{h}Z| z1v-%Hw(iO>x%9|EtN<*9QM}*!+;-*7xqDrZCZ0aCD#Ev+T92S|oiT^TDB{N?N=rUp zw54jQPADYxYrB*FLQ|PXMJ>cc&U#8B*9du0dtvrC*3WrJdMc=%uX?Lrv&clKYQR347Ks3yLylp6QrGr!p0E7t{C*67365F_a$)Shx6 zf18WJTMP~1!S0@0{MsV?DPNPWL3oF}K?=6$jr<%VP~s9g_^q*Ox#AA@5Qw|jps1Xc zkiZ)HMGGrsoerq|cYo!S%?|~J*^ATY1-Z&@O~0t=j=_)2_($0Y zhS<1+{PeW`6GuH=Ig>dyZ?pYv{MtnHuBdT3O5##>-JmKtwf%&})!3Xh)((aOv2~9H z_)UCx3~PfEi7^5Y||I$dg-B2iM5=$J6{!%=V8G7H_1;Xe@0 z2rD#it<8MY++b-Phq4WmF==v}eElW%C6ukDRu#E5Fb^PETQ=H6_;Qq`zJ-3WNeLut z)f_sx$a#TeZHvQy$lA^1{~>E1#(6+f=rQ6re<$#$%&7Ssq*RVD@XCx?V_mzS%Pd-_ zPINs=u(Yf4n9Cp_x0V{eHN38x9DCVKNuFoge?}6F2VBf2a+PTnA%lQ*C)d@%^JXi;91V|#;9#4;0iQk{k zN=8XZwaoZXLYgo3hYnWWhJ796?$6jiP4<~vt|#{k<@y0nEA?QMwE@)0Thwn6Z+|DU z3XmZQ!C#iE9NPvBJ>Vv+b7~^7X80^W4hlz+Hsy5ntwV-K0evihW&?{xCMK&;c@l?e zsuv&*BMOeX?mpBhEyVp(X<(SVA=Ze;`T#{QcA?py`3plB$!oEXK?_xJs(IlPwmG)jE#BG`ZR#*{##>^yZC1f^~90k za97fGyw4;Bx1=(|fzfDn-{$n5as7Fo@aje)i_*x=+K7XJCuyh>zh@j@g0>o#h;>uj zl^R~!orcnWEuq{R*s7_+>-*0Z(Wt(L*sRfam;JVJ=j-bEIp)gu3s|?P&E4twzUvSD zem!$sIfur)mVv?K^9`X*>-EP>h67iv5G{05h;Yru$d%5>Fb&Ol}zT(!%s-^gM z&V(_&^V~7}`>aUt%CZWxU8gGlefJiq)>lVI?yWAFj5w~_J=b+6K zA@n0;)4UsaxiKY^`Q#<7nB$M|;{w;_KiI;bv~4QdjVn@xx3<&K=~0@^B0=#+)0@22 zbfIyWO=A`}F-IdlFbhH($gw?MFU2h+JvU7x0@LKDB-;T{A9r(T4su(RgKtMhx0Cu$ z9`^~Ip&#Z~%1D$d=cbQtcMGMy{CBAJC*9_K2KVucO&8RTymDNQIi>m1_lUH_7~|H2 z7*z>7vu?tFthJnvH~T&B$E^}SI{|zpsTa$|ca?Uf7jn8$Ht4$IoD=_H+q{8nEs$-S zi#GK2b}IbMorh;KcJNk7HM8I?SYh;2KKATJE-`V(8eFdoge7buVZ6RVHjLyTSXL;2 zTMPXm(N(2-6%uVABZ6sLj!+G{Zw===PDON%fb>CY*uG*Y16J$k5!eo~@EH#*7Q>j{wsPJ}4jXpybvH%)QE-u^x z^YUmS0Xc6)PZAnq+e)099EGeA!}J<4tA$5Ev$;>T!E##+>vTCQl_(GHA1be`DU%+M zs)b3z8?=*CmiQm4RtrKColW9E=7hLb^MN8v9O=Ma|WQ(0hnbs7Pi^4r!Ox} z*U^&OWBlcQClGZD*AO`G^fny1nIzcqwi<(FNRNNhws*$+LW2vCgZo9P_QtHOn=#eQ zO^H-IL^--tdWXS}!HXzd$YP-pT_5Oni4#HlEBpu=pcDa)z5SVgJ3ebwjzp8YN-KBC znw$GW--ZS%4|n#@MfdV5NHa*cRwEeLhgYP2p%ciP<@^T-Ge}V#z-qZwFaP2$Xrz|; zvFPtm03ZYYA&<|~`{^I|>)Rt9%=ffNVngiET=dS%Lc^}Gm5hG{gmT}^5UeTdMEnjh z+ywSC!1>GHA$D^HLCFbKg?8B{W?ax8UjjiGH#v);Pbl7?W9W5*C+XZu$CBI(C}|Rqe_n>V z^meE$(|(W#U731vRzJ2mB^I!v8A1CUD^|g6VY=>{5rARJjBV1VbGUFAd0FMRU|n8Q zcm(&iJML&M`tnjG;KmZ5kGA*#vJs{*s>>3>hEYmK8ZCG+NjDF8Ym5d`zOGWWqs^eU zQCG4j)}IRq^R?1?#HsnF*(ynZHzqsZUNORZBf`&t7=I|-F8IEPPruF1(8bx9{>}=J z%DRh%xjEQZILV-ViaC?vr0%K2ty#fZJL7vmW2wY6Jf=7|e3sKAK@PVnD+5yY%Lldt zk(Ugli$$1!y%Lh(MNeV4>U5;HV3#-ThEiydrMe+k-z9A{FCqfy%AG59!lMp1Cwace zI$)^PNTKD29fEwNZZf-Gc)d=!=|i*Bf<<^e!kw%qwnJzE$Eqhqw8w4BWyj0dxyk81 zf9deVtovM64bH4(`6yf-#_HG*=dg5jI2G)CvzY#64+Nun#BoHh2Dwe9C?`%4EaM#u zm1U@P8P%b!$Za~+R^@SPv%!2C$fqR z9@#-B9cAe?XRj<7$xCx_cOENnEo2tbS+M(LVtz*dVqN)XtuF~G zfS`&e^)I-Sbjp)|AEq5{-dQ~Il*iQ4RwsSf(PWHuPu)j8f{5!FR7v4$spF6}5)z}T z1S>xM%MIsUFbLMMa3bWdrV`cq4(p9+!>kZ1TX9nn#r8nU3p{=^URE$s*k%OR6_O>- z;waG=Z86cb_e@{9uE5`puf{un^`Fw-1HN8;FO;eR$oVr>j0e!AKFp;I)>&7D(F@>F z2Tnu>b?0_zNZ-saOTF1WWv%|p<6n`{BCoEu&%Y99dHgQlT&X?@0NW&Q|59By?s-*x zemCOyI1!7yDrc#UEXnX!{0LH*UOT|8qfOF`WS@O5J_X2C<(W8rzzF& z3jx{e(9GxrZuta&k@oLeu`D1LU`uX&(`Z7|rlJ+c;+|U68g7aC!wJNBK7rM5TDj+r zU zqJ&#_{Yj)L`m;AeA|+$Ply|Nw)cCetg^D_GNuXk?aZ(!wllPtu09Q-@_%CKmosfTV zhPBz?y=yV90wmu`+ERN9Jl)NyPJn<)Qa`;J>7KUW=SDD2^7h&T^apNBlJVfhg(;5Oi05;%Mmh}R>ua7ORIi#OQ&@-@KCnTRwunlq z-g60Hs*&%N72Hc(0Sb9GyB3v&r(I;9wLKt%Kr!fied0Z*vPI-Zs#czAnyj8!LKxY* z*}#?K4|)Qgf!d7SVT2|CI3LgIiZ9c`9mQkO#1P}~zrj)J&n0wYgFS>3$~T~S*^eA` zL@QNK{*}gpun3kF6nkk#239TG{G3EiM@d5vhml{3yy$?^sU2#acmkY*Vjt`8Z5G>a z#o9zVGMsFJXBND1C3&gs%CEiEYN`#9^llT$T9BdMOll0!aUU{)20$E9e#Pp%F>%O6%%RhqPOUeNCs>o0)}fhxfvanylOQLOnpuya!=y5CQoU*k`rf z$L>3eYw6dWSZBcx?&I^pc*44Rq2#&}=M81suWk(O;-}Idku);IMB1Uj1S?#}-ugD* z#4I^NfK^kN1R~N2nY}z^h{Yliw=>WEjwz;>!VL~7)dRr!%_NIK>qLI*P8MPlGI3h&Tsv?O#ayfAKuqn zaCLa&<9Y+HY7B)7Hk$;IVtq@?Db{aPwY|mdSqNEAV>;YKrf8`&OB2}v<5XtYg)zcS z74fItcz!oyB$wB-F+#ou=-7+?pPqH9BV@8hs3lh{6b6=zz(o&m0epDvKgNSZCTrl+ zi46a-tpFp!5TNaV2N)w-&=ukpR{}Q_cB1#mMOQ%nl9X~o=!lcZz=?<#7&0uqyGsMn z;7o4r#G!FXW;>TJ)H&NtMAcCLjJ!@D(*(6A0s9}{K_bV0eT!$?_p|yL^N}zbht}sq z+)OIT2e74zTKaLNSTGUfUiIRpM3a(Mgrt!@KKz^B zRFD$~3&ItVfp-VF`@vO+W{R6)XD(Il@?I2d5lMj=&poM&h*e+n-@*f!X5|J$p39Kh zE-kmAt*guuat%ztI$L*DUDqx&m^%;#IIkdk zv~3Z*N2ySv5sqJw<$V@nx_CEtWl01q0$kuqfyx77mbG?=^m7T_iXqo5t$>Y*^Xt8l zfgLeT3L82`G(9Fj8jm@%hmtFQC`1w zsiaZ&(ruXLUc<#if4Lc_3QOEMvR^gfy+QQW`{>uebpduZ z-UAkAyGYaMSee!1OKo4U9r$Feor2=c_`^UeS5NCxf{rEgvL5LuXJPe`)z0uQGCXYZ5D+>{@^ zrgGm^`GxTEhw9C8LmZi{`@+v^JqD@6eU1oB%oKwfj*Pmp5Ps0fquaImW+B{v+;eOC z1X$x{ZCtn&JUl#S+BiK0_ey{PC##E8dKK4t?-rwW{;lRs+}Bu_)?+At=nPC<6)_QY zT@~GTw@UW~auaQT(S z%%cTTqFzWR%2#ZV7)y%&J(g9@ZVOac{HdvHu=O-`LO&7^ zU312$7G*L1>pzAr@uPc)#l=U0*gI1DHNx(_qX*Y*AFWDWq&Sr#b{cOu3k-s3L-o@5P?6IB&~)-C zX<24Db^9DsJHRa0*Oh`7VR2%Q1V2b?a(F$gXg6lVZ_E9vlnQO7hTrbnSX)>A#GJ%8 zJKn2|KQ?cfZ*-F$Ui=>a_8Pp(p*!J;_$+*{P{A%;e5-E!L^fAD1`V8cW(do9qimS` z(KcIapXArFC^)DNUhn-_aaJpZ4HOC)?P~35pq0qZam)R`I-zmRxa0gNZ|w!d@WRX< zrDBu*Ld65DfVM;7Igt4jBXo+PA@N8t^dx(KDkC?<(iMv{zfW3?p5p=^T4eN>500P_ zzTgZ0Sb3|V+!+|3JX3G1R3l09I%GrYnz?hVC z*h5uNTB6aTNbs>}UBm=fGC+&lzP5|JqkWsONzJ;T(nAKzd#ySmOGKl>pB9)Lkqma? zcn@8cy4wNPenqJtCD>ITWbsfE)NnfIx2H+(u_(6oVtI=sH4Ys#mPH0nGBW`lajN=ENGurR#L@qN!g-}uYyuhc6#Lh+F^>iFLS9b{kl9nP#{uKo8=(Q+gCKgH5P*1!s#Wo0blCTnNhT$wG5cOr=)Et_Zq|9pvc;Zft@8Yy5sEiS4MbbG642kx7f zO-K7cGbiFK0-3Ws9H+>-G_N`ZXb_qFmw2rFS96Gjql6Ayqk`*c!AP%$#E(AaNJ8g! z@nP|cNaGz++b%4Ir@!-80!5>~Mvk-)?H~Uv>L><lUZ}Z>0?MG1;snhx_@T*s2yl*7z)DICklf#l^C%q z$ibsMfp&`>uZeZU_$UieTKnCIAP$;k6pmF_J#EhM&}p+K3p`e>ZN=Tzu9B=^OI=6{ zW#9k;-XjK_cxbA=P^7%J^1iFu_VPX-d@UsUEVQS;-|d4>GpRZhoy%zC3WkL+yksPw zC!@O+;H`vhsq$kBrHB45fq|9aIy((l0z@5<9q3#C0yTNMh#$KNq)Li7(%W+cBf4ai z$<-JG9t$ux?oL$$-sz@iXwF)5?#!U9RRWu>NvCazgxEx?$|S0+f& zFf+?W?GU8*pxEYY2r!sHrDxeg#GW!IuKJH>8neb1rtEMl>}8cS`WDcKqKY1yLml;3sg-apj_V_miM!6@UBuL{l?z_CTDh~ zrreQ6f$cVz2GLL&s~J);wZsBNPTM!n zGU_|SmZNArmn9oy4M(^Qt{b`F3JQ#z#ig(zo0xnuzl?Xx?5l=BSbTHq^Mt|&3Cp4W zvEouWs6G*Xa5|W@aQx}LDDNy?;D*49TW z!@SETbwFqYrj6IGTpyr4RP7| z)3O$ph-|P5t|6H%!knj0R#OF)lH3@TwVs*GRhH8OfHI}Q7xBNY(|5o79#b~zq3T>| zHD!CjtA|rDSXo}r+#_KTji0lzCM!`v`^vcFhj?CC+w)q7a_i&N^hBuKcO@ZJ_IB9u z_(I9cVCPR#^9>r|jF5Mh`iHEMnlk9zfpkHurl zXt(DxGpi}JeqLtdwbK?|9z9x^E*LeL3m3CT0$@@&JUUM*II& zrU-+-;nwxRHq5&ZMEqAlMj#UlBkTb)p+vnZEQjMmGnsL&Jx_?bV{RRmUVdP#AnvSF z-r&r0>B5KFj>5zdq$2LuCPXMiL0or$QkY=z-kuQk5TkTA5pdo`V>L0kYj8{$%N*sJ z=-=32inI6PcSqb?^2E(OE56%IM9!Kyf}X!<-~Y#;0y#O2|05KK?r%=*LrK3~RI7DV z{^pUz7DDS|{D`mGju{CI)I*ymg>_Ck-5o#f zJM?lS&vZu@?&lycy$@48sTZ&L>n-xzoI=GA%8kU=<>%jm`a)CD%Z*T215ipowx9}M z=A}aaeNtpXXp|Tpgi!pEo+?xCr>OJ0de=P$;S#p%@Cl>ay=ysLEwyu1bwLBKzH(Q$w`ZC+ zxxc^VYmRbvlf6naUH?~80aU&`#R9?D|L7|Y7kVPz`Ef`Y_Xu;~$UzGy(MY^hdXb-w z4|^2t!TeZ^VF>5-!_lgGq`#3l=W*Ph}XD4kkB2oJZ|kMpQ< zb;qPfbBN=B7cn@?Nicxd{g>#)fek2nS>d^`CBkAu1DF?hGLct71e5&06dM&r%Pm;W z&iwUgdH$TyBwwW))*6_!$tRs+&;F4{PSW?2V8=pr-j}t3I^3cDDHz8M{A7iuo7~C` zBgOf^t*BYBjbyab3?_h2yPv*_n;l5u{?xPA$VQoWBoy|dQ#(TsdZ8m zYZnQMS&_NwM}-~(HEhF@)&}CJUIKp>&%MTFSHV_t=}=f&W%?s4(Rtm z@9gq2RZP1R7xXwJ@k_UE9?E)Tq@jb zR(-U1RYNY9z-KpAGuCOhvT306yH$>a9$YIB^7~bWvk`&*87;m~G)@mbRUM1Fy0%_s zZh;cFZd^nKxlUdNYSpJ9>f#8>)})I>qqr>lo$DK*k;LX=Z(O?3or_OvFA#M^_z0 zqMYR-Dz;K9D0K1(B}D&nye7gS^&@=nbGanCCF4%IlF4M!9|k09A&~-e(U2AckzEK8 z>$s`#2#k_H=rw88=*5=^*~DJy9M}dwxBrBbUi}hj%gxLxZqE50e<=R)XM`MvU-wvWbAL9_$`F-gOV^8+5*D`R)i=IwDKFUW0KzbGmS$Z+5~#S$FsF zUy>fQy2{7S0OY8VeM4 zLLyS8`TW$+Xz*^p1op+YAWjybNn0^v9s^N(-d@1ni(TH@-`m+5Cqp$?eANW(s`SeF zUt*E4`|~ECNt@yyO+I!P*`+6opBA>3eL7Zpa<5vhpK1vXuNG{3GZb7|vVH6I-@kP~ zwp3QDv$t#9DV2Lvnh8j2eB9N$2{bN25tLru2<2vE>@CZ9bLB!|N(sME6>47_ct7f^qmO zrnL2;91Xi(num5DBVzuzdRc?mTzO$#d&?=#5|C$CGwdDc3j8iE=-V_|;IX??CC~3r zIgo20AkMTN9Vc9lSAEY;P0&?eux$A9S%oxl{i|z;c-MR0&_MpXmag=xDRNy--lp~g z+-vJ@TvsrdXg_|Kxs6z=UIqgpx=LE0wSPx-tlEQ%vAxr|PV#`O8?x3Lhjlyop+D)p zz_kPEW_Hv#ZJ=u3%=TaL%Ori|0Zy8L%?;|Ur%1Os7_6mt+9VmglF)&h2t{SV7zIc* z7RE<8FGeB_vN8hb{&A_k*R7iksa?gvvee-2@cNV<%R%T{>AL4A>R5XsmSs2fgiH8I zmy47|aItkl7KJ3oIa}KGg%2;om0D8;({`&pb(??8;4TdM${n^4ixNfS-#1AHvQf;7`UW~eGo_&2vC0kP z<~z4nY+(jYDsFon)`wZQlwxrS{*I+A8wH;|06*^M@5Blqs7CCQiTXbBx=Zgq+Hb2< z=%K&y`|~DG1zIJ1#)3eb7YUiDFw(-Is-M9zaH@M#&Z7rv=cjEazeP+z6=dox+qmKO zbiTA&Dsh0k9rfwK($S6m4)mA!#Nya3bNN*JlDNIFDW=WL&q|?x0vx@zt!*WBgJnOAh5Uw(b33pi?BT~YS3R-j=$3#eeRHSeZ( zf>fSbj0?K=$GozPKtLgy$o`(y1}-$jmxsPs8YqD2J9c|xxy`S+u?(&TikPbK!v#}0 zd^GGRSOnlPBd|aPDef3p1l&m=e<(n~gpG#n#KEUGJX-0dk5jvUpxTumrGEQW3l!BU zywhA!<$e7o?Y&0{2rY;s4~A7$zZLnX%0$jKxj&VaC8aEmpvTYa8?J$~9oo}x_j5LZ z`3N87Pzfx9+wAZ09vO3|K|T0{EmZ8V!WjIT)E`n%2*adA;wf@XL}F-iYIcDfyuuP! z4$9=xGgu|`oB!Ly%dGTaEI*AeoP9oyuzRboG#xkye=aLnO(@S$F)Xn5Ti7pL z%yr`KD^R}*Ck4VHeSsW|JIOe$WYi^99{!{ZHRZ4xGDVXbj)V)*!VV?sn7P|PD($%2 zf*+=#ml+4ZsX9pFMgFVS!eQ`^ylze+JfAL4Nb5Rd$rkzl`QfZD5C}U1FzPhp^G-zWTD)2=f3>9W|kP^X|t?V2{y(J#sObYc@iV{@!n) z%@o4=PfpsqdM&cc0OjCLxp}#czs9H7C%_mhA1{6ja%WI)e1{U%_}&axqdcpirWS?FygihSP#hiO{Z zh3rGm1vlfbW?uoGI8{ba8hIbVpBBNqwH_hUcc`>WBpnVure-2ij-SzHF4wjhimEn< zd!VOJy2Ilu_m@NrJ)J@=xjBsMa8vzom)(FQcRIZ7VtUJvgJ6}7eW3*7OQnVnx4b5i z284a`m4KP$vf`oVWN7f-$N&fP35g_Q_`zFXHh&afhyW{95Jz{KZBc zy8YzVlfW6j1zu0HBpe{tdXtUf{pS*Rs{B9qwC%-%_%f^k+E=EUMjc)4M+3(3XyiqKCY-F*kk8byBX=r!KyngJ5Yah zoGF^w&;lMBWui%W|nJ zQKf&v#c#E25atau%ePs!)ROs5q-vhPn3wGS#1)>JQdeB8#`+Z3Ts8^2`KP9}PxB0} z&V5~kdLH-bw2FS9fwiZU@W3&w}>g@bLImt44)!vsHyJczHYDIP3UbSZt$Iuy8^w!l=c zdRCSPT6i|+>0!Uk7qBDznw%xQ+qeOSP@%K8syNi!PjJU?ix1LZTIgB&{K8{hO+tXG zf>3|SyeOP}8C>$NS#DQttJZO)mn^>0e(3-KQuzWhV;mXb6m%8TsWp6}Ul#O2OCZr@bl6*G*I%S=}P7)H5{uBHD! zNE82kV<+6I$fw!J6Gp~fZ=ZZjfPJQxcA?d={RQewQG%FGIEh|-qaVv5*#bwrZ9UXdeG4n3Yau7{+_ZRNA zM{3{MPV+a@M%cOuo7rR3Pvv@2dS#>pRQ=(lJc`o9atPxZD(P$zUe6AujOeYpE^qo( zttu<*6ZbctpBJ6~Ume<|OluUo(AG<*6Vo=XB;sJrFipCInmwC_Qk3@2GiUhkhZ zr@4kiaqGvbmr<=&8uj6KkEn*25wSu%m`e4CJYqEo&I?KE=Y2$BrS9V_U~I47C}57R zwG@SAE%4#|e+~&>=MkH+_%Um->diVYvs|gPhp!d;*DZ z2=>VOY${}Wn>KbMTz~1>h0LdNwZ>I;fFCDiIY6=l?^u-6Ah`Hslc>{syP z>S%7lTo!q-sy>-)H@mD^PE9Gz>|G?ZK4A4L8QoDW$$fshc1|Q5z`R7+?6@}KZNd#- z=!eN8T4BV!$Crk^n54MaYl}84`yy?v8W?;HrVp#D#6RD>G~JXFeb5Sv)0Szm9}S{%6o z<927WxJjxQl)hTTpWF{QYC#rLhRIlx*uhnJ-X}vv$MDqbqE^zqVLSS)HB-J9h3j-~ z0ya_0&82y*?AaRm?^XiLZZ&*XB6Tg$N9w#xt?R^k?6dJ1I#cBYB7H8LhU`Eg+sLzA zg$uDTd#3D^wQ@g80nbm|l`BQVze3HLrTc9T2$1IoJH+U+aEdsUVUsEGEpy3c7kF(T zqqpLlBn!`VgmbQb90K!6DM~N^x(wUb{b5#4s)lvR*4Ea0FOcKI$0H~V=my`%4-siiXXYPthbS0O?VWK3QQ4{>+pI4#(OEnqeP05<8BS|<2Tk$ISQ6w|uqMH|8=H6{(~1ysJd z6a8&5b6)XWO~06rJ)Kv*@F7e6f=JEjSQK%pQKFXLjJ7dOnYO2$CQGS-ND&#QC4dr) zYH~oF-qO|6D(-A^G1JwSH?~)FT2YEU88xH(e*oP;BEPtb)gDH*7sDobmk%91jhOo@ zc5c^1LoNhX-#owU`Np@;&%W;Y%K7(i`f54*vqI)0O%(Q>J?>r(H-lK4!_LzFXJ zhd~x_o)1WvDvjW&H550ib&xsSSE*}uRyXr&<}*J-EHw{f!_i99E2}@ozQLTcoo28q z>g%Q7MDvZ>cNT%O=`$=`*8;7fHLGy9G$Hhwr?EJ~K_H%iElN3yP?>5*O8(N8*_5C$~IHb@V5n6Hsi9y^xzO0a=)6TK?i*CQN`OFfIdJGbxIgo7Tze?fE4<(&nsdx?~pWi=P z{0hY*dVLt_y!cg0=fy#!^V?scY<{~>$*@GCJ;nb0wFrkLp+3y#^FxW}S1Fx62&Y0S z(P`8N{m-ZW_VmgB^V5ePfB(~u4`zR+v&Gr$#ZUkJ=wBzF|E_dxL8(npnqI0 z!n_gF=7j!n_N~_X%bQ_9yY;;84LD@xf*ZLDk5(${!}C-qt{ss*S(#@k zXYq!_Y*COhk!hl)gv0ZH7%d=YPC-IiP?E(o5!;*ISbuVAD4-d=j^YTzO1@2R*$p6u z0bPARXF9p-@h(D7e&MD3n_(HMrCWh3YG= zP$+AUxv6B|q`&?o*&`mx;hFJQhlg?ygb~4?TE5Xe_MRquo?ZLNO|;OO@&mvbW+H77CER;5TC5rYM1yH$dWIAnWk36Qx~gw8m`e``&{h_+ z&pxrhnZ8t4S6A2NSAr=!VcjU}t%%hOxQh1kN%EcpT-U~S_EneTO24+iVt4GLn$K!D zs-|r(KC9=b`c_-`%#))q7v2%Uee^mtiMg6FH8Nm3tJNJeof&ZDq$&OAGUB*yXFzk~ z0yB^QH%rl4w)bH0nkJjre%peyg6&&{YfXpib9{Xc>?gtTpQP;mjOKlSt2WUL6#yFrt@E`*FE}US-;fRGB!777fP{ur+VgglnP%_@tAeqEJ^9<_NykS2g~VEah>m%3oJBJf{hrYP1uaJctt-hTwDokB_b%1ysU7 zl0xGZ?V>+GFx9jgXcFp-<9rbUV9AWBKBypcAs0H8^fSFwG>vWXluVVGJ`$#+X|*-f z*2XgHYmDUZvx{yicznx3GG5C07wvKtO>>p-aB_ZT3t+93-I9bGmh6_o{kEdzfF|gp zTku65OPV0^kzycSvP$#iXoYpN8C%xysRG=GTAUMJV?#cX@*$e%b2-q*$EGKf5#=PH zqp!it^duoz>Q4T%it89nT*jDDp$Ny40*DYz%+6aitJQkleQfbSOq2meGHKs>ai7xa zU0UZjc4PoHUu6$$^Ps!XhgE;~_cxqcke|8<)(Rq*!RoD=ZaHAp(4HXlmPRr9BVmWq zSa2e8I5tX6?+L>1>W#t%0Lr2jB_VJYOIWJ@+y>mGfy4HMT9penag&-71oV;`oA&-8 zxT11a);5l)Yi2LMkCG6Oir{NIK}QlxW*7Nn5(N=}U;%zsy(ct7Nm$n!xW1tj)Qpjy zu5H(|Tx}ljW}z0Q0p+W07GfiC+mMWJ1Ov{Nf;8}AAR?KMlM><6}dCdc877yo*hr8HyH<+Hhb&97N`#$7EJ?Ae?y+y>?Euj!)P zmp$qm8vXh0oMrU(XlPmf=I??hPp^BHlzl#z+h>t2uOa8w4*%(O4=2zBT3sN=)9W4# zvL}_EjF0ol)9c=NnK98n>ZfecmmB_>?fbfSquH-%9g!3m`U6Za<>7px8pSO=130k)Rs#}iQv?v7~3L(`DD1UGy%1zfiPzcS) zo)URC9LRP(e7>zdZf&XC;5w=%(RMJ)=QM#(4uEMke?x6bQb`{rbj))U({@?CR!-M) z*4HYWbMvQ8h{5CIZ=TdSkMZ#&B}#D?B9a(l@;5cxjjF4y+bbsSlA)AcAJ8C$l{LqC{jWFlbWURV4JW6feoqF&2)2fvucIKYw^Tte8+F$e;S9 z(MAxYC{IPn_bmghx}sI69L&tdZ^uPR_M|xsWgaEbJfA-$haQ|HHI`{}r9`Nay-D`L z7OetDrO2PAbUvq96p$!nNrts#oUMr{F7TnYsF;P>6G|+5Z`Sjahj}1XY;JCsfh)~T zm3USC!-TQw^oS(X=@8n)qtP_lVrB7iWiM_{!i95*q7Z0GlZ>$t<6E0sy)v;;_Vl3S zl+IavN(J+hL`sO^so>m%K$dw6vDP>#?+B@t=+n3RHVpM$|LNOD&OhHCeA^s^>M1&_ z?BnI9!0$!-jNzfazVKe9IqPG6`Zm^3mGzrR?SmfFlbtq~D;ba;jH&G{HKt9Fwmqh| zn;^j~$%!kW6NlyDq>$H_p}H;&13n*_zqjp$!Jrk;iY7~9j}pAsl(#e9+f@w!YxIqy z_l%e;4jxcr7Erh@rsF6}X}WZ6X#q{z@pE&*CV5Qu1!H8G@Q|&ZcL#liJ&zVYh(--~ zGKr%gQzjRlX0*x3fX@|3zto=;-+IWj+r1oJPsZc{V!ucK;tajluT+ zhR)f`d9Ak`A6F}C2`RK?V`1gZHa+r>YdF!MPz8k)M zbnvb7w}TBx8=vCet5=bRmz7T2@CKft4KIjh6TdV%yny&&Kz z`lCW&yrv$F!jMs?;E6Whp2k!(`T|~{$bL$CT6iZc8!1oXz_#943FHdOqDaNr*!K+J z+4CP?pPan`u(I=$tMB{DGOT`b1>U_JDg>OmhgUu1CBI+U1wSj15fW$_X_<)qgm`>uVgHHo@_h}dL7^x5vD zu%CbT@xEKSNe}eW0wrm^xK*8<8{*9$*Q!}oBG-K2O{oech_824oGH^aN?zne`aUd-DD8_|U$ z>tG^$xpL!T!jt0OgaUW@CaHz~cZX#7Lz!+B=Lm)+LYP7GJr*t3F%M|G+QWqpNJ}B^ zNQn(&bHz{(xtWY+AyidTG?|z_8~YgZJPBzEhzh6jyMZ066GSMxhFCpR-4XKuwM~0W zHFiYfnBQSEir{mW0eFj2g$fZ7*edjmmoq+eUH8p)FfI9XVb&AuRmCu&nHlaV7kX~r zr8LPj+_E6Fv3c;6L;->5DNa}d4l!FrLLUi19VO+GZ+q^zk-B@9KQlf=tnMO1-nZSGn%%XDHrA$iTAXCbKI{E@L8>N}d zW!u`h=%s#ziK7focdxl4K@!-Wdx{&LLs5n_d@V(?=y_RI12b6GB-L zH0zeVBwd!+VTak4g)>W+F8XGh`~}-%Qja9+z~)>2qQo9v?TW4jAe1V)gIU6tT}L;07-Rma3i1k<&GV3 zqj$Rb%=^~a{jG|yWZ51!)m z{$1w0iQ^UpkP(338z@;!TFzb@)d;3aDo~0p3rB0=_$={sWAh!3*Yf?jWWQ9(F63L8 zJCe?si&EyO)=j+en_E7)#J<8z}Yds8q(?@x$oKR~s0> zY4lm`R~V^_nezBU##6+MH^1a#bHeC`RahVS=f6Iaeb5lYp=f-b!Z~ot<9x2OI0xkK zf+y!xa^z4BXQ%~?o)Vb7$@isSSD2^JkO@={Qbu(!kI3kJQE2qU#P48pCe|4Le0wxz z8O41ff*G4rJw?7?$;tWIUmjl;er{4mO&-5vIn-7`Oel15b#)+!Nom7VS)tjwoMF&0 z^_Nn#YZ~?;?Wu1HLG#qb@f(tth(EC!@uq;v3~sVrM7Pwm$k;**$$udfhDBM%_>KyI zd^1KHISX@loT$}aXS#^~!cwskUEi$y%O%3E3K$Ew_?tXGVEIhMiV3a9z;t;lNYsWX zs}oWeb>cPxp4_q&4O-JA`o**@j9H&%Ok}7DNiu@^2bSeh%X7L^X{01ioc5}9%PFa8RlC5JM!WL;47KGKr=+=J6ch&?h{-qiKlSO*NAz z8jM6sLxrAHt^fW7JccT|d%{y^IprnYK>C7f@Z#kuIXXIij4K@(!Ckd%su_%xI3@{) z{5!%vNYx*aC91}AG$d!|LIuiY+Ampk!8{(46Wfh)2Vmh=9h^ty-8Bp(iDEitG1tmX5htY+5*168DZo)OU6qyQOI_TWl6G$ z;q5-Ul`EPxl_OjT0yyj7?wd?)pE{?=?ihdyu4vRnJ#hzB^6pkm^AS0*a{#*E$m7>d zPq@)EbJhzZ>&?ijjT#^~AmN@xU}J&2enUpNlZ=qTE3&i*v1S{K?lQ!dlj`W}kyl71iu9c*+#nPnv6$C}E{>_B*;VQB3YU@7G zIM&rWencsZhPD|^!alhvl3I39XgpzAQ{$4R*mxyZe_uSiq(Jf#F7Rfv51YafnNJLa zo)k!OArvf;>`t8=lT}W{Db?CQL9BFJ0Zh}8^tdUqe2q|Rkz8eVbT%kWs!T`Dmqnt7 z+^$kJduj_%MXS0POVP|1NttY#v4dP;Vg;DiI9%uR3W-zaZ#+gP2D zBs{4+b6^P!s9can8A~Hd=$PNKz6J?$4;q!TuK|1D%&l6bf|7>wPH7|{+k8)B+3Z`b1 zbg__c8!2LnX32HHdQavj)8s*4ilKmoV2iH-n;kPUjcyqfWl)i5`YvV{$Sh_|)2X~J z8%&|PWB$}uHQ)aVtgR)=3( zWACK2Z(VQSkm~NNg$hgSNq&k1>nV4SldVP!*$lo0T$&)ozq0X=XR8Z{(t`9#slB}e zsp9qYw0nJL05y%MO#uOD3x55C=k)2Gqdvli&ClZMr5Bl<(dh@2qk z0`@8Mfx1<`zB^iWy{IvBybPQB>#z(7se24pyuk@$p{Rzu1s+g_Om&NP{FT^gz~yeq z)FnxeTOs6uHeWSfr^1`=U-edYh*p6+R>y!EzcCI)r+&CYfsSl|HplI3qocF02SNXJS^V(W%&pDl*F{!Q^{VM96)sTD5d{7Eq0USdI{{jER7= z$lBRtb5nV)Ll~~Zk{P$TG6PkxP=34M0x@bU83f#2tb!bhN}AN5=GZEW4l$KZR?&7t z0>Z{~l-AEo+I&9JmBuPmY5~*5;uM2U@(faTooF2EEGyBXqIoAkr>b{{CA5w0T?nYG zLH16oSFn}T&XJp|j;L2Nw$vtTyZS2QS!0_;VkHVFY4mm5jAXFRs=;Bb982dgeT1V^ z!8?vkp)RBX)ab!N9;WY^h6Vx?+{A&1BT_RyZvR8G3sw_+18>_5VDwcmte~gGqV|HJ zI8#}s@CWpDRNLALBLG2T2d#XJk`b`1f`J8w%z|p&h0n*JSEABhYQK*Lvy~A#U)5Y` z_?&4INsX5OsAiluPUPqf4xr+&SKh_SIjv9^vmjVjY`dB*Y6c}mL+fbjjyqB_8fdiB zFx>IucBvd#p>=`o0^+69BhV3iQwN@ienKA_D7 z6h6s-6>E4e8;@CVwb2YNAb=@L-A8S5b00FvX9uQQMA0l`10Gj7$aN47r8IC$hL4rHj63ZlTqIp^J+~Tkyd7G!VmG~visnMY;0?LP}GYU zjTj+aD6(B_kbB~SY#S5gLGVDfj|H+t9FT2efOOngo0C+XF+bXo^%}4~yg~K0hw-sV ze2?v6du$!oV|$n$+s55I<||^ zu~mGI&0}-;;&S+4a(Ll!v|@3z<8XLjaQGg}+s5A5Cho?zF*mk~J<$Ts z#n?P91u2*80Q(NDDb#K1raX033*$VnQtGY{b!34MDrt2rH`bh|1%s0^n?a01ee_ix zv!`TFuy``0alF4c>J$5q<33p&4be^V>={`ctN;G;OZmIp^_9cHSK&I1Z^9Xezrufh z`6b!k-~W6@#s1=G`0kyN5bxeqTf{$pB;^-ndwY9(dk4@Owsl-;3%)D;ST|y53%=N| z9GC2-x|1)ztTyFT47mI;IXEES5=#n)Cz=T1vW_9cvuBnJZaazyqD4KiBtUqRgM+=U z+^eF>>R1=pw6gDeu46`iDheNcoK-ssbAqZ*uLaF!b@xp?h|Xy?JBLJ)n%6-6e@a%1Nf+*` z7vTTE`t>^43Q!erc&X@=d=zR|JP-J%ivAWn^DX@BrN#3ctY?0>y4B!_7%KJV?PhNU?XYPRNGy{e8_1 z|7DvhAd{#r(BSLB6jgu|H5kB~U7as!6z3^3Hf#btg=_&ZNj!mj-kc`O!Y~WB%j ze9Y&V*sVfj8g9B1@`%RqBR9CY+_P%NWEm@0A@~UruD3xwNs8bkkx+>TQZn>a?^#MG zlPFLZE1TmlUzV&duK~3kq%2_3t=y(}8xeKQ7kh&6y95Eal=-QUk~cJBzc{Rh zwzUD4nlm9}8I9r=eC9u^u*|2fIsB=!^#9rTxd{PqmLE{*F#ob*Tl7~_6E461@uyeM z8#lNcOVgNmkAseSPxZ22ijG zl2;uJ^2EcovsudX>5N1furFr8t;%oT_D#FSKB^*HmWyKildJWbT-A2+6cJNQT8`8W z)oD~}Iu|A_NYl?}_y(p$w^Q^IXnksxPVyL6AxJ)FHM41Zc(}?;UNZ*dB-fzSPymDF^sL6Vx)%RP2*nFpu$T z3Mpxs6tC*T=F*5Q3IaaeR?M*#;Lwb=P)6m|@IWGSK>OiZTwvwh|Mi)^s z9g>stv(_%AIh6_xV$;_TYqi^vj7~-ZiZ4<6URMeIBX; zwEK7!mUN%C%Fymp;ETq*E4j?x3#izE^vucH1C%YDkhjJnHJ14-eB)Oa#C`DktZIQz5;~$I79r!L?N6dOGNK9#U})z zLhvA>ZIyoA$Jh@P+G*mxl6MH$-aRwTTT52P=G=>m&%RCAm8If=0Crgl}9s8w; z+q{dwUI$Z7F7vUFhe?v@k#_7;BfD15%k*#X-k;~Jixt8?ay18bHKS|^MQjQ*>`gfD z!A9)8g#Sugk$CDKJ0t)7NXmNfDvE34r`@$-e4H!D$>48zP5k_e-~Il}y+?nz9t{8A zyXy~64nO|S+dueTKk(^%3Bd=?pY;XIUqFf~fq^1bMWc0G!b;h)?qYs*_@@V2&9%th z<(`9&_tiwd4ol(vey0l!K8^6lO}$h{<5xe082vaB*>- zkfv4}yl1J^A3`1&9pd=O(G#OXeAQ8h_;oHpM|cZbD{PLHr-n`WAAwS!@)KRbR+^in=-v0KlN1aIA@m{pXVe>1AX*E*jcbW+1y-w>2 z%}bU+DU!Q1%2=Vkp|ym#(zIyIxrg=UH!n@LZ&K;7ykxT`l~2N)vNdtBGozSiXGYnX zQFdmOwr6KX*_lyxW)%1Jof!q62Q;Is<6M6or77RGQyn|;a;C$ZwkE&d2E5P-WRR7m zienX#5JM(1Re%I*wCK=J(G0cXK3EXeHiY?Z>aco%I6G?}^6E;}L0m~80q~zOvr+yk zUK(kyvIz8eyn51Eah<~%TApjAbBniqL3XlvTmW1fI;s+nfxIlV>5iIPyC{vX zS6VS(Dv&*x7=TPHv*@xbOF{^}?iA^u(|heK`y_&5wo>iAh11sLC+i-BE>tqKg26f3DrYaauc%Eng=E^i&Thy_`-62f*Vo?QJ1XUFRo@6PHV~uCV5|JwtM=?*u zyFZ)H!kuzeI-yl1c4eI0;4e>!szQuqm7xUYB%0=4F+}(P!A!0WcA6(4OXDQ~3KVPW zbY7}d8O3X{kX5$tBOSN%sGE{N3?7?P6&C6Om68Sfs#ZeXih1`}%0Q}Hvf8z(2No+o zHjn9oP2TYAoTc+9%UGy$m{ym)YB|08+sv{jx^f)@oxm19dW~2+`o4eT((%R?-}dgw zCN$*=|5ssmBmNF1d@2M0m8(9E*}ThSe6yR^X|iLUvtR4$n1DLP&=a@PMX!tX@jh0g zUnc^eJWv!qSvTyM{7TXIWZi3Nm#BQ=a+=;}T|Ql(-EF`?P&d$qX%ngKiY<|G7k zvn@VH>OknLE%O7w08qkG^K934rLapA8o$BPld2L6LTOIWf^z!i z*+=5&w%h!9o(U#XkWY zM@~X1m4Z${K~ZV0@;^Jd+U0ZlmluQM!{ejD@z>vcb%@|k9B@<+7&_v~!D>3RO0IwN zV?BUQ)uXR^g(cL*bh`3E5gKIQ)Z|fh-Z2eP7pYAOeKwWsY3!;t0l3&Z^j+-Gzq54` zYRLK~ysaeGkab0HS9i}=l5EI*PP{djVQp$PmKCac?sN3Cmme~SPF2;16y{5(E(`cD zR(I*Pfj0eDsPNI$=-$n0E}sOnj3`!|&@s(S9T z^8trn?*iQWu5AyF^(3E#nNZ&;Wc^^;k=Q zI~OJ9l$z=OsSjG1gJ84(=%csTD*~SxzXL2 zYm{ECOq=;vo7|s1@YVh-cs0{7S1iOPaoZ%O%YY{$OY$huePkcvUn z>4LIO)Bsu2>5;NUOat~ZkK^+W%s}p` z?$)O%ng(JdjxsXF)8uA!Lj;p2PR5l?FF@duETvH_xkZ)O{qpQ`{A)-s_RTkgI^t7c`5; zG1GhF#xl>11{9)8B=hUZ<(Kh-RJ-|Fh+n9&jhR1qzpF_9ySIZZ*c2K+6 ze|F5!a+c$m;w6_H0U=x$!WFhtW2C6heMq1s-|s4y0wlk>Cn)kcLJr$DN)FVNQ_L0FQ{ zSBf@t(`5>Ar!*sZ@;>2riS8B-bO`FCxnK}FOU10~YiUI0aZbqpJEysVS-quhR z`bv-Ls4qa+51)`52ihMp#BRDMU2+w>5B0KpcoGc}?&1#|9 z4wOZArxa2)R(r3s&OW{neB8>j&?tCY%FXSOZ##_8xMxb!?&7H-MFPUmG}Tsy2Q=w0 z!18h+A-mG7ewyDBL(i^$u2ssfO|w0?8z=eFqIBypXCtMlJ91Fkh~MahcQ z*$f*N=6iomEG$GP`gMsyS=(Eof2VTI;9jP9EVpdWrhtZ=PdkPLk;MV4pYs@ zyR!+8V}1vo7%YbCKh8&Tq-H$eBG#ps1_iH4)rjR^?pPcTK!NKLG$mWHaK|=%s5Fux zxl~cLG>(^~H_Ng`57K931Ajd1&?SH?0EC8Z;H$454{e@akp>}Wn5YGD5?ypZOA+X$ zZ>*;*VJXq&fSe3H9YL*_*k3!WTRg9YQ=NC1*eiDqoi;;l#JIe&tj1a4w%gPD)?dyR z_pRL)0To@h#R<{f>sB#jR9<=HWd{Nt_U~p)N0pZfS(4kR3)9H)TKeh=W$I#bi7N}i zSqJ1DO~Q9D2DJ;iFpST%E`JmAlAH4ZJhJNqu&oum);Vykd(aw6fUSeD894)Xe*BmB z8Ep5cziG%lgIB^=)BrXRr-BV>iHT`MbTVNo2*H)y`lWtll8k>`xXDt27}}N4Y11uM zfrHKsWcj&=BpYG6u zcj&=8^xz$Ou=DJSFzt#kH9xx|O!d#M2vgg$E5fuZ!sI@mh)HEvglYBJ6=5>Z&Wy4% zqwLHm70=F$((vreD3#C7jMDV%%qYKoGfF2S`X*qmbDBfKWfZa`vtT4T=TiI6IiZV1 zyd07f1)Pi!11INa82u*vqUtbF6J&Qxg}@~ID1lQWWz0p=CNaBZv3FeX075dJl9y`0 z*ii!U%TY=Ko+=`aKJoPMSMi4=jsr2Q(o*)r36MoAFoLUK%$SlV-7F5j+JMZr+f+=96mxl{HG zDF2EEzH@RifNXjXGOV1#1)C`3RdORm<&9G?2D9#bH-p<`4~84$BIEO}T-ry@=8AhOlDQdR3mU#jFgUOmBW z<;{<9V-fG8#X{a#&JvL^8uo3CG|abv<%QIuF=L6miU&*x|J@9&s0l#FDGOM1%Lv7b zF;+C{8eF>Vz|!pol|D>B>9&JO?+YB@8w@%imD+>nmsJsxT{^`>xXTwB(bnsmpDtcq zAo`rw>#o@J)~h|QSa}+&p=?XLwv+7?qq>6Fr%J~}$@I4riu!9I_@e2+3Dz%xCCc}; z1qt6pGJ1E|o!sOe*&aJYU1x+3i>ONxS4hEO?qFsM&kkmG2Q%CL>|kbhFte@C4rX=- zGrNPC^?Y_Pv-j&`2QynYhi>ifU}iVh_zq^)@1qA&ly@+*e$NhOb_X-N-F?4h zFtaXwD%v?P)n7fCil+AV4%#@QE9trjDyh0vj?1N~KiNLtFx{SQ znr@Z&N1NlhwSot#n69d!b-Avpt!GSmExHg$H?mO@t$Dzib~eL4HT3DmK=-1L4Zzx%KpWxc3@+ci zt@W;94%uJRrA@w#z!^QuvIUrMF;$@JLBi`>fW3eoe27KotyWdDAZjflk%|3DpA@Yg zWf9ssM!k&H4Houo%ZlzuxeZb_T}2C-3=8G~WQsF~QDPINQC43p4~8Q8h3&Uf;Lp!m zVn+)TYq;xdV`h~Xmn}`LO1s+HY8f8g%4D2~^KH$;*&3Ug!ZhXiqFMACr1)MlP)awq z@OQFf9aj#cuyrILF{vD|*qdT;o?*hWJD$FelIigMAH^`@y*8&F1h?gh)d^&~PGmvf z=2=bku%cwb(zGqRy+Z`K4Fdn&$L+>}dpZN(M@fqf*sS~|OK+o~SsCiK{69oVs8|07 zqmMwMS)K+A2G__CE$#QzkUio;pW`ec+R}W6UIV#(4cD}{Bo(_fp)p{s2y6*UrkI*0 zr*BSPzaY=wT#}RpJPlRu+ng>*9No6fiszY#LKD9b#JP}y1|n?*W?@23Y&4lfK^|uq zWenbMI_9}Y>|e&xxsdHUiJ*YzwE$Nv6D$vJLI}v{fus$F`@86B@_-4#w(BiakO2U7`>> zAj-*YUP{nQhIt;vp|!NXTKp6*}L-ts$wZ(_vfg zpZaj7LpUZ)rz}&|ESo!#${3!7dg7wLN~?J^on>w*R|6ufC)*mXpj1LlW<-T({K~(8 zVTZDXp2Z4%i~ig(Nf}QCyt&J69R646xWwa&l*{FcFmBQSGbr6ohqgK*t?e#rPMRyZ zW|4s0m^@>ksp8y6`y!u10$UubpM=J#X=(kxu=NWz5s)2qfOmt0Cxc&D%2hxsY=M;N z7+t~VjIf1>Vku2iK5x^7XH4EUg3P6k#+!kLL$+Xu*rQT!7AXrNfMB6*nszy;76rB# z>h)39cS;s44diQ6rtyLZ(ygTfO;J;|H(|Jr>>oLe$7~P?W+#*L5 zWn@OBz``EMG-Wi?D)M1p_VoL;vddsZT}ZH3Z<% zAv}H}u=zDV5!fDw)&dLX6?@j*-Qn8jbD@e|n}t#*u@!_3lu-8beK6I5Sr5!h2jtl^ za%jxpVCn$Vw`#l1hVBGi%3-yIS$cSo+I&X}DXETTzUPky?@~}n)+6cQdC|opjx@4_ z3lB7J42eetERP$Z1pX>_&n*<|79twQY$ZoS8yd{dW`OF(z|*F30~y#!Qs!qgDjPXo zpZqroW}FMSh1em$+@NE5(nyUs$l_(6q)c*tlX^@O$VnY*jZA86vK@;tsE8ZT#F%w- z!UPCG-y9Y-ZmNa{n?GHoOr35P(@@W&kHi9;rXXfCjhE)W(?DN&4tStlU2#PnLK6}t zu%?R|SAagSPA<3&PTsNKtcJ8{nk*R* zi@uNo@STmz1G>_kb16mx%Vr3Ze{zD+I$R;ab~|7P=^0<7ggX zk6>#EsF3muw9Y7TsK!&NAM3TOZQNag;-vxe76FMu=LOz4f&rIFDfgHYSlh{s&J|n% zZlz0NdO353uN09R?HrMPAR{*`7)5aoc!G_a!@~&IQgp%pYHt7^6vC`dvQ;pOs5-EP z)}~aPl%z?_!(h!eNt$Of z`BI>+_E}0ZHjS9*6Zu~Q*kqss!G+#jOX(s?rb8*Nn>_YfkdIuf)<`s;ey-H4CA=3x zmK)u+NyBR)0xtq?;R{RwFYj!7;F-brl|bkr33^tCB*h>DV{Girm#JiA{XvvqXh2&B zPH=*1beOQLcQ7o@&&5RrAiar#>6IMO(nohx73$h2Lj@M-gE zHhT)ZLD@V4RmfV{1P>XALbe)=Lb^j5K3q@=>6WG59-KnTtF1#y?i)HHpPo6%dUAc7 zXp*)s{oQG#E12X4z44^mYWQJ|ZqPGNy0da8QhLwbFIjfraX1WsF zOG5BV&}2y<@LH(#znqv&9la)Vy%K<-sy z&?zq1AJbp_3Ji8BEw~B7_SNWGKlLss=wC`uRiN@3bz2cZ@6v!>p@Sa+n)|^^0R9Ta z{~o^V-@_LCdw^1Z4_M@{dwIXL3j5s;e|{5r#Jbt>TJS-P)_C?ts8+`VYudgc1o zSfh?4?SfwBU0u$wYBX->!j+`M0;srFkUhGAuTkt4#WnNEsF067g+rRrETzGFmfEv8 z7F>l2 zfYHZA2yYq>VQWq93!NtbQHBhI#~_Nu#8^0KiHLxt1H6P^A{fmInT-$?t&W1NM&DSA zLQ5x*Dz+MzY)XaGam?IkW27;J)N$W(-wsN0izu1K#q?vAgb*I->8I62|Lx5BBuXXk zOEvHo&aWB2BXjTytG01IO50z%BhR~MF(|}=Oq%dKfi#Cgs~8N0=^Ro^Qk3(#*Q9*0 zaMO=f*eI9+A-^u=ajY?kP309vdKaqr`30K@p9`Z6VpcJjm`{O0%udQ;sniL~2P(R# zAY-q?Pm;$ZW@2}F60$Ugko=-F=&~fKGIm0$z`(*I6syK3 z@4_Y;V-O4BTabX)nD40Xtv4>!Zfvz4k3MW_tu7C}Ncn9PG6eZS_zHzZq|(mEF`N5M zVC7T+-C-3ap<82hxip}cm~xBy3}|h+n}NbJs+DwrVYBbAW6gNzXjroKh*+{-q3?%G zonvq&QQNKKOl)If+qP|EGO=yjwv8utGO=yjwvChb{myslbnU9%-F;X8-FL5E`&!Xa zq?wAznLf=3?t)rGaGs{aBzL{;L>bDhc|=Cm*#r*ESwJWd+75c&Nf!>z+xmgYV_oq_gj zptY@0ZDjl4gFVUdBY^pq<~skmdDxGID9(kibvr`gcjNhd={wlnzc##cDsj5QuF}tN zanw+HTSYEO^5Oa`4PbO98`Zr3guqk7b})pYqYgaU-E9;KMLyDK%Djj6*XPP1Q{8me zd}xlpX4@yyCSIIBpLx}5sv4}jl78*$)hS!}y{`pnct9P)0L_k{UG@jMP%J-onwuIY zO73&-Mn#+5;e)*m)RDGFH7Y3J;M~aVLCLu}9qb&i&0}};9AMI5%|MWp!kKz(1(4hz5QnlPdA3^G-XpDDfB82#Y41CogIEzf$&X>tBWr0{4dlyGj$W z&EHOx7)hJ#Z5G0A~Lt*sh+iCY~7oh_0o7P%mNe zZ_uLRUw%6ZKxBaqoehsWCpRw@);e@*((3#@7OllC?X)8xT@M#<0p(nklCznD+(lX_ zum@-VD_uJh#4N{vZS|D#X$ivlvYki&$knHsMf}8ue=vWiboVeUF$VNRgY3`R$+8H< zpa(kq&ThX?pb6cX(nSw}YVZ6dOkIkZkl2S%hF~c>cCbF+H1T(PYoV^Q=km8W7FMBE zH`XR%Z_&qeYeGW|ZKy&*F-rt#_XvBZsVRss%tcWs!N_D-OkgJ8*YycReD2L}!pw~_ z*5bOFS83XSRlJhGx~Iyq^#0g<8{XX>;9Yy0gx*6m8-a+#;Dz4a^kdeI6rJd)nl zqS2D=9VmjLqf2!0UMdIsZR)s>uM&-)^JE11^nrOE7xAF&o&KLzjR>#&O9M1YO)4NMBK;fo zN2?AMY^axa6llTi%=xUe7kEw{+VhqYMg-4|%gm)&qdoB7c%fu-$o6VLkzQW1(Rc1t za9RWCPF(A$HvHcD&|~6PL51$VXa2Xdlbtr(IoH;t%0Rvpp-%;?XJaraU z(*SD>FO7eY>csaa%ad})A!XU^O!88koS*(1yV>T@fxY@B)UMu*41)wWR3$85QI^sb z=R>!2!(!N-?xQL2zY?|DJC8{L;3Uu+e{?pT(XTKTz!EIjJEg}e^_t3!J`Aeh{n00V z@Qm&;ONN{@#GoRIUf?%$oA6+w*?b~s)@ij9J6W9e07^L+M_|MMc~&tjoawKe)k294 zfp5w0Jv#M!?HcDCPde{NF2mesKJJn#$MHgW4m!6@^iGRlv1-{!@8ABD(bbxnDxjlg zsCWlrZQgTQdubc#;nOoi+RJ%3MOM#T=A6t-%F35wboK zOL%}ui>I7(>o+U{I7w}FK^$@r*qSBrg6yQOelmo}1?YT@ImWMBN#nQL`19fgdT@a~ zI6?h~^@!$&M-0~^74?0`_j<8)$EedvzAbg*clM^I2(l8CVw|QXK#o$PGgQs8NdHLP zf8xETEZYS#09+m9m;qlWKH~ z{;8UN@W*I>&;8g^%pTcTr_ohd6dqm!UlEa(-;Bht!lXA;@5$R+MPo4Yb^(XISUj+y8I- zV(aOme!HpKvA3!_xUT=x*7&Zg+slJAk)t?s|0Z;&`1vics^Xl@U(^|pH8V)02R|AP zVmxrLn0U_|m5gLP%bsQfro>bt^asp6$7RQ0_l()$n;kEP6-aVU4j6F zQA)B$8C(rCJ`g$yJNsA-V6Ho<*UP#|j1A%=82Ico_7((JDm+&~gSw5AfD)^6?7#?W z_hl&|-vc(}d~;I^A7%Ntds5(ORS1U;cEV{_N@LCcLONYbvg0mQiaC-`*$>Op%HSM_|;%79VsI4mp{zssG82gVv4IIrUMPmdE zKI5@nj$UC^Vri1p*hm4jrz2q#hAeFeA2q)jo3L7E8l~Xk8hVtw>=Zr$b>Dm9lk+|AMhyw? zPZ}hwLW6BJxLyfU4S`>CznN2h!u)!IZdT)OI#{>OqIs{r6dUxa~UdIP~@#K!>%vAMrT0 z{#(=nI$YuL-@2cNIqw%exBqj2?r_<2`*HGs12TM%9B^6CB6{HQIHxDFh`Y| zq4^)?Ba1ojrmD7wr37tJMTH#g!}0r+l6s@vAF6Oc(_D5KBDv^-?UZjSdumnzphcjCobd~P<{8Kf$a`nm)@6;xf>gg+fbsVXBf7M6mFil+r?vV1P#^^0y zi$S!9sBKNpTZ`kz3%&clHkF5;7?aE#=FY1d_A0bl>o;U28ah1JY2{6+H3mM@Tocp8 znFYL|1?P`FRZudiY*4fy%Ud+#=zsG1cmDWF4xM*{%ZXi+ixl5MR0I(=7dVnI)$yMu zn$(GPebgJ6!O5bzXkBt~l331N!5Fl_EQLXa+y}+)4j0F(T3$d3m$h#g!N1%$tld=f zv0x{SPfiso>2K_aL_ppxsrA`q;&Z(^&U^P6p2#U29*JKv{9uqX3;;K=T;ch^5|*V4 z=Fl zMPWx_uqRYz#7QKQf~ShSS33CeCQ*pz+6!1On4X!Re)6=mC z8@q0-V#`v;I;!8wv}p`PXYIjpy5H+G|K#-k>q%jcxRW2fwCCMM)q=3iDbPjnro*b} zg{BWCyA7In!80nQdUIs5-peO z^_hDPM-KkOdvstb-9=~^&hl^SjpH!pF9^C}F(M0UN$!RUxnpNcB0-52mb8PdW8kKc zNSFE(btGft)McjCM2%7?hyf$UXb-6%Q4loa##m^WA_^S6h>Fep>G2I_6ax;o(k*tg z{cQmoP^|?zdR%`#5Ro_pPB5QDCOg)!RzW{aM^|GdoR@zo9u94h;>bNC*x0&z6qWu< zh3ly0QMyXK&b%CPE6a{FZi3+=+-9Ci6dz0`OcH-sTBspP>aq@w-&jyN#YoOGUghzq zHj6U%*}33QJyaiU=8F|gIpxq?DYj-7BwR&d(X-fbHTqqvh$adoBOMh0;nL?^%UPDC zkkq{#E=J~6)lwcEYzy6$P+#Cygj1D`#fdY#43*f1H#kyEV;!{QCvjm0G8|nf;Ro>t z_4!=nE4QMMeKT+3&k)U#t6RK+lmSwO;xnExNYI`$5mSbVEC~g*qoUfvF|O#9#4^A= zqQCp!zkhOnaL+=|VUvtrf5Y+WS&F`5t9+j4cK{BCl10768ZKmlPY)L-w_PDOKAAvMvveuzvdxm&@gGydx8D&&*|vzB4Z4LXxD8_a_q?r_L~ec>jp$SMMAU+TN%vOu{7izE_t0`9H>0CEnaynTsPI@jt9KT2A#G{$*|7u-?#7# z64;Y61vJuJiyg{^Hf}Pg|Bvf)%W%I5 zI>W`+O8P{oj=u&7d=9@Tul=gNTS|k2v@mCXQ$lspi^6YWPhs%v^(uldf9O(UKuAzr z+qOtYCO%HxZ=J%5+w-Fe*9W>zF|;$)5HET~{WpYGk9(I`uSzl4b2i|`yvh>LZyo)n zX8Ney4WYYaiYHqYSicJ>#+tJDp+zek>l9+yiKgqXsWw(?zHgD-sCh3*FFOY;DP%6% z|Ii+tXxwOG?ed`V?o3!FKP=ELqE+U~1LA5nklm|IofQA?F)lG zI!f2p&aeMPUv{#-1~KFlzDayx8#jD*cFu0;z1!SL5;>hfpayn$KUBtbD(-KrOSb5) zd0ioja|e=`(!_;_cv2Md34I! zF^d3l=98Mi%bgmyKYXnljD>%w_T%*-C%oxoTG1lY)p@*V-( zbtn62-H(DiKSz3f#F<^hQ+0tje39?U{(XE6=j!o>LW@#FG$hFpL`ffWV?H^oz{ixC z%PI5knKH9s&~zo20<`?Wr!^8pS=eY$7!={sP8D^mFkTKO8inrH5dx_w z`N>erO~8DF?z-|7^g2)M08PUAA0Cv!(w9Q{Yxvs=6sEDS;Rn^CzU_fV*L(Rq8&SDB zJV}s*G*Dj}_hR=O+HEI$F4mCjj6>qus<5`NvU1BmP`8F3-eaQ0zfx;uT61D8>s@z4(;+d@qibywL1FpqJnNX*~i*{@M=YzHFwcY zMRr}!OKn>5v8wqdom||2u7fz>{lwV<*^$-I!l=hZt%BQ(i+N{EQu%Gxc))&h%I|0h z+ywvIHl?7+>biG_RhF&pvl-kRe7yyFIRk$A_~i|EMLuAkUvl+xH1c|AU3Ign;D|3D z`Uq8zR;Ps?X}CXl`PUsP?Dn0u<7=131j-iOekr zLMHB0=itXKxJE_;KjWqsZ7&eKBMA1S%h4Ovj|9UWpb9aX7v;`12v&YImYtz`tj~x& zv9P0ZD@iUanqN&Zf#g+DWAQ<*IkvBn++A(vCWpecXhzQAj!4b|+j|Ov|67+Ax-7__ zBzTB=P1M)#Pq{hk49No4@GB8mPXd;*w}Rk_5SUrmePz!-jRG{vXs+vVkFR*K zy>ZI^Vg$&lYYczoNYFJOq2lZ6+Loh13Ia8a9e)1jw4pI7jNHu~>_cprRm z-HynComEoC7D~|eB2F+IP?9LMl+X@MO0CN0Ke$$D(9lb$CMpc8Ju+6(UniujY?q(H zcA|%smDae5%M*G&zex!R(0Z3$0%Ax~Cg|=)NuY^<Raz5VfTohHX=jLiuYE*R#M10uzts+D0CL2 zKlp?AgowPqncmk?tOu}z|JHc6CWUBaK*!YAX$Hi0nhCMCe?er?f}8IQ3Z=|a3eI^>8UB=sz|P60r=N#klUqUrK^17yGG6lS3o?J;TK zckx$e4irXZsFgxRB~0MbAf!JM9C-+Fv<5UklzoW5IkDqms&IGA`-cOHThwmzjr!aR za~lMP^XKmn6i6HY!ZT=Puz7&gc#^v@3|_P?lP`DPC&?>|B*ybgAUSV(PL)u?X@x%Ea_z(SJQMNt+LqjGH>XX6QHEMYU_utu%1zw!)2V>(7h+ zqxW23XL-9{=Nvz|oSmuvnA`@J&(V9Pp?vqEYndj}))Stp!u$F`GRoyaHMR-FlrHmP z8p%`fV*Nf&EM4xrWil-AU65ZbplAPJUVnDJ7HiO-=OUtHcz{gP8=?Pl)>r6Ei@2aF z2I3w}tSF;(tJ7W?wm4t=ruhcJEYmszG>uNIW4CCG5fvl*Babm7c!8p_LQt%2?B02+3-Ex7!XGHni$j|((!^%b&~RFuH?11&kGD7mcnsLHB7 ztgKPxI6jikMhqMt-sS-~;_vTEN+s>lh>$Q29N1bk2Iw*0y`i%9*&oiH47;{Fy0gtB^P`q|{3&G^D`=1=Z$^_W8PT(O}G%h~s~h zE{rCSP|S%)xYmZyau%&n;7m)8-j0b(xR7+j9OIEHaOd-tg6HLsw4j+kk_uNK_DsA8 zq}2kCk&5S+J@t}npde5jNr1H+<f``3I+Y?f~q?@Kf1uSI1i zwbkKqdH?OmC#-&9Z|~hsDaWPZw+HLWe5!Ny#5G9XGIDNfI&~%jUQFe6Z3~%90&7nh zTXw+!%>)#6A#(Wfeo4X_dSPc>YzQwtCSTiim_R}5JT%#q0en)o8cJK!j+P2+prsQW z@oOwbbzGjjA(}ipU72CUlsTuxDn+if01-;bu)gMf!W#H{c$hcJI?5Y)O#zZo69eL2kgMh zZ@BD+)O#&kPQGfj1!N_&!GW)73fQfyZyts3M~UzM)IHYTUPHznFyJBGFG>FPV)uGK z+0j0>g~W+t;~VT&uOWh?r_OHPh2s&%(L4wvA295)XHAUFw*vE6P{@Fx#JK z8;a6$T*(aSXoK$pE@kbQ+}XkgHi{W@QGOC*fv+)IUu@QM;7e#n#RLEI0CMW@A=sn* zARgT3Cd-Q*Ojsz_i(=iy8x1gf0Phfp|4e#lyphvjQ_30ex9+S%9zjbIjgM%kyTc%<}3;EXG%&|NRFORJNe0=KB0XXk4m4ELI3VOtA;W z{T`jzXMAowY%}`G?Tt^W1XS`A*oJ~J0A5VL=bNPjUn>TwoGZaaj!OkdyGIw>KcFgg z?NbSmK!fBycE&URazfJ+Wf?5-Y^HmmsC8t-L24+5()x+D57sIysf1vMeQz|Tlu#=G z-O;GVNqZp9TaCeP{Z>{OzI7e+4}X>Tz{80bv+F%~yWRcyFAq`NB0B>k)r|(6G;B&5 z{E+_ly<40T@lT4urRF^BE4aAX2Qv9b&=zxU(5kKU5YG)JuQ(bBs0!-^%pMNP9~%?v zM!}_e7Rx^0-rxAMbOio=lPl`rc$cj!cu7C$Gc#6Llo4Saxc@v{Mt8{4pHd{ zyAosATR9b@=8R1(G12jkgkR<}|Ene6E_qwYh4mrJc=fX-HpF$&mpxOaBdrCFtpG-R zsaNF1;c#d$h} zJTlJEQA9qz12fj7P+57A855&7+Y{rFJMtVVBAVQxD=4=bd6G?k^E`s>1}ZuoD*W@6h+B6B^V4YPB78T``K!jA^F#?gvA?y z#Nc_x^NOIBz(HBe<^Xv!jwhTj1pt0HR(=ElJy?YfJFDDUj@j3#F(4iF$n;lHu2K^o zst*H(PUWSF@T!Z0z?GQ}lZEiR*lUhV11QCIq59--t%qatO#Ko${WNJeEYI+)S3vV{9g*gNTlN@Ar(%2eXp$%5*M z%$8`U*E`5n7d{mhL!L3~@RQM9CPgf8O-58Ey3@Wg4jpmh)*QY&j`{$SbVpj4 zTuHK-F^VS?t1>8!wyrceY1c9$F!;h}xapS;NNQ zH-FNwR>Po#!F+fd8dVB(1N86VMVXIHJjzCM@G;)^>zo;9ue9NyCndr*fIZ}afyM^u zm@;~iKU+sW;lTa_>uIvDyH}|m)<5a+tD@mn87`z1VoVX@b*yg(kN(0{tx5MgO2-=Q%=I|q1%sD3TJ@PMmduU)*!ZODg)OX zTA|6w@Zp~8!?O`qiHs9Mu56b0#duz+Wl`K8dsdE!vFS}7G!QVXyhZn0M!lQhDq;u^ z)=2uNNoxwxY!Xa4%S?aW1CmaE{uBp(q|+1h%al{Jh#RKN5-;r9*?6c(JpUOwQW?kj z|LK=)*eOSbAiKejwOn0d(WO=_go?p#@x}i}W+XHgWUA=2H#s_pn@*@8qu9W1IiRK9 z`d|Pv$tDG`OVDOBWRZwccO-A(Q+8<%cnWNj1;G_mxtJx5v?yj;N$VvBW!`E5yN|yp zcUVeIN6AT~dK?el!kjz=gW1Ii11iSd?6=6N$H^y7LuOI!b*>eF6S(b`YZ(vYjSVl+2W^i zSCO+$dri&Zr!zCouTjUy8cr7RK#o&!fa|(w)9g_Ik)svtIuac^OqiRwp*`v_7X=!a z^MbWqMOffDvw@fOt}!66IrC!dvpNmM+u!NKuPFJWsbTpC$ih5nO7((R%D{2@(|nJyLZnKS#7^OdAV8RjUm!9df--TN?x&wHP_l>8_@`GDBEU)?8>3sm^?;?E zJ3(cJ-{$6D8A=AHLD^vJ)c5y4v``_AZ0PjG7Ne9P7<^JHFFFV-#Q4}_MKUMg2&&dV zWl-IqI4NpE4^z3TG0+;cms*HC$d}3#&wPsRjtKS=mGg|^PM!Y&hVG28a3+YZ9>8#r zrCQ=O)}=b6M=}Dmf*nw4DVG$i=W10%FU#*tY8K%)xlZyrskd+n=7L_d=meC5S4+;c zrk(M0E69Lh@!_YCmZa4Cb}%Ff8FGxXXzr*C!J>pot5G=Kos(Mdmc3xHkxbIR-4w04 zEt)Z3dxgBJvYMMaX5+q3PzIyEaL3gKf&WtUrTt>(qxRPUH6--6{0 zDV}flVy>-)G~r`N$Lo)Y+w1`a`$njf7hgzrvP)<_5lc8UTxR4)HY(>?s!N4lEiDhe zQktE@U1R!j|S_p0a|*SLP#=Vz980Xr$bhg zJ&atEkn|474-^=GjkKaOW9MW5=`t(hJ2N{&*DEC_N2=8Q@wSIHmH^=%v=awPm+|`w z*IKTDTYP^Z9jm;|K3hE{qJmN)!cxa zw({twz{mO0_}J{nKM~XHP|=-JXw53P@}=a`V9iPV!tWw~m{^=7Tku>+05@os5*vCJ zYA~=pD+(4&@mD5TuRXT^=OEYj2LJYSbJKX+F5I{6dOPBe>GHUnT$b%BvPS1hDCX|% z%8OZUpDzzg2mcO4(2gf<7dl4d5_ztc=P=^Ji%1)l+qJ;mVz2fN(Ek^t<3a;#h-Eiy6b`b2w-==ZRq02!)Z-Uj!02B?7g zn!LG=fj=d@aHsn%wCz~^G*7g(S(5!Y<@{zWxx2CM>HaQZzB}8#`2!3zk3tG{`P>qA zBepHsl&*m=+qBXlDZ|^p()RbXJ9T;4OQ`aRpadt?=Q5s@M1xx+iG8U|ldc}#_BpWzG`b_@FJ)}??IxJb?gU%Cjvpc7 zL-e-Hs{Czft+k*@y}wO6tA9~Xsia_SFCxo+yyQ$O@?0Vv3#}o=_#-DGy&Rq9+w$;_ zmTkp71*{g=*X_kCK#%w3n&{VXxyK+M(3|66f|mDXjn#*;=;4e>Nq^yORw=CyRpRh~FSZj=dope68hW`eShw+5uY93YG}V zD#q{U3&en_hwT1TC6SkDxAs$ag88U{tXqQZ$y3;eqX|Loiv;i6ZxMK*9B0D&D{B_= zoUv9PW{{J?anMIM+hW$_fTKwa44>n1akWP?Ij&j}D9b6Wd>%r2Raf>Q-vry1Zcdlz z7fc@Vz?Vqt{dWPuBz?Tvc$Go_qRnHXi5)r?stL_2xt|-x+jUF+?(!IC)75mE9iY9A zrjs2#G=yM21fi+Qx)Z`@TLEhky=^scsATy~yYh{<&c7uEzHqO9!!jN)xTfdF_Wr$J z10VVHyE+KRs}60Pz=Rah{vMt7jPlbSRHqnsj8}?B)LMtc3sH zn4oec&bNY&v1_ZM-l^33`{D~P%G@;iVj-nwQ_I=%>5flYq-ftiR`$r^EoiQU88p6? z6vTXHfOr0+I!D@^GT&mnYB=o%U&zUmIqK3yt8mXQO?HlM#e ziC{2U0?yGtyZGKKCKr>QLs@K8Z*+c>wzfYd({lX?fHjAtapd_NCy8bSfyliu%7+~3 zf~8mpZmo||ZoSedq^o|Vphlp_YCE+;BKs9)Q*L_pgYE=Z%Ab~7 zg^oGon10xkz}v4eVt0t61!)SQx#deKC{jb1*8nGmDtw0cS$o{@Rfw{bIwyQmyEZ;k zM%^!}qIN2{0+QmtG?XxnI1S-O?QKFFCR}HE^(0p)T%#J$XPIxw!A89r&;;LtI)>wk z!_&Ihf|0-@@zoN2Z36-kWkGYT+C7MsP_f2V^RsTPL|{UruY zShNxMvd`K1;BzE8x^}O=2fP18?oibM9NeZ*uyD0mL@a|Ou%%Y5^Y6;ij742aB)4XD z#Kbrvw`+#|wS9(n^VKq+@w@YE zhd6(%Kk^f6#}MG`G$44DkmUTrdU-30Z5bV-vb?u9Hhqi+lagzw$y>Lg5fo)(6?@!OjuPpunI0V8IM<+9!w&5+NHXex zUgu_D^owvW@?8L42!|=p_ z4@ixN+K~wDs7vSHkCW}JLp)b2%BpVfeHYT_==9s2Yb-q}4*ks0>HFIl@a0>&e!leh zy?I&6jqvteb9)cD^gW%oQ+oD=P)97G%TV!L)0sW{x?HL_|Gcc{E34~keI%{={)?o5 zFPQCB7|8F_T|tYVqUw7!X{qVHTgO1xvbMY&8(Au=%v-x8$Q-pCLFaz#A<8W5l?svG z&qde<8XgKY6LS&txiiQriYs++bJ7n+!3fQfKnC}C*8Ifz_u`WGV8M2(=eO4=2wk4> zdtn6(+a*YIcR!CQw;D#|eUG}Yf!b{GjXs%J0K|b~|K_$o_Mkr31l_lo5MrNK{0T}O zsAp=n^Wys;c}O}6)2@A1El$RCY8^GA+i{oemTBrxG2+&82&2VY-SaFD0WDHyh0W8V z6|5VYdAB})L!KSYIEcH8yXN;H7j!*IzED4r2`Ud96e>oI?Nn56eXXbL%Dk3Q2RaA6iJvx6E<(h6#t z0m}eNHN&)mNb9n%5Y0ScYHm&@Zh_apqaER`08)8Vi`7YLOa`5^5XHCkRm&{EY2T%s zWPCSH+))GR{g6MVuQf|Xda5X7+!q^rpR}-TyBO^w1Fy5Ie+)g#>4S60TZ>x>2L;_A z9EjGIG+?OLkBlW+W9tBM=Q~XUWAWzXkv&1gFlT^Mx+zg$s(`3hVnJpg0XN5w98?@r znAF(JzzL$EheT0nEZ{JdJhC_9$^-7wolujBr0!3BJsWXGg*)x}+v5U~uXXkZRGotXVTy(KZ9varh(v$pyM;vP`yKk33DNnK*=T{yE_eYQ9m>)6{Gch?+Y& zszbX&w*;8vCHfP~Fzvv%<`L1{!=;jgi~0cgK-o$W_)$=yD_Ls2qyH+=(|RoT^XLuZ0Pr$3h0u35z`jgjJj z)MqJ39~m4&-%x<8Ye%EL-4#_To@zbvy4I&dK7&Bz>GrGZ7CHQ+TLU|zr!4-59C40)Ri zo1DkEng<3NDgkZIH4R1hCa~gdQWB%Q!wA0P#_Qrwnr3X<8s<)2>63cXtQSkPrED1q zJB?(@EtX;4><&|FkDwiRBj}`@)gAdwl8jq|-DTZ6+cJ|Atwhbb?$TlPW9lMXBvc`# zgewoYbWw{i4v*0;kAR(|5(It$&>r{~!Arw*eHI`)5+{qEFhVqwJPVZRCy13sN+!Y5 z0jXIsg@I}}Y$E47eV>yVRo=MQED)pOyMYSH$_en`i@iaOgx8_rNg{ZI&e54RZ-gZ* z6h^C5jOTJ43e|4l#nJ^6{)L3CBFFLMPXdb`H1T>zs(GHAUxX68ra4D~y*d2l-ONQp z0D}U#9oQ@*Hy^O&Q(b)l>ycj5vfS^b`N$h{3y}I4{P(xFm2nxqab~uhQS?(u{`3g< zaeSlnR!sgR>F|K@l!HFNlch{E4I|tN=*c1UQkhKDp;PHB;vYrJ@guW3@UiFm(b4|k z#|pj&)lSQ^QR@eoMn5|qwycKfrncxG(hg}h2%0)}zg8Xtnq?^!KEts$geVr3ZRv zM=dAys)1^0E(Ch)lENju$4t7}!yvLe7LY9j)0P`}@T$840R7{=t}dqL)p`2`mF`Bc z+|Nd3({o-I#ZD2+l%+!EkMii!i2(;oQpCwq5qn>@$o8(^DZfAw>1;SEF<}sNEV{nu zq5+t99*C{q_mU*l5;sIpEI`K^4=H$MgC?2uMyPr=?7G0*>I`#UjG&We5Ie;%niHpV zI}WK??NL&iQI3i+N3AI;evW%x%{z=jh*|iP$$O7R14r%`&*kK1=_ih{t4UXXl@=(I zpz}uuoI=PWGzH!7%vXmAe7}$5+L;%7z5bT^Bj`6}xvaCepTpxG z_Wer5?_2wltM!Qx=<}@b{i7*?Pg6be-?%G(BJgq`^LBszWWPMJp8M|bbdFezMuZCC zBiQr&jPD0~o^fdRomqWWtx%JXC{h|Kkw9#(e?U#14rUoBP~UN6$u6?M6%EJm$keLt z5ms75I`&7=OTdQM4VJ?6gt$}xJXw`Eo*iu*DFKFlTKEy+*|n|3B=vdbGWTgDPCdxH zKr~iD^8w<~pI2uYrDzI%$q+i>yRW*;Z^HM1+Rj@C5o;YDC_Lw4q6(#kv!At3raX;RXm@h zHcT!U8*l;d578nk)LwY^u&U#4nDkpfAFtF&5saI}A^0WM4m8k@=Q}ACk)qbeU4QO0 zP;U+zb_12$=}-RH`fX5JJQ5x!x=Kn*d_m-_KqTmtkINr;03sRxPD~K2bOM?ZBUpgu z7FW7Maz?0o-Usp@7z6@u;T-(J{|3rB5dD!g>lNeC;`oWUAr@m2z4@XL%QXH%^A~#l zcMZGJ9VPn9CWKg2?MR?s)tgUKYB@#7ign@nD9FfLD1YX~Ho^lG;!}=k%n>U=H?9O( z&Ak+ETaVolGQeWr!n4}Ezy?XwNU4wEXN7O@acmx))R5?ars=MA87#591SbXkC~R;^ ztKP+9aU{4129MZgb!$Q2daeItfg=RGi_4p#n;lRN7#*$5M)@YV{$lWrE;v>hyFt5z_9|(9U3Mh#uFB zO_uilt$w~cSy)7kHu6OiTf%8^qiU(++U^M7!>d*rIZgxIF9&N{U>?pKe7ds@OE(J> zUmtCrxe@Y5-TgH|W>>$dz*)a!Z*6m+_Z`r>#6qSSMgC0$&hjuHd`GDCb& z*P>WNU)*$n!&&fG9DI|VB7~C6)zOA?ca8?aQUs*sU|`c;?xdE%$P5)Y)5S2gHhlsO zD^fu&Svh_-?m9en=csNRdYQg+Rli8@R>eC5>c8S(!;B#ZnHr7Eo1`!vlRvqmm0qq0 zjEMLE6^2^Hj)wYCZ&Ub4H#U=3&C%3j1k0e8oMj)V9(xL+TW#>a;ChbE3CJu%XNvS2 zUHWNzBfv2qhl0=|KLqcTa6Qkb{t&0#ZHa{NAaP|F%8w4HbLwF3Ym01$d0usCt!jvk z3YIb%-TCF@vrD0_aG@T~ti-FZ;=`9w>?#> zJdt%1UwJy?&cC)Bjf65AB3$Ki>41!15x=e@Jxfe1vU)c8^>YejPppZRyRdP$SC^Xp z5LXuM>VlNXvmwKtB%7nwRnCsM5;fLq;@rqAh5vl4=(SvaFIIds>AqT)0xUB-?lp>B z=RIZJ-Zy?MICbnyer6*wIL)LMdTmCEB@k0TOkf8i7?S<7Xi!B zV5EaIAR)_+moVcxixPnhATmC_O&sRFZ#<=gHDU?+dpK{w%Zg_t^cbS+H@8_1INH^k2l@SRV99?J!pXJ4&B4e0LS#s@^lig` z$-4?T_4S-~X+wD1uDNCQB(dag$BG_`!o3YEc2KOR&Ac<`zGxoxEj5?Cr(C^q`8{o2 zB%#qg|KsV0qJ%|>@LG_xqgXWugd9VbUQdl&-SVw^`gZub`Mi9+M0L3PO7UgkHIAP4 zj-I}MB6yzJ<8-a@^KkR?dVLD=`ont=+DBMmH9uG_Jwz;p;m(uz>oBFEh99ClFh+<( z_@GjhrzA89!jSGEGhdxlFSIbGmJKT+<{h<#kNzodHMuAfmjT;_sR)S@Rgu%sS~w=X zOAi+%$~=n85!ooBQBVDGzeP~~(k6nO%%}BQT>uHAN;OJSF14SxyCLflVL=k+mzSF4>Oj>{xtLX-Q`Swg#ogaS1iLo7}SOtwRy?{bxJ-a>B) zoeFythoptAq_iZO1iE9BlKTBsK<{BA@#=%Yo2CpIgaZ$RJV_=-YG~&5?1}*4H_N=g zKIF%`3vxdIoll#V%Pvv&N?`^xXagrQ8_cGaM0_(tvXlZulv~9p+!EYEaKR9qmaFL$ zo)xuCNXW3%A*CuN?9=14@pSO0V4eUN87y}5(D~C>L4#TU2YEn-zXGGsQ&D84DAe6z{e0AHbr%~nCG3_?vIJtHvs_&B*rj3F1rH&9O9m_vH=7O$`z+_z zn2kaKM6T5_K#kE11HF3P6T-kud_Z;TJarUfHHO0eTuhKwsiCxcdroe~JQ{n%fW^EJ zxjODSyXM;O%`?Te2}|feAv6hk}Tlk2nkI4B)5n1Y&X(`-7} z;)XPWOQP-Fkrt>klTy%OV(4~#&)90XNE>&&eg^E3^~SRRG-ABIOYJ;VXO%qx9M&G4 z2BfemT3{=Y&z*eRI}`=lkEkmJj7Bg`JPh9f*ab6}I&Ghw-eB6qR+wFe>u%v~;WH|V zD#P#!-v?|=lOYkq`OM2|w>??2Yg*HNnIwUlEQ=ulufSZSJZh_57|;ap=q6X~z>RQH zrp7KLox)wCk_D84Q&F`fU#mNK(N$z=mp_I`y*ZHy<%w#Xa9PN7ykh=MhTd};B4|LxPwt@v7v>^=>mr*IQT~BV6OJ z?Xt}YT*~tJ095pGQX3Rfcn%m#NzNh$lzcF)jN=ZWWdBiOMSGq`BF_X~*IxQ-1zjXW z+adWuu~kr1*Dl|1R^&`4Owzd8D9m`r%%{qXMq}auh$s>=m?9Ske8JD6Bvf&D87oR^ z6N%o4Jc)0(;x!-w;TCAeHT)SwW15eY;3TFrDW<_NXRJ+lp0jHaDMCJTn``+`4QQk- z)>iCbrto-%(m8UTm4k#w2^5*m5;|?WCmGA}s+I6WGZwzw=Ck>h76Y?9Gh)Ma4zvX~ zXvf>26RL>re}diFV7C#=3U$E1y02Lz&{Tpzv`I2ttG9a-u$V)lJH_Rh34t6fhC|Gl zCs~rT_5b-K6M2CfW9fiqlr>ifWX7yafdKc&jH&~w&>0_~tZ0{>T9i;ek@{P2af2y# z;zQTc&6Gt>tOdZyKxc8)cRkPR4a|Z}UQ|H9 zLTDzhIypVWjoJ!x*Fn6`&!V)lkSutiaN2H4!ACd+Q%778IW4$vxC_hj*13=}0D!4w zM50vu6aLLH5#)_5d7+k?un}GYI=byg$6qT#SEY)J2prrAIB}^(ZP$xq&OO0jD@|Ct70==;d3Zi+lfK| z5Qkb5#&DN0#1`*&L%aGdD_3peN=sRgk(#fX9?Bazi+F|#f1mZO1WU~Njbo*i9Hr!URO;jkg>o_BslpSK9)0Tsq~A0st@>1=`$*^FhJLCeN8ZRe zD=1IfhHv&nc=R!x&MeLw*be9r0$exU?bz1X-Bx5VW{PjBI~LNy9XGu;=L=VxPo1Pz zIX9%9rVrmFld)Va6JxK`iGv~$m6gn1)m5Oyna3fp+*=Ru$Mx_#`d@a3h;!Z0>Xv)5sCN*<(uyzotV3k}rhi`piUO_VdTvruP zgby8^QCH^3-GH%$GASV>xzEOg4x?|U>;DEwn{#lc*3jVP^#0>XA3CSw4$50*9MJa_3s=^(jG>7 zy_l(M2(5Aw+6aBg;|l74JVjGAC`;pVV%XLS#u&na@}JqxI!yxryRg*e!({z!fe*;b zI{qPG=GiS8LFA+gU|T0TUKHL}l`L*6R3~~J{**;dVm<_i8;{Fv;NYEVufb%5-FUVl zF>IJk+Z~%B2#eD>qKL1ZvquT~Q$u^&JU4+EYgOeIwp@24Cdf)FJgTT=tfW$t1S%Wy z1cV)J2|!uZae*=Mk+t5y{W1_Jlob$!sz{T%Mqp~P%vdg2 z%+L^|j)Au&dLZO3P(fNSClZZvhKN7aCj=xicFQ75 z=7p?o?k1%9Ps!Tu896*#Bd>SQ4$lm5e>^;Y`~Jf@`EmF3bocoD@ZgNRKlRP>@86K! zyMENX<6+?1b%}dxd zcx$Jz?jsc>0cB?~W+I<@sup9(DnwrRDua}b5x}0^YGn$_slQt@SqHwjkIb(OM|rTRMvDD9#s6EnLDSrR6J|@xTfg zZ^ez0giw^U00Ve>9lP~`M@yP`))32cYqJO_arI+GNF5o4`2wfotSFA6J57;?23jYq zWF|gD`m7E-o_B!F(84BWLzc$aVl0xlL3K{^2~Z-#Tw5r*<6P#svzBSiF_n^G;20`V z+p~J(!BjIFZb48-&%x9(^EVzgdTgVe3nK8r@xHoOo7~{w{qD)h!SVj#Pkpt8Hkd}c zFZix|>K#nw#@dnyA?GVLXlpl$sy4x})q*E1&k{wgQJQNzNggupNWxNG&u%a!gPcZJ ztdL~w<1cGYNWt7u&~R#y38<=;`aDTGBpdr8{l@wWcxTjf{-;e$c?V*u4&5CvHxDfx zc-OXPn}rZjtUP55p&-=b1VZv7BQ%i$Vu01xT2E@IIDCtEBPHfu2eHd}P{R$bO{)Xu zTvotBYGwi{Z`QJ$gW_7z;5BtuR4t#{`9)2WQOT`6UPI2^x9BLXH4Ag zZg&BxDNjWy8(tb8?;|>p&{(5P>`72nWNQ2Fp=3jSU_CH5zg1lr=|qtQyv(#R-7xh$ z)j}x{N{e5X;qi0;VgR}`T2bH`w5EkY{$&oR+9^8N4!h7~6@GmlC!#&jTE5P*0xvT? zE-N3*V=fbER2$`lOB+YqLNrlXRM7#WFcmZx<;Kdn1)+`F7zSNMl@f&Z8O zG5-Ij2fO?44#G+N1;$vC|K-W!?sm=pf4leW$%Fs@*Z5htB|usq^}l}EFrh_WB;uyd z>L+5Br{wMV`3V8lximF!)%}(T8WU5_9z8pipuw_4Oj{Ek<-*p92lCAzaYAc-ogAix zRZ+HDX9dlHSAwsux1Wc%I)$6!oz<0hLk2<=vdC#B?QH~AxvgK_4k|~z@|!#z0rhkF zXxc3l(J`+LF^O#?xje*gp~B&1pM1AGK(lKL#%c9RE<0XkvM7%`--oT%VF6*?E=!)h z>u_zbXzS6kf4}Exvlnd!b|$z%_{S4@S7OpR*u9&r@d zzFN`6*0~^8jAb~c>xW7-Iq?WgV`f8d6vLUuEyajm3m#)3*PL3`9~dx#444!Ns@+Ix zwEX7ARag-zu!pVIZWIa7#wOFYPG}N|G6#1)U|)eR7i3r_L!KnaJg1Dsvfpa;Lh}Ba z<+<7yOws}2ns((?CwHCNa^vHaP7;re{vD_} zf^SpN86;xRnNV46b{jzJ%RKAn{VnCM*qEOi@sLDTqRl!yUM zWM|WmQd!Uhsxae`$QdxK5;9*XeE4|#3rvGNdUU-*z9&23i?I9X5&6imDU0V!2B^@5 zdem9xb{K&6W}jTD--i5Ns$EwDX*~PJoY$OXLh?f7Q`15{0jr$`C8=LOdZW2OXvj-k zm`B--Y;lHUuGQKvfwrRG26*i4o$lMK!D?8lrg0krVT!!sLC=}O5Mw)V$xKjG^V)k8 za@oLIe<$;P{!S`QdSUMg3<1#wN8gIcgz45lU?>OFF zCxYVvZmTQJVDrqi+l1b`Cx_&RT$GvrHS_|P@ul`u5n(AWRntp%5npQFO5cxouCXmr zKqcqauZ;??)%FenbXBP1vJCgDbE>`d=U3g1dq?la9X1%eaIfZXqU&;J7HJlCIS)y_ zE}!2M-Xp5*1M8!<&PoE8mzM)7$1Nbw1|bY}uHCij<5o-L{Uyyr#MPZWj&h&(gS({C z6S&*aRNH9z-@#UIWA2=F%Ehl>IGzyH_&{6EN}M?X@~x;%Q+ z$D8|l+p_dGVC}Dcm=<7VF|LkgseABu zB1Zl??L!6Cu+{2&s@V&aq59-UwO2UXoi@^wC}-3U2*ru2SyVIawMjG#aeU}tzrIPT zw}l+jfXU(_%V`9@MIFSZ3zJyz!i5Y;nEwsJw{Pls=8VQ9qB$Fu30Qz#nNL|0Kn83m z6pLWx6fKUJ%~wE=u}-|^vEx{fk-EP(b# zjacu%;x8C#c zw$(c0X~f8NudWvI*c7NJBFXvQ3EYz(_D_f+mJkLBHEFN{#m14K@oTNH+9a1}sGhnE zTSvYsORK9U{FcRDib!?gxSK-iS%uqO?OWgaIA8_UAp zsy@)29V1th*uvM8DQiPfg-bo95W$KJ=8z_mT`JUo5ll*3ecnKy^OuwHe#6rr~glr5b4?W;}`4jhc@#CPo6(}@wEHwac{E)xaL3+s!I}d zot+)<9#)gNp}OPSXYm!N`x5gBME*fqykNrau5mij_lH}NjJLJ}PtxPelBf+9G&L;iQLuPBA1zpNVTSs+q^pSM>gu%4s&0L)eb)~2i#>g_H2R<79 zrxE?x&XewDYiRO@*z}BN0&$8b3HpJ8f*v?wz#B^f+k{;1Tdn9N5jnZsr)(n9Gghc$ z-NHP$g@D2@MwyLwT!?%;IEp0FU41~IjkrNmQArpEgxR@RyK3Jwja$Isx?2e5I^?;# zK*LsRH-UWH1;1v=v~38oF*|p|ov>Tw-5hxVDh3>S8ZoFpWR#|t=Ds#3P@fs-h!%)` zAtC`lRruQ0l--caQ@q^5V>)4h{|7AZl4P_{6L(aFrc<(!h;*bbrC8jg1)pd`iSyP} zJp5smCfOJ{&1ATBW*%FMY`xbH`Jv=7$T55Gk9G2-;~z9@e?F$^6<{<-a|#elWCh18$JG0tMwfvW5rCY-Hj0#Cz9T>iElEf-;XdDwT)|!@v z+q-m~URu{rc;gw)A@(!a#pH{ojdh4M#1<(2GcIlp7o-vP`aP*Vto zA`dbV%g$zh9z?y-P~ziRpRDz^pMegzw?@{D%t~DDGjNAgExiItBp_=;A;LsNG+DEc z1~fO1)Mi!oVgL9{Ljd4!Xyhf?)h4MNIqokAt%Y#@GpAMSZK!G(dj0IahK{y6ckn4kd~NK9%% zsBx}QYuh{dKt4!_b*T{wB_P@YNg$l3Ws>mW)b!bzpRft|Nvu8TzT@fXYXdw|Ak2tn=Zs=6=Dq}%j?UjibDdbY<8O^kjX)vDeE@(v0@!u>dA&B zgViDL(2RFB$<27$Z?(QB2L`bVET^dkaWUCO6=aoFEN+tl!yG1DSJ%~x!ek)6%a$&D zT!~qeER`I>lVVy>@H!-tP9U*PxE`+}^b}KNipHaQEwSI^B00XO`_WW~OSas1f_DWOA-JV76eFfKp z=>RdcdMp41&&Q7Mpz%a)mB=kI9E$vg<}r&Ar;=%drAB=p=nu)iZJ5W3Y^v)UY&ck% zn5@w(3#$Z99W0}{SR+9o$|5U^mzd7-MYr4StN)p~LMlD9F-_=|sl;WWjDwXN=k-0I1?adn1e;6h;s75ArCiMNS*e+o5_-wIi57=N6=9bC=$gprtBZtC%h ze0m~yTF5^6xMpn#Yrp8hcViQLPbNH$6Lv#$CP}}EyclSio5O2RXQ5{1rmp^R%Rv&T z$n3bKbm?L$kak$Rp^iQ1um{Y#FF?92R9@fE>1NnkC!Ih2JNa1)7?x?!F>PcGjR6z3 zMlvepjWFkik^w6e#)*`Ls*jfMUW!+-U!Cez-CwQmw+JkObnWntu96=( z%LqW=gP~%}zSnsvS&jn$b<|JI!urH4wly<-?^IVxqvCqr*`2xbnsBCG-9lJIwf-6| zdl^(T6LJUI=T7N-+Gki7AIaJ%HG_EuP_3<$j?|Zw4X&eXmG%!O4=Jh5Tko;xGqJ)fGV-{WYTfNXu(_W=6a8$CQ%)-`o=;4%?3)@g? zO+DM>Li2(b9uriJM=h)uvz2Y`&SHQ?yyaxz-FyVMlkB$wvK9n1;~`IR+re78R;6Ip zC_eF56&tKVayEy}`ePF^Sl0@to@RXJs3Q&2GVI}r37yqg;m&_Eqh04lC&d&YDtBLL= zZ7zU2%-AM`s1-{mSQ-K$gx%KA5t-D`5pdZjmesmjA3jfI1md6>G_PC-k)FK|YQ;%< zXF#!&4U6`9MmtlGMeJV$c;`y(w*VgXNymGJpFz1&sQIRKZ02V`qbpXgP)!U4ovm%w zOlB&>sbf0xw0^XKeeg70A|<;&o`L*rRGA;qLqR<^&L8*S3r25bkS2pb_Xv5Myn3GY zuJRx-gL=k`YrqOx!xz+Nv6qr;x`V!erX))O|O(KLt>QG(wa_^xfDv$l?ABKh449;ihjp2N;-oI1*xn2g8RHOGi9qTIX3}fe%0lPyq3Cq_xn2Lc;*^)^6Sg)(Uo~-lU8ide6s?)r zXrf?gIT^6rDPJ45my#c7!EWgE?i)N7H$fpf*5NA{VNY@skAgbnJS{~j!I|-lur$i2 zx>~&5V#{3FD-PE{v+TsON!Wg!yyYn*uqHpi?8woxYE1ep!Z^OMiZNAu(K8R5@J5k~ zp0#CaXtnByGrK7bNaJ-sx?&LU$ns)BGeD3%S8n+o&DJXCR!?v*p;8{hP@^jrB+mkk zZ|qh}Sh@@d&LEBzPMUk$X#G|Dco*O4i5aVu#nKapr3s{#vgS3TlL2foTw!&iJhr({ z9zWjsWMHe_Kz+Ww{v8&mDTSF==rW%d>1Dh!x6V!uu^s=|piTAd(MmYF_b=9F) zvSX=l+ZzORB4FN{U>8qm#0qB2)@|dTp@e+R zWF9dvZXsbMLq>}ds|Z%ZPJkW*sLB5EnFokWp{qLI2#mTyS@OTJKIv^gf5%&jRH;cP z#?+p$Lh6yVB4k2&(kE-b{pP>BfXC$b-w{pLBZ}3VU4>&BO;~W<-41ESL$4(yYeFTl z$fsmoEykGC(BzMX(&i3jK}YIVTBYMN{MPR^PUYTMv6tz{-oA$Y>=W4ISSKpAm4G|y z{KDwruTrEfmR=)of~R2je|$JSxY#>7JUBkTINWdfl=rvau+NJ)l^2m2_`yt@D-1xsmK%xiplaQ6Pg>E6M`52x=xoHX}f;{xIMK{r(! zK2LeEXB~d3H{G>J$_Wd+gjgC#;E3EOgHlch;-W@6%Huig#Rs@o24?isJp_$6b8^^67Rq z6>;PCt~5yI`13`mvQl5_2tlmCz4ZtM)>*8Ch#c|&V5dC0fIrFK$*+Q^8{f3Q*@RB- z)3nq~6|8Q&$_C+wO;#fEXRDiU2(X)VQh-?)2Py|c zJ1V$L+K%>4_Yr)R)*j^Dr+OBPKKEd#n8Te`>$UZfX~>pZ!09@>|EB z4&3Jf>2<^2HYAGZ^q#hSh}L=j)h_UL;v(V-mLvw+0BkT)BCW*8IwgY`Scl7QzgWQS zZ!drBDS%!Ar)pS33#!k1=t*%|$%F=3ozU)!G5wNg7hg3`o%@ZE{r6-HLNeN*B{AYV z$~IcTa-P%SkVl3m((0vF1*>r~){*Qjqp|0mTzDJzsJ3wgVPzFxD>SK{qOUTlK6VGV z#aU9SgP^6LmY=^+$0nOZY*MqH#3t_OD`d~h6e5{Zk)n5%CfGTnF{A{ChmdX#s@{e* zZ(?eufPuFdqN}Habksz`(l}NF>O<*7fY2AdC5L+9rfxXuGIMbgOBT6GO@?qA)4B6b z(31g*Qjy{r^e0l=8~He9dGl2>p|=Uk*+7)}sAIkl2BJjkgf?X1P$mZ+Pdj?jmHWx2 ze%+kw!t8t&{tBXn^u<;jM7HW58Tq6B9jQnn`e|U$W4?PtCA3^O3-yY_iHOUD9n%SW z`H4_kTVWI(O#Je?7xuyz6~@yjR4R&>1Fd+mNg&k)VVr>?mKRzdn?t}vMJLlHyL;~r z;3KW{#e@?IPTF&W{P(l>$EMQExlNaCL(l=MyGl^>WYabjJcgXqSR{4Kbn#?UDo*t= zrjiWHB*BPbMImo;UNG%W3dyaDu)-l$gYL^*LKL=5Q3gZEG0*T0^pZy#uSTzq4kYYH zAvSEaUVcw@)2amStL^--Xz4G-GKFbscbnQO1=lnJj0I=Xs) z7m0}~@U(b+UrmR&-k9hK)d1wuO}?69&dc*=S8@q(#C(n<%ejEdR_8X;X=Q=K;j-|G zVxWkD($G?mVR#MdkjPxEo>Ki97+q5?++i&FT;QV6u;;*|$hx-@j@BeaeeDU_+^nm>SJK}+!{Pv?qcTg64 z0O*t3+uIdX#*4MA-lFcJXWe^qv44Dav3qieOS`*Lv^KEShXVZmL8`<51PVjre5;Eu z8V23F12wnh-JEdDyrZ&ze5S}pQD*&C>rwSn=MlnFa_PUi^!z#>kzH?tAwaB53$!}z zAD@x`AyT&Z_^K&g9;!P-b!>BJ)<$$3;qJ*HIajEouc*qT=Y$~n-}t^lE;0xyU!2Nr zujAI!!K^SCQ)BaW0wse9>FHwWp!*^@jjF)~bckj=(6s2MpMIJdyS{ci7lipI%*9-m z3S>?LeRm_2Z|8zvuj(Fe8B~s9e_>MuoJU>iQw^>dcIZ(^JejbmzMa-Js(N_Pj00lL zjJ1@Wc~s5r#tiMZnD6-}U?`U5hG)E`SK3IgzlPns;Yl3PJPtH)0|f4ZeMMq^JhydF zBobqXk6j3KK-Rq7TQkodg|(-^9p)CejUcVyrw_&*03+n!1f??s1px0j8&@`BRbm*V zRrRfxvpf+aP@PstNhV@oMxi1*s5ccK>#=lpR*%)JK1id>hEU3*GopAHD46-^k(a^r z(IY=XUgtQ+piH;zMIxa!ILP}h3i=Ok$E!E+l1=kr`9#h7ApKQLL$YfU;n(5>UAYAh zkY47%RNR0x#ill`nq*Fk;>AsngkND__szi9*Vx3$Yi#r#e>GDNoDSTmHg=22q9I%h z=W<%wh2MTo+({!8v`R^8|sokZ{9}_IldEx9Xv1l?{=mE9E3(Um8Zk?P}!mBtjdORfhgw2vdgKieT8n5}P#$y(dtIf`Fq8w%}E@u)nfvv*T;qkHc=*ML77S zK-QKO{a9A~xd z2PIEpd}@vv3CZ8dC}$Z7c1iCs30{*O^42Cq(F~$Z^MJ`8G-_dnfw?DoD9k2wW)Jr` zqq7IwgIec$TOV>anG+H3n%pc+(wfc&jZpv&kGz9FOv>8;tv#*k9rd|~yE1ll7(z^< zd4Pr^1c=mgy4D`o!C;EH`<+apmVaJ#nymma%Vae!!KK~uXv-X6)v$6Vv)1|18S*zD z6=Sb+6RoIHEfU#TFA^E(W}CJ;71*N+@U(gBsD9&%=t4@ZM!fs)z}CkI8Sp zBeRa80LEO!Ecm&hoyOQ^UNHhYl}EX}GO?VcQ>E4;@}>9+4g%DuSa*)B{brBepj z$J3F=JqHAhCPx}EKVDp@b9-^|i>G*zOdT0D2>I4~oU;+T?UVoCFezDD#1}}lFJwWB zQeF(o;gIDQ8zPCBEdHLd8zzg*i*T#b1K6TLGfn=j=e?m3reTV6k+santIc1L?+Zur zE;13L*QHw69hS8bKHB^@?>TZwM<`yX4po15T8#cezxh=RbZ6BN4d5)V6_dQvHR|`V zNJVbeXm{3O6C_4ifB}_gSn#w=n7T0Z@!uCWsW)GCo8^5{X21O^1}`nE_&a&|lK5d4 zLj}1f6Yoh~HX|7C0b2Nm05G)$*DUA7v`=)w6CY|#L2S^doJ=V2Xf^|exJlP4-*}a+ z(R=gXaBg8HV)Fa%inw_X&2FkUN|=G}Jj&y+$%N%7`OTHAG4gN9ZivLx>RywPYvK&D zk`;v!Go9GnKt1L-Tk3f<@qjS#?=-RczSa6p1MK@B9ht&$+Jusuv7i%frB35xs)ax8 z*ACaLa+@l>~5AAqf;nM->F4S!TN+mhtR2x(U}&v)Z;A z+ZffXW5iQGc}?_jMa!7E(DeI7=81WtWepfJGNL!Qm*F9(iD@`1s~Ve`$f9VrRy~Yu z=_F^P*Q#Rj$VRc%(s>5Dr!W@L71KF9)id2-q7DjCmAh4<#gcUrCQI_~5m z_4!L9^_jIieil8lDKIAx)dn1~@9Gn?gkQ6KN;YQ3-TacoY~)_mFSeNrqHeuGJ4j!h zq@jc|!~s5P%|waTyb>L{_7~u(ha-<4?>KLOhS*XMmWzL~LyeWeb1ST5c-&+*}jp?9b-6j9t3IbORW9AiVX1p)dLsRww zs)~j^cqUmvqCA$BiY)fc8pMa}<|Fy?x4<~nYIF!_#!Z~Xecp7I@~NXb5c&z$K2f{* zaQ!`8e-GE6y8iCL2V#~idwV}TgEycm`HZVpu6o!0qx0TB{NRrvBv1k<;VF~%UjbrC z{g>^>k000TzwGR6Kh%Ht8b9kz^(!4RXnUd2*bz|{@Elmrk^KyGb}_qViO9gU90(H@ z`HFS7HbPJR8R9Y4XAU~!E`zd@gsO`$0BMjL79sDMu_;= zj{R&?s~5enQ1q*p(U?sr87Z#SCBW2nB{!D-u5q+PNG^GbgJH`6KM#JDBHh#>5$J~e zMki;`?#PbeNd#)(a3XhfEem+!j)4SMK z@>34N4S@Jkt@E;VX4K+}Z_Y8r10o&HQr%4~wa!m8XCxLWbNNYms_@i|GCPP~?Imu- zk7HgKx3vSP4sv6kK=c^ayt@|MXt9RPCOCqx8DN7ha~(f zBG&J}!xNUq*4G-VTYI-|O4uYTre-xPCa|~xD{dG|F?u4)x#F9lUSlOSI@X*9e=Tr3 z0i7%}sX=tPc<2Irge-p?NZG>yTF9`c$|65Ru4pCNqJR zc!84GYTnj@I%kOg)VxYlMeq9_W6}NJ+j+9x?e^;Te{cKQ!~Op?e%4L&&XE|wQQz4P zyJ44*KYiTIGAB>&guT$KS$gksrv;JDs`@V{|yA+m#*obCrnB@VlT0WKSv@F z`Ab=X8H36Acx zVrm|W1yQSAd1TeVTjTt36c4c3YCU?S3xJZC7Oem15!vo;KMuMtg6(GzuP_!l+t4=s z%|7YpN{lM{B-0tmaerEm$dKP!6BoJMJ9?ud3NG=^1vl(Vk3e6lHjEawD*W4Wu-ONF z*6zvSNkUVMPv1Q`d|jq-!X%W7$5Oo}iw2Td9n=SxSj>mRmiiwFf)OtWwakWpISiVf zws;z|Tk@nAv*_uwFdXhYr7z-`^nhIGxABwSvz<7ac^d>l^H{B|t*trZy?RB0oySkw z&&U@3di9DJ?#l2~=QcE5$2zJH@O>?jH>vVr?(({)s!eO_ zi*kD!GKwR>@S(NNHO&>jY1fXc4HGe{!x0VHJRP0!zp>AOq3uZWzcJ)*Nu~43%5iBB zsLOJ_Hb9scyrglBOAOG0t?7MWS0&o3C&UJleKX< z2f8 z4Q-NfHP=!2)4;Hh-Kj&$8K(9MIsde@_i!u|Nv#82u2ZkP-?G6a}${TJ+ ztZsRAB41!vGoVRiLGTA0h81m z8@o0B%q-7EjNG@gL(96-NS%N(3J*Zl~zN)3$`b1^Otb*o$ z|F8e+|6fzis9pW?Y7?s%(fX6mRg65yxo(IDIrl-%eUNh>i_vabtZ|kLJ3%-DH*Uaz2+h}a&XKtx!KoW z+4ODb!%Yebj10njnGAf5Tkdwh*_mW@n9SS#orm3@yZgQ8O}h^@N%ThQjqj8H_y7KX z2v4&Tv=lr>t_68DJm8ftK|_)x;%0a6-NEar;)JkZ$0WE8=A+E4}&L-lTNm443s34F}iAZg$)$wy@HT>*;c?He(_Re#E`@F%O!s?vJuX zT7ga;v8BU|JSy+9L!IOzQ&*HaUf$iJcn!TR&>BK;NX|xF7MK{*{JXFBE#zWOQBnnbbbil;Go`O=GQ+tfhO!E3#S z?nM%lF_%!j4m@lNC7LN1L86viB*}nAS7hUG2;Q!e6>Xa#$}hJA=fW{Cy)O79t&^Nx za|P+QILHyG>_`vwL`|=jxY~R>;VGY#lYZB(X4fXqQ(P$70NFAUX)HI%fDJ`n3Dt#^ zW{N)nke(g>@R!4*BO>`Ir3v9K^NRI8mgBO3)B|e3g5?vQ0`2=Drx810Ifu-~YPddm z>Sm>cemz%R#Rb#*!I!QIfXTr>V5G#H_j#G7im2+TLrD?JCL%p!MaONfS36t%Q$qMI zlzcInV$@V7JUwMJp4u69VO!S8`)iixJjVVLe$7%QWhZAe=IUQSkwZ&4O38+00_ps9 zg#t@k)lRO%itn#W0$rNgTPAHImXk8YWH4i6#&Si@q%OIF6<0#tf#plF>XGpZQ-2|H z`i)LpKDN~$q{voCKHxHxATZL=)|uAl7)NrEl2oLDIW;ahCvfAlb6EWZtPJ}5nCn8A zssRp9)cFAl0U-f5TrzSZVsdyg3+}g2_}_(Bt_E`e3tP03I!JLG6u?%4)e2)EC_I?e z(!Oel%`Ey1x;7E$4NLY83oXVo_+i@5dSa>`+t}}lPMA>Hw;3q)S=4qOEBR{buD|qa z{KA_?D7#hF8tVO-yFK1S8s}lY^QW;zYLBtLFkTrhg{60?dWj3j24o3UoBu0ShcB>c zrxc})Xij+gD+=Xs&H70XbQ-Y*BVpLLH^`7D1^Ao#Uk#=vZ7zPl3H-zJZu=S8g8$Fq z9zIB@FamDIF4|v?X|6N*sDH8({NmV4mRDiY_HgJ-#E{J%`J0gJW?3>-2mMl=+hYvZ zM$!KgHzQ7Et*jL!n*5O$dBcIF(E;oJm3DmF(yU_6}|x z{~HTb2QpC1w&J}5#nN?fFJHW9Z$Bnm_^W9*iB5UplS=zSdgP?#`$kj6L?~v+)_F%E zD+bGH?G-S;GY`?wid}wGM0}siyu@(I*JV6n#fqC!+X_S@TZmP5G7$%{?K>Di-@$dS zv)NLRa>L@NpmsJ6_Uhjgdix=@JP$tN>8^XQ)zr(X63f<%H~-emkn@FxMHhEvl4OAm zaz6j7w`Z@Oxz(>#iiH$4UlmmAhi+9Xe6B9U&7?BpQd4DHEVN`u4A3$%nFc!TVg%Jz zw`{^&Fy}{*?|ln?-Bp&{t5$d_B_pFm3?OOu^)}`@&xxF-1-)(Q?8=NRi59rt3A>#M z*QK~R*V{oMg6o~mddhBs>zx3*3lzy8BrGucfWYRWJS`J;1|Pxkntf`|myrZ2c_2-c zWvlYI4>Y5;7>J{;F@puYmSA%vYp^r)I($)mW!yT6yV|JH4`l9b8V`MX} z0==)*4c0CFDqtpI5;uv5V-sa5RhO6cR=UKT?;1*>89_(KZdH=KHec{2ty1&t-kh5V zgx5+QqpkT@{5~7P0P$5ms}A-Fy55cMpHpc8}=dlRCxuq?83_8X**)#HgqN zXraDT{F~%F&oiM67E% z#4%Y5f`#PIBdU92nx-s)99L^lq;0maWbKfx`)SGGP(OVJI#>OB=1{L&rO?rtwWwI* zp?WA8I>qsn7o2)_JS-xtk^TJW?45|&7r=F|=grVfS^>4MZfM=uFb={HDofy@83Rn0-&GR4<{rT`YjRE`IN z<}sq&cJFz+_n2(y->+WHw(xLHC%e}3)D`h{J~1d&?arm9bcLNtP_+p5TU)gUcjnlP zU_|O2or)yk>F5I*Z$wVsr~52n1+>LvT9r>gzwJNJPAPQ;y=xzzmHCKi{d2>23v_P{ zE`eTu&gWyL=A;!k4M;8q3hQbQ?rc*TGf&SP2{7=-{OpZko`&NYNh(@zr2y#PtVFs}oR9p%d7$?-Wkf&|1g*-)VMja@S zRT!+cpD+V;9I0Lv>gptGT01Xli`LF8R%gE53alncZ&vm1Kk8oX-0NOFe$jqGw(!@h zSEL4#Mz|RfRkO$+&(sKIMxf0Kx)fU>Ajm`<*aV2)b2AHfo&t%31Tc5mS&w1x+T+cZ zd0@7*@~0+!US8BK_wPGww_DlX>Ap{u!It5frTj`?_HwMH6Mzd1w&Lk_ySGiY^zT=% zNF{-*y|l3C6x#L5JS9)MJ7_B`#=1&*DxAY<)pA4-1rH`!F}3xeyxisPDhGTtwHvez zP#2B1Y99Zxp{XZIxztM__@Nz9vCvw9$>NZ_H`au<*CB)vXk2yOwTWV`a1cy>1U1$}iFZ)|aSbwC4jyQ=74W*%8t zXdT&sGm~tSu=D_OK#jke=OR_?=u5200?VDSVl3j9l^pK4_jyjC>W}5^^>HtvaYzn_ zBw@n>LDaT7h#O35sdnCLr};tmpie&j;thp|8?4Z3ql^~j7z>96W}ll=Ry}8W3syL5?wG-udiD&iBKY+WK2bhSR1cJ%`u!a! z*Wvvis1eU$Fsz_u>Tr4}Q%(fM1WS?IOzAgvTZ^HL?>rKb#Ww)RkcC@%SR8 z75&uF)xbt6&*o6xnti4KV;CW5U-ss5HI|-gm@XK6vE||2W>fk$q2E| z$qn_FSSGYatlq$PA}zor39|m7b6J~=oWq!_$-hZ98@iN6D<2Uca3Pyux5Kz5Dj3ALLv_UQG{=w@HKeWlo?(yMX zo4naQ-#u!RgVWRZr)~1%?&)zG_&4kn52tF|hbI~+1~!XQR2gU|Vq`u~#hysiS%w3% z<@LR$I$xWGpnBYfN#O)>wm5ZIM+I)si66Wn$W6`*?KGj#0$esJW*OrNYr9&odL>#X zq$2{n_4)k*H{!)40KgCnz;pxK*H#j=*7{=HdG1NUOH& z2z+vmHL@JVzJ3-oSa~%I8Uo;snbB&~wd&EzRHZ-HMcZOpYb7QAjfzTr^03NTBw}@+ zuWfg`?VWBn*y(PsnJ;oy+b6y5MC$O?N}u|C)VlG)sVcox z_%>vVq(WWeNCQ(z9Y0axS3A7RjMZFNEp&La$ zB{m*8_Ntfb6^G`EG~TCu^G4IQ^*V?|ieHmjwE0V)AksKKuw6=1=+FXhPQU1L<8|pb zP<@`_2bIE!^Sd)8@#jv_C{wEQ+q&DjeO|43*{fxwSOp-JDbB*<(+8RXRc%#uNG%)5 z5XaYLbj1ohS4yNyqp8I_yDMwmu-EQ}JMCV$-F^~w?TtIY)_tdBVB#Yq1*i>lJb!A;T7v~B|yn<5t z&$!F&*11o)LbEmvN0ify>A3ysm+GM`=p=Jr<2>IMMYe69VNJkO7W14%g@-j(D^VNL zbG@rSIjiclnm|B4{$gI{&5vE}T^BO%>h8K{mAbnXG_C@r-o%4TwV4l{>YF-@s&8i? z<(;3ZXJY-KQ)Qc@)m%3CtE28Jn}6rk6YaGg(}Kog_(e01|Bo z)iZRl5T*xA6h^4lqEqYx)ohQSzGy#rLbe`1eWrfDdR1WX zrROYRsZkF5l97bf(Z04~dW+qiu%!79Zs*J;YHQvaHwgW!t0wckH!{o>eiGB5CP zgY#4tY(fT*2(y~b$>{}j_MXLK&gSq5k?Ab8iJD7&7q%-!j<48MKUWfiao?yXfAS_{ zGX5-?j?4SA+C0EWv~VI(XCs=&iMnvLrp%T=ReKtVYjr&= z%pK+C-IPXXCAvJyv*=5an$hXW-aiSYL5u7s9%3L!qAc{Xsm+;Xoa93%P8e_XTKcCt zTpmcz1L^rECOuYLyAE-65rjL#dhVo#FR*Dx&F7l4n@%gxkNT}G^RK)5{2JSjZhsfU z&uThqLPU{dRS{>kK*u?&&(t33^V?|@dz7&CWcx{b=PB8Gvc02zzj{S1tiB9+f8ZqH z=Yf-aAm{%YLE?%}L|*9BTGj|@p1YJ~gskIg z-K%Ap#7HHXUTsvH&I|miZSuc*Dn0AWE=V_o|Jta!G+j;@P1SyVV`BFe<|%AQ5;7H~ z=7NXd$_;Qg&ks*zNPgBq;5RfaOpgUd=KxCU#DhbK7EhVlAm`tV<5m2#?O>)e&o_Hr zue(orFSf(p)8}EY+YNhN2UhiNS-67fc*aTJWOd+DJ8#4YV6-l)zSOHDL1UZaPUNPy zV-Yj8sc7MN+I!aS^|r~@)86Cui=8TF5$Ap5du;15Pjr3=YaR~*vTt+F7c?I!&|1G~ zMI2Hci4M7(+9q?K5?~Hb00!jfwSgdZU zW6UPg*Cacj*@Fm(cqb%6d#_T1;{?HGg>qAIdJC5lU&?RiOEu;XGSubOQT;< zUwP(7(@mxtns%Q)DeVSpH^v%&XV>j#zyBnN>JDl%oWq@NX{z8a(x1U+!SGHqA*3R% z#$t!s}(!LVD?`Y0wT=y#> z7-2B`n8%5Gy4BPLnSW>2yv4T~$GUrSe@?59t{W$O$o8gD!YUB?kCMq^7dTkR{5uPX zk$L>ydwj)Mwwv&4_Kx13VkffkrD|A#-@F0u4voshNcHD#eKoFTZeR0nordmU{hu;5 z%&uhwR%}^4=HRGn4hNyqOCIB%YiWsE-@8~anSN7PqkRItyATKKI^#NI9D;K(#HKQu zy#T4)pJmB(uCB+AcV^jo|EW!U;Jx~ER^JBDd0pO>V?btdWp-0d*xQ*uGQa7h>O1qC zJ~QZc56QpIVMS9++OCT}S6*u7Z!ADdpL(^dYUtGm5Q4b zLpXHqJ`A_dr#f@BC*#ox(@F7$#z9u~wRb}POg`+Nkd3!$kj+qc4;2v5JqC+aq|8@A)BD=Jbt$Q_{BQ>5s8U{TJYrgvlmah z&mQ;w`9y}VHDT|d1m>XVc~{VV*9ncUSzd7Orn7|qL5jTFq&`JN zGHlaliAdI)xw@5iC5dyz-hV;C_X`qTyKkEhvh6>WY+GYU)p0*RIzt!!Mn3eDup^NV zLi8t24bJNqIIxNIl8Vk;r%vw*@|@PsE0joeJz=Ww1Xa42eFvOsOh-Dmsc)2wSYDhm zDUxfJ`_E%Bp*;2OC0H|*BkmK10pN;Ra4!jwH1+GstDk@jg$U<-uU-#mKKpvz(+0jz z8R*d|6w`Re<2YeAG-nVXQPD80s05t2E@6Mn8og6~2C8XS9k{~Zg z5}sa>0V{48OVN6VH4AJ005py9Z9GlsWaf3}PycQPJ1lhMl{EP-F>{n^mX1`rYnEb) zg_Y9@S-`BDXMv4Uvca8h-CpwMz=bnGlin-GLq>T#|HJL35B)Jr>ab@!-FB}_ww`sL zx1ZMSdCtU+Y_C^&1rxi_6e=#E&Y}>6UJDMjbB76!w7;2>^=xESzm6Lor|ja;{D0o? zE8fvMtUz@VC^-kkGg&cW_pCkIw^Dmg@5wT%dvli2nPX;*$Ehg5fb7N1t1*oOiqSf` zJaS$k7H7jcL|dWhNGF`(x=^=bGkDApy^Ze5G*x?asW2fb5*RMfY~Upkxvqd<9db;1 zJgoN9>$ZDO$kwyxkJWF57%Z0{R_S=+buZC?Ne&X7)os!B4>hmPO*f=*uR9sZjNUaK=-HMeY^S{utm?!Y>pSq&f z?w&=|MWV0{>1>v>87vitWo4n*o$& znMcJ+AyhQ5q?Yk~Q??o!1h9qWE|soHV2?q3$(*WVP<&!_|K#GVNMVmfV2szbsjit`kIxXWEAq`~4MZ>n+ZNwS#N1fpT zaYn~|@$=hn3Hw;&^fm5iIU{OVBaTUZNNPjzDT|pxlGf-V7)s0H1+X)fLs|5QPNys= z?4b2$obWQ36UxbTHJ^ptjTe;|cz)e75}MA1+H%&PDb~AF7igAw)qN;fgpey_%1^Mk z#4(ZMl)Ye2eu+# z7wHF@hB>Bvq| z^n(0LUC<+!=v~S;HP5wghB9Wl!6RGnIlxP)x`h9MO@2tz59YOUB$aAtl_bEpXt$-y z;`sRZV9?gCr1fiXEZTHi#Ar z8YOVo(me}n=mcPw#~6e9?+*?5#)$x52rNyvhV70H>ciZ##HebV37=0&tabp*l# z#P8A&|3qhMQ=SQMsZ(R8r(%CowSYw?_uPkOBz#>fK2ung_B4Sq?nk>l>waw3vB(j`=R5w2KH}ekPrDAiDdM5aXL%C*(YDUGuMzY`G;?Ouiy82Zg1!M zOmSV`ZwAkQGkB&b$$G8Bm&RDTk$y!xgzzqUyK~K=fYry%^~_nk*l)F-K2^5{0O@-A zl=OT31GjhV_6DuiQ!kWu}H70-i>;L?}qetHwDu)(nO zCpmU{U)1$q{s-hWd`_0Q+Qh=sXy!7GMdjQV3sdm>miULb?kp+@H9_0rTkfssA|{ij zr>!Un*++6TVvGh;&+GRG{qUF(zt=lFIB2=9+f1$HIL-!&2s;GOA?!9p5V zNaA?ZTNpw6W5J%nKrkK&C?oc)iU@8jAg)$d1x-RxC_td!^)r1;{`>#&-$>4G()@#^ z+$Wdcot)yvxRwoWnym2X0Bmw1JAc2R$TkCD6Qb&{epFX zx!5Bw%eaWL*n*h{%eF#w(eAY!!b{Lvt6S5#+Fe1q$Y>E^mLHOrF*C9A_r;u7I;2{} zin6W#Y%u3_t9Hki|IG06Zqrh~sto7PcdhH@H!pT#@VRVv1T-(6UkRxIPXg6@E*FaA z=5NlgPQiHch@JRNf4cO&dIh>8HK6)xM}8qF?y|{<;VvEgJ_%&Mr2R96?63D+kHt^L zbFJ#{$8|M(7}3>z1zZ;A$U!5nNa|d5sTO zJM#qwtPE4bONM5;`V!O65g@}-mMn$G0s z4zsJmg-BcWQlrc~lb1_rxmHRF)Q6m>>4!2SuJJ%nmH&RABdz{`Ce+0Q@Lkc^HKBoL zJA9!X#c~=m?k>jZ4dy2@N)o}`#i>zuI)M+o09t4%V=RX?vD7?U86vj4Y_L4F?S5i6 zYZ|Jv3uA0*K*82}De1(Ew^pX|?XNrRo7|tH!C~i^IHSRVOmEfXU-(JA3yoLaT0DXB z!~&pR(UcCl0mLz{%%7-b-3gHJR4)4DsEyaa{9e3t4Je$n!Qq8`f6ua_gchJhpePZ;D1fto6aZl z-UPaR51f;(H}>yZ2pwBc;W>_->N^I^EeE7biYQjv7N}}at*Ti|w4pXweV5N}tJU+p zzJs+refsM4o99oTj>)y%sp}58R<7{p-{J5)eJT%*r%z1;MF5;eFKCPnsA|3B5I!Ul z$V6S3CFe>;*4>jMC0R8WBc*K{`^|tgKMSv0OPSpB`i;uu-IcqWl*zp>%H$2o` zYql3FJA_!h-1b`*?{`tq_PoBCS^vw-e)gH|A2-je()B0o#+uzS3sMLKQ@ZeZIU#a- z8_8f%wM>BNS-!8@5-^rD#&S{kW>GZTj=n64Pr4|K?Fig8tF(d2S7Va1C0%4{!I5Z@#Y`Wk6-!hY z@hqk*wVW{w7H$*^Izw-NO!*rnO3cK2Ly{JZYf|FEp?qI#!@Ld>P#?}|62?qJ#e>6| zs7}JQ@5VjvVcrs~{OQ|lmeY`tSEB7tpSD_7@{dW*sJK^?Qht;sWS-tgA70GWsRtCc z^m{Zez4uxW1E5Aw@({i*R`tl!r!)zlKE)<|dh1y*noPst#Pg&X?ZMVFarZhPj`)f2 z3%2#FA&5#k?Q8H;~0 z=@@=s!hE8{sF$yGKd(tKr-=^7YE=OlE$yB{oKUl2MLv=z%$s>|fQrVs7}Jr1GJ^Ax z<@@zeNxTTSu8i3=nsD(#{~^_KH*8YPH}cb{)*q-?*J|}%uUF~KPped4Q>ougq3-<@ z8uc~Pz4MDOXSV7PrWH+k-H`OFSnJw^^lMn_KZm7$^$S_+``Z`$FV1MR$z=2kG#LHl z<|6;l?;H}x9}PNwPl%TGJwnLWW6EUOyv5^68vXw3&4$^Zs7M9*C0 zOx&lgySmKvKKYk_slKCGbiHq-F%nIvBlz#s0wAHhg7xBYWjr;_qHh&hD<~&Q!m$#~ zq}{|0l9ikboMhuTyAU;Q(AmRhf5>K@%Zg(pOl73_Z*QIsxaP8S>~RzO}KSWrhJv7q|B zgU4S`bITEZ_a&7@$?T5nW@AO$SB|LZlP{fyw*4fFhZ)fFF?rXPrQ4Y5XwWIn8Y4=@>X3Ul> zwqod>UtYex)YkmlzCL^P;O49W%1o`3iD`wqD{d3AQ$Aumqe zoSb*C#t!+z$>pmKaB+($lpVtp*(B96rNtSOc6Uj0F(7)V)ab?OOnol(JVr@?1`&Hk z-sp&anf61Bv6||NSr{xNt-U?cKi;57?|BCg)S33YgD*PMjXKlbvDTS#wpgJ=;Cx1u8*CX-uC7V)!aZD3p(&UiW8Oy17EZgOg z--C)6Mh=OGP^W(&sF>)zYdc);8qe{YMps}c?eDi*&_LS(ST2QdY_i*7N=w(paB&xM z;<@fL%>(ADgoK>9ADS``)($Bb7z0eSeih^)?_O`^f5V#1Xd$jh3?s^k+!K&z)96Z- zpr<5SSVW2n3SML()i@G!jw?OwbwiG;Yrdccn@Hw3mpV)5|HyJD2GBc0_E zwHppwtWp5CIm2W?(!(r^d2td)luHeRfdvUw{I$OB?vKH390jWL z@4j0ptBu?T>jl0V>$R|URR*?TZ|52nGZ|lvts78n4;lZohHcb(Dvmck79&rJRhFXj z&m>PjumlpQs&jI4`1{7!2aRFp)pPjHCc2(?aQ7mEPj5qG2M4_{n0lTxrajb#Hi9H{ z7)1;=R-qHRc49q&XXK}|Eb)k|x} z62YHXXgieAEb1MAO7EMqYBw<=`^^o9J8k2UvUH_1U3GZo>r)2|##dJ}|F{X>-^{IF#W|dH6xmzcq zp!@^xO4Vf-ZO74{m@5cySKK(o8SiFk$h)9Vv3R)x3P3xFSlM`F0*{}vBADAM28~RG ztrt^R?}qXO-_s+oSY5JN#EX3OJGQ#g>C#%pIuk~;kIJ@|zILa@@ z`NjC9IL%hIpVTkKX*Q5Oo?nVn@k?z!4V3ef&q}5tCuIPJ@LxZ@9+!sR|ojv%Y1 zrW`?%qgN8A>)S#lLP*vXFoN~iLa`iRo9CRTG~54{v&|hGbVk3b&G&0b)b-2V9};OcQw>ts9R~)u4L8 zZ4UsrjM8FW$t(XE_b~(1-A=t}QG|26=8@ znq~42>sYZPEwm*_X8YpRutgJ#4`w4&ypW*GbCwkGN~guQTkz)eLdh*5d2@aRe@HqF zSxMHr^{C6)X;{uyRT98}%e|*UmjN{mZ$~Hsfe{#dOQN8vhfu<$U`Vn$6pGY#2KGLU zV%8)@!iy>&9~^)e*+-3WkIB(UERJ zQKHFd5CXIqq-;R9a?BzFbAf+a88`BtjO#9V^s0Q`|5P z$k;Aec@+i2B%HS)5R6c-kVi zJo_=7078d;0F%9>=D|Eo()_$S%sj|xwub)+Uy6skpo`1~2@vi4p(wJxeufZsmn@8O z09w%#s4pzFDyvuL$`gH_wiL{(g_QD>&BIPTLA@$KI)tgRdEjO}K}-$^WXnszcoak( z8U+)xeTr03K->&O4vo0R_0V+XgE49Q{Ubp5@W&&+KSVH`gTY~EI3&)&sE=7tstjq% zc6xaFbds|f&BIu9S!$=0t2;o+1?iIIN@^h+lB$F18=A=0Ci)rQG}Ty2mfe9%L743Z zHih;F&Ht2%VqJB;N2)HJ>QVhJ@0x?)Q5YE3Q|DlncGVe~YT7zy(bfj|&m|~$$n{R% zy?-yJ@BMrGBSBtVutEO)ZRJJIX6)mb{QswM$&w;`pO!^d7VlAtd_O6tQ!D>)XiIy90nutVeQ0iKdWY6e z7uRssYHRFGy<^P~zcj8aK^g;ih7^9Er8h}s(%Hu>ACofs^N;D|8|_W}7xK+Fq*wWH zDmpP-RG!7PVZ;B#1)F^=)|ZP~*Gra1#cE7$XfCed)kRn{sn`X}#e(LmF=;DFUi7A2 z`zmBS$fFFGa{JGJCjSmw>1An1{_+RF)!K2u?| zjJVh-U;AH!q2l$+lYhLpe0_R_ZcwjZK7VEf!{I168hM^{e|o6b(_v4DzmE8Ev<^6} zB13hEhzEB^y zPfetXF7*Qzs&K9T2Cn5lm}~i8xYh=)HFWzUmBYu*OlESZ@S0V|w!O%VDiCud?-3P$ zQXVa`IGV1M_pRVmDm4q-SEa+1aa#pe#{_c;(pVzTkvy8sfgecR+uK7JU@_gDBYcKT z{QYTo+#mHlPqKyw=Mw205XT2@&?2>_SNxP)j#QvRc)&lMygYYtv50%*G>VxgzIcYg z=VVFqNGkBaX*{DG5Z(b+TPCC7EvL2J_YyqSa_QuS?w9!cSdP9IrPzyp=a@MD5bySi zrVeAayuMLaii$#`Pj1N&F-yR0xqB^lkDThHGpLDFUY6o@-RaWS!&qOgna~0I{{W%? z53tGWl%%s0f}FdS^SIJ@U@ys}gaSS6`sF$KUGzrJ#U7OF_9ny9K@o$lq!5jh7 z0b1Pqk*CRTNibieA#s=Fu-B`7&z^5MwK zq=*(w=USD5ObeS>c{LX6LOBXq8f($F;(yI8Ti^t<~l(P&dG)(W%Kq@!8Tk8cxg^c)kv`SD=z8~GwiPR!$8)5HGo zH@3Ts_`OCB9@%ADtu+lgGN4L!QJW3btdEE$0;o{_!7*;8HE+!|mpCoM?BWvFaxLZA ztu8Zf}pE{=0%wiXbpOFDSzJa zwsf56U#!!5xngPSlGbz8TQ_GkjNmtpRl3j{-rYlESM9NAC7XHT$F+PT2h80A4Fe10 zuZCf&ztMYJKD8fC(-i;2tP$}u7Soj;njyXu>kn}4<gbjP_fk zIy5cYD2@rl4?F&dIQ>Jv*(t+zw=nLrHRO8C87%#=j8Fsw;N2R)*$enioHa>7o(O?M z#%_1W%m@+6Y|FxZ@`T@tuWse2747Isk6Bp_7~3`KhoEGEfDmaz#vnoUj5?2Dy@E#>r4nwuDjDTRVffu-$CLr zG7}!c8i>^j%kqHF;Cpm@1a~YW<%uF$?6s81-Oi<5q*8@If%lS(MmYh-gll<0GxV^Y zr*X*jW3NaTu@p1O9yys7GT(%3h7K78;w4g#@ zT*;+Qo}gU1-yxH-0C)9(Cfdt8<|(24gFZEcyrxP@&t3T!T8mUcnF9g7w`|Fenu9@- zt><8X$0`SdT%SAUV6d6Zr%S8wz+4C_=)&$345?_?O&%46P9Z9~dJ3aL&eNInA|g*t z&tL4rWwi*?(hB2vlR|m9RHB6Z|E^xY>cEfv+n zkyB_!l%RDkN@iElpV->C+CD`&lNMl^5l%~DVk~0t+tRK+f@6MQECbahTcr6)iDIIW z()a*16mzyvTo@g4SV+)-=#ev-*CC*s@eZ2Cm4_2e$V^C?@ruk@oC%=>MlcC93fx|` zcVpuBdb;8l%5mCaTh>f+dn&h0p(ayXD3z)ovPd)`9{ow>W~=tAUbSvhrP@39NGe0| z?}~#uT6TjpWPD88{a&v#==Iz|uisW*#=hfGQ=C`ZZ6E#}Nc z%25);WhkCW`unP}bEVF;8ZY>~x+jAFA|Jz!=|DF+BxfNF3d?OmvMxxVrY+$XH3(nP z9vD*VT%-hA>NO3p+c>}$RWY>g$qYnCY>)l+q%7uX9{q_{jq`eTQ1Ei!tTKjOYqctV zDSNg;Nx5o3Fu!($Q)+=aL_aL0;o(uoKP1j@Fc3@X+i%G%PA8U>Gj0)=v|Se;d*E-8 zu$v|7z}wZgoFySm(qy$rOI~t1W9@Y%nf7S~eX~y4j0vyT0yn5eZmVbsX`$$R&B-K6 zXucA)oW!y5(pCYq_LF2Id$K~PpkZ#MVcj5(x^T;X%NYsEJYJDWu6#B{qoh7`Os?lF zUZ@P*kny7UrrjVve)H#MXgd|-B7Z`t%QtoB@s2C@kOxx9Hz3UXr42Vo2p~H>KO>i_ zKb!g24qe_CG=I)rZUXrO*;-s`+)eO-J5|^=G-?&Ml}_rpabe%2&o0vSmFieRuMGNo zZ)x4%w+Ks?u=9{9U%YS@G)}8gkeI&lx#$k0-hN;!_0s*oR%`WNJwLsC{$^8^ zXyo}FTQyaQFPrL&$d+bu3FQrqDyl<`z?i9g?F^; zN?6NvM_j?bj$=rOq%zpZh{H4?Ma*RrXb_~i5Ov}e=pUu@0JEmQ;&Kv06?`G5)b^c} zYdVRpAlg}3S3q|Sp6za0q19A6DDx$|Fu~0gCFd!;9QOV7hlA09I(4MCuyPhQAWc?h zq}5E#(^VmEGwaI%pNl#2v_Y}tY+A-7nu3bshJs5846d;VSe~|bTSk(ATO&}L5@^78f&>W4#T_3INW8eHgsnH-s9-qI=46~Ftf(>7hwR8JN;wg z93AyhE3DtPK=aE38iQL|&EWBa5Qx*Hpz%c-p2!cyEg3>kED*Bo{^<>h7r@$#l1rAw zQ9wCZwBQ;2Xg%x6hf2(LF{eraGPug;r6yO2*Xt)&R+>lX+-iM8B)PXm6ieyfeo2=s zr!!`~9h1Y}JzIjhgHO{Kl{DKNtzxd8r8kMa{0q4LVc9=KNtoVfyT_o{GarH_GpcbP zY}-W|a=TGd4Dsz}HIvF=Pn>h&qQVQo)Yc5});r0|FVvHQpt6>n#xz=B-s{oPai@Po zoTFo3<|%F@4oTUR0-Ki;z~qrvN=XzI&2Wx}SdNzysi$fy26<{HRu_{Si%VDSzU1uu zDfnIpsbDv@NP`9I?pch$)pTnNf7A98WiM43bJkd9Q$5XlXc3&#IA+PrT-<`GcZb$0 zYHUHHc#J>3mF_=YkS;We}!%H^JkT0VQP;vRue(HjOkV>|;g~ zAd;Y@CuO^?7G`B)NtP_dd%O7Edc3FaHr5`JkH#d7W>G=oG+;ETbTbUew1n7DHPG6o zoN#LzC}wqJ;R9M2CR`IVWI`6x)pwxGlpz=ciw)?NR^d@D@jdvz`f%jI|LS28Ta#-^ zLIfJ!H1Ea;Hzw^HHfftxc~*ecs7Pgcamz2R(X zW8#{y#=K0pwm?a3J$N`N=n!*3BcQI%a<&xJmtvS%SfcMzmWG^!C4>}$s2-$o9D!?4 zN1Xgt-QQ@f;_+YrkWr)lsB&DNpabuCT{lzxU_%0rGztT8+|OB32u2d6$$qO=^rRN{ zqeR3xv*LM8Vv0~kIG~O|+9L5Bw00HOkgvJ%JK&!3#nEW2Tg~i2nm|lf zx2h#U&k*B%V@&V7i>lBie_$jFMu3Av&$gyqUA)ZNh00@o9vvN6*q%X>lc+VfkpG@p(>{OuH+4>aF~nL`f)5 zR{$_rh)qQkOeICZ(JN;$8XF5W1cJ0@yL)MBVr^dJj4iS%X708{C&w>JW-ePs;Is;U zUaHA%rU`xa934t!TWi?2_^=a466QbOTW9PdgaPqx&HnRs<$;C zMn|UlxX7br6tfw7E`(eu2Zvz~Y5Eaex4*`0q{uC0}IbX+h|8%7UU6P0q_;E~f6f8Uily_b)1OqWoHPNsF!~ zZ;cMJ+ym2^YWC)S(=7Aq8R0md#3=cybs)zR4s!JgcUqeja*UATrk|m8J zA$A8W;S3}GJe}E4QMpDk*LS6(Ze%JMkA>5XF393DIC*Inp;V5Z{8s#z@AaC(zaEO# z-TQ*p-58`9B21Xfo>>piw9@J!{!F}T0AH_>EIF$Ic%(&~$wh8b;s5Qg|M~w?(OC9o zIK6x(Q{xXlM@ssmUjO)LdgysFChNhWSUtbjfshry*Eu-Gh^$Y;ILWPyQ=K%Az_EbW zIFH0@Ht`5Y^9W~+M^v4^WS$WrLg=hf(z#Pme5nh1JY!oaj2^BC;*oBo%!42J_mc*>EGIi-*7IWoWY-h5f z=($*|sxX+C6(F>lVRa&)+o(fqbx^6Kf%FE-EMHqB720{U6a>XlvNO>SY*nWzGqu)} zZ&{HDkChUv?yhOIt10;xoP3hKVyZMygyeaeV<>_iiI^6GSvIj<&XN#aiK{ZRJ7ER& z292o`zR1p>GIc_4(7KyY+utQ~ftk{^N$!7{A3%aJLt7^ZlZCX1|OJAQY5nnRI`p-XTnJqS-P^_&jnvi`zGY%FZ2EB=bIO+7(}}N z>AzuS4Rj+4XciSz`AUlW+_mdkX#%dv>G>I%#&lMZ7(jQ5So@%G8xVy>tRZa0#pTWE z1%@dk5ZNoi`74w#wi}}rF~k^93?NLgl6Xt3P>p#!CD(RF6;~{RYf>h>0L~<%#Y_q= zj0OZ>38k%6*(tz)q%%~=TqGGS=3GO!rg@=oUW=S29NQqH0JdlG>mhFVCzgtO;ZZ*v zd0u}qo%+4-p;FOc1ex+j%{ZQWd*rpP@>K)bHG{~5Ia@G~yhYz{!ANE*86s+lBq7ZC z0(u0U;m>lAlS0(o;NTQf1@Qzd`avn}qHZqdT$c+_l-y2V8fzC&jh(gRFASK5y% zo{#E`0@j=}X&$;zQA*e>lF^(i#B1>ttZo8YxOD`R`;n1N%|t;}?j9Y(*3>0y&F~Z+ zceM%7g5MI(7`QX5(zkf*=7?g^H6(aRp2pFXodN`_O%!}2Pe7ISeNKZ0S~K zS5$b&9nf{fIqD5M{o^`!*aXW*!=<>}a28%bde?)4gF$s;HSY9ZGN*X>Hvf5X3-X0q z{8ZdRGHS&p#K6Bfzd{@md!Y3f_Zr_=W)lJ%jdgkNc|A7|Hr(9ZJQzOwHYcd;dZY6X zAL~Yklzss>I{!$#eVfg48Zz=KEf|0LwAC`Ha2NE)G$)gs(GP+Pl=!7b-o1=wGMH#q zM&a!lZp3tS7phQq*>{W7T@JeY=)Vr>%`96W*zD#sFT7UktN_n!(HzU^b}25-kj^EV z%~|fXPGafchZfrRpe4=IGJCJ%7(D4@nR+F^2Iu}HEliR?t>pi{oR)6$xYN$A5d+#C6v#c@mZ0W(Y!Q5X5=mIg$G zOn@c{hedSlt0KsD`>+hRd}w71+~J$8b>ehz&Dl49S;Smk$G3d~t{Ypvz~@qQYWxn_ z;M1q*?+lwx>j*-X{&9Z{GM0fa=-9{xpcj#WLI@QEka!hU$CO4f9u(6O5><*aIw%m1 zSDDBQ5JTaxl?1*Tlkp@?7vnW;o~4e}yW=Sd(}0i3-~Rf){+ECI*Z)YOMV6;a6KP4n zjJ#kvLT(4WAIXEykaIi;kEfGE=6O>0@nAzxzt{2m#DSjxvb=^U8Y$^lRf?<;@Q(`w2|A!uV7qj*J@eT4?dS4lxXnwax@GU&a8-MGtvi{#uS z1;v=FCc)7O1TM>%UBO3S6fmy5wtfwkR+%&2swFZ8a}S(5ILU}$8>h*P0cuy+K_eLi zG0_?GWNLbGLs=}DItCECec<&v1T++FDF#efK?gE^U^y_>B_;pLrb=}m8MNGb$aT@w zn=CG85oRryzZw-v$QG&0tl2y691&;W_hf=&lK_-JYrpfXmTgcz`zdoqqOA{eM#3j3 zBtBvmNf?qoY6knq7_nIylKbVCldl$05=uADG4Xo~zINN;vW4d|8R!lf$2?`e3(w@Y z+)hqpE~z>hs*=+0kn0T-o!NMe_mwYY+Nra#!L4}-BP zn7)5gEhC63P;5oj2HA^}X=S(c(2%rccqU_F9XbL)3thpxb$od47QXnPQ$Hk_rT_!gX)PAcw64dUGHG*&E zOe6VW_oWk^y>zmY&zqKxsmt%#xP9XLvqpG8T%{GD5Kf-xrC87zhs3-zj#Y);&Y*oP zSpp=E1VXZ5pix{@OM} zaxm~m?K><|n^?oDynX$sMQIbd|01-h)W>y=jMU+iNm?c$%_9kh^h3mpbe7WvFz~gG zD%JmYx>ObOvfcCicKykq_Qd!4wI@Tb*WSRUl$M>dL^{o>u1j8-GqX3gEC$mDor~8r zVU0l%QZQbO;onNb5Cy`nv%VjNvs8U=ZM<`i!ioBd`U1!h1X zQw776XgiHW^{DV`M+J7(_HwXevff^vV>TJ>kS+#7bW0r_mDJ&L3YR&C(YRI=#q9Fp z)acu-wxQvBnx@^Q54fJJ(!6Ifjf&-~Zf7^L4%2&1mT5{+MOu{ycXnH70pk4QaOui0 zZ33B;NfKe>eBUT{(wbk zZ5q>vS)K*5Qini9=^Z>;*DI4Psrs%~tojYN%T4l|Y1f8Rax2NY&{k>2+F7}k)S56- zYgz5Uv}xVxs5Io?dA;7SL%g0Z{^`T7;vexR{59+lzeD=sr}(w^M>*sTXRK+>!`Z)S zq2Tz=+ChMi5FE&MAl|f)?!J6~c=P7Mia=anVY0>-QZM%R=mPc+<8Jrw#diFM@!yNx z^ACS7xWhkK9fC%8yH$x!oFA1nZK58l9sDFxhpa#g9ggN+pWy`C92oa#C)k$oxKDj# zZH=G%bSKoU5q3Y(nRHu(ojfQ$(ViAZ($8>9e`Truyat=wnLVVH#rT!3AqlFbUSQLfknHbAIpf{bX%@` zq!a5_RXt?SSmOo`xDv|Tq?V}bHr|srX}b;v{*g(iL}l7Zcn|P4KZuWr-#>zwD!=|( zIu`a1kB`->**TiSqGT!oGjZfk$|AkU(`gi2jS>=Kn9drjMcTUR@yPEVsxqfu9VSS^OerXWptQGIbi zbGjH4-|Owtxx>*w4(^O4et+~`R8%^c?qY2kz$*wY*RE8o7)%ci3!=STES};B0bGqUM4L;m&Ne_lSmBYMYZNa#n zJ+sGKFFTsEq-cI8de;1ALT58N1FVMV1$djY z5KiEoqxg>Yqfq8x`Qk3N;F_7V>E^wg$HfM2X-80YH{Zs;T-3f?)V>IEzZyaA%SG+W zMeWP}{`Kx}d4c*Kge`^2zX>R^NWmGS(E0x{dHov7C4ip|4?9Q1IXaNeQYvz4&&GR_ zRtpP4OFn4?;1c3Eo3b3Q45v{xXZckbL9_&#^7k5Gx;ECa4%4LrL5>>3`TL&lKQNvj zNqh3ekeN20<%PBC;>SxqpncbXR%c31QHjF(+{9ltaSHCOy`x=r8a6qrq*|}L3(*O)y3k7+i zA{kZoy-AwJj3#73vn)zx9TIuWvr0xBqa(nx+k_(Cu!(ZW#CBA|*hsZ)a;v~nhi2S? z>>BoOwIX0K>$OyeILp~GN=pvmn0hSbNO+MRLGZb*j39b~qlpk*+!YVk#f?vxvY*u{ zDroiJB7>KtSCEt%SS!Vd0CBQ)$fPXDf_`8G7D17cfaWr80V4J>(`%yA>+`SH11O@8 zV;R~4o~4zz_%tCQ5wB$m;Cw;@llvDD?Nl<)JdH6=qRzQ($GfK{ zUXNqHb!~O2e}t}OkPMX6^CTlwFa(iUTS4tgF^oK8 zfoBJ(yrK&wPfAsq-B0XhEd=}Q!uSDM0eZ5W$=@n5R&kv&Wpv*Z-wh$*{liYbPn^U4 zai`yF#B}|qv?NzQyncKBjJ$gNMrD!_%*6otU_Ke+pK9$~uA?ZRzJe4FfHzM~Gvye`hoE*Rr+DgF|$dCFHX> zvMuX0ko4PgG7#Tpw zY+87x(#l#I_3ROQrqcr>Nax!2gWH_kI10*Dtk|;)z{w=%->D`e0bL0&f?==Y_lR>i z^s5&fy&~Uo2AQ036@qWrCgfNUUe!IHg_=`G389MOc}m0YXiSqpg1X>}4Vl!O_j{w> zuXsO*(xRu3f;-0>GgmK8!jOsMhxENZ%8UVs(H{VpbU_ob3UXPHlVwD$Rc#pVMr{A4 z90Iv%2QG-CqmF+>oWrAoj(<>J5pr{wR3P@|u%6a8hj{fko5NJ{iFb!p$sM_Q!=l#x z|Fte^3*u=d*fC@rkcrN)lAPLry&WhG3(}?PY(5K`POR!OT$1j47CD{011e>)ruW&QZuZV=PZ$PY< znEt1i&j1;7cd+&%=1T8}Ak+SVxWA2hLyU6fmVCblp&n-!%Y({ahtdZH4XQO|f{vud zi(g`W0{0*71^aP)-0^+ljE;SIv{<0CdbNs+ z8+1)yTTFbDaZQJhJLq^4$Gmc{6MeA${w~4@3Z80#B(UQAX^^L!SFW#awJy9l>Z)`d z7IBYUs7tjad)^=*A0AA)0tHEP7y9+V@ZU5hB4&2l!Q1$&c@$ve`f;UY@fY|WU3C4gmMiZ&& zlA{A^6{%4HWN>wYa5BqjB0*BwlI1H&QX(>lUll+xfb}6pU^S~kYL1Z$gII_`y)Z|V z^Jtcc^GfO;<<=z%yjjSX_8Ls{hHX`W_>>{T#sYB&@M>Qy5TDxu(RcmhDu96CHF=p7 z(Sm7p6oHd8#1s^juOV}JG9&+?6i05FG$rRCG@o%*N!Xqn+tL>UjIJ?*q*EzCfXc2aY@lBxWZfByu8}Cg z9Q3@L%@|iHn9ceAWbgR+aK9OmV?iT@JzD!9%hQDz+8>iN%|jmjC^n(aW3q)F81ISzNoM%6pXUh@(=ui37txuplBC+zajU zcmWgrFKAwr;`o>_^Gz6%X%sW9;4?5&=q^L%^j8Df$fX?LHeE9Wl?7SIvjsFc08@c_0&*uH7#m9WJKE^VjRh z(r^Rn&4Tf{fw&Pn!sM1DJjiJlCA0mO0$i8No)ejM8I;qn69y8mxZ^}Jwn%zG#?c48 zCc2m@@asSSS(Rp_t)?62NW(H_7{b_)#~llc5~{#bpS?Y=@A+a(%t<8`h4zJaTPrJi#na1YQkq`( zq3ib!!L71)-0?B{utJv-EZ0no5VmD5@KoHbgER@HZ)K!z0SIY^a2TAC37e*fK+Oe{ z1_Kbtv{M=>`-sHpzCwCq(r*btPs`}!3i&^Q)<8AdDPz3NPEt_*fp_&4-_6p{)g`Ux zs<*Dj=yK(e<3ewEcMlV%*B*;jvY97-T-#@qlvCM97RXF;G^^H zu+twjdEb&sT53F4l~$!>txMXevinp|`t6ygWT=>`S@5H> zNQG1uK>Bku+exNr4pkrk?`)qQjCF(WFsm|o@=qr(&t*#P4wkvP|Q0Vd4plD^%zK7sB@#rvduJ zN=#Id#a>GtT|qSy{sIhw6r;v68s!Ao7IK3H&G0@yPh$WR!N*>aE@D_Mn1TCXbR=$z zLw|&_j>(7m7|Ab)o%~`w&*^Q+FT^=i&xO&LGje0*SIC7ytXvrSmN?veOMDm*50dzD zOWbfv?74k_%Fo#nk}tMxICThRN#oE)wrPM9Y1dHLcPyq#NsoqI+*2TXXObc$k3nD! zS;2yW1ZkeLpomvwInc75mGG0#DTxwtttHB9MZmsRUKKel*lgwHX>%>@7U?7WCuW zgz8NCm0-yz0hJ{fO2wwi}jmAEruvwq3Hqm-^(@!)_2NVkl>fbRxB4B>Sr`4_EzFCphr@zBe!i<7i(R!TuPZM$UVg!%q&IZlnraNx^{n$H0_1EWga2w zKs3{yTAAE>N%L-ACS9B+S7rIH&dgfx4Mk^1dJO|p>$%y&D)R!~$XE_%W(r3upQkrM z){fH~*v?fN_IL;pzKvt=8XCL}MGWh((>W-!eO|%=p4xRsoR`wuRZzcVF_^vJ@%WB7 zdPu7~I6kaT-gv(18__Zhr>aC?d4m@ zYF2x9JD;Kj-OQrkt@8=z-+9d0cW#+`XWPs>pJ3jd4YTfSnR93Jj5{0Wdq=LTXLG|$ z+des2o`OTLkt_L}<`T4C{K_uyi&yG{imSBi5}9x!OGEPP)s+-WJ#qqQn$eV8S3K}V z=dZDBm~e&vBkw9NqMR3hh>H0SSVVjmCj1oc`j~POmoT&zojT2RL+6~Pt~DKO zV!vLLaeO7yET}zfJ!?9;7pqG)i+GW*e#ch$omi_?HnHg=)ebP-L{k>50sz6&4psW0 zz5KGAT@`6&%`&Q#t=Y90Om`9`U7O4Bn6Zo;^vscwrMv)Tx9-`e|)+ zFbOk7*d-fD=WJHSG`E_gim6i7P&71g>=Dp5q0g8~NQ2sPb6(4YW|CY5)KO8jZ54{AB?I@Y4PnW)!cHeuErwc6-XqZmjDs`}*#IcUo zHhJ3g91t=?$)_EpIcuB8A0okQ+Q_NfIMqXND;GcdeQUSE5J`%*dBjc#gC2PD?2>mT zjB!#jEu^|KEtEcrMXc?|mMXBx5SCQ!a~So?DhfofP2OfAvoCrUy=HHTEh%H9(Tdi* z7H+R;ivvTYhwGjUK-+TsFm;Jrg#INV`lQs)Ca1fX$2}!>QWo0FbnaMYdAly z_pO?gv#cNqs#6x)&dmyOc}uO>(2g7cxqmz4hD|!gGiqO_1+vk8qvGqDzTT?4BSBvz zR=0FFRnDW99gw_JUMTH9?l520lD8&}mc^VUg>)8{BUIlV&i!|XWABbuP4z#n-3_8Y zvHBO}(zXteG$*f(;Wu+a7g%0>BCJFoJqPnTe;e=rcTPk(rfvd_{|Z?-llR8eUFLS7gu zBfbtujjixvkEYLGjk`;4t_{y-xp-IQ`L~_*p|i-y<*7sc9|EO%XL!zXKUM zF35HFrd2ZdCpULdvK?_fSgcD=Ca7N;zs>#J!(ovf>l~(1^ZMnaPAItEz7%9OjHAKe%0NnT>;b?woR?~ zLS3&^UV~mo!cD;Ic9j|2Htef|A}^6>qBODa6N0)SxB(&DLQlWOw=Jd$YWlIM?hFV#`|fL9)QVFq!%W;r#BsfE zO>7xvYEn(?Vi{)ZRAJFgD3^C!5K=Vxhy!JduvsdqoCRBClg*i6SP=b*&Odh~ugfd- zOk*vjJe$Z9%W5Z=Phr^%t{xcms>$+d|#}7 zaZylk+4h>3B^4H}dL!ib<=9I0X1y^G=3n@N9OwSS8N;%FH{Nh)Ew}Uold*HCvMEx9 zJt2P8OMBT@Bn!l_`uOpqq4GMP(InzB5O2>tB9K-rTl9$Cz7*6YpYF((WqD!@R z9&|&fVU%wh6E(<&$bARZP^gb$jl`WG=ViGj+<1jq>5_KO^V`+G2bI5luV49l==Iu- zjQQ~(_mH|)SE$NsOqqbg^_ZZ`oo>*l1`NZR8u4X8GJPlvzq$idxRhTx47Cnj!sM{Z zmHzGJIRa~G#jqFv(H(U-qSanPXU!?t?b&oHBoIsEIlH_#B|7O+E2sYfByt zMom@nfvrpv1lbR4Ww)T72KMs-s;Nda;HlNNC8h$?0?PvyptU)?O8gyG*mCcIw(Vk` zV_O%d9FZPd8>Z-P)`wX&Kek3plWvf~YSrFX3bU%H$zfIncap>m#ci_KR_Yt1u?poT z(P1mm4H8*}XtPX)pBOFKz1P}iJ=xkat7*!tD(|f;Q#7jDvIfd`)|Z(vtZ2-dNZ(gy zW~yk?nl;t5o8HXOt!U1g2=1mkvo@5iJ$opZXuhKD$RO^n4XEsjnm)k1Th|EK@3i>& zg_AUMlKx|`k|xdCc5ZT5S&VnkuBl>{e$AqE2MwDlrF3i-m7TO~>U&Gi_GN#4*qbUO{ZP3Zo^ zY*T5})!Ah3rma&YoAh-i-cD)kYEK5WC!n>fJORC3Gn0Qj&7GpJb$6x-YwW$Ezq1?m z86f|gba)jR`N3K|eLGpxYQrbf?DZP4j$t@5$8 zdR9xC^?KV|^JtnqQ%$38uhNR2PP=ECu~ENQ5f?s*hELUC>G&{J&Hn z3t_NK<5Vi}NU*i>Q+xy-Q>l6aMbGzhr~G;9g3gTq-79*7=ZilqbD$P8^nvo z6lRqH)&Qb>=epHGBgOoIgOIr`C0@e;~0r`-jKJ=H=|1Em=Gkf^4du z;vk=tMS78^khsulpz&pFY5>+zQMeweFGDsdXI9{!cs7gE360-S>A8UqvpfRUcSRRj z45Mw8`H`|2%XRf!euK%@-(H?$UW9SCYesK)bTsO!59Dq} zyLI+(G|ggxklfIhAEsOnE99{(xIK17M8CI4NnxRQL{S%6T&WO!K~Ss(-kjh@ZtVjVK9^d-y2sVjQZI# zdp4|PN^_PJo8F4vZhAMNvl*Q+jKXXBgvFE>QD9d2meoD#n@(WR*&EdMSZzTz`rJeU zp$29r_T^NWm(wU%Ze?7K#kQR7Gv#b%Sxy7Pa<;K6$6{6u)i$y!XN^%g>x;wL#-tp> zqMZ9NC}$IUayBrh9XbcB$!TOv&L+0x?9P;&omi4nV@OUDJ96sG$Z29lj$uU3z1Wb` z#Dts%7UVQBAjf7u_gT`&dN!@CX13#OVLHx6mgC&Ua2$)>I6E;Lr-{`#TNsTLzP^W^ zs#F++=CcyOnybkyF&snjp|3f~(vY|0FrBC}z#3iBc3phoK@4)jZe+HEcKy8&k7<%7 zt3_J!lG7P$x16m6oZE`a#J;C0-L^>y4arigmr0OShXX*>b%qB=5?$9QlTFtuK%sgh z$&%)g3~#B8*Bd=nlPID2ss&nT904?tUA%tw{?*CL=NK^r*(_e<=|YDfK}^>rn_4kR z@CbwY7ObFxl|okkCbCx-C#R1=8=^$Tz}H&sROmWYs?II#T_cCBeF#l#rxl5L_4?)W z_rE{6#MHwwc@Iw)%w5vlg}<9VfB)k0^~?9CuV1}5`~LmQlM96Y>h(HD#5wd28?oSi zwykI5-$oTZQQX z?$t6J(DjC?JVb?{%EGgYN?IpNHmfAZSf``Mv_?ojuTxs@mg~pB`PKz@Uc3C%d`Lh41>sSNFK@w z0(P1%1-I^6X*^nt5;F9q6=dfdb_klQz8ZloQr16*$|;I~$3E z#AS+I0r1czBqgq9K=Y6Lo_{zJf?C()gLH|1)Q1e}Ua#xxgo(9}ou*Iq&cM7!Qu|i{ z4kVEfCLv1_@XfVB#PnG@y7a?{d-R5PlX%hs;|Y#gZD+Vdj*D)W{8QTc6G(J)6(zHn zT?xUpLl8jjSxIC0AkE1os!;Vqxt^lz1zkk30uQ(8$O;t1`q>4Uicce*PUY-kc|d3q zcGDct<@Pb)_h@tsz;rzcHINCpix(`>`{1moLmYrR0V-#W7M6=;&B(QQNoVXDQk%0J z(AVRoOk%s9G|SHGxhIA-;$q95#xz=34hrkf#Z4Dd47`L0@k>U-KjcxtUMGkG!lOTl zYeIkYGQxhyhRJDdV>YJIu;20f#2Fp=5}`=Ww?uZY!zHz>Oh5`r%OK?;q!{Dm^x`cf z^Ifn-ny-{b9K~$$9D>xjjlumjw=!CLEkoVtDg_nBrO*wRxU3W#vDaH@9RpT4ChcMG zWh9?sWwla+#!@~ObL`5TdR0zCMUJV)saN7ORiOtG;4tB0C-Jn3$Q5iTi3-RHA4t0p z59TZ^W90x)*q9w$QcDv6R^`$SCP_((*qhd;XjzlQLeF4N9Bjs(ICwbr#K9NriDvAH z-pKWP7DC~F`mf}>%jYM*JA3s#IsM_})%VZEv|1Uia0i(wMRY;wdl5v*%u6$t6dJs+ zh#}*Fww*vul{l6t0;((`87csTNsjJa06<+4E(vD_&2Ul1MP%i$yZr9tlq_fxO~uyH zY5WWEm&)WnRiFlGq8f~r>07}854Hdl+#775|LKtfjt`C|ba?1_5<=ji$N~Kkz(kEY z{-6OkpkVnTN?-wgpVNR{RH3X6dlj^?MU+H~a?yY~rnCqNW1+h1ml>?Ryi6dKn8Y3v z-02x*i!`}nMfaJ36ch|SPh-Ke6h0Xk9(6MK7GyI^#MxyaxO&p;_u979D+sZ!h7g05 zzlJ>y&QJxL8x% zH&rN_5>>)LJR-cr?bwQs085D(U;9F8^ZjF#+SXweKMSg&1XU#WfmL*x9^OBTD%oI{ z9v&Wa{2_6MM}FsUU2~8o@yh62QeKD~jJjd?y`Cq|CMnxL-iDL}AFv}Og>73>VVX2= zN_W>@?XWMk%ITJk+0dfu)^ycO>;j%{Adoz9s}`@$t?L^}b4Bfy1lv~=jgtQnWbhju z4RH%8nG<)e5F<_UKEz2AM@Aa6Tyh7@Rdu_fZhONL+s3n81*ASmJJp`5e4 zKu2XZrGl@09g>K@D&x3%|JWV*?BH=PBfdBI^p}yr!EiDON1i8dB@exf_`M-0kl?2@ zO*EwGujS-#N?aRp*>9<#GLDA|`@zMf>B6$TS6+XW-~O{?)8Ab>{HcV)gF`?ZJ~$jm z8{cR0S!@c4Xmt9i`z+q#QN9stwc@i#ZgbRH`@nVp0-+kS9}oKjAzN>;p9?x*zmL-*%R*eBNjj|vnjK{r+^uxAsO*F|_^ySt6cjNu)|Cd=Yatp0${Si}dLzF?pVa~#I}$cHf>4V%VXl7ZqT=={y;MfdHq3klL-!pq;BUWi9G zY@!UYRV#1AEn6sH&T8SnJeRKfRNE!Pl=0;2LWljVfX~y!rWF-v+k`-ExJ^_mGgust z-=6q>4N@)uT;GLFCU|sd7>WC?b;Z9hPb-cd2Te1#X1pd_jMw_w`(@r9W8RDxhdpoN zDa_m9APDj;c;k$Y59INGizYxh3xQy(Jszb5 za3zIJ1InlX2;mX?SV-;2n-s7atKWit1zjir7nJzD{sA@_)?dO`tN50dHp<_mjq)F^jq<-}qc&)x4&B~i%T_Pd?4>X- zRn-z_IhG4Yu-zroIC%T+n>R;C#A~`5(#&S^C;$U@L@_@`;ignu7rn)^i1DhJ>j&n_*YzfY&b1k2rp3cu2newnb`TTcr7GiYNel9 zt34~@SSG0gl}#DP%3tkl`YJ6hFj}|Oa`(i^Zv6JGHIHYnwI|@?d5ISyl{rByQL$gd z=^~G}rz%v|-cL5+G|}TP3y39rEeB>^PTZnQ;%glZQzL7|+nOXh#e6N-L#^0GOexWx z-_=pG48&CfmD4=6P>iePPcNUXl?9HG82pVVr^;1xU+v6}6&-9XP#pIrut;lD+FEwp znld=DD3gT6(&BjB^JO`4yjtEk9yv>tgv!aHEJ_;3E5besX;+-h(nh+Ho?H^$O;!;b zueSPaOgX#JF==J!qw_dZnsC)oX>*oCjw!+trGV5E4FJ!MOZpJWI2f6RL z0Tf&dSiw{b>S_V6ZKoEes_C@9tgDfs-KRJkEP@fU{87@}_^D{Bo8D{mO7j7df2Cbz zz``kgYb}=rO!G#w47^X_j1rW{H{V#a_H_duiypGNI0`5q6TjZpG!Dr;60+Y4LE+FH zTY=8xX&g^z@PRxzo5IDAv!bJK!|k(wm^*g)!FyIJ3BuoJemPU<5Y74aqq{*&dY*?>5Vxm zK3j!5`FFt>{0yACoS(a&87`K`b%Sy~n|IZg*5B8)YJ21FOSK9oTW>ZxJvR-@g7LW- z15!c1B0R`x7A3RBMn9M)=-|S-^LxGNfHuE*P{iw<#`s=zu!-lJ2iCaLSNbo6Hj+-K z;!Xp199(S8ExR)fG{VW^r@FMQIj%(Z$#bO)qZkWz6n_jm}qL1%6 zI8Jo`eL*MR0D!zw+DUs5PXk)G5PziV}t@AbT)`hey$fa!HPfZ&(n z-!jbHoCQnF(JUS$(MMM>>mnU@Wh?N9f&I5JIW3%j)wYm_SfXV?_uF8V=I!1()F(G= zteUDON}|GyFfh!fp|_&VHV%mXz%(q(M;e>Ta{avpyjojc zrmfoi0UCMHO!G)5`dZSwo0mx!SFo#6H?GZat(j(vXf2|(C;OS;SvUq#|G~{ zD(2+`IE2zWDD+oQmjrW~7hR;)9ULFZz^=|QaSjgX zSBUnHSE6fO{e8+p&%=b*LLy&8IWPVY74sjki1;o{INs=#>$mdU!9)%+lKHp~fZ#_X z>2T6GFKYOcFfF(}{?aX=-EXgd%)*4Pi*&&AF3LE*f%yM>Bq?t8B>>~@t(*FuvQH~`J zcjI^>v$DKm>{s0KKyI~MYE*Lc6%aD35N;-&vsoF_ z+-i<0){?Be5jo!q=(RS`4DDX+AkCS@dQd;q#;tEXmuLWs6_;iT3 zVh}FIm2&}4H`!+O#^TFzzBb(C#7wyhn$Q`#+QRXl?`yvb>+WV|rn%6V#H`>f3G!7| zRM>38-f*`40{GIrNS(XMmDP?|jgV}b=d z@Uq>v+VzM;q2&zw)n=j zVB^AOW8FZLeD` zRZZ)g>S~3g+OcD1+)4sT5+e}F1wg4ZvlHPfhr{9Xem7qGi@kDq9pQWX_xKNZf5I2} zzHcTHAgB{1b*ue$7 zOl@o0NqNhJxLZ3o&hkrbB#^TYr#f0iE#PjbjYK7BYqzyKb?;lDADIp>wX~fS{z*_t z#%Y%DOw6yrMPI;8D4w5`tfkEsChSB;Q5erZVXcQu*bnichy+f%41f{~mq1{~J}}Yq zv#1Dn%;D2@G6&7L_$su^{SYCK z4n@RszrA*P5 zj9|`DqgY*Zgo(WR=<7VqySWtELIz)3@EQ6gl7zz^YNSs?GV>P>JDRab z%rYiaH=D+egtNGaSoe|glpn}FZ0KXFlWJD46$c)Dg{K*O_ZkR4kAdeK19a%_6io?7yyYMHO-K=;*ul+eCzW6#>bboZP_s`btbOt!>-M z^P2vEy0BA+0g$|=1-vqdCYQ&E>X1{HBG#Vg4Vzw{HN39Z^uWbkYO#DPyiOg@WEz2e z7S6xts~Qc_VmuT>S&(NH7+;^BgC;nakI4t!y%8~`02y?QO>$F4i}zw%av$ zxX#Gcf>Otnw0x1oOk9fOIz#Len1g(^5^-wP^s+EZMKoh?K;K=jnnk?srfMS2(k3K< z1@bCxg87$9CS&wu%tb5`o@3V9UJXS3oC6vU<17=OL3dp8jJ?6U%(qQ8U1u7nd5b&w z-pyzyY?MmI(+lIV`D2Pz2kOoc>y79ywDE5bg!4u$%07|Krg?lfB?nrvbLR6@q)nUr3%1{RB6t>EvxSIO8l+0CS$Q(UbUmAa6?Te9tjLc74}NdF z%XeFD@bkio*4{I&X;ahszI3Dn*Kq%a;SKQ5G!H~G0FmX{I`w6scCEVC=`_2YPOIC| z5qXA0+sQRY{*BZQuThvbptViOWSLq*5mAu;`G6My1lBN~x3Yz3LHSJ@#(uO8)G@+3 z*YBoI8ZFQ)p$4}Ar@KimTH*_YTn}QGi%~jMswJZ+I;YD8KuAsW)l? z_{N0#go_4djx@ZHhAgob4I>k*XKW#B4Sb4P4sC+lwN=Ohh1sxNDm9kg*P-i67)ecXWr$o_Qp7%h=k1`Z6fBkUrn2d4n|D$ z8MB7oi`lAdYv(5Z&|Q3_U7>TEQA{zgi0p_z3`qCgb$!Cd^FNR z9Jo-EyjV{iJ@Rr*2?-`4;uXsbGVhhDpfL+nyNmVIpbL@`eH#m+K5PX;;bZpufHBk` zHAls7nP=63FLb%&0FZrV(A2Ktdg-b_q<#{vaQCSH`OoaH@M+FU2JA0?QNzzV7|Q@G zLvbq5VqqZM~ zZNS$0lnUmrljxdF6YWA%ouWA2gq<%$w8ViFMXc3IMfP>Q!Y%UkpKXUo?k3d<7dF!0 z*JYPra|4*_FZJ`*dk`E}V`rACl27L@XjFiDzZ*D6PmH8YUvziixcpP@-WGNCfyhjB_oKlpSs8IRV=EOi-)_FvdQNb> zF>!CgnkznK2SmCT4r}%kpwZD$6KW`*(&H*`vM>Thxr6O6oPi#eF@&bsm^u*1q7kp5 z>Sw?V1(6o^;agj@kI|f71`SjWbeP>fU@L~AwT~zpXJu_bW&C|wWEcEW80}gFdGsM> zytIuxMvL@X_9|+|Moeqygmt}6E`m)$Nm$;;1F($-oess!9v7bQiU% z*qpj$607U}&CTML@k-sc?>unhDbE`vC96T5H?8#E6+nQ1QlOimDXcUyoizXhYN3V$ zrjmW&*CJuVB1NFlN-SI}s>&?tKV}|%cXoE%?rK?Dgq52^eCwsmZjzGNV8B8&kz8ts zOjcDNW$u3nHzqV|MW93?AVhW%%c~e&+EnO(X*t1@s9HE|{rMCx?MfRR4% z`b~FZ5!({1yOGq@47dj|y4pi=2eR5tDp$SuZdsGJ(4B6q#SdX|ty)7L(hl~iMC5wU z_kwTU^P1f*YYciL^}F%Sb)oT0N{1*y9A7TWr>8vGJZ;R5AJBe=Nq^10w{rHCsTOZe zKqa1g+@x3dn`e?$0APDX?{shFEVLTbZ`%IF@7YnN3_-AYG!ZRlQ5avCj9xHgs$7X+ zqhe78CI^*Hw}0__OG3}^Fp|!ZntPNLxX5!AnYt~WtNSiRjNa~B1ZiAy`6t-Z$66NR zI-@9TUbB&_OszZ>4{mY4$=!Rtt~aZ?(5t$zTo(c)n0X9Nwe;IOzsD**$Ls-JR0tcT zGG8xc2y8yHDD*Q7e5fsvX>FTyq{Pc5*Wc@#<9mD7T^ z$*nSm?4!@;zjy>l=%N$j5gOFf|mW-isSC6SIgVX>&lcAPJ#V-QwDfkiC~+_tj90dWX7DcD%mVq zKjl;I^@XT`R;d9aR>Yx%Zjp?~-KN)5LLQUJUJ|5{c4{y)Ch8hWp*5{(q3dC%)wLyH z3F^S1hVVqn^0G*nyWynb?CB!>JX5*_#lOd&Dem?CMb0hMs>Peinh&3_pBJ zq4#rbeL&H=V~5}=<_;@J)7Ub)lKx8OAfz(Jxc=F}G4f~8-=7YTtz3~EduG~s%+3Mb zxawAJ)?>c1y$x+(v)Faxh;E5+@-kbP$9y_G&Py+>;{QmlgIrxQfdW*tDshpX@M(7d z=d+)##i&1FPIa`s$CdXKpL=$2e5XfSFL~!jZ`@OS^ryq>M;rX??dA0v9Q#f{c{{at zGYp|xG(xTE>+%Z(={6an*s}WkjzOAL3J&?YV9YlulT<8ot)^P}SltGkZpbe$g7Gz?uJqaJ!5X7||Zs(t4vRPLPs zba@d=Nt4ZX9Jk%|tm8uufcTwG+a2V~7Q(|&x?upxKsLX@Tg5`PA%Qa}GdSKG$n6uO zDqoCJhhL@bIGVyPK+-4~_bo>6OSxIfdX_UKhI|Jvb1wU^fu1|I1mXX^1Zo@Y{1xFT7 z_)=s5qL=1Gy{EbIx@Q_NZ-HyS!P&+)?~a>e))@Bsn*(L9FdVH9fG5J$d%g^#5JnEG zD+$$`>Ss`Af57q$%9#63CgGpdjEIh9u)oe^>hnk$K+``8KXV|Nk8wI4#&fIO|85Ob zIP3N_wrmc)jK}zA>ljik4F>~+KO4G~y;|sumFY$)C$4>LwSn|&VM(n-l7bJ?7o-pz z>mwP%Ivq84!X;=yiI|~BVbX3Ffm#CTr|oqrlGc132BK}+&018g)K(4T8LK*TGzG;} zsjil$n5s2Nuyb{i&&4?lV>o>xQW;%BI=0pE4XE#Xyi@}-&v$vP26<#2>BXx2x;Cuf zo?3IlGz;T7yaOce!6+Gyn z)Adxfpcht>EtdF!aT%Cz^TR{#vmUL}oC+i}iI!U_1+Xa8+kg3*5N@PTdPU>IN zFb=|ap4z0zXrzUQ`#Tg33+Kebg8?LAndXORBf0=ZzLd_GTv zvS807C;>cJhB0mbCg3A;XWntn|Al%jW~rrVIFFT`OY4)i7WRD~7PQNdGg~Y&sSuV) z(|q2i+MH&jt5<9?;H9#x22RhQ)i}*l{4 zCIp{oN8ETG<%60VOll*qy43j0)|p)LEcAg@B`7)rv^7yrjclt(BeF=`2y98FfLS8TE#!`&YD~Z|cHLbO?K?n(BAH z59>6xA@Bjt$BJEJCgIJ&ZpKXt3xZbbtO)$oQVI~nc~Wv6#!^GcSl59ER<{&5M$C`X z32f~l{Xn%N-yvYNhMa^A6lZucZQZm%W2h^wnZ45}G{Ab0h5PzAe!sp8^;o0+So2+% z@5}$kS1YHC{fOoK6ZX}g|I8dBvvWRTWlpPn3{idl@|UlyhBd+FZ^ZSage&<0n>b8cd#p6~wqAd)Ir!jN_}G1EJgg^J&QgTbG2<3KIF&bA zgPE^ZI2H8f!!*7lP@~tG1EU{i-k{s`l%h54Qx?fBRI__`oh^8!S}{JwDbK=m79tGc zq5LSbQ+h)U2#%05kn*X?Y#lg7e=wz^pd|-*mP@tJ0ECB}pU4w@~ozu}9|M#TFltG#49u6xLkTREacq zXUgD84&q0A{l=rcJ+xHy`X*sDq?0}!1K zaMXW@)sX!@OyQ<_0dw)_Q2Vj~^xd$ni%K?zn%qKcynky(R>-cb~I_8&5?hDK&?^!SXGkespF6 zH=CKZdLDW=RtT5SS3>m4VyYG(zzC`h%xhJf5J3Rd4vsIRUrHuYOTA!w{c#_8tR&#x zXFQD1`Z44(%9dS0{9^K;xf4Q9mDZo{*o>sQb|k(*{-7# zi>Dqw^e&DDG;M1%{U6z< z)jZ)rUXgeRjLaxcs3qAbZ#klpmb$vt35=vDH=#3)oDVKrJ4ta;4#kB=B^X7n9Br~C7F{As>pUwy}WOuZ88KYr3=%6(XX zA>}C#g26sRdV+M;DdVdUbf1*H*&B5SZ)?9|(?swKKqUFsfBs+o58WaR7(|aL@Mc3N z%&74yN6pxAcO5mViJwQ!_EFPQqekg6>Z|?F{|_U^f^{5ba9C+&G795)VYJvj=?K5N zDS6;g2*Ip$Jq6CaRNooKfzG>8OUJoM2|ia>2%b%Hg&{XwmCb6-lOGN9Rt=dPB!?@F zRr~3G#ry>%hyLq7|A+sR#o|g?{ObK{ztU+_rZ$hI>lHkswr4T6qy9Uu9IH+4*4$0Tj`W;RaY*roghvfY{f~}vsw6ApQk*4V#^l6phZ7w z5e#lzj0A&>-9j+9BY7YcJrCUGh&B2{aJz5RJU^_sp5AAN;(A?T_jqNwk5dg#cRg0^ zI(&iAPf`@*Ca*eVv-aNS zwT&6~=IL9X=R=W|$p)&b!0LN$by=3Rq*VJA#?E->6=nSMg0f{n>9)LarB~q`v>qoB zE18CwOs>yO0W}O+K%Y=%Bn#GtIckmTkpqs|;}fUa)WjxOkoKY!n6|Gwbu``3T| zAO3|M=?eJ#>!Qwjt||2m(v0x|zX>z=*5Pu+{Y)3(Y>tk%_u7@lwO_HxQY@viOL(G5 zB4M4BGl*8%ob?#B5*k6o&Lam$MJZnO^xK%v1AoW|jzjy|uG^T~?6Zd3RMugQmAYQ$ zsaBE)<41qJ2@62NPAD;st3QerM*w3GTSZC`Gn1gYkIzlII@L4`hE2CuVXT(8Dy@%X z=e(InXozY56zx+xZ@Q3IF-EpQ^(?kw+g3_vtz&GkWkn3@aEs-42rZ&EvIvrOj9Kf} zvmySO8b*l|5rHxQhbL8F049D!zt})~F!K6Z+rD=rEj3?T;BC?Eb;pCUHM#lHy4Pfl zPS|vvUQgxciR*Ox`ALEXp0MB5(?z|>>MdXWHp_6{nf$M!r5|Mw{X&q zo-%#TX4NUM@wW)KWkW9HLMP4SpW1d z>^%>olCpAqdaR5+Yi3=#j@NInH+!Rwdq1^lRQnY>6)T?bOh6I0!7Emi4k6f-W|gjZ zauKOdLf&*eIMg%yZ;eL2&51MIdAtmN9xq$Qi`R1R75^JMLv{84{x9~obn}>?Dfv>H zFye8m!H|epUSfm=y+1i;A!KT2(ki~hIzK2|WN-F{V^0lBptm$zgiYctV~Y&EK%@HP ziuZ8TnRa?p#~}@TXT`e*p&9i9wG1|EI&HgKx!Y;0e*(^R(nlV~xo(Kl*)GKCP`TRg z02)BwBY2%s;VM>reGgPZCxQpRO~Oq45Mv>EiZof?==%`u1}cxFvi&;c>D{~ZmF-^o zYVDZYd`^R%SHQu~E8zAOu!B41|N7s+vc%0QLwre)tOA52YOSeY*HNp~VEh&u`N#jr zj+U!LUJ7Lgua|b@+QP}z9@}4G&cnw%)Qsse#sjAH+&6o}5oAlKwf8_-Y`8qNz)_-P zX@*Qa|BiLNE^j3ghGiiC6nfF1a-a3oa7(?}8xCP5o`s*^P`y}-pw`|_SQuXl4CrX- zq?bPXWnK&yiFlqZP>z@ukkdJw(Dndt*;Nmj#KOPGLNPJYBu_Pco0Lt(f?tL*QGzvy zZyKi%dfS7BrtA5H9m1D{Z)&y*dea1!M@o?mL?kl7!VG%S#|ETasucy^0zFOe&#(WM zmHkd|SMTjJ1TH-84QFG=p&e*e z2kQ1>ztTc7ZvGPZRwn{_twy);4NZv)}#rqxuLx{`dz9EO(ki*65GCW(8SA z6_oa!@v`rPKK(dhT|7(x?LGC?`{M!Ss_Y7FY4LtiHu)A4AsFzA1MAvR-sJ?1r;EtOWANNr(j34%$>E_K3 zZ9JPL$>#3Rl4x6n-t6?Hsg2U7erS(KhX1zUnvJI1aYoOtDgQJYs@HP8RtKV@O7o-S zSa8{cNsg~TBB6_vMo8I-FqAgA9nvjV7HKSboM$gxcAs9WnGT2j?l^E9Qg3$FYC1#E zYdXV%IgK_SSfn%~tDyeVTH!FPs+V0_TsL=~RkWUmacZpe^7&lF{x#3U6(^&%+Z(Da zyW1N#d)+EFQuT?zf=>*Wsg*@h$&so-Cd>S&d4pQ{FS4Vyz(pW8==y$2|<8fb$Y$QczeSK*Zt1vpy}Z=DJN=oHU}_S9D{MDLkLg*P5nn~Hd zbb(z~SY6Zb@2WolL04cBfDTm*hI@P<-3`$B^f=Ilf_iDX-Etd(OA>17!2+`_N5ENt zup*nT;~)}_Y18KuXt15hw$B|u$!>bwYCVlY-+roN=gnDc{7vHvQukemYyBOpD8JPU zq3jLa52d&Q==4oJNkZ^@T!`ztbwM?FV;_L_Q+Gi%dm*mv9^^n?XysbpJ|>V7?)zc| zm_65pFS9~>JRcR9kk1k^=SdJ*n}Y^|02qB=jr%n3p`MJV7opO?!r66sT0Rl~c4LEo z8(6XL&A$znsSD2NevgQ!i>CGi$^SMi!k?ZuY!|Y6O#Ka81v=+0^5XL)P5RMw|yLt@;@w41#Tx(M0<8T7T!J`D#}s zfJ?nq4CY#Z`1q+^;M})B<{4uZz`FJ{eV!s|63fJAm~u;=u{XY4E@k|-K)G$4yHP3`PcKY& zAa{`NBoGq%i;75?apo;~Hi7H4cWk3W;!;Em=yO0rdUta2!->Q8BM6&8npY&}fFJ{x zqL}~;^G$ZV|MBRc$=>gu?SE+EtxfjZ{gaPP@S_}keE);l9`5#FGb|qO`5+9qcY>GX zf%9B>F+7OYI%MxegDpEzf9IX3|HbV@ZmUbt;s5a8t6fDcxw9}5$4ZIUdj;vt){@;D zzRh#Wx5k4Bb^PxR&;T!^fScVyJroie<2k^?K?VU^h-jr+(QDRs>nUKQ&dGjL-55N> zg75Zc?qK9O4z2vVF8H1c`1K9?{pK61OziLMtXC5oYZXJ0Ef}!0>e)%Jmpo}la;~2Y z_-r54wXK40I<=kCa;g+WOn$vqcc*Q@tAYC(d-uDM*25NtCh)Vtknv^gizH^^QY6sNuc`LRRcp-y#)_)GS}T+3B0FSAlDWh^~2t-k$W*7I+ueFJ4! z&;zoCSmx9|k?@t?E7#d-ojGOLGt0*WF~GUf`=V>yS5_hcsl>j>sTcLeH(~YiT1uGf zP9*1>pZHNk*sz^LPa;G8geMXr4YtDDO_)W;_}=hL-EB`Hn0we-_6$jtd5uSE4xRb% zXPOf{VG1SB)~PQ8kxp3M>vWpkPN&uFc=i06L}bY|&oZ%GWvT59VL%ic2efx6K`hf; z5=yVre?6f405u-Q^H#PHtr@fy#(uO8)G-QGSb~D5=|7+9aU@7}(j++)_d}M~Q!gQn zRgKsD6c~=0aD^EuQhByE^^B)CKhEsS528@S*{4*Q6i_FWNb`(EfoprCJNBiI)g9H5 z*8W_?*@Pt`;C@y-zmMU7KhY>Db^+c83vXIyzzYQu(?pR_IXEUZtO6O575lvh4baXc zK&?HtKg%@H?xhdmoT(5os;O$%;z6M6m1ZF^BpfJnqb%vK%aw1$(gcetz37Jd0uJ{lqH?;8{|M>O z20(}A(E!*=vXe#Wf#&roVic$kouA4f1M(#N39Da;X&vDTU`;Es^kC7a?zoPDJPEB2 zdlXt9%g*mR-B)DiBMu&ToWVP*;nS(=Pkk0SO(o<9tHw;~O#|j^;gCgr0cLnt7da`R zdap^Sy}Y=H{PDSqm0lbq)UhR04b0HnSwg)pQ9|9qurm|UuuRC96|sAjyt+eMUe)fn zmo2Y<`mew(=1ZkiWWx5vnVcP6th6`m_TOqLFZqQaghFL(&ce?k&=dFRon@jo4mw`o zIOH|kJvyTHIF}N>7wah|laqF%RE6)>Q`n~|%luc`nX%1nn0plU4QhEirw%OE(^j^Q zqjM(Wz$B(x&6e}3h=5;5?C9HIlDxU;c;f=v2TP5WUSWGtOQFP-!WgDHq^gyJL|Sl% z#rqFV4ma)v^r|?gH+^FWN#EwQ)`37mi6VgMck3y7p!z+?e^$TaK`B~tgLYfXa|A*3 zN)HI+oc^-%>|Af?bexXkPDZZR$J1dvi`Jim>E_jWQr@UD8tc<}qQW{@k@xVp5P;S7 zLDTD;7!R+@bw3lNonD*hSUn#V6Be(d2#Y}SgH~YQzHREoqkC>ytCDHgLXbx5u|f_eYP!XG$8nn-r`vQLuZh`*jQk#O_k`6uPQU3oou=pX>!xwY##r)r z&7%{{1JBjhFw-L_EqL|J>_a)RFgDG}B*0`LM1Fg{1aN~i>1WIuASHjNluBFDP>vWUMdsQypJhZp^UAup{tei=HY&;i0qD;z@-7a zcZW%KduDKXmff6yeV0t(t=-%*(V#d-FVGJhQM!R!2UBUmw~}I21Bc&!Wp1_7*w(>{ z$pj4Jx7LSU2P^$iOFKrnRTy+rrP<}Ia;Et(g_f;`^P!^e!(#1?W)q?I$q*2of$-&? z&71oT220gb*5o#0Zy*H>l$5e8@;2AT$yV9eil^z7OoF>LrmrqG_MmyMhseFB{Qd@B z=NmKJGCofs(!--D-qrrz!g!=-n>wP9cl zH+dmq9I2Quk2Ha?@F8!-4DCzLq<*VAChYU)&v`39By%2zDcT#zhnK7U#KN3OE3H{3 z^Wv~aRpd_hqTccIta+8QMyvJ@oHBU(eP#>T2|vv+`&l1*^bu5RJg`JS-DP>wd#}r- z=^B^j%ywzA9FrL)7kTV92*+x<*j|-q6U4S3D1DFy*;~tnq{p+aS9r5G^oGxn-sf|- zKO1nzA=l;3>3stz%2hwESE_h@=u|_0lTKW|L1;5538HXL(XDRdfGpNiNBgz%tX%Dk z_$mdyJ>({un4%EX?qWSHxDIlxj|u&`5xCTcEu<2Cs1j`IDZoRlrK*_V^y3Hx&Yi){G&A7=C+O@R%!XG4&fDgm z^SA6D{-Jn|ufp@U`bAHvY(qT=V(lWZamH*{WMyBl^G%WneTpW#64Pc5^6=KFDi{Mx zobsV*-sVqklI0enu}-j-rk(aLe$Ni2b&6ffwLP{qv=EQ4A%IBOC~B357r{&ckpZ3k8a5=O@B9`(}FbT-NS_5HMGP#&V@`_Z- zWjF_hgG@4|B_=!y)$D?V-yHGQK-8DMLM8!%K-Wo5qi2An@3~#hM;ZL>sh{wbFj#My1luMI-sZu%$|UPf_Zh6dsn_#e zf9g0iX?J(8Q}z6SJXE%O{Q<7^YM--}Dp?9pw~W8pgrW5z3;3i?uqiEbtiE}fPJu6= zckkfk&M#6g1iUq>@qdSM8;;c)=MDQrgSCM$&XCP6;yx61OxRz!g>&4;5;eNUocp7k zLT7SAOuuPyU}8A8c0fnUwQDDZu&W2OUqc4sL(I9yX>< zr5RtYHXFoI^j(&%yp3}+skXrr5rhev%BAxaISuBVox5NT-ZE?|F02?htAeSVf7FfM z*kkRMCl^-VjZ&$XyZUwwg(pIDQMHrSvDvXqvb4lI_1$_3ORBE(0hw)7LcMUAP12PR z{^G}}GL+Q&o|31Mxag2ihiV_ba=v0=i~v$^_6Fm=Ex8Tv%?p>DiO?Nc5Y8B3060GO z?l-3(rLirgS7g(8+5vuyg(|60S_%@g>rnE74UpV(C_96(JMPR}$04m}cYyCs({)(` zemmskJ`B@j4IAFK>tHT4QS35|_icr|;-J_6Yrq8hl!^jYxWkU-u_QuQ1Bgz3!@psk z(`9X&L+5Xp>$oEaG9Im@gqy!dtpraFih$ZXwF_e%hgmCATe8yNu0_^lD}oBHV0uk> z>@P&p28LI4tGctjT1Qda^;F}V*fpUBtt3(`lb>KN)mwS_N{yy^FFbX#eU7T)gKv4nV_ziNpJ^X+s>pmgBLfc%tf1N^036laPY!@g%yYb^M)txQ z-IYj|JjU=W858U>P_`Cs56K)7;WY|nS_6mY8yY6!9D@&h=j5T zoI?7uJK7dMeUV$1H!R>25NxZRl42L$zu6lMp97 zV7=T9@C1#@EaiNN!dRx-ejKPodzh``SVX7*jK>{U__WVO&0`zh_4x9YiqJpe1zpPtYEU+BQ}tF+u{RRiKTHAB1wmJS|nNF0$|X{ z&tHgZI!!50`N+jgA00QWY0|RWq< z+2ZSYnLErt?Jy@|#sMElJ--WLT#95aK&UW(lvKf#KnyufU(Ys|`p>cVj5@<<&>1@p zZ9=>5J)>cB#2TX^hPQU(bZa5TTbGCwAC15d=Es4Fw27HK8FJ3BjW zcMaAonG|X6gD*$~hmBq{ARRJF&CMUBraB;#ES4D>iX6t3#fbuA4WLp%9|rO%3%IkJ zL#;r%&{lHMO|Z{FIb&S)3FECS5VJ524di&g zgPc*FKKgkcq8NNxJ8(t*quG>)PRHrLo=urNmH+r3$y1rjJg4F*k@PsBWWUsmuHW-8 z&UhG$B(3EFtjy_o!2+CcHQVQD_alQ(qQ?;_ zcjOsBWkF}K?+r%obA*ifxHI(!jzea|uGYh#3k+5G^UXJm&tQ+fwgI783*XY@5#`9w zI%QtxF4-qoMV%zVKYjJ*Kj(nLI*rv)=jzO1fBDN-8b5k#JGz(>+j8iuIva&G%WWfsIngzbYsMugFTb=GXi1Gdm{_+=-0D zd9(26w;@FF&oSQ&OS`sz!E;*c-|P(ro(>BSUR78aWeZeXGP&YOAcF6R&RPktu+)>T z3ZC}o2o8^@eLnMhjzbIA&cWeMR~ZfJ#~o}s5_XNBvJI=dzoykdF zwNo_M*jchpv;2!0wh3kp0ruuUZ@t%7w0`wAr=BT&Xp7e{E3(F#;}y@Jq{gao#sIQfb_!NTso@NTpFILz#=u6ZT)uqP2*#;724U`wnugaf6NuwA6GK?QJDttp7(sqH_or#{#D^j z#*?|osH#Ra3&zKN-%c0m=yRKeI{Hjip-%B!RUOT?lALla%GPme52-tj%Ve#ox6HTU z5k$NxzJDmM;(|29=T$Oc>(!tCD5p6hL=j}zj6J~e`bG$y>wPG zV1N0G+Mlh1di1C>Vaft%u%>$M1Jb)L2SW3UPwcJqHQBScl}=`%Qix8lZuQ%*<*;6LwR|c7@6Z2a- z&o`55Zu)|8mM2I$7b7(y*#7Ym(<$YeI-Z9yJ2+||9AZ2OAqG;1y>sRct6#cPk#QFa zGB-aenIPVX!h}Q8(-v{A^h<=fjp35Pdk$O+iEdhu$=z&pa1c{LozA8;(nL` zXanh>KujN2QiHrX6WlEj$vk1ynKgvAAYTVJKbcqJ|0+I$~YXto> ze}Gf7HMAnMD=k;+(m*0L@rLwwgO;qhX8Af>#PHugwUtoYdsd?@t5H6mCt}VsaV8;? zn+MA%mVbCeKl zFU#I53Q!{QGzH6Pi`T2<8>-SHnV7`%cn%MZ4564<#YSP$p?1l5w7tlP`A$ zX$KR#)LP->s}pGD&yn~!9J$0hrVFHhzlz?WfpItgWL0#PX%D0dvWtA7hbC*n1vE zY@Tpm%+`_maDZD639B0NjsWa^nIyu`qHCD=!(7vURgr)m0dVl-A`=QJ}jfh z>ZR0P14;I)B$R6T1VH#>`h%$z5XkZoEpNG!31YBA+VQarz(o)BhM5+cYS*zB%~$2K zMAV%`A_Ew0Rc9YgZR`^nvvU)LKgX(!H+zHrb3lIgIvwtfx#Q6E-*wh^N08ixKO4Cs z+Y{#Lg5C4wTNG2MNa}x#EPA?!>H&4BDWj^s6Oqd3QY3KP4Ef%x%7LXJzZ6S}dDI6c z`&?~hnxh1y@`|)4*OCfBu2|JDKmsfhAb62+$_9fDWO4XQ;ruau4qABL6TR8Ya~xU` zcFr2>gU=6tzWK(gQk`tnhp5SQAa(J9RsErpsApj$Ecq}FZoVsJl0@m z3&HA$Z`QJ8T!&jAQV92`1%ND|Km(H`>ljNHt!HDEkyYdtK>;%yo>YZf49GwIQkl|V zJoI#`&%+xTdHozX1XF!CUsd;&QK3AWuG8zO{5)};uIsq@X5#RMBJuHdgoX@RxsL%0kx@Nj@G zr%ZD*JraTG7MK&G;RC>xVL<_CUs?ARuJqdqh}2||F=Z`S@_B8e>w9@A0w^b?pbip` z2H|B0RiG5Cu)bCwtL^~^`FOB=yhGcJ8&FQ z7ItR`!@5O_qXo2* z0poENwzLo8UJii=x&w|fD;Ak^!53nmki?-Ln}|yhYgiK*&!SL`{-V#Mwc+sC;k{Z9 zb#%aukMM3#Z?uxZew>ARfKPN4lHO?!*GU-9$xji+b3(zy!|y%|e+@}idGXSQ3#L%k z1b&!zpI2(T!t}0U)e~zW_DXdXRrz9N1`5g>Jc>8Z;&9)120rH&uaAAxT^&6e!ffn4 zM3#+hC1{OpC1|&me%-YMZMPCK`~EwL>@GgYTnAKp(BQT0K@jo7fx<3`DguK+V3HY< zAIOiUI`TJrgMRm|wR69o8hnx(TKVrF9WP9CII&-XdQ4(kB~tbK>38jJ-y00QvE$J8 zy|at2=QRhcp?+)^pD9bRS?DyWNZTS5k;x_yC@6oJy(di0E;UF{TsgGi2gw7b!6q;k zxe|%`S}9uy9%T!EA^eNf6a$fTCsd5Bmmc+(aXec05qMaq)4B6Ysr_*&9QFxcM@@;j zE&xa9l;T42dQcT`N}mRx8WuF5-MWE{)ExSV_)V zcD<4ix0;FtzYJw^j?wKJ>F=3j=a(LqE0lSHwIr1_ z?~b0qn)jwb-<^#dhZKaJJ^rH+P$8&a57K-&;qr#@oNy{yn!=3id=2iP?S2c+0*wZL zwa!f;ObXh+6bYY;Pgxj|GCE;{POkjpRRyaAA8OrUpXAl;J*>azi};DU3|HuJWLg7c za#zUT-fVYbz zgj_6adeE^mwpMCZq?w3)L3x75`bft94hd-vA|5W&nhhIXovRFq$n$j=h_-1rYhe^1 zZRgsT`>K+*I(_1)`)^^rnei}MCxTJixDBG{i+q8sW41xsA#1t#UeTi7vlex2#bpwi zs$Cop9j9< z(AKs){qmsc0sS)kR@07dX9z9xa#k>eLRs)8Rp%2Bbuy-B|JfoD=|V<e} zBI4I(rFNn6w(=B|2$mLh7y3-&wD176m0@MF)j-X>#7({H{zSbqdqv0TR@S1u=&5az z)%Jscor}*|!hgVE+&N8J@VIca=pp4A;!(ju`g#23=_k8C_6E~n>^L;*ch6THHM^{# zelTMtr3~@|swJ-#3W>~7HFVQoCvv@-U~U4$pOg~xPRY*HtYwmNV1WB|EtpV0koLh- zWm1uA{4L#m6th$=1@n0-QUFZ{uoqZhAyG|`?=>&lZ-S334n)AFQv=Hsy56 zQjUG2>|`s`@#+1&- z*H1dih~*YTy>_{p8hpNtFGY-Y;VtiGl67*a?CE2zLUj)Vw!)nLKhN-LS!G7*U+y=# zf#xT{_6xnL3+-o68lR0H#2ArEpxt7bC{4Cb1tVw@3^yBK0QgplDK$ND@tUC8o_BKQIU1`_|Mp zD81z?%^Rb$O7bT++0`QS7p7he>6;yUJw24xDOw#(_jKHd$JfADfsl|)tz=lC0_;N~ z%a_i(TWhS!TC?YNWkBUc&+Um)3xCYkQ?VtY!qW?c_NN_$al`eZKNTnsHA{#U&bXH- z#Ll?Y?GPqPBCmc_=EA4dJmG<0>dq$fGxkfS;dt1ay+L>M))v$&*-4C`Y_0mcv$Nw< zin7BpW#aW0&tPiKM9||St~6@cJ9f{Y=wJp#&KYf2N$rsEa7#8r!bLf z{dFdf6FCcQ&YV4{J_+R9q%{{ifX^_Un2cO+psx%B#NiDzn>sd+75( zsj{&_Bo-#nAGw%|9HBI&YfeRSDUweoA55q%M@a1thoiQ>uzceggamyVr&;;bF;Dn% z!d$0QE$#Bl4n|!g_PK~%Z}e@LmG~7`iCpnHMLzLe^eHs}1bOEW{P`n9W|g7Yf|IQ< z&=&_`3Lh!U#B!CL2w%prQX-YK?D65t$YjBqf+5Y+2|~{guTv@j%@3`3nqJ8y$PfQ1 zTwR2*X-x_HooQ}E^y8lEw)rY-UwZ9y#pBeHu{d4vxFnu1&{DHs0zQa1Q42)=H5U9D zIE*I`o(kQ*+FKe`BhmgOM~C*;$WN|#BI0b@S@pKt&Q1Az&gbGd5wq}f)g>b0X%_nV zD8FHJkG%XPQsE~eJ2NPO*6pD$-o=+;B4Y%0t=DTcdg=XSz6L)lOzIY^w_13@fqgF) zSC_bF)C-%@=+$jTGr=>2zlg$_@UQ&{b-Gm|(oC+9K|!Wjn(^cr{H5-gyWOtuIJ8gg z9!Nmki>5ogweWSR#_u|cPGQ7B9eep$ksF?}Os-GFJWR9X`ZwYluls25hmWN#SneC< zT655L4XhGzn#q;r%@d!6Z~a*);A~IBxNTQ)rjZaU*6ZZepz6z=sxN1?p$6KoMOJ8a zg@u+Y+Dy#hTwS$}!W7NXy6sb`rA}%f3$?B%Yb@TMu7kPAAa-+Tj(!UVCxwYPe8m%y zkdx-fAWEv?GiZimf7t5_$Duj6>(m>&YU+($q&+SIvC@`(2l~{iD`CLR^%dLUB=!IY zBAfwCidAMxc8`Gbtpu_M#B%J-UT-|MMAv_Hqe_{+Bs5CXHmX_UdMI)uH(>Fu(NAz2&iM~2T{kgYc0=SJy<7~;|KhqieuQ`^Lkaaf-idhov!C|k!Fm?j7Q+^1@tsi6`%=m zo<4Wdoq1x^cO06LyZg9%=;Q98GWJ*mVaC3r#-pYJ*cOf3>1-0J*+(DA0bZO> z6@`W`bv_NY=4y|eVa<|BMg8E&>F+9&{ud|{w<>@AGA~8~+4ODMRED&ByUM2b1e`ealGd zD|6Q17GPy=bHjtEYDucKDkc*{^PsMW>Z2jS=&!>(<3ggb{bD$==q$QS|<>(&E zUltwcAJ@yN(sgEtPb6oUw3dtH4WQKlvlQx6F|@?K{@Q8_lI0Qs>{BUK;@EA=C}0be zyPCv_0MaU@MZzaaB=Sw>`fReYfZ*M`j$<_OxdBxBE_c%x|3;Ak$xI9#rmEH+}IUYSS4LIeie0b@DII*!$7rhcm~ zngQFkMzW7AKM@iSq(}^)2C2@#E9kbBWt=Z`ZE$bVRiNKBOEi_s=8l{1@Qd7hQ8apk zfw}o^xyr7I+acBL>uS}^XUxIL;nOdb!tJ@j8#@lInL96)UGQzG9|Ydfsr%)SMIMd- zc^o7%O+V)BohJ4{=igDDnYu)atq}Lvlxm@oy&^rK_6)T!`<6%gsv?}2tqgp~>0=hfEidr6Tr|>s9Vh-9s4H1&<;T&oxDK%KVvgH^(mbm!hp(6H6XO6a4w6Pz^=y z+c-VYkFp%MdyGe^gvhO3{_~ZEU|lR7TE~G%)Qq#+fReryN39_S$1J&o(>C6|3olIBxOa$btXsgIQ#KT*}m8DOty0I&Gl-LKmnVoLHu0Dgd3{XK~&ZQ!URPu&?o{8IBhB=)q3{VxP$Fci971(f9p0G zuYf!S+;(3smst6#ZUKFm=&C}P_@zDLwdhCvmRF@Z9w+kiHMu5+mTSTtR|Q}O&R{pm z44lCiC>agzfi)PG#~3|`%=)L=S~w)6{mP^cT0Y+)?I3_%ivgzdxK*&%HUXyYH+M=7*hy8wFxrS zs0Nv8RDn!2YK;;GR%Iu;PuhtZ+XHMd@)Zb+y2qY_H zho;)jwURD?_oyG&EtE>$P$|i_R!W+(#XD8G+Hm`;V`&`Pj7Jk1c{X@*rgSchD^F z7Akr^ov|{R|Ah|gjwyAZ_1(#HR2?1!fESdcNZ9jii+1bId z4G{_X2)URl7p|8nCIg^pS8GBsZ@a7O+n%EgY3zF5%yDSR+I6KGK@@w`rP_xul7Js; zpzjMWI}_^n)#3rz!v;cFwQ<59$VE%7`g^7M83qAa_kC^Zn1Lr8QAIV9ilP~ z_@z#Bw~Xio2#~Ayd>KaJbHGJ+y_qitGsmH+zH@!kU;vY7Fd)O)6to$&)O9?k>-1^{ z&{odaX&BEVahh@eqREaSDs;H!5gm|;o*L$$L$*1J>iQT`?I(6SsK9&xD%}}7I%YEx zD#0}#9bfj;Bx=h<{d<5ojTWIsTFt28%h(sIEN#=9r7ep0t1%v|dDH^nnD(ANkIm*E z)p!Y7(1*fb1GO6Nu>-^%_)aF_pQM`m$1>O_))IN3%iZ?BC7~euD-6%6d7lg2JRtsX|#9hQ;bBo=99r<3|$gmE*mMvMYL$D=Np;jiz z{9;EKM0vi5(Qqbu-18lW7N^~vY$J5CX&#iKm+h{;u!bF8Y81jtjmq%S1L8ZS^Qnjf z9?ST8Dc31f6&4-Bm1&@tx?tf_+z;4U+S{`Hof4g3;OnQ4EO4_&5fGacY z`ny6S^uIJ{1e8mshz__l^ryu1QwB?i<6!0~eVi7Y-GilAVdrgD*xfx^YQ;fs%foxd zaA;))-HRT-wzn~pEF}(_Yc1u)w_Wg%p@KSb2O99cRHI6WHhrrX11Y>p?{FmbT`YdX&!-7RG->iki1uOBt&l za|0ugb=4*xkhK5|t2g!+xd0#;`}^=SIOr@eV2kj0B@$n$kn`t=K8Vhs-}jY5jFWz6 zZ>a}egMcsPA&weG!{0mHoYHV%^Qd-R@u0^e@B{3%5Pt#$s>;c?|suUWEgSm#NBtR{W4DBoJ8rbV13p{AnL zg|R#caw}0kTxm!SJHUXt+ADb&r`TS0y%J59lAg*WVk)M(af&ED{Hb_<@zJ+G6!;;8 zZ&T`N&ZIMh9WAYaM(egP6OWE3tWKfYI)2MOLRa>Co8OWmyF(AsW}Qyk1!5Nc*rVeT zUcZh3H+G8wH*Sjo?+{HLRAs8Y$i>Gcv>34XEAyiJ7UExJ#(00%vcvwDR(1$-K`=x+ zTTQ!`_K%NpR&OOFno1`&aCT(|`HK`)r{#7n=LkT7S>_EgB2rZj87T&dWBME+%2{V1 zrvAWjXoq`Y_-xN+wl?mJi}r8bFs#gze+`rO?w(C{aB}#JZq4r0pLY8l$Dzr*^Bl&! zc~|GnZ>s@0I5~U}l-RvIox-pDvM_JKIa>kL@EnxA z{obrU6OKb`>0>ORBV0l;-S&|6o>#&blC8uzRWd|-cUE_G+{I;Ku%OhM=O;b&uN zk-5JgUmrxFh=HtyCPgOM*@si)Unvv`b*q57UaG{pw;AnSOD+{)UHx6l?)qO^*&WEm zH4IJ_>x$m7WL#XFo-;Zxy1YLeI}Ru4NF#)diRTz6;@j3qekzC(BB*YzDgoJ$K6po zP%V71GAR;goE;p4@$u>K*aVtvk6bENJmHy$o*~pY^mxY=+;M0>+&R?fjUd$Mjhe2f z_Q4X1VIf|%p{{2@)Nhl9ZA1*KU6+0&*MZq%DV++4{o+|Tf4dO@v|B+}FFM3!wy63% z_jy!>i}a?at0vVG^+1qubggc%t~on6zEd;yc&cdT8N$2ergshR+6nSiR@lp3Hng6S zt0=|KlmjwU*;+4OE^k(sehUY;8ryFtEEPh#B=qXkQth>XEOxIqw6H#^?66lLGn;An zEf^BO611Q5rD=*FEb5ED%G88CkHhHv830OqLAN{b9f$U$UALk^uQ_B5`0qF0l+v3j z6ScyWUXL7HRtDFn6xlp$l1JNCJxZ}{Cv9t4T zgyjjNLDPlZB9il*4;p=H`|E5W6GAhdupp7E;spmX&P1HG&cKMd5MouUHEc%cO@vZY zpjv<>?dy`%S+xEfOgFE#%2_+3agI%D1I#sw0CNP=v;|;J*UjGWAn4Z9l)*w_?+8+P zym6nvmNzN6Qy%Zk(cLI>bX)w_8hfe8e@#apiT~Q5L?IrP27J=T{|mWhOMVU6KANo` zTSsbpnt$+M8M8cmWx1YmEUKd-?LUVlg@qZCDamz~h5_V!Udy$zYaw;6sqbE=f}LNi zr^3%7cw%cNlPjJC=S=B0n9a#qD*Sa~a?oj-(2eH=eGXy0p~LLQseeN$IuBs(zki$P*tcESSNTiDsS1 z2*GXDKfVp)0J0>2wuaDgO$4k+=1Rntpp@_ov2861PAg}{xL#{51I3%k+_E@^a)xyh zW>i!L&*y0x&SPc8klv$XQ~SOT)fbl`w>qtC6{{$S-lW!ex+l)JJd&--tyj6Bjovff z!k_jcXJ4=7jZ1kJn3Bs^q2BACAppU-7YwG3LvwQH00iK*45;XKBLK07$cP~p_pIYE zYh@zMU{qdo$b{+irTJspXf&8siPa! zVT}96FvgBMs*Yj2%-NtJA|@<^a{hd^%^_iVG6#T|AWY#~*K$d{7Tu=T>UaiB0|t?? zCs`mkjxXc42hqG1g{DhO>Y;??g$7AZvP@I1XoR!rb#A;Hk-e5(s7vYZkhC0IRW+HM z&m(lfmPXk#Y)bBMHXOQ+L%Y+?n-Zic4@Q-n60N$G`$r}(M4WS>ouN!{932{YP?&@M z%<0kYM=oJ4`@`zIpBFs*3bh1KL(p?ZwOk&R`98y4B$BUo7163_;1!V8q9xzT?o8-Mylqj}-;|YJ%OnCHikGEqLlWEjn~` zjIiKE<~oy1E#d&VNQzUwGCk`B4{^2Qs7no)MQf$)PaRcPBl`I74y<*cQXPK5LONR{ z@`{NhkqL6=h|kLI2s0LOW&W^?&n@v(>cB5kJRP0jcOkB?WD=xrCoB<5c_~1nTZU=I zFN7tVN+tLu%SLS>3&Epo0SOA}u}reJ6GOGBRwsEWk|YF!TPb>)|F~V^X~yXL)9)tz z0iRCCUB{tqWq0&gWV7~&#KhiB_SpU`qofApF<}dyvZ)X;l9Y&`2}S4X0(AGK%3PNQ znRt3lz=i6Hb8a%gO`^y-i^4R+kYSUFIXt!EIyepqBc_ASEQ|#FN9{Xbx3L55;5z2Z z(04MqjOw+9zAKF9#lM`K@#^a0CvK>%0lX%zY`UnCjQPgwjc^|m^kQm%>z z8?)yPD=Erk99=txl}o1C(eZ@2W6yC1BggG@95p6s5B>oMo!C0$WRf}TY!Rj`Ow~?0 zTSrPK)V>mv@~j(#g^|Yw^9wRim`OnapX^E`Y9gh~o)J0sSZSI}*tpZ_VBPg2X2P&? zCJY|1^?*w3uNS&bAtPgz>OZXI@~B+5cSJw$eR=5TMjrbCtjC3#6D1eB(C*0tG~DY= z#n5qRMSf-^0=!q1d_U_?-9?7u(}crACUCe*j&QMopIyUN4+0_A}u)PeNV2~(>>oUu4WlQl?# zRQeYpdp?rE{-8JN^T2UviQ0K(!fX{vRw-#ixqbL|w#mi{*zHCLc{(km@GHAbQz0?7 zLYmD>p0ty7+{S{3ma+8CaSsQ5j#?a?O%;j5fOU>@ZE0^oy%&<(~e6 zr_v_x81&a#Tq*;eJ3@B!zCg$h&EHF*Im*TLGD+u!*>yX1`fe~$LG^=PZ?ma z_UyXk3|*xQ4P7EN)iKYFO#T}Q>>HINZdFwH2;_7Fi5pz7LE_e^E+uGeDJ5uZEhTu2 zB>eFfLiiUsE8LdnZCxiYBQOYZ*m1LNcvVVTcUOb4`=uF-otEnngCnJ&?;js&+tCt6 zg@*Q`g|Vrzb}iG{tJ-F}yFwy%zcffhlt%{#M=GOB!S=eHZj-hIyLJPs5GhX(*gsuM zS`~}Ui3PscHXbDo3Y59$=NKD9Kt^|B@k^a z_X$*6%vKq9>JZ+-;_o48J`k58QWGt02Xc;veR~~;pMOLLLi<0<`1I?AOf!3aRhD(X z==oKp$#iSEJSsJr9dS^*Um6Z7$fE-ZnWsd~TBuCX`akXr5H1IAk2FXM%;zgU4Wlr- zwuD!?Siel+b#-bRq<+X5yW*L@5J5#T!*j4)4yL2N&mD)>@11b~0O)e0aV{SP@41v% z+1NeJ^NuavD^(NSr0Z!ErVA0A76|Az+#mT$T3OEa;>Uj3hyA@=#~I>v>f|Z24L$>T z&oBtwzUw$N8+O)RTyUnTADjlI+^TXC6@*jkcm}~<@zD2tRjV}$%E6^AuIxXt_w~Jv z+gQK-+n<6+aBrtqHe*SC4W2&OY-VPg`*dc4OlFHkvDnfQZL1@Tx_ZgPTlBkM@Q{=! znNH%!cCv|6U|j3n6weFK`JLZk0)Hk7Ft1kz&N2_Pn)Ao#JxfHrYot`Rz^f6UdYT7u zOcPNyE?9E-R&l1vGbm2Ua!=*QLBb$pvy%dl#ee0`{NTD*qOr@cNlKF&X(jmS=}AkH zPnCi*G9^G?wBQKh(>%7)$NZ zRB7}at}}X$2o2O0JSq)W6)u4)fMvf}WAJs)+mD}-z{z8D7RTWd1yl6fTy&8B#*(kX z5dQYyrqlIR&&p6+Yno15JLx8^YXIXKG4w*)wdD6aVoyg?jHL=_>@Gk|5CR=7RC{zug|6z1RKyTf&2OuNP)26* zZOd{)aT(zy6t5MUWbz{g@+i*3P|5$r^drkI6Pf~mv;sOdR=d8`dDSiZO{(h50xOTQ zFqO_3vh;Q+J71?!>JA(SV>$Vn&N;^g7nOgw_9|NcE?PmfN-HSOiX?3P6uC~X=c@GU zXDYCBBm+OS9L)k;e>cfs!tyMLW+&x|f^JZpo`s6F(wt-lN(osiz;6#EZET8&#&+n_ zX%K;ZQ|B<%o#E(6ZSrW6$@ER4Z}-`P1kuV$l5adkHJVLSVeQm5m{>b&yH{8{`O@Iw zWRBKj$sDa?^iJINl>fihx`Ka2O3}z~2&GZ*IZFaBQ!8$XAcC&xq7~zL5YK7yIS(MO zUmi7OY(kRaN?xAaP|T+Vev9e*h0q)4PTLtvv_%;W)96}n?- z&>bTnrwJm4Yk`8@K$8h$llhk~6ZLS7&^Q22lt7u)T+cozUy0Z2Q;el#GfkzW|f*jP*TqP61{ zjYHy5q*0KfE23x8i1hNW!Kh;)!GV({1 zU@YxMV}S9XJwz7#yN0%fOTQ}pRxN#69gz4!UCCUBa@u3&W0@hj>kyD-ZS;z+YcWYv zNfsW57})XoQqdDAs$A{^b;?~`%2&iBNDy~#rRTdKu_z#)v(QhA%}{|43J5gNe-PRrT<#eN?@z`8&g-1KSeMPh)v)B@dt{NAj+ob=zpahdBhRIQWWq<{(k=a z^ZShxWx8U0J#MG0$P|vdnW_~y(;>STQR-74?;$zj_59IbfU(pfjl)$V5w059l3e0H zfxvf%bh_&Zd<|^6mU*dnt+kmX@*aY;!cT>I%mx1`Uz;Yx%Y>!ohiEW}v&)O3d8vHT z%3EoR>KIY;x^h23-r;MKYb@z}(UL3cDY6n+b|ZrLyGK3v(_x?VFqXo)r8LHHOKFU5 zk*W~m@$hVgu@2U4T9o5Hx1tobE3vtz>5~x&XR(2+ye(rt0nfi$5$n(a^)_ zzmSdX5x#9%)f|tt%kBgQH+^k)f|ez7M8=aeO6pzYbc{8dPE+b>=ebc&gRI*H>MEk& z1Q)I5F&OJHU+PFe?*(tp5_*aj>;{&Gd{9_2Ba!U?x`)8Rc-nV7cZ{*rg^e8rD9D6= zS94hZ`N;;!^m0W*K!w2OQ!_1W7pYOytp3^(=_=D} zlRRBc*zKu}U0W;x#cq!+79{dd(XU789P(=(|JR!@n2$PFH)zo93V7_v|2g`nUbps& zl$R*elJSKCM8oA)M3Rdxwh6mk^3A5Uw!4?;;bhn&T%x6DH&07LY+HQPfo*CE{e$J` z^G~0?{QMSu{B*5%6E4#RcXtz3U?jFS2 zxxU7JtIO4EF@+WR5(_1vc26dqhX zXPK+#?!k2yFG0V!dLbD@9*dXI#yw93UJt#8*L_-s>rdnyhoow8;j+cB5QOV0NU%K6 zn6pIp=PXOnF&4kRRMD|ZZ1o53M4m$^j+8CX(2b-V8)4fuB?I;_G7o2YtB#CQj12VH zqS~N5hhd-Ovr}|Fr`}f(N6_>lbft~BA##2g@y$ovE*dw6Y=%O5L&Iu9Q5*87@kn3Z zkdH)Tw>*m=fUz(mDW5~QxoX2TJ1yUa zauCcr5h}mPUm1hjIqLOXy@|wSxm8)z(Hd61gG@bErhu%1&1OL~YXew;KSwEK%7*M* zrl!Mjf7HcT3Rh!58Z@FEy6xU*3pM&s({626({72HcF{RddWU=yzqCh_2+0T;k~%knd9_mg z88D{&slFvamKC%M{MVhsu=437*DC1E`Ooivz}kKJN%Fk}5&FNMKYeV&3xYv5jc#%B zh2V3W1vj*O9VyBqNv}u!wj_KLVhp!dFdYC^QR3sfURLpV#ncHRL?T4eW#r8h7BRjQ zBk3F_r%F5%G|8t^$bWtg{!QzT4VX+>S(MONq>yAaUqM(0ju!ObQKA7!(65xn{23N> z!ICAK&?%GS4uC0DA4nHvmNcYZMt#KcEY35GE+Uk&1w|f7Y1$U+LHRJ;n$8kRvT%v! zG>lafArg7C>>X73ZKqsqsXgzDtnb6rhL~zVwsCS?q>RPY#MdJ2EN&pyz8>?rVmorW z-L~89cHFLWR34MiELoB)ql-98_2s+FulZ7!@F!oS<)d@+V=TLP*yD%60^UIyo4DDW3v?t*o`J|^OMWkF+lTHSme1~kgP zq+F3e)k4CGYsp7icU%3?O>fI@*g2cgC_Ck5m3Uco|5={RSt64x^;^MnvnZoc*0~15 zBu1cxW+9tYn}{LN08H$_K+hG?Z!#5nRNtS{$R`ntmJ61rIrk<+r!Tt)meU^fjh()} zq!cQFMf)p&0j@OblBtV1xuJ!@qJC-AB1F{X>OhTpp>cOqh|{VcY;DI6zGs%->jzuw z{osbK?o;I;U!JSmt5C@RazWOm?4h$wcjAtFV~nMb+c>KU;3o;}SO?ueb?C;OU=5*V zgrL@$XSMnGREdC>Hy;aNryr%NKx$t(hEdn|2_YEEiP?BQ0?NlRlevnNZney@*sK*g zO0uInsF1A3QXyFnq(XWuSJ7w<$K^pV9w8WZ(Hokj*+tC#b}g1-EYL~#dXGIlVQ z!qS{H&=I78j>^PoUR7KsT{SODxdqD0T6GshlTz5KoEUZD#bx1~T}%Pa2K5?RA`RA0 zMH-BuE{6Zw=-WK-=IVM2N}?16+4m__pwWmgXIO+t7>cAf6p&1bM`anY+J14FVo1a< z$PyCh#cGU+r9F2U#ha7vVnnI0S4xQc@tYM`+~Q{HVxsS?h3@P-E5~hDObO4yB{9i?P%J&kTp#*KoKn9uIck#^z*H!;X5+y&d&l*z_FAa(C4_ zG^=8c_fSqToK6OV5yo<+KC=mGS0-qGqX}yCq8io*I``HGzPJh6h0KnCj#dDs()h*+ zi)o@kN}(P|IO%&x^*Gce!y(3UB5$pkgs3ujda9c3B8x2}vbYGI?*v)=U_|i4ki~a^ zf(v#SGbp&&y&)*rGOs+XH7if+&Xwom7lua4)`LcSgho>VlNFgo)8KXwF_XSOb;cgX zQh7DjSpvq~zrQkJPp#uO)`6XMI#8rV*6PP5!gO#Cwj)foY$-*}yk9B-nlVvLy$6?o zjQy!U!dS{#WAW;NOVE4H{iQaRxV2Ix2~Zy=RYP;o;viLloQjT z1^;%QF+O!Y5{5c;+cXbDV4%w+w_ioi9=w&XXB@156YdQ+n5jp&Mg!{7i%b~!m`{OJG!Ws^&z&0X zBH)(VMI%YBH`7f0;B7UJ_IcZp@oJ8 zl7Z#uNYf=op3%b;f5a3QUi;fiHLLdk-yma=B9jxld1v=-+qRJfpZz+1W4m?tT4aA+ zlO9n|U2oF!jZUfm}VN8py>akVrckN+D4Ibr*kir6KBk;@iPy~Of@Z}oT_95e- z^*VaoK-3#2ZMRuXsj!T+j|YYI2!+*E&d=rBzluet&P2v%@*bEVMz%8`X>nq0!t1sPlbJr@4;FeW6TUlEPH1eJ2%w1)MuhB_nbvp!a~F*ze8a<+HJoKt1M%=ES|na0=ZE{OlJ%psEaKLqUBpXRs)h0e*5+9R{Vh|_-`Yx`zKr_U z1NGLXfqH94fqF|p8WpqZDzCF@)?hXhEbu*kzd4Qg{rK)5>WPUJ>rm?1HN>k2J-eBn z?ROm6iwbB=(|k6gDW3^N>>HOMZD|38X5E8F@AfDDbd0gox{bNry6rKt;NQRe#ZV8d zCjttJGZ^<;HBF5kU0s4pblF9TWa=W{r)UyHBw50VVW@SPW2#wgxg}a(SgTko1gHQIs^g2u^R$rf=i zL)$S!=~LRF4J{3NkfrHpRwAvM32PSy1kvaQ9#5;&#=V0^Yp&6HRji{{qIn|?#Q40Rx+eIAkoD9EJdsv4G%?Sa_P zAGqV`(7{;F*{!Ym4)%6y#?DNc^<$Rg^l41*iuG@3d#&}hciR@$SWR%yUmNQ$R|{hW z(G3X$A5B9tOEG$LY!B=`q~p4DNC=%`EOpoxAg&{TxEc|z&#H|!6s=aI3ZSO^A8z)4 zl$5b2{xTwqzymbuk!X&6)ahhliYst7{^flT^7Cktr6+JelHGB}SGug9@Rcr)T8-Ly z>vC!gHy`BmadPTOKO;`q@6^jsJP$&avUo1~KhN^Or$Ap?##W3mt;6_lJpKifTATzd z39=<%Iib(|{}x?x_%;@0^mY#kRlnaSy)MC6>dxkMLU!9l7XJ_lRh2*$m5ZumJ!3Ho z*=+egba{%VBnb0_c6_!VL4+qXBbraZU&p^$L|cGM`z)J*ipymzq>0K;{rXRl{kvqo zK=3^B;&^6TQ3wes3z3eGx4 zpJ}F)y{z?C?-Mrh7is}1ags;110ew^x|@QwM|Rig3HT)>ECtyV6J1n)&r`^X^2?AE zC5&Y)t2T8YRq2sfu-yg)%d4NT_!Rwm_Vdp`I*?G}e~QB86=R_A(`A~`MOjagKDH`<-zcwDkH4FugW zOr9X}xesjcodwD4&HIEc_RwT)I_i!cim}u_jk)uoz4FkOuqox`7urU694Yk@nsuPH zQnBkRS3q*lSGsJqEIA57pKyPrVAj8)(^FWP6qgjcItvnu%fj*EYO4q9_qVFcUJ(42 z2K^Nn2FUocsU-Q1DA#J=XMhNS_u+Ht4+^Y70h;1M&5bvJN-ENI2-a*xx&)yXH{!BF z0EQm=+RK$dnoqbd3u~X=a1U!AyYIN}c!IGMuI5lgK>*ozWRI6xd5fVG1tDlardVj! zH6WKm!%vZnh($qNnosx@#GI$-?_w;)nn~byVEKPB)sa_x`U?IT_~uXvXHO(ASOSdX@=s2Kc`3czzjeK zHW^QSjHOa*UVI4INplzT6+L#0J{Dbb!17AtucaHIT}2!Q9!a?x=t!L;RZ@B28ol>B zp);CvSWFX=u|zQxl{FGStZ*G|7Wxa=G~e6rNZ{>Q`ZxVC9L=&e9rUtI3Nn;G~6-*%^bWd=&2 zc_$1(*KEsvF{$bX&sQ*7jsItsCmy|mpCZDKic47acj#jK#C5doL%yAR(kJ!+s=CT? z(m9hm$i@zKaj(@v$3?~DPb>-k&7zEim&`wtd?nnCg3>a~57i|8soeFan1s$yuc(2j zYx*v_k+Th=ygN5Y#2Y$YA7eQi8-u8vwmm{t-;r6hRTNb-yiKcfj6TCi$s|)sq14fw zEVvhF(-EWoP6pyTI;ZyMPaod>>+fe*Vk?p_NF>r0%Z?r;uN(oX!twzA8avy-0^Rv= z@E%T~<7VfEBpp$CwR*~@>!03TtveCYhuZ0u;eOWoyBQAu*ZZqaAO3az>Erv0zy0gO z*`;W1GiF%y_KR^>+YghtA!Gp zg7w!{`3e1hIZcan9ztH6pQ0nX+g%)K(|8SC!3&@ayrw#Z@Ui0a+WrC0tHWi z-ETWi-3#2r%L8og13ftF__$?NnCJ{_8vvaPqAM*vCbp4VZCh7v1h(!}>gA4X9e*Wf zuTsfsHm_QYI4?J4B$?6d?1m;}M!#f1Sabv)bRT(r(G~llw-Cl((5RNWLLw?J)s{?U z5rK3sZGmV`MQ@PPlauON+h<;SlBYE300Qo$xNg>wFvgQA?lZpe_5k`U)x}dS+@C~U z=;Yb5RtLQ~9uM}AO{WvznferCsYsqxy^bv!%9L0`Us8H;V>Ueh_$JItXKCwuG-iDzRhC(|>VLvCdb z^){MA2191!hri-AbI5(RbEvj_GvrLPf!h7V@&^OkwlS77YzsNx0pxs54Q#fM^R;%8 z^L?WHtR@FWz}O3w1Hr3&&XR3utmWe#}$Z|$&YQvfNSI?(w0kRqfWxbKw$#NKFR$id0jpWvyf< zEvduJyah+~{d{oS8Zl{1aM zvL(wC6b4^|Xa*xO?(vZr%QiDx>GjYt^=z>A(aHfGgI9`+J{DtSiFOuEG9R0w5{9Rwas>TgwDG^^sGnH%@%J{nr*qoF%|G*H9P zb7wrRs^OjJ#!?ZQUZZfH>b-)hu8Hv-c_GV7mS|LvtqTogtUf4}im_GLi&iSaYJ!PX z#h}7%+e0qVn>Zua#aQZ<#;Y7hG>mdwS?^vi&Aq1xmka0?Drl{3R?u3WIC&fBeD?LTPyE+zAmUxoCL=HXoP#B8yOkXsn;$kcUUoe%r zD^jE;`jLnv<+Xe)PQ1vpMik&5f1A^&inrpg5N<6egM8)DGz>hkCX<#T3(nNfEWseq z1HylsCqXp(Ebbmevx`~8ip}qCsh0!tL!H(U)uRO+ObHs{OY6*=zq^gOVS!n%@9YS? zA&FysD?%z$aEdOX>K?h^s&4F{KmI71F`y&0z~ka^gfRN^PYuPg8?KvDn;W5!FIte>Fl9%C%EdQ)XS09`(CCFW6Ex;9&D@_8q2S!uDTH*EYO?ct@??@;Y4 zm!jefwOD&gr+i7wb%0PGs=*+rD$zU=E(IrmgEA87eTw1WHBX zn)qQ}v?37=qrvGAD~WxOAGvnFH{u!uR7q0}(t~R2o~*X6#%;~yx|M+Gqr;$&r@Ul=#bX zBwmq+2P5&3Wl)E~k|3pscnivnty0zhjcheE#!~(lJv7{ANtUsN=(?yz;l5LZLzkBi?M3B7$e5Sx)%sz-2;TN z8rOCH@uzIxQZMT~M(e9O>nCVMohzrU)O6l86l>}_??`_dPFzWUa`&!Q7TJGQxLUzo z^)8wNb8kVlJAw8YYvDkA)`ZOa>a%YV3SxdN@N4YB^B+wnly)(e3Z$vt7{jV^EbArr ziN?AUZB_Edt)zUdH7Q>tQod*<BzT~bgXBYaUDh^;3|#@|5~qnbQ9X@B zJ|b~|vU$St*&LCmXib<1a-R&Hl$lPr5I^UHpQPeQqARe+SLe`9`=?J|etwHSe!AvX zPNlzDgyLdhATCs9c~icjl0}snjm~cTz&NRpg#J&u03)cjHMoFOlJ+{fKIpVxTe-w55dH9MItF&?!?4fyTQa;PtxA& zK9#ardoOF__FikxSl8am(t}l&xxJUQuDzF4mJbNo(61ne)O5D2KCn#H2iA_$Ub<3y zZ7WjfT2(=ODv8wUao-$|+fy zVW8M@>b|C6N*AhYKLoQx^2k71_{QZ6K5kn1h`3LNh<#ykS;YKgL)( z4O{EUW*dW8&5=2egt%A**^3F{V%-68Svf&NoZJs_(Ge#*>QU;h!}A@)cVqD_DrLSz zL58mR>Yx~XwImyKizV3__~2pSA2;wH$X8kvxRmOX>(V#JgMD;_o!C>_a|p&#FK(gG z!0tk&fuM-d%UI%#t8A?8R@unQRSKyM92oZ(*gUk9#@ZvjMyVaw#GDU8y0MT#K>PEz zAoJ$v9JFB=L>Xjj81lGo?2jKNq<2OUiXcKYhENG1w2oVMgba>b)d<0Z0tA)#z{=9z zw6d?{-l`8|OrShAfAWM?L+c#2hxu#AtwP~#mshBHsb{6qGp>|JZntK$Ub1;CxBi3W zI(Chgc)2oFn`BiWn~q_VS3?&<(|;pTCMYhsGU8(>$S?CO4SX1L`27;}*On*eDMi2W zH|J#`zt8RRH%PThE)s>alW(-8>v@5hK!sDQhNUPlhIcGSsI{&ZwJ1fcS;G};vRZLk zGe|XiboT|o@NCoWD6^xXFpV@NTVW|#rQoexmOo`cQv{E#xE=_Au4L*_J|$cmqjR_( zzkWu7D22=Mhi{`)R?|anjZ3n+HlKX_WQA&Z7OjrdNk(796LE{Sv?_?U55eIBG4OBDFyS8mKY!X$)jR{A=#Ae-kC?6Jkkf?qYI z(Mk2#A6nlX{$BH+T8fc4?r^tZLGi-h@;$m;SQf%(x7)3Mc3o%io!uJ@`-8qca0lOY zZP)2L-=Xf7pTqco&eu{m1=>{2dp*_a*mdTCHE@_fm^!)S^Fd9Zt}K`80{p zPuJI%D52a9rotTp1;wovnkc_+0bMOr>jAU~yo5=Enxbz(Hb;E*gj+2Eu>&^$|0&$(!Ul1J%-10_!3U*w_&fX^{tkcl{{8;|00960zKewv0PGk5 DcYolZ literal 0 HcmV?d00001 diff --git a/charts/linkerd/linkerd-control-plane/2024.9.2/Chart.yaml b/charts/linkerd/linkerd-control-plane/2024.9.2/Chart.yaml index 21e62bc9c..ebbb84bef 100644 --- a/charts/linkerd/linkerd-control-plane/2024.9.2/Chart.yaml +++ b/charts/linkerd/linkerd-control-plane/2024.9.2/Chart.yaml @@ -2,7 +2,6 @@ annotations: catalog.cattle.io/auto-install: linkerd-crds catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Linkerd Control Plane - catalog.cattle.io/featured: "5" catalog.cattle.io/kube-version: '>=1.22.0-0' catalog.cattle.io/release-name: linkerd-control-plane apiVersion: v2 diff --git a/charts/linkerd/linkerd-control-plane/2024.9.3/.helmignore b/charts/linkerd/linkerd-control-plane/2024.9.3/.helmignore new file mode 100644 index 000000000..79c90a806 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.9.3/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +OWNERS +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/linkerd/linkerd-control-plane/2024.9.3/Chart.lock b/charts/linkerd/linkerd-control-plane/2024.9.3/Chart.lock new file mode 100644 index 000000000..a0cb7ec8c --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.9.3/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: partials + repository: file://../partials + version: 0.1.0 +digest: sha256:8e42f9c9d4a2dc883f17f94d6044c97518ced19ad0922f47b8760e47135369ba +generated: "2021-12-06T11:42:50.784240359-05:00" diff --git a/charts/linkerd/linkerd-control-plane/2024.9.3/Chart.yaml b/charts/linkerd/linkerd-control-plane/2024.9.3/Chart.yaml new file mode 100644 index 000000000..aaa8bd3bb --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.9.3/Chart.yaml @@ -0,0 +1,29 @@ +annotations: + catalog.cattle.io/auto-install: linkerd-crds + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Linkerd Control Plane + catalog.cattle.io/featured: "5" + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: linkerd-control-plane +apiVersion: v2 +appVersion: edge-24.9.3 +dependencies: +- name: partials + repository: file://./charts/partials + version: 0.1.0 +description: 'Linkerd gives you observability, reliability, and security for your + microservices — with no code change required. ' +home: https://linkerd.io +icon: file://assets/icons/linkerd-control-plane.png +keywords: +- service-mesh +kubeVersion: '>=1.22.0-0' +maintainers: +- email: cncf-linkerd-dev@lists.cncf.io + name: Linkerd authors + url: https://linkerd.io/ +name: linkerd-control-plane +sources: +- https://github.com/linkerd/linkerd2/ +type: application +version: 2024.9.3 diff --git a/charts/linkerd/linkerd-control-plane/2024.9.3/README.md b/charts/linkerd/linkerd-control-plane/2024.9.3/README.md new file mode 100644 index 000000000..a284fbcf8 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.9.3/README.md @@ -0,0 +1,321 @@ +# linkerd-control-plane + +Linkerd gives you observability, reliability, and security +for your microservices — with no code change required. + +![Version: 2024.9.3](https://img.shields.io/badge/Version-2024.9.3-informational?style=flat-square) +![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![AppVersion: edge-XX.X.X](https://img.shields.io/badge/AppVersion-edge--XX.X.X-informational?style=flat-square) + +**Homepage:** + +## Quickstart and documentation + +You can run Linkerd on any Kubernetes cluster in a matter of seconds. See the +[Linkerd Getting Started Guide][getting-started] for how. + +For more comprehensive documentation, start with the [Linkerd +docs][linkerd-docs]. + +## Prerequisite: linkerd-crds chart + +Before installing this chart, please install the `linkerd-crds` chart, which +creates all the CRDs that the components from the current chart require. + +## Prerequisite: identity certificates + +The identity component of Linkerd requires setting up a trust anchor +certificate, and an issuer certificate with its key. These need to be provided +to Helm by the user (unlike when using the `linkerd install` CLI which can +generate these automatically). You can provide your own, or follow [these +instructions](https://linkerd.io/2/tasks/generate-certificates/) to generate new +ones. + +Alternatively, both trust anchor and identity issuer certificates may be +derived from in-cluster resources. Existing CA (trust anchor) certificates +**must** live in a `ConfigMap` resource named `linkerd-identity-trust-roots`. +Issuer certificates **must** live in a `Secret` named +`linkerd-identity-issuer`. Both resources should exist in the control-plane's +install namespace. In order to use an existing CA, Linkerd needs to be +installed with `identity.externalCA=true`. To use an existing issuer +certificate, Linkerd should be installed with +`identity.issuer.scheme=kubernetes.io/tls`. + +A more comprehensive description is in the [automatic certificate rotation +guide](https://linkerd.io/2.12/tasks/automatically-rotating-control-plane-tls-credentials/#a-note-on-third-party-cert-management-solutions). + +Note that the provided certificates must be ECDSA certificates. + +## Adding Linkerd's Helm repository + +Included here for completeness-sake, but should have already been added when +`linkerd-base` was installed. + +```bash +# To add the repo for Linkerd edge releases: +helm repo add linkerd https://helm.linkerd.io/edge +``` + +## Installing the chart + +You must provide the certificates and keys described in the preceding section, +and the same expiration date you used to generate the Issuer certificate. + +```bash +helm install linkerd-control-plane -n linkerd \ + --set-file identityTrustAnchorsPEM=ca.crt \ + --set-file identity.issuer.tls.crtPEM=issuer.crt \ + --set-file identity.issuer.tls.keyPEM=issuer.key \ + linkerd/linkerd-control-plane +``` + +Note that you require to install this chart in the same namespace you installed +the `linkerd-base` chart. + +## Setting High-Availability + +Besides the default `values.yaml` file, the chart provides a `values-ha.yaml` +file that overrides some default values as to set things up under a +high-availability scenario, analogous to the `--ha` option in `linkerd install`. +Values such as higher number of replicas, higher memory/cpu limits and +affinities are specified in that file. + +You can get ahold of `values-ha.yaml` by fetching the chart files: + +```bash +helm fetch --untar linkerd/linkerd-control-plane +``` + +Then use the `-f` flag to provide the override file, for example: + +```bash +helm install linkerd-control-plane -n linkerd \ + --set-file identityTrustAnchorsPEM=ca.crt \ + --set-file identity.issuer.tls.crtPEM=issuer.crt \ + --set-file identity.issuer.tls.keyPEM=issuer.key \ + -f linkerd2/values-ha.yaml + linkerd/linkerd-control-plane +``` + +## Get involved + +* Check out Linkerd's source code at [GitHub][linkerd2]. +* Join Linkerd's [user mailing list][linkerd-users], [developer mailing + list][linkerd-dev], and [announcements mailing list][linkerd-announce]. +* Follow [@linkerd][twitter] on Twitter. +* Join the [Linkerd Slack][slack]. + +[getting-started]: https://linkerd.io/2/getting-started/ +[linkerd2]: https://github.com/linkerd/linkerd2 +[linkerd-announce]: https://lists.cncf.io/g/cncf-linkerd-announce +[linkerd-dev]: https://lists.cncf.io/g/cncf-linkerd-dev +[linkerd-docs]: https://linkerd.io/2/overview/ +[linkerd-users]: https://lists.cncf.io/g/cncf-linkerd-users +[slack]: http://slack.linkerd.io +[twitter]: https://twitter.com/linkerd + +## Extensions for Linkerd + +The current chart installs the core Linkerd components, which grant you +reliability and security features. Other functionality is available through +extensions. Check the corresponding docs for each one of the following +extensions: + +* Observability: + [Linkerd-viz](https://github.com/linkerd/linkerd2/blob/main/viz/charts/linkerd-viz/README.md) +* Multicluster: + [Linkerd-multicluster](https://github.com/linkerd/linkerd2/blob/main/multicluster/charts/linkerd-multicluster/README.md) +* Tracing: + [Linkerd-jaeger](https://github.com/linkerd/linkerd2/blob/main/jaeger/charts/linkerd-jaeger/README.md) + +## Requirements + +Kubernetes: `>=1.22.0-0` + +| Repository | Name | Version | +|------------|------|---------| +| file://../partials | partials | 0.1.0 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| clusterDomain | string | `"cluster.local"` | Kubernetes DNS Domain name to use | +| clusterNetworks | string | `"10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"` | The cluster networks for which service discovery is performed. This should include the pod and service networks, but need not include the node network. By default, all IPv4 private networks and all accepted IPv6 ULAs are specified so that resolution works in typical Kubernetes environments. | +| cniEnabled | bool | `false` | enabling this omits the NET_ADMIN capability in the PSP and the proxy-init container when injecting the proxy; requires the linkerd-cni plugin to already be installed | +| commonLabels | object | `{}` | Labels to apply to all resources | +| controlPlaneTracing | bool | `false` | enables control plane tracing | +| controlPlaneTracingNamespace | string | `"linkerd-jaeger"` | namespace to send control plane traces to | +| controller.podDisruptionBudget | object | `{"maxUnavailable":1}` | sets pod disruption budget parameter for all deployments | +| controller.podDisruptionBudget.maxUnavailable | int | `1` | Maximum number of pods that can be unavailable during disruption | +| controllerGID | int | `-1` | Optional customisation of the group ID for the control plane components (the group ID will be omitted if lower than 0) | +| controllerImage | string | `"cr.l5d.io/linkerd/controller"` | Docker image for the destination and identity components | +| controllerImageVersion | string | `""` | Optionally allow a specific container image Tag (or SHA) to be specified for the controllerImage. | +| controllerLogFormat | string | `"plain"` | Log format for the control plane components | +| controllerLogLevel | string | `"info"` | Log level for the control plane components | +| controllerReplicas | int | `1` | Number of replicas for each control plane pod | +| controllerUID | int | `2103` | User ID for the control plane components | +| debugContainer.image.name | string | `"cr.l5d.io/linkerd/debug"` | Docker image for the debug container | +| debugContainer.image.pullPolicy | string | imagePullPolicy | Pull policy for the debug container image | +| debugContainer.image.version | string | linkerdVersion | Tag for the debug container image | +| deploymentStrategy | object | `{"rollingUpdate":{"maxSurge":"25%","maxUnavailable":"25%"}}` | default kubernetes deployment strategy | +| destinationController.livenessProbe.timeoutSeconds | int | `1` | | +| destinationController.meshedHttp2ClientProtobuf.keep_alive.interval.seconds | int | `10` | | +| destinationController.meshedHttp2ClientProtobuf.keep_alive.timeout.seconds | int | `3` | | +| destinationController.meshedHttp2ClientProtobuf.keep_alive.while_idle | bool | `true` | | +| destinationController.readinessProbe.timeoutSeconds | int | `1` | | +| disableHeartBeat | bool | `false` | Set to true to not start the heartbeat cronjob | +| disableIPv6 | bool | `true` | disables routing IPv6 traffic in addition to IPv4 traffic through the proxy (IPv6 routing only available as of proxy-init v2.3.0 and linkerd-cni v1.4.0) | +| enableEndpointSlices | bool | `true` | enables the use of EndpointSlice informers for the destination service; enableEndpointSlices should be set to true only if EndpointSlice K8s feature gate is on | +| enableH2Upgrade | bool | `true` | Allow proxies to perform transparent HTTP/2 upgrading | +| enablePSP | bool | `false` | Add a PSP resource and bind it to the control plane ServiceAccounts. Note PSP has been deprecated since k8s v1.21 | +| enablePodAntiAffinity | bool | `false` | enables pod anti affinity creation on deployments for high availability | +| enablePodDisruptionBudget | bool | `false` | enables the creation of pod disruption budgets for control plane components | +| enablePprof | bool | `false` | enables the use of pprof endpoints on control plane component's admin servers | +| identity.externalCA | bool | `false` | If the linkerd-identity-trust-roots ConfigMap has already been created | +| identity.issuer.clockSkewAllowance | string | `"20s"` | Amount of time to allow for clock skew within a Linkerd cluster | +| identity.issuer.issuanceLifetime | string | `"24h0m0s"` | Amount of time for which the Identity issuer should certify identity | +| identity.issuer.scheme | string | `"linkerd.io/tls"` | | +| identity.issuer.tls | object | `{"crtPEM":"","keyPEM":""}` | Which scheme is used for the identity issuer secret format | +| identity.issuer.tls.crtPEM | string | `""` | Issuer certificate (ECDSA). It must be provided during install. | +| identity.issuer.tls.keyPEM | string | `""` | Key for the issuer certificate (ECDSA). It must be provided during install | +| identity.kubeAPI.clientBurst | int | `200` | Burst value over clientQPS | +| identity.kubeAPI.clientQPS | int | `100` | Maximum QPS sent to the kube-apiserver before throttling. See [token bucket rate limiter implementation](https://github.com/kubernetes/client-go/blob/v12.0.0/util/flowcontrol/throttle.go) | +| identity.livenessProbe.timeoutSeconds | int | `1` | | +| identity.readinessProbe.timeoutSeconds | int | `1` | | +| identity.serviceAccountTokenProjection | bool | `true` | Use [Service Account token Volume projection](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection) for pod validation instead of the default token | +| identityTrustAnchorsPEM | string | `""` | Trust root certificate (ECDSA). It must be provided during install. | +| identityTrustDomain | string | clusterDomain | Trust domain used for identity | +| imagePullPolicy | string | `"IfNotPresent"` | Docker image pull policy | +| imagePullSecrets | list | `[]` | For Private docker registries, authentication is needed. Registry secrets are applied to the respective service accounts | +| kubeAPI.clientBurst | int | `200` | Burst value over clientQPS | +| kubeAPI.clientQPS | int | `100` | Maximum QPS sent to the kube-apiserver before throttling. See [token bucket rate limiter implementation](https://github.com/kubernetes/client-go/blob/v12.0.0/util/flowcontrol/throttle.go) | +| linkerdVersion | string | `"linkerdVersionValue"` | control plane version. See Proxy section for proxy version | +| networkValidator.connectAddr | string | `""` | Address to which the network-validator will attempt to connect. This should be an IP that the cluster is expected to be able to reach but a port it should not, e.g., a public IP for public clusters and a private IP for air-gapped clusters with a port like 20001. If empty, defaults to 1.1.1.1:20001 and [fd00::1]:20001 for IPv4 and IPv6 respectively. | +| networkValidator.enableSecurityContext | bool | `true` | Include a securityContext in the network-validator pod spec | +| networkValidator.listenAddr | string | `""` | Address to which network-validator listens to requests from itself. If empty, defaults to 0.0.0.0:4140 and [::]:4140 for IPv4 and IPv6 respectively. | +| networkValidator.logFormat | string | plain | Log format (`plain` or `json`) for network-validator | +| networkValidator.logLevel | string | debug | Log level for the network-validator | +| networkValidator.timeout | string | `"10s"` | Timeout before network-validator fails to validate the pod's network connectivity | +| nodeSelector | object | `{"kubernetes.io/os":"linux"}` | NodeSelector section, See the [K8S documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) for more information | +| podAnnotations | object | `{}` | Additional annotations to add to all pods | +| podLabels | object | `{}` | Additional labels to add to all pods | +| podMonitor.controller.enabled | bool | `true` | Enables the creation of PodMonitor for the control-plane | +| podMonitor.controller.namespaceSelector | string | `"matchNames:\n - {{ .Release.Namespace }}\n - linkerd-viz\n - linkerd-jaeger\n"` | Selector to select which namespaces the Endpoints objects are discovered from | +| podMonitor.enabled | bool | `false` | Enables the creation of Prometheus Operator [PodMonitor](https://prometheus-operator.dev/docs/operator/api/#monitoring.coreos.com/v1.PodMonitor) | +| podMonitor.labels | object | `{}` | Labels to apply to all pod Monitors | +| podMonitor.proxy.enabled | bool | `true` | Enables the creation of PodMonitor for the data-plane | +| podMonitor.scrapeInterval | string | `"10s"` | Interval at which metrics should be scraped | +| podMonitor.scrapeTimeout | string | `"10s"` | Iimeout after which the scrape is ended | +| podMonitor.serviceMirror.enabled | bool | `true` | Enables the creation of PodMonitor for the Service Mirror component | +| policyController.image.name | string | `"cr.l5d.io/linkerd/policy-controller"` | Docker image for the policy controller | +| policyController.image.pullPolicy | string | imagePullPolicy | Pull policy for the policy controller container image | +| policyController.image.version | string | linkerdVersion | Tag for the policy controller container image | +| policyController.livenessProbe.timeoutSeconds | int | `1` | | +| policyController.logLevel | string | `"info"` | Log level for the policy controller | +| policyController.probeNetworks | list | `["0.0.0.0/0","::/0"]` | The networks from which probes are performed. By default, all networks are allowed so that all probes are authorized. | +| policyController.readinessProbe.timeoutSeconds | int | `1` | | +| policyController.resources | object | `{"cpu":{"limit":"","request":""},"ephemeral-storage":{"limit":"","request":""},"memory":{"limit":"","request":""}}` | policy controller resource requests & limits | +| policyController.resources.cpu.limit | string | `""` | Maximum amount of CPU units that the policy controller can use | +| policyController.resources.cpu.request | string | `""` | Amount of CPU units that the policy controller requests | +| policyController.resources.ephemeral-storage.limit | string | `""` | Maximum amount of ephemeral storage that the policy controller can use | +| policyController.resources.ephemeral-storage.request | string | `""` | Amount of ephemeral storage that the policy controller requests | +| policyController.resources.memory.limit | string | `""` | Maximum amount of memory that the policy controller can use | +| policyController.resources.memory.request | string | `""` | Maximum amount of memory that the policy controller requests | +| policyValidator.caBundle | string | `""` | Bundle of CA certificates for proxy injector. If not provided nor injected with cert-manager, then Helm will use the certificate generated for `policyValidator.crtPEM`. If `policyValidator.externalSecret` is set to true, this value, injectCaFrom, or injectCaFromSecret must be set, as no certificate will be generated. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector) for more information. | +| policyValidator.crtPEM | string | `""` | Certificate for the policy validator. If not provided and not using an external secret then Helm will generate one. | +| policyValidator.externalSecret | bool | `false` | Do not create a secret resource for the policyValidator webhook. If this is set to `true`, the value `policyValidator.caBundle` must be set or the ca bundle must injected with cert-manager ca injector using `policyValidator.injectCaFrom` or `policyValidator.injectCaFromSecret` (see below). | +| policyValidator.injectCaFrom | string | `""` | Inject the CA bundle from a cert-manager Certificate. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-certificate-resource) for more information. | +| policyValidator.injectCaFromSecret | string | `""` | Inject the CA bundle from a Secret. If set, the `cert-manager.io/inject-ca-from-secret` annotation will be added to the webhook. The Secret must have the CA Bundle stored in the `ca.crt` key and have the `cert-manager.io/allow-direct-injection` annotation set to `true`. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-secret-resource) for more information. | +| policyValidator.keyPEM | string | `""` | Certificate key for the policy validator. If not provided and not using an external secret then Helm will generate one. | +| policyValidator.namespaceSelector | object | `{"matchExpressions":[{"key":"config.linkerd.io/admission-webhooks","operator":"NotIn","values":["disabled"]}]}` | Namespace selector used by admission webhook | +| priorityClassName | string | `""` | Kubernetes priorityClassName for the Linkerd Pods | +| profileValidator.caBundle | string | `""` | Bundle of CA certificates for proxy injector. If not provided nor injected with cert-manager, then Helm will use the certificate generated for `profileValidator.crtPEM`. If `profileValidator.externalSecret` is set to true, this value, injectCaFrom, or injectCaFromSecret must be set, as no certificate will be generated. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector) for more information. | +| profileValidator.crtPEM | string | `""` | Certificate for the service profile validator. If not provided and not using an external secret then Helm will generate one. | +| profileValidator.externalSecret | bool | `false` | Do not create a secret resource for the profileValidator webhook. If this is set to `true`, the value `proxyInjector.caBundle` must be set or the ca bundle must injected with cert-manager ca injector using `proxyInjector.injectCaFrom` or `proxyInjector.injectCaFromSecret` (see below). | +| profileValidator.injectCaFrom | string | `""` | Inject the CA bundle from a cert-manager Certificate. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-certificate-resource) for more information. | +| profileValidator.injectCaFromSecret | string | `""` | Inject the CA bundle from a Secret. If set, the `cert-manager.io/inject-ca-from-secret` annotation will be added to the webhook. The Secret must have the CA Bundle stored in the `ca.crt` key and have the `cert-manager.io/allow-direct-injection` annotation set to `true`. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-secret-resource) for more information. | +| profileValidator.keyPEM | string | `""` | Certificate key for the service profile validator. If not provided and not using an external secret then Helm will generate one. | +| profileValidator.namespaceSelector | object | `{"matchExpressions":[{"key":"config.linkerd.io/admission-webhooks","operator":"NotIn","values":["disabled"]}]}` | Namespace selector used by admission webhook | +| prometheusUrl | string | `""` | url of external prometheus instance (used for the heartbeat) | +| proxy.await | bool | `true` | If set, the application container will not start until the proxy is ready | +| proxy.control.streams.idleTimeout | string | `"5m"` | The timeout between consecutive updates from the control plane. | +| proxy.control.streams.initialTimeout | string | `"3s"` | The timeout for the first update from the control plane. | +| proxy.control.streams.lifetime | string | `"1h"` | The maximum duration for a response stream (i.e. before it will be reinitialized). | +| proxy.cores | int | `0` | The `cpu.limit` and `cores` should be kept in sync. The value of `cores` must be an integer and should typically be set by rounding up from the limit. E.g. if cpu.limit is '1500m', cores should be 2. | +| proxy.defaultInboundPolicy | string | "all-unauthenticated" | The default allow policy to use when no `Server` selects a pod. One of: "all-authenticated", "all-unauthenticated", "cluster-authenticated", "cluster-unauthenticated", "deny", "audit" | +| proxy.disableInboundProtocolDetectTimeout | bool | `false` | When set to true, disables the protocol detection timeout on the inbound side of the proxy by setting it to a very high value | +| proxy.disableOutboundProtocolDetectTimeout | bool | `false` | When set to true, disables the protocol detection timeout on the outbound side of the proxy by setting it to a very high value | +| proxy.enableExternalProfiles | bool | `false` | Enable service profiles for non-Kubernetes services | +| proxy.enableShutdownEndpoint | bool | `false` | Enables the proxy's /shutdown admin endpoint | +| proxy.gid | int | `-1` | Optional customisation of the group id under which the proxy runs (the group ID will be omitted if lower than 0) | +| proxy.image.name | string | `"cr.l5d.io/linkerd/proxy"` | Docker image for the proxy | +| proxy.image.pullPolicy | string | imagePullPolicy | Pull policy for the proxy container image | +| proxy.image.version | string | linkerdVersion | Tag for the proxy container image | +| proxy.inbound.server.http2.keepAliveInterval | string | `"10s"` | The interval at which PINGs are issued to remote HTTP/2 clients. | +| proxy.inbound.server.http2.keepAliveTimeout | string | `"3s"` | The timeout within which keep-alive PINGs must be acknowledged on inbound HTTP/2 connections. | +| proxy.inboundConnectTimeout | string | `"100ms"` | Maximum time allowed for the proxy to establish an inbound TCP connection | +| proxy.inboundDiscoveryCacheUnusedTimeout | string | `"90s"` | Maximum time allowed before an unused inbound discovery result is evicted from the cache | +| proxy.livenessProbe | object | `{"initialDelaySeconds":10,"timeoutSeconds":1}` | LivenessProbe timeout and delay configuration | +| proxy.logFormat | string | `"plain"` | Log format (`plain` or `json`) for the proxy | +| proxy.logHTTPHeaders | `off` or `insecure` | `"off"` | If set to `off`, will prevent the proxy from logging HTTP headers. If set to `insecure`, HTTP headers may be logged verbatim. Note that setting this to `insecure` is not alone sufficient to log HTTP headers; the proxy logLevel must also be set to debug. | +| proxy.logLevel | string | `"warn,linkerd=info,hickory=error"` | Log level for the proxy | +| proxy.nativeSidecar | bool | `false` | Enable KEP-753 native sidecars This is an experimental feature. It requires Kubernetes >= 1.29. If enabled, .proxy.waitBeforeExitSeconds should not be used. | +| proxy.opaquePorts | string | `"25,587,3306,4444,5432,6379,9300,11211"` | Default set of opaque ports - SMTP (25,587) server-first - MYSQL (3306) server-first - Galera (4444) server-first - PostgreSQL (5432) server-first - Redis (6379) server-first - ElasticSearch (9300) server-first - Memcached (11211) clients do not issue any preamble, which breaks detection | +| proxy.outbound.server.http2.keepAliveInterval | string | `"10s"` | The interval at which PINGs are issued to local application HTTP/2 clients. | +| proxy.outbound.server.http2.keepAliveTimeout | string | `"3s"` | The timeout within which keep-alive PINGs must be acknowledged on outbound HTTP/2 connections. | +| proxy.outboundConnectTimeout | string | `"1000ms"` | Maximum time allowed for the proxy to establish an outbound TCP connection | +| proxy.outboundDiscoveryCacheUnusedTimeout | string | `"5s"` | Maximum time allowed before an unused outbound discovery result is evicted from the cache | +| proxy.ports.admin | int | `4191` | Admin port for the proxy container | +| proxy.ports.control | int | `4190` | Control port for the proxy container | +| proxy.ports.inbound | int | `4143` | Inbound port for the proxy container | +| proxy.ports.outbound | int | `4140` | Outbound port for the proxy container | +| proxy.readinessProbe | object | `{"initialDelaySeconds":2,"timeoutSeconds":1}` | ReadinessProbe timeout and delay configuration | +| proxy.requireIdentityOnInboundPorts | string | `""` | | +| proxy.resources.cpu.limit | string | `""` | Maximum amount of CPU units that the proxy can use | +| proxy.resources.cpu.request | string | `""` | Amount of CPU units that the proxy requests | +| proxy.resources.ephemeral-storage.limit | string | `""` | Maximum amount of ephemeral storage that the proxy can use | +| proxy.resources.ephemeral-storage.request | string | `""` | Amount of ephemeral storage that the proxy requests | +| proxy.resources.memory.limit | string | `""` | Maximum amount of memory that the proxy can use | +| proxy.resources.memory.request | string | `""` | Maximum amount of memory that the proxy requests | +| proxy.shutdownGracePeriod | string | `""` | Grace period for graceful proxy shutdowns. If this timeout elapses before all open connections have completed, the proxy will terminate forcefully, closing any remaining connections. | +| proxy.startupProbe.failureThreshold | int | `120` | | +| proxy.startupProbe.initialDelaySeconds | int | `0` | | +| proxy.startupProbe.periodSeconds | int | `1` | | +| proxy.uid | int | `2102` | User id under which the proxy runs | +| proxy.waitBeforeExitSeconds | int | `0` | If set the injected proxy sidecars in the data plane will stay alive for at least the given period before receiving the SIGTERM signal from Kubernetes but no longer than the pod's `terminationGracePeriodSeconds`. See [Lifecycle hooks](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks) for more info on container lifecycle hooks. | +| proxyInit.closeWaitTimeoutSecs | int | `0` | | +| proxyInit.ignoreInboundPorts | string | `"4567,4568"` | Default set of inbound ports to skip via iptables - Galera (4567,4568) | +| proxyInit.ignoreOutboundPorts | string | `"4567,4568"` | Default set of outbound ports to skip via iptables - Galera (4567,4568) | +| proxyInit.image.name | string | `"cr.l5d.io/linkerd/proxy-init"` | Docker image for the proxy-init container | +| proxyInit.image.pullPolicy | string | imagePullPolicy | Pull policy for the proxy-init container image | +| proxyInit.image.version | string | `"v2.4.1"` | Tag for the proxy-init container image | +| proxyInit.iptablesMode | string | `"legacy"` | Variant of iptables that will be used to configure routing. Currently, proxy-init can be run either in 'nft' or in 'legacy' mode. The mode will control which utility binary will be called. The host must support whichever mode will be used | +| proxyInit.kubeAPIServerPorts | string | `"443,6443"` | Default set of ports to skip via iptables for control plane components so they can communicate with the Kubernetes API Server | +| proxyInit.logFormat | string | plain | Log format (`plain` or `json`) for the proxy-init | +| proxyInit.logLevel | string | info | Log level for the proxy-init | +| proxyInit.privileged | bool | false | Privileged mode allows the container processes to inherit all security capabilities and bypass any security limitations enforced by the kubelet. When used with 'runAsRoot: true', the container will behave exactly as if it was running as root on the host. May escape cgroup limits and see other processes and devices on the host. | +| proxyInit.runAsGroup | int | `65534` | This value is used only if runAsRoot is false; otherwise runAsGroup will be 0 | +| proxyInit.runAsRoot | bool | `false` | Allow overriding the runAsNonRoot behaviour () | +| proxyInit.runAsUser | int | `65534` | This value is used only if runAsRoot is false; otherwise runAsUser will be 0 | +| proxyInit.skipSubnets | string | `""` | Comma-separated list of subnets in valid CIDR format that should be skipped by the proxy | +| proxyInit.xtMountPath.mountPath | string | `"/run"` | | +| proxyInit.xtMountPath.name | string | `"linkerd-proxy-init-xtables-lock"` | | +| proxyInjector.caBundle | string | `""` | Bundle of CA certificates for proxy injector. If not provided nor injected with cert-manager, then Helm will use the certificate generated for `proxyInjector.crtPEM`. If `proxyInjector.externalSecret` is set to true, this value, injectCaFrom, or injectCaFromSecret must be set, as no certificate will be generated. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector) for more information. | +| proxyInjector.crtPEM | string | `""` | Certificate for the proxy injector. If not provided and not using an external secret then Helm will generate one. | +| proxyInjector.externalSecret | bool | `false` | Do not create a secret resource for the proxyInjector webhook. If this is set to `true`, the value `proxyInjector.caBundle` must be set or the ca bundle must injected with cert-manager ca injector using `proxyInjector.injectCaFrom` or `proxyInjector.injectCaFromSecret` (see below). | +| proxyInjector.injectCaFrom | string | `""` | Inject the CA bundle from a cert-manager Certificate. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-certificate-resource) for more information. | +| proxyInjector.injectCaFromSecret | string | `""` | Inject the CA bundle from a Secret. If set, the `cert-manager.io/inject-ca-from-secret` annotation will be added to the webhook. The Secret must have the CA Bundle stored in the `ca.crt` key and have the `cert-manager.io/allow-direct-injection` annotation set to `true`. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-secret-resource) for more information. | +| proxyInjector.keyPEM | string | `""` | Certificate key for the proxy injector. If not provided and not using an external secret then Helm will generate one. | +| proxyInjector.livenessProbe.timeoutSeconds | int | `1` | | +| proxyInjector.namespaceSelector | object | `{"matchExpressions":[{"key":"config.linkerd.io/admission-webhooks","operator":"NotIn","values":["disabled"]},{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kube-system","cert-manager"]}]}` | Namespace selector used by admission webhook. | +| proxyInjector.objectSelector | object | `{"matchExpressions":[{"key":"linkerd.io/control-plane-component","operator":"DoesNotExist"},{"key":"linkerd.io/cni-resource","operator":"DoesNotExist"}]}` | Object selector used by admission webhook. | +| proxyInjector.readinessProbe.timeoutSeconds | int | `1` | | +| proxyInjector.timeoutSeconds | int | `10` | Timeout in seconds before the API Server cancels a request to the proxy injector. If timeout is exceeded, the webhookfailurePolicy is used. | +| revisionHistoryLimit | int | `10` | Specifies the number of old ReplicaSets to retain to allow rollback. | +| runtimeClassName | string | `""` | Runtime Class Name for all the pods | +| spValidator | object | `{"livenessProbe":{"timeoutSeconds":1},"readinessProbe":{"timeoutSeconds":1}}` | SP validator configuration | +| webhookFailurePolicy | string | `"Ignore"` | Failure policy for the proxy injector | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) diff --git a/charts/linkerd/linkerd-control-plane/2024.9.3/README.md.gotmpl b/charts/linkerd/linkerd-control-plane/2024.9.3/README.md.gotmpl new file mode 100644 index 000000000..19da2a82d --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.9.3/README.md.gotmpl @@ -0,0 +1,133 @@ +{{ template "chart.header" . }} +{{ template "chart.description" . }} + +{{ template "chart.versionBadge" . }} +{{ template "chart.typeBadge" . }} +{{ template "chart.appVersionBadge" . }} + +{{ template "chart.homepageLine" . }} + +## Quickstart and documentation + +You can run Linkerd on any Kubernetes cluster in a matter of seconds. See the +[Linkerd Getting Started Guide][getting-started] for how. + +For more comprehensive documentation, start with the [Linkerd +docs][linkerd-docs]. + +## Prerequisite: linkerd-crds chart + +Before installing this chart, please install the `linkerd-crds` chart, which +creates all the CRDs that the components from the current chart require. + +## Prerequisite: identity certificates + +The identity component of Linkerd requires setting up a trust anchor +certificate, and an issuer certificate with its key. These need to be provided +to Helm by the user (unlike when using the `linkerd install` CLI which can +generate these automatically). You can provide your own, or follow [these +instructions](https://linkerd.io/2/tasks/generate-certificates/) to generate new +ones. + +Alternatively, both trust anchor and identity issuer certificates may be +derived from in-cluster resources. Existing CA (trust anchor) certificates +**must** live in a `ConfigMap` resource named `linkerd-identity-trust-roots`. +Issuer certificates **must** live in a `Secret` named +`linkerd-identity-issuer`. Both resources should exist in the control-plane's +install namespace. In order to use an existing CA, Linkerd needs to be +installed with `identity.externalCA=true`. To use an existing issuer +certificate, Linkerd should be installed with +`identity.issuer.scheme=kubernetes.io/tls`. + +A more comprehensive description is in the [automatic certificate rotation +guide](https://linkerd.io/2.12/tasks/automatically-rotating-control-plane-tls-credentials/#a-note-on-third-party-cert-management-solutions). + +Note that the provided certificates must be ECDSA certificates. + +## Adding Linkerd's Helm repository + +Included here for completeness-sake, but should have already been added when +`linkerd-base` was installed. + +```bash +# To add the repo for Linkerd edge releases: +helm repo add linkerd https://helm.linkerd.io/edge +``` + +## Installing the chart + +You must provide the certificates and keys described in the preceding section, +and the same expiration date you used to generate the Issuer certificate. + +```bash +helm install linkerd-control-plane -n linkerd \ + --set-file identityTrustAnchorsPEM=ca.crt \ + --set-file identity.issuer.tls.crtPEM=issuer.crt \ + --set-file identity.issuer.tls.keyPEM=issuer.key \ + linkerd/linkerd-control-plane +``` + +Note that you require to install this chart in the same namespace you installed +the `linkerd-base` chart. + +## Setting High-Availability + +Besides the default `values.yaml` file, the chart provides a `values-ha.yaml` +file that overrides some default values as to set things up under a +high-availability scenario, analogous to the `--ha` option in `linkerd install`. +Values such as higher number of replicas, higher memory/cpu limits and +affinities are specified in that file. + +You can get ahold of `values-ha.yaml` by fetching the chart files: + +```bash +helm fetch --untar linkerd/linkerd-control-plane +``` + +Then use the `-f` flag to provide the override file, for example: + +```bash +helm install linkerd-control-plane -n linkerd \ + --set-file identityTrustAnchorsPEM=ca.crt \ + --set-file identity.issuer.tls.crtPEM=issuer.crt \ + --set-file identity.issuer.tls.keyPEM=issuer.key \ + -f linkerd2/values-ha.yaml + linkerd/linkerd-control-plane +``` + +## Get involved + +* Check out Linkerd's source code at [GitHub][linkerd2]. +* Join Linkerd's [user mailing list][linkerd-users], [developer mailing + list][linkerd-dev], and [announcements mailing list][linkerd-announce]. +* Follow [@linkerd][twitter] on Twitter. +* Join the [Linkerd Slack][slack]. + +[getting-started]: https://linkerd.io/2/getting-started/ +[linkerd2]: https://github.com/linkerd/linkerd2 +[linkerd-announce]: https://lists.cncf.io/g/cncf-linkerd-announce +[linkerd-dev]: https://lists.cncf.io/g/cncf-linkerd-dev +[linkerd-docs]: https://linkerd.io/2/overview/ +[linkerd-users]: https://lists.cncf.io/g/cncf-linkerd-users +[slack]: http://slack.linkerd.io +[twitter]: https://twitter.com/linkerd + +## Extensions for Linkerd + +The current chart installs the core Linkerd components, which grant you +reliability and security features. Other functionality is available through +extensions. Check the corresponding docs for each one of the following +extensions: + +* Observability: + [Linkerd-viz](https://github.com/linkerd/linkerd2/blob/main/viz/charts/linkerd-viz/README.md) +* Multicluster: + [Linkerd-multicluster](https://github.com/linkerd/linkerd2/blob/main/multicluster/charts/linkerd-multicluster/README.md) +* Tracing: + [Linkerd-jaeger](https://github.com/linkerd/linkerd2/blob/main/jaeger/charts/linkerd-jaeger/README.md) + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +{{ template "helm-docs.versionFooter" . }} diff --git a/charts/linkerd/linkerd-control-plane/2024.9.3/app-readme.md b/charts/linkerd/linkerd-control-plane/2024.9.3/app-readme.md new file mode 100644 index 000000000..351eac5f0 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.9.3/app-readme.md @@ -0,0 +1,14 @@ +# Linkerd 2 Chart + +Linkerd is an ultra light, ultra simple, ultra powerful service mesh. Linkerd +adds security, observability, and reliability to Kubernetes, without the +complexity. + +This particular Helm chart only installs the control plane core. You will also need to install the +linkerd-crds chart. This chart should be automatically installed along with any other dependencies. +If it is not installed as a dependency, install it first. + +To gain access to the observability features, please install the linkerd-viz chart. +Other extensions are available (multicluster, jaeger) under the linkerd Helm repo. + +Full documentation available at: https://linkerd.io/2/overview/ diff --git a/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/.helmignore b/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/.helmignore new file mode 100644 index 000000000..f0c131944 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/Chart.yaml b/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/Chart.yaml new file mode 100644 index 000000000..23cfc167e --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/Chart.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +description: 'A Helm chart containing Linkerd partial templates, depended by the ''linkerd'' + and ''patch'' charts. ' +name: partials +version: 0.1.0 diff --git a/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/README.md b/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/README.md new file mode 100644 index 000000000..10805c9b9 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/README.md @@ -0,0 +1,9 @@ +# partials + +A Helm chart containing Linkerd partial templates, +depended by the 'linkerd' and 'patch' charts. + +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) diff --git a/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/README.md.gotmpl b/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/README.md.gotmpl new file mode 100644 index 000000000..37f510106 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/README.md.gotmpl @@ -0,0 +1,14 @@ +{{ template "chart.header" . }} +{{ template "chart.description" . }} + +{{ template "chart.versionBadge" . }} +{{ template "chart.typeBadge" . }} +{{ template "chart.appVersionBadge" . }} + +{{ template "chart.homepageLine" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +{{ template "helm-docs.versionFooter" . }} diff --git a/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/NOTES.txt b/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/NOTES.txt new file mode 100644 index 000000000..e69de29bb diff --git a/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_affinity.tpl b/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_affinity.tpl new file mode 100644 index 000000000..5dde1da47 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_affinity.tpl @@ -0,0 +1,38 @@ +{{ define "linkerd.pod-affinity" -}} +podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: {{ default "linkerd.io/control-plane-component" .label }} + operator: In + values: + - {{ .component }} + topologyKey: topology.kubernetes.io/zone + weight: 100 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: {{ default "linkerd.io/control-plane-component" .label }} + operator: In + values: + - {{ .component }} + topologyKey: kubernetes.io/hostname +{{- end }} + +{{ define "linkerd.node-affinity" -}} +nodeAffinity: +{{- toYaml .Values.nodeAffinity | trim | nindent 2 }} +{{- end }} + +{{ define "linkerd.affinity" -}} +{{- if or .Values.enablePodAntiAffinity .Values.nodeAffinity -}} +affinity: +{{- end }} +{{- if .Values.enablePodAntiAffinity -}} +{{- include "linkerd.pod-affinity" . | nindent 2 }} +{{- end }} +{{- if .Values.nodeAffinity -}} +{{- include "linkerd.node-affinity" . | nindent 2 }} +{{- end }} +{{- end }} diff --git a/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_capabilities.tpl b/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_capabilities.tpl new file mode 100644 index 000000000..a595d74c1 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_capabilities.tpl @@ -0,0 +1,16 @@ +{{- define "partials.proxy.capabilities" -}} +capabilities: + {{- if .Values.proxy.capabilities.add }} + add: + {{- toYaml .Values.proxy.capabilities.add | trim | nindent 4 }} + {{- end }} + {{- if .Values.proxy.capabilities.drop }} + drop: + {{- toYaml .Values.proxy.capabilities.drop | trim | nindent 4 }} + {{- end }} +{{- end -}} + +{{- define "partials.proxy-init.capabilities.drop" -}} +drop: +{{ toYaml .Values.proxyInit.capabilities.drop | trim }} +{{- end -}} diff --git a/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_debug.tpl b/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_debug.tpl new file mode 100644 index 000000000..4df8cc77b --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_debug.tpl @@ -0,0 +1,15 @@ +{{- define "partials.debug" -}} +image: {{.Values.debugContainer.image.name}}:{{.Values.debugContainer.image.version | default .Values.linkerdVersion}} +imagePullPolicy: {{.Values.debugContainer.image.pullPolicy | default .Values.imagePullPolicy}} +name: linkerd-debug +terminationMessagePolicy: FallbackToLogsOnError +# some environments require probes, so we provide some infallible ones +livenessProbe: + exec: + command: + - "true" +readinessProbe: + exec: + command: + - "true" +{{- end -}} diff --git a/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_helpers.tpl b/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_helpers.tpl new file mode 100644 index 000000000..b6cdc34d0 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_helpers.tpl @@ -0,0 +1,14 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Splits a coma separated list into a list of string values. +For example "11,22,55,44" will become "11","22","55","44" +*/}} +{{- define "partials.splitStringList" -}} +{{- if gt (len (toString .)) 0 -}} +{{- $ports := toString . | splitList "," -}} +{{- $last := sub (len $ports) 1 -}} +{{- range $i,$port := $ports -}} +"{{$port}}"{{ternary "," "" (ne $i $last)}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_metadata.tpl b/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_metadata.tpl new file mode 100644 index 000000000..04d2f1bea --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_metadata.tpl @@ -0,0 +1,17 @@ +{{- define "partials.annotations.created-by" -}} +linkerd.io/created-by: {{ .Values.cliVersion | default (printf "linkerd/helm %s" ( (.Values.image).version | default .Values.linkerdVersion)) }} +{{- end -}} + +{{- define "partials.proxy.annotations" -}} +linkerd.io/proxy-version: {{.Values.proxy.image.version | default .Values.linkerdVersion}} +cluster-autoscaler.kubernetes.io/safe-to-evict: "true" +linkerd.io/trust-root-sha256: {{ .Values.identityTrustAnchorsPEM | sha256sum }} +{{- end -}} + +{{/* +To add labels to the control-plane components, instead update at individual component manifests as +adding here would also update `spec.selector.matchLabels` which are immutable and would fail upgrades. +*/}} +{{- define "partials.proxy.labels" -}} +linkerd.io/proxy-{{.workloadKind}}: {{.component}} +{{- end -}} diff --git a/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_network-validator.tpl b/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_network-validator.tpl new file mode 100644 index 000000000..276056395 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_network-validator.tpl @@ -0,0 +1,45 @@ +{{- define "partials.network-validator" -}} +name: linkerd-network-validator +image: {{.Values.proxy.image.name}}:{{.Values.proxy.image.version | default .Values.linkerdVersion }} +imagePullPolicy: {{.Values.proxy.image.pullPolicy | default .Values.imagePullPolicy}} +{{ include "partials.resources" .Values.proxy.resources }} +{{- if or .Values.networkValidator.enableSecurityContext }} +securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault +{{- end }} +command: + - /usr/lib/linkerd/linkerd2-network-validator +args: + - --log-format + - {{ .Values.networkValidator.logFormat }} + - --log-level + - {{ .Values.networkValidator.logLevel }} + - --connect-addr + {{- if .Values.networkValidator.connectAddr }} + - {{ .Values.networkValidator.connectAddr | quote }} + {{- else if .Values.disableIPv6}} + - "1.1.1.1:20001" + {{- else }} + - "[fd00::1]:20001" + {{- end }} + - --listen-addr + {{- if .Values.networkValidator.listenAddr }} + - {{ .Values.networkValidator.listenAddr | quote }} + {{- else if .Values.disableIPv6}} + - "0.0.0.0:4140" + {{- else }} + - "[::]:4140" + {{- end }} + - --timeout + - {{ .Values.networkValidator.timeout }} + +{{- end -}} diff --git a/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_nodeselector.tpl b/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_nodeselector.tpl new file mode 100644 index 000000000..4cde0ab16 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_nodeselector.tpl @@ -0,0 +1,4 @@ +{{- define "linkerd.node-selector" -}} +nodeSelector: +{{- toYaml .Values.nodeSelector | trim | nindent 2 }} +{{- end -}} diff --git a/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_proxy-config-ann.tpl b/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_proxy-config-ann.tpl new file mode 100644 index 000000000..9651b3bd1 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_proxy-config-ann.tpl @@ -0,0 +1,18 @@ +{{- define "partials.proxy.config.annotations" -}} +{{- with .cpu }} +{{- with .request -}} +config.linkerd.io/proxy-cpu-request: {{. | quote}} +{{end}} +{{- with .limit -}} +config.linkerd.io/proxy-cpu-limit: {{. | quote}} +{{- end}} +{{- end}} +{{- with .memory }} +{{- with .request }} +config.linkerd.io/proxy-memory-request: {{. | quote}} +{{end}} +{{- with .limit -}} +config.linkerd.io/proxy-memory-limit: {{. | quote}} +{{- end}} +{{- end }} +{{- end }} diff --git a/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_proxy-init.tpl b/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_proxy-init.tpl new file mode 100644 index 000000000..a307b1407 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_proxy-init.tpl @@ -0,0 +1,98 @@ +{{- define "partials.proxy-init" -}} +args: +{{- if (.Values.proxyInit.iptablesMode | default "legacy" | eq "nft") }} +- --firewall-bin-path +- "iptables-nft" +- --firewall-save-bin-path +- "iptables-nft-save" +{{- else if not (eq .Values.proxyInit.iptablesMode "legacy") }} +{{ fail (printf "Unsupported value \"%s\" for proxyInit.iptablesMode\nValid values: [\"nft\", \"legacy\"]" .Values.proxyInit.iptablesMode) }} +{{end -}} +{{- if .Values.disableIPv6 }} +- --ipv6=false +{{- end }} +- --incoming-proxy-port +- {{.Values.proxy.ports.inbound | quote}} +- --outgoing-proxy-port +- {{.Values.proxy.ports.outbound | quote}} +- --proxy-uid +- {{.Values.proxy.uid | quote}} +{{- if ge (int .Values.proxy.gid) 0 }} +- --proxy-gid +- {{.Values.proxy.gid | quote}} +{{- end }} +- --inbound-ports-to-ignore +- "{{.Values.proxy.ports.control}},{{.Values.proxy.ports.admin}}{{ternary (printf ",%s" (.Values.proxyInit.ignoreInboundPorts | toString)) "" (not (empty .Values.proxyInit.ignoreInboundPorts)) }}" +{{- if .Values.proxyInit.ignoreOutboundPorts }} +- --outbound-ports-to-ignore +- {{.Values.proxyInit.ignoreOutboundPorts | quote}} +{{- end }} +{{- if .Values.proxyInit.closeWaitTimeoutSecs }} +- --timeout-close-wait-secs +- {{ .Values.proxyInit.closeWaitTimeoutSecs | quote}} +{{- end }} +{{- if .Values.proxyInit.logFormat }} +- --log-format +- {{ .Values.proxyInit.logFormat }} +{{- end }} +{{- if .Values.proxyInit.logLevel }} +- --log-level +- {{ .Values.proxyInit.logLevel }} +{{- end }} +{{- if .Values.proxyInit.skipSubnets }} +- --subnets-to-ignore +- {{ .Values.proxyInit.skipSubnets | quote }} +{{- end }} +image: {{.Values.proxyInit.image.name}}:{{.Values.proxyInit.image.version}} +imagePullPolicy: {{.Values.proxyInit.image.pullPolicy | default .Values.imagePullPolicy}} +name: linkerd-init +{{ include "partials.resources" .Values.proxy.resources }} +securityContext: + {{- if or .Values.proxyInit.closeWaitTimeoutSecs .Values.proxyInit.privileged }} + allowPrivilegeEscalation: true + {{- else }} + allowPrivilegeEscalation: false + {{- end }} + capabilities: + add: + - NET_ADMIN + - NET_RAW + {{- if .Values.proxyInit.capabilities -}} + {{- if .Values.proxyInit.capabilities.add }} + {{- toYaml .Values.proxyInit.capabilities.add | trim | nindent 4 }} + {{- end }} + {{- if .Values.proxyInit.capabilities.drop -}} + {{- include "partials.proxy-init.capabilities.drop" . | nindent 4 -}} + {{- end }} + {{- end }} + {{- if or .Values.proxyInit.closeWaitTimeoutSecs .Values.proxyInit.privileged }} + privileged: true + {{- else }} + privileged: false + {{- end }} + {{- if .Values.proxyInit.runAsRoot }} + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{- else }} + runAsNonRoot: true + runAsUser: {{ .Values.proxyInit.runAsUser | int | eq 0 | ternary 65534 .Values.proxyInit.runAsUser }} + runAsGroup: {{ .Values.proxyInit.runAsGroup | int | eq 0 | ternary 65534 .Values.proxyInit.runAsGroup }} + {{- end }} + readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault +terminationMessagePolicy: FallbackToLogsOnError +{{- if or (not .Values.cniEnabled) .Values.proxyInit.saMountPath }} +volumeMounts: +{{- end -}} +{{- if not .Values.cniEnabled }} +- mountPath: {{.Values.proxyInit.xtMountPath.mountPath}} + name: {{.Values.proxyInit.xtMountPath.name}} +{{- end -}} +{{- if .Values.proxyInit.saMountPath }} +- mountPath: {{.Values.proxyInit.saMountPath.mountPath}} + name: {{.Values.proxyInit.saMountPath.name}} + readOnly: {{.Values.proxyInit.saMountPath.readOnly}} +{{- end -}} +{{- end -}} diff --git a/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_proxy.tpl b/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_proxy.tpl new file mode 100644 index 000000000..7880b394c --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_proxy.tpl @@ -0,0 +1,267 @@ +{{ define "partials.proxy" -}} +{{ if and .Values.proxy.nativeSidecar .Values.proxy.waitBeforeExitSeconds }} +{{ fail "proxy.nativeSidecar and waitBeforeExitSeconds cannot be used simultaneously" }} +{{- end }} +{{- if not (has .Values.proxy.logHTTPHeaders (list "insecure" "off" "")) }} +{{- fail "logHTTPHeaders must be one of: insecure | off" }} +{{- end }} +{{- $trustDomain := (.Values.identityTrustDomain | default .Values.clusterDomain) -}} +env: +- name: _pod_name + valueFrom: + fieldRef: + fieldPath: metadata.name +- name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace +- name: _pod_nodeName + valueFrom: + fieldRef: + fieldPath: spec.nodeName +{{- if .Values.proxy.cores }} +- name: LINKERD2_PROXY_CORES + value: {{.Values.proxy.cores | quote}} +{{- end }} +{{ if .Values.proxy.requireIdentityOnInboundPorts -}} +- name: LINKERD2_PROXY_INBOUND_PORTS_REQUIRE_IDENTITY + value: {{.Values.proxy.requireIdentityOnInboundPorts | quote}} +{{ end -}} +{{ if .Values.proxy.requireTLSOnInboundPorts -}} +- name: LINKERD2_PROXY_INBOUND_PORTS_REQUIRE_TLS + value: {{.Values.proxy.requireTLSOnInboundPorts | quote}} +{{ end -}} +- name: LINKERD2_PROXY_SHUTDOWN_ENDPOINT_ENABLED + value: {{.Values.proxy.enableShutdownEndpoint | quote}} +- name: LINKERD2_PROXY_LOG + value: "{{.Values.proxy.logLevel}}{{ if not (eq .Values.proxy.logHTTPHeaders "insecure") }},[{headers}]=off,[{request}]=off{{ end }}" +- name: LINKERD2_PROXY_LOG_FORMAT + value: {{.Values.proxy.logFormat | quote}} +- name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: {{ternary "localhost.:8086" (printf "linkerd-dst-headless.%s.svc.%s.:8086" .Release.Namespace .Values.clusterDomain) (eq (toString .Values.proxy.component) "linkerd-destination")}} +- name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS + value: {{.Values.clusterNetworks | quote}} +- name: LINKERD2_PROXY_POLICY_SVC_ADDR + value: {{ternary "localhost.:8090" (printf "linkerd-policy.%s.svc.%s.:8090" .Release.Namespace .Values.clusterDomain) (eq (toString .Values.proxy.component) "linkerd-destination")}} +- name: LINKERD2_PROXY_POLICY_WORKLOAD + value: | + {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"} +- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY + value: {{.Values.proxy.defaultInboundPolicy}} +- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS + value: {{.Values.clusterNetworks | quote}} +- name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT + value: {{((.Values.proxy.control).streams).initialTimeout | default "" | quote}} +- name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT + value: {{((.Values.proxy.control).streams).idleTimeout | default "" | quote}} +- name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME + value: {{((.Values.proxy.control).streams).lifetime | default "" | quote}} +{{ if .Values.proxy.inboundConnectTimeout -}} +- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT + value: {{.Values.proxy.inboundConnectTimeout | quote}} +{{ end -}} +{{ if .Values.proxy.outboundConnectTimeout -}} +- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT + value: {{.Values.proxy.outboundConnectTimeout | quote}} +{{ end -}} +{{ if .Values.proxy.outboundDiscoveryCacheUnusedTimeout -}} +- name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT + value: {{.Values.proxy.outboundDiscoveryCacheUnusedTimeout | quote}} +{{ end -}} +{{ if .Values.proxy.inboundDiscoveryCacheUnusedTimeout -}} +- name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT + value: {{.Values.proxy.inboundDiscoveryCacheUnusedTimeout | quote}} +{{ end -}} +{{ if .Values.proxy.disableOutboundProtocolDetectTimeout -}} +- name: LINKERD2_PROXY_OUTBOUND_DETECT_TIMEOUT + value: "365d" +{{ end -}} +{{ if .Values.proxy.disableInboundProtocolDetectTimeout -}} +- name: LINKERD2_PROXY_INBOUND_DETECT_TIMEOUT + value: "365d" +{{ end -}} +- name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: "{{ if .Values.disableIPv6 }}0.0.0.0{{ else }}[::]{{ end }}:{{.Values.proxy.ports.control}}" +- name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: "{{ if .Values.disableIPv6 }}0.0.0.0{{ else }}[::]{{ end }}:{{.Values.proxy.ports.admin}}" +{{- /* Deprecated, superseded by LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS since proxy's v2.228.0 (deployed since edge-24.4.5) */}} +- name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: "127.0.0.1:{{.Values.proxy.ports.outbound}}" +- name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS + value: "127.0.0.1:{{.Values.proxy.ports.outbound}}{{ if not .Values.disableIPv6}},[::1]:{{.Values.proxy.ports.outbound}}{{ end }}" +- name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: "{{ if .Values.disableIPv6 }}0.0.0.0{{ else }}[::]{{ end }}:{{.Values.proxy.ports.inbound}}" +- name: LINKERD2_PROXY_INBOUND_IPS + valueFrom: + fieldRef: + fieldPath: status.podIPs +- name: LINKERD2_PROXY_INBOUND_PORTS + value: {{ .Values.proxy.podInboundPorts | quote }} +{{ if .Values.proxy.isGateway -}} +- name: LINKERD2_PROXY_INBOUND_GATEWAY_SUFFIXES + value: {{printf "svc.%s." .Values.clusterDomain}} +{{ end -}} +{{ if .Values.proxy.isIngress -}} +- name: LINKERD2_PROXY_INGRESS_MODE + value: "true" +{{ end -}} +- name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + {{- $internalDomain := printf "svc.%s." .Values.clusterDomain }} + value: {{ternary "." $internalDomain .Values.proxy.enableExternalProfiles}} +- name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms +- name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms +{{- /* Configure inbound and outbound parameters, e.g. for HTTP/2 servers. */}} +{{ range $proxyK, $proxyV := (dict "inbound" .Values.proxy.inbound "outbound" .Values.proxy.outbound) -}} +{{ range $scopeK, $scopeV := $proxyV -}} +{{ range $protoK, $protoV := $scopeV -}} +{{ range $paramK, $paramV := $protoV -}} +- name: LINKERD2_PROXY_{{snakecase $proxyK | upper}}_{{snakecase $scopeK | upper}}_{{snakecase $protoK | upper}}_{{snakecase $paramK | upper}} + value: {{ quote $paramV }} +{{ end -}} +{{ end -}} +{{ end -}} +{{ end -}} +{{ if .Values.proxy.opaquePorts -}} +- name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION + value: {{.Values.proxy.opaquePorts | quote}} +{{ end -}} +- name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: | + {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"} +- name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName +- name: _l5d_ns + value: {{.Release.Namespace}} +- name: _l5d_trustdomain + value: {{$trustDomain}} +- name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity +- name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS +{{- /* +Pods in the `linkerd` namespace are not injected by the proxy injector and instead obtain +the trust anchor bundle from the `linkerd-identity-trust-roots` configmap. This should not +be used in other contexts. +*/}} +{{- if .Values.proxy.loadTrustBundleFromConfigMap }} + valueFrom: + configMapKeyRef: + name: linkerd-identity-trust-roots + key: ca-bundle.crt +{{ else }} + value: | + {{- required "Please provide the identity trust anchors" .Values.identityTrustAnchorsPEM | trim | nindent 4 }} +{{ end -}} +- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE +{{- if .Values.identity.serviceAccountTokenProjection }} + value: /var/run/secrets/tokens/linkerd-identity-token +{{ else }} + value: /var/run/secrets/kubernetes.io/serviceaccount/token +{{ end -}} +- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: {{ternary "localhost.:8080" (printf "linkerd-identity-headless.%s.svc.%s.:8080" .Release.Namespace .Values.clusterDomain) (eq (toString .Values.proxy.component) "linkerd-identity")}} +- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.{{.Release.Namespace}}.{{$trustDomain}} +- name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.{{.Release.Namespace}}.serviceaccount.identity.{{.Release.Namespace}}.{{$trustDomain}} +- name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-destination.{{.Release.Namespace}}.serviceaccount.identity.{{.Release.Namespace}}.{{$trustDomain}} +- name: LINKERD2_PROXY_POLICY_SVC_NAME + value: linkerd-destination.{{.Release.Namespace}}.serviceaccount.identity.{{.Release.Namespace}}.{{$trustDomain}} +{{ if .Values.proxy.accessLog -}} +- name: LINKERD2_PROXY_ACCESS_LOG + value: {{.Values.proxy.accessLog | quote}} +{{ end -}} +{{ if .Values.proxy.shutdownGracePeriod -}} +- name: LINKERD2_PROXY_SHUTDOWN_GRACE_PERIOD + value: {{.Values.proxy.shutdownGracePeriod | quote}} +{{ end -}} +{{ if .Values.proxy.additionalEnv -}} +{{ toYaml .Values.proxy.additionalEnv }} +{{ end -}} +{{ if .Values.proxy.experimentalEnv -}} +{{ toYaml .Values.proxy.experimentalEnv }} +{{ end -}} +image: {{.Values.proxy.image.name}}:{{.Values.proxy.image.version | default .Values.linkerdVersion}} +imagePullPolicy: {{.Values.proxy.image.pullPolicy | default .Values.imagePullPolicy}} +livenessProbe: + httpGet: + path: /live + port: {{.Values.proxy.ports.admin}} + initialDelaySeconds: {{.Values.proxy.livenessProbe.initialDelaySeconds }} + timeoutSeconds: {{.Values.proxy.livenessProbe.timeoutSeconds }} +name: linkerd-proxy +ports: +- containerPort: {{.Values.proxy.ports.inbound}} + name: linkerd-proxy +- containerPort: {{.Values.proxy.ports.admin}} + name: linkerd-admin +readinessProbe: + httpGet: + path: /ready + port: {{.Values.proxy.ports.admin}} + initialDelaySeconds: {{.Values.proxy.readinessProbe.initialDelaySeconds }} + timeoutSeconds: {{.Values.proxy.readinessProbe.timeoutSeconds }} +{{- if and .Values.proxy.nativeSidecar .Values.proxy.await }} +startupProbe: + httpGet: + path: /ready + port: {{.Values.proxy.ports.admin}} + initialDelaySeconds: {{.Values.proxy.startupProbe.initialDelaySeconds}} + periodSeconds: {{.Values.proxy.startupProbe.periodSeconds}} + failureThreshold: {{.Values.proxy.startupProbe.failureThreshold}} +{{- end }} +{{- if .Values.proxy.resources }} +{{ include "partials.resources" .Values.proxy.resources }} +{{- end }} +securityContext: + allowPrivilegeEscalation: false + {{- if .Values.proxy.capabilities -}} + {{- include "partials.proxy.capabilities" . | nindent 2 -}} + {{- end }} + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: {{.Values.proxy.uid}} +{{- if ge (int .Values.proxy.gid) 0 }} + runAsGroup: {{.Values.proxy.gid}} +{{- end }} + seccompProfile: + type: RuntimeDefault +terminationMessagePolicy: FallbackToLogsOnError +{{- if and (not .Values.proxy.nativeSidecar) (or .Values.proxy.await .Values.proxy.waitBeforeExitSeconds) }} +lifecycle: +{{- if .Values.proxy.await }} + postStart: + exec: + command: + - /usr/lib/linkerd/linkerd-await + - --timeout=2m + - --port={{.Values.proxy.ports.admin}} +{{- end }} +{{- if .Values.proxy.waitBeforeExitSeconds }} + preStop: + exec: + command: + - /bin/sleep + - {{.Values.proxy.waitBeforeExitSeconds | quote}} +{{- end }} +{{- end }} +volumeMounts: +- mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity +{{- if .Values.identity.serviceAccountTokenProjection }} +- mountPath: /var/run/secrets/tokens + name: linkerd-identity-token +{{- end }} +{{- if .Values.proxy.saMountPath }} +- mountPath: {{.Values.proxy.saMountPath.mountPath}} + name: {{.Values.proxy.saMountPath.name}} + readOnly: {{.Values.proxy.saMountPath.readOnly}} +{{- end -}} +{{- if .Values.proxy.nativeSidecar }} +restartPolicy: Always +{{- end -}} +{{- end }} diff --git a/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_pull-secrets.tpl b/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_pull-secrets.tpl new file mode 100644 index 000000000..0c9aa4f01 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_pull-secrets.tpl @@ -0,0 +1,6 @@ +{{- define "partials.image-pull-secrets"}} +{{- if . }} +imagePullSecrets: +{{ toYaml . | indent 2 }} +{{- end }} +{{- end -}} diff --git a/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_resources.tpl b/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_resources.tpl new file mode 100644 index 000000000..1fd6789fd --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_resources.tpl @@ -0,0 +1,28 @@ +{{- define "partials.resources" -}} +{{- $ephemeralStorage := index . "ephemeral-storage" -}} +resources: + {{- if or (.cpu).limit (.memory).limit ($ephemeralStorage).limit }} + limits: + {{- with (.cpu).limit }} + cpu: {{. | quote}} + {{- end }} + {{- with (.memory).limit }} + memory: {{. | quote}} + {{- end }} + {{- with ($ephemeralStorage).limit }} + ephemeral-storage: {{. | quote}} + {{- end }} + {{- end }} + {{- if or (.cpu).request (.memory).request ($ephemeralStorage).request }} + requests: + {{- with (.cpu).request }} + cpu: {{. | quote}} + {{- end }} + {{- with (.memory).request }} + memory: {{. | quote}} + {{- end }} + {{- with ($ephemeralStorage).request }} + ephemeral-storage: {{. | quote}} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_tolerations.tpl b/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_tolerations.tpl new file mode 100644 index 000000000..c2292b146 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_tolerations.tpl @@ -0,0 +1,4 @@ +{{- define "linkerd.tolerations" -}} +tolerations: +{{ toYaml .Values.tolerations | trim | indent 2 }} +{{- end -}} diff --git a/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_trace.tpl b/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_trace.tpl new file mode 100644 index 000000000..dee059541 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_trace.tpl @@ -0,0 +1,5 @@ +{{ define "partials.linkerd.trace" -}} +{{ if .Values.controlPlaneTracing -}} +- -trace-collector=collector.{{.Values.controlPlaneTracingNamespace}}.svc.{{.Values.clusterDomain}}:55678 +{{ end -}} +{{- end }} diff --git a/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_validate.tpl b/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_validate.tpl new file mode 100644 index 000000000..ba772c2fe --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_validate.tpl @@ -0,0 +1,19 @@ +{{- define "linkerd.webhook.validation" -}} + +{{- if and (.injectCaFrom) (.injectCaFromSecret) -}} +{{- fail "injectCaFrom and injectCaFromSecret cannot both be set" -}} +{{- end -}} + +{{- if and (or (.injectCaFrom) (.injectCaFromSecret)) (.caBundle) -}} +{{- fail "injectCaFrom or injectCaFromSecret cannot be set if providing a caBundle" -}} +{{- end -}} + +{{- if and (.externalSecret) (empty .caBundle) (empty .injectCaFrom) (empty .injectCaFromSecret) -}} +{{- fail "if externalSecret is set, then caBundle, injectCaFrom, or injectCaFromSecret must be set" -}} +{{- end }} + +{{- if and (or .injectCaFrom .injectCaFromSecret .caBundle) (not .externalSecret) -}} +{{- fail "if caBundle, injectCaFrom, or injectCaFromSecret is set, then externalSecret must be set" -}} +{{- end -}} + +{{- end -}} diff --git a/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_volumes.tpl b/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_volumes.tpl new file mode 100644 index 000000000..9684cf240 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/templates/_volumes.tpl @@ -0,0 +1,20 @@ +{{ define "partials.proxy.volumes.identity" -}} +emptyDir: + medium: Memory +name: linkerd-identity-end-entity +{{- end -}} + +{{ define "partials.proxyInit.volumes.xtables" -}} +emptyDir: {} +name: {{ .Values.proxyInit.xtMountPath.name }} +{{- end -}} + +{{- define "partials.proxy.volumes.service-account-token" -}} +name: linkerd-identity-token +projected: + sources: + - serviceAccountToken: + path: linkerd-identity-token + expirationSeconds: 86400 {{- /* # 24 hours */}} + audience: identity.l5d.io +{{- end -}} diff --git a/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/values.yaml b/charts/linkerd/linkerd-control-plane/2024.9.3/charts/partials/values.yaml new file mode 100644 index 000000000..e69de29bb diff --git a/charts/linkerd/linkerd-control-plane/2024.9.3/questions.yaml b/charts/linkerd/linkerd-control-plane/2024.9.3/questions.yaml new file mode 100644 index 000000000..4ae27870a --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.9.3/questions.yaml @@ -0,0 +1,19 @@ +questions: +- variable: identityTrustAnchorsPEM + label: "Trust root certificate (ECDSA)" + description: "Root certificate used to support mTLS connections between meshed pods" + required: true + type: multiline + group: Identity +- variable: identity.issuer.tls.crtPEM + label: "Issuer certificate (ECDSA)" + description: "Intermediate certificate, rooted on identityTrustAnchorsPEM, used to sign the Linkerd proxies' CSR" + required: true + type: multiline + group: Identity +- variable: identity.issuer.tls.keyPEM + label: "Key for the issuer certificate (ECDSA)" + description: "Private key for the certificate entered on crtPEM" + required: true + type: multiline + group: Identity diff --git a/charts/linkerd/linkerd-control-plane/2024.9.3/templates/NOTES.txt b/charts/linkerd/linkerd-control-plane/2024.9.3/templates/NOTES.txt new file mode 100644 index 000000000..4bd1be9fc --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.9.3/templates/NOTES.txt @@ -0,0 +1,19 @@ +The Linkerd control plane was successfully installed 🎉 + +To help you manage your Linkerd service mesh you can install the Linkerd CLI by running: + + curl -sL https://run.linkerd.io/install | sh + +Alternatively, you can download the CLI directly via the Linkerd releases page: + + https://github.com/linkerd/linkerd2/releases/ + +To make sure everything works as expected, run the following: + + linkerd check + +The viz extension can be installed by running: + + helm install linkerd-viz linkerd/linkerd-viz + +Looking for more? Visit https://linkerd.io/2/getting-started/ diff --git a/charts/linkerd/linkerd-control-plane/2024.9.3/templates/config-rbac.yaml b/charts/linkerd/linkerd-control-plane/2024.9.3/templates/config-rbac.yaml new file mode 100644 index 000000000..5f5c34203 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.9.3/templates/config-rbac.yaml @@ -0,0 +1,16 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} + name: ext-namespace-metadata-linkerd-config + namespace: {{ .Release.Namespace }} +rules: +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["get"] + resourceNames: ["linkerd-config"] diff --git a/charts/linkerd/linkerd-control-plane/2024.9.3/templates/config.yaml b/charts/linkerd/linkerd-control-plane/2024.9.3/templates/config.yaml new file mode 100644 index 000000000..a9cea5f42 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.9.3/templates/config.yaml @@ -0,0 +1,39 @@ +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: linkerd-config + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: controller + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +data: + linkerd-crds-chart-version: linkerd-crds-1.0.0-edge + values: | + {{- $values := deepCopy .Values }} + {{- /* + WARNING! All sensitive or private data such as TLS keys must be removed + here to avoid it being publicly readable. + */ -}} + {{- if kindIs "map" $values.identity.issuer.tls -}} + {{- $_ := unset $values.identity.issuer.tls "keyPEM"}} + {{- end -}} + {{- if kindIs "map" $values.profileValidator -}} + {{- $_ := unset $values.profileValidator "keyPEM"}} + {{- end -}} + {{- if kindIs "map" $values.proxyInjector -}} + {{- $_ := unset $values.proxyInjector "keyPEM"}} + {{- end -}} + {{- if kindIs "map" $values.policyValidator -}} + {{- $_ := unset $values.policyValidator "keyPEM"}} + {{- end -}} + {{- if (empty $values.identityTrustDomain) -}} + {{- $_ := set $values "identityTrustDomain" $values.clusterDomain}} + {{- end -}} + {{- $_ := unset $values "partials"}} + {{- $_ := unset $values "configs"}} + {{- $_ := unset $values "stage"}} + {{- toYaml $values | trim | nindent 4 }} diff --git a/charts/linkerd/linkerd-control-plane/2024.9.3/templates/destination-rbac.yaml b/charts/linkerd/linkerd-control-plane/2024.9.3/templates/destination-rbac.yaml new file mode 100644 index 000000000..38488cd04 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.9.3/templates/destination-rbac.yaml @@ -0,0 +1,327 @@ +--- +### +### Destination Controller Service +### +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-{{.Release.Namespace}}-destination + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +rules: +- apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["list", "get", "watch"] +- apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["list", "get", "watch"] +- apiGroups: [""] + resources: ["pods", "endpoints", "services", "nodes"] + verbs: ["list", "get", "watch"] +- apiGroups: ["linkerd.io"] + resources: ["serviceprofiles"] + verbs: ["list", "get", "watch"] +- apiGroups: ["workload.linkerd.io"] + resources: ["externalworkloads"] + verbs: ["list", "get", "watch"] +- apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["create", "get", "update", "patch"] + {{- if .Values.enableEndpointSlices }} +- apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["list", "get", "watch", "create", "update", "patch", "delete"] + {{- end }} +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-{{.Release.Namespace}}-destination + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-{{.Release.Namespace}}-destination +subjects: +- kind: ServiceAccount + name: linkerd-destination + namespace: {{.Release.Namespace}} +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-destination + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +{{- include "partials.image-pull-secrets" .Values.imagePullSecrets }} +--- +{{- $host := printf "linkerd-sp-validator.%s.svc" .Release.Namespace }} +{{- $ca := genSelfSignedCert $host (list) (list $host) 365 }} +{{- if (not .Values.profileValidator.externalSecret) }} +kind: Secret +apiVersion: v1 +metadata: + name: linkerd-sp-validator-k8s-tls + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +type: kubernetes.io/tls +data: + tls.crt: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.profileValidator.crtPEM)) (empty .Values.profileValidator.crtPEM) }} + tls.key: {{ ternary (b64enc (trim $ca.Key)) (b64enc (trim .Values.profileValidator.keyPEM)) (empty .Values.profileValidator.keyPEM) }} +--- +{{- end }} +{{- include "linkerd.webhook.validation" .Values.profileValidator }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: linkerd-sp-validator-webhook-config + {{- if or (.Values.profileValidator.injectCaFrom) (.Values.profileValidator.injectCaFromSecret) }} + annotations: + {{- if .Values.profileValidator.injectCaFrom }} + cert-manager.io/inject-ca-from: {{ .Values.profileValidator.injectCaFrom }} + {{- end }} + {{- if .Values.profileValidator.injectCaFromSecret }} + cert-manager.io/inject-ca-from-secret: {{ .Values.profileValidator.injectCaFromSecret }} + {{- end }} + {{- end }} + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +webhooks: +- name: linkerd-sp-validator.linkerd.io + namespaceSelector: + {{- toYaml .Values.profileValidator.namespaceSelector | trim | nindent 4 }} + clientConfig: + service: + name: linkerd-sp-validator + namespace: {{ .Release.Namespace }} + path: "/" + {{- if and (empty .Values.profileValidator.injectCaFrom) (empty .Values.profileValidator.injectCaFromSecret) }} + caBundle: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.profileValidator.caBundle)) (empty .Values.profileValidator.caBundle) }} + {{- end }} + failurePolicy: {{.Values.webhookFailurePolicy}} + admissionReviewVersions: ["v1", "v1beta1"] + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["linkerd.io"] + apiVersions: ["v1alpha1", "v1alpha2"] + resources: ["serviceprofiles"] + sideEffects: None +--- +{{- $host := printf "linkerd-policy-validator.%s.svc" .Release.Namespace }} +{{- $ca := genSelfSignedCert $host (list) (list $host) 365 }} +{{- if (not .Values.policyValidator.externalSecret) }} +kind: Secret +apiVersion: v1 +metadata: + name: linkerd-policy-validator-k8s-tls + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +type: kubernetes.io/tls +data: + tls.crt: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.policyValidator.crtPEM)) (empty .Values.policyValidator.crtPEM) }} + tls.key: {{ ternary (b64enc (trim $ca.Key)) (b64enc (trim .Values.policyValidator.keyPEM)) (empty .Values.policyValidator.keyPEM) }} +--- +{{- end }} +{{- include "linkerd.webhook.validation" .Values.policyValidator }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: linkerd-policy-validator-webhook-config + {{- if or (.Values.policyValidator.injectCaFrom) (.Values.policyValidator.injectCaFromSecret) }} + annotations: + {{- if .Values.policyValidator.injectCaFrom }} + cert-manager.io/inject-ca-from: {{ .Values.policyValidator.injectCaFrom }} + {{- end }} + {{- if .Values.policyValidator.injectCaFromSecret }} + cert-manager.io/inject-ca-from-secret: {{ .Values.policyValidator.injectCaFromSecret }} + {{- end }} + {{- end }} + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +webhooks: +- name: linkerd-policy-validator.linkerd.io + namespaceSelector: + {{- toYaml .Values.policyValidator.namespaceSelector | trim | nindent 4 }} + clientConfig: + service: + name: linkerd-policy-validator + namespace: {{ .Release.Namespace }} + path: "/" + {{- if and (empty .Values.policyValidator.injectCaFrom) (empty .Values.policyValidator.injectCaFromSecret) }} + caBundle: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.policyValidator.caBundle)) (empty .Values.policyValidator.caBundle) }} + {{- end }} + failurePolicy: {{.Values.webhookFailurePolicy}} + admissionReviewVersions: ["v1", "v1beta1"] + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["policy.linkerd.io"] + apiVersions: ["*"] + resources: + - authorizationpolicies + - httproutes + - networkauthentications + - meshtlsauthentications + - serverauthorizations + - servers + - operations: ["CREATE", "UPDATE"] + apiGroups: ["gateway.networking.k8s.io"] + apiVersions: ["*"] + resources: + - httproutes + - grpcroutes + sideEffects: None +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: linkerd-policy + labels: + app.kubernetes.io/part-of: Linkerd + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch + - apiGroups: + - apps + resources: + - deployments + verbs: + - get + - apiGroups: + - policy.linkerd.io + resources: + - authorizationpolicies + - httproutes + - meshtlsauthentications + - networkauthentications + - servers + - serverauthorizations + verbs: + - get + - list + - watch + - apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes + - grpcroutes + verbs: + - get + - list + - watch + - apiGroups: + - policy.linkerd.io + resources: + - httproutes/status + verbs: + - patch + - apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes/status + - grpcroutes/status + verbs: + - patch + - apiGroups: + - workload.linkerd.io + resources: + - externalworkloads + verbs: + - get + - list + - watch + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: linkerd-destination-policy + labels: + app.kubernetes.io/part-of: Linkerd + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-policy +subjects: + - kind: ServiceAccount + name: linkerd-destination + namespace: {{.Release.Namespace}} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: remote-discovery + namespace: {{.Release.Namespace}} + labels: + app.kubernetes.io/part-of: Linkerd + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-destination-remote-discovery + namespace: {{.Release.Namespace}} + labels: + app.kubernetes.io/part-of: Linkerd + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: remote-discovery +subjects: + - kind: ServiceAccount + name: linkerd-destination + namespace: {{.Release.Namespace}} diff --git a/charts/linkerd/linkerd-control-plane/2024.9.3/templates/destination.yaml b/charts/linkerd/linkerd-control-plane/2024.9.3/templates/destination.yaml new file mode 100644 index 000000000..4be0d21ab --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.9.3/templates/destination.yaml @@ -0,0 +1,435 @@ +--- +### +### Destination Controller Service +### +kind: Service +apiVersion: v1 +metadata: + name: linkerd-dst + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: destination + ports: + - name: grpc + port: 8086 + targetPort: 8086 +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-dst-headless + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +spec: + clusterIP: None + selector: + linkerd.io/control-plane-component: destination + ports: + - name: grpc + port: 8086 + targetPort: 8086 +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-sp-validator + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: destination + ports: + - name: sp-validator + port: 443 + targetPort: sp-validator +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-policy + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +spec: + clusterIP: None + selector: + linkerd.io/control-plane-component: destination + ports: + - name: grpc + port: 8090 + targetPort: 8090 +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-policy-validator + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: destination + ports: + - name: policy-https + port: 443 + targetPort: policy-https +{{- if .Values.enablePodDisruptionBudget }} +--- +kind: PodDisruptionBudget +apiVersion: policy/v1 +metadata: + name: linkerd-dst + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +spec: + maxUnavailable: {{ .Values.controller.podDisruptionBudget.maxUnavailable }} + selector: + matchLabels: + linkerd.io/control-plane-component: destination +{{- end }} +--- +{{- $tree := deepCopy . }} +{{ $_ := set $tree.Values.proxy "workloadKind" "deployment" -}} +{{ $_ := set $tree.Values.proxy "component" "linkerd-destination" -}} +{{ $_ := set $tree.Values.proxy "waitBeforeExitSeconds" 0 -}} +{{- if not (empty .Values.destinationProxyResources) }} +{{- $c := dig "cores" .Values.proxy.cores .Values.destinationProxyResources }} +{{- $_ := set $tree.Values.proxy "cores" $c }} +{{- $r := merge .Values.destinationProxyResources .Values.proxy.resources }} +{{- $_ := set $tree.Values.proxy "resources" $r }} +{{- end }} +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + {{ include "partials.annotations.created-by" . }} + labels: + app.kubernetes.io/name: destination + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: {{.Values.linkerdVersion}} + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + name: linkerd-destination + namespace: {{ .Release.Namespace }} +spec: + replicas: {{.Values.controllerReplicas}} + revisionHistoryLimit: {{.Values.revisionHistoryLimit}} + selector: + matchLabels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- include "partials.proxy.labels" $tree.Values.proxy | nindent 6}} + {{- if .Values.deploymentStrategy }} + strategy: + {{- with .Values.deploymentStrategy }}{{ toYaml . | trim | nindent 4 }}{{- end }} + {{- end }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/destination-rbac.yaml") . | sha256sum }} + {{ include "partials.annotations.created-by" . }} + {{- include "partials.proxy.annotations" . | nindent 8}} + {{- with .Values.podAnnotations }}{{ toYaml . | trim | nindent 8 }}{{- end }} + config.linkerd.io/default-inbound-policy: "all-unauthenticated" + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + linkerd.io/workload-ns: {{.Release.Namespace}} + {{- include "partials.proxy.labels" $tree.Values.proxy | nindent 8}} + {{- with .Values.podLabels }}{{ toYaml . | trim | nindent 8 }}{{- end }} + spec: + {{- with .Values.runtimeClassName }} + runtimeClassName: {{ . | quote }} + {{- end }} + {{- if .Values.tolerations -}} + {{- include "linkerd.tolerations" . | nindent 6 }} + {{- end -}} + {{- include "linkerd.node-selector" . | nindent 6 }} + {{- $_ := set $tree "component" "destination" -}} + {{- include "linkerd.affinity" $tree | nindent 6 }} + containers: + {{- $_ := set $tree.Values.proxy "await" $tree.Values.proxy.await }} + {{- $_ := set $tree.Values.proxy "loadTrustBundleFromConfigMap" true }} + {{- $_ := set $tree.Values.proxy "podInboundPorts" "8086,8090,8443,9443,9990,9996,9997" }} + {{- $_ := set $tree.Values.proxy "outboundDiscoveryCacheUnusedTimeout" "5s" }} + {{- $_ := set $tree.Values.proxy "inboundDiscoveryCacheUnusedTimeout" "90s" }} + {{- /* + The pod needs to accept webhook traffic, and we can't rely on that originating in the + cluster network. + */}} + {{- $_ := set $tree.Values.proxy "defaultInboundPolicy" "all-unauthenticated" }} + {{- $_ := set $tree.Values.proxy "capabilities" (dict "drop" (list "ALL")) }} + {{- if not $tree.Values.proxy.nativeSidecar }} + - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }} + {{- end }} + - args: + - destination + - -addr=:8086 + - -controller-namespace={{.Release.Namespace}} + - -enable-h2-upgrade={{.Values.enableH2Upgrade}} + - -log-level={{.Values.controllerLogLevel}} + - -log-format={{.Values.controllerLogFormat}} + - -enable-endpoint-slices={{.Values.enableEndpointSlices}} + - -cluster-domain={{.Values.clusterDomain}} + - -identity-trust-domain={{.Values.identityTrustDomain | default .Values.clusterDomain}} + - -default-opaque-ports={{.Values.proxy.opaquePorts}} + - -enable-ipv6={{not .Values.disableIPv6}} + - -enable-pprof={{.Values.enablePprof | default false}} + {{- if (.Values.destinationController).meshedHttp2ClientProtobuf }} + - --meshed-http2-client-params={{ toJson .Values.destinationController.meshedHttp2ClientProtobuf }} + {{- end }} + {{- range (.Values.destinationController).additionalArgs }} + - {{ . }} + {{- end }} + {{- range (.Values.destinationController).experimentalArgs }} + - {{ . }} + {{- end }} + {{- if or (.Values.destinationController).additionalEnv (.Values.destinationController).experimentalEnv }} + env: + {{- with (.Values.destinationController).additionalEnv }} + {{- toYaml . | nindent 8 -}} + {{- end }} + {{- with (.Values.destinationController).experimentalEnv }} + {{- toYaml . | nindent 8 -}} + {{- end }} + {{- end }} + {{- include "partials.linkerd.trace" . | nindent 8 -}} + image: {{.Values.controllerImage}}:{{.Values.controllerImageVersion | default .Values.linkerdVersion}} + imagePullPolicy: {{.Values.imagePullPolicy}} + livenessProbe: + httpGet: + path: /ping + port: 9996 + initialDelaySeconds: 10 + {{- with (.Values.destinationController.livenessProbe).timeoutSeconds }} + timeoutSeconds: {{ . }} + {{- end }} + name: destination + ports: + - containerPort: 8086 + name: grpc + - containerPort: 9996 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9996 + {{- with (.Values.destinationController.readinessProbe).timeoutSeconds }} + timeoutSeconds: {{ . }} + {{- end }} + {{- if .Values.destinationResources -}} + {{- include "partials.resources" .Values.destinationResources | nindent 8 }} + {{- end }} + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: {{.Values.controllerUID}} + {{- if ge (int .Values.controllerGID) 0 }} + runAsGroup: {{.Values.controllerGID}} + {{- end }} + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + - args: + - sp-validator + - -log-level={{.Values.controllerLogLevel}} + - -log-format={{.Values.controllerLogFormat}} + - -enable-pprof={{.Values.enablePprof | default false}} + {{- if or (.Values.spValidator).additionalEnv (.Values.spValidator).experimentalEnv }} + env: + {{- with (.Values.spValidator).additionalEnv }} + {{- toYaml . | nindent 8 -}} + {{- end }} + {{- with (.Values.spValidator).experimentalEnv }} + {{- toYaml . | nindent 8 -}} + {{- end }} + {{- end }} + image: {{.Values.controllerImage}}:{{.Values.controllerImageVersion | default .Values.linkerdVersion}} + imagePullPolicy: {{.Values.imagePullPolicy}} + livenessProbe: + httpGet: + path: /ping + port: 9997 + initialDelaySeconds: 10 + {{- with ((.Values.spValidator).livenessProbe).timeoutSeconds }} + timeoutSeconds: {{ . }} + {{- end }} + name: sp-validator + ports: + - containerPort: 8443 + name: sp-validator + - containerPort: 9997 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9997 + {{- with ((.Values.spValidator).readinessProbe).timeoutSeconds }} + timeoutSeconds: {{ . }} + {{- end }} + {{- if .Values.spValidatorResources -}} + {{- include "partials.resources" .Values.spValidatorResources | nindent 8 }} + {{- end }} + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: {{.Values.controllerUID}} + {{- if ge (int .Values.controllerGID) 0 }} + runAsGroup: {{.Values.controllerGID}} + {{- end }} + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /var/run/linkerd/tls + name: sp-tls + readOnly: true + - args: + - --admin-addr={{ if .Values.disableIPv6 }}0.0.0.0{{ else }}[::]{{ end }}:9990 + - --control-plane-namespace={{.Release.Namespace}} + - --grpc-addr={{ if .Values.disableIPv6 }}0.0.0.0{{ else }}[::]{{ end }}:8090 + - --server-addr={{ if .Values.disableIPv6 }}0.0.0.0{{ else }}[::]{{ end }}:9443 + - --server-tls-key=/var/run/linkerd/tls/tls.key + - --server-tls-certs=/var/run/linkerd/tls/tls.crt + - --cluster-networks={{.Values.clusterNetworks}} + - --identity-domain={{.Values.identityTrustDomain | default .Values.clusterDomain}} + - --cluster-domain={{.Values.clusterDomain}} + - --default-policy={{.Values.proxy.defaultInboundPolicy}} + - --log-level={{.Values.policyController.logLevel | default "linkerd=info,warn"}} + - --log-format={{.Values.controllerLogFormat}} + - --default-opaque-ports={{.Values.proxy.opaquePorts}} + {{- if .Values.policyController.probeNetworks }} + - --probe-networks={{.Values.policyController.probeNetworks | join ","}} + {{- end}} + {{- range .Values.policyController.additionalArgs }} + - {{ . }} + {{- end }} + {{- range .Values.policyController.experimentalArgs }} + - {{ . }} + {{- end }} + image: {{.Values.policyController.image.name}}:{{.Values.policyController.image.version | default .Values.linkerdVersion}} + imagePullPolicy: {{.Values.policyController.image.pullPolicy | default .Values.imagePullPolicy}} + livenessProbe: + httpGet: + path: /live + port: admin-http + {{- with (.Values.policyController.livenessProbe).timeoutSeconds }} + timeoutSeconds: {{ . }} + {{- end }} + name: policy + ports: + - containerPort: 8090 + name: grpc + - containerPort: 9990 + name: admin-http + - containerPort: 9443 + name: policy-https + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: admin-http + initialDelaySeconds: 10 + {{- with (.Values.policyController.readinessProbe).timeoutSeconds }} + timeoutSeconds: {{ . }} + {{- end }} + {{- if .Values.policyController.resources }} + {{- include "partials.resources" .Values.policyController.resources | nindent 8 }} + {{- end }} + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: {{.Values.controllerUID}} + {{- if ge (int .Values.controllerGID) 0 }} + runAsGroup: {{.Values.controllerGID}} + {{- end }} + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /var/run/linkerd/tls + name: policy-tls + readOnly: true + initContainers: + {{ if .Values.cniEnabled -}} + - {{- include "partials.network-validator" $tree | indent 8 | trimPrefix (repeat 7 " ") }} + {{ else -}} + {{- /* + The destination controller needs to connect to the Kubernetes API before the proxy is able + to proxy requests, so we always skip these connections. + */}} + {{- $_ := set $tree.Values.proxyInit "ignoreOutboundPorts" .Values.proxyInit.kubeAPIServerPorts -}} + - {{- include "partials.proxy-init" $tree | indent 8 | trimPrefix (repeat 7 " ") }} + {{ end -}} + {{- if $tree.Values.proxy.nativeSidecar }} + {{- $_ := set $tree.Values.proxy "startupProbeInitialDelaySeconds" 35 }} + {{- $_ := set $tree.Values.proxy "startupProbePeriodSeconds" 5 }} + {{- $_ := set $tree.Values.proxy "startupProbeFailureThreshold" 20 }} + - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }} + {{ end -}} + {{- if .Values.priorityClassName -}} + priorityClassName: {{ .Values.priorityClassName }} + {{ end -}} + securityContext: + seccompProfile: + type: RuntimeDefault + serviceAccountName: linkerd-destination + volumes: + - name: sp-tls + secret: + secretName: linkerd-sp-validator-k8s-tls + - name: policy-tls + secret: + secretName: linkerd-policy-validator-k8s-tls + {{ if not .Values.cniEnabled -}} + - {{- include "partials.proxyInit.volumes.xtables" . | indent 8 | trimPrefix (repeat 7 " ") }} + {{ end -}} + {{if .Values.identity.serviceAccountTokenProjection -}} + - {{- include "partials.proxy.volumes.service-account-token" . | indent 8 | trimPrefix (repeat 7 " ") }} + {{ end -}} + - {{- include "partials.proxy.volumes.identity" . | indent 8 | trimPrefix (repeat 7 " ") }} diff --git a/charts/linkerd/linkerd-control-plane/2024.9.3/templates/heartbeat-rbac.yaml b/charts/linkerd/linkerd-control-plane/2024.9.3/templates/heartbeat-rbac.yaml new file mode 100644 index 000000000..7b127543f --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.9.3/templates/heartbeat-rbac.yaml @@ -0,0 +1,78 @@ +{{ if not .Values.disableHeartBeat -}} +--- +### +### Heartbeat RBAC +### +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: linkerd-heartbeat + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +rules: +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["get"] + resourceNames: ["linkerd-config"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-heartbeat + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +roleRef: + kind: Role + name: linkerd-heartbeat + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: linkerd-heartbeat + namespace: {{.Release.Namespace}} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: linkerd-heartbeat + labels: + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +rules: +- apiGroups: [""] + resources: ["namespaces"] + verbs: ["list"] +- apiGroups: ["linkerd.io"] + resources: ["serviceprofiles"] + verbs: ["list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: linkerd-heartbeat + labels: + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +roleRef: + kind: ClusterRole + name: linkerd-heartbeat + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: linkerd-heartbeat + namespace: {{.Release.Namespace}} +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-heartbeat + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: heartbeat + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +{{- include "partials.image-pull-secrets" .Values.imagePullSecrets }} +{{- end }} diff --git a/charts/linkerd/linkerd-control-plane/2024.9.3/templates/heartbeat.yaml b/charts/linkerd/linkerd-control-plane/2024.9.3/templates/heartbeat.yaml new file mode 100644 index 000000000..956537623 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.9.3/templates/heartbeat.yaml @@ -0,0 +1,94 @@ +{{ if not .Values.disableHeartBeat -}} +--- +### +### Heartbeat +### +apiVersion: batch/v1 +kind: CronJob +metadata: + name: linkerd-heartbeat + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: heartbeat + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: {{.Values.linkerdVersion}} + linkerd.io/control-plane-component: heartbeat + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +spec: + concurrencyPolicy: Replace + {{ if .Values.heartbeatSchedule -}} + schedule: "{{.Values.heartbeatSchedule}}" + {{ else -}} + schedule: "{{ dateInZone "04 15 * * *" (now | mustDateModify "+10m") "UTC"}}" + {{ end -}} + successfulJobsHistoryLimit: 0 + jobTemplate: + spec: + template: + metadata: + labels: + linkerd.io/control-plane-component: heartbeat + linkerd.io/workload-ns: {{.Release.Namespace}} + {{- with .Values.podLabels }}{{ toYaml . | trim | nindent 12 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} + {{- with .Values.podAnnotations }}{{ toYaml . | trim | nindent 12 }}{{- end }} + spec: + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} + {{- end -}} + {{- with .Values.runtimeClassName }} + runtimeClassName: {{ . | quote }} + {{- end }} + {{- if .Values.tolerations -}} + {{- include "linkerd.tolerations" . | nindent 10 }} + {{- end -}} + {{- include "linkerd.node-selector" . | nindent 10 }} + securityContext: + seccompProfile: + type: RuntimeDefault + serviceAccountName: linkerd-heartbeat + restartPolicy: Never + containers: + - name: heartbeat + image: {{.Values.controllerImage}}:{{.Values.controllerImageVersion | default .Values.linkerdVersion}} + imagePullPolicy: {{.Values.imagePullPolicy}} + env: + - name: LINKERD_DISABLED + value: "the heartbeat controller does not use the proxy" + {{- with (.Values.heartbeat).additionalEnv }} + {{- toYaml . | nindent 12 -}} + {{- end }} + {{- with (.Values.heartbeat).experimentalEnv }} + {{- toYaml . | nindent 12 -}} + {{- end }} + args: + - "heartbeat" + - "-controller-namespace={{.Release.Namespace}}" + - "-log-level={{.Values.controllerLogLevel}}" + - "-log-format={{.Values.controllerLogFormat}}" + {{- if .Values.prometheusUrl }} + - "-prometheus-url={{.Values.prometheusUrl}}" + {{- else }} + - "-prometheus-url=http://prometheus.linkerd-viz.svc.{{.Values.clusterDomain}}:9090" + {{- end }} + {{- if .Values.heartbeatResources -}} + {{- include "partials.resources" .Values.heartbeatResources | nindent 12 }} + {{- end }} + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: {{.Values.controllerUID}} + {{- if ge (int .Values.controllerGID) 0 }} + runAsGroup: {{.Values.controllerGID}} + {{- end }} + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault +{{- end }} diff --git a/charts/linkerd/linkerd-control-plane/2024.9.3/templates/identity-rbac.yaml b/charts/linkerd/linkerd-control-plane/2024.9.3/templates/identity-rbac.yaml new file mode 100644 index 000000000..6efdb4e10 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.9.3/templates/identity-rbac.yaml @@ -0,0 +1,49 @@ +--- +### +### Identity Controller Service RBAC +### +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-{{.Release.Namespace}}-identity + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +rules: +- apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] +# TODO(ver) Restrict this to the Linkerd namespace. See +# https://github.com/linkerd/linkerd2/issues/9367 +- apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-{{.Release.Namespace}}-identity + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-{{.Release.Namespace}}-identity +subjects: +- kind: ServiceAccount + name: linkerd-identity + namespace: {{.Release.Namespace}} +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-identity + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +{{- include "partials.image-pull-secrets" .Values.imagePullSecrets }} diff --git a/charts/linkerd/linkerd-control-plane/2024.9.3/templates/identity.yaml b/charts/linkerd/linkerd-control-plane/2024.9.3/templates/identity.yaml new file mode 100644 index 000000000..070cadd1e --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.9.3/templates/identity.yaml @@ -0,0 +1,272 @@ +{{if .Values.identity -}} +--- +### +### Identity Controller Service +### +{{ if and (.Values.identity.issuer) (eq .Values.identity.issuer.scheme "linkerd.io/tls") -}} +kind: Secret +apiVersion: v1 +metadata: + name: linkerd-identity-issuer + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +data: + crt.pem: {{b64enc (required "Please provide the identity issuer certificate" .Values.identity.issuer.tls.crtPEM | trim)}} + key.pem: {{b64enc (required "Please provide the identity issue private key" .Values.identity.issuer.tls.keyPEM | trim)}} +--- +{{- end}} +{{ if not (.Values.identity.externalCA) -}} +kind: ConfigMap +apiVersion: v1 +metadata: + name: linkerd-identity-trust-roots + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +data: + ca-bundle.crt: |-{{.Values.identityTrustAnchorsPEM | trim | nindent 4}} +--- +{{- end}} +kind: Service +apiVersion: v1 +metadata: + name: linkerd-identity + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: identity + ports: + - name: grpc + port: 8080 + targetPort: 8080 +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-identity-headless + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +spec: + clusterIP: None + selector: + linkerd.io/control-plane-component: identity + ports: + - name: grpc + port: 8080 + targetPort: 8080 +--- +{{- if .Values.enablePodDisruptionBudget }} +kind: PodDisruptionBudget +apiVersion: policy/v1 +metadata: + name: linkerd-identity + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +spec: + maxUnavailable: {{ .Values.controller.podDisruptionBudget.maxUnavailable }} + selector: + matchLabels: + linkerd.io/control-plane-component: identity +--- +{{- end }} +{{- $tree := deepCopy . }} +{{ $_ := set $tree.Values.proxy "workloadKind" "deployment" -}} +{{ $_ := set $tree.Values.proxy "component" "linkerd-identity" -}} +{{ $_ := set $tree.Values.proxy "waitBeforeExitSeconds" 0 -}} +{{- if not (empty .Values.identityProxyResources) }} +{{- $c := dig "cores" .Values.proxy.cores .Values.identityProxyResources }} +{{- $_ := set $tree.Values.proxy "cores" $c }} +{{- $r := merge .Values.identityProxyResources .Values.proxy.resources }} +{{- $_ := set $tree.Values.proxy "resources" $r }} +{{- end }} +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + {{ include "partials.annotations.created-by" . }} + labels: + app.kubernetes.io/name: identity + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: {{.Values.linkerdVersion}} + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + name: linkerd-identity + namespace: {{ .Release.Namespace }} +spec: + replicas: {{.Values.controllerReplicas}} + revisionHistoryLimit: {{.Values.revisionHistoryLimit}} + selector: + matchLabels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- include "partials.proxy.labels" $tree.Values.proxy | nindent 6}} + {{- if .Values.deploymentStrategy }} + strategy: + {{- with .Values.deploymentStrategy }}{{ toYaml . | trim | nindent 4 }}{{- end }} + {{- end }} + template: + metadata: + annotations: + {{ include "partials.annotations.created-by" . }} + {{- include "partials.proxy.annotations" . | nindent 8}} + {{- with .Values.podAnnotations }}{{ toYaml . | trim | nindent 8 }}{{- end }} + config.linkerd.io/default-inbound-policy: "all-unauthenticated" + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: {{.Release.Namespace}} + linkerd.io/workload-ns: {{.Release.Namespace}} + {{- include "partials.proxy.labels" $tree.Values.proxy | nindent 8}} + {{- with .Values.podLabels }}{{ toYaml . | trim | nindent 8 }}{{- end }} + spec: + {{- with .Values.runtimeClassName }} + runtimeClassName: {{ . | quote }} + {{- end }} + {{- if .Values.tolerations -}} + {{- include "linkerd.tolerations" . | nindent 6 }} + {{- end -}} + {{- include "linkerd.node-selector" . | nindent 6 }} + {{- $_ := set $tree "component" "identity" -}} + {{- include "linkerd.affinity" $tree | nindent 6 }} + containers: + - args: + - identity + - -log-level={{.Values.controllerLogLevel}} + - -log-format={{.Values.controllerLogFormat}} + - -controller-namespace={{.Release.Namespace}} + - -identity-trust-domain={{.Values.identityTrustDomain | default .Values.clusterDomain}} + - -identity-issuance-lifetime={{.Values.identity.issuer.issuanceLifetime}} + - -identity-clock-skew-allowance={{.Values.identity.issuer.clockSkewAllowance}} + - -identity-scheme={{.Values.identity.issuer.scheme}} + - -enable-pprof={{.Values.enablePprof | default false}} + - -kube-apiclient-qps={{.Values.identity.kubeAPI.clientQPS}} + - -kube-apiclient-burst={{.Values.identity.kubeAPI.clientBurst}} + {{- include "partials.linkerd.trace" . | nindent 8 -}} + env: + - name: LINKERD_DISABLED + value: "linkerd-await cannot block the identity controller" + {{- with (.Values.identity).additionalEnv }} + {{- toYaml . | nindent 8 -}} + {{- end }} + {{- with (.Values.identity).experimentalEnv }} + {{- toYaml . | nindent 8 -}} + {{- end }} + image: {{.Values.controllerImage}}:{{.Values.controllerImageVersion | default .Values.linkerdVersion}} + imagePullPolicy: {{.Values.imagePullPolicy}} + livenessProbe: + httpGet: + path: /ping + port: 9990 + initialDelaySeconds: 10 + {{- with (.Values.identity.livenessProbe).timeoutSeconds }} + timeoutSeconds: {{ . }} + {{- end }} + name: identity + ports: + - containerPort: 8080 + name: grpc + - containerPort: 9990 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9990 + {{- with (.Values.identity.readinessProbe).timeoutSeconds }} + timeoutSeconds: {{ . }} + {{- end }} + {{- if .Values.identityResources -}} + {{- include "partials.resources" .Values.identityResources | nindent 8 }} + {{- end }} + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: {{.Values.controllerUID}} + {{- if ge (int .Values.controllerGID) 0 }} + runAsGroup: {{.Values.controllerGID}} + {{- end }} + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /var/run/linkerd/identity/issuer + name: identity-issuer + - mountPath: /var/run/linkerd/identity/trust-roots/ + name: trust-roots + {{- $_ := set $tree.Values.proxy "await" false }} + {{- $_ := set $tree.Values.proxy "loadTrustBundleFromConfigMap" true }} + {{- $_ := set $tree.Values.proxy "podInboundPorts" "8080,9990" }} + {{- $_ := set $tree.Values.proxy "nativeSidecar" false }} + {{- /* + The identity controller cannot discover policies, so we configure it with defaults that + enforce TLS on the identity service. + */}} + {{- $_ := set $tree.Values.proxy "defaultInboundPolicy" "all-unauthenticated" }} + {{- $_ := set $tree.Values.proxy "requireTLSOnInboundPorts" "8080" }} + {{- $_ := set $tree.Values.proxy "capabilities" (dict "drop" (list "ALL")) }} + {{- $_ := set $tree.Values.proxy "outboundDiscoveryCacheUnusedTimeout" "5s" }} + {{- $_ := set $tree.Values.proxy "inboundDiscoveryCacheUnusedTimeout" "90s" }} + - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }} + initContainers: + {{ if .Values.cniEnabled -}} + - {{- include "partials.network-validator" $tree | indent 8 | trimPrefix (repeat 7 " ") }} + {{ else -}} + {{- /* + The identity controller needs to connect to the Kubernetes API before the proxy is able to + proxy requests, so we always skip these connections. The identity controller makes no other + outbound connections (so it's not important to persist any other skip ports here) + */}} + {{- $_ := set $tree.Values.proxyInit "ignoreOutboundPorts" .Values.proxyInit.kubeAPIServerPorts -}} + - {{- include "partials.proxy-init" $tree | indent 8 | trimPrefix (repeat 7 " ") }} + {{ end -}} + {{- if .Values.priorityClassName -}} + priorityClassName: {{ .Values.priorityClassName }} + {{ end -}} + securityContext: + seccompProfile: + type: RuntimeDefault + serviceAccountName: linkerd-identity + volumes: + - name: identity-issuer + secret: + secretName: linkerd-identity-issuer + - configMap: + name: linkerd-identity-trust-roots + name: trust-roots + {{ if not .Values.cniEnabled -}} + - {{- include "partials.proxyInit.volumes.xtables" . | indent 8 | trimPrefix (repeat 7 " ") }} + {{ end -}} + {{if .Values.identity.serviceAccountTokenProjection -}} + - {{- include "partials.proxy.volumes.service-account-token" . | indent 8 | trimPrefix (repeat 7 " ") }} + {{ end -}} + - {{- include "partials.proxy.volumes.identity" . | indent 8 | trimPrefix (repeat 7 " ") }} +{{end -}} diff --git a/charts/linkerd/linkerd-control-plane/2024.9.3/templates/namespace.yaml b/charts/linkerd/linkerd-control-plane/2024.9.3/templates/namespace.yaml new file mode 100644 index 000000000..61461c132 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.9.3/templates/namespace.yaml @@ -0,0 +1,18 @@ +{{- if eq .Release.Service "CLI" -}} +--- +### +### Linkerd Namespace +### +kind: Namespace +apiVersion: v1 +metadata: + name: {{ .Release.Namespace }} + annotations: + linkerd.io/inject: disabled + labels: + linkerd.io/is-control-plane: "true" + config.linkerd.io/admission-webhooks: disabled + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- /* linkerd-init requires extended capabilities and so requires priviledged mode */}} + pod-security.kubernetes.io/enforce: {{ ternary "restricted" "privileged" .Values.cniEnabled }} +{{ end -}} diff --git a/charts/linkerd/linkerd-control-plane/2024.9.3/templates/podmonitor.yaml b/charts/linkerd/linkerd-control-plane/2024.9.3/templates/podmonitor.yaml new file mode 100644 index 000000000..fd2b5d6ce --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.9.3/templates/podmonitor.yaml @@ -0,0 +1,128 @@ +{{- $podMonitor := .Values.podMonitor -}} +{{- if and $podMonitor.enabled $podMonitor.controller.enabled }} +--- +### +### Prometheus Operator PodMonitor for Linkerd control-plane +### +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + name: "linkerd-controller" + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-ns: {{ .Release.Namespace }} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + {{- with .Values.podMonitor.labels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +spec: + namespaceSelector: {{ tpl .Values.podMonitor.controller.namespaceSelector . | nindent 4 }} + selector: + matchLabels: {} + podMetricsEndpoints: + - interval: {{ $podMonitor.scrapeInterval }} + scrapeTimeout: {{ $podMonitor.scrapeTimeout }} + relabelings: + - sourceLabels: + - __meta_kubernetes_pod_container_port_name + action: keep + regex: admin-http + - sourceLabels: + - __meta_kubernetes_pod_container_name + action: replace + targetLabel: component +{{- end }} +{{- if and $podMonitor.enabled $podMonitor.serviceMirror.enabled }} +--- +### +### Prometheus Operator PodMonitor for Linkerd Service Mirror (multi-cluster) +### +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + name: "linkerd-service-mirror" + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-ns: {{ .Release.Namespace }} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + {{- with .Values.podMonitor.labels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +spec: + namespaceSelector: + any: true + selector: + matchLabels: {} + podMetricsEndpoints: + - interval: {{ $podMonitor.scrapeInterval }} + scrapeTimeout: {{ $podMonitor.scrapeTimeout }} + relabelings: + - sourceLabels: + - __meta_kubernetes_pod_label_linkerd_io_control_plane_component + - __meta_kubernetes_pod_container_port_name + action: keep + regex: linkerd-service-mirror;admin-http$ + - sourceLabels: + - __meta_kubernetes_pod_container_name + action: replace + targetLabel: component +{{- end }} +{{- if and $podMonitor.enabled $podMonitor.proxy.enabled }} +--- +### +### Prometheus Operator PodMonitor Linkerd data-plane +### +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + name: "linkerd-proxy" + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-ns: {{ .Release.Namespace }} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + {{- with .Values.podMonitor.labels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +spec: + namespaceSelector: + any: true + selector: + matchLabels: {} + podMetricsEndpoints: + - interval: {{ $podMonitor.scrapeInterval }} + scrapeTimeout: {{ $podMonitor.scrapeTimeout }} + relabelings: + - sourceLabels: + - __meta_kubernetes_pod_container_name + - __meta_kubernetes_pod_container_port_name + - __meta_kubernetes_pod_label_linkerd_io_control_plane_ns + action: keep + regex: ^linkerd-proxy;linkerd-admin;{{ .Release.Namespace }}$ + - sourceLabels: [ __meta_kubernetes_namespace ] + action: replace + targetLabel: namespace + - sourceLabels: [ __meta_kubernetes_pod_name ] + action: replace + targetLabel: pod + - sourceLabels: [ __meta_kubernetes_pod_label_linkerd_io_proxy_job ] + action: replace + targetLabel: k8s_job + - action: labeldrop + regex: __meta_kubernetes_pod_label_linkerd_io_proxy_job + - action: labelmap + regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) + - action: labeldrop + regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) + - action: labelmap + regex: __meta_kubernetes_pod_label_linkerd_io_(.+) + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + replacement: __tmp_pod_label_$1 + - action: labelmap + regex: __tmp_pod_label_linkerd_io_(.+) + replacement: __tmp_pod_label_$1 + - action: labeldrop + regex: __tmp_pod_label_linkerd_io_(.+) + - action: labelmap + regex: __tmp_pod_label_(.+) +{{- end }} diff --git a/charts/linkerd/linkerd-control-plane/2024.9.3/templates/proxy-injector-rbac.yaml b/charts/linkerd/linkerd-control-plane/2024.9.3/templates/proxy-injector-rbac.yaml new file mode 100644 index 000000000..c2c84c5c1 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.9.3/templates/proxy-injector-rbac.yaml @@ -0,0 +1,120 @@ +--- +### +### Proxy Injector RBAC +### +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-{{.Release.Namespace}}-proxy-injector + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +rules: +- apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +- apiGroups: [""] + resources: ["namespaces", "replicationcontrollers"] + verbs: ["list", "get", "watch"] +- apiGroups: [""] + resources: ["pods"] + verbs: ["list", "watch"] +- apiGroups: ["extensions", "apps"] + resources: ["deployments", "replicasets", "daemonsets", "statefulsets"] + verbs: ["list", "get", "watch"] +- apiGroups: ["extensions", "batch"] + resources: ["cronjobs", "jobs"] + verbs: ["list", "get", "watch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-{{.Release.Namespace}}-proxy-injector + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +subjects: +- kind: ServiceAccount + name: linkerd-proxy-injector + namespace: {{.Release.Namespace}} + apiGroup: "" +roleRef: + kind: ClusterRole + name: linkerd-{{.Release.Namespace}}-proxy-injector + apiGroup: rbac.authorization.k8s.io +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-proxy-injector + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +{{- include "partials.image-pull-secrets" .Values.imagePullSecrets }} +--- +{{- $host := printf "linkerd-proxy-injector.%s.svc" .Release.Namespace }} +{{- $ca := genSelfSignedCert $host (list) (list $host) 365 }} +{{- if (not .Values.proxyInjector.externalSecret) }} +kind: Secret +apiVersion: v1 +metadata: + name: linkerd-proxy-injector-k8s-tls + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +type: kubernetes.io/tls +data: + tls.crt: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.proxyInjector.crtPEM)) (empty .Values.proxyInjector.crtPEM) }} + tls.key: {{ ternary (b64enc (trim $ca.Key)) (b64enc (trim .Values.proxyInjector.keyPEM)) (empty .Values.proxyInjector.keyPEM) }} +--- +{{- end }} +{{- include "linkerd.webhook.validation" .Values.proxyInjector }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: linkerd-proxy-injector-webhook-config + {{- if or (.Values.proxyInjector.injectCaFrom) (.Values.proxyInjector.injectCaFromSecret) }} + annotations: + {{- if .Values.proxyInjector.injectCaFrom }} + cert-manager.io/inject-ca-from: {{ .Values.proxyInjector.injectCaFrom }} + {{- end }} + {{- if .Values.proxyInjector.injectCaFromSecret }} + cert-manager.io/inject-ca-from-secret: {{ .Values.proxyInjector.injectCaFromSecret }} + {{- end }} + {{- end }} + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +webhooks: +- name: linkerd-proxy-injector.linkerd.io + namespaceSelector: + {{- toYaml .Values.proxyInjector.namespaceSelector | trim | nindent 4 }} + objectSelector: + {{- toYaml .Values.proxyInjector.objectSelector | trim | nindent 4 }} + clientConfig: + service: + name: linkerd-proxy-injector + namespace: {{ .Release.Namespace }} + path: "/" + {{- if and (empty .Values.proxyInjector.injectCaFrom) (empty .Values.proxyInjector.injectCaFromSecret) }} + caBundle: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.proxyInjector.caBundle)) (empty .Values.proxyInjector.caBundle) }} + {{- end }} + failurePolicy: {{.Values.webhookFailurePolicy}} + admissionReviewVersions: ["v1", "v1beta1"] + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods", "services"] + scope: "Namespaced" + sideEffects: None + timeoutSeconds: {{ .Values.proxyInjector.timeoutSeconds | default 10 }} diff --git a/charts/linkerd/linkerd-control-plane/2024.9.3/templates/proxy-injector.yaml b/charts/linkerd/linkerd-control-plane/2024.9.3/templates/proxy-injector.yaml new file mode 100644 index 000000000..34b1d3ba4 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.9.3/templates/proxy-injector.yaml @@ -0,0 +1,222 @@ +--- +### +### Proxy Injector +### +{{- $tree := deepCopy . }} +{{ $_ := set $tree.Values.proxy "workloadKind" "deployment" -}} +{{ $_ := set $tree.Values.proxy "component" "linkerd-proxy-injector" -}} +{{ $_ := set $tree.Values.proxy "waitBeforeExitSeconds" 0 -}} +{{- if not (empty .Values.proxyInjectorProxyResources) }} +{{- $c := dig "cores" .Values.proxy.cores .Values.proxyInjectorProxyResources }} +{{- $_ := set $tree.Values.proxy "cores" $c }} +{{- $r := merge .Values.proxyInjectorProxyResources .Values.proxy.resources }} +{{- $_ := set $tree.Values.proxy "resources" $r }} +{{- end }} +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + {{ include "partials.annotations.created-by" . }} + labels: + app.kubernetes.io/name: proxy-injector + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: {{.Values.linkerdVersion}} + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + name: linkerd-proxy-injector + namespace: {{ .Release.Namespace }} +spec: + replicas: {{.Values.controllerReplicas}} + revisionHistoryLimit: {{.Values.revisionHistoryLimit}} + selector: + matchLabels: + linkerd.io/control-plane-component: proxy-injector + {{- if .Values.deploymentStrategy }} + strategy: + {{- with .Values.deploymentStrategy }}{{ toYaml . | trim | nindent 4 }}{{- end }} + {{- end }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/proxy-injector-rbac.yaml") . | sha256sum }} + {{ include "partials.annotations.created-by" . }} + {{- include "partials.proxy.annotations" . | nindent 8}} + {{- with .Values.podAnnotations }}{{ toYaml . | trim | nindent 8 }}{{- end }} + config.linkerd.io/opaque-ports: "8443" + config.linkerd.io/default-inbound-policy: "all-unauthenticated" + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: {{.Release.Namespace}} + linkerd.io/workload-ns: {{.Release.Namespace}} + {{- include "partials.proxy.labels" $tree.Values.proxy | nindent 8}} + {{- with .Values.podLabels }}{{ toYaml . | trim | nindent 8 }}{{- end }} + spec: + {{- with .Values.runtimeClassName }} + runtimeClassName: {{ . | quote }} + {{- end }} + {{- if .Values.tolerations -}} + {{- include "linkerd.tolerations" . | nindent 6 }} + {{- end -}} + {{- include "linkerd.node-selector" . | nindent 6 }} + {{- $_ := set $tree "component" "proxy-injector" -}} + {{- include "linkerd.affinity" $tree | nindent 6 }} + containers: + {{- $_ := set $tree.Values.proxy "await" $tree.Values.proxy.await }} + {{- $_ := set $tree.Values.proxy "loadTrustBundleFromConfigMap" true }} + {{- $_ := set $tree.Values.proxy "podInboundPorts" "8443,9995" }} + {{- /* + The pod needs to accept webhook traffic, and we can't rely on that originating in the + cluster network. + */}} + {{- $_ := set $tree.Values.proxy "defaultInboundPolicy" "all-unauthenticated" }} + {{- $_ := set $tree.Values.proxy "capabilities" (dict "drop" (list "ALL")) }} + {{- $_ := set $tree.Values.proxy "outboundDiscoveryCacheUnusedTimeout" "5s" }} + {{- $_ := set $tree.Values.proxy "inboundDiscoveryCacheUnusedTimeout" "90s" }} + {{- if not $tree.Values.proxy.nativeSidecar }} + - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }} + {{- end }} + - args: + - proxy-injector + - -log-level={{.Values.controllerLogLevel}} + - -log-format={{.Values.controllerLogFormat}} + - -linkerd-namespace={{.Release.Namespace}} + - -enable-pprof={{.Values.enablePprof | default false}} + {{- if or (.Values.proxyInjector).additionalEnv (.Values.proxyInjector).experimentalEnv }} + env: + {{- with (.Values.proxyInjector).additionalEnv }} + {{- toYaml . | nindent 8 -}} + {{- end }} + {{- with (.Values.proxyInjector).experimentalEnv }} + {{- toYaml . | nindent 8 -}} + {{- end }} + {{- end }} + image: {{.Values.controllerImage}}:{{.Values.controllerImageVersion | default .Values.linkerdVersion}} + imagePullPolicy: {{.Values.imagePullPolicy}} + livenessProbe: + httpGet: + path: /ping + port: 9995 + initialDelaySeconds: 10 + {{- with (.Values.proxyInjector.livenessProbe).timeoutSeconds }} + timeoutSeconds: {{ . }} + {{- end }} + name: proxy-injector + ports: + - containerPort: 8443 + name: proxy-injector + - containerPort: 9995 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9995 + {{- with (.Values.proxyInjector.readinessProbe).timeoutSeconds }} + timeoutSeconds: {{ . }} + {{- end }} + {{- if .Values.proxyInjectorResources -}} + {{- include "partials.resources" .Values.proxyInjectorResources | nindent 8 }} + {{- end }} + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: {{.Values.controllerUID}} + {{- if ge (int .Values.controllerGID) 0 }} + runAsGroup: {{.Values.controllerGID}} + {{- end }} + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /var/run/linkerd/config + name: config + - mountPath: /var/run/linkerd/identity/trust-roots + name: trust-roots + - mountPath: /var/run/linkerd/tls + name: tls + readOnly: true + initContainers: + {{ if .Values.cniEnabled -}} + - {{- include "partials.network-validator" $tree | indent 8 | trimPrefix (repeat 7 " ") }} + {{ else -}} + {{- /* + The controller needs to connect to the Kubernetes API. There's no reason + to put the proxy in the way of that. + */}} + {{- $_ := set $tree.Values.proxyInit "ignoreOutboundPorts" .Values.proxyInit.kubeAPIServerPorts -}} + - {{- include "partials.proxy-init" $tree | indent 8 | trimPrefix (repeat 7 " ") }} + {{ end -}} + {{- if $tree.Values.proxy.nativeSidecar }} + {{- $_ := set $tree.Values.proxy "startupProbeInitialDelaySeconds" 35 }} + {{- $_ := set $tree.Values.proxy "startupProbePeriodSeconds" 5 }} + {{- $_ := set $tree.Values.proxy "startupProbeFailureThreshold" 20 }} + - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }} + {{ end -}} + {{- if .Values.priorityClassName -}} + priorityClassName: {{ .Values.priorityClassName }} + {{ end -}} + securityContext: + seccompProfile: + type: RuntimeDefault + serviceAccountName: linkerd-proxy-injector + volumes: + - configMap: + name: linkerd-config + name: config + - configMap: + name: linkerd-identity-trust-roots + name: trust-roots + - name: tls + secret: + secretName: linkerd-proxy-injector-k8s-tls + {{ if not .Values.cniEnabled -}} + - {{- include "partials.proxyInit.volumes.xtables" . | indent 8 | trimPrefix (repeat 7 " ") }} + {{ end -}} + {{if .Values.identity.serviceAccountTokenProjection -}} + - {{- include "partials.proxy.volumes.service-account-token" . | indent 8 | trimPrefix (repeat 7 " ") }} + {{ end -}} + - {{- include "partials.proxy.volumes.identity" . | indent 8 | trimPrefix (repeat 7 " ") }} +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-proxy-injector + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} + config.linkerd.io/opaque-ports: "443" +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: proxy-injector + ports: + - name: proxy-injector + port: 443 + targetPort: proxy-injector +{{- if .Values.enablePodDisruptionBudget }} +--- +kind: PodDisruptionBudget +apiVersion: policy/v1 +metadata: + name: linkerd-proxy-injector + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +spec: + maxUnavailable: {{ .Values.controller.podDisruptionBudget.maxUnavailable }} + selector: + matchLabels: + linkerd.io/control-plane-component: proxy-injector +{{- end }} diff --git a/charts/linkerd/linkerd-control-plane/2024.9.3/templates/psp.yaml b/charts/linkerd/linkerd-control-plane/2024.9.3/templates/psp.yaml new file mode 100644 index 000000000..db91fea67 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.9.3/templates/psp.yaml @@ -0,0 +1,119 @@ +{{ if .Values.enablePSP -}} +--- +### +### Control Plane PSP +### +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: linkerd-{{.Release.Namespace}}-control-plane + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: "runtime/default" + labels: + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +spec: + {{- if or .Values.proxyInit.closeWaitTimeoutSecs .Values.proxyInit.runAsRoot }} + allowPrivilegeEscalation: true + {{- else }} + allowPrivilegeEscalation: false + {{- end }} + readOnlyRootFilesystem: true + {{- if empty .Values.cniEnabled }} + allowedCapabilities: + - NET_ADMIN + - NET_RAW + {{- end}} + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + seLinux: + rule: RunAsAny + runAsUser: + {{- if .Values.cniEnabled }} + rule: MustRunAsNonRoot + {{- else }} + rule: RunAsAny + {{- end }} + runAsGroup: + {{- if .Values.cniEnabled }} + rule: MustRunAs + ranges: + - min: 1000 + max: 999999 + {{- else }} + rule: RunAsAny + {{- end }} + supplementalGroups: + rule: MustRunAs + ranges: + {{- if .Values.cniEnabled }} + - min: 10001 + max: 65535 + {{- else }} + - min: 1 + max: 65535 + {{- end }} + fsGroup: + rule: MustRunAs + ranges: + {{- if .Values.cniEnabled }} + - min: 10001 + max: 65535 + {{- else }} + - min: 1 + max: 65535 + {{- end }} + volumes: + - configMap + - emptyDir + - secret + - projected + - downwardAPI + - persistentVolumeClaim +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: linkerd-psp + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +rules: +- apiGroups: ['policy', 'extensions'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - linkerd-{{.Release.Namespace}}-control-plane +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-psp + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +roleRef: + kind: Role + name: linkerd-psp + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: linkerd-destination + namespace: {{.Release.Namespace}} +{{ if not .Values.disableHeartBeat -}} +- kind: ServiceAccount + name: linkerd-heartbeat + namespace: {{.Release.Namespace}} +{{ end -}} +- kind: ServiceAccount + name: linkerd-identity + namespace: {{.Release.Namespace}} +- kind: ServiceAccount + name: linkerd-proxy-injector + namespace: {{.Release.Namespace}} +{{ end -}} diff --git a/charts/linkerd/linkerd-control-plane/2024.9.3/values-ha.yaml b/charts/linkerd/linkerd-control-plane/2024.9.3/values-ha.yaml new file mode 100644 index 000000000..e3b8cbc07 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.9.3/values-ha.yaml @@ -0,0 +1,63 @@ +# This values.yaml file contains the values needed to enable HA mode. +# Usage: +# helm install -f values-ha.yaml + +# -- Create PodDisruptionBudget resources for each control plane workload +enablePodDisruptionBudget: true + +controller: + # -- sets pod disruption budget parameter for all deployments + podDisruptionBudget: + # -- Maximum number of pods that can be unavailable during disruption + maxUnavailable: 1 + +# -- Specify a deployment strategy for each control plane workload +deploymentStrategy: + rollingUpdate: + maxUnavailable: 1 + maxSurge: 25% + +# -- add PodAntiAffinity to each control plane workload +enablePodAntiAffinity: true + +# nodeAffinity: + +# proxy configuration +proxy: + resources: + cpu: + request: 100m + memory: + limit: 250Mi + request: 20Mi + +# controller configuration +controllerReplicas: 3 +controllerResources: &controller_resources + cpu: &controller_resources_cpu + limit: "" + request: 100m + memory: + limit: 250Mi + request: 50Mi +destinationResources: *controller_resources + +# identity configuration +identityResources: + cpu: *controller_resources_cpu + memory: + limit: 250Mi + request: 10Mi + +# heartbeat configuration +heartbeatResources: *controller_resources + +# proxy injector configuration +proxyInjectorResources: *controller_resources +webhookFailurePolicy: Fail + +# service profile validator configuration +spValidatorResources: *controller_resources + +# flag for linkerd check +highAvailability: true diff --git a/charts/linkerd/linkerd-control-plane/2024.9.3/values.yaml b/charts/linkerd/linkerd-control-plane/2024.9.3/values.yaml new file mode 100644 index 000000000..c998afcb5 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.9.3/values.yaml @@ -0,0 +1,664 @@ +# Default values for linkerd. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# -- Kubernetes DNS Domain name to use +clusterDomain: cluster.local + +# -- The cluster networks for which service discovery is performed. This should +# include the pod and service networks, but need not include the node network. +# +# By default, all IPv4 private networks and all accepted IPv6 ULAs are +# specified so that resolution works in typical Kubernetes environments. +clusterNetworks: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8" +# -- Docker image pull policy +imagePullPolicy: IfNotPresent +# -- Specifies the number of old ReplicaSets to retain to allow rollback. +revisionHistoryLimit: 10 +# -- Log level for the control plane components +controllerLogLevel: info +# -- Log format for the control plane components +controllerLogFormat: plain +# -- enables control plane tracing +controlPlaneTracing: false +# -- namespace to send control plane traces to +controlPlaneTracingNamespace: linkerd-jaeger +# -- control plane version. See Proxy section for proxy version +linkerdVersion: edge-24.9.3 +# -- default kubernetes deployment strategy +deploymentStrategy: + rollingUpdate: + maxUnavailable: 25% + maxSurge: 25% +# -- enables the use of EndpointSlice informers for the destination service; +# enableEndpointSlices should be set to true only if EndpointSlice K8s feature +# gate is on +enableEndpointSlices: true +# -- enables pod anti affinity creation on deployments for high availability +enablePodAntiAffinity: false +# -- enables the use of pprof endpoints on control plane component's admin +# servers +enablePprof: false +# -- enables the creation of pod disruption budgets for control plane components +enablePodDisruptionBudget: false +# -- disables routing IPv6 traffic in addition to IPv4 traffic through the +# proxy (IPv6 routing only available as of proxy-init v2.3.0 and linkerd-cni +# v1.4.0) +disableIPv6: true + +controller: + # -- sets pod disruption budget parameter for all deployments + podDisruptionBudget: + # -- Maximum number of pods that can be unavailable during disruption + maxUnavailable: 1 +# -- enabling this omits the NET_ADMIN capability in the PSP +# and the proxy-init container when injecting the proxy; +# requires the linkerd-cni plugin to already be installed +cniEnabled: false +# -- Trust root certificate (ECDSA). It must be provided during install. +identityTrustAnchorsPEM: | +# -- Trust domain used for identity +# @default -- clusterDomain +identityTrustDomain: "" +kubeAPI: &kubeapi + # -- Maximum QPS sent to the kube-apiserver before throttling. + # See [token bucket rate limiter + # implementation](https://github.com/kubernetes/client-go/blob/v12.0.0/util/flowcontrol/throttle.go) + clientQPS: 100 + # -- Burst value over clientQPS + clientBurst: 200 +# -- Additional annotations to add to all pods +podAnnotations: {} +# -- Additional labels to add to all pods +podLabels: {} +# -- Labels to apply to all resources +commonLabels: {} +# -- Kubernetes priorityClassName for the Linkerd Pods +priorityClassName: "" +# -- Runtime Class Name for all the pods +runtimeClassName: "" + +# policy controller configuration +policyController: + image: + # -- Docker image for the policy controller + name: cr.l5d.io/linkerd/policy-controller + # -- Pull policy for the policy controller container image + # @default -- imagePullPolicy + pullPolicy: "" + # -- Tag for the policy controller container image + # @default -- linkerdVersion + version: "" + + # -- Log level for the policy controller + logLevel: info + + # -- The networks from which probes are performed. + # + # By default, all networks are allowed so that all probes are authorized. + probeNetworks: + - 0.0.0.0/0 + - "::/0" + + # -- policy controller resource requests & limits + resources: + cpu: + # -- Maximum amount of CPU units that the policy controller can use + limit: "" + # -- Amount of CPU units that the policy controller requests + request: "" + memory: + # -- Maximum amount of memory that the policy controller can use + limit: "" + # -- Maximum amount of memory that the policy controller requests + request: "" + ephemeral-storage: + # -- Maximum amount of ephemeral storage that the policy controller can use + limit: "" + # -- Amount of ephemeral storage that the policy controller requests + request: "" + + livenessProbe: + timeoutSeconds: 1 + readinessProbe: + timeoutSeconds: 1 + +# proxy configuration +proxy: + # -- Enable service profiles for non-Kubernetes services + enableExternalProfiles: false + # -- Maximum time allowed for the proxy to establish an outbound TCP + # connection + outboundConnectTimeout: 1000ms + # -- Maximum time allowed for the proxy to establish an inbound TCP + # connection + inboundConnectTimeout: 100ms + # -- Maximum time allowed before an unused outbound discovery result + # is evicted from the cache + outboundDiscoveryCacheUnusedTimeout: "5s" + # -- Maximum time allowed before an unused inbound discovery result + # is evicted from the cache + inboundDiscoveryCacheUnusedTimeout: "90s" + # -- When set to true, disables the protocol detection timeout on the + # outbound side of the proxy by setting it to a very high value + disableOutboundProtocolDetectTimeout: false + # -- When set to true, disables the protocol detection timeout on the inbound + # side of the proxy by setting it to a very high value + disableInboundProtocolDetectTimeout: false + image: + # -- Docker image for the proxy + name: cr.l5d.io/linkerd/proxy + # -- Pull policy for the proxy container image + # @default -- imagePullPolicy + pullPolicy: "" + # -- Tag for the proxy container image + # @default -- linkerdVersion + version: "" + # -- Enables the proxy's /shutdown admin endpoint + enableShutdownEndpoint: false + # -- Log level for the proxy + logLevel: warn,linkerd=info,hickory=error + # -- Log format (`plain` or `json`) for the proxy + logFormat: plain + # -- (`off` or `insecure`) If set to `off`, will prevent the proxy from + # logging HTTP headers. If set to `insecure`, HTTP headers may be logged + # verbatim. Note that setting this to `insecure` is not alone sufficient to + # log HTTP headers; the proxy logLevel must also be set to debug. + logHTTPHeaders: "off" + ports: + # -- Admin port for the proxy container + admin: 4191 + # -- Control port for the proxy container + control: 4190 + # -- Inbound port for the proxy container + inbound: 4143 + # -- Outbound port for the proxy container + outbound: 4140 + # -- The `cpu.limit` and `cores` should be kept in sync. The value of `cores` + # must be an integer and should typically be set by rounding up from the + # limit. E.g. if cpu.limit is '1500m', cores should be 2. + cores: 0 + resources: + cpu: + # -- Maximum amount of CPU units that the proxy can use + limit: "" + # -- Amount of CPU units that the proxy requests + request: "" + memory: + # -- Maximum amount of memory that the proxy can use + limit: "" + # -- Maximum amount of memory that the proxy requests + request: "" + ephemeral-storage: + # -- Maximum amount of ephemeral storage that the proxy can use + limit: "" + # -- Amount of ephemeral storage that the proxy requests + request: "" + # -- User id under which the proxy runs + uid: 2102 + # -- (int) Optional customisation of the group id under which the proxy runs (the group ID will be omitted if lower than 0) + gid: -1 + + # -- If set the injected proxy sidecars in the data plane will stay alive for + # at least the given period before receiving the SIGTERM signal from + # Kubernetes but no longer than the pod's `terminationGracePeriodSeconds`. + # See [Lifecycle + # hooks](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks) + # for more info on container lifecycle hooks. + waitBeforeExitSeconds: 0 + # -- If set, the application container will not start until the proxy is + # ready + await: true + requireIdentityOnInboundPorts: "" + # -- Default set of opaque ports + # - SMTP (25,587) server-first + # - MYSQL (3306) server-first + # - Galera (4444) server-first + # - PostgreSQL (5432) server-first + # - Redis (6379) server-first + # - ElasticSearch (9300) server-first + # - Memcached (11211) clients do not issue any preamble, which breaks detection + opaquePorts: "25,587,3306,4444,5432,6379,9300,11211" + # -- Grace period for graceful proxy shutdowns. If this timeout elapses before all open connections have completed, the proxy will terminate forcefully, closing any remaining connections. + shutdownGracePeriod: "" + # -- The default allow policy to use when no `Server` selects a pod. One of: "all-authenticated", + # "all-unauthenticated", "cluster-authenticated", "cluster-unauthenticated", "deny", "audit" + # @default -- "all-unauthenticated" + defaultInboundPolicy: "all-unauthenticated" + # -- Enable KEP-753 native sidecars + # This is an experimental feature. It requires Kubernetes >= 1.29. + # If enabled, .proxy.waitBeforeExitSeconds should not be used. + nativeSidecar: false + # -- Native sidecar proxy startup probe parameters. + # -- LivenessProbe timeout and delay configuration + livenessProbe: + initialDelaySeconds: 10 + timeoutSeconds: 1 + # -- ReadinessProbe timeout and delay configuration + readinessProbe: + initialDelaySeconds: 2 + timeoutSeconds: 1 + startupProbe: + initialDelaySeconds: 0 + periodSeconds: 1 + failureThreshold: 120 + # Configures general properties of the proxy's control plane clients. + control: + # Configures limits on API response streams. + streams: + # -- The timeout for the first update from the control plane. + initialTimeout: "3s" + # -- The timeout between consecutive updates from the control plane. + idleTimeout: "5m" + # -- The maximum duration for a response stream (i.e. before it will be + # reinitialized). + lifetime: "1h" + inbound: + server: + http2: + # -- The interval at which PINGs are issued to remote HTTP/2 clients. + keepAliveInterval: "10s" + # -- The timeout within which keep-alive PINGs must be acknowledged on inbound HTTP/2 connections. + keepAliveTimeout: "3s" + outbound: + server: + http2: + # -- The interval at which PINGs are issued to local application HTTP/2 clients. + keepAliveInterval: "10s" + # -- The timeout within which keep-alive PINGs must be acknowledged on outbound HTTP/2 connections. + keepAliveTimeout: "3s" + +# proxy-init configuration +proxyInit: + # -- Variant of iptables that will be used to configure routing. Currently, + # proxy-init can be run either in 'nft' or in 'legacy' mode. The mode will + # control which utility binary will be called. The host must support + # whichever mode will be used + iptablesMode: "legacy" + # -- Default set of inbound ports to skip via iptables + # - Galera (4567,4568) + ignoreInboundPorts: "4567,4568" + # -- Default set of outbound ports to skip via iptables + # - Galera (4567,4568) + ignoreOutboundPorts: "4567,4568" + # -- Default set of ports to skip via iptables for control plane + # components so they can communicate with the Kubernetes API Server + kubeAPIServerPorts: "443,6443" + # -- Comma-separated list of subnets in valid CIDR format that should be skipped by the proxy + skipSubnets: "" + # -- Log level for the proxy-init + # @default -- info + logLevel: "" + # -- Log format (`plain` or `json`) for the proxy-init + # @default -- plain + logFormat: "" + image: + # -- Docker image for the proxy-init container + name: cr.l5d.io/linkerd/proxy-init + # -- Pull policy for the proxy-init container image + # @default -- imagePullPolicy + pullPolicy: "" + # -- Tag for the proxy-init container image + version: v2.4.1 + closeWaitTimeoutSecs: 0 + # -- Privileged mode allows the container processes to inherit all security + # capabilities and bypass any security limitations enforced by the kubelet. + # When used with 'runAsRoot: true', the container will behave exactly as if + # it was running as root on the host. May escape cgroup limits and see other + # processes and devices on the host. + # @default -- false + privileged: false + # -- Allow overriding the runAsNonRoot behaviour () + runAsRoot: false + # -- This value is used only if runAsRoot is false; otherwise runAsUser will be 0 + runAsUser: 65534 + # -- This value is used only if runAsRoot is false; otherwise runAsGroup will be 0 + runAsGroup: 65534 + xtMountPath: + mountPath: /run + name: linkerd-proxy-init-xtables-lock + +# network validator configuration +# This runs on a host that uses iptables to reroute network traffic. The validator +# ensures that iptables is correctly routing requests before we start linkerd. +networkValidator: + # -- Log level for the network-validator + # @default -- debug + logLevel: debug + # -- Log format (`plain` or `json`) for network-validator + # @default -- plain + logFormat: plain + # -- Address to which the network-validator will attempt to connect. This should be an IP + # that the cluster is expected to be able to reach but a port it should not, e.g., a public IP + # for public clusters and a private IP for air-gapped clusters with a port like 20001. + # If empty, defaults to 1.1.1.1:20001 and [fd00::1]:20001 for IPv4 and IPv6 respectively. + connectAddr: "" + # -- Address to which network-validator listens to requests from itself. + # If empty, defaults to 0.0.0.0:4140 and [::]:4140 for IPv4 and IPv6 respectively. + listenAddr: "" + # -- Timeout before network-validator fails to validate the pod's network connectivity + timeout: "10s" + # -- Include a securityContext in the network-validator pod spec + enableSecurityContext: true + +# -- For Private docker registries, authentication is needed. +# Registry secrets are applied to the respective service accounts +imagePullSecrets: [] +# - name: my-private-docker-registry-login-secret + +# -- Allow proxies to perform transparent HTTP/2 upgrading +enableH2Upgrade: true + +# -- Add a PSP resource and bind it to the control plane ServiceAccounts. Note +# PSP has been deprecated since k8s v1.21 +enablePSP: false + +# -- Failure policy for the proxy injector +webhookFailurePolicy: Ignore + +# controllerImage -- Docker image for the destination and identity components +controllerImage: cr.l5d.io/linkerd/controller +# -- Optionally allow a specific container image Tag (or SHA) to be specified for the controllerImage. +controllerImageVersion: "" + +# -- Number of replicas for each control plane pod +controllerReplicas: 1 +# -- User ID for the control plane components +controllerUID: 2103 +# -- (int) Optional customisation of the group ID for the control plane components (the group ID will be omitted if lower than 0) +controllerGID: -1 + +# destination configuration +# set resources for the sp-validator and its linkerd proxy respectively +# see proxy.resources for details. +# destinationResources -- CPU, Memory and Ephemeral Storage resources required by destination (see `proxy.resources` for sub-fields) +#destinationResources: +# destinationProxyResources -- CPU, Memory and Ephemeral Storage resources required by proxy injected into destination pod (see `proxy.resources` for sub-fields) +#destinationProxyResources: + +destinationController: + meshedHttp2ClientProtobuf: + keep_alive: + interval: + seconds: 10 + timeout: + seconds: 3 + while_idle: true + livenessProbe: + timeoutSeconds: 1 + readinessProbe: + timeoutSeconds: 1 + +# debug configuration +debugContainer: + image: + # -- Docker image for the debug container + name: cr.l5d.io/linkerd/debug + # -- Pull policy for the debug container image + # @default -- imagePullPolicy + pullPolicy: "" + # -- Tag for the debug container image + # @default -- linkerdVersion + version: "" + +identity: + # -- If the linkerd-identity-trust-roots ConfigMap has already been created + externalCA: false + + # -- Use [Service Account token Volume projection](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection) for pod validation instead of the default token + serviceAccountTokenProjection: true + + issuer: + scheme: linkerd.io/tls + + # -- Amount of time to allow for clock skew within a Linkerd cluster + clockSkewAllowance: 20s + + # -- Amount of time for which the Identity issuer should certify identity + issuanceLifetime: 24h0m0s + + # -- Which scheme is used for the identity issuer secret format + tls: + # -- Issuer certificate (ECDSA). It must be provided during install. + crtPEM: | + + # -- Key for the issuer certificate (ECDSA). It must be provided during + # install + keyPEM: | + + kubeAPI: *kubeapi + + livenessProbe: + timeoutSeconds: 1 + readinessProbe: + timeoutSeconds: 1 + +# -|- CPU, Memory and Ephemeral Storage resources required by the identity controller (see `proxy.resources` for sub-fields) +#identityResources: +# -|- CPU, Memory and Ephemeral Storage resources required by proxy injected into identity pod (see `proxy.resources` for sub-fields) +#identityProxyResources: + +# heartbeat configuration +# disableHeartBeat -- Set to true to not start the heartbeat cronjob +disableHeartBeat: false +# -- Config for the heartbeat cronjob +# heartbeatSchedule: "0 0 * * *" + +# proxy injector configuration +proxyInjector: + # -- Timeout in seconds before the API Server cancels a request to the proxy + # injector. If timeout is exceeded, the webhookfailurePolicy is used. + timeoutSeconds: 10 + # -- Do not create a secret resource for the proxyInjector webhook. + # If this is set to `true`, the value `proxyInjector.caBundle` must be set + # or the ca bundle must injected with cert-manager ca injector using + # `proxyInjector.injectCaFrom` or `proxyInjector.injectCaFromSecret` (see below). + externalSecret: false + + # -- Namespace selector used by admission webhook. + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - kube-system + - cert-manager + + # -- Object selector used by admission webhook. + objectSelector: + matchExpressions: + - key: linkerd.io/control-plane-component + operator: DoesNotExist + - key: linkerd.io/cni-resource + operator: DoesNotExist + + # -- Certificate for the proxy injector. If not provided and not using an external secret + # then Helm will generate one. + crtPEM: | + + # -- Certificate key for the proxy injector. If not provided and not using an external secret + # then Helm will generate one. + keyPEM: | + + # -- Bundle of CA certificates for proxy injector. + # If not provided nor injected with cert-manager, + # then Helm will use the certificate generated for `proxyInjector.crtPEM`. + # If `proxyInjector.externalSecret` is set to true, this value, injectCaFrom, or + # injectCaFromSecret must be set, as no certificate will be generated. + # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector) for more information. + caBundle: | + + # -- Inject the CA bundle from a cert-manager Certificate. + # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-certificate-resource) + # for more information. + injectCaFrom: "" + + # -- Inject the CA bundle from a Secret. + # If set, the `cert-manager.io/inject-ca-from-secret` annotation will be added to the webhook. + # The Secret must have the CA Bundle stored in the `ca.crt` key and have + # the `cert-manager.io/allow-direct-injection` annotation set to `true`. + # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-secret-resource) + # for more information. + injectCaFromSecret: "" + + livenessProbe: + timeoutSeconds: 1 + readinessProbe: + timeoutSeconds: 1 + +# -|- CPU, Memory and Ephemeral Storage resources required by the proxy injector (see +#`proxy.resources` for sub-fields) +#proxyInjectorResources: +#-|- CPU, Memory and Ephemeral Storage resources required by proxy injected into the proxy injector +#pod (see `proxy.resources` for sub-fields) +#proxyInjectorProxyResources: + +# service profile validator configuration +profileValidator: + # -- Do not create a secret resource for the profileValidator webhook. + # If this is set to `true`, the value `proxyInjector.caBundle` must be set + # or the ca bundle must injected with cert-manager ca injector using + # `proxyInjector.injectCaFrom` or `proxyInjector.injectCaFromSecret` (see below). + externalSecret: false + + # -- Namespace selector used by admission webhook + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled + + # -- Certificate for the service profile validator. If not provided and not using an external secret + # then Helm will generate one. + crtPEM: | + + # -- Certificate key for the service profile validator. If not provided and not using an external secret + # then Helm will generate one. + keyPEM: | + + # -- Bundle of CA certificates for proxy injector. + # If not provided nor injected with cert-manager, + # then Helm will use the certificate generated for `profileValidator.crtPEM`. + # If `profileValidator.externalSecret` is set to true, this value, injectCaFrom, or + # injectCaFromSecret must be set, as no certificate will be generated. + # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector) for more information. + caBundle: | + + # -- Inject the CA bundle from a cert-manager Certificate. + # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-certificate-resource) + # for more information. + injectCaFrom: "" + + # -- Inject the CA bundle from a Secret. + # If set, the `cert-manager.io/inject-ca-from-secret` annotation will be added to the webhook. + # The Secret must have the CA Bundle stored in the `ca.crt` key and have + # the `cert-manager.io/allow-direct-injection` annotation set to `true`. + # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-secret-resource) + # for more information. + injectCaFromSecret: "" + +# policy validator configuration +policyValidator: + # -- Do not create a secret resource for the policyValidator webhook. + # If this is set to `true`, the value `policyValidator.caBundle` must be set + # or the ca bundle must injected with cert-manager ca injector using + # `policyValidator.injectCaFrom` or `policyValidator.injectCaFromSecret` (see below). + externalSecret: false + + # -- Namespace selector used by admission webhook + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled + + # -- Certificate for the policy validator. If not provided and not using an external secret + # then Helm will generate one. + crtPEM: | + + # -- Certificate key for the policy validator. If not provided and not using an external secret + # then Helm will generate one. + keyPEM: | + + # -- Bundle of CA certificates for proxy injector. + # If not provided nor injected with cert-manager, + # then Helm will use the certificate generated for `policyValidator.crtPEM`. + # If `policyValidator.externalSecret` is set to true, this value, injectCaFrom, or + # injectCaFromSecret must be set, as no certificate will be generated. + # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector) for more information. + caBundle: | + + # -- Inject the CA bundle from a cert-manager Certificate. + # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-certificate-resource) + # for more information. + injectCaFrom: "" + + # -- Inject the CA bundle from a Secret. + # If set, the `cert-manager.io/inject-ca-from-secret` annotation will be added to the webhook. + # The Secret must have the CA Bundle stored in the `ca.crt` key and have + # the `cert-manager.io/allow-direct-injection` annotation set to `true`. + # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-secret-resource) + # for more information. + injectCaFromSecret: "" + +# -- NodeSelector section, See the [K8S +# documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) +# for more information +nodeSelector: + kubernetes.io/os: linux + +# -- SP validator configuration +spValidator: + livenessProbe: + timeoutSeconds: 1 + readinessProbe: + timeoutSeconds: 1 + +# -|- CPU, Memory and Ephemeral Storage resources required by the SP validator (see +#`proxy.resources` for sub-fields) +#spValidatorResources: + +# -|- Tolerations section, See the +# [K8S documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) +# for more information +#tolerations: + +# -|- NodeAffinity section, See the +# [K8S documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity) +# for more information +#nodeAffinity: + +# -- url of external prometheus instance (used for the heartbeat) +prometheusUrl: "" + +# Prometheus Operator PodMonitor configuration +podMonitor: + # -- Enables the creation of Prometheus Operator [PodMonitor](https://prometheus-operator.dev/docs/operator/api/#monitoring.coreos.com/v1.PodMonitor) + enabled: false + # -- Interval at which metrics should be scraped + scrapeInterval: 10s + # -- Iimeout after which the scrape is ended + scrapeTimeout: 10s + # -- Labels to apply to all pod Monitors + labels: {} + controller: + # -- Enables the creation of PodMonitor for the control-plane + enabled: true + # -- Selector to select which namespaces the Endpoints objects are discovered from + namespaceSelector: | + matchNames: + - {{ .Release.Namespace }} + - linkerd-viz + - linkerd-jaeger + serviceMirror: + # -- Enables the creation of PodMonitor for the Service Mirror component + enabled: true + proxy: + # -- Enables the creation of PodMonitor for the data-plane + enabled: true diff --git a/charts/linkerd/linkerd-crds/2024.9.3/.helmignore b/charts/linkerd/linkerd-crds/2024.9.3/.helmignore new file mode 100644 index 000000000..79c90a806 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.9.3/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +OWNERS +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/linkerd/linkerd-crds/2024.9.3/Chart.lock b/charts/linkerd/linkerd-crds/2024.9.3/Chart.lock new file mode 100644 index 000000000..a62a03063 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.9.3/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: partials + repository: file://../partials + version: 0.1.0 +digest: sha256:8e42f9c9d4a2dc883f17f94d6044c97518ced19ad0922f47b8760e47135369ba +generated: "2021-08-17T10:42:52.610449255-05:00" diff --git a/charts/linkerd/linkerd-crds/2024.9.3/Chart.yaml b/charts/linkerd/linkerd-crds/2024.9.3/Chart.yaml new file mode 100644 index 000000000..96add01b9 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.9.3/Chart.yaml @@ -0,0 +1,26 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Linkerd CRDs + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: linkerd-crds +apiVersion: v2 +dependencies: +- name: partials + repository: file://./charts/partials + version: 0.1.0 +description: 'Linkerd gives you observability, reliability, and security for your + microservices — with no code change required. ' +home: https://linkerd.io +icon: file://assets/icons/linkerd-crds.png +keywords: +- service-mesh +kubeVersion: '>=1.22.0-0' +maintainers: +- email: cncf-linkerd-dev@lists.cncf.io + name: Linkerd authors + url: https://linkerd.io/ +name: linkerd-crds +sources: +- https://github.com/linkerd/linkerd2/ +type: application +version: 2024.9.3 diff --git a/charts/linkerd/linkerd-crds/2024.9.3/README.md b/charts/linkerd/linkerd-crds/2024.9.3/README.md new file mode 100644 index 000000000..f6aaa7cf7 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.9.3/README.md @@ -0,0 +1,71 @@ +# linkerd-crds + +Linkerd gives you observability, reliability, and security +for your microservices — with no code change required. + +![Version: 2024.9.3](https://img.shields.io/badge/Version-2024.9.3-informational?style=flat-square) +![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) + +**Homepage:** + +## Quickstart and documentation + +You can run Linkerd on any Kubernetes cluster in a matter of seconds. See the +[Linkerd Getting Started Guide][getting-started] for how. + +For more comprehensive documentation, start with the [Linkerd +docs][linkerd-docs]. + +## Adding Linkerd's Helm repository + +```bash +# To add the repo for Linkerd edge releases: +helm repo add linkerd https://helm.linkerd.io/edge +``` + +## Installing the linkerd-crds chart + +This installs the `linkerd-crds` chart, which only persists the CRDs that +Linkerd requires. + +After installing this chart, you need then to install the +`linkerd-control-plane` chart in the same namespace, which provides all the +linkerd core control components. + +```bash +helm install linkerd-crds -n linkerd --create-namespace linkerd/linkerd-crds +``` + +## Get involved + +* Check out Linkerd's source code at [GitHub][linkerd2]. +* Join Linkerd's [user mailing list][linkerd-users], [developer mailing + list][linkerd-dev], and [announcements mailing list][linkerd-announce]. +* Follow [@linkerd][twitter] on Twitter. +* Join the [Linkerd Slack][slack]. + +[getting-started]: https://linkerd.io/2/getting-started/ +[linkerd2]: https://github.com/linkerd/linkerd2 +[linkerd-announce]: https://lists.cncf.io/g/cncf-linkerd-announce +[linkerd-dev]: https://lists.cncf.io/g/cncf-linkerd-dev +[linkerd-docs]: https://linkerd.io/2/overview/ +[linkerd-users]: https://lists.cncf.io/g/cncf-linkerd-users +[slack]: http://slack.linkerd.io +[twitter]: https://twitter.com/linkerd + +## Requirements + +Kubernetes: `>=1.22.0-0` + +| Repository | Name | Version | +|------------|------|---------| +| file://../partials | partials | 0.1.0 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| enableHttpRoutes | bool | `true` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) diff --git a/charts/linkerd/linkerd-crds/2024.9.3/README.md.gotmpl b/charts/linkerd/linkerd-crds/2024.9.3/README.md.gotmpl new file mode 100644 index 000000000..88be73954 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.9.3/README.md.gotmpl @@ -0,0 +1,59 @@ +{{ template "chart.header" . }} +{{ template "chart.description" . }} + +{{ template "chart.versionBadge" . }} +{{ template "chart.typeBadge" . }} +{{ template "chart.appVersionBadge" . }} + +{{ template "chart.homepageLine" . }} + +## Quickstart and documentation + +You can run Linkerd on any Kubernetes cluster in a matter of seconds. See the +[Linkerd Getting Started Guide][getting-started] for how. + +For more comprehensive documentation, start with the [Linkerd +docs][linkerd-docs]. + +## Adding Linkerd's Helm repository + +```bash +# To add the repo for Linkerd edge releases: +helm repo add linkerd https://helm.linkerd.io/edge +``` + +## Installing the linkerd-crds chart + +This installs the `linkerd-crds` chart, which only persists the CRDs that +Linkerd requires. + +After installing this chart, you need then to install the +`linkerd-control-plane` chart in the same namespace, which provides all the +linkerd core control components. + +```bash +helm install linkerd-crds -n linkerd --create-namespace linkerd/linkerd-crds +``` + +## Get involved + +* Check out Linkerd's source code at [GitHub][linkerd2]. +* Join Linkerd's [user mailing list][linkerd-users], [developer mailing + list][linkerd-dev], and [announcements mailing list][linkerd-announce]. +* Follow [@linkerd][twitter] on Twitter. +* Join the [Linkerd Slack][slack]. + +[getting-started]: https://linkerd.io/2/getting-started/ +[linkerd2]: https://github.com/linkerd/linkerd2 +[linkerd-announce]: https://lists.cncf.io/g/cncf-linkerd-announce +[linkerd-dev]: https://lists.cncf.io/g/cncf-linkerd-dev +[linkerd-docs]: https://linkerd.io/2/overview/ +[linkerd-users]: https://lists.cncf.io/g/cncf-linkerd-users +[slack]: http://slack.linkerd.io +[twitter]: https://twitter.com/linkerd + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +{{ template "helm-docs.versionFooter" . }} diff --git a/charts/linkerd/linkerd-crds/2024.9.3/app-readme.md b/charts/linkerd/linkerd-crds/2024.9.3/app-readme.md new file mode 100644 index 000000000..59010a6b2 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.9.3/app-readme.md @@ -0,0 +1,9 @@ +# Linkerd 2 CRDs Chart + +Linkerd is an ultra light, ultra simple, ultra powerful service mesh. Linkerd +adds security, observability, and reliability to Kubernetes, without the +complexity. + +This particular Helm chart only installs Linkerd CRDs. + +Full documentation available at: https://linkerd.io/2/overview/ diff --git a/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/.helmignore b/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/.helmignore new file mode 100644 index 000000000..f0c131944 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/Chart.yaml b/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/Chart.yaml new file mode 100644 index 000000000..23cfc167e --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/Chart.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +description: 'A Helm chart containing Linkerd partial templates, depended by the ''linkerd'' + and ''patch'' charts. ' +name: partials +version: 0.1.0 diff --git a/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/README.md b/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/README.md new file mode 100644 index 000000000..10805c9b9 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/README.md @@ -0,0 +1,9 @@ +# partials + +A Helm chart containing Linkerd partial templates, +depended by the 'linkerd' and 'patch' charts. + +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) diff --git a/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/README.md.gotmpl b/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/README.md.gotmpl new file mode 100644 index 000000000..37f510106 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/README.md.gotmpl @@ -0,0 +1,14 @@ +{{ template "chart.header" . }} +{{ template "chart.description" . }} + +{{ template "chart.versionBadge" . }} +{{ template "chart.typeBadge" . }} +{{ template "chart.appVersionBadge" . }} + +{{ template "chart.homepageLine" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +{{ template "helm-docs.versionFooter" . }} diff --git a/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/NOTES.txt b/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/NOTES.txt new file mode 100644 index 000000000..e69de29bb diff --git a/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_affinity.tpl b/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_affinity.tpl new file mode 100644 index 000000000..5dde1da47 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_affinity.tpl @@ -0,0 +1,38 @@ +{{ define "linkerd.pod-affinity" -}} +podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: {{ default "linkerd.io/control-plane-component" .label }} + operator: In + values: + - {{ .component }} + topologyKey: topology.kubernetes.io/zone + weight: 100 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: {{ default "linkerd.io/control-plane-component" .label }} + operator: In + values: + - {{ .component }} + topologyKey: kubernetes.io/hostname +{{- end }} + +{{ define "linkerd.node-affinity" -}} +nodeAffinity: +{{- toYaml .Values.nodeAffinity | trim | nindent 2 }} +{{- end }} + +{{ define "linkerd.affinity" -}} +{{- if or .Values.enablePodAntiAffinity .Values.nodeAffinity -}} +affinity: +{{- end }} +{{- if .Values.enablePodAntiAffinity -}} +{{- include "linkerd.pod-affinity" . | nindent 2 }} +{{- end }} +{{- if .Values.nodeAffinity -}} +{{- include "linkerd.node-affinity" . | nindent 2 }} +{{- end }} +{{- end }} diff --git a/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_capabilities.tpl b/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_capabilities.tpl new file mode 100644 index 000000000..a595d74c1 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_capabilities.tpl @@ -0,0 +1,16 @@ +{{- define "partials.proxy.capabilities" -}} +capabilities: + {{- if .Values.proxy.capabilities.add }} + add: + {{- toYaml .Values.proxy.capabilities.add | trim | nindent 4 }} + {{- end }} + {{- if .Values.proxy.capabilities.drop }} + drop: + {{- toYaml .Values.proxy.capabilities.drop | trim | nindent 4 }} + {{- end }} +{{- end -}} + +{{- define "partials.proxy-init.capabilities.drop" -}} +drop: +{{ toYaml .Values.proxyInit.capabilities.drop | trim }} +{{- end -}} diff --git a/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_debug.tpl b/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_debug.tpl new file mode 100644 index 000000000..4df8cc77b --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_debug.tpl @@ -0,0 +1,15 @@ +{{- define "partials.debug" -}} +image: {{.Values.debugContainer.image.name}}:{{.Values.debugContainer.image.version | default .Values.linkerdVersion}} +imagePullPolicy: {{.Values.debugContainer.image.pullPolicy | default .Values.imagePullPolicy}} +name: linkerd-debug +terminationMessagePolicy: FallbackToLogsOnError +# some environments require probes, so we provide some infallible ones +livenessProbe: + exec: + command: + - "true" +readinessProbe: + exec: + command: + - "true" +{{- end -}} diff --git a/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_helpers.tpl b/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_helpers.tpl new file mode 100644 index 000000000..b6cdc34d0 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_helpers.tpl @@ -0,0 +1,14 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Splits a coma separated list into a list of string values. +For example "11,22,55,44" will become "11","22","55","44" +*/}} +{{- define "partials.splitStringList" -}} +{{- if gt (len (toString .)) 0 -}} +{{- $ports := toString . | splitList "," -}} +{{- $last := sub (len $ports) 1 -}} +{{- range $i,$port := $ports -}} +"{{$port}}"{{ternary "," "" (ne $i $last)}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_metadata.tpl b/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_metadata.tpl new file mode 100644 index 000000000..04d2f1bea --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_metadata.tpl @@ -0,0 +1,17 @@ +{{- define "partials.annotations.created-by" -}} +linkerd.io/created-by: {{ .Values.cliVersion | default (printf "linkerd/helm %s" ( (.Values.image).version | default .Values.linkerdVersion)) }} +{{- end -}} + +{{- define "partials.proxy.annotations" -}} +linkerd.io/proxy-version: {{.Values.proxy.image.version | default .Values.linkerdVersion}} +cluster-autoscaler.kubernetes.io/safe-to-evict: "true" +linkerd.io/trust-root-sha256: {{ .Values.identityTrustAnchorsPEM | sha256sum }} +{{- end -}} + +{{/* +To add labels to the control-plane components, instead update at individual component manifests as +adding here would also update `spec.selector.matchLabels` which are immutable and would fail upgrades. +*/}} +{{- define "partials.proxy.labels" -}} +linkerd.io/proxy-{{.workloadKind}}: {{.component}} +{{- end -}} diff --git a/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_network-validator.tpl b/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_network-validator.tpl new file mode 100644 index 000000000..276056395 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_network-validator.tpl @@ -0,0 +1,45 @@ +{{- define "partials.network-validator" -}} +name: linkerd-network-validator +image: {{.Values.proxy.image.name}}:{{.Values.proxy.image.version | default .Values.linkerdVersion }} +imagePullPolicy: {{.Values.proxy.image.pullPolicy | default .Values.imagePullPolicy}} +{{ include "partials.resources" .Values.proxy.resources }} +{{- if or .Values.networkValidator.enableSecurityContext }} +securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault +{{- end }} +command: + - /usr/lib/linkerd/linkerd2-network-validator +args: + - --log-format + - {{ .Values.networkValidator.logFormat }} + - --log-level + - {{ .Values.networkValidator.logLevel }} + - --connect-addr + {{- if .Values.networkValidator.connectAddr }} + - {{ .Values.networkValidator.connectAddr | quote }} + {{- else if .Values.disableIPv6}} + - "1.1.1.1:20001" + {{- else }} + - "[fd00::1]:20001" + {{- end }} + - --listen-addr + {{- if .Values.networkValidator.listenAddr }} + - {{ .Values.networkValidator.listenAddr | quote }} + {{- else if .Values.disableIPv6}} + - "0.0.0.0:4140" + {{- else }} + - "[::]:4140" + {{- end }} + - --timeout + - {{ .Values.networkValidator.timeout }} + +{{- end -}} diff --git a/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_nodeselector.tpl b/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_nodeselector.tpl new file mode 100644 index 000000000..4cde0ab16 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_nodeselector.tpl @@ -0,0 +1,4 @@ +{{- define "linkerd.node-selector" -}} +nodeSelector: +{{- toYaml .Values.nodeSelector | trim | nindent 2 }} +{{- end -}} diff --git a/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_proxy-config-ann.tpl b/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_proxy-config-ann.tpl new file mode 100644 index 000000000..9651b3bd1 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_proxy-config-ann.tpl @@ -0,0 +1,18 @@ +{{- define "partials.proxy.config.annotations" -}} +{{- with .cpu }} +{{- with .request -}} +config.linkerd.io/proxy-cpu-request: {{. | quote}} +{{end}} +{{- with .limit -}} +config.linkerd.io/proxy-cpu-limit: {{. | quote}} +{{- end}} +{{- end}} +{{- with .memory }} +{{- with .request }} +config.linkerd.io/proxy-memory-request: {{. | quote}} +{{end}} +{{- with .limit -}} +config.linkerd.io/proxy-memory-limit: {{. | quote}} +{{- end}} +{{- end }} +{{- end }} diff --git a/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_proxy-init.tpl b/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_proxy-init.tpl new file mode 100644 index 000000000..a307b1407 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_proxy-init.tpl @@ -0,0 +1,98 @@ +{{- define "partials.proxy-init" -}} +args: +{{- if (.Values.proxyInit.iptablesMode | default "legacy" | eq "nft") }} +- --firewall-bin-path +- "iptables-nft" +- --firewall-save-bin-path +- "iptables-nft-save" +{{- else if not (eq .Values.proxyInit.iptablesMode "legacy") }} +{{ fail (printf "Unsupported value \"%s\" for proxyInit.iptablesMode\nValid values: [\"nft\", \"legacy\"]" .Values.proxyInit.iptablesMode) }} +{{end -}} +{{- if .Values.disableIPv6 }} +- --ipv6=false +{{- end }} +- --incoming-proxy-port +- {{.Values.proxy.ports.inbound | quote}} +- --outgoing-proxy-port +- {{.Values.proxy.ports.outbound | quote}} +- --proxy-uid +- {{.Values.proxy.uid | quote}} +{{- if ge (int .Values.proxy.gid) 0 }} +- --proxy-gid +- {{.Values.proxy.gid | quote}} +{{- end }} +- --inbound-ports-to-ignore +- "{{.Values.proxy.ports.control}},{{.Values.proxy.ports.admin}}{{ternary (printf ",%s" (.Values.proxyInit.ignoreInboundPorts | toString)) "" (not (empty .Values.proxyInit.ignoreInboundPorts)) }}" +{{- if .Values.proxyInit.ignoreOutboundPorts }} +- --outbound-ports-to-ignore +- {{.Values.proxyInit.ignoreOutboundPorts | quote}} +{{- end }} +{{- if .Values.proxyInit.closeWaitTimeoutSecs }} +- --timeout-close-wait-secs +- {{ .Values.proxyInit.closeWaitTimeoutSecs | quote}} +{{- end }} +{{- if .Values.proxyInit.logFormat }} +- --log-format +- {{ .Values.proxyInit.logFormat }} +{{- end }} +{{- if .Values.proxyInit.logLevel }} +- --log-level +- {{ .Values.proxyInit.logLevel }} +{{- end }} +{{- if .Values.proxyInit.skipSubnets }} +- --subnets-to-ignore +- {{ .Values.proxyInit.skipSubnets | quote }} +{{- end }} +image: {{.Values.proxyInit.image.name}}:{{.Values.proxyInit.image.version}} +imagePullPolicy: {{.Values.proxyInit.image.pullPolicy | default .Values.imagePullPolicy}} +name: linkerd-init +{{ include "partials.resources" .Values.proxy.resources }} +securityContext: + {{- if or .Values.proxyInit.closeWaitTimeoutSecs .Values.proxyInit.privileged }} + allowPrivilegeEscalation: true + {{- else }} + allowPrivilegeEscalation: false + {{- end }} + capabilities: + add: + - NET_ADMIN + - NET_RAW + {{- if .Values.proxyInit.capabilities -}} + {{- if .Values.proxyInit.capabilities.add }} + {{- toYaml .Values.proxyInit.capabilities.add | trim | nindent 4 }} + {{- end }} + {{- if .Values.proxyInit.capabilities.drop -}} + {{- include "partials.proxy-init.capabilities.drop" . | nindent 4 -}} + {{- end }} + {{- end }} + {{- if or .Values.proxyInit.closeWaitTimeoutSecs .Values.proxyInit.privileged }} + privileged: true + {{- else }} + privileged: false + {{- end }} + {{- if .Values.proxyInit.runAsRoot }} + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{- else }} + runAsNonRoot: true + runAsUser: {{ .Values.proxyInit.runAsUser | int | eq 0 | ternary 65534 .Values.proxyInit.runAsUser }} + runAsGroup: {{ .Values.proxyInit.runAsGroup | int | eq 0 | ternary 65534 .Values.proxyInit.runAsGroup }} + {{- end }} + readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault +terminationMessagePolicy: FallbackToLogsOnError +{{- if or (not .Values.cniEnabled) .Values.proxyInit.saMountPath }} +volumeMounts: +{{- end -}} +{{- if not .Values.cniEnabled }} +- mountPath: {{.Values.proxyInit.xtMountPath.mountPath}} + name: {{.Values.proxyInit.xtMountPath.name}} +{{- end -}} +{{- if .Values.proxyInit.saMountPath }} +- mountPath: {{.Values.proxyInit.saMountPath.mountPath}} + name: {{.Values.proxyInit.saMountPath.name}} + readOnly: {{.Values.proxyInit.saMountPath.readOnly}} +{{- end -}} +{{- end -}} diff --git a/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_proxy.tpl b/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_proxy.tpl new file mode 100644 index 000000000..7880b394c --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_proxy.tpl @@ -0,0 +1,267 @@ +{{ define "partials.proxy" -}} +{{ if and .Values.proxy.nativeSidecar .Values.proxy.waitBeforeExitSeconds }} +{{ fail "proxy.nativeSidecar and waitBeforeExitSeconds cannot be used simultaneously" }} +{{- end }} +{{- if not (has .Values.proxy.logHTTPHeaders (list "insecure" "off" "")) }} +{{- fail "logHTTPHeaders must be one of: insecure | off" }} +{{- end }} +{{- $trustDomain := (.Values.identityTrustDomain | default .Values.clusterDomain) -}} +env: +- name: _pod_name + valueFrom: + fieldRef: + fieldPath: metadata.name +- name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace +- name: _pod_nodeName + valueFrom: + fieldRef: + fieldPath: spec.nodeName +{{- if .Values.proxy.cores }} +- name: LINKERD2_PROXY_CORES + value: {{.Values.proxy.cores | quote}} +{{- end }} +{{ if .Values.proxy.requireIdentityOnInboundPorts -}} +- name: LINKERD2_PROXY_INBOUND_PORTS_REQUIRE_IDENTITY + value: {{.Values.proxy.requireIdentityOnInboundPorts | quote}} +{{ end -}} +{{ if .Values.proxy.requireTLSOnInboundPorts -}} +- name: LINKERD2_PROXY_INBOUND_PORTS_REQUIRE_TLS + value: {{.Values.proxy.requireTLSOnInboundPorts | quote}} +{{ end -}} +- name: LINKERD2_PROXY_SHUTDOWN_ENDPOINT_ENABLED + value: {{.Values.proxy.enableShutdownEndpoint | quote}} +- name: LINKERD2_PROXY_LOG + value: "{{.Values.proxy.logLevel}}{{ if not (eq .Values.proxy.logHTTPHeaders "insecure") }},[{headers}]=off,[{request}]=off{{ end }}" +- name: LINKERD2_PROXY_LOG_FORMAT + value: {{.Values.proxy.logFormat | quote}} +- name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: {{ternary "localhost.:8086" (printf "linkerd-dst-headless.%s.svc.%s.:8086" .Release.Namespace .Values.clusterDomain) (eq (toString .Values.proxy.component) "linkerd-destination")}} +- name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS + value: {{.Values.clusterNetworks | quote}} +- name: LINKERD2_PROXY_POLICY_SVC_ADDR + value: {{ternary "localhost.:8090" (printf "linkerd-policy.%s.svc.%s.:8090" .Release.Namespace .Values.clusterDomain) (eq (toString .Values.proxy.component) "linkerd-destination")}} +- name: LINKERD2_PROXY_POLICY_WORKLOAD + value: | + {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"} +- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY + value: {{.Values.proxy.defaultInboundPolicy}} +- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS + value: {{.Values.clusterNetworks | quote}} +- name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT + value: {{((.Values.proxy.control).streams).initialTimeout | default "" | quote}} +- name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT + value: {{((.Values.proxy.control).streams).idleTimeout | default "" | quote}} +- name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME + value: {{((.Values.proxy.control).streams).lifetime | default "" | quote}} +{{ if .Values.proxy.inboundConnectTimeout -}} +- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT + value: {{.Values.proxy.inboundConnectTimeout | quote}} +{{ end -}} +{{ if .Values.proxy.outboundConnectTimeout -}} +- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT + value: {{.Values.proxy.outboundConnectTimeout | quote}} +{{ end -}} +{{ if .Values.proxy.outboundDiscoveryCacheUnusedTimeout -}} +- name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT + value: {{.Values.proxy.outboundDiscoveryCacheUnusedTimeout | quote}} +{{ end -}} +{{ if .Values.proxy.inboundDiscoveryCacheUnusedTimeout -}} +- name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT + value: {{.Values.proxy.inboundDiscoveryCacheUnusedTimeout | quote}} +{{ end -}} +{{ if .Values.proxy.disableOutboundProtocolDetectTimeout -}} +- name: LINKERD2_PROXY_OUTBOUND_DETECT_TIMEOUT + value: "365d" +{{ end -}} +{{ if .Values.proxy.disableInboundProtocolDetectTimeout -}} +- name: LINKERD2_PROXY_INBOUND_DETECT_TIMEOUT + value: "365d" +{{ end -}} +- name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: "{{ if .Values.disableIPv6 }}0.0.0.0{{ else }}[::]{{ end }}:{{.Values.proxy.ports.control}}" +- name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: "{{ if .Values.disableIPv6 }}0.0.0.0{{ else }}[::]{{ end }}:{{.Values.proxy.ports.admin}}" +{{- /* Deprecated, superseded by LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS since proxy's v2.228.0 (deployed since edge-24.4.5) */}} +- name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: "127.0.0.1:{{.Values.proxy.ports.outbound}}" +- name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS + value: "127.0.0.1:{{.Values.proxy.ports.outbound}}{{ if not .Values.disableIPv6}},[::1]:{{.Values.proxy.ports.outbound}}{{ end }}" +- name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: "{{ if .Values.disableIPv6 }}0.0.0.0{{ else }}[::]{{ end }}:{{.Values.proxy.ports.inbound}}" +- name: LINKERD2_PROXY_INBOUND_IPS + valueFrom: + fieldRef: + fieldPath: status.podIPs +- name: LINKERD2_PROXY_INBOUND_PORTS + value: {{ .Values.proxy.podInboundPorts | quote }} +{{ if .Values.proxy.isGateway -}} +- name: LINKERD2_PROXY_INBOUND_GATEWAY_SUFFIXES + value: {{printf "svc.%s." .Values.clusterDomain}} +{{ end -}} +{{ if .Values.proxy.isIngress -}} +- name: LINKERD2_PROXY_INGRESS_MODE + value: "true" +{{ end -}} +- name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + {{- $internalDomain := printf "svc.%s." .Values.clusterDomain }} + value: {{ternary "." $internalDomain .Values.proxy.enableExternalProfiles}} +- name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms +- name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms +{{- /* Configure inbound and outbound parameters, e.g. for HTTP/2 servers. */}} +{{ range $proxyK, $proxyV := (dict "inbound" .Values.proxy.inbound "outbound" .Values.proxy.outbound) -}} +{{ range $scopeK, $scopeV := $proxyV -}} +{{ range $protoK, $protoV := $scopeV -}} +{{ range $paramK, $paramV := $protoV -}} +- name: LINKERD2_PROXY_{{snakecase $proxyK | upper}}_{{snakecase $scopeK | upper}}_{{snakecase $protoK | upper}}_{{snakecase $paramK | upper}} + value: {{ quote $paramV }} +{{ end -}} +{{ end -}} +{{ end -}} +{{ end -}} +{{ if .Values.proxy.opaquePorts -}} +- name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION + value: {{.Values.proxy.opaquePorts | quote}} +{{ end -}} +- name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: | + {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"} +- name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName +- name: _l5d_ns + value: {{.Release.Namespace}} +- name: _l5d_trustdomain + value: {{$trustDomain}} +- name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity +- name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS +{{- /* +Pods in the `linkerd` namespace are not injected by the proxy injector and instead obtain +the trust anchor bundle from the `linkerd-identity-trust-roots` configmap. This should not +be used in other contexts. +*/}} +{{- if .Values.proxy.loadTrustBundleFromConfigMap }} + valueFrom: + configMapKeyRef: + name: linkerd-identity-trust-roots + key: ca-bundle.crt +{{ else }} + value: | + {{- required "Please provide the identity trust anchors" .Values.identityTrustAnchorsPEM | trim | nindent 4 }} +{{ end -}} +- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE +{{- if .Values.identity.serviceAccountTokenProjection }} + value: /var/run/secrets/tokens/linkerd-identity-token +{{ else }} + value: /var/run/secrets/kubernetes.io/serviceaccount/token +{{ end -}} +- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: {{ternary "localhost.:8080" (printf "linkerd-identity-headless.%s.svc.%s.:8080" .Release.Namespace .Values.clusterDomain) (eq (toString .Values.proxy.component) "linkerd-identity")}} +- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.{{.Release.Namespace}}.{{$trustDomain}} +- name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.{{.Release.Namespace}}.serviceaccount.identity.{{.Release.Namespace}}.{{$trustDomain}} +- name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-destination.{{.Release.Namespace}}.serviceaccount.identity.{{.Release.Namespace}}.{{$trustDomain}} +- name: LINKERD2_PROXY_POLICY_SVC_NAME + value: linkerd-destination.{{.Release.Namespace}}.serviceaccount.identity.{{.Release.Namespace}}.{{$trustDomain}} +{{ if .Values.proxy.accessLog -}} +- name: LINKERD2_PROXY_ACCESS_LOG + value: {{.Values.proxy.accessLog | quote}} +{{ end -}} +{{ if .Values.proxy.shutdownGracePeriod -}} +- name: LINKERD2_PROXY_SHUTDOWN_GRACE_PERIOD + value: {{.Values.proxy.shutdownGracePeriod | quote}} +{{ end -}} +{{ if .Values.proxy.additionalEnv -}} +{{ toYaml .Values.proxy.additionalEnv }} +{{ end -}} +{{ if .Values.proxy.experimentalEnv -}} +{{ toYaml .Values.proxy.experimentalEnv }} +{{ end -}} +image: {{.Values.proxy.image.name}}:{{.Values.proxy.image.version | default .Values.linkerdVersion}} +imagePullPolicy: {{.Values.proxy.image.pullPolicy | default .Values.imagePullPolicy}} +livenessProbe: + httpGet: + path: /live + port: {{.Values.proxy.ports.admin}} + initialDelaySeconds: {{.Values.proxy.livenessProbe.initialDelaySeconds }} + timeoutSeconds: {{.Values.proxy.livenessProbe.timeoutSeconds }} +name: linkerd-proxy +ports: +- containerPort: {{.Values.proxy.ports.inbound}} + name: linkerd-proxy +- containerPort: {{.Values.proxy.ports.admin}} + name: linkerd-admin +readinessProbe: + httpGet: + path: /ready + port: {{.Values.proxy.ports.admin}} + initialDelaySeconds: {{.Values.proxy.readinessProbe.initialDelaySeconds }} + timeoutSeconds: {{.Values.proxy.readinessProbe.timeoutSeconds }} +{{- if and .Values.proxy.nativeSidecar .Values.proxy.await }} +startupProbe: + httpGet: + path: /ready + port: {{.Values.proxy.ports.admin}} + initialDelaySeconds: {{.Values.proxy.startupProbe.initialDelaySeconds}} + periodSeconds: {{.Values.proxy.startupProbe.periodSeconds}} + failureThreshold: {{.Values.proxy.startupProbe.failureThreshold}} +{{- end }} +{{- if .Values.proxy.resources }} +{{ include "partials.resources" .Values.proxy.resources }} +{{- end }} +securityContext: + allowPrivilegeEscalation: false + {{- if .Values.proxy.capabilities -}} + {{- include "partials.proxy.capabilities" . | nindent 2 -}} + {{- end }} + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: {{.Values.proxy.uid}} +{{- if ge (int .Values.proxy.gid) 0 }} + runAsGroup: {{.Values.proxy.gid}} +{{- end }} + seccompProfile: + type: RuntimeDefault +terminationMessagePolicy: FallbackToLogsOnError +{{- if and (not .Values.proxy.nativeSidecar) (or .Values.proxy.await .Values.proxy.waitBeforeExitSeconds) }} +lifecycle: +{{- if .Values.proxy.await }} + postStart: + exec: + command: + - /usr/lib/linkerd/linkerd-await + - --timeout=2m + - --port={{.Values.proxy.ports.admin}} +{{- end }} +{{- if .Values.proxy.waitBeforeExitSeconds }} + preStop: + exec: + command: + - /bin/sleep + - {{.Values.proxy.waitBeforeExitSeconds | quote}} +{{- end }} +{{- end }} +volumeMounts: +- mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity +{{- if .Values.identity.serviceAccountTokenProjection }} +- mountPath: /var/run/secrets/tokens + name: linkerd-identity-token +{{- end }} +{{- if .Values.proxy.saMountPath }} +- mountPath: {{.Values.proxy.saMountPath.mountPath}} + name: {{.Values.proxy.saMountPath.name}} + readOnly: {{.Values.proxy.saMountPath.readOnly}} +{{- end -}} +{{- if .Values.proxy.nativeSidecar }} +restartPolicy: Always +{{- end -}} +{{- end }} diff --git a/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_pull-secrets.tpl b/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_pull-secrets.tpl new file mode 100644 index 000000000..0c9aa4f01 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_pull-secrets.tpl @@ -0,0 +1,6 @@ +{{- define "partials.image-pull-secrets"}} +{{- if . }} +imagePullSecrets: +{{ toYaml . | indent 2 }} +{{- end }} +{{- end -}} diff --git a/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_resources.tpl b/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_resources.tpl new file mode 100644 index 000000000..1fd6789fd --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_resources.tpl @@ -0,0 +1,28 @@ +{{- define "partials.resources" -}} +{{- $ephemeralStorage := index . "ephemeral-storage" -}} +resources: + {{- if or (.cpu).limit (.memory).limit ($ephemeralStorage).limit }} + limits: + {{- with (.cpu).limit }} + cpu: {{. | quote}} + {{- end }} + {{- with (.memory).limit }} + memory: {{. | quote}} + {{- end }} + {{- with ($ephemeralStorage).limit }} + ephemeral-storage: {{. | quote}} + {{- end }} + {{- end }} + {{- if or (.cpu).request (.memory).request ($ephemeralStorage).request }} + requests: + {{- with (.cpu).request }} + cpu: {{. | quote}} + {{- end }} + {{- with (.memory).request }} + memory: {{. | quote}} + {{- end }} + {{- with ($ephemeralStorage).request }} + ephemeral-storage: {{. | quote}} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_tolerations.tpl b/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_tolerations.tpl new file mode 100644 index 000000000..c2292b146 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_tolerations.tpl @@ -0,0 +1,4 @@ +{{- define "linkerd.tolerations" -}} +tolerations: +{{ toYaml .Values.tolerations | trim | indent 2 }} +{{- end -}} diff --git a/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_trace.tpl b/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_trace.tpl new file mode 100644 index 000000000..dee059541 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_trace.tpl @@ -0,0 +1,5 @@ +{{ define "partials.linkerd.trace" -}} +{{ if .Values.controlPlaneTracing -}} +- -trace-collector=collector.{{.Values.controlPlaneTracingNamespace}}.svc.{{.Values.clusterDomain}}:55678 +{{ end -}} +{{- end }} diff --git a/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_validate.tpl b/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_validate.tpl new file mode 100644 index 000000000..ba772c2fe --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_validate.tpl @@ -0,0 +1,19 @@ +{{- define "linkerd.webhook.validation" -}} + +{{- if and (.injectCaFrom) (.injectCaFromSecret) -}} +{{- fail "injectCaFrom and injectCaFromSecret cannot both be set" -}} +{{- end -}} + +{{- if and (or (.injectCaFrom) (.injectCaFromSecret)) (.caBundle) -}} +{{- fail "injectCaFrom or injectCaFromSecret cannot be set if providing a caBundle" -}} +{{- end -}} + +{{- if and (.externalSecret) (empty .caBundle) (empty .injectCaFrom) (empty .injectCaFromSecret) -}} +{{- fail "if externalSecret is set, then caBundle, injectCaFrom, or injectCaFromSecret must be set" -}} +{{- end }} + +{{- if and (or .injectCaFrom .injectCaFromSecret .caBundle) (not .externalSecret) -}} +{{- fail "if caBundle, injectCaFrom, or injectCaFromSecret is set, then externalSecret must be set" -}} +{{- end -}} + +{{- end -}} diff --git a/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_volumes.tpl b/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_volumes.tpl new file mode 100644 index 000000000..9684cf240 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/templates/_volumes.tpl @@ -0,0 +1,20 @@ +{{ define "partials.proxy.volumes.identity" -}} +emptyDir: + medium: Memory +name: linkerd-identity-end-entity +{{- end -}} + +{{ define "partials.proxyInit.volumes.xtables" -}} +emptyDir: {} +name: {{ .Values.proxyInit.xtMountPath.name }} +{{- end -}} + +{{- define "partials.proxy.volumes.service-account-token" -}} +name: linkerd-identity-token +projected: + sources: + - serviceAccountToken: + path: linkerd-identity-token + expirationSeconds: 86400 {{- /* # 24 hours */}} + audience: identity.l5d.io +{{- end -}} diff --git a/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/values.yaml b/charts/linkerd/linkerd-crds/2024.9.3/charts/partials/values.yaml new file mode 100644 index 000000000..e69de29bb diff --git a/charts/linkerd/linkerd-crds/2024.9.3/templates/NOTES.txt b/charts/linkerd/linkerd-crds/2024.9.3/templates/NOTES.txt new file mode 100644 index 000000000..4ff5c1818 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.9.3/templates/NOTES.txt @@ -0,0 +1,6 @@ +The linkerd-crds chart was successfully installed 🎉 + +To complete the linkerd core installation, please now proceed to install the +linkerd-control-plane chart in the {{ .Release.Namespace }} namespace. + +Looking for more? Visit https://linkerd.io/2/getting-started/ diff --git a/charts/linkerd/linkerd-crds/2024.9.3/templates/gateway.networking.k8s.io_grpcroutes.yaml b/charts/linkerd/linkerd-crds/2024.9.3/templates/gateway.networking.k8s.io_grpcroutes.yaml new file mode 100644 index 000000000..0050aac88 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.9.3/templates/gateway.networking.k8s.io_grpcroutes.yaml @@ -0,0 +1,1507 @@ +{{- if .Values.enableHttpRoutes }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1923 + gateway.networking.k8s.io/bundle-version: v0.7.1 + gateway.networking.k8s.io/channel: experimental + {{ include "partials.annotations.created-by" . }} + labels: + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + linkerd.io/control-plane-ns: {{.Release.Namespace}} + creationTimestamp: null + name: grpcroutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: GRPCRoute + listKind: GRPCRouteList + plural: grpcroutes + singular: grpcroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: "GRPCRoute provides a way to route gRPC requests. This includes + the capability to match requests by hostname, gRPC service, gRPC method, + or HTTP/2 header. Filters can be used to specify additional processing steps. + Backends specify where matching requests will be routed. \n GRPCRoute falls + under extended support within the Gateway API. Within the following specification, + the word \"MUST\" indicates that an implementation supporting GRPCRoute + must conform to the indicated requirement, but an implementation not supporting + this route type need not follow the requirement unless explicitly indicated. + \n Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` + MUST accept HTTP/2 connections without an initial upgrade from HTTP/1.1, + i.e. via ALPN. If the implementation does not support this, then it MUST + set the \"Accepted\" condition to \"False\" for the affected listener with + a reason of \"UnsupportedProtocol\". Implementations MAY also accept HTTP/2 + connections with an upgrade from HTTP/1. \n Implementations supporting `GRPCRoute` + with the `HTTP` `ProtocolType` MUST support HTTP/2 over cleartext TCP (h2c, + https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial upgrade + from HTTP/1.1, i.e. with prior knowledge (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). + If the implementation does not support this, then it MUST set the \"Accepted\" + condition to \"False\" for the affected listener with a reason of \"UnsupportedProtocol\". + Implementations MAY also accept HTTP/2 connections with an upgrade from + HTTP/1, i.e. without prior knowledge. \n Support: Extended" + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GRPCRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostnames to match against + the GRPC Host header to select a GRPCRoute to process the request. + This matches the RFC 1123 definition of a hostname with 2 notable + exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed + with a wildcard label (`*.`). The wildcard label MUST appear by + itself as the first label. \n If a hostname is specified by both + the Listener and GRPCRoute, there MUST be at least one intersecting + hostname for the GRPCRoute to be attached to the Listener. For example: + \n * A Listener with `test.example.com` as the hostname matches + GRPCRoutes that have either not specified any hostnames, or have + specified at least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches GRPCRoutes + that have either not specified any hostnames or have specified at + least one hostname that matches the Listener hostname. For example, + `test.example.com` and `*.example.com` would both match. On the + other hand, `example.com` and `test.example.net` would not match. + \n Hostnames that are prefixed with a wildcard label (`*.`) are + interpreted as a suffix match. That means that a match for `*.example.com` + would match both `test.example.com`, and `foo.test.example.com`, + but not `example.com`. \n If both the Listener and GRPCRoute have + specified hostnames, any GRPCRoute hostnames that do not match the + Listener hostname MUST be ignored. For example, if a Listener specified + `*.example.com`, and the GRPCRoute specified `test.example.com` + and `test.example.net`, `test.example.net` MUST NOT be considered + for a match. \n If both the Listener and GRPCRoute have specified + hostnames, and none match with the criteria above, then the GRPCRoute + MUST NOT be accepted by the implementation. The implementation MUST + raise an 'Accepted' Condition with a status of `False` in the corresponding + RouteParentStatus. \n If a Route (A) of type HTTPRoute or GRPCRoute + is attached to a Listener and that listener already has another + Route (B) of the other type attached and the intersection of the + hostnames of A and B is non-empty, then the implementation MUST + accept exactly one of these two routes, determined by the following + criteria, in order: \n * The oldest Route based on creation timestamp. + * The Route appearing first in alphabetical order by \"{namespace}/{name}\". + \n The rejected Route MUST raise an 'Accepted' condition with a + status of 'False' in the corresponding RouteParentStatus. \n Support: + Core" + items: + description: "Hostname is the fully qualified domain name of a network + host. This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname + may be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n Hostname can be \"precise\" + which is a domain name without the terminating dot of a network + host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain + name prefixed with a single wildcard label (e.g. `*.example.com`). + \n Note that as per RFC1035 and RFC1123, a *label* must consist + of lower case alphanumeric characters or '-', and must start and + end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) + that a Route wants to be attached to. Note that the referenced parent + resource needs to allow this for the attachment to be complete. + For Gateways, that means the Gateway needs to allow attachment from + Routes of this kind and namespace. \n The only kind of parent resource + with \"Core\" support is Gateway. This API may be extended in the + future to support additional kinds of parent resources such as one + of the route kinds. \n It is invalid to reference an identical parent + more than once. It is valid to reference multiple distinct sections + within the same parent resource, such as 2 Listeners within a Gateway. + \n It is possible to separately reference multiple distinct objects + that may be collapsed by an implementation. For example, some implementations + may choose to merge compatible Gateway Listeners together. If that + is the case, the list of routes attached to those resources should + also be merged. \n Note that for ParentRefs that cross namespace + boundaries, there are specific rules. Cross-namespace references + are only valid if they are explicitly allowed by something in the + namespace they are referring to. For example, Gateway has the AllowedRoutes + field, and ReferenceGrant provides a generic way to enable any other + kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually + a Gateway) that can be considered a parent of this resource (usually + a route). The only kind of parent resource with \"Core\" support + is Gateway. This API may be extended in the future to support + additional kinds of parent resources, such as HTTPRoute. \n The + API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, + \"gateway.networking.k8s.io\" is inferred. To set the core + API group (such as for a \"Service\" kind referent), Group + must be explicitly set to \"\" (empty string). \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core + (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When + unspecified, this refers to the local namespace of the Route. + \n Note that there are specific rules for ParentRefs which + cross namespace boundaries. Cross-namespace references are + only valid if they are explicitly allowed by something in + the namespace they are referring to. For example: Gateway + has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It + can be interpreted differently based on the type of parent + resource. \n When the parent resource is a Gateway, this targets + all listeners listening on the specified port that also support + this kind of Route(and select this Route). It's not recommended + to set `Port` unless the networking behaviors specified in + a Route must apply to a specific port as opposed to a listener(s) + whose port(s) may be changed. When both Port and SectionName + are specified, the name and port of the selected listener + must match both specified values. \n Implementations MAY choose + to support other parent resources. Implementations supporting + other types of parent resources MUST clearly document how/if + Port is interpreted. \n For the purpose of status, an attachment + is considered successful as long as the parent resource accepts + it partially. For example, Gateway listeners can restrict + which Routes can attach to them by Route kind, namespace, + or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this + Route, the Route MUST be considered detached from the Gateway. + \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the + target resource. In the following resources, SectionName is + interpreted as the following: \n * Gateway: Listener Name. + When both Port (experimental) and SectionName are specified, + the name and port of the selected listener must match both + specified values. \n Implementations MAY choose to support + attaching Routes to other resources. If that is the case, + they MUST clearly document how SectionName is interpreted. + \n When unspecified (empty string), this will reference the + entire resource. For the purpose of status, an attachment + is considered successful if at least one section in the parent + resource accepts it. For example, Gateway listeners can restrict + which Routes can attach to them by Route kind, namespace, + or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this + Route, the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - method: + type: Exact + description: Rules are a list of GRPC matchers, filters and actions. + items: + description: GRPCRouteRule defines the semantics for matching a + gRPC request based on conditions (matches), processing it (filters), + and forwarding the request to an API object (backendRefs). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching + requests should be sent. \n Failure behavior here depends + on how many BackendRefs are specified and how many are invalid. + \n If *all* entries in BackendRefs are invalid, and there + are also no filters specified in this route rule, *all* traffic + which matches this rule MUST receive an `UNAVAILABLE` status. + \n See the GRPCBackendRef definition for the rules about what + makes a single GRPCBackendRef invalid. \n When a GRPCBackendRef + is invalid, `UNAVAILABLE` statuses MUST be returned for requests + that would have otherwise been routed to an invalid backend. + If multiple backends are specified, and some are invalid, + the proportion of requests that would otherwise have been + routed to an invalid backend MUST receive an `UNAVAILABLE` + status. \n For example, if two backends are specified with + equal weights, and one is invalid, 50 percent of traffic MUST + receive an `UNAVAILABLE` status. Implementations may choose + how that 50 percent is determined. \n Support: Core for Kubernetes + Service \n Support: Implementation-specific for any other + resource \n Support for weight: Core" + items: + description: GRPCBackendRef defines how a GRPCRoute forwards + a gRPC request. + properties: + filters: + description: "Filters defined at this level MUST be executed + if and only if the request is being forwarded to the + backend defined here. \n Support: Implementation-specific + (For broader support of filters, use the Filters field + in GRPCRouteRule.)" + items: + description: GRPCRouteFilter defines processing steps + that must be completed during the request or response + lifecycle. GRPCRouteFilters are meant as an extension + point to express processing that may be done in Gateway + implementations. Some examples include request or + response modification, implementing authentication + strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type + of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific + extension to the \"filter\" behavior. For example, + resource \"myroutefilter\" in group \"networking.example.net\"). + ExtensionRef MUST NOT be used for core and extended + filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. + For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API + group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For + example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema + for a filter that modifies request headers. \n + Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for + a filter that mirrors requests. Requests are sent + to the specified destination, but responses from + that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource + where mirrored requests are sent. \n If the + referent cannot be found, this BackendRef + is invalid and must be dropped from the Gateway. + The controller must ensure the \"ResolvedRefs\" + condition on the Route status is set to `status: + False` and not configure this backend in the + underlying implementation. \n If there is + a cross-namespace reference to an *existing* + object that is not allowed by a ReferenceGrant, + the controller must ensure the \"ResolvedRefs\" + \ condition on the Route is set to `status: + False`, with the \"RefNotPermitted\" reason + and not configure this backend in the underlying + implementation. \n In either error case, the + Message of the `ResolvedRefs` Condition should + be used to provide more detail about the problem. + \n Support: Extended for Kubernetes Service + \n Support: Implementation-specific for any + other resource" + properties: + group: + default: "" + description: Group is the group of the referent. + For example, "gateway.networking.k8s.io". + When unspecified or empty string, core + API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: "Kind is the Kubernetes resource + kind of the referent. For example \"Service\". + \n Defaults to \"Service\" when not specified. + \n ExternalName services can refer to + CNAME DNS records that may live outside + of the cluster and as such are difficult + to reason about in terms of conformance. + They also may not be safe to forward to + (see CVE-2021-25740 for more information). + Implementations SHOULD NOT support ExternalName + Services. \n Support: Core (Services with + a type other than ExternalName) \n Support: + Implementation-specific (Services with + type ExternalName)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace + of the backend. When unspecified, the + local namespace is inferred. \n Note that + when a namespace different than the local + namespace is specified, a ReferenceGrant + object is required in the referent namespace + to allow that namespace's owner to accept + the reference. See the ReferenceGrant + documentation for details. \n Support: + Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination + port number to use for this resource. + Port is required when the referent is + a Kubernetes Service. In this case, the + port number is the service port number, + not the target port. For other resources, + destination port might be derived from + the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema + for a filter that modifies response headers. \n + Support: Extended" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter + to apply. As with other API fields, types are + classified into three conformance levels: \n - + Core: Filter types and their corresponding configuration + defined by \"Support: Core\" in this package, + e.g. \"RequestHeaderModifier\". All implementations + supporting GRPCRoute MUST support core filters. + \n - Extended: Filter types and their corresponding + configuration defined by \"Support: Extended\" + in this package, e.g. \"RequestMirror\". Implementers + are encouraged to support extended filters. \n + - Implementation-specific: Filters that are defined + and supported by specific vendors. In the future, + filters showing convergence in behavior across + multiple implementations will be considered for + inclusion in extended or core conformance levels. + Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` + MUST be set to \"ExtensionRef\" for custom filters. + \n Implementers are encouraged to define custom + implementation types to extend the core API with + implementation-specific behavior. \n If a reference + to a custom filter type cannot be resolved, the + filter MUST NOT be skipped. Instead, requests + that would have been processed by that filter + MUST receive a HTTP error response. \n " + enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + maxItems: 16 + type: array + group: + default: "" + description: Group is the group of the referent. For example, + "gateway.networking.k8s.io". When unspecified or empty + string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: "Kind is the Kubernetes resource kind of + the referent. For example \"Service\". \n Defaults to + \"Service\" when not specified. \n ExternalName services + can refer to CNAME DNS records that may live outside + of the cluster and as such are difficult to reason about + in terms of conformance. They also may not be safe to + forward to (see CVE-2021-25740 for more information). + Implementations SHOULD NOT support ExternalName Services. + \n Support: Core (Services with a type other than ExternalName) + \n Support: Implementation-specific (Services with type + ExternalName)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. + When unspecified, the local namespace is inferred. \n + Note that when a namespace different than the local + namespace is specified, a ReferenceGrant object is required + in the referent namespace to allow that namespace's + owner to accept the reference. See the ReferenceGrant + documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number + to use for this resource. Port is required when the + referent is a Kubernetes Service. In this case, the + port number is the service port number, not the target + port. For other resources, destination port might be + derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests + forwarded to the referenced backend. This is computed + as weight/(sum of all weights in this BackendRefs list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1. \n Support for this field varies based + on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to + requests that match this rule. \n The effects of ordering + of multiple behaviors are currently unspecified. This can + change in the future based on feedback during the alpha stage. + \n Conformance-levels at this level are defined based on the + type of filter: \n - ALL core filters MUST be supported by + all implementations that support GRPCRoute. - Implementers + are encouraged to support extended filters. - Implementation-specific + custom filters have no API guarantees across implementations. + \n Specifying a core filter multiple times has unspecified + or implementation-specific conformance. Support: Core" + items: + description: GRPCRouteFilter defines processing steps that + must be completed during the request or response lifecycle. + GRPCRouteFilters are meant as an extension point to express + processing that may be done in Gateway implementations. + Some examples include request or response modification, + implementing authentication strategies, rate-limiting, and + traffic shaping. API guarantee/conformance is defined based + on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific + extension to the \"filter\" behavior. For example, + resource \"myroutefilter\" in group \"networking.example.net\"). + ExtensionRef MUST NOT be used for core and extended + filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For + example, "gateway.networking.k8s.io". When unspecified + or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for + a filter that modifies request headers. \n Support: + Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It appends + to any existing values associated with the header + name. \n Input: GET /foo HTTP/1.1 my-header: foo + \n Config: add: - name: \"my-header\" value: \"bar,baz\" + \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the + HTTP request before the action. The value of Remove + is a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: + bar my-header3: baz \n Config: remove: [\"my-header1\", + \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: + bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the + given header (name, value) before the action. \n + Input: GET /foo HTTP/1.1 my-header: foo \n Config: + set: - name: \"my-header\" value: \"bar\" \n Output: + GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter + that mirrors requests. Requests are sent to the specified + destination, but responses from that destination are + ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where + mirrored requests are sent. \n If the referent cannot + be found, this BackendRef is invalid and must be + dropped from the Gateway. The controller must ensure + the \"ResolvedRefs\" condition on the Route status + is set to `status: False` and not configure this + backend in the underlying implementation. \n If + there is a cross-namespace reference to an *existing* + object that is not allowed by a ReferenceGrant, + the controller must ensure the \"ResolvedRefs\" + \ condition on the Route is set to `status: False`, + with the \"RefNotPermitted\" reason and not configure + this backend in the underlying implementation. \n + In either error case, the Message of the `ResolvedRefs` + Condition should be used to provide more detail + about the problem. \n Support: Extended for Kubernetes + Service \n Support: Implementation-specific for + any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. + For example, "gateway.networking.k8s.io". When + unspecified or empty string, core API group + is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: "Kind is the Kubernetes resource + kind of the referent. For example \"Service\". + \n Defaults to \"Service\" when not specified. + \n ExternalName services can refer to CNAME + DNS records that may live outside of the cluster + and as such are difficult to reason about in + terms of conformance. They also may not be safe + to forward to (see CVE-2021-25740 for more information). + Implementations SHOULD NOT support ExternalName + Services. \n Support: Core (Services with a + type other than ExternalName) \n Support: Implementation-specific + (Services with type ExternalName)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the + backend. When unspecified, the local namespace + is inferred. \n Note that when a namespace different + than the local namespace is specified, a ReferenceGrant + object is required in the referent namespace + to allow that namespace's owner to accept the + reference. See the ReferenceGrant documentation + for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port + number to use for this resource. Port is required + when the referent is a Kubernetes Service. In + this case, the port number is the service port + number, not the target port. For other resources, + destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema + for a filter that modifies response headers. \n Support: + Extended" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It appends + to any existing values associated with the header + name. \n Input: GET /foo HTTP/1.1 my-header: foo + \n Config: add: - name: \"my-header\" value: \"bar,baz\" + \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the + HTTP request before the action. The value of Remove + is a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: + bar my-header3: baz \n Config: remove: [\"my-header1\", + \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: + bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the + given header (name, value) before the action. \n + Input: GET /foo HTTP/1.1 my-header: foo \n Config: + set: - name: \"my-header\" value: \"bar\" \n Output: + GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. + As with other API fields, types are classified into + three conformance levels: \n - Core: Filter types and + their corresponding configuration defined by \"Support: + Core\" in this package, e.g. \"RequestHeaderModifier\". + All implementations supporting GRPCRoute MUST support + core filters. \n - Extended: Filter types and their + corresponding configuration defined by \"Support: Extended\" + in this package, e.g. \"RequestMirror\". Implementers + are encouraged to support extended filters. \n - Implementation-specific: + Filters that are defined and supported by specific vendors. + In the future, filters showing convergence in behavior + across multiple implementations will be considered for + inclusion in extended or core conformance levels. Filter-specific + configuration for such filters is specified using the + ExtensionRef field. `Type` MUST be set to \"ExtensionRef\" + for custom filters. \n Implementers are encouraged to + define custom implementation types to extend the core + API with implementation-specific behavior. \n If a reference + to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have + been processed by that filter MUST receive a HTTP error + response. \n " + enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + maxItems: 16 + type: array + matches: + description: "Matches define conditions used for matching the + rule against incoming gRPC requests. Each match is independent, + i.e. this rule will be matched if **any** one of the matches + is satisfied. \n For example, take the following matches configuration: + \n ``` matches: - method: service: foo.bar headers: values: + version: 2 - method: service: foo.bar.v2 ``` \n For a request + to match against this rule, it MUST satisfy EITHER of the + two conditions: \n - service of foo.bar AND contains the header + `version: 2` - service of foo.bar.v2 \n See the documentation + for GRPCRouteMatch on how to specify multiple match conditions + to be ANDed together. \n If no matches are specified, the + implementation MUST match every gRPC request. \n Proxy or + Load Balancer routing configuration generated from GRPCRoutes + MUST prioritize rules based on the following criteria, continuing + on ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes. + Precedence MUST be given to the rule with the largest number + of: \n * Characters in a matching non-wildcard hostname. * + Characters in a matching hostname. * Characters in a matching + service. * Characters in a matching method. * Header matches. + \n If ties still exist across multiple Routes, matching precedence + MUST be determined in order of the following criteria, continuing + on ties: \n * The oldest Route based on creation timestamp. + * The Route appearing first in alphabetical order by \"{namespace}/{name}\". + \n If ties still exist within the Route that has been given + precedence, matching precedence MUST be granted to the first + matching rule meeting the above criteria." + items: + description: "GRPCRouteMatch defines the predicate used to + match requests to a given action. Multiple match types are + ANDed together, i.e. the match will evaluate to true only + if all conditions are satisfied. \n For example, the match + below will match a gRPC request only if its service is `foo` + AND it contains the `version: v1` header: \n ``` matches: + - method: type: Exact service: \"foo\" headers: - name: + \"version\" value \"v1\" \n ```" + properties: + headers: + description: Headers specifies gRPC request header matchers. + Multiple match values are ANDed together, meaning, a + request MUST match all the specified headers to select + the route. + items: + description: GRPCHeaderMatch describes how to select + a gRPC route by matching gRPC request headers. + properties: + name: + description: "Name is the name of the gRPC Header + to be matched. \n If multiple entries specify + equivalent header names, only the first entry + with an equivalent name MUST be considered for + a match. Subsequent entries with an equivalent + header name MUST be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: Type specifies how to match against + the value of the header. + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of the gRPC Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: Method specifies a gRPC request service/method + matcher. If this field is not specified, all services + and methods will match. + properties: + method: + description: "Value of the method to match against. + If left empty or omitted, will match all services. + \n At least one of Service and Method MUST be a + non-empty string." + maxLength: 1024 + type: string + service: + description: "Value of the service to match against. + If left empty or omitted, will match any service. + \n At least one of Service and Method MUST be a + non-empty string." + maxLength: 1024 + type: string + type: + default: Exact + description: "Type specifies how to match against + the service and/or method. Support: Core (Exact + with service and method specified) \n Support: Implementation-specific + (Exact with method specified but no service specified) + \n Support: Implementation-specific (RegularExpression)" + enum: + - Exact + - RegularExpression + type: string + type: object + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of GRPCRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) + that are associated with the route, and the status of the route + with respect to each parent. When this route attaches to a parent, + the controller that manages the parent must add an entry to this + list when the controller first sees the route and should update + the entry as appropriate when the route or gateway is modified. + \n Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this + API can only populate Route status for the Gateways/parent resources + they are responsible for. \n A maximum of 32 Gateways will be represented + in this list. An empty list means the route has not been attached + to any Gateway." + items: + description: RouteParentStatus describes the status of a route with + respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with + respect to the Gateway. Note that the route's availability + is also subject to the Gateway's own status conditions and + listener status. \n If the Route's ParentRef specifies an + existing Gateway that supports Routes of this kind AND that + Gateway's controller has sufficient access, then that Gateway's + controller MUST set the \"Accepted\" condition on the Route, + to indicate whether the route has been accepted or rejected + by the Gateway, and why. \n A Route MUST be considered \"Accepted\" + if at least one of the Route's rules is implemented by the + Gateway. \n There are a number of cases where the \"Accepted\" + condition may not be set due to lack of controller visibility, + that includes when: \n * The Route refers to a non-existent + parent. * The Route is of a type that the controller does + not support. * The Route is in a namespace the controller + does not have access to." + items: + description: "Condition contains details for one aspect of + the current state of this API Resource. --- This struct + is intended for direct use as an array at the field path + .status.conditions. For example, \n type FooStatus struct{ + // Represents the observations of a foo's current state. + // Known .status.conditions.type are: \"Available\", \"Progressing\", + and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields + }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should + be when the underlying condition changed. If that is + not known, then using the time when the API field changed + is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, + if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the + current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. The value should + be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. The regex it matches is + (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates + the name of the controller that wrote this status. This corresponds + with the controllerName field on GatewayClass. \n Example: + \"example.net/gateway-controller\". \n The format of this + field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid + Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + \n Controllers MUST populate this field when writing status. + Controllers should ensure that entries to status populated + with their ControllerName are cleaned up when they are no + longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec + that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, + \"gateway.networking.k8s.io\" is inferred. To set the + core API group (such as for a \"Service\" kind referent), + Group must be explicitly set to \"\" (empty string). \n + Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: + Core (Gateway) \n Support: Implementation-specific (Other + Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. + When unspecified, this refers to the local namespace of + the Route. \n Note that there are specific rules for ParentRefs + which cross namespace boundaries. Cross-namespace references + are only valid if they are explicitly allowed by something + in the namespace they are referring to. For example: Gateway + has the AllowedRoutes field, and ReferenceGrant provides + a generic way to enable any other kind of cross-namespace + reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. + It can be interpreted differently based on the type of + parent resource. \n When the parent resource is a Gateway, + this targets all listeners listening on the specified + port that also support this kind of Route(and select this + Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to + a specific port as opposed to a listener(s) whose port(s) + may be changed. When both Port and SectionName are specified, + the name and port of the selected listener must match + both specified values. \n Implementations MAY choose to + support other parent resources. Implementations supporting + other types of parent resources MUST clearly document + how/if Port is interpreted. \n For the purpose of status, + an attachment is considered successful as long as the + parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them + by Route kind, namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from the referencing Route, + the Route MUST be considered successfully attached. If + no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within + the target resource. In the following resources, SectionName + is interpreted as the following: \n * Gateway: Listener + Name. When both Port (experimental) and SectionName are + specified, the name and port of the selected listener + must match both specified values. \n Implementations MAY + choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName + is interpreted. \n When unspecified (empty string), this + will reference the entire resource. For the purpose of + status, an attachment is considered successful if at least + one section in the parent resource accepts it. For example, + Gateway listeners can restrict which Routes can attach + to them by Route kind, namespace, or hostname. If 1 of + 2 Gateway listeners accept attachment from the referencing + Route, the Route MUST be considered successfully attached. + If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +{{- end }} + diff --git a/charts/linkerd/linkerd-crds/2024.9.3/templates/gateway.networking.k8s.io_httproutes.yaml b/charts/linkerd/linkerd-crds/2024.9.3/templates/gateway.networking.k8s.io_httproutes.yaml new file mode 100644 index 000000000..b695c51d5 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.9.3/templates/gateway.networking.k8s.io_httproutes.yaml @@ -0,0 +1,3881 @@ +{{- if .Values.enableHttpRoutes }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1923 + gateway.networking.k8s.io/bundle-version: v0.7.1 + gateway.networking.k8s.io/channel: experimental + {{ include "partials.annotations.created-by" . }} + labels: + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + linkerd.io/control-plane-ns: {{.Release.Namespace}} + creationTimestamp: null + name: httproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: HTTPRoute + listKind: HTTPRouteList + plural: httproutes + singular: httproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: The v1alpha2 version of HTTPRoute has been deprecated and + will be removed in a future release of the API. Please upgrade to v1beta1. + name: v1alpha2 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes + the capability to match requests by hostname, path, header, or query param. + Filters can be used to specify additional processing steps. Backends specify + where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match + against the HTTP Host header to select a HTTPRoute used to process + the request. Implementations MUST ignore any port value specified + in the HTTP Host header while performing a match. \n Valid values + for Hostnames are determined by RFC 1123 definition of a hostname + with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname + may be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n If a hostname is specified + by both the Listener and HTTPRoute, there must be at least one intersecting + hostname for the HTTPRoute to be attached to the Listener. For example: + \n * A Listener with `test.example.com` as the hostname matches + HTTPRoutes that have either not specified any hostnames, or have + specified at least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches HTTPRoutes + that have either not specified any hostnames or have specified at + least one hostname that matches the Listener hostname. For example, + `*.example.com`, `test.example.com`, and `foo.test.example.com` + would all match. On the other hand, `example.com` and `test.example.net` + would not match. \n Hostnames that are prefixed with a wildcard + label (`*.`) are interpreted as a suffix match. That means that + a match for `*.example.com` would match both `test.example.com`, + and `foo.test.example.com`, but not `example.com`. \n If both the + Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames + that do not match the Listener hostname MUST be ignored. For example, + if a Listener specified `*.example.com`, and the HTTPRoute specified + `test.example.com` and `test.example.net`, `test.example.net` must + not be considered for a match. \n If both the Listener and HTTPRoute + have specified hostnames, and none match with the criteria above, + then the HTTPRoute is not accepted. The implementation must raise + an 'Accepted' Condition with a status of `False` in the corresponding + RouteParentStatus. \n In the event that multiple HTTPRoutes specify + intersecting hostnames (e.g. overlapping wildcard matching and exact + matching hostnames), precedence must be given to rules from the + HTTPRoute with the largest number of: \n * Characters in a matching + non-wildcard hostname. * Characters in a matching hostname. \n If + ties exist across multiple Routes, the matching precedence rules + for HTTPRouteMatches takes over. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network + host. This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname + may be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n Hostname can be \"precise\" + which is a domain name without the terminating dot of a network + host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain + name prefixed with a single wildcard label (e.g. `*.example.com`). + \n Note that as per RFC1035 and RFC1123, a *label* must consist + of lower case alphanumeric characters or '-', and must start and + end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) + that a Route wants to be attached to. Note that the referenced parent + resource needs to allow this for the attachment to be complete. + For Gateways, that means the Gateway needs to allow attachment from + Routes of this kind and namespace. \n The only kind of parent resource + with \"Core\" support is Gateway. This API may be extended in the + future to support additional kinds of parent resources such as one + of the route kinds. \n It is invalid to reference an identical parent + more than once. It is valid to reference multiple distinct sections + within the same parent resource, such as 2 Listeners within a Gateway. + \n It is possible to separately reference multiple distinct objects + that may be collapsed by an implementation. For example, some implementations + may choose to merge compatible Gateway Listeners together. If that + is the case, the list of routes attached to those resources should + also be merged. \n Note that for ParentRefs that cross namespace + boundaries, there are specific rules. Cross-namespace references + are only valid if they are explicitly allowed by something in the + namespace they are referring to. For example, Gateway has the AllowedRoutes + field, and ReferenceGrant provides a generic way to enable any other + kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually + a Gateway) that can be considered a parent of this resource (usually + a route). The only kind of parent resource with \"Core\" support + is Gateway. This API may be extended in the future to support + additional kinds of parent resources, such as HTTPRoute. \n The + API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, + \"gateway.networking.k8s.io\" is inferred. To set the core + API group (such as for a \"Service\" kind referent), Group + must be explicitly set to \"\" (empty string). \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core + (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When + unspecified, this refers to the local namespace of the Route. + \n Note that there are specific rules for ParentRefs which + cross namespace boundaries. Cross-namespace references are + only valid if they are explicitly allowed by something in + the namespace they are referring to. For example: Gateway + has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It + can be interpreted differently based on the type of parent + resource. \n When the parent resource is a Gateway, this targets + all listeners listening on the specified port that also support + this kind of Route(and select this Route). It's not recommended + to set `Port` unless the networking behaviors specified in + a Route must apply to a specific port as opposed to a listener(s) + whose port(s) may be changed. When both Port and SectionName + are specified, the name and port of the selected listener + must match both specified values. \n Implementations MAY choose + to support other parent resources. Implementations supporting + other types of parent resources MUST clearly document how/if + Port is interpreted. \n For the purpose of status, an attachment + is considered successful as long as the parent resource accepts + it partially. For example, Gateway listeners can restrict + which Routes can attach to them by Route kind, namespace, + or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this + Route, the Route MUST be considered detached from the Gateway. + \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the + target resource. In the following resources, SectionName is + interpreted as the following: \n * Gateway: Listener Name. + When both Port (experimental) and SectionName are specified, + the name and port of the selected listener must match both + specified values. \n Implementations MAY choose to support + attaching Routes to other resources. If that is the case, + they MUST clearly document how SectionName is interpreted. + \n When unspecified (empty string), this will reference the + entire resource. For the purpose of status, an attachment + is considered successful if at least one section in the parent + resource accepts it. For example, Gateway listeners can restrict + which Routes can attach to them by Route kind, namespace, + or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this + Route, the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP + request based on conditions (matches), processing it (filters), + and forwarding the request to an API object (backendRefs). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching + requests should be sent. \n Failure behavior here depends + on how many BackendRefs are specified and how many are invalid. + \n If *all* entries in BackendRefs are invalid, and there + are also no filters specified in this route rule, *all* traffic + which matches this rule MUST receive a 500 status code. \n + See the HTTPBackendRef definition for the rules about what + makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef + is invalid, 500 status codes MUST be returned for requests + that would have otherwise been routed to an invalid backend. + If multiple backends are specified, and some are invalid, + the proportion of requests that would otherwise have been + routed to an invalid backend MUST receive a 500 status code. + \n For example, if two backends are specified with equal weights, + and one is invalid, 50 percent of traffic must receive a 500. + Implementations may choose how that 50 percent is determined. + \n Support: Core for Kubernetes Service \n Support: Extended + for Kubernetes ServiceImport \n Support: Implementation-specific + for any other resource \n Support for weight: Core" + items: + description: HTTPBackendRef defines how a HTTPRoute should + forward an HTTP request. + properties: + filters: + description: "Filters defined at this level should be + executed if and only if the request is being forwarded + to the backend defined here. \n Support: Implementation-specific + (For broader support of filters, use the Filters field + in HTTPRouteRule.)" + items: + description: HTTPRouteFilter defines processing steps + that must be completed during the request or response + lifecycle. HTTPRouteFilters are meant as an extension + point to express processing that may be done in Gateway + implementations. Some examples include request or + response modification, implementing authentication + strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type + of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific + extension to the \"filter\" behavior. For example, + resource \"myroutefilter\" in group \"networking.example.net\"). + ExtensionRef MUST NOT be used for core and extended + filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. + For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API + group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For + example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema + for a filter that modifies request headers. \n + Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for + a filter that mirrors requests. Requests are sent + to the specified destination, but responses from + that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource + where mirrored requests are sent. \n If the + referent cannot be found, this BackendRef + is invalid and must be dropped from the Gateway. + The controller must ensure the \"ResolvedRefs\" + condition on the Route status is set to `status: + False` and not configure this backend in the + underlying implementation. \n If there is + a cross-namespace reference to an *existing* + object that is not allowed by a ReferenceGrant, + the controller must ensure the \"ResolvedRefs\" + \ condition on the Route is set to `status: + False`, with the \"RefNotPermitted\" reason + and not configure this backend in the underlying + implementation. \n In either error case, the + Message of the `ResolvedRefs` Condition should + be used to provide more detail about the problem. + \n Support: Extended for Kubernetes Service + \n Support: Implementation-specific for any + other resource" + properties: + group: + default: "" + description: Group is the group of the referent. + For example, "gateway.networking.k8s.io". + When unspecified or empty string, core + API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: "Kind is the Kubernetes resource + kind of the referent. For example \"Service\". + \n Defaults to \"Service\" when not specified. + \n ExternalName services can refer to + CNAME DNS records that may live outside + of the cluster and as such are difficult + to reason about in terms of conformance. + They also may not be safe to forward to + (see CVE-2021-25740 for more information). + Implementations SHOULD NOT support ExternalName + Services. \n Support: Core (Services with + a type other than ExternalName) \n Support: + Implementation-specific (Services with + type ExternalName)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace + of the backend. When unspecified, the + local namespace is inferred. \n Note that + when a namespace different than the local + namespace is specified, a ReferenceGrant + object is required in the referent namespace + to allow that namespace's owner to accept + the reference. See the ReferenceGrant + documentation for details. \n Support: + Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination + port number to use for this resource. + Port is required when the referent is + a Kubernetes Service. In this case, the + port number is the service port number, + not the target port. For other resources, + destination port might be derived from + the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for + a filter that responds to the request with an + HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be + used in the value of the `Location` header + in the response. When empty, the hostname + in the `Host` header of the request is used. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to + modify the path of the incoming request. The + modified path is then used to construct the + `Location` header. When empty, the request + path is used as-is. \n Support: Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the + value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies + the value with which to replace the prefix + match of a request during a rewrite or + redirect. For example, a request to \"/foo/bar\" + with a prefix match of \"/foo\" would + be modified to \"/bar\". \n Note that + this matches the behavior of the PathPrefix + match type. This matches full path elements. + A path element refers to the list of labels + in the path split by the `/` separator. + When specified, a trailing `/` is ignored. + For example, the paths `/abc`, `/abc/`, + and `/abc/def` would all match the prefix + `/abc`, but the path `/abcd` would not." + maxLength: 1024 + type: string + type: + description: "Type defines the type of path + modifier. Additional types may be added + in a future release of the API. \n Note + that values may be added to this enum, + implementations must ensure that unknown + values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the + Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in + the value of the `Location` header in the + response. \n If no port is specified, the + redirect port MUST be derived using the following + rules: \n * If redirect scheme is not-empty, + the redirect port MUST be the well-known port + associated with the redirect scheme. Specifically + \"http\" to port 80 and \"https\" to port + 443. If the redirect scheme does not have + a well-known port, the listener port of the + Gateway SHOULD be used. * If redirect scheme + is empty, the redirect port MUST be the Gateway + Listener port. \n Implementations SHOULD NOT + add the port number in the 'Location' header + in the following cases: \n * A Location header + that will use HTTP (whether that is determined + via the Listener protocol or the Scheme field) + _and_ use port 80. * A Location header that + will use HTTPS (whether that is determined + via the Listener protocol or the Scheme field) + _and_ use port 443. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used + in the value of the `Location` header in the + response. When empty, the scheme of the request + is used. \n Scheme redirects can affect the + port of the redirect, for more information, + refer to the documentation for the port field + of this filter. \n Note that values may be + added to this enum, implementations must ensure + that unknown values will not cause a crash. + \n Unknown values here must result in the + implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason + of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status + code to be used in response. \n Note that + values may be added to this enum, implementations + must ensure that unknown values will not cause + a crash. \n Unknown values here must result + in the implementation setting the Accepted + Condition for the Route to `status: False`, + with a Reason of `UnsupportedValue`. \n Support: + Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema + for a filter that modifies response headers. \n + Support: Extended" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter + to apply. As with other API fields, types are + classified into three conformance levels: \n - + Core: Filter types and their corresponding configuration + defined by \"Support: Core\" in this package, + e.g. \"RequestHeaderModifier\". All implementations + must support core filters. \n - Extended: Filter + types and their corresponding configuration defined + by \"Support: Extended\" in this package, e.g. + \"RequestMirror\". Implementers are encouraged + to support extended filters. \n - Implementation-specific: + Filters that are defined and supported by specific + vendors. In the future, filters showing convergence + in behavior across multiple implementations will + be considered for inclusion in extended or core + conformance levels. Filter-specific configuration + for such filters is specified using the ExtensionRef + field. `Type` should be set to \"ExtensionRef\" + for custom filters. \n Implementers are encouraged + to define custom implementation types to extend + the core API with implementation-specific behavior. + \n If a reference to a custom filter type cannot + be resolved, the filter MUST NOT be skipped. Instead, + requests that would have been processed by that + filter MUST receive a HTTP error response. \n + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause + a crash. \n Unknown values here must result in + the implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a + filter that modifies a request during forwarding. + \n Support: Extended" + properties: + hostname: + description: "Hostname is the value to be used + to replace the Host header value during forwarding. + \n Support: Extended" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n + Support: Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the + value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies + the value with which to replace the prefix + match of a request during a rewrite or + redirect. For example, a request to \"/foo/bar\" + with a prefix match of \"/foo\" would + be modified to \"/bar\". \n Note that + this matches the behavior of the PathPrefix + match type. This matches full path elements. + A path element refers to the list of labels + in the path split by the `/` separator. + When specified, a trailing `/` is ignored. + For example, the paths `/abc`, `/abc/`, + and `/abc/def` would all match the prefix + `/abc`, but the path `/abcd` would not." + maxLength: 1024 + type: string + type: + description: "Type defines the type of path + modifier. Additional types may be added + in a future release of the API. \n Note + that values may be added to this enum, + implementations must ensure that unknown + values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the + Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + group: + default: "" + description: Group is the group of the referent. For example, + "gateway.networking.k8s.io". When unspecified or empty + string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: "Kind is the Kubernetes resource kind of + the referent. For example \"Service\". \n Defaults to + \"Service\" when not specified. \n ExternalName services + can refer to CNAME DNS records that may live outside + of the cluster and as such are difficult to reason about + in terms of conformance. They also may not be safe to + forward to (see CVE-2021-25740 for more information). + Implementations SHOULD NOT support ExternalName Services. + \n Support: Core (Services with a type other than ExternalName) + \n Support: Implementation-specific (Services with type + ExternalName)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. + When unspecified, the local namespace is inferred. \n + Note that when a namespace different than the local + namespace is specified, a ReferenceGrant object is required + in the referent namespace to allow that namespace's + owner to accept the reference. See the ReferenceGrant + documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number + to use for this resource. Port is required when the + referent is a Kubernetes Service. In this case, the + port number is the service port number, not the target + port. For other resources, destination port might be + derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests + forwarded to the referenced backend. This is computed + as weight/(sum of all weights in this BackendRefs list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1. \n Support for this field varies based + on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to + requests that match this rule. \n The effects of ordering + of multiple behaviors are currently unspecified. This can + change in the future based on feedback during the alpha stage. + \n Conformance-levels at this level are defined based on the + type of filter: \n - ALL core filters MUST be supported by + all implementations. - Implementers are encouraged to support + extended filters. - Implementation-specific custom filters + have no API guarantees across implementations. \n Specifying + a core filter multiple times has unspecified or implementation-specific + conformance. \n All filters are expected to be compatible + with each other except for the URLRewrite and RequestRedirect + filters, which may not be combined. If an implementation can + not support other combinations of filters, they must clearly + document that limitation. In all cases where incompatible + or unsupported filters are specified, implementations MUST + add a warning condition to status. \n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that + must be completed during the request or response lifecycle. + HTTPRouteFilters are meant as an extension point to express + processing that may be done in Gateway implementations. + Some examples include request or response modification, + implementing authentication strategies, rate-limiting, and + traffic shaping. API guarantee/conformance is defined based + on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific + extension to the \"filter\" behavior. For example, + resource \"myroutefilter\" in group \"networking.example.net\"). + ExtensionRef MUST NOT be used for core and extended + filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For + example, "gateway.networking.k8s.io". When unspecified + or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for + a filter that modifies request headers. \n Support: + Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It appends + to any existing values associated with the header + name. \n Input: GET /foo HTTP/1.1 my-header: foo + \n Config: add: - name: \"my-header\" value: \"bar,baz\" + \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the + HTTP request before the action. The value of Remove + is a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: + bar my-header3: baz \n Config: remove: [\"my-header1\", + \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: + bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the + given header (name, value) before the action. \n + Input: GET /foo HTTP/1.1 my-header: foo \n Config: + set: - name: \"my-header\" value: \"bar\" \n Output: + GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter + that mirrors requests. Requests are sent to the specified + destination, but responses from that destination are + ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where + mirrored requests are sent. \n If the referent cannot + be found, this BackendRef is invalid and must be + dropped from the Gateway. The controller must ensure + the \"ResolvedRefs\" condition on the Route status + is set to `status: False` and not configure this + backend in the underlying implementation. \n If + there is a cross-namespace reference to an *existing* + object that is not allowed by a ReferenceGrant, + the controller must ensure the \"ResolvedRefs\" + \ condition on the Route is set to `status: False`, + with the \"RefNotPermitted\" reason and not configure + this backend in the underlying implementation. \n + In either error case, the Message of the `ResolvedRefs` + Condition should be used to provide more detail + about the problem. \n Support: Extended for Kubernetes + Service \n Support: Implementation-specific for + any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. + For example, "gateway.networking.k8s.io". When + unspecified or empty string, core API group + is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: "Kind is the Kubernetes resource + kind of the referent. For example \"Service\". + \n Defaults to \"Service\" when not specified. + \n ExternalName services can refer to CNAME + DNS records that may live outside of the cluster + and as such are difficult to reason about in + terms of conformance. They also may not be safe + to forward to (see CVE-2021-25740 for more information). + Implementations SHOULD NOT support ExternalName + Services. \n Support: Core (Services with a + type other than ExternalName) \n Support: Implementation-specific + (Services with type ExternalName)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the + backend. When unspecified, the local namespace + is inferred. \n Note that when a namespace different + than the local namespace is specified, a ReferenceGrant + object is required in the referent namespace + to allow that namespace's owner to accept the + reference. See the ReferenceGrant documentation + for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port + number to use for this resource. Port is required + when the referent is a Kubernetes Service. In + this case, the port number is the service port + number, not the target port. For other resources, + destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter + that responds to the request with an HTTP redirection. + \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used + in the value of the `Location` header in the response. + When empty, the hostname in the `Host` header of + the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify + the path of the incoming request. The modified path + is then used to construct the `Location` header. + When empty, the request path is used as-is. \n Support: + Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the value + with which to replace the full path of a request + during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the + value with which to replace the prefix match + of a request during a rewrite or redirect. For + example, a request to \"/foo/bar\" with a prefix + match of \"/foo\" would be modified to \"/bar\". + \n Note that this matches the behavior of the + PathPrefix match type. This matches full path + elements. A path element refers to the list + of labels in the path split by the `/` separator. + When specified, a trailing `/` is ignored. For + example, the paths `/abc`, `/abc/`, and `/abc/def` + would all match the prefix `/abc`, but the path + `/abcd` would not." + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. + Additional types may be added in a future release + of the API. \n Note that values may be added + to this enum, implementations must ensure that + unknown values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the Route + to `status: False`, with a Reason of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value + of the `Location` header in the response. \n If + no port is specified, the redirect port MUST be + derived using the following rules: \n * If redirect + scheme is not-empty, the redirect port MUST be the + well-known port associated with the redirect scheme. + Specifically \"http\" to port 80 and \"https\" to + port 443. If the redirect scheme does not have a + well-known port, the listener port of the Gateway + SHOULD be used. * If redirect scheme is empty, the + redirect port MUST be the Gateway Listener port. + \n Implementations SHOULD NOT add the port number + in the 'Location' header in the following cases: + \n * A Location header that will use HTTP (whether + that is determined via the Listener protocol or + the Scheme field) _and_ use port 80. * A Location + header that will use HTTPS (whether that is determined + via the Listener protocol or the Scheme field) _and_ + use port 443. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the + value of the `Location` header in the response. + When empty, the scheme of the request is used. \n + Scheme redirects can affect the port of the redirect, + for more information, refer to the documentation + for the port field of this filter. \n Note that + values may be added to this enum, implementations + must ensure that unknown values will not cause a + crash. \n Unknown values here must result in the + implementation setting the Accepted Condition for + the Route to `status: False`, with a Reason of `UnsupportedValue`. + \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to + be used in response. \n Note that values may be + added to this enum, implementations must ensure + that unknown values will not cause a crash. \n Unknown + values here must result in the implementation setting + the Accepted Condition for the Route to `status: + False`, with a Reason of `UnsupportedValue`. \n + Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema + for a filter that modifies response headers. \n Support: + Extended" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It appends + to any existing values associated with the header + name. \n Input: GET /foo HTTP/1.1 my-header: foo + \n Config: add: - name: \"my-header\" value: \"bar,baz\" + \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the + HTTP request before the action. The value of Remove + is a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: + bar my-header3: baz \n Config: remove: [\"my-header1\", + \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: + bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the + given header (name, value) before the action. \n + Input: GET /foo HTTP/1.1 my-header: foo \n Config: + set: - name: \"my-header\" value: \"bar\" \n Output: + GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. + As with other API fields, types are classified into + three conformance levels: \n - Core: Filter types and + their corresponding configuration defined by \"Support: + Core\" in this package, e.g. \"RequestHeaderModifier\". + All implementations must support core filters. \n - + Extended: Filter types and their corresponding configuration + defined by \"Support: Extended\" in this package, e.g. + \"RequestMirror\". Implementers are encouraged to support + extended filters. \n - Implementation-specific: Filters + that are defined and supported by specific vendors. + In the future, filters showing convergence in behavior + across multiple implementations will be considered for + inclusion in extended or core conformance levels. Filter-specific + configuration for such filters is specified using the + ExtensionRef field. `Type` should be set to \"ExtensionRef\" + for custom filters. \n Implementers are encouraged to + define custom implementation types to extend the core + API with implementation-specific behavior. \n If a reference + to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have + been processed by that filter MUST receive a HTTP error + response. \n Note that values may be added to this enum, + implementations must ensure that unknown values will + not cause a crash. \n Unknown values here must result + in the implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason of `UnsupportedValue`." + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter + that modifies a request during forwarding. \n Support: + Extended" + properties: + hostname: + description: "Hostname is the value to be used to + replace the Host header value during forwarding. + \n Support: Extended" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: + Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the value + with which to replace the full path of a request + during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the + value with which to replace the prefix match + of a request during a rewrite or redirect. For + example, a request to \"/foo/bar\" with a prefix + match of \"/foo\" would be modified to \"/bar\". + \n Note that this matches the behavior of the + PathPrefix match type. This matches full path + elements. A path element refers to the list + of labels in the path split by the `/` separator. + When specified, a trailing `/` is ignored. For + example, the paths `/abc`, `/abc/`, and `/abc/def` + would all match the prefix `/abc`, but the path + `/abcd` would not." + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. + Additional types may be added in a future release + of the API. \n Note that values may be added + to this enum, implementations must ensure that + unknown values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the Route + to `status: False`, with a Reason of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the + rule against incoming HTTP requests. Each match is independent, + i.e. this rule will be matched if **any** one of the matches + is satisfied. \n For example, take the following matches configuration: + \n ``` matches: - path: value: \"/foo\" headers: - name: \"version\" + value: \"v2\" - path: value: \"/v2/foo\" ``` \n For a request + to match against this rule, a request must satisfy EITHER + of the two conditions: \n - path prefixed with `/foo` AND + contains the header `version: v2` - path prefix of `/v2/foo` + \n See the documentation for HTTPRouteMatch on how to specify + multiple match conditions that should be ANDed together. \n + If no matches are specified, the default is a prefix path + match on \"/\", which has the effect of matching every HTTP + request. \n Proxy or Load Balancer routing configuration generated + from HTTPRoutes MUST prioritize matches based on the following + criteria, continuing on ties. Across all rules specified on + applicable Routes, precedence must be given to the match having: + \n * \"Exact\" path match. * \"Prefix\" path match with largest + number of characters. * Method match. * Largest number of + header matches. * Largest number of query param matches. \n + Note: The precedence of RegularExpression path matches are + implementation-specific. \n If ties still exist across multiple + Routes, matching precedence MUST be determined in order of + the following criteria, continuing on ties: \n * The oldest + Route based on creation timestamp. * The Route appearing first + in alphabetical order by \"{namespace}/{name}\". \n If ties + still exist within an HTTPRoute, matching precedence MUST + be granted to the FIRST matching rule (in list order) with + a match meeting the above criteria. \n When no rules matching + a request have been successfully attached to the parent a + request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to + match requests to a given action. Multiple match types are + ANDed together, i.e. the match will evaluate to true only + if all conditions are satisfied. \n For example, the match + below will match a HTTP request only if its path starts + with `/foo` AND it contains the `version: v1` header: \n + ``` match: \n path: value: \"/foo\" headers: - name: \"version\" + value \"v1\" \n ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. + Multiple match values are ANDed together, meaning, a + request must match all the specified headers to select + the route. + items: + description: HTTPHeaderMatch describes how to select + a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case insensitive. + (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent header + names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be + ignored. Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered equivalent. + \n When a header is repeated in an HTTP request, + it is implementation-specific behavior as to how + this is represented. Generally, proxies should + follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, with special + handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the header. \n Support: Core (Exact) + \n Support: Implementation-specific (RegularExpression) + \n Since RegularExpression HeaderMatchType has + implementation-specific conformance, implementations + can support POSIX, PCRE or any other dialects + of regular expressions. Please read the implementation's + documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to + be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When + specified, this route will be matched only if the request + has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. + If this field is not specified, a default prefix match + on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against + the path Value. \n Support: Core (Exact, PathPrefix) + \n Support: Implementation-specific (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: "QueryParams specifies HTTP query parameter + matchers. Multiple match values are ANDed together, + meaning, a request must match all the specified query + parameters to select the route. \n Support: Extended" + items: + description: HTTPQueryParamMatch describes how to select + a HTTP route by matching HTTP query parameters. + properties: + name: + description: "Name is the name of the HTTP query + param to be matched. This must be an exact string + match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). + \n If multiple entries specify equivalent query + param names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent query param name MUST + be ignored. \n If a query param is repeated in + an HTTP request, the behavior is purposely left + undefined, since different data planes have different + capabilities. However, it is *recommended* that + implementations should match against the first + value of the param if the data plane supports + it, as this behavior is expected in other load + balancing contexts outside of the Gateway API. + \n Users SHOULD NOT route traffic based on repeated + query params to guard themselves against potential + differences in the implementations." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the query parameter. \n Support: + Extended (Exact) \n Support: Implementation-specific + (RegularExpression) \n Since RegularExpression + QueryParamMatchType has Implementation-specific + conformance, implementations can support POSIX, + PCRE or any other dialects of regular expressions. + Please read the implementation's documentation + to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param + to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) + that are associated with the route, and the status of the route + with respect to each parent. When this route attaches to a parent, + the controller that manages the parent must add an entry to this + list when the controller first sees the route and should update + the entry as appropriate when the route or gateway is modified. + \n Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this + API can only populate Route status for the Gateways/parent resources + they are responsible for. \n A maximum of 32 Gateways will be represented + in this list. An empty list means the route has not been attached + to any Gateway." + items: + description: RouteParentStatus describes the status of a route with + respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with + respect to the Gateway. Note that the route's availability + is also subject to the Gateway's own status conditions and + listener status. \n If the Route's ParentRef specifies an + existing Gateway that supports Routes of this kind AND that + Gateway's controller has sufficient access, then that Gateway's + controller MUST set the \"Accepted\" condition on the Route, + to indicate whether the route has been accepted or rejected + by the Gateway, and why. \n A Route MUST be considered \"Accepted\" + if at least one of the Route's rules is implemented by the + Gateway. \n There are a number of cases where the \"Accepted\" + condition may not be set due to lack of controller visibility, + that includes when: \n * The Route refers to a non-existent + parent. * The Route is of a type that the controller does + not support. * The Route is in a namespace the controller + does not have access to." + items: + description: "Condition contains details for one aspect of + the current state of this API Resource. --- This struct + is intended for direct use as an array at the field path + .status.conditions. For example, \n type FooStatus struct{ + // Represents the observations of a foo's current state. + // Known .status.conditions.type are: \"Available\", \"Progressing\", + and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields + }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should + be when the underlying condition changed. If that is + not known, then using the time when the API field changed + is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, + if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the + current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. The value should + be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. The regex it matches is + (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates + the name of the controller that wrote this status. This corresponds + with the controllerName field on GatewayClass. \n Example: + \"example.net/gateway-controller\". \n The format of this + field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid + Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + \n Controllers MUST populate this field when writing status. + Controllers should ensure that entries to status populated + with their ControllerName are cleaned up when they are no + longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec + that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, + \"gateway.networking.k8s.io\" is inferred. To set the + core API group (such as for a \"Service\" kind referent), + Group must be explicitly set to \"\" (empty string). \n + Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: + Core (Gateway) \n Support: Implementation-specific (Other + Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. + When unspecified, this refers to the local namespace of + the Route. \n Note that there are specific rules for ParentRefs + which cross namespace boundaries. Cross-namespace references + are only valid if they are explicitly allowed by something + in the namespace they are referring to. For example: Gateway + has the AllowedRoutes field, and ReferenceGrant provides + a generic way to enable any other kind of cross-namespace + reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. + It can be interpreted differently based on the type of + parent resource. \n When the parent resource is a Gateway, + this targets all listeners listening on the specified + port that also support this kind of Route(and select this + Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to + a specific port as opposed to a listener(s) whose port(s) + may be changed. When both Port and SectionName are specified, + the name and port of the selected listener must match + both specified values. \n Implementations MAY choose to + support other parent resources. Implementations supporting + other types of parent resources MUST clearly document + how/if Port is interpreted. \n For the purpose of status, + an attachment is considered successful as long as the + parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them + by Route kind, namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from the referencing Route, + the Route MUST be considered successfully attached. If + no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within + the target resource. In the following resources, SectionName + is interpreted as the following: \n * Gateway: Listener + Name. When both Port (experimental) and SectionName are + specified, the name and port of the selected listener + must match both specified values. \n Implementations MAY + choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName + is interpreted. \n When unspecified (empty string), this + will reference the entire resource. For the purpose of + status, an attachment is considered successful if at least + one section in the parent resource accepts it. For example, + Gateway listeners can restrict which Routes can attach + to them by Route kind, namespace, or hostname. If 1 of + 2 Gateway listeners accept attachment from the referencing + Route, the Route MUST be considered successfully attached. + If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes + the capability to match requests by hostname, path, header, or query param. + Filters can be used to specify additional processing steps. Backends specify + where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match + against the HTTP Host header to select a HTTPRoute used to process + the request. Implementations MUST ignore any port value specified + in the HTTP Host header while performing a match. \n Valid values + for Hostnames are determined by RFC 1123 definition of a hostname + with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname + may be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n If a hostname is specified + by both the Listener and HTTPRoute, there must be at least one intersecting + hostname for the HTTPRoute to be attached to the Listener. For example: + \n * A Listener with `test.example.com` as the hostname matches + HTTPRoutes that have either not specified any hostnames, or have + specified at least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches HTTPRoutes + that have either not specified any hostnames or have specified at + least one hostname that matches the Listener hostname. For example, + `*.example.com`, `test.example.com`, and `foo.test.example.com` + would all match. On the other hand, `example.com` and `test.example.net` + would not match. \n Hostnames that are prefixed with a wildcard + label (`*.`) are interpreted as a suffix match. That means that + a match for `*.example.com` would match both `test.example.com`, + and `foo.test.example.com`, but not `example.com`. \n If both the + Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames + that do not match the Listener hostname MUST be ignored. For example, + if a Listener specified `*.example.com`, and the HTTPRoute specified + `test.example.com` and `test.example.net`, `test.example.net` must + not be considered for a match. \n If both the Listener and HTTPRoute + have specified hostnames, and none match with the criteria above, + then the HTTPRoute is not accepted. The implementation must raise + an 'Accepted' Condition with a status of `False` in the corresponding + RouteParentStatus. \n In the event that multiple HTTPRoutes specify + intersecting hostnames (e.g. overlapping wildcard matching and exact + matching hostnames), precedence must be given to rules from the + HTTPRoute with the largest number of: \n * Characters in a matching + non-wildcard hostname. * Characters in a matching hostname. \n If + ties exist across multiple Routes, the matching precedence rules + for HTTPRouteMatches takes over. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network + host. This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname + may be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n Hostname can be \"precise\" + which is a domain name without the terminating dot of a network + host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain + name prefixed with a single wildcard label (e.g. `*.example.com`). + \n Note that as per RFC1035 and RFC1123, a *label* must consist + of lower case alphanumeric characters or '-', and must start and + end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) + that a Route wants to be attached to. Note that the referenced parent + resource needs to allow this for the attachment to be complete. + For Gateways, that means the Gateway needs to allow attachment from + Routes of this kind and namespace. \n The only kind of parent resource + with \"Core\" support is Gateway. This API may be extended in the + future to support additional kinds of parent resources such as one + of the route kinds. \n It is invalid to reference an identical parent + more than once. It is valid to reference multiple distinct sections + within the same parent resource, such as 2 Listeners within a Gateway. + \n It is possible to separately reference multiple distinct objects + that may be collapsed by an implementation. For example, some implementations + may choose to merge compatible Gateway Listeners together. If that + is the case, the list of routes attached to those resources should + also be merged. \n Note that for ParentRefs that cross namespace + boundaries, there are specific rules. Cross-namespace references + are only valid if they are explicitly allowed by something in the + namespace they are referring to. For example, Gateway has the AllowedRoutes + field, and ReferenceGrant provides a generic way to enable any other + kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually + a Gateway) that can be considered a parent of this resource (usually + a route). The only kind of parent resource with \"Core\" support + is Gateway. This API may be extended in the future to support + additional kinds of parent resources, such as HTTPRoute. \n The + API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, + \"gateway.networking.k8s.io\" is inferred. To set the core + API group (such as for a \"Service\" kind referent), Group + must be explicitly set to \"\" (empty string). \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core + (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When + unspecified, this refers to the local namespace of the Route. + \n Note that there are specific rules for ParentRefs which + cross namespace boundaries. Cross-namespace references are + only valid if they are explicitly allowed by something in + the namespace they are referring to. For example: Gateway + has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It + can be interpreted differently based on the type of parent + resource. \n When the parent resource is a Gateway, this targets + all listeners listening on the specified port that also support + this kind of Route(and select this Route). It's not recommended + to set `Port` unless the networking behaviors specified in + a Route must apply to a specific port as opposed to a listener(s) + whose port(s) may be changed. When both Port and SectionName + are specified, the name and port of the selected listener + must match both specified values. \n Implementations MAY choose + to support other parent resources. Implementations supporting + other types of parent resources MUST clearly document how/if + Port is interpreted. \n For the purpose of status, an attachment + is considered successful as long as the parent resource accepts + it partially. For example, Gateway listeners can restrict + which Routes can attach to them by Route kind, namespace, + or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this + Route, the Route MUST be considered detached from the Gateway. + \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the + target resource. In the following resources, SectionName is + interpreted as the following: \n * Gateway: Listener Name. + When both Port (experimental) and SectionName are specified, + the name and port of the selected listener must match both + specified values. \n Implementations MAY choose to support + attaching Routes to other resources. If that is the case, + they MUST clearly document how SectionName is interpreted. + \n When unspecified (empty string), this will reference the + entire resource. For the purpose of status, an attachment + is considered successful if at least one section in the parent + resource accepts it. For example, Gateway listeners can restrict + which Routes can attach to them by Route kind, namespace, + or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this + Route, the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP + request based on conditions (matches), processing it (filters), + and forwarding the request to an API object (backendRefs). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching + requests should be sent. \n Failure behavior here depends + on how many BackendRefs are specified and how many are invalid. + \n If *all* entries in BackendRefs are invalid, and there + are also no filters specified in this route rule, *all* traffic + which matches this rule MUST receive a 500 status code. \n + See the HTTPBackendRef definition for the rules about what + makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef + is invalid, 500 status codes MUST be returned for requests + that would have otherwise been routed to an invalid backend. + If multiple backends are specified, and some are invalid, + the proportion of requests that would otherwise have been + routed to an invalid backend MUST receive a 500 status code. + \n For example, if two backends are specified with equal weights, + and one is invalid, 50 percent of traffic must receive a 500. + Implementations may choose how that 50 percent is determined. + \n Support: Core for Kubernetes Service \n Support: Extended + for Kubernetes ServiceImport \n Support: Implementation-specific + for any other resource \n Support for weight: Core" + items: + description: HTTPBackendRef defines how a HTTPRoute should + forward an HTTP request. + properties: + filters: + description: "Filters defined at this level should be + executed if and only if the request is being forwarded + to the backend defined here. \n Support: Implementation-specific + (For broader support of filters, use the Filters field + in HTTPRouteRule.)" + items: + description: HTTPRouteFilter defines processing steps + that must be completed during the request or response + lifecycle. HTTPRouteFilters are meant as an extension + point to express processing that may be done in Gateway + implementations. Some examples include request or + response modification, implementing authentication + strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type + of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific + extension to the \"filter\" behavior. For example, + resource \"myroutefilter\" in group \"networking.example.net\"). + ExtensionRef MUST NOT be used for core and extended + filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. + For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API + group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For + example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema + for a filter that modifies request headers. \n + Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for + a filter that mirrors requests. Requests are sent + to the specified destination, but responses from + that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource + where mirrored requests are sent. \n If the + referent cannot be found, this BackendRef + is invalid and must be dropped from the Gateway. + The controller must ensure the \"ResolvedRefs\" + condition on the Route status is set to `status: + False` and not configure this backend in the + underlying implementation. \n If there is + a cross-namespace reference to an *existing* + object that is not allowed by a ReferenceGrant, + the controller must ensure the \"ResolvedRefs\" + \ condition on the Route is set to `status: + False`, with the \"RefNotPermitted\" reason + and not configure this backend in the underlying + implementation. \n In either error case, the + Message of the `ResolvedRefs` Condition should + be used to provide more detail about the problem. + \n Support: Extended for Kubernetes Service + \n Support: Implementation-specific for any + other resource" + properties: + group: + default: "" + description: Group is the group of the referent. + For example, "gateway.networking.k8s.io". + When unspecified or empty string, core + API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: "Kind is the Kubernetes resource + kind of the referent. For example \"Service\". + \n Defaults to \"Service\" when not specified. + \n ExternalName services can refer to + CNAME DNS records that may live outside + of the cluster and as such are difficult + to reason about in terms of conformance. + They also may not be safe to forward to + (see CVE-2021-25740 for more information). + Implementations SHOULD NOT support ExternalName + Services. \n Support: Core (Services with + a type other than ExternalName) \n Support: + Implementation-specific (Services with + type ExternalName)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace + of the backend. When unspecified, the + local namespace is inferred. \n Note that + when a namespace different than the local + namespace is specified, a ReferenceGrant + object is required in the referent namespace + to allow that namespace's owner to accept + the reference. See the ReferenceGrant + documentation for details. \n Support: + Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination + port number to use for this resource. + Port is required when the referent is + a Kubernetes Service. In this case, the + port number is the service port number, + not the target port. For other resources, + destination port might be derived from + the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for + a filter that responds to the request with an + HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be + used in the value of the `Location` header + in the response. When empty, the hostname + in the `Host` header of the request is used. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to + modify the path of the incoming request. The + modified path is then used to construct the + `Location` header. When empty, the request + path is used as-is. \n Support: Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the + value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies + the value with which to replace the prefix + match of a request during a rewrite or + redirect. For example, a request to \"/foo/bar\" + with a prefix match of \"/foo\" would + be modified to \"/bar\". \n Note that + this matches the behavior of the PathPrefix + match type. This matches full path elements. + A path element refers to the list of labels + in the path split by the `/` separator. + When specified, a trailing `/` is ignored. + For example, the paths `/abc`, `/abc/`, + and `/abc/def` would all match the prefix + `/abc`, but the path `/abcd` would not." + maxLength: 1024 + type: string + type: + description: "Type defines the type of path + modifier. Additional types may be added + in a future release of the API. \n Note + that values may be added to this enum, + implementations must ensure that unknown + values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the + Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in + the value of the `Location` header in the + response. \n If no port is specified, the + redirect port MUST be derived using the following + rules: \n * If redirect scheme is not-empty, + the redirect port MUST be the well-known port + associated with the redirect scheme. Specifically + \"http\" to port 80 and \"https\" to port + 443. If the redirect scheme does not have + a well-known port, the listener port of the + Gateway SHOULD be used. * If redirect scheme + is empty, the redirect port MUST be the Gateway + Listener port. \n Implementations SHOULD NOT + add the port number in the 'Location' header + in the following cases: \n * A Location header + that will use HTTP (whether that is determined + via the Listener protocol or the Scheme field) + _and_ use port 80. * A Location header that + will use HTTPS (whether that is determined + via the Listener protocol or the Scheme field) + _and_ use port 443. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used + in the value of the `Location` header in the + response. When empty, the scheme of the request + is used. \n Scheme redirects can affect the + port of the redirect, for more information, + refer to the documentation for the port field + of this filter. \n Note that values may be + added to this enum, implementations must ensure + that unknown values will not cause a crash. + \n Unknown values here must result in the + implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason + of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status + code to be used in response. \n Note that + values may be added to this enum, implementations + must ensure that unknown values will not cause + a crash. \n Unknown values here must result + in the implementation setting the Accepted + Condition for the Route to `status: False`, + with a Reason of `UnsupportedValue`. \n Support: + Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema + for a filter that modifies response headers. \n + Support: Extended" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter + to apply. As with other API fields, types are + classified into three conformance levels: \n - + Core: Filter types and their corresponding configuration + defined by \"Support: Core\" in this package, + e.g. \"RequestHeaderModifier\". All implementations + must support core filters. \n - Extended: Filter + types and their corresponding configuration defined + by \"Support: Extended\" in this package, e.g. + \"RequestMirror\". Implementers are encouraged + to support extended filters. \n - Implementation-specific: + Filters that are defined and supported by specific + vendors. In the future, filters showing convergence + in behavior across multiple implementations will + be considered for inclusion in extended or core + conformance levels. Filter-specific configuration + for such filters is specified using the ExtensionRef + field. `Type` should be set to \"ExtensionRef\" + for custom filters. \n Implementers are encouraged + to define custom implementation types to extend + the core API with implementation-specific behavior. + \n If a reference to a custom filter type cannot + be resolved, the filter MUST NOT be skipped. Instead, + requests that would have been processed by that + filter MUST receive a HTTP error response. \n + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause + a crash. \n Unknown values here must result in + the implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a + filter that modifies a request during forwarding. + \n Support: Extended" + properties: + hostname: + description: "Hostname is the value to be used + to replace the Host header value during forwarding. + \n Support: Extended" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n + Support: Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the + value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies + the value with which to replace the prefix + match of a request during a rewrite or + redirect. For example, a request to \"/foo/bar\" + with a prefix match of \"/foo\" would + be modified to \"/bar\". \n Note that + this matches the behavior of the PathPrefix + match type. This matches full path elements. + A path element refers to the list of labels + in the path split by the `/` separator. + When specified, a trailing `/` is ignored. + For example, the paths `/abc`, `/abc/`, + and `/abc/def` would all match the prefix + `/abc`, but the path `/abcd` would not." + maxLength: 1024 + type: string + type: + description: "Type defines the type of path + modifier. Additional types may be added + in a future release of the API. \n Note + that values may be added to this enum, + implementations must ensure that unknown + values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the + Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + group: + default: "" + description: Group is the group of the referent. For example, + "gateway.networking.k8s.io". When unspecified or empty + string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: "Kind is the Kubernetes resource kind of + the referent. For example \"Service\". \n Defaults to + \"Service\" when not specified. \n ExternalName services + can refer to CNAME DNS records that may live outside + of the cluster and as such are difficult to reason about + in terms of conformance. They also may not be safe to + forward to (see CVE-2021-25740 for more information). + Implementations SHOULD NOT support ExternalName Services. + \n Support: Core (Services with a type other than ExternalName) + \n Support: Implementation-specific (Services with type + ExternalName)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. + When unspecified, the local namespace is inferred. \n + Note that when a namespace different than the local + namespace is specified, a ReferenceGrant object is required + in the referent namespace to allow that namespace's + owner to accept the reference. See the ReferenceGrant + documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number + to use for this resource. Port is required when the + referent is a Kubernetes Service. In this case, the + port number is the service port number, not the target + port. For other resources, destination port might be + derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests + forwarded to the referenced backend. This is computed + as weight/(sum of all weights in this BackendRefs list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1. \n Support for this field varies based + on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to + requests that match this rule. \n The effects of ordering + of multiple behaviors are currently unspecified. This can + change in the future based on feedback during the alpha stage. + \n Conformance-levels at this level are defined based on the + type of filter: \n - ALL core filters MUST be supported by + all implementations. - Implementers are encouraged to support + extended filters. - Implementation-specific custom filters + have no API guarantees across implementations. \n Specifying + a core filter multiple times has unspecified or implementation-specific + conformance. \n All filters are expected to be compatible + with each other except for the URLRewrite and RequestRedirect + filters, which may not be combined. If an implementation can + not support other combinations of filters, they must clearly + document that limitation. In all cases where incompatible + or unsupported filters are specified, implementations MUST + add a warning condition to status. \n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that + must be completed during the request or response lifecycle. + HTTPRouteFilters are meant as an extension point to express + processing that may be done in Gateway implementations. + Some examples include request or response modification, + implementing authentication strategies, rate-limiting, and + traffic shaping. API guarantee/conformance is defined based + on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific + extension to the \"filter\" behavior. For example, + resource \"myroutefilter\" in group \"networking.example.net\"). + ExtensionRef MUST NOT be used for core and extended + filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For + example, "gateway.networking.k8s.io". When unspecified + or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for + a filter that modifies request headers. \n Support: + Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It appends + to any existing values associated with the header + name. \n Input: GET /foo HTTP/1.1 my-header: foo + \n Config: add: - name: \"my-header\" value: \"bar,baz\" + \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the + HTTP request before the action. The value of Remove + is a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: + bar my-header3: baz \n Config: remove: [\"my-header1\", + \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: + bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the + given header (name, value) before the action. \n + Input: GET /foo HTTP/1.1 my-header: foo \n Config: + set: - name: \"my-header\" value: \"bar\" \n Output: + GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter + that mirrors requests. Requests are sent to the specified + destination, but responses from that destination are + ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where + mirrored requests are sent. \n If the referent cannot + be found, this BackendRef is invalid and must be + dropped from the Gateway. The controller must ensure + the \"ResolvedRefs\" condition on the Route status + is set to `status: False` and not configure this + backend in the underlying implementation. \n If + there is a cross-namespace reference to an *existing* + object that is not allowed by a ReferenceGrant, + the controller must ensure the \"ResolvedRefs\" + \ condition on the Route is set to `status: False`, + with the \"RefNotPermitted\" reason and not configure + this backend in the underlying implementation. \n + In either error case, the Message of the `ResolvedRefs` + Condition should be used to provide more detail + about the problem. \n Support: Extended for Kubernetes + Service \n Support: Implementation-specific for + any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. + For example, "gateway.networking.k8s.io". When + unspecified or empty string, core API group + is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: "Kind is the Kubernetes resource + kind of the referent. For example \"Service\". + \n Defaults to \"Service\" when not specified. + \n ExternalName services can refer to CNAME + DNS records that may live outside of the cluster + and as such are difficult to reason about in + terms of conformance. They also may not be safe + to forward to (see CVE-2021-25740 for more information). + Implementations SHOULD NOT support ExternalName + Services. \n Support: Core (Services with a + type other than ExternalName) \n Support: Implementation-specific + (Services with type ExternalName)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the + backend. When unspecified, the local namespace + is inferred. \n Note that when a namespace different + than the local namespace is specified, a ReferenceGrant + object is required in the referent namespace + to allow that namespace's owner to accept the + reference. See the ReferenceGrant documentation + for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port + number to use for this resource. Port is required + when the referent is a Kubernetes Service. In + this case, the port number is the service port + number, not the target port. For other resources, + destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter + that responds to the request with an HTTP redirection. + \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used + in the value of the `Location` header in the response. + When empty, the hostname in the `Host` header of + the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify + the path of the incoming request. The modified path + is then used to construct the `Location` header. + When empty, the request path is used as-is. \n Support: + Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the value + with which to replace the full path of a request + during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the + value with which to replace the prefix match + of a request during a rewrite or redirect. For + example, a request to \"/foo/bar\" with a prefix + match of \"/foo\" would be modified to \"/bar\". + \n Note that this matches the behavior of the + PathPrefix match type. This matches full path + elements. A path element refers to the list + of labels in the path split by the `/` separator. + When specified, a trailing `/` is ignored. For + example, the paths `/abc`, `/abc/`, and `/abc/def` + would all match the prefix `/abc`, but the path + `/abcd` would not." + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. + Additional types may be added in a future release + of the API. \n Note that values may be added + to this enum, implementations must ensure that + unknown values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the Route + to `status: False`, with a Reason of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value + of the `Location` header in the response. \n If + no port is specified, the redirect port MUST be + derived using the following rules: \n * If redirect + scheme is not-empty, the redirect port MUST be the + well-known port associated with the redirect scheme. + Specifically \"http\" to port 80 and \"https\" to + port 443. If the redirect scheme does not have a + well-known port, the listener port of the Gateway + SHOULD be used. * If redirect scheme is empty, the + redirect port MUST be the Gateway Listener port. + \n Implementations SHOULD NOT add the port number + in the 'Location' header in the following cases: + \n * A Location header that will use HTTP (whether + that is determined via the Listener protocol or + the Scheme field) _and_ use port 80. * A Location + header that will use HTTPS (whether that is determined + via the Listener protocol or the Scheme field) _and_ + use port 443. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the + value of the `Location` header in the response. + When empty, the scheme of the request is used. \n + Scheme redirects can affect the port of the redirect, + for more information, refer to the documentation + for the port field of this filter. \n Note that + values may be added to this enum, implementations + must ensure that unknown values will not cause a + crash. \n Unknown values here must result in the + implementation setting the Accepted Condition for + the Route to `status: False`, with a Reason of `UnsupportedValue`. + \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to + be used in response. \n Note that values may be + added to this enum, implementations must ensure + that unknown values will not cause a crash. \n Unknown + values here must result in the implementation setting + the Accepted Condition for the Route to `status: + False`, with a Reason of `UnsupportedValue`. \n + Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema + for a filter that modifies response headers. \n Support: + Extended" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It appends + to any existing values associated with the header + name. \n Input: GET /foo HTTP/1.1 my-header: foo + \n Config: add: - name: \"my-header\" value: \"bar,baz\" + \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the + HTTP request before the action. The value of Remove + is a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: + bar my-header3: baz \n Config: remove: [\"my-header1\", + \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: + bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the + given header (name, value) before the action. \n + Input: GET /foo HTTP/1.1 my-header: foo \n Config: + set: - name: \"my-header\" value: \"bar\" \n Output: + GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. + As with other API fields, types are classified into + three conformance levels: \n - Core: Filter types and + their corresponding configuration defined by \"Support: + Core\" in this package, e.g. \"RequestHeaderModifier\". + All implementations must support core filters. \n - + Extended: Filter types and their corresponding configuration + defined by \"Support: Extended\" in this package, e.g. + \"RequestMirror\". Implementers are encouraged to support + extended filters. \n - Implementation-specific: Filters + that are defined and supported by specific vendors. + In the future, filters showing convergence in behavior + across multiple implementations will be considered for + inclusion in extended or core conformance levels. Filter-specific + configuration for such filters is specified using the + ExtensionRef field. `Type` should be set to \"ExtensionRef\" + for custom filters. \n Implementers are encouraged to + define custom implementation types to extend the core + API with implementation-specific behavior. \n If a reference + to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have + been processed by that filter MUST receive a HTTP error + response. \n Note that values may be added to this enum, + implementations must ensure that unknown values will + not cause a crash. \n Unknown values here must result + in the implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason of `UnsupportedValue`." + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter + that modifies a request during forwarding. \n Support: + Extended" + properties: + hostname: + description: "Hostname is the value to be used to + replace the Host header value during forwarding. + \n Support: Extended" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: + Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the value + with which to replace the full path of a request + during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the + value with which to replace the prefix match + of a request during a rewrite or redirect. For + example, a request to \"/foo/bar\" with a prefix + match of \"/foo\" would be modified to \"/bar\". + \n Note that this matches the behavior of the + PathPrefix match type. This matches full path + elements. A path element refers to the list + of labels in the path split by the `/` separator. + When specified, a trailing `/` is ignored. For + example, the paths `/abc`, `/abc/`, and `/abc/def` + would all match the prefix `/abc`, but the path + `/abcd` would not." + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. + Additional types may be added in a future release + of the API. \n Note that values may be added + to this enum, implementations must ensure that + unknown values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the Route + to `status: False`, with a Reason of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the + rule against incoming HTTP requests. Each match is independent, + i.e. this rule will be matched if **any** one of the matches + is satisfied. \n For example, take the following matches configuration: + \n ``` matches: - path: value: \"/foo\" headers: - name: \"version\" + value: \"v2\" - path: value: \"/v2/foo\" ``` \n For a request + to match against this rule, a request must satisfy EITHER + of the two conditions: \n - path prefixed with `/foo` AND + contains the header `version: v2` - path prefix of `/v2/foo` + \n See the documentation for HTTPRouteMatch on how to specify + multiple match conditions that should be ANDed together. \n + If no matches are specified, the default is a prefix path + match on \"/\", which has the effect of matching every HTTP + request. \n Proxy or Load Balancer routing configuration generated + from HTTPRoutes MUST prioritize matches based on the following + criteria, continuing on ties. Across all rules specified on + applicable Routes, precedence must be given to the match having: + \n * \"Exact\" path match. * \"Prefix\" path match with largest + number of characters. * Method match. * Largest number of + header matches. * Largest number of query param matches. \n + Note: The precedence of RegularExpression path matches are + implementation-specific. \n If ties still exist across multiple + Routes, matching precedence MUST be determined in order of + the following criteria, continuing on ties: \n * The oldest + Route based on creation timestamp. * The Route appearing first + in alphabetical order by \"{namespace}/{name}\". \n If ties + still exist within an HTTPRoute, matching precedence MUST + be granted to the FIRST matching rule (in list order) with + a match meeting the above criteria. \n When no rules matching + a request have been successfully attached to the parent a + request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to + match requests to a given action. Multiple match types are + ANDed together, i.e. the match will evaluate to true only + if all conditions are satisfied. \n For example, the match + below will match a HTTP request only if its path starts + with `/foo` AND it contains the `version: v1` header: \n + ``` match: \n path: value: \"/foo\" headers: - name: \"version\" + value \"v1\" \n ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. + Multiple match values are ANDed together, meaning, a + request must match all the specified headers to select + the route. + items: + description: HTTPHeaderMatch describes how to select + a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case insensitive. + (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent header + names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be + ignored. Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered equivalent. + \n When a header is repeated in an HTTP request, + it is implementation-specific behavior as to how + this is represented. Generally, proxies should + follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, with special + handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the header. \n Support: Core (Exact) + \n Support: Implementation-specific (RegularExpression) + \n Since RegularExpression HeaderMatchType has + implementation-specific conformance, implementations + can support POSIX, PCRE or any other dialects + of regular expressions. Please read the implementation's + documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to + be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When + specified, this route will be matched only if the request + has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. + If this field is not specified, a default prefix match + on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against + the path Value. \n Support: Core (Exact, PathPrefix) + \n Support: Implementation-specific (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: "QueryParams specifies HTTP query parameter + matchers. Multiple match values are ANDed together, + meaning, a request must match all the specified query + parameters to select the route. \n Support: Extended" + items: + description: HTTPQueryParamMatch describes how to select + a HTTP route by matching HTTP query parameters. + properties: + name: + description: "Name is the name of the HTTP query + param to be matched. This must be an exact string + match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). + \n If multiple entries specify equivalent query + param names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent query param name MUST + be ignored. \n If a query param is repeated in + an HTTP request, the behavior is purposely left + undefined, since different data planes have different + capabilities. However, it is *recommended* that + implementations should match against the first + value of the param if the data plane supports + it, as this behavior is expected in other load + balancing contexts outside of the Gateway API. + \n Users SHOULD NOT route traffic based on repeated + query params to guard themselves against potential + differences in the implementations." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the query parameter. \n Support: + Extended (Exact) \n Support: Implementation-specific + (RegularExpression) \n Since RegularExpression + QueryParamMatchType has Implementation-specific + conformance, implementations can support POSIX, + PCRE or any other dialects of regular expressions. + Please read the implementation's documentation + to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param + to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) + that are associated with the route, and the status of the route + with respect to each parent. When this route attaches to a parent, + the controller that manages the parent must add an entry to this + list when the controller first sees the route and should update + the entry as appropriate when the route or gateway is modified. + \n Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this + API can only populate Route status for the Gateways/parent resources + they are responsible for. \n A maximum of 32 Gateways will be represented + in this list. An empty list means the route has not been attached + to any Gateway." + items: + description: RouteParentStatus describes the status of a route with + respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with + respect to the Gateway. Note that the route's availability + is also subject to the Gateway's own status conditions and + listener status. \n If the Route's ParentRef specifies an + existing Gateway that supports Routes of this kind AND that + Gateway's controller has sufficient access, then that Gateway's + controller MUST set the \"Accepted\" condition on the Route, + to indicate whether the route has been accepted or rejected + by the Gateway, and why. \n A Route MUST be considered \"Accepted\" + if at least one of the Route's rules is implemented by the + Gateway. \n There are a number of cases where the \"Accepted\" + condition may not be set due to lack of controller visibility, + that includes when: \n * The Route refers to a non-existent + parent. * The Route is of a type that the controller does + not support. * The Route is in a namespace the controller + does not have access to." + items: + description: "Condition contains details for one aspect of + the current state of this API Resource. --- This struct + is intended for direct use as an array at the field path + .status.conditions. For example, \n type FooStatus struct{ + // Represents the observations of a foo's current state. + // Known .status.conditions.type are: \"Available\", \"Progressing\", + and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields + }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should + be when the underlying condition changed. If that is + not known, then using the time when the API field changed + is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, + if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the + current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. The value should + be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. The regex it matches is + (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates + the name of the controller that wrote this status. This corresponds + with the controllerName field on GatewayClass. \n Example: + \"example.net/gateway-controller\". \n The format of this + field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid + Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + \n Controllers MUST populate this field when writing status. + Controllers should ensure that entries to status populated + with their ControllerName are cleaned up when they are no + longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec + that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, + \"gateway.networking.k8s.io\" is inferred. To set the + core API group (such as for a \"Service\" kind referent), + Group must be explicitly set to \"\" (empty string). \n + Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: + Core (Gateway) \n Support: Implementation-specific (Other + Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. + When unspecified, this refers to the local namespace of + the Route. \n Note that there are specific rules for ParentRefs + which cross namespace boundaries. Cross-namespace references + are only valid if they are explicitly allowed by something + in the namespace they are referring to. For example: Gateway + has the AllowedRoutes field, and ReferenceGrant provides + a generic way to enable any other kind of cross-namespace + reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. + It can be interpreted differently based on the type of + parent resource. \n When the parent resource is a Gateway, + this targets all listeners listening on the specified + port that also support this kind of Route(and select this + Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to + a specific port as opposed to a listener(s) whose port(s) + may be changed. When both Port and SectionName are specified, + the name and port of the selected listener must match + both specified values. \n Implementations MAY choose to + support other parent resources. Implementations supporting + other types of parent resources MUST clearly document + how/if Port is interpreted. \n For the purpose of status, + an attachment is considered successful as long as the + parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them + by Route kind, namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from the referencing Route, + the Route MUST be considered successfully attached. If + no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within + the target resource. In the following resources, SectionName + is interpreted as the following: \n * Gateway: Listener + Name. When both Port (experimental) and SectionName are + specified, the name and port of the selected listener + must match both specified values. \n Implementations MAY + choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName + is interpreted. \n When unspecified (empty string), this + will reference the entire resource. For the purpose of + status, an attachment is considered successful if at least + one section in the parent resource accepts it. For example, + Gateway listeners can restrict which Routes can attach + to them by Route kind, namespace, or hostname. If 1 of + 2 Gateway listeners accept attachment from the referencing + Route, the Route MUST be considered successfully attached. + If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +{{- end }} + diff --git a/charts/linkerd/linkerd-crds/2024.9.3/templates/policy/authorization-policy.yaml b/charts/linkerd/linkerd-crds/2024.9.3/templates/policy/authorization-policy.yaml new file mode 100644 index 000000000..7d86520e2 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.9.3/templates/policy/authorization-policy.yaml @@ -0,0 +1,99 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: authorizationpolicies.policy.linkerd.io + annotations: + {{ include "partials.annotations.created-by" . }} + labels: + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + linkerd.io/control-plane-ns: {{.Release.Namespace}} +spec: + group: policy.linkerd.io + scope: Namespaced + names: + kind: AuthorizationPolicy + plural: authorizationpolicies + singular: authorizationpolicy + shortNames: [authzpolicy] + versions: + - name: v1alpha1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + spec: + description: >- + Authorizes clients to communicate with Linkerd-proxied server + resources. + type: object + required: [targetRef, requiredAuthenticationRefs] + properties: + targetRef: + description: >- + TargetRef references a resource to which the authorization + policy applies. + type: object + required: [kind, name] + # Modified from the gateway API. + # Copyright 2020 The Kubernetes Authors + properties: + group: + description: >- + Group is the group of the referent. When empty, the + Kubernetes core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is the kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + requiredAuthenticationRefs: + description: >- + RequiredAuthenticationRefs enumerates a set of required + authentications. ALL authentications must be satisfied for + the authorization to apply. If any of the referred objects + cannot be found, the authorization will be ignored. + type: array + items: + type: object + required: [kind, name] + properties: + group: + description: >- + Group is the group of the referent. When empty, the + Kubernetes core API group is inferred." + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is the kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: >- + Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Name is the name of the referent. When unspecified, + this authentication refers to the local namespace. + maxLength: 253 + type: string diff --git a/charts/linkerd/linkerd-crds/2024.9.3/templates/policy/httproute.yaml b/charts/linkerd/linkerd-crds/2024.9.3/templates/policy/httproute.yaml new file mode 100644 index 000000000..6d2e8b07e --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.9.3/templates/policy/httproute.yaml @@ -0,0 +1,5328 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: httproutes.policy.linkerd.io + annotations: + {{ include "partials.annotations.created-by" . }} + labels: + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + linkerd.io/control-plane-ns: {{.Release.Namespace}} +spec: + group: policy.linkerd.io + names: + kind: HTTPRoute + listKind: HTTPRouteList + plural: httproutes + singular: httproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes + the capability to match requests by hostname, path, header, or query param. + Filters can be used to specify additional processing steps. Backends specify + where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match + against the HTTP Host header to select a HTTPRoute to process the + request. This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may + be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n If a hostname is specified + by both the Listener and HTTPRoute, there must be at least one intersecting + hostname for the HTTPRoute to be attached to the Listener. For example: + \n * A Listener with `test.example.com` as the hostname matches + HTTPRoutes that have either not specified any hostnames, or have + specified at least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches HTTPRoutes + \ that have either not specified any hostnames or have specified + at least one hostname that matches the Listener hostname. For + example, `*.example.com`, `test.example.com`, and `foo.test.example.com` + would all match. On the other hand, `example.com` and `test.example.net` + would not match. \n Hostnames that are prefixed with a wildcard + label (`*.`) are interpreted as a suffix match. That means that + a match for `*.example.com` would match both `test.example.com`, + and `foo.test.example.com`, but not `example.com`. \n If both the + Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames + that do not match the Listener hostname MUST be ignored. For example, + if a Listener specified `*.example.com`, and the HTTPRoute specified + `test.example.com` and `test.example.net`, `test.example.net` must + not be considered for a match. \n If both the Listener and HTTPRoute + have specified hostnames, and none match with the criteria above, + then the HTTPRoute is not accepted. The implementation must raise + an 'Accepted' Condition with a status of `False` in the corresponding + RouteParentStatus. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network + host. This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname + may be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n Hostname can be \"precise\" + which is a domain name without the terminating dot of a network + host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain + name prefixed with a single wildcard label (e.g. `*.example.com`). + \n Note that as per RFC1035 and RFC1123, a *label* must consist + of lower case alphanumeric characters or '-', and must start and + end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) + that a Route wants to be attached to. Note that the referenced parent + resource needs to allow this for the attachment to be complete. + For Gateways, that means the Gateway needs to allow attachment from + Routes of this kind and namespace. \n The only kind of parent resource + with \"Core\" support is Gateway. This API may be extended in the + future to support additional kinds of parent resources such as one + of the route kinds. \n It is invalid to reference an identical parent + more than once. It is valid to reference multiple distinct sections + within the same parent resource, such as 2 Listeners within a Gateway. + \n It is possible to separately reference multiple distinct objects + that may be collapsed by an implementation. For example, some implementations + may choose to merge compatible Gateway Listeners together. If that + is the case, the list of routes attached to those resources should + also be merged." + items: + description: "ParentReference identifies an API object (usually + a Gateway) that can be considered a parent of this resource (usually + a route). The only kind of parent resource with \"Core\" support + is Gateway. This API may be extended in the future to support + additional kinds of parent resources, such as HTTPRoute. \n The + API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid." + properties: + group: + default: policy.linkerd.io + description: "Group is the group of the referent. \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core + (Gateway) Support: Custom (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When + unspecified (or empty string), this refers to the local namespace + of the Route. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "port" + type: integer + sectionName: + description: "SectionName is the name of a section within the + target resource. In the following resources, SectionName is + interpreted as the following: \n * Gateway: Listener Name. + When both Port (experimental) and SectionName are specified, + the name and port of the selected listener must match both + specified values. \n Implementations MAY choose to support + attaching Routes to other resources. If that is the case, + they MUST clearly document how SectionName is interpreted. + \n When unspecified (empty string), this will reference the + entire resource. For the purpose of status, an attachment + is considered successful if at least one section in the parent + resource accepts it. For example, Gateway listeners can restrict + which Routes can attach to them by Route kind, namespace, + or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this + Route, the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP + request based on conditions (matches) and processing it (filters). + properties: + backendRefs: + type: array + items: + type: object + properties: + name: + type: string + port: + type: integer + namespace: + type: string + default: "default" + filters: + description: "Filters defined at this level should be + executed if and only if the request is being forwarded + to the backend defined here. \n Support: Implementation-specific + (For broader support of filters, use the Filters field + in HTTPRouteRule.)" + items: + description: HTTPRouteFilter defines processing steps + that must be completed during the request or response + lifecycle. HTTPRouteFilters are meant as an extension + point to express processing that may be done in Gateway + implementations. Some examples include request or + response modification, implementing authentication + strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type + of the filter. + properties: + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema + for a filter that modifies request headers. \n + Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestRedirect: + description: "RequestRedirect defines a schema for + a filter that responds to the request with an + HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be + used in the value of the `Location` header + in the response. When empty, the hostname + in the `Host` header of the request is used. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to + modify the path of the incoming request. The + modified path is then used to construct the + `Location` header. When empty, the request + path is used as-is. \n Support: Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the + value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies + the value with which to replace the prefix + match of a request during a rewrite or + redirect. For example, a request to \"/foo/bar\" + with a prefix match of \"/foo\" and a + ReplacePrefixMatch of \"/xyz\" would be + modified to \"/xyz/bar\". \n Note that + this matches the behavior of the PathPrefix + match type. This matches full path elements. + A path element refers to the list of labels + in the path split by the `/` separator. + When specified, a trailing `/` is ignored. + For example, the paths `/abc`, `/abc/`, + and `/abc/def` would all match the prefix + `/abc`, but the path `/abcd` would not. + \n Request Path | Prefix Match | Replace + Prefix | Modified Path -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | + /xyz/bar /foo/bar | /foo | + /xyz/ | /xyz/bar /foo/bar | + /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | + /xyz/bar /foo | /foo | + /xyz | /xyz /foo/ | /foo + \ | /xyz | /xyz/ /foo/bar + \ | /foo | | + /bar /foo/ | /foo | | / /foo | /foo | + | / /foo/ | /foo + \ | / | / /foo | + /foo | / | /" + maxLength: 1024 + type: string + type: + description: "Type defines the type of path + modifier. Additional types may be added + in a future release of the API. \n Note + that values may be added to this enum, + implementations must ensure that unknown + values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the + Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in + the value of the `Location` header in the + response. \n If no port is specified, the + redirect port MUST be derived using the following + rules: \n * If redirect scheme is not-empty, + the redirect port MUST be the well-known port + associated with the redirect scheme. Specifically + \"http\" to port 80 and \"https\" to port + 443. If the redirect scheme does not have + a well-known port, the listener port of the + Gateway SHOULD be used. * If redirect scheme + is empty, the redirect port MUST be the Gateway + Listener port. \n Implementations SHOULD NOT + add the port number in the 'Location' header + in the following cases: \n * A Location header + that will use HTTP (whether that is determined + via the Listener protocol or the Scheme field) + _and_ use port 80. * A Location header that + will use HTTPS (whether that is determined + via the Listener protocol or the Scheme field) + _and_ use port 443. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used + in the value of the `Location` header in the + response. When empty, the scheme of the request + is used. \n Scheme redirects can affect the + port of the redirect, for more information, + refer to the documentation for the port field + of this filter. \n Note that values may be + added to this enum, implementations must ensure + that unknown values will not cause a crash. + \n Unknown values here must result in the + implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason + of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status + code to be used in response. \n Note that + values may be added to this enum, implementations + must ensure that unknown values will not cause + a crash. \n Unknown values here must result + in the implementation setting the Accepted + Condition for the Route to `status: False`, + with a Reason of `UnsupportedValue`. \n Support: + Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema + for a filter that modifies response headers. \n + Support: Extended" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter + to apply. As with other API fields, types are + classified into three conformance levels: \n - + Core: Filter types and their corresponding configuration + defined by \"Support: Core\" in this package, + e.g. \"RequestHeaderModifier\". All implementations + must support core filters. \n - Extended: Filter + types and their corresponding configuration defined + by \"Support: Extended\" in this package, e.g. + \"RequestMirror\". Implementers are encouraged + to support extended filters. \n - Implementation-specific: + Filters that are defined and supported by specific + vendors. In the future, filters showing convergence + in behavior across multiple implementations will + be considered for inclusion in extended or core + conformance levels. Filter-specific configuration + for such filters is specified using the ExtensionRef + field. `Type` should be set to \"ExtensionRef\" + for custom filters. \n Implementers are encouraged + to define custom implementation types to extend + the core API with implementation-specific behavior. + \n If a reference to a custom filter type cannot + be resolved, the filter MUST NOT be skipped. Instead, + requests that would have been processed by that + filter MUST receive a HTTP error response. \n + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause + a crash. \n Unknown values here must result in + the implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestRedirect + type: string + required: + - type + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to + requests that match this rule. \n The effects of ordering + of multiple behaviors are currently unspecified. This can + change in the future based on feedback during the alpha stage. + \n Conformance-levels at this level are defined based on the + type of filter: \n - ALL core filters MUST be supported by + all implementations. - Implementers are encouraged to support + extended filters. - Implementation-specific custom filters + have no API guarantees across implementations. \n Specifying + a core filter multiple times has unspecified or custom conformance. + \n All filters are expected to be compatible with each other + except for the URLRewrite and RequestRedirect filters, which + may not be combined. If an implementation can not support + other combinations of filters, they must clearly document + that limitation. In all cases where incompatible or unsupported + filters are specified, implementations MUST add a warning + condition to status. \n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that + must be completed during the request or response lifecycle. + HTTPRouteFilters are meant as an extension point to express + processing that may be done in Gateway implementations. + Some examples include request or response modification, + implementing authentication strategies, rate-limiting, and + traffic shaping. API guarantee/conformance is defined based + on the type of the filter. + properties: + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for + a filter that modifies request headers. \n Support: + Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It appends + to any existing values associated with the header + name. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: add: - name: \"my-header\" value: + \"bar\" \n Output: GET /foo HTTP/1.1 my-header: + foo my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the + HTTP request before the action. The value of Remove + is a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + \ my-header2: bar my-header3: baz \n Config: + \ remove: [\"my-header1\", \"my-header3\"] \n Output: + \ GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the + given header (name, value) before the action. \n + Input: GET /foo HTTP/1.1 my-header: foo \n Config: + \ set: - name: \"my-header\" value: \"bar\" + \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter + that responds to the request with an HTTP redirection. + \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used + in the value of the `Location` header in the response. + When empty, the hostname of the request is used. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to + modify the path of the incoming request. The + modified path is then used to construct the + `Location` header. When empty, the request + path is used as-is. \n Support: Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the + value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies + the value with which to replace the prefix + match of a request during a rewrite or + redirect. For example, a request to \"/foo/bar\" + with a prefix match of \"/foo\" and a + ReplacePrefixMatch of \"/xyz\" would be + modified to \"/xyz/bar\". \n Note that + this matches the behavior of the PathPrefix + match type. This matches full path elements. + A path element refers to the list of labels + in the path split by the `/` separator. + When specified, a trailing `/` is ignored. + For example, the paths `/abc`, `/abc/`, + and `/abc/def` would all match the prefix + `/abc`, but the path `/abcd` would not. + \n Request Path | Prefix Match | Replace + Prefix | Modified Path -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | + /xyz/bar /foo/bar | /foo | + /xyz/ | /xyz/bar /foo/bar | + /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | + /xyz/bar /foo | /foo | + /xyz | /xyz /foo/ | /foo + \ | /xyz | /xyz/ /foo/bar + \ | /foo | | + /bar /foo/ | /foo | | / /foo | /foo | + | / /foo/ | /foo + \ | / | / /foo | + /foo | / | /" + maxLength: 1024 + type: string + type: + description: "Type defines the type of path + modifier. Additional types may be added + in a future release of the API. \n Note + that values may be added to this enum, + implementations must ensure that unknown + values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the + Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value + of the `Location` header in the response. When empty, + port (if specified) of the request is used. \n Support: + Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the + value of the `Location` header in the response. + When empty, the scheme of the request is used. \n + Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to + be used in response. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + type: + description: "Type identifies the type of filter to apply. + As with other API fields, types are classified into + three conformance levels: \n - Core: Filter types and + their corresponding configuration defined by \"Support: + Core\" in this package, e.g. \"RequestHeaderModifier\". + All implementations must support core filters. \n\n " + enum: + - RequestHeaderModifier + - RequestRedirect + type: string + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the + rule against incoming HTTP requests. Each match is independent, + i.e. this rule will be matched if **any** one of the matches + is satisfied. \n For example, take the following matches configuration: + \n ``` matches: - path: value: \"/foo\" headers: - + name: \"version\" value: \"v2\" - path: value: \"/v2/foo\" + ``` \n For a request to match against this rule, a request + must satisfy EITHER of the two conditions: \n - path prefixed + with `/foo` AND contains the header `version: v2` - path prefix + of `/v2/foo` \n See the documentation for HTTPRouteMatch on + how to specify multiple match conditions that should be ANDed + together. \n If no matches are specified, the default is a + prefix path match on \"/\", which has the effect of matching + every HTTP request. \n Proxy or Load Balancer routing configuration + generated from HTTPRoutes MUST prioritize rules based on the + following criteria, continuing on ties. Precedence must be + given to the the Rule with the largest number of: \n * Characters + in a matching non-wildcard hostname. * Characters in a matching + hostname. * Characters in a matching path. * Header matches. + * Query param matches. \n If ties still exist across multiple + Routes, matching precedence MUST be determined in order of + the following criteria, continuing on ties: \n * The oldest + Route based on creation timestamp. * The Route appearing first + in alphabetical order by \"{namespace}/{name}\". \n If ties + still exist within the Route that has been given precedence, + matching precedence MUST be granted to the first matching + rule meeting the above criteria. \n When no rules matching + a request have been successfully attached to the parent a + request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to + match requests to a given action. Multiple match types are + ANDed together, i.e. the match will evaluate to true only + if all conditions are satisfied. \n For example, the match + below will match a HTTP request only if its path starts + with `/foo` AND it contains the `version: v1` header: \n + ``` match: path: value: \"/foo\" headers: - name: + \"version\" value \"v1\" ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. + Multiple match values are ANDed together, meaning, a + request must match all the specified headers to select + the route. + items: + description: HTTPHeaderMatch describes how to select + a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case insensitive. + (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent header + names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be + ignored. Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered equivalent. + \n When a header is repeated in an HTTP request, + it is implementation-specific behavior as to how + this is represented. Generally, proxies should + follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, with special + handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the header. \n Support: Core (Exact) + \n Support: Custom (RegularExpression) \n Since + RegularExpression HeaderMatchType has custom conformance, + implementations can support POSIX, PCRE or any + other dialects of regular expressions. Please + read the implementation's documentation to determine + the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to + be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When + specified, this route will be matched only if the request + has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. + If this field is not specified, a default prefix match + on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against + the path Value. \n Support: Core (Exact, PathPrefix) + \n Support: Custom (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: QueryParams specifies HTTP query parameter + matchers. Multiple match values are ANDed together, + meaning, a request must match all the specified query + parameters to select the route. + items: + description: HTTPQueryParamMatch describes how to select + a HTTP route by matching HTTP query parameters. + properties: + name: + description: Name is the name of the HTTP query + param to be matched. This must be an exact string + match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the query parameter. \n Support: + Extended (Exact) \n Support: Custom (RegularExpression) + \n Since RegularExpression QueryParamMatchType + has custom conformance, implementations can support + POSIX, PCRE or any other dialects of regular expressions. + Please read the implementation's documentation + to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param + to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) + that are associated with the route, and the status of the route + with respect to each parent. When this route attaches to a parent, + the controller that manages the parent must add an entry to this + list when the controller first sees the route and should update + the entry as appropriate when the route or gateway is modified. + \n Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this + API can only populate Route status for the Gateways/parent resources + they are responsible for. \n A maximum of 32 Gateways will be represented + in this list. An empty list means the route has not been attached + to any Gateway." + items: + description: RouteParentStatus describes the status of a route with + respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with + respect to the Gateway. Note that the route's availability + is also subject to the Gateway's own status conditions and + listener status. \n If the Route's ParentRef specifies an + existing Gateway that supports Routes of this kind AND that + Gateway's controller has sufficient access, then that Gateway's + controller MUST set the \"Accepted\" condition on the Route, + to indicate whether the route has been accepted or rejected + by the Gateway, and why. \n A Route MUST be considered \"Accepted\" + if at least one of the Route's rules is implemented by the + Gateway. \n There are a number of cases where the \"Accepted\" + condition may not be set due to lack of controller visibility, + that includes when: \n * The Route refers to a non-existent + parent. * The Route is of a type that the controller does + not support. * The Route is in a namespace the the controller + does not have access to." + items: + description: "Condition contains details for one aspect of + the current state of this API Resource. --- This struct + is intended for direct use as an array at the field path + .status.conditions. For example, type FooStatus struct{ + \ // Represents the observations of a foo's current state. + \ // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type + \ // +patchStrategy=merge // +listType=map // + +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` + \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should + be when the underlying condition changed. If that is + not known, then using the time when the API field changed + is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, + if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the + current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. The value should + be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. The regex it matches is + (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates + the name of the controller that wrote this status. This corresponds + with the controllerName field on GatewayClass. \n Example: + \"example.net/gateway-controller\". \n The format of this + field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid + Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + \n Controllers MUST populate this field when writing status. + Controllers should ensure that entries to status populated + with their ControllerName are cleaned up when they are no + longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec + that this RouteParentStatus struct describes the status of. + properties: + group: + default: policy.linkerd.io + description: "Group is the group of the referent. \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: + Core (Gateway) Support: Custom (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. + When unspecified (or empty string), this refers to the + local namespace of the Route. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. + It can be interpreted differently based on the type of + parent resource. \n When the parent resource is a Gateway, + this targets all listeners listening on the specified + port that also support this kind of Route(and select this + Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to + a specific port as opposed to a listener(s) whose port(s) + may be changed. When both Port and SectionName are specified, + the name and port of the selected listener must match + both specified values. \n Implementations MAY choose to + support other parent resources. Implementations supporting + other types of parent resources MUST clearly document + how/if Port is interpreted. \n For the purpose of status, + an attachment is considered successful as long as the + parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them + by Route kind, namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from the referencing Route, + the Route MUST be considered successfully attached. If + no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within + the target resource. In the following resources, SectionName + is interpreted as the following: \n * Gateway: Listener + Name. When both Port (experimental) and SectionName are + specified, the name and port of the selected listener + must match both specified values. \n Implementations MAY + choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName + is interpreted. \n When unspecified (empty string), this + will reference the entire resource. For the purpose of + status, an attachment is considered successful if at least + one section in the parent resource accepts it. For example, + Gateway listeners can restrict which Routes can attach + to them by Route kind, namespace, or hostname. If 1 of + 2 Gateway listeners accept attachment from the referencing + Route, the Route MUST be considered successfully attached. + If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes + the capability to match requests by hostname, path, header, or query param. + Filters can be used to specify additional processing steps. Backends specify + where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match + against the HTTP Host header to select a HTTPRoute to process the + request. This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may + be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n If a hostname is specified + by both the Listener and HTTPRoute, there must be at least one intersecting + hostname for the HTTPRoute to be attached to the Listener. For example: + \n * A Listener with `test.example.com` as the hostname matches + HTTPRoutes that have either not specified any hostnames, or have + specified at least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches HTTPRoutes + \ that have either not specified any hostnames or have specified + at least one hostname that matches the Listener hostname. For + example, `*.example.com`, `test.example.com`, and `foo.test.example.com` + would all match. On the other hand, `example.com` and `test.example.net` + would not match. \n Hostnames that are prefixed with a wildcard + label (`*.`) are interpreted as a suffix match. That means that + a match for `*.example.com` would match both `test.example.com`, + and `foo.test.example.com`, but not `example.com`. \n If both the + Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames + that do not match the Listener hostname MUST be ignored. For example, + if a Listener specified `*.example.com`, and the HTTPRoute specified + `test.example.com` and `test.example.net`, `test.example.net` must + not be considered for a match. \n If both the Listener and HTTPRoute + have specified hostnames, and none match with the criteria above, + then the HTTPRoute is not accepted. The implementation must raise + an 'Accepted' Condition with a status of `False` in the corresponding + RouteParentStatus. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network + host. This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname + may be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n Hostname can be \"precise\" + which is a domain name without the terminating dot of a network + host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain + name prefixed with a single wildcard label (e.g. `*.example.com`). + \n Note that as per RFC1035 and RFC1123, a *label* must consist + of lower case alphanumeric characters or '-', and must start and + end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) + that a Route wants to be attached to. Note that the referenced parent + resource needs to allow this for the attachment to be complete. + For Gateways, that means the Gateway needs to allow attachment from + Routes of this kind and namespace. \n The only kind of parent resource + with \"Core\" support is Gateway. This API may be extended in the + future to support additional kinds of parent resources such as one + of the route kinds. \n It is invalid to reference an identical parent + more than once. It is valid to reference multiple distinct sections + within the same parent resource, such as 2 Listeners within a Gateway. + \n It is possible to separately reference multiple distinct objects + that may be collapsed by an implementation. For example, some implementations + may choose to merge compatible Gateway Listeners together. If that + is the case, the list of routes attached to those resources should + also be merged." + items: + description: "ParentReference identifies an API object (usually + a Gateway) that can be considered a parent of this resource (usually + a route). The only kind of parent resource with \"Core\" support + is Gateway. This API may be extended in the future to support + additional kinds of parent resources, such as HTTPRoute. \n The + API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid." + properties: + group: + default: policy.linkerd.io + description: "Group is the group of the referent. \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core + (Gateway) Support: Custom (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When + unspecified (or empty string), this refers to the local namespace + of the Route. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "port" + type: integer + sectionName: + description: "SectionName is the name of a section within the + target resource. In the following resources, SectionName is + interpreted as the following: \n * Gateway: Listener Name. + When both Port (experimental) and SectionName are specified, + the name and port of the selected listener must match both + specified values. \n Implementations MAY choose to support + attaching Routes to other resources. If that is the case, + they MUST clearly document how SectionName is interpreted. + \n When unspecified (empty string), this will reference the + entire resource. For the purpose of status, an attachment + is considered successful if at least one section in the parent + resource accepts it. For example, Gateway listeners can restrict + which Routes can attach to them by Route kind, namespace, + or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this + Route, the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP + request based on conditions (matches) and processing it (filters). + properties: + backendRefs: + type: array + items: + type: object + properties: + name: + type: string + port: + type: integer + namespace: + type: string + default: "default" + filters: + description: "Filters defined at this level should be + executed if and only if the request is being forwarded + to the backend defined here. \n Support: Implementation-specific + (For broader support of filters, use the Filters field + in HTTPRouteRule.)" + items: + description: HTTPRouteFilter defines processing steps + that must be completed during the request or response + lifecycle. HTTPRouteFilters are meant as an extension + point to express processing that may be done in Gateway + implementations. Some examples include request or + response modification, implementing authentication + strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type + of the filter. + properties: + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema + for a filter that modifies request headers. \n + Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestRedirect: + description: "RequestRedirect defines a schema for + a filter that responds to the request with an + HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be + used in the value of the `Location` header + in the response. When empty, the hostname + in the `Host` header of the request is used. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to + modify the path of the incoming request. The + modified path is then used to construct the + `Location` header. When empty, the request + path is used as-is. \n Support: Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the + value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies + the value with which to replace the prefix + match of a request during a rewrite or + redirect. For example, a request to \"/foo/bar\" + with a prefix match of \"/foo\" and a + ReplacePrefixMatch of \"/xyz\" would be + modified to \"/xyz/bar\". \n Note that + this matches the behavior of the PathPrefix + match type. This matches full path elements. + A path element refers to the list of labels + in the path split by the `/` separator. + When specified, a trailing `/` is ignored. + For example, the paths `/abc`, `/abc/`, + and `/abc/def` would all match the prefix + `/abc`, but the path `/abcd` would not. + \n Request Path | Prefix Match | Replace + Prefix | Modified Path -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | + /xyz/bar /foo/bar | /foo | + /xyz/ | /xyz/bar /foo/bar | + /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | + /xyz/bar /foo | /foo | + /xyz | /xyz /foo/ | /foo + \ | /xyz | /xyz/ /foo/bar + \ | /foo | | + /bar /foo/ | /foo | | / /foo | /foo | + | / /foo/ | /foo + \ | / | / /foo | + /foo | / | /" + maxLength: 1024 + type: string + type: + description: "Type defines the type of path + modifier. Additional types may be added + in a future release of the API. \n Note + that values may be added to this enum, + implementations must ensure that unknown + values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the + Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in + the value of the `Location` header in the + response. \n If no port is specified, the + redirect port MUST be derived using the following + rules: \n * If redirect scheme is not-empty, + the redirect port MUST be the well-known port + associated with the redirect scheme. Specifically + \"http\" to port 80 and \"https\" to port + 443. If the redirect scheme does not have + a well-known port, the listener port of the + Gateway SHOULD be used. * If redirect scheme + is empty, the redirect port MUST be the Gateway + Listener port. \n Implementations SHOULD NOT + add the port number in the 'Location' header + in the following cases: \n * A Location header + that will use HTTP (whether that is determined + via the Listener protocol or the Scheme field) + _and_ use port 80. * A Location header that + will use HTTPS (whether that is determined + via the Listener protocol or the Scheme field) + _and_ use port 443. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used + in the value of the `Location` header in the + response. When empty, the scheme of the request + is used. \n Scheme redirects can affect the + port of the redirect, for more information, + refer to the documentation for the port field + of this filter. \n Note that values may be + added to this enum, implementations must ensure + that unknown values will not cause a crash. + \n Unknown values here must result in the + implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason + of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status + code to be used in response. \n Note that + values may be added to this enum, implementations + must ensure that unknown values will not cause + a crash. \n Unknown values here must result + in the implementation setting the Accepted + Condition for the Route to `status: False`, + with a Reason of `UnsupportedValue`. \n Support: + Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema + for a filter that modifies response headers. \n + Support: Extended" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter + to apply. As with other API fields, types are + classified into three conformance levels: \n - + Core: Filter types and their corresponding configuration + defined by \"Support: Core\" in this package, + e.g. \"RequestHeaderModifier\". All implementations + must support core filters. \n - Extended: Filter + types and their corresponding configuration defined + by \"Support: Extended\" in this package, e.g. + \"RequestMirror\". Implementers are encouraged + to support extended filters. \n - Implementation-specific: + Filters that are defined and supported by specific + vendors. In the future, filters showing convergence + in behavior across multiple implementations will + be considered for inclusion in extended or core + conformance levels. Filter-specific configuration + for such filters is specified using the ExtensionRef + field. `Type` should be set to \"ExtensionRef\" + for custom filters. \n Implementers are encouraged + to define custom implementation types to extend + the core API with implementation-specific behavior. + \n If a reference to a custom filter type cannot + be resolved, the filter MUST NOT be skipped. Instead, + requests that would have been processed by that + filter MUST receive a HTTP error response. \n + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause + a crash. \n Unknown values here must result in + the implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestRedirect + type: string + required: + - type + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to + requests that match this rule. \n The effects of ordering + of multiple behaviors are currently unspecified. This can + change in the future based on feedback during the alpha stage. + \n Conformance-levels at this level are defined based on the + type of filter: \n - ALL core filters MUST be supported by + all implementations. - Implementers are encouraged to support + extended filters. - Implementation-specific custom filters + have no API guarantees across implementations. \n Specifying + a core filter multiple times has unspecified or custom conformance. + \n All filters are expected to be compatible with each other + except for the URLRewrite and RequestRedirect filters, which + may not be combined. If an implementation can not support + other combinations of filters, they must clearly document + that limitation. In all cases where incompatible or unsupported + filters are specified, implementations MUST add a warning + condition to status. \n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that + must be completed during the request or response lifecycle. + HTTPRouteFilters are meant as an extension point to express + processing that may be done in Gateway implementations. + Some examples include request or response modification, + implementing authentication strategies, rate-limiting, and + traffic shaping. API guarantee/conformance is defined based + on the type of the filter. + properties: + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for + a filter that modifies request headers. \n Support: + Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It appends + to any existing values associated with the header + name. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: add: - name: \"my-header\" value: + \"bar\" \n Output: GET /foo HTTP/1.1 my-header: + foo my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the + HTTP request before the action. The value of Remove + is a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + \ my-header2: bar my-header3: baz \n Config: + \ remove: [\"my-header1\", \"my-header3\"] \n Output: + \ GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the + given header (name, value) before the action. \n + Input: GET /foo HTTP/1.1 my-header: foo \n Config: + \ set: - name: \"my-header\" value: \"bar\" + \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter + that responds to the request with an HTTP redirection. + \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used + in the value of the `Location` header in the response. + When empty, the hostname of the request is used. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to + modify the path of the incoming request. The + modified path is then used to construct the + `Location` header. When empty, the request + path is used as-is. \n Support: Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the + value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies + the value with which to replace the prefix + match of a request during a rewrite or + redirect. For example, a request to \"/foo/bar\" + with a prefix match of \"/foo\" and a + ReplacePrefixMatch of \"/xyz\" would be + modified to \"/xyz/bar\". \n Note that + this matches the behavior of the PathPrefix + match type. This matches full path elements. + A path element refers to the list of labels + in the path split by the `/` separator. + When specified, a trailing `/` is ignored. + For example, the paths `/abc`, `/abc/`, + and `/abc/def` would all match the prefix + `/abc`, but the path `/abcd` would not. + \n Request Path | Prefix Match | Replace + Prefix | Modified Path -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | + /xyz/bar /foo/bar | /foo | + /xyz/ | /xyz/bar /foo/bar | + /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | + /xyz/bar /foo | /foo | + /xyz | /xyz /foo/ | /foo + \ | /xyz | /xyz/ /foo/bar + \ | /foo | | + /bar /foo/ | /foo | | / /foo | /foo | + | / /foo/ | /foo + \ | / | / /foo | + /foo | / | /" + maxLength: 1024 + type: string + type: + description: "Type defines the type of path + modifier. Additional types may be added + in a future release of the API. \n Note + that values may be added to this enum, + implementations must ensure that unknown + values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the + Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value + of the `Location` header in the response. When empty, + port (if specified) of the request is used. \n Support: + Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the + value of the `Location` header in the response. + When empty, the scheme of the request is used. \n + Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to + be used in response. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + type: + description: "Type identifies the type of filter to apply. + As with other API fields, types are classified into + three conformance levels: \n - Core: Filter types and + their corresponding configuration defined by \"Support: + Core\" in this package, e.g. \"RequestHeaderModifier\"." + enum: + - RequestHeaderModifier + - RequestRedirect + type: string + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the + rule against incoming HTTP requests. Each match is independent, + i.e. this rule will be matched if **any** one of the matches + is satisfied. \n For example, take the following matches configuration: + \n ``` matches: - path: value: \"/foo\" headers: - + name: \"version\" value: \"v2\" - path: value: \"/v2/foo\" + ``` \n For a request to match against this rule, a request + must satisfy EITHER of the two conditions: \n - path prefixed + with `/foo` AND contains the header `version: v2` - path prefix + of `/v2/foo` \n See the documentation for HTTPRouteMatch on + how to specify multiple match conditions that should be ANDed + together. \n If no matches are specified, the default is a + prefix path match on \"/\", which has the effect of matching + every HTTP request. \n Proxy or Load Balancer routing configuration + generated from HTTPRoutes MUST prioritize rules based on the + following criteria, continuing on ties. Precedence must be + given to the the Rule with the largest number of: \n * Characters + in a matching non-wildcard hostname. * Characters in a matching + hostname. * Characters in a matching path. * Header matches. + * Query param matches. \n If ties still exist across multiple + Routes, matching precedence MUST be determined in order of + the following criteria, continuing on ties: \n * The oldest + Route based on creation timestamp. * The Route appearing first + in alphabetical order by \"{namespace}/{name}\". \n If ties + still exist within the Route that has been given precedence, + matching precedence MUST be granted to the first matching + rule meeting the above criteria. \n When no rules matching + a request have been successfully attached to the parent a + request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to + match requests to a given action. Multiple match types are + ANDed together, i.e. the match will evaluate to true only + if all conditions are satisfied. \n For example, the match + below will match a HTTP request only if its path starts + with `/foo` AND it contains the `version: v1` header: \n + ``` match: path: value: \"/foo\" headers: - name: + \"version\" value \"v1\" ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. + Multiple match values are ANDed together, meaning, a + request must match all the specified headers to select + the route. + items: + description: HTTPHeaderMatch describes how to select + a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case insensitive. + (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent header + names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be + ignored. Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered equivalent. + \n When a header is repeated in an HTTP request, + it is implementation-specific behavior as to how + this is represented. Generally, proxies should + follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, with special + handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the header. \n Support: Core (Exact) + \n Support: Custom (RegularExpression) \n Since + RegularExpression HeaderMatchType has custom conformance, + implementations can support POSIX, PCRE or any + other dialects of regular expressions. Please + read the implementation's documentation to determine + the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to + be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When + specified, this route will be matched only if the request + has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. + If this field is not specified, a default prefix match + on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against + the path Value. \n Support: Core (Exact, PathPrefix) + \n Support: Custom (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: QueryParams specifies HTTP query parameter + matchers. Multiple match values are ANDed together, + meaning, a request must match all the specified query + parameters to select the route. + items: + description: HTTPQueryParamMatch describes how to select + a HTTP route by matching HTTP query parameters. + properties: + name: + description: Name is the name of the HTTP query + param to be matched. This must be an exact string + match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the query parameter. \n Support: + Extended (Exact) \n Support: Custom (RegularExpression) + \n Since RegularExpression QueryParamMatchType + has custom conformance, implementations can support + POSIX, PCRE or any other dialects of regular expressions. + Please read the implementation's documentation + to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param + to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) + that are associated with the route, and the status of the route + with respect to each parent. When this route attaches to a parent, + the controller that manages the parent must add an entry to this + list when the controller first sees the route and should update + the entry as appropriate when the route or gateway is modified. + \n Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this + API can only populate Route status for the Gateways/parent resources + they are responsible for. \n A maximum of 32 Gateways will be represented + in this list. An empty list means the route has not been attached + to any Gateway." + items: + description: RouteParentStatus describes the status of a route with + respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with + respect to the Gateway. Note that the route's availability + is also subject to the Gateway's own status conditions and + listener status. \n If the Route's ParentRef specifies an + existing Gateway that supports Routes of this kind AND that + Gateway's controller has sufficient access, then that Gateway's + controller MUST set the \"Accepted\" condition on the Route, + to indicate whether the route has been accepted or rejected + by the Gateway, and why. \n A Route MUST be considered \"Accepted\" + if at least one of the Route's rules is implemented by the + Gateway. \n There are a number of cases where the \"Accepted\" + condition may not be set due to lack of controller visibility, + that includes when: \n * The Route refers to a non-existent + parent. * The Route is of a type that the controller does + not support. * The Route is in a namespace the the controller + does not have access to." + items: + description: "Condition contains details for one aspect of + the current state of this API Resource. --- This struct + is intended for direct use as an array at the field path + .status.conditions. For example, type FooStatus struct{ + \ // Represents the observations of a foo's current state. + \ // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type + \ // +patchStrategy=merge // +listType=map // + +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` + \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should + be when the underlying condition changed. If that is + not known, then using the time when the API field changed + is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, + if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the + current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. The value should + be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. The regex it matches is + (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates + the name of the controller that wrote this status. This corresponds + with the controllerName field on GatewayClass. \n Example: + \"example.net/gateway-controller\". \n The format of this + field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid + Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + \n Controllers MUST populate this field when writing status. + Controllers should ensure that entries to status populated + with their ControllerName are cleaned up when they are no + longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec + that this RouteParentStatus struct describes the status of. + properties: + group: + default: policy.linkerd.io + description: "Group is the group of the referent. \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: + Core (Gateway) Support: Custom (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. + When unspecified (or empty string), this refers to the + local namespace of the Route. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. + It can be interpreted differently based on the type of + parent resource. \n When the parent resource is a Gateway, + this targets all listeners listening on the specified + port that also support this kind of Route(and select this + Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to + a specific port as opposed to a listener(s) whose port(s) + may be changed. When both Port and SectionName are specified, + the name and port of the selected listener must match + both specified values. \n Implementations MAY choose to + support other parent resources. Implementations supporting + other types of parent resources MUST clearly document + how/if Port is interpreted. \n For the purpose of status, + an attachment is considered successful as long as the + parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them + by Route kind, namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from the referencing Route, + the Route MUST be considered successfully attached. If + no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within + the target resource. In the following resources, SectionName + is interpreted as the following: \n * Gateway: Listener + Name. When both Port (experimental) and SectionName are + specified, the name and port of the selected listener + must match both specified values. \n Implementations MAY + choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName + is interpreted. \n When unspecified (empty string), this + will reference the entire resource. For the purpose of + status, an attachment is considered successful if at least + one section in the parent resource accepts it. For example, + Gateway listeners can restrict which Routes can attach + to them by Route kind, namespace, or hostname. If 1 of + 2 Gateway listeners accept attachment from the referencing + Route, the Route MUST be considered successfully attached. + If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta2 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes + the capability to match requests by hostname, path, header, or query param. + Filters can be used to specify additional processing steps. Backends specify + where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match + against the HTTP Host header to select a HTTPRoute to process the + request. This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may + be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n If a hostname is specified + by both the Listener and HTTPRoute, there must be at least one intersecting + hostname for the HTTPRoute to be attached to the Listener. For example: + \n * A Listener with `test.example.com` as the hostname matches + HTTPRoutes that have either not specified any hostnames, or have + specified at least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches HTTPRoutes + \ that have either not specified any hostnames or have specified + at least one hostname that matches the Listener hostname. For + example, `*.example.com`, `test.example.com`, and `foo.test.example.com` + would all match. On the other hand, `example.com` and `test.example.net` + would not match. \n Hostnames that are prefixed with a wildcard + label (`*.`) are interpreted as a suffix match. That means that + a match for `*.example.com` would match both `test.example.com`, + and `foo.test.example.com`, but not `example.com`. \n If both the + Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames + that do not match the Listener hostname MUST be ignored. For example, + if a Listener specified `*.example.com`, and the HTTPRoute specified + `test.example.com` and `test.example.net`, `test.example.net` must + not be considered for a match. \n If both the Listener and HTTPRoute + have specified hostnames, and none match with the criteria above, + then the HTTPRoute is not accepted. The implementation must raise + an 'Accepted' Condition with a status of `False` in the corresponding + RouteParentStatus. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network + host. This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname + may be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n Hostname can be \"precise\" + which is a domain name without the terminating dot of a network + host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain + name prefixed with a single wildcard label (e.g. `*.example.com`). + \n Note that as per RFC1035 and RFC1123, a *label* must consist + of lower case alphanumeric characters or '-', and must start and + end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) + that a Route wants to be attached to. Note that the referenced parent + resource needs to allow this for the attachment to be complete. + For Gateways, that means the Gateway needs to allow attachment from + Routes of this kind and namespace. \n The only kind of parent resource + with \"Core\" support is Gateway. This API may be extended in the + future to support additional kinds of parent resources such as one + of the route kinds. \n It is invalid to reference an identical parent + more than once. It is valid to reference multiple distinct sections + within the same parent resource, such as 2 Listeners within a Gateway. + \n It is possible to separately reference multiple distinct objects + that may be collapsed by an implementation. For example, some implementations + may choose to merge compatible Gateway Listeners together. If that + is the case, the list of routes attached to those resources should + also be merged." + items: + description: "ParentReference identifies an API object (usually + a Gateway) that can be considered a parent of this resource (usually + a route). The only kind of parent resource with \"Core\" support + is Gateway. This API may be extended in the future to support + additional kinds of parent resources, such as HTTPRoute. \n The + API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid." + properties: + group: + default: policy.linkerd.io + description: "Group is the group of the referent. \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core + (Gateway) Support: Custom (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When + unspecified (or empty string), this refers to the local namespace + of the Route. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port specifies the destination + port number to use for this resource. + Port is required when the referent is + a Kubernetes Service. In this case, the + port number is the service port number, + not the target port. For other resources, + destination port might be derived from + the referent resource or this field. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the + target resource. In the following resources, SectionName is + interpreted as the following: \n * Gateway: Listener Name. + When both Port (experimental) and SectionName are specified, + the name and port of the selected listener must match both + specified values. \n Implementations MAY choose to support + attaching Routes to other resources. If that is the case, + they MUST clearly document how SectionName is interpreted. + \n When unspecified (empty string), this will reference the + entire resource. For the purpose of status, an attachment + is considered successful if at least one section in the parent + resource accepts it. For example, Gateway listeners can restrict + which Routes can attach to them by Route kind, namespace, + or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this + Route, the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP + request based on conditions (matches) and processing it (filters). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching + requests should be sent. \n Failure behavior here depends + on how many BackendRefs are specified and how many are invalid. + \n If *all* entries in BackendRefs are invalid, and there + are also no filters specified in this route rule, *all* traffic + which matches this rule MUST receive a 500 status code. \n + See the HTTPBackendRef definition for the rules about what + makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef + is invalid, 500 status codes MUST be returned for requests + that would have otherwise been routed to an invalid backend. + If multiple backends are specified, and some are invalid, + the proportion of requests that would otherwise have been + routed to an invalid backend MUST receive a 500 status code. + \n For example, if two backends are specified with equal weights, + and one is invalid, 50 percent of traffic must receive a 500. + Implementations may choose how that 50 percent is determined. + \n Support: Core for Kubernetes Service \n Support: Implementation-specific + for any other resource \n Support for weight: Core" + items: + description: HTTPBackendRef defines how a HTTPRoute should + forward an HTTP request. + properties: + group: + default: "" + description: Group is the group of the referent. For example, + "gateway.networking.k8s.io". When unspecified or empty + string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example + "HTTPRoute" or "Service". Defaults to "Service" when + not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. + When unspecified, the local namespace is inferred. \n + Note that when a namespace is specified, a ReferenceGrant + object is required in the referent namespace to allow + that namespace's owner to accept the reference. See + the ReferenceGrant documentation for details. \n Support: + Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number + to use for this resource. Port is required when the + referent is a Kubernetes Service. In this case, the + port number is the service port number, not the target + port. For other resources, destination port might be + derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests + forwarded to the referenced backend. This is computed + as weight/(sum of all weights in this BackendRefs list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1. \n Support for this field varies based + on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + filters: + description: "Filters defined at this level should be + executed if and only if the request is being forwarded + to the backend defined here. \n Support: Implementation-specific + (For broader support of filters, use the Filters field + in HTTPRouteRule.)" + items: + description: HTTPRouteFilter defines processing steps + that must be completed during the request or response + lifecycle. HTTPRouteFilters are meant as an extension + point to express processing that may be done in Gateway + implementations. Some examples include request or + response modification, implementing authentication + strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type + of the filter. + properties: + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema + for a filter that modifies request headers. \n + Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestRedirect: + description: "RequestRedirect defines a schema for + a filter that responds to the request with an + HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be + used in the value of the `Location` header + in the response. When empty, the hostname + in the `Host` header of the request is used. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to + modify the path of the incoming request. The + modified path is then used to construct the + `Location` header. When empty, the request + path is used as-is. \n Support: Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the + value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies + the value with which to replace the prefix + match of a request during a rewrite or + redirect. For example, a request to \"/foo/bar\" + with a prefix match of \"/foo\" and a + ReplacePrefixMatch of \"/xyz\" would be + modified to \"/xyz/bar\". \n Note that + this matches the behavior of the PathPrefix + match type. This matches full path elements. + A path element refers to the list of labels + in the path split by the `/` separator. + When specified, a trailing `/` is ignored. + For example, the paths `/abc`, `/abc/`, + and `/abc/def` would all match the prefix + `/abc`, but the path `/abcd` would not. + \n Request Path | Prefix Match | Replace + Prefix | Modified Path -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | + /xyz/bar /foo/bar | /foo | + /xyz/ | /xyz/bar /foo/bar | + /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | + /xyz/bar /foo | /foo | + /xyz | /xyz /foo/ | /foo + \ | /xyz | /xyz/ /foo/bar + \ | /foo | | + /bar /foo/ | /foo | | / /foo | /foo | + | / /foo/ | /foo + \ | / | / /foo | + /foo | / | /" + maxLength: 1024 + type: string + type: + description: "Type defines the type of path + modifier. Additional types may be added + in a future release of the API. \n Note + that values may be added to this enum, + implementations must ensure that unknown + values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the + Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in + the value of the `Location` header in the + response. \n If no port is specified, the + redirect port MUST be derived using the following + rules: \n * If redirect scheme is not-empty, + the redirect port MUST be the well-known port + associated with the redirect scheme. Specifically + \"http\" to port 80 and \"https\" to port + 443. If the redirect scheme does not have + a well-known port, the listener port of the + Gateway SHOULD be used. * If redirect scheme + is empty, the redirect port MUST be the Gateway + Listener port. \n Implementations SHOULD NOT + add the port number in the 'Location' header + in the following cases: \n * A Location header + that will use HTTP (whether that is determined + via the Listener protocol or the Scheme field) + _and_ use port 80. * A Location header that + will use HTTPS (whether that is determined + via the Listener protocol or the Scheme field) + _and_ use port 443. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used + in the value of the `Location` header in the + response. When empty, the scheme of the request + is used. \n Scheme redirects can affect the + port of the redirect, for more information, + refer to the documentation for the port field + of this filter. \n Note that values may be + added to this enum, implementations must ensure + that unknown values will not cause a crash. + \n Unknown values here must result in the + implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason + of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status + code to be used in response. \n Note that + values may be added to this enum, implementations + must ensure that unknown values will not cause + a crash. \n Unknown values here must result + in the implementation setting the Accepted + Condition for the Route to `status: False`, + with a Reason of `UnsupportedValue`. \n Support: + Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema + for a filter that modifies response headers. \n + Support: Extended" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter + to apply. As with other API fields, types are + classified into three conformance levels: \n - + Core: Filter types and their corresponding configuration + defined by \"Support: Core\" in this package, + e.g. \"RequestHeaderModifier\". All implementations + must support core filters. \n - Extended: Filter + types and their corresponding configuration defined + by \"Support: Extended\" in this package, e.g. + \"RequestMirror\". Implementers are encouraged + to support extended filters. \n - Implementation-specific: + Filters that are defined and supported by specific + vendors. In the future, filters showing convergence + in behavior across multiple implementations will + be considered for inclusion in extended or core + conformance levels. Filter-specific configuration + for such filters is specified using the ExtensionRef + field. `Type` should be set to \"ExtensionRef\" + for custom filters. \n Implementers are encouraged + to define custom implementation types to extend + the core API with implementation-specific behavior. + \n If a reference to a custom filter type cannot + be resolved, the filter MUST NOT be skipped. Instead, + requests that would have been processed by that + filter MUST receive a HTTP error response. \n + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause + a crash. \n Unknown values here must result in + the implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestRedirect + type: string + required: + - type + type: object + maxItems: 16 + type: array + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to + requests that match this rule. \n The effects of ordering + of multiple behaviors are currently unspecified. This can + change in the future based on feedback during the alpha stage. + \n Conformance-levels at this level are defined based on the + type of filter: \n - ALL core filters MUST be supported by + all implementations. - Implementers are encouraged to support + extended filters. - Implementation-specific custom filters + have no API guarantees across implementations. \n Specifying + a core filter multiple times has unspecified or custom conformance. + \n All filters are expected to be compatible with each other + except for the URLRewrite and RequestRedirect filters, which + may not be combined. If an implementation can not support + other combinations of filters, they must clearly document + that limitation. In all cases where incompatible or unsupported + filters are specified, implementations MUST add a warning + condition to status. \n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that + must be completed during the request or response lifecycle. + HTTPRouteFilters are meant as an extension point to express + processing that may be done in Gateway implementations. + Some examples include request or response modification, + implementing authentication strategies, rate-limiting, and + traffic shaping. API guarantee/conformance is defined based + on the type of the filter. + properties: + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for + a filter that modifies request headers. \n Support: + Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It appends + to any existing values associated with the header + name. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: add: - name: \"my-header\" value: + \"bar\" \n Output: GET /foo HTTP/1.1 my-header: + foo my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the + HTTP request before the action. The value of Remove + is a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + \ my-header2: bar my-header3: baz \n Config: + \ remove: [\"my-header1\", \"my-header3\"] \n Output: + \ GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the + given header (name, value) before the action. \n + Input: GET /foo HTTP/1.1 my-header: foo \n Config: + \ set: - name: \"my-header\" value: \"bar\" + \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter + that responds to the request with an HTTP redirection. + \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used + in the value of the `Location` header in the response. + When empty, the hostname of the request is used. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to + modify the path of the incoming request. The + modified path is then used to construct the + `Location` header. When empty, the request + path is used as-is. \n Support: Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the + value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies + the value with which to replace the prefix + match of a request during a rewrite or + redirect. For example, a request to \"/foo/bar\" + with a prefix match of \"/foo\" and a + ReplacePrefixMatch of \"/xyz\" would be + modified to \"/xyz/bar\". \n Note that + this matches the behavior of the PathPrefix + match type. This matches full path elements. + A path element refers to the list of labels + in the path split by the `/` separator. + When specified, a trailing `/` is ignored. + For example, the paths `/abc`, `/abc/`, + and `/abc/def` would all match the prefix + `/abc`, but the path `/abcd` would not. + \n Request Path | Prefix Match | Replace + Prefix | Modified Path -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | + /xyz/bar /foo/bar | /foo | + /xyz/ | /xyz/bar /foo/bar | + /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | + /xyz/bar /foo | /foo | + /xyz | /xyz /foo/ | /foo + \ | /xyz | /xyz/ /foo/bar + \ | /foo | | + /bar /foo/ | /foo | | / /foo | /foo | + | / /foo/ | /foo + \ | / | / /foo | + /foo | / | /" + maxLength: 1024 + type: string + type: + description: "Type defines the type of path + modifier. Additional types may be added + in a future release of the API. \n Note + that values may be added to this enum, + implementations must ensure that unknown + values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the + Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value + of the `Location` header in the response. When empty, + port (if specified) of the request is used. \n Support: + Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the + value of the `Location` header in the response. + When empty, the scheme of the request is used. \n + Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to + be used in response. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + type: + description: "Type identifies the type of filter to apply. + As with other API fields, types are classified into + three conformance levels: \n - Core: Filter types and + their corresponding configuration defined by \"Support: + Core\" in this package, e.g. \"RequestHeaderModifier\"." + enum: + - RequestHeaderModifier + - RequestRedirect + type: string + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the + rule against incoming HTTP requests. Each match is independent, + i.e. this rule will be matched if **any** one of the matches + is satisfied. \n For example, take the following matches configuration: + \n ``` matches: - path: value: \"/foo\" headers: - + name: \"version\" value: \"v2\" - path: value: \"/v2/foo\" + ``` \n For a request to match against this rule, a request + must satisfy EITHER of the two conditions: \n - path prefixed + with `/foo` AND contains the header `version: v2` - path prefix + of `/v2/foo` \n See the documentation for HTTPRouteMatch on + how to specify multiple match conditions that should be ANDed + together. \n If no matches are specified, the default is a + prefix path match on \"/\", which has the effect of matching + every HTTP request. \n Proxy or Load Balancer routing configuration + generated from HTTPRoutes MUST prioritize rules based on the + following criteria, continuing on ties. Precedence must be + given to the the Rule with the largest number of: \n * Characters + in a matching non-wildcard hostname. * Characters in a matching + hostname. * Characters in a matching path. * Header matches. + * Query param matches. \n If ties still exist across multiple + Routes, matching precedence MUST be determined in order of + the following criteria, continuing on ties: \n * The oldest + Route based on creation timestamp. * The Route appearing first + in alphabetical order by \"{namespace}/{name}\". \n If ties + still exist within the Route that has been given precedence, + matching precedence MUST be granted to the first matching + rule meeting the above criteria. \n When no rules matching + a request have been successfully attached to the parent a + request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to + match requests to a given action. Multiple match types are + ANDed together, i.e. the match will evaluate to true only + if all conditions are satisfied. \n For example, the match + below will match a HTTP request only if its path starts + with `/foo` AND it contains the `version: v1` header: \n + ``` match: path: value: \"/foo\" headers: - name: + \"version\" value \"v1\" ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. + Multiple match values are ANDed together, meaning, a + request must match all the specified headers to select + the route. + items: + description: HTTPHeaderMatch describes how to select + a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case insensitive. + (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent header + names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be + ignored. Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered equivalent. + \n When a header is repeated in an HTTP request, + it is implementation-specific behavior as to how + this is represented. Generally, proxies should + follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, with special + handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the header. \n Support: Core (Exact) + \n Support: Custom (RegularExpression) \n Since + RegularExpression HeaderMatchType has custom conformance, + implementations can support POSIX, PCRE or any + other dialects of regular expressions. Please + read the implementation's documentation to determine + the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to + be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When + specified, this route will be matched only if the request + has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. + If this field is not specified, a default prefix match + on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against + the path Value. \n Support: Core (Exact, PathPrefix) + \n Support: Custom (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: QueryParams specifies HTTP query parameter + matchers. Multiple match values are ANDed together, + meaning, a request must match all the specified query + parameters to select the route. + items: + description: HTTPQueryParamMatch describes how to select + a HTTP route by matching HTTP query parameters. + properties: + name: + description: Name is the name of the HTTP query + param to be matched. This must be an exact string + match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the query parameter. \n Support: + Extended (Exact) \n Support: Custom (RegularExpression) + \n Since RegularExpression QueryParamMatchType + has custom conformance, implementations can support + POSIX, PCRE or any other dialects of regular expressions. + Please read the implementation's documentation + to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param + to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) + that are associated with the route, and the status of the route + with respect to each parent. When this route attaches to a parent, + the controller that manages the parent must add an entry to this + list when the controller first sees the route and should update + the entry as appropriate when the route or gateway is modified. + \n Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this + API can only populate Route status for the Gateways/parent resources + they are responsible for. \n A maximum of 32 Gateways will be represented + in this list. An empty list means the route has not been attached + to any Gateway." + items: + description: RouteParentStatus describes the status of a route with + respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with + respect to the Gateway. Note that the route's availability + is also subject to the Gateway's own status conditions and + listener status. \n If the Route's ParentRef specifies an + existing Gateway that supports Routes of this kind AND that + Gateway's controller has sufficient access, then that Gateway's + controller MUST set the \"Accepted\" condition on the Route, + to indicate whether the route has been accepted or rejected + by the Gateway, and why. \n A Route MUST be considered \"Accepted\" + if at least one of the Route's rules is implemented by the + Gateway. \n There are a number of cases where the \"Accepted\" + condition may not be set due to lack of controller visibility, + that includes when: \n * The Route refers to a non-existent + parent. * The Route is of a type that the controller does + not support. * The Route is in a namespace the the controller + does not have access to." + items: + description: "Condition contains details for one aspect of + the current state of this API Resource. --- This struct + is intended for direct use as an array at the field path + .status.conditions. For example, type FooStatus struct{ + \ // Represents the observations of a foo's current state. + \ // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type + \ // +patchStrategy=merge // +listType=map // + +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` + \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should + be when the underlying condition changed. If that is + not known, then using the time when the API field changed + is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, + if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the + current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. The value should + be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. The regex it matches is + (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates + the name of the controller that wrote this status. This corresponds + with the controllerName field on GatewayClass. \n Example: + \"example.net/gateway-controller\". \n The format of this + field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid + Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + \n Controllers MUST populate this field when writing status. + Controllers should ensure that entries to status populated + with their ControllerName are cleaned up when they are no + longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec + that this RouteParentStatus struct describes the status of. + properties: + group: + default: policy.linkerd.io + description: "Group is the group of the referent. \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: + Core (Gateway) Support: Custom (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. + When unspecified (or empty string), this refers to the + local namespace of the Route. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. + It can be interpreted differently based on the type of + parent resource. \n When the parent resource is a Gateway, + this targets all listeners listening on the specified + port that also support this kind of Route(and select this + Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to + a specific port as opposed to a listener(s) whose port(s) + may be changed. When both Port and SectionName are specified, + the name and port of the selected listener must match + both specified values. \n Implementations MAY choose to + support other parent resources. Implementations supporting + other types of parent resources MUST clearly document + how/if Port is interpreted. \n For the purpose of status, + an attachment is considered successful as long as the + parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them + by Route kind, namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from the referencing Route, + the Route MUST be considered successfully attached. If + no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within + the target resource. In the following resources, SectionName + is interpreted as the following: \n * Gateway: Listener + Name. When both Port (experimental) and SectionName are + specified, the name and port of the selected listener + must match both specified values. \n Implementations MAY + choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName + is interpreted. \n When unspecified (empty string), this + will reference the entire resource. For the purpose of + status, an attachment is considered successful if at least + one section in the parent resource accepts it. For example, + Gateway listeners can restrict which Routes can attach + to them by Route kind, namespace, or hostname. If 1 of + 2 Gateway listeners accept attachment from the referencing + Route, the Route MUST be considered successfully attached. + If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta3 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes + the capability to match requests by hostname, path, header, or query param. + Filters can be used to specify additional processing steps. Backends specify + where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match + against the HTTP Host header to select a HTTPRoute to process the + request. This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may + be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n If a hostname is specified + by both the Listener and HTTPRoute, there must be at least one intersecting + hostname for the HTTPRoute to be attached to the Listener. For example: + \n * A Listener with `test.example.com` as the hostname matches + HTTPRoutes that have either not specified any hostnames, or have + specified at least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches HTTPRoutes + \ that have either not specified any hostnames or have specified + at least one hostname that matches the Listener hostname. For + example, `*.example.com`, `test.example.com`, and `foo.test.example.com` + would all match. On the other hand, `example.com` and `test.example.net` + would not match. \n Hostnames that are prefixed with a wildcard + label (`*.`) are interpreted as a suffix match. That means that + a match for `*.example.com` would match both `test.example.com`, + and `foo.test.example.com`, but not `example.com`. \n If both the + Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames + that do not match the Listener hostname MUST be ignored. For example, + if a Listener specified `*.example.com`, and the HTTPRoute specified + `test.example.com` and `test.example.net`, `test.example.net` must + not be considered for a match. \n If both the Listener and HTTPRoute + have specified hostnames, and none match with the criteria above, + then the HTTPRoute is not accepted. The implementation must raise + an 'Accepted' Condition with a status of `False` in the corresponding + RouteParentStatus. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network + host. This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname + may be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n Hostname can be \"precise\" + which is a domain name without the terminating dot of a network + host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain + name prefixed with a single wildcard label (e.g. `*.example.com`). + \n Note that as per RFC1035 and RFC1123, a *label* must consist + of lower case alphanumeric characters or '-', and must start and + end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) + that a Route wants to be attached to. Note that the referenced parent + resource needs to allow this for the attachment to be complete. + For Gateways, that means the Gateway needs to allow attachment from + Routes of this kind and namespace. \n The only kind of parent resource + with \"Core\" support is Gateway. This API may be extended in the + future to support additional kinds of parent resources such as one + of the route kinds. \n It is invalid to reference an identical parent + more than once. It is valid to reference multiple distinct sections + within the same parent resource, such as 2 Listeners within a Gateway. + \n It is possible to separately reference multiple distinct objects + that may be collapsed by an implementation. For example, some implementations + may choose to merge compatible Gateway Listeners together. If that + is the case, the list of routes attached to those resources should + also be merged." + items: + description: "ParentReference identifies an API object (usually + a Gateway) that can be considered a parent of this resource (usually + a route). The only kind of parent resource with \"Core\" support + is Gateway. This API may be extended in the future to support + additional kinds of parent resources, such as HTTPRoute. \n The + API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid." + properties: + group: + default: policy.linkerd.io + description: "Group is the group of the referent. \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core + (Gateway) Support: Custom (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When + unspecified (or empty string), this refers to the local namespace + of the Route. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port specifies the destination + port number to use for this resource. + Port is required when the referent is + a Kubernetes Service. In this case, the + port number is the service port number, + not the target port. For other resources, + destination port might be derived from + the referent resource or this field. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the + target resource. In the following resources, SectionName is + interpreted as the following: \n * Gateway: Listener Name. + When both Port (experimental) and SectionName are specified, + the name and port of the selected listener must match both + specified values. \n Implementations MAY choose to support + attaching Routes to other resources. If that is the case, + they MUST clearly document how SectionName is interpreted. + \n When unspecified (empty string), this will reference the + entire resource. For the purpose of status, an attachment + is considered successful if at least one section in the parent + resource accepts it. For example, Gateway listeners can restrict + which Routes can attach to them by Route kind, namespace, + or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this + Route, the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP + request based on conditions (matches) and processing it (filters). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching + requests should be sent. \n Failure behavior here depends + on how many BackendRefs are specified and how many are invalid. + \n If *all* entries in BackendRefs are invalid, and there + are also no filters specified in this route rule, *all* traffic + which matches this rule MUST receive a 500 status code. \n + See the HTTPBackendRef definition for the rules about what + makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef + is invalid, 500 status codes MUST be returned for requests + that would have otherwise been routed to an invalid backend. + If multiple backends are specified, and some are invalid, + the proportion of requests that would otherwise have been + routed to an invalid backend MUST receive a 500 status code. + \n For example, if two backends are specified with equal weights, + and one is invalid, 50 percent of traffic must receive a 500. + Implementations may choose how that 50 percent is determined. + \n Support: Core for Kubernetes Service \n Support: Implementation-specific + for any other resource \n Support for weight: Core" + items: + description: HTTPBackendRef defines how a HTTPRoute should + forward an HTTP request. + properties: + group: + default: "" + description: Group is the group of the referent. For example, + "gateway.networking.k8s.io". When unspecified or empty + string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example + "HTTPRoute" or "Service". Defaults to "Service" when + not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. + When unspecified, the local namespace is inferred. \n + Note that when a namespace is specified, a ReferenceGrant + object is required in the referent namespace to allow + that namespace's owner to accept the reference. See + the ReferenceGrant documentation for details. \n Support: + Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number + to use for this resource. Port is required when the + referent is a Kubernetes Service. In this case, the + port number is the service port number, not the target + port. For other resources, destination port might be + derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests + forwarded to the referenced backend. This is computed + as weight/(sum of all weights in this BackendRefs list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1. \n Support for this field varies based + on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + filters: + description: "Filters defined at this level should be + executed if and only if the request is being forwarded + to the backend defined here. \n Support: Implementation-specific + (For broader support of filters, use the Filters field + in HTTPRouteRule.)" + items: + description: HTTPRouteFilter defines processing steps + that must be completed during the request or response + lifecycle. HTTPRouteFilters are meant as an extension + point to express processing that may be done in Gateway + implementations. Some examples include request or + response modification, implementing authentication + strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type + of the filter. + properties: + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema + for a filter that modifies request headers. \n + Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestRedirect: + description: "RequestRedirect defines a schema for + a filter that responds to the request with an + HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be + used in the value of the `Location` header + in the response. When empty, the hostname + in the `Host` header of the request is used. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to + modify the path of the incoming request. The + modified path is then used to construct the + `Location` header. When empty, the request + path is used as-is. \n Support: Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the + value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies + the value with which to replace the prefix + match of a request during a rewrite or + redirect. For example, a request to \"/foo/bar\" + with a prefix match of \"/foo\" and a + ReplacePrefixMatch of \"/xyz\" would be + modified to \"/xyz/bar\". \n Note that + this matches the behavior of the PathPrefix + match type. This matches full path elements. + A path element refers to the list of labels + in the path split by the `/` separator. + When specified, a trailing `/` is ignored. + For example, the paths `/abc`, `/abc/`, + and `/abc/def` would all match the prefix + `/abc`, but the path `/abcd` would not. + \n Request Path | Prefix Match | Replace + Prefix | Modified Path -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | + /xyz/bar /foo/bar | /foo | + /xyz/ | /xyz/bar /foo/bar | + /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | + /xyz/bar /foo | /foo | + /xyz | /xyz /foo/ | /foo + \ | /xyz | /xyz/ /foo/bar + \ | /foo | | + /bar /foo/ | /foo | | / /foo | /foo | + | / /foo/ | /foo + \ | / | / /foo | + /foo | / | /" + maxLength: 1024 + type: string + type: + description: "Type defines the type of path + modifier. Additional types may be added + in a future release of the API. \n Note + that values may be added to this enum, + implementations must ensure that unknown + values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the + Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in + the value of the `Location` header in the + response. \n If no port is specified, the + redirect port MUST be derived using the following + rules: \n * If redirect scheme is not-empty, + the redirect port MUST be the well-known port + associated with the redirect scheme. Specifically + \"http\" to port 80 and \"https\" to port + 443. If the redirect scheme does not have + a well-known port, the listener port of the + Gateway SHOULD be used. * If redirect scheme + is empty, the redirect port MUST be the Gateway + Listener port. \n Implementations SHOULD NOT + add the port number in the 'Location' header + in the following cases: \n * A Location header + that will use HTTP (whether that is determined + via the Listener protocol or the Scheme field) + _and_ use port 80. * A Location header that + will use HTTPS (whether that is determined + via the Listener protocol or the Scheme field) + _and_ use port 443. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used + in the value of the `Location` header in the + response. When empty, the scheme of the request + is used. \n Scheme redirects can affect the + port of the redirect, for more information, + refer to the documentation for the port field + of this filter. \n Note that values may be + added to this enum, implementations must ensure + that unknown values will not cause a crash. + \n Unknown values here must result in the + implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason + of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status + code to be used in response. \n Note that + values may be added to this enum, implementations + must ensure that unknown values will not cause + a crash. \n Unknown values here must result + in the implementation setting the Accepted + Condition for the Route to `status: False`, + with a Reason of `UnsupportedValue`. \n Support: + Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema + for a filter that modifies response headers. \n + Support: Extended" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter + to apply. As with other API fields, types are + classified into three conformance levels: \n - + Core: Filter types and their corresponding configuration + defined by \"Support: Core\" in this package, + e.g. \"RequestHeaderModifier\". All implementations + must support core filters. \n - Extended: Filter + types and their corresponding configuration defined + by \"Support: Extended\" in this package, e.g. + \"RequestMirror\". Implementers are encouraged + to support extended filters. \n - Implementation-specific: + Filters that are defined and supported by specific + vendors. In the future, filters showing convergence + in behavior across multiple implementations will + be considered for inclusion in extended or core + conformance levels. Filter-specific configuration + for such filters is specified using the ExtensionRef + field. `Type` should be set to \"ExtensionRef\" + for custom filters. \n Implementers are encouraged + to define custom implementation types to extend + the core API with implementation-specific behavior. + \n If a reference to a custom filter type cannot + be resolved, the filter MUST NOT be skipped. Instead, + requests that would have been processed by that + filter MUST receive a HTTP error response. \n + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause + a crash. \n Unknown values here must result in + the implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestRedirect + type: string + required: + - type + type: object + maxItems: 16 + type: array + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to + requests that match this rule. \n The effects of ordering + of multiple behaviors are currently unspecified. This can + change in the future based on feedback during the alpha stage. + \n Conformance-levels at this level are defined based on the + type of filter: \n - ALL core filters MUST be supported by + all implementations. - Implementers are encouraged to support + extended filters. - Implementation-specific custom filters + have no API guarantees across implementations. \n Specifying + a core filter multiple times has unspecified or custom conformance. + \n All filters are expected to be compatible with each other + except for the URLRewrite and RequestRedirect filters, which + may not be combined. If an implementation can not support + other combinations of filters, they must clearly document + that limitation. In all cases where incompatible or unsupported + filters are specified, implementations MUST add a warning + condition to status. \n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that + must be completed during the request or response lifecycle. + HTTPRouteFilters are meant as an extension point to express + processing that may be done in Gateway implementations. + Some examples include request or response modification, + implementing authentication strategies, rate-limiting, and + traffic shaping. API guarantee/conformance is defined based + on the type of the filter. + properties: + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for + a filter that modifies request headers. \n Support: + Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It appends + to any existing values associated with the header + name. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: add: - name: \"my-header\" value: + \"bar\" \n Output: GET /foo HTTP/1.1 my-header: + foo my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the + HTTP request before the action. The value of Remove + is a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + \ my-header2: bar my-header3: baz \n Config: + \ remove: [\"my-header1\", \"my-header3\"] \n Output: + \ GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the + given header (name, value) before the action. \n + Input: GET /foo HTTP/1.1 my-header: foo \n Config: + \ set: - name: \"my-header\" value: \"bar\" + \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter + that responds to the request with an HTTP redirection. + \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used + in the value of the `Location` header in the response. + When empty, the hostname of the request is used. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to + modify the path of the incoming request. The + modified path is then used to construct the + `Location` header. When empty, the request + path is used as-is. \n Support: Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the + value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies + the value with which to replace the prefix + match of a request during a rewrite or + redirect. For example, a request to \"/foo/bar\" + with a prefix match of \"/foo\" and a + ReplacePrefixMatch of \"/xyz\" would be + modified to \"/xyz/bar\". \n Note that + this matches the behavior of the PathPrefix + match type. This matches full path elements. + A path element refers to the list of labels + in the path split by the `/` separator. + When specified, a trailing `/` is ignored. + For example, the paths `/abc`, `/abc/`, + and `/abc/def` would all match the prefix + `/abc`, but the path `/abcd` would not. + \n Request Path | Prefix Match | Replace + Prefix | Modified Path -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | + /xyz/bar /foo/bar | /foo | + /xyz/ | /xyz/bar /foo/bar | + /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | + /xyz/bar /foo | /foo | + /xyz | /xyz /foo/ | /foo + \ | /xyz | /xyz/ /foo/bar + \ | /foo | | + /bar /foo/ | /foo | | / /foo | /foo | + | / /foo/ | /foo + \ | / | / /foo | + /foo | / | /" + maxLength: 1024 + type: string + type: + description: "Type defines the type of path + modifier. Additional types may be added + in a future release of the API. \n Note + that values may be added to this enum, + implementations must ensure that unknown + values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the + Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value + of the `Location` header in the response. When empty, + port (if specified) of the request is used. \n Support: + Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the + value of the `Location` header in the response. + When empty, the scheme of the request is used. \n + Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to + be used in response. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + type: + description: "Type identifies the type of filter to apply. + As with other API fields, types are classified into + three conformance levels: \n - Core: Filter types and + their corresponding configuration defined by \"Support: + Core\" in this package, e.g. \"RequestHeaderModifier\"." + enum: + - RequestHeaderModifier + - RequestRedirect + type: string + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the + rule against incoming HTTP requests. Each match is independent, + i.e. this rule will be matched if **any** one of the matches + is satisfied. \n For example, take the following matches configuration: + \n ``` matches: - path: value: \"/foo\" headers: - + name: \"version\" value: \"v2\" - path: value: \"/v2/foo\" + ``` \n For a request to match against this rule, a request + must satisfy EITHER of the two conditions: \n - path prefixed + with `/foo` AND contains the header `version: v2` - path prefix + of `/v2/foo` \n See the documentation for HTTPRouteMatch on + how to specify multiple match conditions that should be ANDed + together. \n If no matches are specified, the default is a + prefix path match on \"/\", which has the effect of matching + every HTTP request. \n Proxy or Load Balancer routing configuration + generated from HTTPRoutes MUST prioritize rules based on the + following criteria, continuing on ties. Precedence must be + given to the the Rule with the largest number of: \n * Characters + in a matching non-wildcard hostname. * Characters in a matching + hostname. * Characters in a matching path. * Header matches. + * Query param matches. \n If ties still exist across multiple + Routes, matching precedence MUST be determined in order of + the following criteria, continuing on ties: \n * The oldest + Route based on creation timestamp. * The Route appearing first + in alphabetical order by \"{namespace}/{name}\". \n If ties + still exist within the Route that has been given precedence, + matching precedence MUST be granted to the first matching + rule meeting the above criteria. \n When no rules matching + a request have been successfully attached to the parent a + request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to + match requests to a given action. Multiple match types are + ANDed together, i.e. the match will evaluate to true only + if all conditions are satisfied. \n For example, the match + below will match a HTTP request only if its path starts + with `/foo` AND it contains the `version: v1` header: \n + ``` match: path: value: \"/foo\" headers: - name: + \"version\" value \"v1\" ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. + Multiple match values are ANDed together, meaning, a + request must match all the specified headers to select + the route. + items: + description: HTTPHeaderMatch describes how to select + a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case insensitive. + (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent header + names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be + ignored. Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered equivalent. + \n When a header is repeated in an HTTP request, + it is implementation-specific behavior as to how + this is represented. Generally, proxies should + follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, with special + handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the header. \n Support: Core (Exact) + \n Support: Custom (RegularExpression) \n Since + RegularExpression HeaderMatchType has custom conformance, + implementations can support POSIX, PCRE or any + other dialects of regular expressions. Please + read the implementation's documentation to determine + the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to + be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When + specified, this route will be matched only if the request + has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. + If this field is not specified, a default prefix match + on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against + the path Value. \n Support: Core (Exact, PathPrefix) + \n Support: Custom (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: QueryParams specifies HTTP query parameter + matchers. Multiple match values are ANDed together, + meaning, a request must match all the specified query + parameters to select the route. + items: + description: HTTPQueryParamMatch describes how to select + a HTTP route by matching HTTP query parameters. + properties: + name: + description: Name is the name of the HTTP query + param to be matched. This must be an exact string + match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the query parameter. \n Support: + Extended (Exact) \n Support: Custom (RegularExpression) + \n Since RegularExpression QueryParamMatchType + has custom conformance, implementations can support + POSIX, PCRE or any other dialects of regular expressions. + Please read the implementation's documentation + to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param + to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + timeouts: + description: "Timeouts defines the timeouts that can be configured + for an HTTP request. \n Support: Core \n " + properties: + backendRequest: + description: "BackendRequest specifies a timeout for an + individual request from the gateway to a backend service. + Typically used in conjunction with automatic retries, + if supported by an implementation. Default is the value + of Request timeout. \n Support: Extended" + format: duration + type: string + request: + description: "Request specifies a timeout for responding + to client HTTP requests, disabled by default. \n For example, + the following rule will timeout if a client request is + taking longer than 10 seconds to complete: \n ``` rules: + - timeouts: request: 10s backendRefs: ... ``` \n Support: + Core" + format: duration + type: string + type: object + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) + that are associated with the route, and the status of the route + with respect to each parent. When this route attaches to a parent, + the controller that manages the parent must add an entry to this + list when the controller first sees the route and should update + the entry as appropriate when the route or gateway is modified. + \n Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this + API can only populate Route status for the Gateways/parent resources + they are responsible for. \n A maximum of 32 Gateways will be represented + in this list. An empty list means the route has not been attached + to any Gateway." + items: + description: RouteParentStatus describes the status of a route with + respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with + respect to the Gateway. Note that the route's availability + is also subject to the Gateway's own status conditions and + listener status. \n If the Route's ParentRef specifies an + existing Gateway that supports Routes of this kind AND that + Gateway's controller has sufficient access, then that Gateway's + controller MUST set the \"Accepted\" condition on the Route, + to indicate whether the route has been accepted or rejected + by the Gateway, and why. \n A Route MUST be considered \"Accepted\" + if at least one of the Route's rules is implemented by the + Gateway. \n There are a number of cases where the \"Accepted\" + condition may not be set due to lack of controller visibility, + that includes when: \n * The Route refers to a non-existent + parent. * The Route is of a type that the controller does + not support. * The Route is in a namespace the the controller + does not have access to." + items: + description: "Condition contains details for one aspect of + the current state of this API Resource. --- This struct + is intended for direct use as an array at the field path + .status.conditions. For example, type FooStatus struct{ + \ // Represents the observations of a foo's current state. + \ // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type + \ // +patchStrategy=merge // +listType=map // + +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` + \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should + be when the underlying condition changed. If that is + not known, then using the time when the API field changed + is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, + if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the + current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. The value should + be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. The regex it matches is + (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates + the name of the controller that wrote this status. This corresponds + with the controllerName field on GatewayClass. \n Example: + \"example.net/gateway-controller\". \n The format of this + field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid + Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + \n Controllers MUST populate this field when writing status. + Controllers should ensure that entries to status populated + with their ControllerName are cleaned up when they are no + longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec + that this RouteParentStatus struct describes the status of. + properties: + group: + default: policy.linkerd.io + description: "Group is the group of the referent. \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: + Core (Gateway) Support: Custom (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. + When unspecified (or empty string), this refers to the + local namespace of the Route. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. + It can be interpreted differently based on the type of + parent resource. \n When the parent resource is a Gateway, + this targets all listeners listening on the specified + port that also support this kind of Route(and select this + Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to + a specific port as opposed to a listener(s) whose port(s) + may be changed. When both Port and SectionName are specified, + the name and port of the selected listener must match + both specified values. \n Implementations MAY choose to + support other parent resources. Implementations supporting + other types of parent resources MUST clearly document + how/if Port is interpreted. \n For the purpose of status, + an attachment is considered successful as long as the + parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them + by Route kind, namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from the referencing Route, + the Route MUST be considered successfully attached. If + no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within + the target resource. In the following resources, SectionName + is interpreted as the following: \n * Gateway: Listener + Name. When both Port (experimental) and SectionName are + specified, the name and port of the selected listener + must match both specified values. \n Implementations MAY + choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName + is interpreted. \n When unspecified (empty string), this + will reference the entire resource. For the purpose of + status, an attachment is considered successful if at least + one section in the parent resource accepts it. For example, + Gateway listeners can restrict which Routes can attach + to them by Route kind, namespace, or hostname. If 1 of + 2 Gateway listeners accept attachment from the referencing + Route, the Route MUST be considered successfully attached. + If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/charts/linkerd/linkerd-crds/2024.9.3/templates/policy/meshtls-authentication.yaml b/charts/linkerd/linkerd-crds/2024.9.3/templates/policy/meshtls-authentication.yaml new file mode 100644 index 000000000..58ee815f5 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.9.3/templates/policy/meshtls-authentication.yaml @@ -0,0 +1,87 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: meshtlsauthentications.policy.linkerd.io + annotations: + {{ include "partials.annotations.created-by" . }} + labels: + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + linkerd.io/control-plane-ns: {{.Release.Namespace}} +spec: + group: policy.linkerd.io + scope: Namespaced + names: + kind: MeshTLSAuthentication + plural: meshtlsauthentications + singular: meshtlsauthentication + shortNames: [meshtlsauthn] + versions: + - name: v1alpha1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + spec: + description: >- + MeshTLSAuthentication defines a list of authenticated client IDs + to be referenced by an `AuthorizationPolicy`. If a client + connection has the mutually-authenticated identity that matches + ANY of the of the provided identities, the connection is + considered authenticated. + type: object + oneOf: + - required: [identities] + - required: [identityRefs] + properties: + identities: + description: >- + Authorizes clients with the provided proxy identity strings + (as provided via MTLS) + + The `*` prefix can be used to match all identities in + a domain. An identity string of `*` indicates that + all authentication clients are authorized. + type: array + minItems: 1 + items: + type: string + identityRefs: + type: array + minItems: 1 + items: + type: object + required: + - kind + properties: + group: + description: >- + Group is the group of the referent. When empty, the + Kubernetes core API group is inferred." + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is the kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: >- + Name is the name of the referent. When unspecified, + this refers to all resources of the specified Group + and Kind in the specified namespace. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Name is the name of the referent. When unspecified, + this authentication refers to the local namespace. + maxLength: 253 + type: string diff --git a/charts/linkerd/linkerd-crds/2024.9.3/templates/policy/network-authentication.yaml b/charts/linkerd/linkerd-crds/2024.9.3/templates/policy/network-authentication.yaml new file mode 100644 index 000000000..cef15d3c4 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.9.3/templates/policy/network-authentication.yaml @@ -0,0 +1,53 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: networkauthentications.policy.linkerd.io + annotations: + {{ include "partials.annotations.created-by" . }} + labels: + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + linkerd.io/control-plane-ns: {{.Release.Namespace}} +spec: + group: policy.linkerd.io + scope: Namespaced + names: + kind: NetworkAuthentication + plural: networkauthentications + singular: networkauthentication + shortNames: [netauthn, networkauthn] + versions: + - name: v1alpha1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + spec: + description: >- + NetworkAuthentication defines a list of authenticated client + networks to be referenced by an `AuthorizationPolicy`. If a + client connection originates from ANY of the of the provided + networks, the connection is considered authenticated. + type: object + required: [networks] + properties: + networks: + type: array + items: + type: object + required: [cidr] + properties: + cidr: + description: >- + The CIDR of the network to be authorized. + type: string + except: + description: >- + A list of IP networks/addresses not to be included in + the above `cidr`. + type: array + items: + type: string diff --git a/charts/linkerd/linkerd-crds/2024.9.3/templates/policy/server-authorization.yaml b/charts/linkerd/linkerd-crds/2024.9.3/templates/policy/server-authorization.yaml new file mode 100644 index 000000000..33fb65900 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.9.3/templates/policy/server-authorization.yaml @@ -0,0 +1,266 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: serverauthorizations.policy.linkerd.io + annotations: + {{ include "partials.annotations.created-by" . }} + labels: + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + linkerd.io/control-plane-ns: {{.Release.Namespace}} +spec: + group: policy.linkerd.io + scope: Namespaced + names: + kind: ServerAuthorization + plural: serverauthorizations + singular: serverauthorization + shortNames: [saz, serverauthz, srvauthz] + versions: + - name: v1alpha1 + served: true + storage: false + deprecated: true + deprecationWarning: "policy.linkerd.io/v1alpha1 ServerAuthorization is deprecated; use policy.linkerd.io/v1beta1 ServerAuthorization" + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + spec: + description: >- + Authorizes clients to communicate with Linkerd-proxied servers. + type: object + required: [server, client] + properties: + server: + description: >- + Identifies servers in the same namespace for which this + authorization applies. + + Only one of `name` or `selector` may be specified. + type: object + oneOf: + - required: [name] + - required: [selector] + properties: + name: + description: References a `Server` instance by name + type: string + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + selector: + description: >- + A label query over servers on which this authorization applies. + type: object + properties: + matchLabels: + type: object + x-kubernetes-preserve-unknown-fields: true + matchExpressions: + type: array + items: + type: object + required: [key, operator] + properties: + key: + type: string + operator: + type: string + enum: [In, NotIn, Exists, DoesNotExist] + values: + type: array + items: + type: string + client: + description: Describes clients authorized to access a server. + type: object + properties: + networks: + description: >- + Limits the client IP addresses to which this + authorization applies. If unset, the server chooses a + default (typically, all IPs or the cluster's pod + network). + type: array + items: + type: object + required: [cidr] + properties: + cidr: + type: string + except: + type: array + items: + type: string + unauthenticated: + description: >- + Authorizes unauthenticated clients to access a server. + type: boolean + meshTLS: + type: object + properties: + unauthenticatedTLS: + type: boolean + description: >- + Indicates that no client identity is required for + communication. + + This is mostly important for the identity + controller, which must terminate TLS connections + from clients that do not yet have a certificate. + identities: + description: >- + Authorizes clients with the provided proxy identity + strings (as provided via MTLS) + + The `*` prefix can be used to match all identities in + a domain. An identity string of `*` indicates that + all authentication clients are authorized. + type: array + items: + type: string + pattern: '^(\*|[a-z0-9]([-a-z0-9]*[a-z0-9])?)(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$' + serviceAccounts: + description: >- + Authorizes clients with the provided proxy identity + service accounts (as provided via MTLS) + type: array + items: + type: object + required: [name] + properties: + name: + description: The ServiceAccount's name. + type: string + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + namespace: + description: >- + The ServiceAccount's namespace. If unset, the + authorization's namespace is used. + type: string + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + spec: + description: >- + Authorizes clients to communicate with Linkerd-proxied servers. + type: object + required: [server, client] + properties: + server: + description: >- + Identifies servers in the same namespace for which this + authorization applies. + + Only one of `name` or `selector` may be specified. + type: object + oneOf: + - required: [name] + - required: [selector] + properties: + name: + description: References a `Server` instance by name + type: string + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + selector: + description: >- + A label query over servers on which this authorization applies. + type: object + properties: + matchLabels: + type: object + x-kubernetes-preserve-unknown-fields: true + matchExpressions: + type: array + items: + type: object + required: [key, operator] + properties: + key: + type: string + operator: + type: string + enum: [In, NotIn, Exists, DoesNotExist] + values: + type: array + items: + type: string + client: + description: Describes clients authorized to access a server. + type: object + properties: + networks: + description: >- + Limits the client IP addresses to which this + authorization applies. If unset, the server chooses a + default (typically, all IPs or the cluster's pod + network). + type: array + items: + type: object + required: [cidr] + properties: + cidr: + type: string + except: + type: array + items: + type: string + unauthenticated: + description: >- + Authorizes unauthenticated clients to access a server. + type: boolean + meshTLS: + type: object + properties: + unauthenticatedTLS: + type: boolean + description: >- + Indicates that no client identity is required for + communication. + + This is mostly important for the identity + controller, which must terminate TLS connections + from clients that do not yet have a certificate. + identities: + description: >- + Authorizes clients with the provided proxy identity + strings (as provided via MTLS) + + The `*` prefix can be used to match all identities in + a domain. An identity string of `*` indicates that + all authentication clients are authorized. + type: array + items: + type: string + pattern: '^(\*|[a-z0-9]([-a-z0-9]*[a-z0-9])?)(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$' + serviceAccounts: + description: >- + Authorizes clients with the provided proxy identity + service accounts (as provided via MTLS) + type: array + items: + type: object + required: [name] + properties: + name: + description: The ServiceAccount's name. + type: string + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + namespace: + description: >- + The ServiceAccount's namespace. If unset, the + authorization's namespace is used. + type: string + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + additionalPrinterColumns: + - name: Server + type: string + description: The server that this grants access to + jsonPath: .spec.server.name diff --git a/charts/linkerd/linkerd-crds/2024.9.3/templates/policy/server.yaml b/charts/linkerd/linkerd-crds/2024.9.3/templates/policy/server.yaml new file mode 100644 index 000000000..0af41224a --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.9.3/templates/policy/server.yaml @@ -0,0 +1,319 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: servers.policy.linkerd.io + annotations: + {{ include "partials.annotations.created-by" . }} + labels: + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + linkerd.io/control-plane-ns: {{.Release.Namespace}} +spec: + group: policy.linkerd.io + names: + kind: Server + plural: servers + singular: server + shortNames: [srv] + scope: Namespaced + versions: + - name: v1alpha1 + served: true + storage: false + deprecated: true + deprecationWarning: "policy.linkerd.io/v1alpha1 Server is deprecated; use policy.linkerd.io/v1beta1 Server" + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + spec: + type: object + required: + - podSelector + - port + properties: + podSelector: + type: object + description: >- + Selects pods in the same namespace. + oneOf: + - required: [matchExpressions] + - required: [matchLabels] + properties: + matchLabels: + type: object + x-kubernetes-preserve-unknown-fields: true + matchExpressions: + type: array + items: + type: object + required: [key, operator] + properties: + key: + type: string + operator: + type: string + enum: [In, NotIn, Exists, DoesNotExist] + values: + type: array + items: + type: string + port: + description: >- + A port name or number. Must exist in a pod spec. + x-kubernetes-int-or-string: true + proxyProtocol: + description: >- + Configures protocol discovery for inbound connections. + + Supersedes the `config.linkerd.io/opaque-ports` annotation. + type: string + default: unknown + - name: v1beta1 + served: true + storage: false + deprecated: true + deprecationWarning: "policy.linkerd.io/v1alpha1 Server is deprecated; use policy.linkerd.io/v1beta3 Server" + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + spec: + type: object + required: + - podSelector + - port + properties: + podSelector: + type: object + description: >- + Selects pods in the same namespace. + + The result of matchLabels and matchExpressions are ANDed. + Selects all if empty. + properties: + matchLabels: + type: object + x-kubernetes-preserve-unknown-fields: true + matchExpressions: + type: array + items: + type: object + required: [key, operator] + properties: + key: + type: string + operator: + type: string + enum: [In, NotIn, Exists, DoesNotExist] + values: + type: array + items: + type: string + port: + description: >- + A port name or number. Must exist in a pod spec. + x-kubernetes-int-or-string: true + proxyProtocol: + description: >- + Configures protocol discovery for inbound connections. + + Supersedes the `config.linkerd.io/opaque-ports` annotation. + type: string + default: unknown + additionalPrinterColumns: + - name: Port + type: string + description: The port the server is listening on + jsonPath: .spec.port + - name: Protocol + type: string + description: The protocol of the server + jsonPath: .spec.proxyProtocol + - name: v1beta2 + served: true + storage: false + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + spec: + type: object + required: + - port + oneOf: + - required: [podSelector] + - required: [externalWorkloadSelector] + properties: + podSelector: + type: object + description: >- + Selects pods in the same namespace. + + The result of matchLabels and matchExpressions are ANDed. + Selects all if empty. + properties: + matchLabels: + type: object + x-kubernetes-preserve-unknown-fields: true + matchExpressions: + type: array + items: + type: object + required: [key, operator] + properties: + key: + type: string + operator: + type: string + enum: [In, NotIn, Exists, DoesNotExist] + values: + type: array + items: + type: string + externalWorkloadSelector: + type: object + description: >- + Selects ExternalWorkloads in the same namespace. + + The result of matchLabels and matchExpressions are ANDed. + Selects all if empty. + properties: + matchLabels: + type: object + x-kubernetes-preserve-unknown-fields: true + matchExpressions: + type: array + items: + type: object + required: [key, operator] + properties: + key: + type: string + operator: + type: string + enum: [In, NotIn, Exists, DoesNotExist] + values: + type: array + items: + type: string + port: + description: >- + A port name or number. Must exist in a pod spec. + x-kubernetes-int-or-string: true + proxyProtocol: + description: >- + Configures protocol discovery for inbound connections. + + Supersedes the `config.linkerd.io/opaque-ports` annotation. + type: string + default: unknown + additionalPrinterColumns: + - name: Port + type: string + description: The port the server is listening on + jsonPath: .spec.port + - name: Protocol + type: string + description: The protocol of the server + jsonPath: .spec.proxyProtocol + - name: v1beta3 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + spec: + type: object + required: + - port + oneOf: + - required: [podSelector] + - required: [externalWorkloadSelector] + properties: + accessPolicy: + type: string + default: deny + description: >- + Default access policy to apply when the traffic doesn't match any of the policy rules. + podSelector: + type: object + description: >- + Selects pods in the same namespace. + + The result of matchLabels and matchExpressions are ANDed. + Selects all if empty. + properties: + matchLabels: + type: object + x-kubernetes-preserve-unknown-fields: true + matchExpressions: + type: array + items: + type: object + required: [key, operator] + properties: + key: + type: string + operator: + type: string + enum: [In, NotIn, Exists, DoesNotExist] + values: + type: array + items: + type: string + externalWorkloadSelector: + type: object + description: >- + Selects ExternalWorkloads in the same namespace. + + The result of matchLabels and matchExpressions are ANDed. + Selects all if empty. + properties: + matchLabels: + type: object + x-kubernetes-preserve-unknown-fields: true + matchExpressions: + type: array + items: + type: object + required: [key, operator] + properties: + key: + type: string + operator: + type: string + enum: [In, NotIn, Exists, DoesNotExist] + values: + type: array + items: + type: string + port: + description: >- + A port name or number. Must exist in a pod spec. + x-kubernetes-int-or-string: true + proxyProtocol: + description: >- + Configures protocol discovery for inbound connections. + + Supersedes the `config.linkerd.io/opaque-ports` annotation. + type: string + default: unknown + additionalPrinterColumns: + - name: Port + type: string + description: The port the server is listening on + jsonPath: .spec.port + - name: Protocol + type: string + description: The protocol of the server + jsonPath: .spec.proxyProtocol + - name: Access Policy + type: string + description: The default access policy applied when the traffic doesn't match any of the policy rules + jsonPath: .spec.accessPolicy diff --git a/charts/linkerd/linkerd-crds/2024.9.3/templates/serviceprofile.yaml b/charts/linkerd/linkerd-crds/2024.9.3/templates/serviceprofile.yaml new file mode 100644 index 000000000..ad12c96a3 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.9.3/templates/serviceprofile.yaml @@ -0,0 +1,274 @@ +--- +### +### Service Profile CRD +### +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: serviceprofiles.linkerd.io + annotations: + {{ include "partials.annotations.created-by" . }} + labels: + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + linkerd.io/control-plane-ns: {{.Release.Namespace}} +spec: + group: linkerd.io + versions: + - name: v1alpha1 + served: true + storage: false + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + description: Spec is the custom resource spec + required: + - routes + properties: + dstOverrides: + type: array + required: + - authority + - weight + items: + type: object + description: WeightedDst is a weighted alternate destination. + properties: + authority: + type: string + weight: + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + opaquePorts: + type: array + items: + type: string + retryBudget: + type: object + required: + - minRetriesPerSecond + - retryRatio + - ttl + description: RetryBudget describes the maximum number of retries that should be issued to this service. + properties: + minRetriesPerSecond: + format: int32 + type: integer + retryRatio: + type: number + format: float + ttl: + type: string + routes: + type: array + items: + type: object + description: RouteSpec specifies a Route resource. + required: + - condition + - name + properties: + condition: + type: object + description: RequestMatch describes the conditions under which to match a Route. + properties: + pathRegex: + type: string + method: + type: string + all: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + any: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + not: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + isRetryable: + type: boolean + name: + type: string + timeout: + type: string + responseClasses: + type: array + items: + type: object + required: + - condition + description: ResponseClass describes how to classify a response (e.g. success or failures). + properties: + condition: + type: object + description: ResponseMatch describes the conditions under + which to classify a response. + properties: + all: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + any: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + not: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + description: Range describes a range of integers (e.g. status codes). + properties: + max: + format: int32 + type: integer + min: + format: int32 + type: integer + isFailure: + type: boolean + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + description: Spec is the custom resource spec + properties: + dstOverrides: + type: array + required: + - authority + - weight + items: + type: object + description: WeightedDst is a weighted alternate destination. + properties: + authority: + type: string + weight: + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + opaquePorts: + type: array + items: + type: string + retryBudget: + type: object + required: + - minRetriesPerSecond + - retryRatio + - ttl + description: RetryBudget describes the maximum number of retries that should be issued to this service. + properties: + minRetriesPerSecond: + format: int32 + type: integer + retryRatio: + type: number + format: float + ttl: + type: string + routes: + type: array + items: + type: object + description: RouteSpec specifies a Route resource. + required: + - condition + - name + properties: + condition: + type: object + description: RequestMatch describes the conditions under which to match a Route. + properties: + pathRegex: + type: string + method: + type: string + all: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + any: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + not: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + isRetryable: + type: boolean + name: + type: string + timeout: + type: string + responseClasses: + type: array + items: + type: object + required: + - condition + description: ResponseClass describes how to classify a response (e.g. success or failures). + properties: + condition: + type: object + description: ResponseMatch describes the conditions under + which to classify a response. + properties: + all: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + any: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + not: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + description: Range describes a range of integers (e.g. status codes). + properties: + max: + format: int32 + type: integer + min: + format: int32 + type: integer + isFailure: + type: boolean + scope: Namespaced + preserveUnknownFields: false + names: + plural: serviceprofiles + singular: serviceprofile + kind: ServiceProfile + shortNames: + - sp diff --git a/charts/linkerd/linkerd-crds/2024.9.3/templates/workload/external-workload.yaml b/charts/linkerd/linkerd-crds/2024.9.3/templates/workload/external-workload.yaml new file mode 100644 index 000000000..2e6e43ae6 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.9.3/templates/workload/external-workload.yaml @@ -0,0 +1,303 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: externalworkloads.workload.linkerd.io + annotations: + {{ include "partials.annotations.created-by" . }} + labels: + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + linkerd.io/control-plane-ns: {{.Release.Namespace}} +spec: + group: workload.linkerd.io + names: + categories: + - external + kind: ExternalWorkload + listKind: ExternalWorkloadList + plural: externalworkloads + singular: externalworkload + scope: Namespaced + versions: + - name: v1alpha1 + served: true + storage: false + schema: + openAPIV3Schema: + description: >- + An ExternalWorkload describes a single workload (i.e. a deployable unit) external + to the cluster that should be enrolled in the mesh. + type: object + required: [spec] + properties: + apiVerson: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + meshTls: + description: meshTls describes TLS settings associated with an + external workload. + properties: + identity: + type: string + description: identity of the workload. Corresponds to the + identity used in the workload's certificate. It is used + by peers to perform verification in the mTLS handshake. + minLength: 1 + maxLength: 253 + serverName: + type: string + description: serverName is the name of the workload in DNS + format. It is used by the workload to terminate TLS using + SNI. + minLength: 1 + maxLength: 253 + type: object + required: + - identity + - serverName + ports: + type: array + description: ports describes a list of ports exposed by the + workload + items: + properties: + name: + type: string + description: name must be an IANA_SVC_NAME and unique + within the ports set. Each named port can be referred + to by services. + port: + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: protocol exposed by the port. Must be UDP or + TCP. Defaults to TCP. + type: string + default: "TCP" + type: object + required: + - port + workloadIPs: + type: array + description: workloadIPs contains a list of IP addresses that + can be used to send traffic to the workload. + items: + type: object + properties: + ip: + type: string + # TODO: relax this in the future when ipv6 is supported + # an external workload (like a pod) should only + # support 2 interfaces + maxItems: 1 + type: object + required: + - meshTls + status: + type: object + properties: + conditions: + type: array + items: + type: object + properties: + lastProbeTime: + description: lastProbeTime is the last time the + healthcheck endpoint was probed. + format: date-time + type: string + lastTransitionTime: + description: lastTransitionTime is the last time the + condition transitioned from one status to another. + format: date-time + type: string + status: + description: status of the condition (one of True, False, Unknown) + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of the condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last + transition. Producers of specific condition types may + define expected values and meanings for this field, and + whether the values are considered a guaranteed API. The + value should be a CamelCase string. This field may not + be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + message: + description: message is a human readable message + indicating details about the transition. This may be an + empty string. + maxLength: 32768 + type: string + required: + - status + - type + additionalPrinterColumns: + - jsonPath: .spec.meshTls.identity + name: Identity + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - name: v1beta1 + served: true + storage: true + subresources: + status: {} + schema: + openAPIV3Schema: + description: >- + An ExternalWorkload describes a single workload (i.e. a deployable unit) external + to the cluster that should be enrolled in the mesh. + type: object + required: [spec] + properties: + apiVerson: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + meshTLS: + description: meshTLS describes TLS settings associated with an + external workload. + properties: + identity: + type: string + description: identity of the workload. Corresponds to the + identity used in the workload's certificate. It is used + by peers to perform verification in the mTLS handshake. + minLength: 1 + maxLength: 253 + serverName: + type: string + description: serverName is the name of the workload in DNS + format. It is used by the workload to terminate TLS using + SNI. + minLength: 1 + maxLength: 253 + type: object + required: + - identity + - serverName + ports: + type: array + description: ports describes a list of ports exposed by the + workload + items: + properties: + name: + type: string + description: name must be an IANA_SVC_NAME and unique + within the ports set. Each named port can be referred + to by services. + port: + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: protocol exposed by the port. Must be UDP or + TCP. Defaults to TCP. + type: string + default: "TCP" + type: object + required: + - port + workloadIPs: + type: array + description: workloadIPs contains a list of IP addresses that + can be used to send traffic to the workload. This field may + hold a maximum of two entries. If one entry, it can be an + IPv4 or IPv6 address; if two entries it should contain one + IPv4 address and one IPv6 address. + items: + type: object + properties: + ip: + type: string + maxItems: 2 + type: object + required: + - meshTLS + status: + type: object + properties: + conditions: + type: array + items: + type: object + properties: + lastProbeTime: + description: lastProbeTime is the last time the + healthcheck endpoint was probed. + format: date-time + type: string + lastTransitionTime: + description: lastTransitionTime is the last time the + condition transitioned from one status to another. + format: date-time + type: string + status: + description: status of the condition (one of True, False, Unknown) + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of the condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last + transition. Producers of specific condition types may + define expected values and meanings for this field, and + whether the values are considered a guaranteed API. The + value should be a CamelCase string. This field may not + be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + message: + description: message is a human readable message + indicating details about the transition. This may be an + empty string. + maxLength: 32768 + type: string + required: + - status + - type + additionalPrinterColumns: + - jsonPath: .spec.meshTLS.identity + name: Identity + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date diff --git a/charts/linkerd/linkerd-crds/2024.9.3/values.yaml b/charts/linkerd/linkerd-crds/2024.9.3/values.yaml new file mode 100644 index 000000000..362145168 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.9.3/values.yaml @@ -0,0 +1 @@ +enableHttpRoutes: true diff --git a/charts/nats/nats/1.2.5/.helmignore b/charts/nats/nats/1.2.5/.helmignore new file mode 100644 index 000000000..240dfde2a --- /dev/null +++ b/charts/nats/nats/1.2.5/.helmignore @@ -0,0 +1,26 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ + +# template tests +/test diff --git a/charts/nats/nats/1.2.5/Chart.yaml b/charts/nats/nats/1.2.5/Chart.yaml new file mode 100644 index 000000000..ba01e289c --- /dev/null +++ b/charts/nats/nats/1.2.5/Chart.yaml @@ -0,0 +1,22 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: NATS Server + catalog.cattle.io/kube-version: '>=1.16-0' + catalog.cattle.io/release-name: nats +apiVersion: v2 +appVersion: 2.10.21 +description: A Helm chart for the NATS.io High Speed Cloud Native Distributed Communications + Technology. +home: http://github.com/nats-io/k8s +icon: file://assets/icons/nats.png +keywords: +- nats +- messaging +- cncf +kubeVersion: '>=1.16-0' +maintainers: +- email: info@nats.io + name: The NATS Authors + url: https://github.com/nats-io +name: nats +version: 1.2.5 diff --git a/charts/nats/nats/1.2.5/README.md b/charts/nats/nats/1.2.5/README.md new file mode 100644 index 000000000..0916999df --- /dev/null +++ b/charts/nats/nats/1.2.5/README.md @@ -0,0 +1,329 @@ +# NATS Server + +--- + +[NATS](https://nats.io) is a simple, secure and performant communications system for digital systems, services and devices. +NATS is part of the Cloud Native Computing Foundation ([CNCF](https://cncf.io)). +NATS has over [30 client language implementations](https://nats.io/download/), and its server can run on-premise, in the cloud, at the edge, and even on a Raspberry Pi. +NATS can secure and simplify design and operation of modern distributed systems. + +```shell +helm repo add nats https://nats-io.github.io/k8s/helm/charts/ +helm upgrade --install nats nats/nats +``` + +## Upgrade Nodes + +- **Upgrading from 0.x**: The `values.yaml` schema changed significantly from 0.x to 1.x. Read [UPGRADING.md](UPGRADING.md) for instructions on upgrading a 0.x release to 1.x. + +## Values + +There are a handful of explicitly defined options which are documented with comments in the [values.yaml](values.yaml) file. + +Everything in the NATS Config or Kubernetes Resources can be overridden by `merge` and `patch`, which is supported for the following values: + +| key | type | enabled by default | +|----------------------------------|-----------------------------------------------------------------------------------------------------------------------------|-----------------------------------------| +| `config` | [NATS Config](https://docs.nats.io/running-a-nats-service/configuration) | yes | +| `config.cluster` | [NATS Cluster](https://docs.nats.io/running-a-nats-service/configuration/clustering/cluster_config) | no | +| `config.cluster.tls` | [NATS TLS](https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls) | no | +| `config.jetstream` | [NATS JetStream](https://docs.nats.io/running-a-nats-service/configuration#jetstream) | no | +| `config.jetstream.fileStore.pvc` | [k8s PVC](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#persistentvolumeclaim-v1-core) | yes, when `config.jetstream` is enabled | +| `config.nats.tls` | [NATS TLS](https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls) | no | +| `config.leafnodes` | [NATS LeafNodes](https://docs.nats.io/running-a-nats-service/configuration/leafnodes/leafnode_conf) | no | +| `config.leafnodes.tls` | [NATS TLS](https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls) | no | +| `config.websocket` | [NATS WebSocket](https://docs.nats.io/running-a-nats-service/configuration/websocket/websocket_conf) | no | +| `config.websocket.tls` | [NATS TLS](https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls) | no | +| `config.websocket.ingress` | [k8s Ingress](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#ingress-v1-networking-k8s-io) | no | +| `config.mqtt` | [NATS MQTT](https://docs.nats.io/running-a-nats-service/configuration/mqtt/mqtt_config) | no | +| `config.mqtt.tls` | [NATS TLS](https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls) | no | +| `config.gateway` | [NATS Gateway](https://docs.nats.io/running-a-nats-service/configuration/gateways/gateway#gateway-configuration-block) | no | +| `config.gateway.tls` | [NATS TLS](https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls) | no | +| `config.resolver` | [NATS Resolver](https://docs.nats.io/running-a-nats-service/configuration/securing_nats/auth_intro/jwt/resolver) | no | +| `config.resolver.pvc` | [k8s PVC](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#persistentvolumeclaim-v1-core) | yes, when `config.resolver` is enabled | +| `container` | nats [k8s Container](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#container-v1-core) | yes | +| `reloader` | config reloader [k8s Container](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#container-v1-core) | yes | +| `promExporter` | prometheus exporter [k8s Container](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#container-v1-core) | no | +| `promExporter.podMonitor` | [prometheus PodMonitor](https://prometheus-operator.dev/docs/operator/api/#monitoring.coreos.com/v1.PodMonitor) | no | +| `service` | [k8s Service](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#service-v1-core) | yes | +| `statefulSet` | [k8s StatefulSet](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#statefulset-v1-apps) | yes | +| `podTemplate` | [k8s PodTemplate](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#pod-v1-core) | yes | +| `headlessService` | [k8s Service](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#service-v1-core) | yes | +| `configMap` | [k8s ConfigMap](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#configmap-v1-core) | yes | +| `natsBox.contexts.default` | [NATS Context](https://docs.nats.io/using-nats/nats-tools/nats_cli#nats-contexts) | yes | +| `natsBox.contexts.[name]` | [NATS Context](https://docs.nats.io/using-nats/nats-tools/nats_cli#nats-contexts) | no | +| `natsBox.container` | nats-box [k8s Container](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#container-v1-core) | yes | +| `natsBox.deployment` | [k8s Deployment](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#deployment-v1-apps) | yes | +| `natsBox.podTemplate` | [k8s PodTemplate](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#pod-v1-core) | yes | +| `natsBox.contextsSecret` | [k8s Secret](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#secret-v1-core) | yes | +| `natsBox.contentsSecret` | [k8s Secret](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#secret-v1-core) | yes | + +### Merge + +Merging is performed using the Helm `merge` function. Example - add NATS accounts and container resources: + +```yaml +config: + merge: + accounts: + A: + users: + - {user: a, password: a} + B: + users: + - {user: b, password: b} +natsBox: + contexts: + a: + merge: {user: a, password: a} + b: + merge: {user: b, password: b} + defaultContextName: a +``` + +## Patch + +Patching is performed using [JSON Patch](https://jsonpatch.com/). Example - add additional route to end of route list: + +```yaml +config: + cluster: + enabled: true + patch: + - op: add + path: /routes/- + value: nats://demo.nats.io:6222 +``` + +## Common Configurations + +### JetStream Cluster on 3 separate hosts + +```yaml +config: + cluster: + enabled: true + replicas: 3 + jetstream: + enabled: true + fileStore: + pvc: + size: 10Gi + +podTemplate: + topologySpreadConstraints: + kubernetes.io/hostname: + maxSkew: 1 + whenUnsatisfiable: DoNotSchedule +``` + +### NATS Container Resources + +```yaml +container: + env: + # different from k8s units, suffix must be B, KiB, MiB, GiB, or TiB + # should be ~90% of memory limit + GOMEMLIMIT: 7GiB + merge: + # recommended limit is at least 2 CPU cores and 8Gi Memory for production JetStream clusters + resources: + requests: + cpu: "2" + memory: 8Gi + limits: + cpu: "2" + memory: 8Gi +``` + +### Specify Image Version + +```yaml +container: + image: + tag: x.y.z-alpine +``` + +### Operator Mode with NATS Resolver + +Run `nsc generate config --nats-resolver` and replace the `OPERATOR_JWT`, `SYS_ACCOUNT_ID`, and `SYS_ACCOUNT_JWT` with your values. +Make sure that you do not include the trailing `,` in the `SYS_ACCOUNT_JWT`. + +``` +config: + resolver: + enabled: true + merge: + type: full + interval: 2m + timeout: 1.9s + merge: + operator: OPERATOR_JWT + system_account: SYS_ACCOUNT_ID + resolver_preload: + SYS_ACCOUNT_ID: SYS_ACCOUNT_JWT +``` + + +## Accessing NATS + +The chart contains 2 services by default, `service` and `headlessService`. + +### `service` + +The `service` is intended to be accessed by NATS Clients. It is a `ClusterIP` service by default, however it can easily be changed to a different service type. + +The `nats`, `websocket`, `leafnodes`, and `mqtt` ports will be exposed through this service by default if they are enabled. + +Example: change this service type to a `LoadBalancer`: + +```yaml +service: + merge: + spec: + type: LoadBalancer +``` + +### `headlessService` + +The `headlessService` is used for NATS Servers in the Stateful Set to discover one another. It is primarily intended to be used for Cluster Route connections. + +### TLS Considerations + +The TLS Certificate used for Client Connections should have a SAN covering DNS Name that clients access the `service` at. + +The TLS Certificate used for Cluster Route Connections should have a SAN covering the DNS Name that routes access each other on the `headlessService` at. This is `*.` by default. + +## Advanced Features + +### Templating Values + +Anything in `values.yaml` can be templated: + +- maps matching the following syntax will be templated and parsed as YAML: + ```yaml + $tplYaml: | + yaml template + ``` +- maps matching the follow syntax will be templated, parsed as YAML, and spread into the parent map/slice + ```yaml + $tplYamlSpread: | + yaml template + ``` + +Example - change service name: + +```yaml +service: + name: + $tplYaml: >- + {{ include "nats.fullname" . }}-svc +``` + +### NATS Config Units and Variables + +NATS configuration extends JSON, and can represent Units and Variables. They must be wrapped in `<< >>` in order to template correctly. Example: + +```yaml +config: + merge: + authorization: + # variable + token: << $TOKEN >> + # units + max_payload: << 2MB >> +``` + +templates to the `nats.conf`: + +``` +{ + "authorization": { + "token": $TOKEN + }, + "max_payload": 2MB, + "port": 4222, + ... +} +``` + +### NATS Config Includes + +Any NATS Config key ending in `$include` will be replaced with an include directive. Included files should be in paths relative to `/etc/nats-config`. Multiple `$include` keys are supported by using a prefix, and will be sorted alphabetically. Example: + +```yaml +config: + merge: + 00$include: auth.conf + 01$include: params.conf +configMap: + merge: + data: + auth.conf: | + accounts: { + A: { + users: [ + {user: a, password: a} + ] + }, + B: { + users: [ + {user: b, password: b} + ] + }, + } + params.conf: | + max_payload: 2MB +``` + +templates to the `nats.conf`: + +``` +include auth.conf; +"port": 4222, +... +include params.conf; +``` + +### Extra Resources + +Enables adding additional arbitrary resources. Example - expose WebSocket via VirtualService in Istio: + +```yaml +config: + websocket: + enabled: true +extraResources: +- apiVersion: networking.istio.io/v1beta1 + kind: VirtualService + metadata: + namespace: + $tplYamlSpread: > + {{ include "nats.metadataNamespace" $ }} + name: + $tplYaml: > + {{ include "nats.fullname" $ | quote }} + labels: + $tplYaml: | + {{ include "nats.labels" $ }} + spec: + hosts: + - demo.nats.io + gateways: + - my-gateway + http: + - name: default + match: + - name: root + uri: + exact: / + route: + - destination: + host: + $tplYaml: > + {{ .Values.service.name | quote }} + port: + number: + $tplYaml: > + {{ .Values.config.websocket.port }} +``` diff --git a/charts/nats/nats/1.2.5/UPGRADING.md b/charts/nats/nats/1.2.5/UPGRADING.md new file mode 100644 index 000000000..9cc177991 --- /dev/null +++ b/charts/nats/nats/1.2.5/UPGRADING.md @@ -0,0 +1,155 @@ +# Upgrading from 0.x to 1.x + +Instructions for upgrading an existing `nats` 0.x release to 1.x. + +## Rename Immutable Fields + +There are a number of immutable fields in the NATS Stateful Set and NATS Box deployment. All 1.x `values.yaml` files targeting an existing 0.x release will require some or all of these settings: + +```yaml +config: + # required if using JetStream file storage + jetstream: + # uncomment the next line if using JetStream file storage + # enabled: true + fileStore: + pvc: + name: + $tplYaml: >- + {{ include "nats.fullname" . }}-js-pvc + # set other PVC options here to make it match 0.x, refer to values.yaml for schema + + # required if using a full or cache resolver + resolver: + # uncomment the next line if using a full or cache resolver + # enabled: true + pvc: + name: nats-jwt-pvc + # set other PVC options here to make it match 0.x, refer to values.yaml for schema + +# required +statefulSet: + patch: + - op: remove + path: /spec/selector/matchLabels/app.kubernetes.io~1component + - $tplYamlSpread: |- + {{- if and + .Values.config.jetstream.enabled + .Values.config.jetstream.fileStore.enabled + .Values.config.jetstream.fileStore.pvc.enabled + .Values.config.resolver.enabled + .Values.config.resolver.pvc.enabled + }} + - op: move + from: /spec/volumeClaimTemplates/0 + path: /spec/volumeClaimTemplates/1 + {{- else}} + [] + {{- end }} + +# required +headlessService: + name: + $tplYaml: >- + {{ include "nats.fullname" . }} + +# required unless 0.x values explicitly set nats.serviceAccount.create=false +serviceAccount: + enabled: true + +# required to use new ClusterIP service for Clients accessing NATS +# if using TLS, this may require adding another SAN +service: + # uncomment the next line to disable the new ClusterIP service + # enabled: false + name: + $tplYaml: >- + {{ include "nats.fullname" . }}-svc + +# required if using NatsBox +natsBox: + deployment: + patch: + - op: replace + path: /spec/selector/matchLabels + value: + app: nats-box + - op: add + path: /spec/template/metadata/labels/app + value: nats-box +``` + +## Update NATS Config to new values.yaml schema + +Most values that control the NATS Config have changed and moved under the `config` key. Refer to the 1.x Chart's [values.yaml](values.yaml) for the complete schema. + +After migrating to the new values schema, ensure that changes you expect in the NATS Config files match by templating the old and new config files. + +Template your old 0.x Config Map, this example uses a file called `values-old.yaml`: + +```sh +helm template \ + --version "0.x" \ + -f values-old.yaml \ + -s templates/configmap.yaml \ + nats \ + nats/nats +``` + +Template your new 1.x Config Map, this example uses a file called `values.yaml`: + +```sh +helm template \ + --version "^1-beta" \ + -f values.yaml \ + -s templates/config-map.yaml \ + nats \ + nats/nats +``` + +## Update Kubernetes Resources to new values.yaml schema + +Most values that control Kubernetes Resources have been changed. Refer to the 1.x Chart's [values.yaml](values.yaml) for the complete schema. + +After migrating to the new values schema, ensure that changes you expect in resources match by templating the old and new resources. + +| Resource | 0.x Template File | 1.x Template File | +|-------------------------|---------------------------------|-------------------------------------------| +| Config Map | `templates/configmap.yaml` | `templates/config-map.yaml` | +| Stateful Set | `templates/statefulset.yaml` | `templates/stateful-set.yaml` | +| Headless Service | `templates/service.yaml` | `templates/headless-service.yaml` | +| ClusterIP Service | N/A | `templates/service.yaml` | +| Network Policy | `templates/networkpolicy.yaml` | N/A | +| Pod Disruption Budget | `templates/pdb.yaml` | `templates/pod-disruption-budget.yaml` | +| Service Account | `templates/rbac.yaml` | `templates/service-account.yaml` | +| Resource | `templates/` | `templates/` | +| Resource | `templates/` | `templates/` | +| Prometheus Monitor | `templates/serviceMonitor.yaml` | `templates/pod-monitor.yaml` | +| NatsBox Deployment | `templates/nats-box.yaml` | `templates/nats-box/deployment.yaml` | +| NatsBox Service Account | N/A | `templates/nats-box/service-account.yaml` | +| NatsBox Contents Secret | N/A | `templates/nats-box/contents-secret.yaml` | +| NatsBox Contexts Secret | N/A | `templates/nats-box/contexts-secret.yaml` | + +For example, to check that the Stateful Set matches: + +Template your old 0.x Stateful Set, this example uses a file called `values-old.yaml`: + +```sh +helm template \ + --version "0.x" \ + -f values-old.yaml \ + -s templates/statefulset.yaml \ + nats \ + nats/nats +``` + +Template your new 1.x Stateful Set, this example uses a file called `values.yaml`: + +```sh +helm template \ + --version "^1-beta" \ + -f values.yaml \ + -s templates/stateful-set.yaml \ + nats \ + nats/nats +``` diff --git a/charts/nats/nats/1.2.5/app-readme.md b/charts/nats/nats/1.2.5/app-readme.md new file mode 100644 index 000000000..b4511f4d5 --- /dev/null +++ b/charts/nats/nats/1.2.5/app-readme.md @@ -0,0 +1,3 @@ +# NATS Server + + [NATS](https://nats.io) is a simple, secure and performant communications system for digital systems, services and devices. NATS is part of the Cloud Native Computing Foundation ([CNCF](https://cncf.io)). NATS has over [30 client language implementations](https://nats.io/download/), and its server can run on-premise, in the cloud, at the edge, and even on a Raspberry Pi. NATS can secure and simplify design and operation of modern distributed systems. diff --git a/charts/nats/nats/1.2.5/files/config-map.yaml b/charts/nats/nats/1.2.5/files/config-map.yaml new file mode 100644 index 000000000..89ee3c281 --- /dev/null +++ b/charts/nats/nats/1.2.5/files/config-map.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + {{- include "nats.metadataNamespace" $ | nindent 2 }} + name: {{ .Values.configMap.name }} + labels: + {{- include "nats.labels" $ | nindent 4 }} +data: + nats.conf: | + {{- include "nats.formatConfig" .config | nindent 4 }} diff --git a/charts/nats/nats/1.2.5/files/config/cluster.yaml b/charts/nats/nats/1.2.5/files/config/cluster.yaml new file mode 100644 index 000000000..719cb8ade --- /dev/null +++ b/charts/nats/nats/1.2.5/files/config/cluster.yaml @@ -0,0 +1,32 @@ +{{- with .Values.config.cluster }} +name: {{ $.Values.statefulSet.name }} +port: {{ .port }} +no_advertise: true +routes: +{{- $proto := ternary "tls" "nats" .tls.enabled }} +{{- $auth := "" }} +{{- if and .routeURLs.user .routeURLs.password }} + {{- $auth = printf "%s:%s@" (urlquery .routeURLs.user) (urlquery .routeURLs.password) -}} +{{- end }} +{{- $domain := $.Values.headlessService.name }} +{{- if .routeURLs.useFQDN }} + {{- $domain = printf "%s.%s.svc.%s" $domain (include "nats.namespace" $) .routeURLs.k8sClusterDomain }} +{{- end }} +{{- $port := (int .port) }} +{{- range $i, $_ := until (int .replicas) }} +- {{ printf "%s://%s%s-%d.%s:%d" $proto $auth $.Values.statefulSet.name $i $domain $port }} +{{- end }} + +{{- if and .routeURLs.user .routeURLs.password }} +authorization: + user: {{ .routeURLs.user | quote }} + password: {{ .routeURLs.password | quote }} +{{- end }} + +{{- with .tls }} +{{- if .enabled }} +tls: + {{- include "nats.loadMergePatch" (merge (dict "file" "config/tls.yaml" "ctx" (merge (dict "tls" .) $)) .) | nindent 2 }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/nats/nats/1.2.5/files/config/config.yaml b/charts/nats/nats/1.2.5/files/config/config.yaml new file mode 100644 index 000000000..92fd96f1a --- /dev/null +++ b/charts/nats/nats/1.2.5/files/config/config.yaml @@ -0,0 +1,114 @@ +{{- with .Values.config }} + +server_name: << $SERVER_NAME >> +lame_duck_grace_period: 10s +lame_duck_duration: 30s +pid_file: /var/run/nats/nats.pid + +######################################## +# NATS +######################################## +{{- with .nats }} +port: {{ .port }} + +{{- with .tls }} +{{- if .enabled }} +tls: + {{- include "nats.loadMergePatch" (merge (dict "file" "config/tls.yaml" "ctx" (merge (dict "tls" .) $)) .) | nindent 2 }} +{{- end }} +{{- end }} +{{- end }} + +######################################## +# leafnodes +######################################## +{{- with .leafnodes }} +{{- if .enabled }} +leafnodes: + {{- include "nats.loadMergePatch" (merge (dict "file" "config/leafnodes.yaml" "ctx" $) .) | nindent 2 }} +{{- end }} +{{- end }} + +######################################## +# websocket +######################################## +{{- with .websocket }} +{{- if .enabled }} +websocket: + {{- include "nats.loadMergePatch" (merge (dict "file" "config/websocket.yaml" "ctx" $) .) | nindent 2 }} +{{- end }} +{{- end }} + +######################################## +# MQTT +######################################## +{{- with .mqtt }} +{{- if .enabled }} +mqtt: + {{- include "nats.loadMergePatch" (merge (dict "file" "config/mqtt.yaml" "ctx" $) .) | nindent 2 }} +{{- end }} +{{- end }} + +######################################## +# cluster +######################################## +{{- with .cluster }} +{{- if .enabled }} +cluster: + {{- include "nats.loadMergePatch" (merge (dict "file" "config/cluster.yaml" "ctx" $) .) | nindent 2 }} +{{- end }} +{{- end }} + +######################################## +# gateway +######################################## +{{- with .gateway }} +{{- if .enabled }} +gateway: + {{- include "nats.loadMergePatch" (merge (dict "file" "config/gateway.yaml" "ctx" $) .) | nindent 2 }} +{{- end }} +{{- end }} + +######################################## +# monitor +######################################## +{{- with .monitor }} +{{- if .enabled }} +{{- if .tls.enabled }} +https_port: {{ .port }} +{{- else }} +http_port: {{ .port }} +{{- end }} +{{- end }} +{{- end }} + +######################################## +# profiling +######################################## +{{- with .profiling }} +{{- if .enabled }} +prof_port: {{ .port }} +{{- end }} +{{- end }} + +######################################## +# jetstream +######################################## +{{- with $.Values.config.jetstream -}} +{{- if .enabled }} +jetstream: + {{- include "nats.loadMergePatch" (merge (dict "file" "config/jetstream.yaml" "ctx" $) .) | nindent 2 }} +{{- end }} +{{- end }} + +######################################## +# resolver +######################################## +{{- with $.Values.config.resolver -}} +{{- if .enabled }} +resolver: + {{- include "nats.loadMergePatch" (merge (dict "file" "config/resolver.yaml" "ctx" $) .) | nindent 2 }} +{{- end }} +{{- end }} + +{{- end }} diff --git a/charts/nats/nats/1.2.5/files/config/gateway.yaml b/charts/nats/nats/1.2.5/files/config/gateway.yaml new file mode 100644 index 000000000..32d4ed9f7 --- /dev/null +++ b/charts/nats/nats/1.2.5/files/config/gateway.yaml @@ -0,0 +1,11 @@ +{{- with .Values.config.gateway }} +name: {{ $.Values.statefulSet.name }} +port: {{ .port }} + +{{- with .tls }} +{{- if .enabled }} +tls: + {{- include "nats.loadMergePatch" (merge (dict "file" "config/tls.yaml" "ctx" (merge (dict "tls" .) $)) .) | nindent 2 }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/nats/nats/1.2.5/files/config/jetstream.yaml b/charts/nats/nats/1.2.5/files/config/jetstream.yaml new file mode 100644 index 000000000..17262f643 --- /dev/null +++ b/charts/nats/nats/1.2.5/files/config/jetstream.yaml @@ -0,0 +1,23 @@ +{{- with .Values.config.jetstream }} +{{- with .memoryStore }} +{{- if .enabled }} +{{- with .maxSize }} +max_memory_store: << {{ . }} >> +{{- end }} +{{- else }} +max_memory_store: 0 +{{- end }} +{{- end }} +{{- with .fileStore }} +{{- if .enabled }} +store_dir: {{ .dir }} +{{- if .maxSize }} +max_file_store: << {{ .maxSize }} >> +{{- else if .pvc.enabled }} +max_file_store: << {{ .pvc.size }} >> +{{- end }} +{{- else }} +max_file_store: 0 +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/nats/nats/1.2.5/files/config/leafnodes.yaml b/charts/nats/nats/1.2.5/files/config/leafnodes.yaml new file mode 100644 index 000000000..3a1d9a14a --- /dev/null +++ b/charts/nats/nats/1.2.5/files/config/leafnodes.yaml @@ -0,0 +1,11 @@ +{{- with .Values.config.leafnodes }} +port: {{ .port }} +no_advertise: true + +{{- with .tls }} +{{- if .enabled }} +tls: + {{- include "nats.loadMergePatch" (merge (dict "file" "config/tls.yaml" "ctx" (merge (dict "tls" .) $)) .) | nindent 2 }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/nats/nats/1.2.5/files/config/mqtt.yaml b/charts/nats/nats/1.2.5/files/config/mqtt.yaml new file mode 100644 index 000000000..e25d8a3e0 --- /dev/null +++ b/charts/nats/nats/1.2.5/files/config/mqtt.yaml @@ -0,0 +1,10 @@ +{{- with .Values.config.mqtt }} +port: {{ .port }} + +{{- with .tls }} +{{- if .enabled }} +tls: + {{- include "nats.loadMergePatch" (merge (dict "file" "config/tls.yaml" "ctx" (merge (dict "tls" .) $)) .) | nindent 2 }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/nats/nats/1.2.5/files/config/protocol.yaml b/charts/nats/nats/1.2.5/files/config/protocol.yaml new file mode 100644 index 000000000..288c80d75 --- /dev/null +++ b/charts/nats/nats/1.2.5/files/config/protocol.yaml @@ -0,0 +1,10 @@ +{{- with .protocol }} +port: {{ .port }} + +{{- with .tls }} +{{- if .enabled }} +tls: + {{- include "nats.loadMergePatch" (merge (dict "file" "config/tls.yaml" "ctx" (merge (dict "tls" .) $)) .) | nindent 2 }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/nats/nats/1.2.5/files/config/resolver.yaml b/charts/nats/nats/1.2.5/files/config/resolver.yaml new file mode 100644 index 000000000..a6761c403 --- /dev/null +++ b/charts/nats/nats/1.2.5/files/config/resolver.yaml @@ -0,0 +1,3 @@ +{{- with .Values.config.resolver }} +dir: {{ .dir }} +{{- end }} diff --git a/charts/nats/nats/1.2.5/files/config/tls.yaml b/charts/nats/nats/1.2.5/files/config/tls.yaml new file mode 100644 index 000000000..26aee0155 --- /dev/null +++ b/charts/nats/nats/1.2.5/files/config/tls.yaml @@ -0,0 +1,16 @@ +# tls +{{- with .tls }} +{{- if .secretName }} +{{- $dir := trimSuffix "/" .dir }} +cert_file: {{ printf "%s/%s" $dir (.cert | default "tls.crt") | quote }} +key_file: {{ printf "%s/%s" $dir (.key | default "tls.key") | quote }} +{{- end }} +{{- end }} + +# tlsCA +{{- with $.Values.tlsCA }} +{{- if and .enabled (or .configMapName .secretName) }} +{{- $dir := trimSuffix "/" .dir }} +ca_file: {{ printf "%s/%s" $dir (.key | default "ca.crt") | quote }} +{{- end }} +{{- end }} diff --git a/charts/nats/nats/1.2.5/files/config/websocket.yaml b/charts/nats/nats/1.2.5/files/config/websocket.yaml new file mode 100644 index 000000000..afcd178a7 --- /dev/null +++ b/charts/nats/nats/1.2.5/files/config/websocket.yaml @@ -0,0 +1,12 @@ +{{- with .Values.config.websocket }} +port: {{ .port }} + +{{- if .tls.enabled }} +{{- with .tls }} +tls: + {{- include "nats.loadMergePatch" (merge (dict "file" "config/tls.yaml" "ctx" (merge (dict "tls" .) $)) .) | nindent 2 }} +{{- end }} +{{- else }} +no_tls: true +{{- end }} +{{- end }} diff --git a/charts/nats/nats/1.2.5/files/headless-service.yaml b/charts/nats/nats/1.2.5/files/headless-service.yaml new file mode 100644 index 000000000..da6552b37 --- /dev/null +++ b/charts/nats/nats/1.2.5/files/headless-service.yaml @@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Service +metadata: + {{- include "nats.metadataNamespace" $ | nindent 2 }} + name: {{ .Values.headlessService.name }} + labels: + {{- include "nats.labels" $ | nindent 4 }} +spec: + selector: + {{- include "nats.selectorLabels" $ | nindent 4 }} + clusterIP: None + publishNotReadyAddresses: true + ports: + {{- range $protocol := list "nats" "leafnodes" "websocket" "mqtt" "cluster" "gateway" "monitor" "profiling" }} + {{- $configProtocol := get $.Values.config $protocol }} + {{- if or (eq $protocol "nats") $configProtocol.enabled }} + {{- $tlsEnabled := false }} + {{- if hasKey $configProtocol "tls" }} + {{- $tlsEnabled = $configProtocol.tls.enabled }} + {{- end }} + {{- $appProtocol := or (eq $protocol "websocket") (eq $protocol "monitor") | ternary ($tlsEnabled | ternary "https" "http") ($tlsEnabled | ternary "tls" "tcp") }} + - {{ dict "name" $protocol "port" $configProtocol.port "targetPort" $protocol "appProtocol" $appProtocol | toYaml | nindent 4 }} + {{- end }} + {{- end }} diff --git a/charts/nats/nats/1.2.5/files/ingress.yaml b/charts/nats/nats/1.2.5/files/ingress.yaml new file mode 100644 index 000000000..b59f0fa5f --- /dev/null +++ b/charts/nats/nats/1.2.5/files/ingress.yaml @@ -0,0 +1,34 @@ +{{- with .Values.config.websocket.ingress }} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + {{- include "nats.metadataNamespace" $ | nindent 2 }} + name: {{ .name }} + labels: + {{- include "nats.labels" $ | nindent 4 }} +spec: + {{- with .className }} + ingressClassName: {{ . | quote }} + {{- end }} + rules: + {{- $path := .path }} + {{- $pathType := .pathType }} + {{- range .hosts }} + - host: {{ . | quote }} + http: + paths: + - path: {{ $path | quote }} + pathType: {{ $pathType | quote }} + backend: + service: + name: {{ $.Values.service.name }} + port: + name: websocket + {{- end }} + {{- if .tlsSecretName }} + tls: + - secretName: {{ .tlsSecretName | quote }} + hosts: + {{- toYaml .hosts | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/nats/nats/1.2.5/files/nats-box/contents-secret.yaml b/charts/nats/nats/1.2.5/files/nats-box/contents-secret.yaml new file mode 100644 index 000000000..6e8fdb26f --- /dev/null +++ b/charts/nats/nats/1.2.5/files/nats-box/contents-secret.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Secret +metadata: + {{- include "nats.metadataNamespace" $ | nindent 2 }} + name: {{ .Values.natsBox.contentsSecret.name }} + labels: + {{- include "natsBox.labels" $ | nindent 4 }} +type: Opaque +stringData: + {{- range $ctxKey, $ctxVal := .Values.natsBox.contexts }} + {{- range $secretKey, $secretVal := dict "creds" "creds" "nkey" "nk" }} + {{- $secret := get $ctxVal $secretKey }} + {{- if and $secret $secret.contents }} + "{{ $ctxKey }}.{{ $secretVal }}": {{ $secret.contents | quote }} + {{- end }} + {{- end }} + {{- end }} diff --git a/charts/nats/nats/1.2.5/files/nats-box/contexts-secret/context.yaml b/charts/nats/nats/1.2.5/files/nats-box/contexts-secret/context.yaml new file mode 100644 index 000000000..54480eac9 --- /dev/null +++ b/charts/nats/nats/1.2.5/files/nats-box/contexts-secret/context.yaml @@ -0,0 +1,51 @@ +{{- $contextName := .contextName }} + +# url +{{- if .Values.service.enabled }} +url: nats://{{ .Values.service.name }} +{{- else }} +url: nats://{{ .Values.headlessService.name }} +{{- end }} + +{{- with .context }} + +# creds +{{- with .creds}} +{{- if .contents }} +creds: /etc/nats-contents/{{ $contextName }}.creds +{{- else if .secretName }} +{{- $dir := trimSuffix "/" .dir }} +creds: {{ printf "%s/%s" $dir (.key | default "nats.creds") | quote }} +{{- end }} +{{- end }} + +# nkey +{{- with .nkey}} +{{- if .contents }} +nkey: /etc/nats-contents/{{ $contextName }}.nk +{{- else if .secretName }} +{{- $dir := trimSuffix "/" .dir }} +nkey: {{ printf "%s/%s" $dir (.key | default "nats.nk") | quote }} +{{- end }} +{{- end }} + +# tls +{{- with .tls }} +{{- if .secretName }} +{{- $dir := trimSuffix "/" .dir }} +cert: {{ printf "%s/%s" $dir (.cert | default "tls.crt") | quote }} +key: {{ printf "%s/%s" $dir (.key | default "tls.key") | quote }} +{{- end }} +{{- end }} + +# tlsCA +{{- if $.Values.config.nats.tls.enabled }} +{{- with $.Values.tlsCA }} +{{- if and .enabled (or .configMapName .secretName) }} +{{- $dir := trimSuffix "/" .dir }} +ca: {{ printf "%s/%s" $dir (.key | default "ca.crt") | quote }} +{{- end }} +{{- end }} +{{- end }} + +{{- end }} diff --git a/charts/nats/nats/1.2.5/files/nats-box/contexts-secret/contexts-secret.yaml b/charts/nats/nats/1.2.5/files/nats-box/contexts-secret/contexts-secret.yaml new file mode 100644 index 000000000..0ce8d1d87 --- /dev/null +++ b/charts/nats/nats/1.2.5/files/nats-box/contexts-secret/contexts-secret.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Secret +metadata: + {{- include "nats.metadataNamespace" $ | nindent 2 }} + name: {{ .Values.natsBox.contextsSecret.name }} + labels: + {{- include "natsBox.labels" $ | nindent 4 }} +type: Opaque +stringData: +{{- range $ctxKey, $ctxVal := .Values.natsBox.contexts }} + "{{ $ctxKey }}.json": | + {{- include "toPrettyRawJson" (include "nats.loadMergePatch" (dict "file" "nats-box/contexts-secret/context.yaml" "merge" (.merge | default dict) "patch" (.patch | default list) "ctx" (merge (dict "contextName" $ctxKey "context" $ctxVal) $)) | fromYaml) | nindent 4 }} +{{- end }} diff --git a/charts/nats/nats/1.2.5/files/nats-box/deployment/container.yaml b/charts/nats/nats/1.2.5/files/nats-box/deployment/container.yaml new file mode 100644 index 000000000..aa1753b4b --- /dev/null +++ b/charts/nats/nats/1.2.5/files/nats-box/deployment/container.yaml @@ -0,0 +1,46 @@ +name: nats-box +{{ include "nats.image" (merge (pick $.Values "global") .Values.natsBox.container.image) }} + +{{- with .Values.natsBox.container.env }} +env: +{{- include "nats.env" . }} +{{- end }} + +command: +- sh +- -ec +- | + work_dir="$(pwd)" + mkdir -p "$XDG_CONFIG_HOME/nats" + cd "$XDG_CONFIG_HOME/nats" + if ! [ -s context ]; then + ln -s /etc/nats-contexts context + fi + {{- if .Values.natsBox.defaultContextName }} + if ! [ -f context.txt ]; then + echo -n {{ .Values.natsBox.defaultContextName | quote }} > context.txt + fi + {{- end }} + cd "$work_dir" + exec /entrypoint.sh "$@" +- -- +args: +- sh +- -ec +- trap true INT TERM; sleep infinity & wait +volumeMounts: +# contexts secret +- name: contexts + mountPath: /etc/nats-contexts +# contents secret +{{- if .hasContentsSecret }} +- name: contents + mountPath: /etc/nats-contents +{{- end }} +# tlsCA +{{- include "nats.tlsCAVolumeMount" $ }} +# secrets +{{- range (include "natsBox.secretNames" $ | fromJson).secretNames }} +- name: {{ .name | quote }} + mountPath: {{ .dir | quote }} +{{- end }} diff --git a/charts/nats/nats/1.2.5/files/nats-box/deployment/deployment.yaml b/charts/nats/nats/1.2.5/files/nats-box/deployment/deployment.yaml new file mode 100644 index 000000000..bf39dd8d5 --- /dev/null +++ b/charts/nats/nats/1.2.5/files/nats-box/deployment/deployment.yaml @@ -0,0 +1,16 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + {{- include "nats.metadataNamespace" $ | nindent 2 }} + name: {{ .Values.natsBox.deployment.name }} + labels: + {{- include "natsBox.labels" $ | nindent 4 }} +spec: + selector: + matchLabels: + {{- include "natsBox.selectorLabels" $ | nindent 6 }} + replicas: 1 + template: + {{- with .Values.natsBox.podTemplate }} + {{ include "nats.loadMergePatch" (merge (dict "file" "nats-box/deployment/pod-template.yaml" "ctx" $) .) | nindent 4 }} + {{- end }} diff --git a/charts/nats/nats/1.2.5/files/nats-box/deployment/pod-template.yaml b/charts/nats/nats/1.2.5/files/nats-box/deployment/pod-template.yaml new file mode 100644 index 000000000..71056bfb6 --- /dev/null +++ b/charts/nats/nats/1.2.5/files/nats-box/deployment/pod-template.yaml @@ -0,0 +1,44 @@ +metadata: + labels: + {{- include "natsBox.labels" $ | nindent 4 }} +spec: + containers: + {{- with .Values.natsBox.container }} + - {{ include "nats.loadMergePatch" (merge (dict "file" "nats-box/deployment/container.yaml" "ctx" $) .) | nindent 4 }} + {{- end }} + + # service discovery uses DNS; don't need service env vars + enableServiceLinks: false + + {{- with .Values.global.image.pullSecretNames }} + imagePullSecrets: + {{- range . }} + - name: {{ . | quote }} + {{- end }} + {{- end }} + + {{- with .Values.natsBox.serviceAccount }} + {{- if .enabled }} + serviceAccountName: {{ .name | quote }} + {{- end }} + {{- end }} + + volumes: + # contexts secret + - name: contexts + secret: + secretName: {{ .Values.natsBox.contextsSecret.name }} + # contents secret + {{- if .hasContentsSecret }} + - name: contents + secret: + secretName: {{ .Values.natsBox.contentsSecret.name }} + {{- end }} + # tlsCA + {{- include "nats.tlsCAVolume" $ | nindent 2 }} + # secrets + {{- range (include "natsBox.secretNames" $ | fromJson).secretNames }} + - name: {{ .name | quote }} + secret: + secretName: {{ .secretName | quote }} + {{- end }} diff --git a/charts/nats/nats/1.2.5/files/nats-box/service-account.yaml b/charts/nats/nats/1.2.5/files/nats-box/service-account.yaml new file mode 100644 index 000000000..c31e52f18 --- /dev/null +++ b/charts/nats/nats/1.2.5/files/nats-box/service-account.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + {{- include "nats.metadataNamespace" $ | nindent 2 }} + name: {{ .Values.natsBox.serviceAccount.name }} + labels: + {{- include "natsBox.labels" $ | nindent 4 }} diff --git a/charts/nats/nats/1.2.5/files/pod-disruption-budget.yaml b/charts/nats/nats/1.2.5/files/pod-disruption-budget.yaml new file mode 100644 index 000000000..fd1fdead5 --- /dev/null +++ b/charts/nats/nats/1.2.5/files/pod-disruption-budget.yaml @@ -0,0 +1,12 @@ +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + {{- include "nats.metadataNamespace" $ | nindent 2 }} + name: {{ .Values.podDisruptionBudget.name }} + labels: + {{- include "nats.labels" $ | nindent 4 }} +spec: + maxUnavailable: 1 + selector: + matchLabels: + {{- include "nats.selectorLabels" $ | nindent 6 }} diff --git a/charts/nats/nats/1.2.5/files/pod-monitor.yaml b/charts/nats/nats/1.2.5/files/pod-monitor.yaml new file mode 100644 index 000000000..c6c8eae06 --- /dev/null +++ b/charts/nats/nats/1.2.5/files/pod-monitor.yaml @@ -0,0 +1,13 @@ +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + {{- include "nats.metadataNamespace" $ | nindent 2 }} + name: {{ .Values.promExporter.podMonitor.name }} + labels: + {{- include "nats.labels" $ | nindent 4 }} +spec: + selector: + matchLabels: + {{- include "nats.selectorLabels" $ | nindent 6 }} + podMetricsEndpoints: + - port: prom-metrics diff --git a/charts/nats/nats/1.2.5/files/service-account.yaml b/charts/nats/nats/1.2.5/files/service-account.yaml new file mode 100644 index 000000000..22c18cc70 --- /dev/null +++ b/charts/nats/nats/1.2.5/files/service-account.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + {{- include "nats.metadataNamespace" $ | nindent 2 }} + name: {{ .Values.serviceAccount.name }} + labels: + {{- include "nats.labels" $ | nindent 4 }} diff --git a/charts/nats/nats/1.2.5/files/service.yaml b/charts/nats/nats/1.2.5/files/service.yaml new file mode 100644 index 000000000..db08fe5b5 --- /dev/null +++ b/charts/nats/nats/1.2.5/files/service.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Service +metadata: + {{- include "nats.metadataNamespace" $ | nindent 2 }} + name: {{ .Values.service.name }} + labels: + {{- include "nats.labels" $ | nindent 4 }} +spec: + selector: + {{- include "nats.selectorLabels" $ | nindent 4 }} + ports: + {{- range $protocol := list "nats" "leafnodes" "websocket" "mqtt" "cluster" "gateway" "monitor" "profiling" }} + {{- $configProtocol := get $.Values.config $protocol }} + {{- $servicePort := get $.Values.service.ports $protocol }} + {{- if and (or (eq $protocol "nats") $configProtocol.enabled) $servicePort.enabled }} + {{- $tlsEnabled := false }} + {{- if hasKey $configProtocol "tls" }} + {{- $tlsEnabled = $configProtocol.tls.enabled }} + {{- end }} + {{- $appProtocol := or (eq $protocol "websocket") (eq $protocol "monitor") | ternary ($tlsEnabled | ternary "https" "http") ($tlsEnabled | ternary "tls" "tcp") }} + - {{ merge (dict "name" $protocol "targetPort" $protocol "appProtocol" $appProtocol) (omit $servicePort "enabled") (dict "port" $configProtocol.port) | toYaml | nindent 4 }} + {{- end }} + {{- end }} diff --git a/charts/nats/nats/1.2.5/files/stateful-set/jetstream-pvc.yaml b/charts/nats/nats/1.2.5/files/stateful-set/jetstream-pvc.yaml new file mode 100644 index 000000000..a43f20059 --- /dev/null +++ b/charts/nats/nats/1.2.5/files/stateful-set/jetstream-pvc.yaml @@ -0,0 +1,13 @@ +{{- with .Values.config.jetstream.fileStore.pvc }} +metadata: + name: {{ .name }} +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .size | quote }} + {{- with .storageClassName }} + storageClassName: {{ . | quote }} + {{- end }} +{{- end }} diff --git a/charts/nats/nats/1.2.5/files/stateful-set/nats-container.yaml b/charts/nats/nats/1.2.5/files/stateful-set/nats-container.yaml new file mode 100644 index 000000000..c5402efea --- /dev/null +++ b/charts/nats/nats/1.2.5/files/stateful-set/nats-container.yaml @@ -0,0 +1,106 @@ +name: nats +{{ include "nats.image" (merge (pick $.Values "global") .Values.container.image) }} + +ports: +{{- range $protocol := list "nats" "leafnodes" "websocket" "mqtt" "cluster" "gateway" "monitor" "profiling" }} +{{- $configProtocol := get $.Values.config $protocol }} +{{- $containerPort := get $.Values.container.ports $protocol }} +{{- if or (eq $protocol "nats") $configProtocol.enabled }} +- {{ merge (dict "name" $protocol "containerPort" $configProtocol.port) $containerPort | toYaml | nindent 2 }} +{{- end }} +{{- end }} + +args: +- --config +- /etc/nats-config/nats.conf + +env: +- name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name +- name: SERVER_NAME + value: {{ printf "%s$(POD_NAME)" .Values.config.serverNamePrefix | quote }} +{{- with .Values.container.env }} +{{- include "nats.env" . }} +{{- end }} + +lifecycle: + preStop: + exec: + # send the lame duck shutdown signal to trigger a graceful shutdown + command: + - nats-server + - -sl=ldm=/var/run/nats/nats.pid + +{{- with .Values.config.monitor }} +{{- if .enabled }} +startupProbe: + httpGet: + path: /healthz + port: monitor + {{- if .tls.enabled }} + scheme: HTTPS + {{- end}} + initialDelaySeconds: 10 + timeoutSeconds: 5 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 90 +readinessProbe: + httpGet: + path: /healthz?js-server-only=true + port: monitor + {{- if .tls.enabled }} + scheme: HTTPS + {{- end}} + initialDelaySeconds: 10 + timeoutSeconds: 5 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 3 +livenessProbe: + httpGet: + path: /healthz?js-enabled-only=true + port: monitor + {{- if .tls.enabled }} + scheme: HTTPS + {{- end}} + initialDelaySeconds: 10 + timeoutSeconds: 5 + periodSeconds: 30 + successThreshold: 1 + failureThreshold: 3 +{{- end }} +{{- end }} + +volumeMounts: +# nats config +- name: config + mountPath: /etc/nats-config +# PID volume +- name: pid + mountPath: /var/run/nats +# JetStream PVC +{{- with .Values.config.jetstream }} +{{- if and .enabled .fileStore.enabled .fileStore.pvc.enabled }} +{{- with .fileStore }} +- name: {{ .pvc.name }} + mountPath: {{ .dir | quote }} +{{- end }} +{{- end }} +{{- end }} +# resolver PVC +{{- with .Values.config.resolver }} +{{- if and .enabled .pvc.enabled }} +- name: {{ .pvc.name }} + mountPath: {{ .dir | quote }} +{{- end }} +{{- end }} +# tlsCA +{{- include "nats.tlsCAVolumeMount" $ }} +# secrets +{{- range (include "nats.secretNames" $ | fromJson).secretNames }} +- name: {{ .name | quote }} + mountPath: {{ .dir | quote }} +{{- end }} diff --git a/charts/nats/nats/1.2.5/files/stateful-set/pod-template.yaml b/charts/nats/nats/1.2.5/files/stateful-set/pod-template.yaml new file mode 100644 index 000000000..bb1d8d7be --- /dev/null +++ b/charts/nats/nats/1.2.5/files/stateful-set/pod-template.yaml @@ -0,0 +1,71 @@ +metadata: + labels: + {{- include "nats.labels" $ | nindent 4 }} + annotations: + {{- if .Values.podTemplate.configChecksumAnnotation }} + {{- $configMap := include "nats.loadMergePatch" (merge (dict "file" "config-map.yaml" "ctx" $) $.Values.configMap) }} + checksum/config: {{ sha256sum $configMap }} + {{- end }} +spec: + containers: + # nats + {{- $nats := dict }} + {{- with .Values.container }} + {{- $nats = include "nats.loadMergePatch" (merge (dict "file" "stateful-set/nats-container.yaml" "ctx" $) .) | fromYaml }} + - {{ toYaml $nats | nindent 4 }} + {{- end }} + # reloader + {{- with .Values.reloader }} + {{- if .enabled }} + - {{ include "nats.loadMergePatch" (merge (dict "file" "stateful-set/reloader-container.yaml" "ctx" (merge (dict "natsVolumeMounts" $nats.volumeMounts) $)) .) | nindent 4 }} + {{- end }} + {{- end }} + {{- with .Values.promExporter }} + {{- if .enabled }} + - {{ include "nats.loadMergePatch" (merge (dict "file" "stateful-set/prom-exporter-container.yaml" "ctx" $) .) | nindent 4 }} + {{- end }} + {{- end }} + + # service discovery uses DNS; don't need service env vars + enableServiceLinks: false + + {{- with .Values.global.image.pullSecretNames }} + imagePullSecrets: + {{- range . }} + - name: {{ . | quote }} + {{- end }} + {{- end }} + + {{- with .Values.serviceAccount }} + {{- if .enabled }} + serviceAccountName: {{ .name | quote }} + {{- end }} + {{- end }} + + {{- if .Values.reloader.enabled }} + shareProcessNamespace: true + {{- end }} + + volumes: + # nats config + - name: config + configMap: + name: {{ .Values.configMap.name }} + # PID volume + - name: pid + emptyDir: {} + # tlsCA + {{- include "nats.tlsCAVolume" $ | nindent 2 }} + # secrets + {{- range (include "nats.secretNames" $ | fromJson).secretNames }} + - name: {{ .name | quote }} + secret: + secretName: {{ .secretName | quote }} + {{- end }} + + {{- with .Values.podTemplate.topologySpreadConstraints }} + topologySpreadConstraints: + {{- range $k, $v := . }} + - {{ merge (dict "topologyKey" $k "labelSelector" (dict "matchLabels" (include "nats.selectorLabels" $ | fromYaml))) $v | toYaml | nindent 4 }} + {{- end }} + {{- end}} diff --git a/charts/nats/nats/1.2.5/files/stateful-set/prom-exporter-container.yaml b/charts/nats/nats/1.2.5/files/stateful-set/prom-exporter-container.yaml new file mode 100644 index 000000000..c3e1b6fbe --- /dev/null +++ b/charts/nats/nats/1.2.5/files/stateful-set/prom-exporter-container.yaml @@ -0,0 +1,30 @@ +name: prom-exporter +{{ include "nats.image" (merge (pick $.Values "global") .Values.promExporter.image) }} + +ports: +- name: prom-metrics + containerPort: {{ .Values.promExporter.port }} + +{{- with .Values.promExporter.env }} +env: +{{- include "nats.env" . }} +{{- end }} + +args: +- -port={{ .Values.promExporter.port }} +- -connz +- -routez +- -subz +- -varz +- -prefix=nats +- -use_internal_server_id +{{- if .Values.config.jetstream.enabled }} +- -jsz=all +{{- end }} +{{- if .Values.config.leafnodes.enabled }} +- -leafz +{{- end }} +{{- if .Values.config.gateway.enabled }} +- -gatewayz +{{- end }} +- http://localhost:{{ .Values.config.monitor.port }}/ diff --git a/charts/nats/nats/1.2.5/files/stateful-set/reloader-container.yaml b/charts/nats/nats/1.2.5/files/stateful-set/reloader-container.yaml new file mode 100644 index 000000000..96722045f --- /dev/null +++ b/charts/nats/nats/1.2.5/files/stateful-set/reloader-container.yaml @@ -0,0 +1,27 @@ +name: reloader +{{ include "nats.image" (merge (pick $.Values "global") .Values.reloader.image) }} + +{{- with .Values.reloader.env }} +env: +{{- include "nats.env" . }} +{{- end }} + +args: +- -pid +- /var/run/nats/nats.pid +- -config +- /etc/nats-config/nats.conf +{{ include "nats.reloaderConfig" (dict "config" .config "dir" "/etc/nats-config") }} + +volumeMounts: +- name: pid + mountPath: /var/run/nats +{{- range $mnt := .natsVolumeMounts }} +{{- $found := false }} +{{- range $.Values.reloader.natsVolumeMountPrefixes }} +{{- if and (not $found) (hasPrefix . $mnt.mountPath) }} +{{- $found = true }} +- {{ toYaml $mnt | nindent 2}} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/nats/nats/1.2.5/files/stateful-set/resolver-pvc.yaml b/charts/nats/nats/1.2.5/files/stateful-set/resolver-pvc.yaml new file mode 100644 index 000000000..3634cd826 --- /dev/null +++ b/charts/nats/nats/1.2.5/files/stateful-set/resolver-pvc.yaml @@ -0,0 +1,13 @@ +{{- with .Values.config.resolver.pvc }} +metadata: + name: {{ .name }} +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .size | quote }} + {{- with .storageClassName }} + storageClassName: {{ . | quote }} + {{- end }} +{{- end }} diff --git a/charts/nats/nats/1.2.5/files/stateful-set/stateful-set.yaml b/charts/nats/nats/1.2.5/files/stateful-set/stateful-set.yaml new file mode 100644 index 000000000..cd8082cbb --- /dev/null +++ b/charts/nats/nats/1.2.5/files/stateful-set/stateful-set.yaml @@ -0,0 +1,37 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + {{- include "nats.metadataNamespace" $ | nindent 2 }} + name: {{ .Values.statefulSet.name }} + labels: + {{- include "nats.labels" $ | nindent 4 }} +spec: + selector: + matchLabels: + {{- include "nats.selectorLabels" $ | nindent 6 }} + {{- if .Values.config.cluster.enabled }} + replicas: {{ .Values.config.cluster.replicas }} + {{- else }} + replicas: 1 + {{- end }} + serviceName: {{ .Values.headlessService.name }} + podManagementPolicy: Parallel + template: + {{- with .Values.podTemplate }} + {{ include "nats.loadMergePatch" (merge (dict "file" "stateful-set/pod-template.yaml" "ctx" $) .) | nindent 4 }} + {{- end }} + volumeClaimTemplates: + {{- with .Values.config.jetstream }} + {{- if and .enabled .fileStore.enabled .fileStore.pvc.enabled }} + {{- with .fileStore.pvc }} + - {{ include "nats.loadMergePatch" (merge (dict "file" "stateful-set/jetstream-pvc.yaml" "ctx" $) .) | nindent 4 }} + {{- end }} + {{- end }} + {{- end }} + {{- with .Values.config.resolver }} + {{- if and .enabled .pvc.enabled }} + {{- with .pvc }} + - {{ include "nats.loadMergePatch" (merge (dict "file" "stateful-set/resolver-pvc.yaml" "ctx" $) .) | nindent 4 }} + {{- end }} + {{- end }} + {{- end }} diff --git a/charts/nats/nats/1.2.5/questions.yaml b/charts/nats/nats/1.2.5/questions.yaml new file mode 100644 index 000000000..a476e440d --- /dev/null +++ b/charts/nats/nats/1.2.5/questions.yaml @@ -0,0 +1,12 @@ +questions: +- variable: cluster.enabled + default: false + type: boolean + label: Enable Cluster + group: "Cluster Settings" + show_subquestion_if: "true" + subquestions: + - variable: cluster.replicas + default: 3 + type: int + label: Replicas diff --git a/charts/nats/nats/1.2.5/templates/_helpers.tpl b/charts/nats/nats/1.2.5/templates/_helpers.tpl new file mode 100644 index 000000000..ba831397d --- /dev/null +++ b/charts/nats/nats/1.2.5/templates/_helpers.tpl @@ -0,0 +1,281 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "nats.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "nats.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "nats.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Print the namespace +*/}} +{{- define "nats.namespace" -}} +{{- default .Release.Namespace .Values.namespaceOverride }} +{{- end }} + +{{/* +Print the namespace for the metadata section +*/}} +{{- define "nats.metadataNamespace" -}} +{{- with .Values.namespaceOverride }} +namespace: {{ . | quote }} +{{- end }} +{{- end }} + +{{/* +Set default values. +*/}} +{{- define "nats.defaultValues" }} +{{- if not .defaultValuesSet }} + {{- $name := include "nats.fullname" . }} + {{- with .Values }} + {{- $_ := set .config.jetstream.fileStore.pvc "name" (.config.jetstream.fileStore.pvc.name | default (printf "%s-js" $name)) }} + {{- $_ := set .config.resolver.pvc "name" (.config.resolver.pvc.name | default (printf "%s-resolver" $name)) }} + {{- $_ := set .config.websocket.ingress "name" (.config.websocket.ingress.name | default (printf "%s-ws" $name)) }} + {{- $_ := set .configMap "name" (.configMap.name | default (printf "%s-config" $name)) }} + {{- $_ := set .headlessService "name" (.headlessService.name | default (printf "%s-headless" $name)) }} + {{- $_ := set .natsBox.contentsSecret "name" (.natsBox.contentsSecret.name | default (printf "%s-box-contents" $name)) }} + {{- $_ := set .natsBox.contextsSecret "name" (.natsBox.contextsSecret.name | default (printf "%s-box-contexts" $name)) }} + {{- $_ := set .natsBox.deployment "name" (.natsBox.deployment.name | default (printf "%s-box" $name)) }} + {{- $_ := set .natsBox.serviceAccount "name" (.natsBox.serviceAccount.name | default (printf "%s-box" $name)) }} + {{- $_ := set .podDisruptionBudget "name" (.podDisruptionBudget.name | default $name) }} + {{- $_ := set .service "name" (.service.name | default $name) }} + {{- $_ := set .serviceAccount "name" (.serviceAccount.name | default $name) }} + {{- $_ := set .statefulSet "name" (.statefulSet.name | default $name) }} + {{- $_ := set .promExporter.podMonitor "name" (.promExporter.podMonitor.name | default $name) }} + {{- end }} + + {{- $values := get (include "tplYaml" (dict "doc" .Values "ctx" $) | fromJson) "doc" }} + {{- $_ := set . "Values" $values }} + + {{- $hasContentsSecret := false }} + {{- range $ctxKey, $ctxVal := .Values.natsBox.contexts }} + {{- range $secretKey, $secretVal := dict "creds" "nats-creds" "nkey" "nats-nkeys" "tls" "nats-certs" }} + {{- $secret := get $ctxVal $secretKey }} + {{- if $secret }} + {{- $_ := set $secret "dir" ($secret.dir | default (printf "/etc/%s/%s" $secretVal $ctxKey)) }} + {{- if and (ne $secretKey "tls") $secret.contents }} + {{- $hasContentsSecret = true }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- $_ := set $ "hasContentsSecret" $hasContentsSecret }} + + {{- with .Values.config }} + {{- $config := include "nats.loadMergePatch" (merge (dict "file" "config/config.yaml" "ctx" $) .) | fromYaml }} + {{- $_ := set $ "config" $config }} + {{- end }} + + {{- $_ := set . "defaultValuesSet" true }} +{{- end }} +{{- end }} + +{{/* +NATS labels +*/}} +{{- define "nats.labels" -}} +{{- with .Values.global.labels -}} +{{ toYaml . }} +{{ end -}} +helm.sh/chart: {{ include "nats.chart" . }} +{{ include "nats.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +NATS selector labels +*/}} +{{- define "nats.selectorLabels" -}} +app.kubernetes.io/name: {{ include "nats.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/component: nats +{{- end }} + +{{/* +NATS Box labels +*/}} +{{- define "natsBox.labels" -}} +{{- with .Values.global.labels -}} +{{ toYaml . }} +{{ end -}} +helm.sh/chart: {{ include "nats.chart" . }} +{{ include "natsBox.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +NATS Box selector labels +*/}} +{{- define "natsBox.selectorLabels" -}} +app.kubernetes.io/name: {{ include "nats.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/component: nats-box +{{- end }} + +{{/* +Print the image +*/}} +{{- define "nats.image" }} +{{- $image := printf "%s:%s" .repository .tag }} +{{- if or .registry .global.image.registry }} +{{- $image = printf "%s/%s" (.registry | default .global.image.registry) $image }} +{{- end -}} +image: {{ $image }} +{{- if or .pullPolicy .global.image.pullPolicy }} +imagePullPolicy: {{ .pullPolicy | default .global.image.pullPolicy }} +{{- end }} +{{- end }} + +{{- define "nats.secretNames" -}} +{{- $secrets := list }} +{{- range $protocol := list "nats" "leafnodes" "websocket" "mqtt" "cluster" "gateway" }} + {{- $configProtocol := get $.Values.config $protocol }} + {{- if and (or (eq $protocol "nats") $configProtocol.enabled) $configProtocol.tls.enabled $configProtocol.tls.secretName }} + {{- $secrets = append $secrets (merge (dict "name" (printf "%s-tls" $protocol)) $configProtocol.tls) }} + {{- end }} +{{- end }} +{{- toJson (dict "secretNames" $secrets) }} +{{- end }} + +{{- define "natsBox.secretNames" -}} +{{- $secrets := list }} +{{- range $ctxKey, $ctxVal := .Values.natsBox.contexts }} +{{- range $secretKey, $secretVal := dict "creds" "nats-creds" "nkey" "nats-nkeys" "tls" "nats-certs" }} + {{- $secret := get $ctxVal $secretKey }} + {{- if and $secret $secret.secretName }} + {{- $secrets = append $secrets (merge (dict "name" (printf "ctx-%s-%s" $ctxKey $secretKey)) $secret) }} + {{- end }} + {{- end }} +{{- end }} +{{- toJson (dict "secretNames" $secrets) }} +{{- end }} + +{{- define "nats.tlsCAVolume" -}} +{{- with .Values.tlsCA }} +{{- if and .enabled (or .configMapName .secretName) }} +- name: tls-ca +{{- if .configMapName }} + configMap: + name: {{ .configMapName | quote }} +{{- else if .secretName }} + secret: + secretName: {{ .secretName | quote }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} + +{{- define "nats.tlsCAVolumeMount" -}} +{{- with .Values.tlsCA }} +{{- if and .enabled (or .configMapName .secretName) }} +- name: tls-ca + mountPath: {{ .dir | quote }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +translates env var map to list +*/}} +{{- define "nats.env" -}} +{{- range $k, $v := . }} +{{- if kindIs "string" $v }} +- name: {{ $k | quote }} + value: {{ $v | quote }} +{{- else if kindIs "map" $v }} +- {{ merge (dict "name" $k) $v | toYaml | nindent 2 }} +{{- else }} +{{- fail (cat "env var" $k "must be string or map, got" (kindOf $v)) }} +{{- end }} +{{- end }} +{{- end }} + +{{- /* +nats.loadMergePatch +input: map with 4 keys: +- file: name of file to load +- ctx: context to pass to tpl +- merge: interface{} to merge +- patch: []interface{} valid JSON Patch document +output: JSON encoded map with 1 key: +- doc: interface{} patched json result +*/}} +{{- define "nats.loadMergePatch" -}} +{{- $doc := tpl (.ctx.Files.Get (printf "files/%s" .file)) .ctx | fromYaml | default dict -}} +{{- $doc = mergeOverwrite $doc (deepCopy (.merge | default dict)) -}} +{{- get (include "jsonpatch" (dict "doc" $doc "patch" (.patch | default list)) | fromJson ) "doc" | toYaml -}} +{{- end }} + + +{{- /* +nats.reloaderConfig +input: map with 2 keys: +- config: interface{} nats config +- dir: dir config file is in +output: YAML list of reloader config files +*/}} +{{- define "nats.reloaderConfig" -}} + {{- $dir := trimSuffix "/" .dir -}} + {{- with .config -}} + {{- if kindIs "map" . -}} + {{- range $k, $v := . -}} + {{- if or (eq $k "cert_file") (eq $k "key_file") (eq $k "ca_file") }} +- -config +- {{ $v }} + {{- else if hasSuffix "$include" $k }} +- -config +- {{ clean (printf "%s/%s" $dir $v) }} + {{- else }} + {{- include "nats.reloaderConfig" (dict "config" $v "dir" $dir) }} + {{- end -}} + {{- end -}} + {{- end -}} + {{- end -}} +{{- end -}} + + +{{- /* +nats.formatConfig +input: map[string]interface{} +output: string with following format rules +1. keys ending in $natsRaw are unquoted +2. keys ending in $natsInclude are converted to include directives +*/}} +{{- define "nats.formatConfig" -}} + {{- + (regexReplaceAll "\"<<\\s+(.*)\\s+>>\"" + (regexReplaceAll "\".*\\$include\": \"(.*)\",?" (include "toPrettyRawJson" .) "include ${1};") + "${1}") + -}} +{{- end -}} diff --git a/charts/nats/nats/1.2.5/templates/_jsonpatch.tpl b/charts/nats/nats/1.2.5/templates/_jsonpatch.tpl new file mode 100644 index 000000000..cd42c3bbc --- /dev/null +++ b/charts/nats/nats/1.2.5/templates/_jsonpatch.tpl @@ -0,0 +1,219 @@ +{{- /* +jsonpatch +input: map with 2 keys: +- doc: interface{} valid JSON document +- patch: []interface{} valid JSON Patch document +output: JSON encoded map with 1 key: +- doc: interface{} patched json result +*/}} +{{- define "jsonpatch" -}} + {{- $params := fromJson (toJson .) -}} + {{- $patches := $params.patch -}} + {{- $docContainer := pick $params "doc" -}} + + {{- range $patch := $patches -}} + {{- if not (hasKey $patch "op") -}} + {{- fail "patch is missing op key" -}} + {{- end -}} + {{- if and (ne $patch.op "add") (ne $patch.op "remove") (ne $patch.op "replace") (ne $patch.op "copy") (ne $patch.op "move") (ne $patch.op "test") -}} + {{- fail (cat "patch has invalid op" $patch.op) -}} + {{- end -}} + {{- if not (hasKey $patch "path") -}} + {{- fail "patch is missing path key" -}} + {{- end -}} + {{- if and (or (eq $patch.op "add") (eq $patch.op "replace") (eq $patch.op "test")) (not (hasKey $patch "value")) -}} + {{- fail (cat "patch with op" $patch.op "is missing value key") -}} + {{- end -}} + {{- if and (or (eq $patch.op "copy") (eq $patch.op "move")) (not (hasKey $patch "from")) -}} + {{- fail (cat "patch with op" $patch.op "is missing from key") -}} + {{- end -}} + + {{- $opPathKeys := list "path" -}} + {{- if or (eq $patch.op "copy") (eq $patch.op "move") -}} + {{- $opPathKeys = append $opPathKeys "from" -}} + {{- end -}} + {{- $reSlice := list -}} + + {{- range $opPathKey := $opPathKeys -}} + {{- $obj := $docContainer -}} + {{- if and (eq $patch.op "copy") (eq $opPathKey "from") -}} + {{- $obj = (fromJson (toJson $docContainer)) -}} + {{- end -}} + {{- $key := "doc" -}} + {{- $lastMap := dict "root" $obj -}} + {{- $lastKey := "root" -}} + {{- $paths := (splitList "/" (get $patch $opPathKey)) -}} + {{- $firstPath := index $paths 0 -}} + {{- if ne (index $paths 0) "" -}} + {{- fail (cat "invalid" $opPathKey (get $patch $opPathKey) "must be empty string or start with /") -}} + {{- end -}} + {{- $paths = slice $paths 1 -}} + + {{- range $path := $paths -}} + {{- $path = replace "~1" "/" $path -}} + {{- $path = replace "~0" "~" $path -}} + + {{- if kindIs "slice" $obj -}} + {{- $mapObj := dict -}} + {{- range $i, $v := $obj -}} + {{- $_ := set $mapObj (toString $i) $v -}} + {{- end -}} + {{- $obj = $mapObj -}} + {{- $_ := set $lastMap $lastKey $obj -}} + {{- $reSlice = prepend $reSlice (dict "lastMap" $lastMap "lastKey" $lastKey "mapObj" $obj) -}} + {{- end -}} + + {{- if kindIs "map" $obj -}} + {{- if not (hasKey $obj $key) -}} + {{- fail (cat "key" $key "does not exist") -}} + {{- end -}} + {{- $lastKey = $key -}} + {{- $lastMap = $obj -}} + {{- $obj = index $obj $key -}} + {{- $key = $path -}} + {{- else -}} + {{- fail (cat "cannot iterate into path" $key "on type" (kindOf $obj)) -}} + {{- end -}} + {{- end -}} + + {{- $_ := set $patch (printf "%sKey" $opPathKey) $key -}} + {{- $_ := set $patch (printf "%sLastKey" $opPathKey) $lastKey -}} + {{- $_ = set $patch (printf "%sLastMap" $opPathKey) $lastMap -}} + {{- end -}} + + {{- if eq $patch.op "move" }} + {{- if and (ne $patch.path $patch.from) (hasPrefix (printf "%s/" $patch.path) (printf "%s/" $patch.from)) -}} + {{- fail (cat "from" $patch.from "may not be a child of path" $patch.path) -}} + {{- end -}} + {{- end -}} + + {{- if or (eq $patch.op "move") (eq $patch.op "copy") (eq $patch.op "test") }} + {{- $key := $patch.fromKey -}} + {{- $lastMap := $patch.fromLastMap -}} + {{- $lastKey := $patch.fromLastKey -}} + {{- $setKey := "value" -}} + {{- if eq $patch.op "test" }} + {{- $key = $patch.pathKey -}} + {{- $lastMap = $patch.pathLastMap -}} + {{- $lastKey = $patch.pathLastKey -}} + {{- $setKey = "testValue" -}} + {{- end -}} + {{- $obj := index $lastMap $lastKey -}} + + {{- if kindIs "map" $obj -}} + {{- if not (hasKey $obj $key) -}} + {{- fail (cat $key "does not exist") -}} + {{- end -}} + {{- $_ := set $patch $setKey (index $obj $key) -}} + + {{- else if kindIs "slice" $obj -}} + {{- $i := atoi $key -}} + {{- if ne $key (toString $i) -}} + {{- fail (cat "cannot convert" $key "to int") -}} + {{- end -}} + {{- if lt $i 0 -}} + {{- fail "slice index <0" -}} + {{- else if lt $i (len $obj) -}} + {{- $_ := set $patch $setKey (index $obj $i) -}} + {{- else -}} + {{- fail "slice index >= slice length" -}} + {{- end -}} + + {{- else -}} + {{- fail (cat "cannot" $patch.op $key "on type" (kindOf $obj)) -}} + {{- end -}} + {{- end -}} + + {{- if or (eq $patch.op "remove") (eq $patch.op "replace") (eq $patch.op "move") }} + {{- $key := $patch.pathKey -}} + {{- $lastMap := $patch.pathLastMap -}} + {{- $lastKey := $patch.pathLastKey -}} + {{- if eq $patch.op "move" }} + {{- $key = $patch.fromKey -}} + {{- $lastMap = $patch.fromLastMap -}} + {{- $lastKey = $patch.fromLastKey -}} + {{- end -}} + {{- $obj := index $lastMap $lastKey -}} + + {{- if kindIs "map" $obj -}} + {{- if not (hasKey $obj $key) -}} + {{- fail (cat $key "does not exist") -}} + {{- end -}} + {{- $_ := unset $obj $key -}} + + {{- else if kindIs "slice" $obj -}} + {{- $i := atoi $key -}} + {{- if ne $key (toString $i) -}} + {{- fail (cat "cannot convert" $key "to int") -}} + {{- end -}} + {{- if lt $i 0 -}} + {{- fail "slice index <0" -}} + {{- else if eq $i 0 -}} + {{- $_ := set $lastMap $lastKey (slice $obj 1) -}} + {{- else if lt $i (sub (len $obj) 1) -}} + {{- $_ := set $lastMap $lastKey (concat (slice $obj 0 $i) (slice $obj (add $i 1) (len $obj))) -}} + {{- else if eq $i (sub (len $obj) 1) -}} + {{- $_ := set $lastMap $lastKey (slice $obj 0 (sub (len $obj) 1)) -}} + {{- else -}} + {{- fail "slice index >= slice length" -}} + {{- end -}} + + {{- else -}} + {{- fail (cat "cannot" $patch.op $key "on type" (kindOf $obj)) -}} + {{- end -}} + {{- end -}} + + {{- if or (eq $patch.op "add") (eq $patch.op "replace") (eq $patch.op "move") (eq $patch.op "copy") }} + {{- $key := $patch.pathKey -}} + {{- $lastMap := $patch.pathLastMap -}} + {{- $lastKey := $patch.pathLastKey -}} + {{- $value := $patch.value -}} + {{- $obj := index $lastMap $lastKey -}} + + {{- if kindIs "map" $obj -}} + {{- $_ := set $obj $key $value -}} + + {{- else if kindIs "slice" $obj -}} + {{- $i := 0 -}} + {{- if eq $key "-" -}} + {{- $i = len $obj -}} + {{- else -}} + {{- $i = atoi $key -}} + {{- if ne $key (toString $i) -}} + {{- fail (cat "cannot convert" $key "to int") -}} + {{- end -}} + {{- end -}} + {{- if lt $i 0 -}} + {{- fail "slice index <0" -}} + {{- else if eq $i 0 -}} + {{- $_ := set $lastMap $lastKey (prepend $obj $value) -}} + {{- else if lt $i (len $obj) -}} + {{- $_ := set $lastMap $lastKey (concat (append (slice $obj 0 $i) $value) (slice $obj $i)) -}} + {{- else if eq $i (len $obj) -}} + {{- $_ := set $lastMap $lastKey (append $obj $value) -}} + {{- else -}} + {{- fail "slice index > slice length" -}} + {{- end -}} + + {{- else -}} + {{- fail (cat "cannot" $patch.op $key "on type" (kindOf $obj)) -}} + {{- end -}} + {{- end -}} + + {{- if eq $patch.op "test" }} + {{- if not (deepEqual $patch.value $patch.testValue) }} + {{- fail (cat "test failed, expected" (toJson $patch.value) "but got" (toJson $patch.testValue)) -}} + {{- end -}} + {{- end -}} + + {{- range $reSliceOp := $reSlice -}} + {{- $sliceObj := list -}} + {{- range $i := until (len $reSliceOp.mapObj) -}} + {{- $sliceObj = append $sliceObj (index $reSliceOp.mapObj (toString $i)) -}} + {{- end -}} + {{- $_ := set $reSliceOp.lastMap $reSliceOp.lastKey $sliceObj -}} + {{- end -}} + + {{- end -}} + {{- toJson $docContainer -}} +{{- end -}} diff --git a/charts/nats/nats/1.2.5/templates/_toPrettyRawJson.tpl b/charts/nats/nats/1.2.5/templates/_toPrettyRawJson.tpl new file mode 100644 index 000000000..612a62f9c --- /dev/null +++ b/charts/nats/nats/1.2.5/templates/_toPrettyRawJson.tpl @@ -0,0 +1,28 @@ +{{- /* +toPrettyRawJson +input: interface{} valid JSON document +output: pretty raw JSON string +*/}} +{{- define "toPrettyRawJson" -}} + {{- include "toPrettyRawJsonStr" (toPrettyJson .) -}} +{{- end -}} + +{{- /* +toPrettyRawJsonStr +input: pretty JSON string +output: pretty raw JSON string +*/}} +{{- define "toPrettyRawJsonStr" -}} + {{- $s := + (regexReplaceAll "([^\\\\](?:\\\\\\\\)*)\\\\u003e" + (regexReplaceAll "([^\\\\](?:\\\\\\\\)*)\\\\u003c" + (regexReplaceAll "([^\\\\](?:\\\\\\\\)*)\\\\u0026" . "${1}&") + "${1}<") + "${1}>") + -}} + {{- if regexMatch "([^\\\\](?:\\\\\\\\)*)\\\\u00(26|3c|3e)" $s -}} + {{- include "toPrettyRawJsonStr" $s -}} + {{- else -}} + {{- $s -}} + {{- end -}} +{{- end -}} diff --git a/charts/nats/nats/1.2.5/templates/_tplYaml.tpl b/charts/nats/nats/1.2.5/templates/_tplYaml.tpl new file mode 100644 index 000000000..f42b9c168 --- /dev/null +++ b/charts/nats/nats/1.2.5/templates/_tplYaml.tpl @@ -0,0 +1,114 @@ +{{- /* +tplYaml +input: map with 2 keys: +- doc: interface{} +- ctx: context to pass to tpl function +output: JSON encoded map with 1 key: +- doc: interface{} with any keys called tpl or tplSpread values templated and replaced + +maps matching the following syntax will be templated and parsed as YAML +{ + $tplYaml: string +} + +maps matching the follow syntax will be templated, parsed as YAML, and spread into the parent map/slice +{ + $tplYamlSpread: string +} +*/}} +{{- define "tplYaml" -}} + {{- $patch := get (include "tplYamlItr" (dict "ctx" .ctx "parentKind" "" "parentPath" "" "path" "/" "value" .doc) | fromJson) "patch" -}} + {{- include "jsonpatch" (dict "doc" .doc "patch" $patch) -}} +{{- end -}} + +{{- /* +tplYamlItr +input: map with 4 keys: +- path: string JSONPath to current element +- parentKind: string kind of parent element +- parentPath: string JSONPath to parent element +- value: interface{} +- ctx: context to pass to tpl function +output: JSON encoded map with 1 key: +- patch: list of patches to apply in order to template +*/}} +{{- define "tplYamlItr" -}} + {{- $params := . -}} + {{- $kind := kindOf $params.value -}} + {{- $patch := list -}} + {{- $joinPath := $params.path -}} + {{- if eq $params.path "/" -}} + {{- $joinPath = "" -}} + {{- end -}} + {{- $joinParentPath := $params.parentPath -}} + {{- if eq $params.parentPath "/" -}} + {{- $joinParentPath = "" -}} + {{- end -}} + + {{- if eq $kind "slice" -}} + {{- $iAdj := 0 -}} + {{- range $i, $v := $params.value -}} + {{- $iPath := printf "%s/%d" $joinPath (add $i $iAdj) -}} + {{- $itrPatch := get (include "tplYamlItr" (dict "ctx" $params.ctx "parentKind" $kind "parentPath" $params.path "path" $iPath "value" $v) | fromJson) "patch" -}} + {{- $itrLen := len $itrPatch -}} + {{- if gt $itrLen 0 -}} + {{- $patch = concat $patch $itrPatch -}} + {{- if eq (get (index $itrPatch 0) "op") "remove" -}} + {{- $iAdj = add $iAdj (sub $itrLen 2) -}} + {{- end -}} + {{- end -}} + {{- end -}} + + {{- else if eq $kind "map" -}} + {{- if and (eq (len $params.value) 1) (or (hasKey $params.value "$tplYaml") (hasKey $params.value "$tplYamlSpread")) -}} + {{- $tpl := get $params.value "$tplYaml" -}} + {{- $spread := false -}} + {{- if hasKey $params.value "$tplYamlSpread" -}} + {{- if eq $params.path "/" -}} + {{- fail "cannot $tplYamlSpread on root object" -}} + {{- end -}} + {{- $tpl = get $params.value "$tplYamlSpread" -}} + {{- $spread = true -}} + {{- end -}} + + {{- $res := tpl $tpl $params.ctx -}} + {{- $res = get (fromYaml (tpl "tpl: {{ nindent 2 .res }}" (merge (dict "res" $res) $params.ctx))) "tpl" -}} + + {{- if eq $spread false -}} + {{- $patch = append $patch (dict "op" "replace" "path" $params.path "value" $res) -}} + {{- else -}} + {{- $resKind := kindOf $res -}} + {{- if and (ne $resKind "invalid") (ne $resKind $params.parentKind) -}} + {{- fail (cat "can only $tplYamlSpread slice onto a slice or map onto a map; attempted to spread" $resKind "on" $params.parentKind "at path" $params.path) -}} + {{- end -}} + {{- $patch = append $patch (dict "op" "remove" "path" $params.path) -}} + {{- if eq $resKind "invalid" -}} + {{- /* no-op */ -}} + {{- else if eq $resKind "slice" -}} + {{- range $v := reverse $res -}} + {{- $patch = append $patch (dict "op" "add" "path" $params.path "value" $v) -}} + {{- end -}} + {{- else -}} + {{- range $k, $v := $res -}} + {{- $kPath := replace "~" "~0" $k -}} + {{- $kPath = replace "/" "~1" $kPath -}} + {{- $kPath = printf "%s/%s" $joinParentPath $kPath -}} + {{- $patch = append $patch (dict "op" "add" "path" $kPath "value" $v) -}} + {{- end -}} + {{- end -}} + {{- end -}} + {{- else -}} + {{- range $k, $v := $params.value -}} + {{- $kPath := replace "~" "~0" $k -}} + {{- $kPath = replace "/" "~1" $kPath -}} + {{- $kPath = printf "%s/%s" $joinPath $kPath -}} + {{- $itrPatch := get (include "tplYamlItr" (dict "ctx" $params.ctx "parentKind" $kind "parentPath" $params.path "path" $kPath "value" $v) | fromJson) "patch" -}} + {{- if gt (len $itrPatch) 0 -}} + {{- $patch = concat $patch $itrPatch -}} + {{- end -}} + {{- end -}} + {{- end -}} + {{- end -}} + + {{- toJson (dict "patch" $patch) -}} +{{- end -}} diff --git a/charts/nats/nats/1.2.5/templates/config-map.yaml b/charts/nats/nats/1.2.5/templates/config-map.yaml new file mode 100644 index 000000000..b95afda20 --- /dev/null +++ b/charts/nats/nats/1.2.5/templates/config-map.yaml @@ -0,0 +1,4 @@ +{{- include "nats.defaultValues" . }} +{{- with .Values.configMap }} +{{- include "nats.loadMergePatch" (merge (dict "file" "config-map.yaml" "ctx" $) .) }} +{{- end }} diff --git a/charts/nats/nats/1.2.5/templates/extra-resources.yaml b/charts/nats/nats/1.2.5/templates/extra-resources.yaml new file mode 100644 index 000000000..c11f0085e --- /dev/null +++ b/charts/nats/nats/1.2.5/templates/extra-resources.yaml @@ -0,0 +1,5 @@ +{{- include "nats.defaultValues" . }} +{{- range .Values.extraResources }} +--- +{{ . | toYaml }} +{{- end }} diff --git a/charts/nats/nats/1.2.5/templates/headless-service.yaml b/charts/nats/nats/1.2.5/templates/headless-service.yaml new file mode 100644 index 000000000..f11a83d13 --- /dev/null +++ b/charts/nats/nats/1.2.5/templates/headless-service.yaml @@ -0,0 +1,4 @@ +{{- include "nats.defaultValues" . }} +{{- with .Values.headlessService }} +{{- include "nats.loadMergePatch" (merge (dict "file" "headless-service.yaml" "ctx" $) .) }} +{{- end }} diff --git a/charts/nats/nats/1.2.5/templates/ingress.yaml b/charts/nats/nats/1.2.5/templates/ingress.yaml new file mode 100644 index 000000000..eccd73ffd --- /dev/null +++ b/charts/nats/nats/1.2.5/templates/ingress.yaml @@ -0,0 +1,6 @@ +{{- include "nats.defaultValues" . }} +{{- with .Values.config.websocket.ingress }} +{{- if and .enabled .hosts $.Values.config.websocket.enabled $.Values.service.enabled $.Values.service.ports.websocket.enabled }} +{{- include "nats.loadMergePatch" (merge (dict "file" "ingress.yaml" "ctx" $) .) }} +{{- end }} +{{- end }} diff --git a/charts/nats/nats/1.2.5/templates/nats-box/contents-secret.yaml b/charts/nats/nats/1.2.5/templates/nats-box/contents-secret.yaml new file mode 100644 index 000000000..db629bf7b --- /dev/null +++ b/charts/nats/nats/1.2.5/templates/nats-box/contents-secret.yaml @@ -0,0 +1,10 @@ +{{- include "nats.defaultValues" . }} +{{- if .hasContentsSecret }} +{{- with .Values.natsBox }} +{{- if .enabled }} +{{- with .contentsSecret}} +{{- include "nats.loadMergePatch" (merge (dict "file" "nats-box/contents-secret.yaml" "ctx" $) .) }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/nats/nats/1.2.5/templates/nats-box/contexts-secret.yaml b/charts/nats/nats/1.2.5/templates/nats-box/contexts-secret.yaml new file mode 100644 index 000000000..5ae20f45a --- /dev/null +++ b/charts/nats/nats/1.2.5/templates/nats-box/contexts-secret.yaml @@ -0,0 +1,8 @@ +{{- include "nats.defaultValues" . }} +{{- with .Values.natsBox }} +{{- if .enabled }} +{{- with .contextsSecret}} +{{- include "nats.loadMergePatch" (merge (dict "file" "nats-box/contexts-secret/contexts-secret.yaml" "ctx" $) .) }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/nats/nats/1.2.5/templates/nats-box/deployment.yaml b/charts/nats/nats/1.2.5/templates/nats-box/deployment.yaml new file mode 100644 index 000000000..a063332a2 --- /dev/null +++ b/charts/nats/nats/1.2.5/templates/nats-box/deployment.yaml @@ -0,0 +1,8 @@ +{{- include "nats.defaultValues" . }} +{{- with .Values.natsBox }} +{{- if .enabled }} +{{- with .deployment }} +{{- include "nats.loadMergePatch" (merge (dict "file" "nats-box/deployment/deployment.yaml" "ctx" $) .) }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/nats/nats/1.2.5/templates/nats-box/service-account.yaml b/charts/nats/nats/1.2.5/templates/nats-box/service-account.yaml new file mode 100644 index 000000000..e11bdd363 --- /dev/null +++ b/charts/nats/nats/1.2.5/templates/nats-box/service-account.yaml @@ -0,0 +1,8 @@ +{{- include "nats.defaultValues" . }} +{{- if .Values.natsBox.enabled }} +{{- with .Values.natsBox.serviceAccount }} +{{- if .enabled }} +{{- include "nats.loadMergePatch" (merge (dict "file" "nats-box/service-account.yaml" "ctx" $) .) }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/nats/nats/1.2.5/templates/pod-disruption-budget.yaml b/charts/nats/nats/1.2.5/templates/pod-disruption-budget.yaml new file mode 100644 index 000000000..911722629 --- /dev/null +++ b/charts/nats/nats/1.2.5/templates/pod-disruption-budget.yaml @@ -0,0 +1,6 @@ +{{- include "nats.defaultValues" . }} +{{- with .Values.podDisruptionBudget }} +{{- if .enabled }} +{{- include "nats.loadMergePatch" (merge (dict "file" "pod-disruption-budget.yaml" "ctx" $) .) }} +{{- end }} +{{- end }} diff --git a/charts/nats/nats/1.2.5/templates/pod-monitor.yaml b/charts/nats/nats/1.2.5/templates/pod-monitor.yaml new file mode 100644 index 000000000..0e42a43a5 --- /dev/null +++ b/charts/nats/nats/1.2.5/templates/pod-monitor.yaml @@ -0,0 +1,8 @@ +{{- include "nats.defaultValues" . }} +{{- with .Values.promExporter }} +{{- if and .enabled .podMonitor.enabled }} +{{- with .podMonitor }} +{{- include "nats.loadMergePatch" (merge (dict "file" "pod-monitor.yaml" "ctx" $) .) }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/nats/nats/1.2.5/templates/service-account.yaml b/charts/nats/nats/1.2.5/templates/service-account.yaml new file mode 100644 index 000000000..6c763bd3e --- /dev/null +++ b/charts/nats/nats/1.2.5/templates/service-account.yaml @@ -0,0 +1,6 @@ +{{- include "nats.defaultValues" . }} +{{- with .Values.serviceAccount }} +{{- if .enabled }} +{{- include "nats.loadMergePatch" (merge (dict "file" "service-account.yaml" "ctx" $) .) }} +{{- end }} +{{- end }} diff --git a/charts/nats/nats/1.2.5/templates/service.yaml b/charts/nats/nats/1.2.5/templates/service.yaml new file mode 100644 index 000000000..04b0b37e7 --- /dev/null +++ b/charts/nats/nats/1.2.5/templates/service.yaml @@ -0,0 +1,6 @@ +{{- include "nats.defaultValues" . }} +{{- with .Values.service }} +{{- if .enabled }} +{{- include "nats.loadMergePatch" (merge (dict "file" "service.yaml" "ctx" $) .) }} +{{- end }} +{{- end }} diff --git a/charts/nats/nats/1.2.5/templates/stateful-set.yaml b/charts/nats/nats/1.2.5/templates/stateful-set.yaml new file mode 100644 index 000000000..bb198323e --- /dev/null +++ b/charts/nats/nats/1.2.5/templates/stateful-set.yaml @@ -0,0 +1,4 @@ +{{- include "nats.defaultValues" . }} +{{- with .Values.statefulSet }} +{{- include "nats.loadMergePatch" (merge (dict "file" "stateful-set/stateful-set.yaml" "ctx" $) .) }} +{{- end }} diff --git a/charts/nats/nats/1.2.5/templates/tests/request-reply.yaml b/charts/nats/nats/1.2.5/templates/tests/request-reply.yaml new file mode 100644 index 000000000..3e06edc08 --- /dev/null +++ b/charts/nats/nats/1.2.5/templates/tests/request-reply.yaml @@ -0,0 +1,37 @@ +{{- include "nats.defaultValues" . }} +{{- with .Values.natsBox | deepCopy }} +{{- $natsBox := . }} +{{- if .enabled -}} +apiVersion: v1 +kind: Pod +{{- with .container }} +{{- $_ := set . "merge" (dict + "args" (list + "sh" + "-ec" + "nats reply --echo echo & pid=\"$!\"; sleep 1; nats request echo hi > /tmp/resp; kill \"$pid\"; wait; grep -qF hi /tmp/resp" + ) +) }} +{{- $_ := set . "patch" list }} +{{- end }} +{{- with .podTemplate }} +{{- $_ := set . "merge" (dict + "metadata" (dict + "name" (printf "%s-test-request-reply" $.Values.statefulSet.name) + "labels" (dict + "app.kubernetes.io/component" "test-request-reply" + ) + "annotations" (dict + "helm.sh/hook" "test" + "helm.sh/hook-delete-policy" "before-hook-creation,hook-succeeded" + ) + ) + "spec" (dict + "restartPolicy" "Never" + ) +) }} +{{- $_ := set . "patch" list }} +{{ include "nats.loadMergePatch" (merge (dict "file" "nats-box/deployment/pod-template.yaml" "ctx" (merge (dict "Values" (dict "natsBox" $natsBox)) $)) .) }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/nats/nats/1.2.5/values.yaml b/charts/nats/nats/1.2.5/values.yaml new file mode 100644 index 000000000..0290881bd --- /dev/null +++ b/charts/nats/nats/1.2.5/values.yaml @@ -0,0 +1,669 @@ +################################################################################ +# Global options +################################################################################ +global: + image: + # global image pull policy to use for all container images in the chart + # can be overridden by individual image pullPolicy + pullPolicy: + # global list of secret names to use as image pull secrets for all pod specs in the chart + # secrets must exist in the same namespace + # https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + pullSecretNames: [] + # global registry to use for all container images in the chart + # can be overridden by individual image registry + registry: + + # global labels will be applied to all resources deployed by the chart + labels: {} + +################################################################################ +# Common options +################################################################################ +# override name of the chart +nameOverride: +# override full name of the chart+release +fullnameOverride: +# override the namespace that resources are installed into +namespaceOverride: + +# reference a common CA Certificate or Bundle in all nats config `tls` blocks and nats-box contexts +# note: `tls.verify` still must be set in the appropriate nats config `tls` blocks to require mTLS +tlsCA: + enabled: false + # set configMapName in order to mount an existing configMap to dir + configMapName: + # set secretName in order to mount an existing secretName to dir + secretName: + # directory to mount the configMap or secret to + dir: /etc/nats-ca-cert + # key in the configMap or secret that contains the CA Certificate or Bundle + key: ca.crt + +################################################################################ +# NATS Stateful Set and associated resources +################################################################################ + +############################################################ +# NATS config +############################################################ +config: + cluster: + enabled: false + port: 6222 + # must be 2 or higher when jetstream is enabled + replicas: 3 + + # apply to generated route URLs that connect to other pods in the StatefulSet + routeURLs: + # if both user and password are set, they will be added to route URLs + # and the cluster authorization block + user: + password: + # set to true to use FQDN in route URLs + useFQDN: false + k8sClusterDomain: cluster.local + + tls: + enabled: false + # set secretName in order to mount an existing secret to dir + secretName: + dir: /etc/nats-certs/cluster + cert: tls.crt + key: tls.key + # merge or patch the tls config + # https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls + merge: {} + patch: [] + + # merge or patch the cluster config + # https://docs.nats.io/running-a-nats-service/configuration/clustering/cluster_config + merge: {} + patch: [] + + jetstream: + enabled: false + + fileStore: + enabled: true + dir: /data + + ############################################################ + # stateful set -> volume claim templates -> jetstream pvc + ############################################################ + pvc: + enabled: true + size: 10Gi + storageClassName: + + # merge or patch the jetstream pvc + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#persistentvolumeclaim-v1-core + merge: {} + patch: [] + # defaults to "{{ include "nats.fullname" $ }}-js" + name: + + # defaults to the PVC size + maxSize: + + memoryStore: + enabled: false + # ensure that container has a sufficient memory limit greater than maxSize + maxSize: 1Gi + + # merge or patch the jetstream config + # https://docs.nats.io/running-a-nats-service/configuration#jetstream + merge: {} + patch: [] + + nats: + port: 4222 + tls: + enabled: false + # set secretName in order to mount an existing secret to dir + secretName: + dir: /etc/nats-certs/nats + cert: tls.crt + key: tls.key + # merge or patch the tls config + # https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls + merge: {} + patch: [] + + leafnodes: + enabled: false + port: 7422 + tls: + enabled: false + # set secretName in order to mount an existing secret to dir + secretName: + dir: /etc/nats-certs/leafnodes + cert: tls.crt + key: tls.key + # merge or patch the tls config + # https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls + merge: {} + patch: [] + + # merge or patch the leafnodes config + # https://docs.nats.io/running-a-nats-service/configuration/leafnodes/leafnode_conf + merge: {} + patch: [] + + websocket: + enabled: false + port: 8080 + tls: + enabled: false + # set secretName in order to mount an existing secret to dir + secretName: + dir: /etc/nats-certs/websocket + cert: tls.crt + key: tls.key + # merge or patch the tls config + # https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls + merge: {} + patch: [] + + ############################################################ + # ingress + ############################################################ + # service must be enabled also + ingress: + enabled: false + # must contain at least 1 host otherwise ingress will not be created + hosts: [] + path: / + pathType: Exact + # sets to the ingress class name + className: + # set to an existing secret name to enable TLS on the ingress; applies to all hosts + tlsSecretName: + + # merge or patch the ingress + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#ingress-v1-networking-k8s-io + merge: {} + patch: [] + # defaults to "{{ include "nats.fullname" $ }}-ws" + name: + + # merge or patch the websocket config + # https://docs.nats.io/running-a-nats-service/configuration/websocket/websocket_conf + merge: {} + patch: [] + + mqtt: + enabled: false + port: 1883 + tls: + enabled: false + # set secretName in order to mount an existing secret to dir + secretName: + dir: /etc/nats-certs/mqtt + cert: tls.crt + key: tls.key + # merge or patch the tls config + # https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls + merge: {} + patch: [] + + # merge or patch the mqtt config + # https://docs.nats.io/running-a-nats-service/configuration/mqtt/mqtt_config + merge: {} + patch: [] + + gateway: + enabled: false + port: 7222 + tls: + enabled: false + # set secretName in order to mount an existing secret to dir + secretName: + dir: /etc/nats-certs/gateway + cert: tls.crt + key: tls.key + # merge or patch the tls config + # https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls + merge: {} + patch: [] + + # merge or patch the gateway config + # https://docs.nats.io/running-a-nats-service/configuration/gateways/gateway#gateway-configuration-block + merge: {} + patch: [] + + monitor: + enabled: true + port: 8222 + tls: + # config.nats.tls must be enabled also + # when enabled, monitoring port will use HTTPS with the options from config.nats.tls + enabled: false + + profiling: + enabled: false + port: 65432 + + resolver: + enabled: false + dir: /data/resolver + + ############################################################ + # stateful set -> volume claim templates -> resolver pvc + ############################################################ + pvc: + enabled: true + size: 1Gi + storageClassName: + + # merge or patch the pvc + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#persistentvolumeclaim-v1-core + merge: {} + patch: [] + # defaults to "{{ include "nats.fullname" $ }}-resolver" + name: + + # merge or patch the resolver + # https://docs.nats.io/running-a-nats-service/configuration/securing_nats/auth_intro/jwt/resolver + merge: {} + patch: [] + + # adds a prefix to the server name, which defaults to the pod name + # helpful for ensuring server name is unique in a super cluster + serverNamePrefix: "" + + # merge or patch the nats config + # https://docs.nats.io/running-a-nats-service/configuration + # following special rules apply + # 1. strings that start with << and end with >> will be unquoted + # use this for variables and numbers with units + # 2. keys ending in $include will be switched to include directives + # keys are sorted alphabetically, use prefix before $includes to control includes ordering + # paths should be relative to /etc/nats-config/nats.conf + # example: + # + # merge: + # $include: ./my-config.conf + # zzz$include: ./my-config-last.conf + # server_name: nats + # authorization: + # token: << $TOKEN >> + # jetstream: + # max_memory_store: << 1GB >> + # + # will yield the config: + # { + # include ./my-config.conf; + # "authorization": { + # "token": $TOKEN + # }, + # "jetstream": { + # "max_memory_store": 1GB + # }, + # "server_name": "nats", + # include ./my-config-last.conf; + # } + merge: {} + patch: [] + +############################################################ +# stateful set -> pod template -> nats container +############################################################ +container: + image: + repository: nats + tag: 2.10.21-alpine + pullPolicy: + registry: + + # container port options + # must be enabled in the config section also + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#containerport-v1-core + ports: + nats: {} + leafnodes: {} + websocket: {} + mqtt: {} + cluster: {} + gateway: {} + monitor: {} + profiling: {} + + # map with key as env var name, value can be string or map + # example: + # + # env: + # GOMEMLIMIT: 7GiB + # TOKEN: + # valueFrom: + # secretKeyRef: + # name: nats-auth + # key: token + env: {} + + # merge or patch the container + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#container-v1-core + merge: {} + patch: [] + +############################################################ +# stateful set -> pod template -> reloader container +############################################################ +reloader: + enabled: true + image: + repository: natsio/nats-server-config-reloader + tag: 0.16.0 + pullPolicy: + registry: + + # env var map, see nats.env for an example + env: {} + + # all nats container volume mounts with the following prefixes + # will be mounted into the reloader container + natsVolumeMountPrefixes: + - /etc/ + + # merge or patch the container + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#container-v1-core + merge: {} + patch: [] + +############################################################ +# stateful set -> pod template -> prom-exporter container +############################################################ +# config.monitor must be enabled +promExporter: + enabled: false + image: + repository: natsio/prometheus-nats-exporter + tag: 0.15.0 + pullPolicy: + registry: + + port: 7777 + # env var map, see nats.env for an example + env: {} + + # merge or patch the container + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#container-v1-core + merge: {} + patch: [] + + ############################################################ + # prometheus pod monitor + ############################################################ + podMonitor: + enabled: false + + # merge or patch the pod monitor + # https://prometheus-operator.dev/docs/operator/api/#monitoring.coreos.com/v1.PodMonitor + merge: {} + patch: [] + # defaults to "{{ include "nats.fullname" $ }}" + name: + + +############################################################ +# service +############################################################ +service: + enabled: true + + # service port options + # additional boolean field enable to control whether port is exposed in the service + # must be enabled in the config section also + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#serviceport-v1-core + ports: + nats: + enabled: true + leafnodes: + enabled: true + websocket: + enabled: true + mqtt: + enabled: true + cluster: + enabled: false + gateway: + enabled: false + monitor: + enabled: false + profiling: + enabled: false + + # merge or patch the service + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#service-v1-core + merge: {} + patch: [] + # defaults to "{{ include "nats.fullname" $ }}" + name: + +############################################################ +# other nats extension points +############################################################ + +# stateful set +statefulSet: + # merge or patch the stateful set + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#statefulset-v1-apps + merge: {} + patch: [] + # defaults to "{{ include "nats.fullname" $ }}" + name: + +# stateful set -> pod template +podTemplate: + # adds a hash of the ConfigMap as a pod annotation + # this will cause the StatefulSet to roll when the ConfigMap is updated + configChecksumAnnotation: true + + # map of topologyKey: topologySpreadConstraint + # labelSelector will be added to match StatefulSet pods + # + # topologySpreadConstraints: + # kubernetes.io/hostname: + # maxSkew: 1 + # + topologySpreadConstraints: {} + + # merge or patch the pod template + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#pod-v1-core + merge: {} + patch: [] + +# headless service +headlessService: + # merge or patch the headless service + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#service-v1-core + merge: {} + patch: [] + # defaults to "{{ include "nats.fullname" $ }}-headless" + name: + +# config map +configMap: + # merge or patch the config map + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#configmap-v1-core + merge: {} + patch: [] + # defaults to "{{ include "nats.fullname" $ }}-config" + name: + +# pod disruption budget +podDisruptionBudget: + enabled: true + # merge or patch the pod disruption budget + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#poddisruptionbudget-v1-policy + merge: {} + patch: [] + # defaults to "{{ include "nats.fullname" $ }}" + name: + +# service account +serviceAccount: + enabled: false + # merge or patch the service account + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#serviceaccount-v1-core + merge: {} + patch: [] + # defaults to "{{ include "nats.fullname" $ }}" + name: + + +############################################################ +# natsBox +# +# NATS Box Deployment and associated resources +############################################################ +natsBox: + enabled: true + + ############################################################ + # NATS contexts + ############################################################ + contexts: + default: + creds: + # set contents in order to create a secret with the creds file contents + contents: + # set secretName in order to mount an existing secret to dir + secretName: + # defaults to /etc/nats-creds/ + dir: + key: nats.creds + nkey: + # set contents in order to create a secret with the nkey file contents + contents: + # set secretName in order to mount an existing secret to dir + secretName: + # defaults to /etc/nats-nkeys/ + dir: + key: nats.nk + # used to connect with client certificates + tls: + # set secretName in order to mount an existing secret to dir + secretName: + # defaults to /etc/nats-certs/ + dir: + cert: tls.crt + key: tls.key + + # merge or patch the context + # https://docs.nats.io/using-nats/nats-tools/nats_cli#nats-contexts + merge: {} + patch: [] + + # name of context to select by default + defaultContextName: default + + ############################################################ + # deployment -> pod template -> nats-box container + ############################################################ + container: + image: + repository: natsio/nats-box + tag: 0.14.5 + pullPolicy: + registry: + + # env var map, see nats.env for an example + env: {} + + # merge or patch the container + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#container-v1-core + merge: {} + patch: [] + + ############################################################ + # other nats-box extension points + ############################################################ + + # deployment + deployment: + # merge or patch the deployment + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#deployment-v1-apps + merge: {} + patch: [] + # defaults to "{{ include "nats.fullname" $ }}-box" + name: + + # deployment -> pod template + podTemplate: + # merge or patch the pod template + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#pod-v1-core + merge: {} + patch: [] + + # contexts secret + contextsSecret: + # merge or patch the context secret + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#secret-v1-core + merge: {} + patch: [] + # defaults to "{{ include "nats.fullname" $ }}-box-contexts" + name: + + # contents secret + contentsSecret: + # merge or patch the contents secret + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#secret-v1-core + merge: {} + patch: [] + # defaults to "{{ include "nats.fullname" $ }}-box-contents" + name: + + # service account + serviceAccount: + enabled: false + # merge or patch the service account + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#serviceaccount-v1-core + merge: {} + patch: [] + # defaults to "{{ include "nats.fullname" $ }}-box" + name: + + +################################################################################ +# Extra user-defined resources +################################################################################ +# +# add arbitrary user-generated resources +# example: +# +# config: +# websocket: +# enabled: true +# extraResources: +# - apiVersion: networking.istio.io/v1beta1 +# kind: VirtualService +# metadata: +# name: +# $tplYaml: > +# {{ include "nats.fullname" $ | quote }} +# labels: +# $tplYaml: | +# {{ include "nats.labels" $ }} +# spec: +# hosts: +# - demo.nats.io +# gateways: +# - my-gateway +# http: +# - name: default +# match: +# - name: root +# uri: +# exact: / +# route: +# - destination: +# host: +# $tplYaml: > +# {{ .Values.service.name | quote }} +# port: +# number: +# $tplYaml: > +# {{ .Values.config.websocket.port }} +# +extraResources: [] diff --git a/charts/redpanda/redpanda/5.9.5/.helmignore b/charts/redpanda/redpanda/5.9.5/.helmignore new file mode 100644 index 000000000..d5bb5e6ba --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/.helmignore @@ -0,0 +1,28 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +README.md.gotmpl +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ + +*.go +testdata/ +ci/ diff --git a/charts/redpanda/redpanda/5.9.5/Chart.lock b/charts/redpanda/redpanda/5.9.5/Chart.lock new file mode 100644 index 000000000..b3c6c0a2a --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/Chart.lock @@ -0,0 +1,9 @@ +dependencies: +- name: console + repository: https://charts.redpanda.com + version: 0.7.29 +- name: connectors + repository: https://charts.redpanda.com + version: 0.1.13 +digest: sha256:3023f8ca61cf80050d0f0e73f9e86b73ae796717c651be8765c9db90996e5462 +generated: "2024-09-26T22:13:55.854012+02:00" diff --git a/charts/redpanda/redpanda/5.9.5/Chart.yaml b/charts/redpanda/redpanda/5.9.5/Chart.yaml new file mode 100644 index 000000000..5f48d031b --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/Chart.yaml @@ -0,0 +1,40 @@ +annotations: + artifacthub.io/images: | + - name: redpanda + image: docker.redpanda.com/redpandadata/redpanda:v24.2.5 + - name: busybox + image: busybox:latest + - name: mintel/docker-alpine-bash-curl-jq + image: mintel/docker-alpine-bash-curl-jq:latest + artifacthub.io/license: Apache-2.0 + artifacthub.io/links: | + - name: Documentation + url: https://docs.redpanda.com + - name: "Helm (>= 3.10.0)" + url: https://helm.sh/docs/intro/install/ + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Redpanda + catalog.cattle.io/kube-version: '>=1.21-0' + catalog.cattle.io/release-name: redpanda +apiVersion: v2 +appVersion: v24.2.5 +dependencies: +- condition: console.enabled + name: console + repository: file://./charts/console + version: '>=0.5 <1.0' +- condition: connectors.enabled + name: connectors + repository: file://./charts/connectors + version: '>=0.1.2 <1.0' +description: Redpanda is the real-time engine for modern apps. +icon: file://assets/icons/redpanda.svg +kubeVersion: '>=1.21-0' +maintainers: +- name: redpanda-data + url: https://github.com/orgs/redpanda-data/people +name: redpanda +sources: +- https://github.com/redpanda-data/helm-charts +type: application +version: 5.9.5 diff --git a/charts/redpanda/redpanda/5.9.5/LICENSE b/charts/redpanda/redpanda/5.9.5/LICENSE new file mode 100644 index 000000000..261eeb9e9 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/LICENSE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/charts/redpanda/redpanda/5.9.5/README.md b/charts/redpanda/redpanda/5.9.5/README.md new file mode 100644 index 000000000..d7f247f24 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/README.md @@ -0,0 +1,1244 @@ +# Redpanda Helm Chart Specification +--- +description: Find the default values and descriptions of settings in the Redpanda Helm chart. +--- + +![Version: 5.9.5](https://img.shields.io/badge/Version-5.9.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v24.2.5](https://img.shields.io/badge/AppVersion-v24.2.5-informational?style=flat-square) + +This page describes the official Redpanda Helm Chart. In particular, this page describes the contents of the chart’s [`values.yaml` file](https://github.com/redpanda-data/helm-charts/blob/main/charts/redpanda/values.yaml). Each of the settings is listed and described on this page, along with any default values. + +For instructions on how to install and use the chart, including how to override and customize the chart’s values, refer to the [deployment documentation](https://docs.redpanda.com/docs/deploy/deployment-option/self-hosted/kubernetes/kubernetes-deploy/). + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1) + +## Source Code + +* + +## Requirements + +Kubernetes: `^1.21.0-0` + +| Repository | Name | Version | +|------------|------|---------| +| https://charts.redpanda.com | connectors | >=0.1.2 <1.0 | +| https://charts.redpanda.com | console | >=0.5 <1.0 | + +## Settings + +### [affinity](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=affinity) + +Affinity constraints for scheduling Pods, can override this for StatefulSets and Jobs. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity). + +**Default:** `{}` + +### [auditLogging](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging) + +Audit logging for a redpanda cluster, must have enabled sasl and have one kafka listener supporting sasl authentication for audit logging to work. Note this feature is only available for redpanda versions >= v23.3.0. + +**Default:** + +``` +{"clientMaxBufferSize":16777216,"enabled":false,"enabledEventTypes":null,"excludedPrincipals":null,"excludedTopics":null,"listener":"internal","partitions":12,"queueDrainIntervalMs":500,"queueMaxBufferSizePerShard":1048576,"replicationFactor":null} +``` + +### [auditLogging.clientMaxBufferSize](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.clientMaxBufferSize) + +Defines the number of bytes (in bytes) allocated by the internal audit client for audit messages. + +**Default:** `16777216` + +### [auditLogging.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.enabled) + +Enable or disable audit logging, for production clusters we suggest you enable, however, this will only work if you also enable sasl and a listener with sasl enabled. + +**Default:** `false` + +### [auditLogging.enabledEventTypes](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.enabledEventTypes) + +Event types that should be captured by audit logs, default is [`admin`, `authenticate`, `management`]. + +**Default:** `nil` + +### [auditLogging.excludedPrincipals](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.excludedPrincipals) + +List of principals to exclude from auditing, default is null. + +**Default:** `nil` + +### [auditLogging.excludedTopics](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.excludedTopics) + +List of topics to exclude from auditing, default is null. + +**Default:** `nil` + +### [auditLogging.listener](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.listener) + +Kafka listener name, note that it must have `authenticationMethod` set to `sasl`. For external listeners, use the external listener name, such as `default`. + +**Default:** `"internal"` + +### [auditLogging.partitions](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.partitions) + +Integer value defining the number of partitions used by a newly created audit topic. + +**Default:** `12` + +### [auditLogging.queueDrainIntervalMs](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.queueDrainIntervalMs) + +In ms, frequency in which per shard audit logs are batched to client for write to audit log. + +**Default:** `500` + +### [auditLogging.queueMaxBufferSizePerShard](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.queueMaxBufferSizePerShard) + +Defines the maximum amount of memory used (in bytes) by the audit buffer in each shard. + +**Default:** `1048576` + +### [auditLogging.replicationFactor](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.replicationFactor) + +Defines the replication factor for a newly created audit log topic. This configuration applies only to the audit log topic and may be different from the cluster or other topic configurations. This cannot be altered for existing audit log topics. Setting this value is optional. If a value is not provided, Redpanda will use the `internal_topic_replication_factor cluster` config value. Default is `null` + +**Default:** `nil` + +### [auth](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auth) + +Authentication settings. For details, see the [SASL documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/sasl-kubernetes/). + +**Default:** + +``` +{"sasl":{"bootstrapUser":{"mechanism":"SCRAM-SHA-256"},"enabled":false,"mechanism":"SCRAM-SHA-512","secretRef":"redpanda-users","users":[]}} +``` + +### [auth.sasl.bootstrapUser](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auth.sasl.bootstrapUser) + +Details about how to create the bootstrap user for the cluster. The secretKeyRef is optionally specified. If it is specified, the chart will use a password written to that secret when creating the "kubernetes-controller" bootstrap user. If it is unspecified, then the secret will be generated and stored in the secret "releasename"-bootstrap-user, with the key "password". + +**Default:** + +``` +{"mechanism":"SCRAM-SHA-256"} +``` + +### [auth.sasl.bootstrapUser.mechanism](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auth.sasl.bootstrapUser.mechanism) + +The authentication mechanism to use for the bootstrap user. Options are `SCRAM-SHA-256` and `SCRAM-SHA-512`. + +**Default:** `"SCRAM-SHA-256"` + +### [auth.sasl.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auth.sasl.enabled) + +Enable SASL authentication. If you enable SASL authentication, you must provide a Secret in `auth.sasl.secretRef`. + +**Default:** `false` + +### [auth.sasl.mechanism](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auth.sasl.mechanism) + +The authentication mechanism to use for the superuser. Options are `SCRAM-SHA-256` and `SCRAM-SHA-512`. + +**Default:** `"SCRAM-SHA-512"` + +### [auth.sasl.secretRef](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auth.sasl.secretRef) + +A Secret that contains your superuser credentials. For details, see the [SASL documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/sasl-kubernetes/#use-secrets). + +**Default:** `"redpanda-users"` + +### [auth.sasl.users](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auth.sasl.users) + +Optional list of superusers. These superusers will be created in the Secret whose name is defined in `auth.sasl.secretRef`. If this list is empty, the Secret in `auth.sasl.secretRef` must already exist in the cluster before you deploy the chart. Uncomment the sample list if you wish to try adding sample sasl users or override to use your own. + +**Default:** `[]` + +### [clusterDomain](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=clusterDomain) + +Default Kubernetes cluster domain. + +**Default:** `"cluster.local"` + +### [commonLabels](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=commonLabels) + +Additional labels to add to all Kubernetes objects. For example, `my.k8s.service: redpanda`. + +**Default:** `{}` + +### [config](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config) + +This section contains various settings supported by Redpanda that may not work correctly in a Kubernetes cluster. Changing these settings comes with some risk. Use these settings to customize various Redpanda configurations that are not covered in other sections. These values have no impact on the configuration or behavior of the Kubernetes objects deployed by Helm, and therefore should not be modified for the purpose of configuring those objects. Instead, these settings get passed directly to the Redpanda binary at startup. For descriptions of these properties, see the [configuration documentation](https://docs.redpanda.com/docs/cluster-administration/configuration/). + +**Default:** + +``` +{"cluster":{},"node":{"crash_loop_limit":5},"pandaproxy_client":{},"rpk":{},"schema_registry_client":{},"tunable":{"compacted_log_segment_size":67108864,"kafka_connection_rate_limit":1000,"log_segment_size_max":268435456,"log_segment_size_min":16777216,"max_compacted_log_segment_size":536870912}} +``` + +### [config.cluster](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.cluster) + +[Cluster Configuration Properties](https://docs.redpanda.com/current/reference/properties/cluster-properties/) + +**Default:** `{}` + +### [config.node](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.node) + +[Broker (node) Configuration Properties](https://docs.redpanda.com/docs/reference/broker-properties/). + +**Default:** `{"crash_loop_limit":5}` + +### [config.node.crash_loop_limit](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.node.crash_loop_limit) + +Crash loop limit A limit on the number of consecutive times a broker can crash within one hour before its crash-tracking logic is reset. This limit prevents a broker from getting stuck in an infinite cycle of crashes. User can disable this crash loop limit check by the following action: * One hour elapses since the last crash * The node configuration file, redpanda.yaml, is updated via config.cluster or config.node or config.tunable objects * The startup_log file in the node’s data_directory is manually deleted Default to 5 REF: https://docs.redpanda.com/current/reference/broker-properties/#crash_loop_limit + +**Default:** `5` + +### [config.tunable](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable) + +Tunable cluster properties. Deprecated: all settings here may be specified via `config.cluster`. + +**Default:** + +``` +{"compacted_log_segment_size":67108864,"kafka_connection_rate_limit":1000,"log_segment_size_max":268435456,"log_segment_size_min":16777216,"max_compacted_log_segment_size":536870912} +``` + +### [config.tunable.compacted_log_segment_size](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable.compacted_log_segment_size) + +See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#compacted_log_segment_size). + +**Default:** `67108864` + +### [config.tunable.kafka_connection_rate_limit](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable.kafka_connection_rate_limit) + +See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#kafka_connection_rate_limit). + +**Default:** `1000` + +### [config.tunable.log_segment_size_max](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable.log_segment_size_max) + +See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#log_segment_size_max). + +**Default:** `268435456` + +### [config.tunable.log_segment_size_min](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable.log_segment_size_min) + +See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#log_segment_size_min). + +**Default:** `16777216` + +### [config.tunable.max_compacted_log_segment_size](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable.max_compacted_log_segment_size) + +See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#max_compacted_log_segment_size). + +**Default:** `536870912` + +### [connectors](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=connectors) + +Redpanda Managed Connectors settings For a reference of configuration settings, see the [Redpanda Connectors documentation](https://docs.redpanda.com/docs/deploy/deployment-option/cloud/managed-connectors/). + +**Default:** + +``` +{"deployment":{"create":false},"enabled":false,"test":{"create":false}} +``` + +### [console](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=console) + +Redpanda Console settings. For a reference of configuration settings, see the [Redpanda Console documentation](https://docs.redpanda.com/docs/reference/console/config/). + +**Default:** + +``` +{"config":{},"configmap":{"create":false},"deployment":{"create":false},"enabled":true,"secret":{"create":false}} +``` + +### [enterprise](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=enterprise) + +Enterprise (optional) For details, see the [License documentation](https://docs.redpanda.com/docs/get-started/licenses/?platform=kubernetes#redpanda-enterprise-edition). + +**Default:** + +``` +{"license":"","licenseSecretRef":{}} +``` + +### [enterprise.license](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=enterprise.license) + +license (optional). + +**Default:** `""` + +### [enterprise.licenseSecretRef](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=enterprise.licenseSecretRef) + +Secret name and key where the license key is stored. + +**Default:** `{}` + +### [external](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=external) + +External access settings. For details, see the [Networking and Connectivity documentation](https://docs.redpanda.com/docs/manage/kubernetes/networking/networking-and-connectivity/). + +**Default:** + +``` +{"enabled":true,"service":{"enabled":true},"type":"NodePort"} +``` + +### [external.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=external.enabled) + +Enable external access for each Service. You can toggle external access for each listener in `listeners..external..enabled`. + +**Default:** `true` + +### [external.service](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=external.service) + +Service allows you to manage the creation of an external kubernetes service object + +**Default:** `{"enabled":true}` + +### [external.service.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=external.service.enabled) + +Enabled if set to false will not create the external service type You can still set your cluster with external access but not create the supporting service (NodePort/LoadBalander). Set this to false if you rather manage your own service. + +**Default:** `true` + +### [external.type](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=external.type) + +External access type. Only `NodePort` and `LoadBalancer` are supported. If undefined, then advertised listeners will be configured in Redpanda, but the helm chart will not create a Service. You must create a Service manually. Warning: If you use LoadBalancers, you will likely experience higher latency and increased packet loss. NodePort is recommended in cases where latency is a priority. + +**Default:** `"NodePort"` + +### [fullnameOverride](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=fullnameOverride) + +Override `redpanda.fullname` template. + +**Default:** `""` + +### [image](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=image) + +Redpanda Docker image settings. + +**Default:** + +``` +{"pullPolicy":"IfNotPresent","repository":"docker.redpanda.com/redpandadata/redpanda","tag":""} +``` + +### [image.pullPolicy](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=image.pullPolicy) + +The imagePullPolicy. If `image.tag` is 'latest', the default is `Always`. + +**Default:** `"IfNotPresent"` + +### [image.repository](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=image.repository) + +Docker repository from which to pull the Redpanda Docker image. + +**Default:** + +``` +"docker.redpanda.com/redpandadata/redpanda" +``` + +### [image.tag](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=image.tag) + +The Redpanda version. See DockerHub for: [All stable versions](https://hub.docker.com/r/redpandadata/redpanda/tags) and [all unstable versions](https://hub.docker.com/r/redpandadata/redpanda-unstable/tags). + +**Default:** `Chart.appVersion`. + +### [imagePullSecrets](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=imagePullSecrets) + +Pull secrets may be used to provide credentials to image repositories See the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/). + +**Default:** `[]` + +### [license_key](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=license_key) + +DEPRECATED Enterprise license key (optional). For details, see the [License documentation](https://docs.redpanda.com/docs/get-started/licenses/?platform=kubernetes#redpanda-enterprise-edition). + +**Default:** `""` + +### [license_secret_ref](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=license_secret_ref) + +DEPRECATED Secret name and secret key where the license key is stored. + +**Default:** `{}` + +### [listeners](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners) + +Listener settings. Override global settings configured above for individual listeners. For details, see the [listeners documentation](https://docs.redpanda.com/docs/manage/kubernetes/networking/configure-listeners/). + +**Default:** + +``` +{"admin":{"external":{"default":{"advertisedPorts":[31644],"port":9645,"tls":{"cert":"external"}}},"port":9644,"tls":{"cert":"default","requireClientAuth":false}},"http":{"authenticationMethod":null,"enabled":true,"external":{"default":{"advertisedPorts":[30082],"authenticationMethod":null,"port":8083,"tls":{"cert":"external","requireClientAuth":false}}},"kafkaEndpoint":"default","port":8082,"tls":{"cert":"default","requireClientAuth":false}},"kafka":{"authenticationMethod":null,"external":{"default":{"advertisedPorts":[31092],"authenticationMethod":null,"port":9094,"tls":{"cert":"external"}}},"port":9093,"tls":{"cert":"default","requireClientAuth":false}},"rpc":{"port":33145,"tls":{"cert":"default","requireClientAuth":false}},"schemaRegistry":{"authenticationMethod":null,"enabled":true,"external":{"default":{"advertisedPorts":[30081],"authenticationMethod":null,"port":8084,"tls":{"cert":"external","requireClientAuth":false}}},"kafkaEndpoint":"default","port":8081,"tls":{"cert":"default","requireClientAuth":false}}} +``` + +### [listeners.admin](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin) + +Admin API listener (only one). + +**Default:** + +``` +{"external":{"default":{"advertisedPorts":[31644],"port":9645,"tls":{"cert":"external"}}},"port":9644,"tls":{"cert":"default","requireClientAuth":false}} +``` + +### [listeners.admin.external](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin.external) + +Optional external access settings. + +**Default:** + +``` +{"default":{"advertisedPorts":[31644],"port":9645,"tls":{"cert":"external"}}} +``` + +### [listeners.admin.external.default](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin.external.default) + +Name of the external listener. + +**Default:** + +``` +{"advertisedPorts":[31644],"port":9645,"tls":{"cert":"external"}} +``` + +### [listeners.admin.external.default.tls](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin.external.default.tls) + +The port advertised to this listener's external clients. List one port if you want to use the same port for each broker (would be the case when using NodePort service). Otherwise, list the port you want to use for each broker in order of StatefulSet replicas. If undefined, `listeners.admin.port` is used. + +**Default:** `{"cert":"external"}` + +### [listeners.admin.port](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin.port) + +The port for both internal and external connections to the Admin API. + +**Default:** `9644` + +### [listeners.admin.tls](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin.tls) + +Optional TLS section (required if global TLS is enabled) + +**Default:** + +``` +{"cert":"default","requireClientAuth":false} +``` + +### [listeners.admin.tls.cert](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin.tls.cert) + +Name of the Certificate used for TLS (must match a Certificate name that is registered in tls.certs). + +**Default:** `"default"` + +### [listeners.admin.tls.requireClientAuth](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin.tls.requireClientAuth) + +If true, the truststore file for this listener is included in the ConfigMap. + +**Default:** `false` + +### [listeners.http](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.http) + +HTTP API listeners (aka PandaProxy). + +**Default:** + +``` +{"authenticationMethod":null,"enabled":true,"external":{"default":{"advertisedPorts":[30082],"authenticationMethod":null,"port":8083,"tls":{"cert":"external","requireClientAuth":false}}},"kafkaEndpoint":"default","port":8082,"tls":{"cert":"default","requireClientAuth":false}} +``` + +### [listeners.kafka](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.kafka) + +Kafka API listeners. + +**Default:** + +``` +{"authenticationMethod":null,"external":{"default":{"advertisedPorts":[31092],"authenticationMethod":null,"port":9094,"tls":{"cert":"external"}}},"port":9093,"tls":{"cert":"default","requireClientAuth":false}} +``` + +### [listeners.kafka.external.default.advertisedPorts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.kafka.external.default.advertisedPorts) + +If undefined, `listeners.kafka.external.default.port` is used. + +**Default:** `[31092]` + +### [listeners.kafka.external.default.port](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.kafka.external.default.port) + +The port used for external client connections. + +**Default:** `9094` + +### [listeners.kafka.port](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.kafka.port) + +The port for internal client connections. + +**Default:** `9093` + +### [listeners.rpc](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.rpc) + +RPC listener (this is never externally accessible). + +**Default:** + +``` +{"port":33145,"tls":{"cert":"default","requireClientAuth":false}} +``` + +### [listeners.schemaRegistry](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.schemaRegistry) + +Schema registry listeners. + +**Default:** + +``` +{"authenticationMethod":null,"enabled":true,"external":{"default":{"advertisedPorts":[30081],"authenticationMethod":null,"port":8084,"tls":{"cert":"external","requireClientAuth":false}}},"kafkaEndpoint":"default","port":8081,"tls":{"cert":"default","requireClientAuth":false}} +``` + +### [logging](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=logging) + +Log-level settings. + +**Default:** + +``` +{"logLevel":"info","usageStats":{"enabled":true}} +``` + +### [logging.logLevel](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=logging.logLevel) + +Log level Valid values (from least to most verbose) are: `warn`, `info`, `debug`, and `trace`. + +**Default:** `"info"` + +### [logging.usageStats](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=logging.usageStats) + +Send usage statistics back to Redpanda Data. For details, see the [stats reporting documentation](https://docs.redpanda.com/docs/cluster-administration/monitoring/#stats-reporting). + +**Default:** `{"enabled":true}` + +### [monitoring](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=monitoring) + +Monitoring. This will create a ServiceMonitor that can be used by Prometheus-Operator or VictoriaMetrics-Operator to scrape the metrics. + +**Default:** + +``` +{"enabled":false,"labels":{},"scrapeInterval":"30s"} +``` + +### [nameOverride](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=nameOverride) + +Override `redpanda.name` template. + +**Default:** `""` + +### [nodeSelector](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=nodeSelector) + +Node selection constraints for scheduling Pods, can override this for StatefulSets. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector). + +**Default:** `{}` + +### [post_install_job.affinity](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=post_install_job.affinity) + +**Default:** `{}` + +### [post_install_job.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=post_install_job.enabled) + +**Default:** `true` + +### [post_install_job.podTemplate.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=post_install_job.podTemplate.annotations) + +Additional annotations to apply to the Pods of this Job. + +**Default:** `{}` + +### [post_install_job.podTemplate.labels](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=post_install_job.podTemplate.labels) + +Additional labels to apply to the Pods of this Job. + +**Default:** `{}` + +### [post_install_job.podTemplate.spec](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=post_install_job.podTemplate.spec) + +A subset of Kubernetes' PodSpec type that will be merged into the final PodSpec. See [Merge Semantics](#merging-semantics) for details. + +**Default:** + +``` +{"containers":[{"env":[],"name":"post-install","securityContext":{}}],"securityContext":{}} +``` + +### [post_upgrade_job.affinity](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=post_upgrade_job.affinity) + +**Default:** `{}` + +### [post_upgrade_job.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=post_upgrade_job.enabled) + +**Default:** `true` + +### [post_upgrade_job.podTemplate.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=post_upgrade_job.podTemplate.annotations) + +Additional annotations to apply to the Pods of this Job. + +**Default:** `{}` + +### [post_upgrade_job.podTemplate.labels](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=post_upgrade_job.podTemplate.labels) + +Additional labels to apply to the Pods of this Job. + +**Default:** `{}` + +### [post_upgrade_job.podTemplate.spec](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=post_upgrade_job.podTemplate.spec) + +A subset of Kubernetes' PodSpec type that will be merged into the final PodSpec. See [Merge Semantics](#merging-semantics) for details. + +**Default:** + +``` +{"containers":[{"env":[],"name":"post-upgrade","securityContext":{}}],"securityContext":{}} +``` + +### [rackAwareness](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=rackAwareness) + +Rack Awareness settings. For details, see the [Rack Awareness documentation](https://docs.redpanda.com/docs/manage/kubernetes/kubernetes-rack-awareness/). + +**Default:** + +``` +{"enabled":false,"nodeAnnotation":"topology.kubernetes.io/zone"} +``` + +### [rackAwareness.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=rackAwareness.enabled) + +When running in multiple racks or availability zones, use a Kubernetes Node annotation value as the Redpanda rack value. Enabling this requires running with a service account with "get" Node permissions. To have the Helm chart configure these permissions, set `serviceAccount.create=true` and `rbac.enabled=true`. + +**Default:** `false` + +### [rackAwareness.nodeAnnotation](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=rackAwareness.nodeAnnotation) + +The common well-known annotation to use as the rack ID. Override this only if you use a custom Node annotation. + +**Default:** + +``` +"topology.kubernetes.io/zone" +``` + +### [rbac](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=rbac) + +Role Based Access Control. + +**Default:** + +``` +{"annotations":{},"enabled":false} +``` + +### [rbac.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=rbac.annotations) + +Annotations to add to the `rbac` resources. + +**Default:** `{}` + +### [rbac.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=rbac.enabled) + +Enable for features that need extra privileges. If you use the Redpanda Operator, you must deploy it with the `--set rbac.createRPKBundleCRs=true` flag to give it the required ClusterRoles. + +**Default:** `false` + +### [resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=resources) + +Pod resource management. This section simplifies resource allocation by providing a single location where resources are defined. Helm sets these resource values within the `statefulset.yaml` and `configmap.yaml` templates. The default values are for a development environment. Production-level values and other considerations are documented, where those values are different from the default. For details, see the [Pod resources documentation](https://docs.redpanda.com/docs/manage/kubernetes/manage-resources/). + +**Default:** + +``` +{"cpu":{"cores":1},"memory":{"container":{"max":"2.5Gi"}}} +``` + +### [resources.cpu](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=resources.cpu) + +CPU resources. For details, see the [Pod resources documentation](https://docs.redpanda.com/docs/manage/kubernetes/manage-resources/#configure-cpu-resources). + +**Default:** `{"cores":1}` + +### [resources.cpu.cores](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=resources.cpu.cores) + +Redpanda makes use of a thread per core model. For details, see this [blog](https://redpanda.com/blog/tpc-buffers). For this reason, Redpanda should only be given full cores. Note: You can increase cores, but decreasing cores is not currently supported. See the [GitHub issue](https://github.com/redpanda-data/redpanda/issues/350). This setting is equivalent to `--smp`, `resources.requests.cpu`, and `resources.limits.cpu`. For production, use `4` or greater. To maximize efficiency, use the `static` CPU manager policy by specifying an even integer for CPU resource requests and limits. This policy gives the Pods running Redpanda brokers access to exclusive CPUs on the node. See https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#static-policy. + +**Default:** `1` + +### [resources.memory](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=resources.memory) + +Memory resources For details, see the [Pod resources documentation](https://docs.redpanda.com/docs/manage/kubernetes/manage-resources/#configure-memory-resources). + +**Default:** + +``` +{"container":{"max":"2.5Gi"}} +``` + +### [resources.memory.container](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=resources.memory.container) + +Enables memory locking. For production, set to `true`. enable_memory_locking: false It is recommended to have at least 2Gi of memory per core for the Redpanda binary. This memory is taken from the total memory given to each container. The Helm chart allocates 80% of the container's memory to Redpanda, leaving the rest for the Seastar subsystem (reserveMemory) and other container processes. So at least 2.5Gi per core is recommended in order to ensure Redpanda has a full 2Gi. These values affect `--memory` and `--reserve-memory` flags passed to Redpanda and the memory requests/limits in the StatefulSet. Valid suffixes: k, M, G, T, P, Ki, Mi, Gi, Ti, Pi To create `Guaranteed` Pod QoS for Redpanda brokers, provide both container max and min values for the container. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a memory limit and a memory request. * For every container in the Pod, the memory limit must equal the memory request. + +**Default:** `{"max":"2.5Gi"}` + +### [resources.memory.container.max](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=resources.memory.container.max) + +Maximum memory count for each Redpanda broker. Equivalent to `resources.limits.memory`. For production, use `10Gi` or greater. + +**Default:** `"2.5Gi"` + +### [serviceAccount](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=serviceAccount) + +Service account management. + +**Default:** + +``` +{"annotations":{},"create":false,"name":""} +``` + +### [serviceAccount.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=serviceAccount.annotations) + +Annotations to add to the service account. + +**Default:** `{}` + +### [serviceAccount.create](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=serviceAccount.create) + +Specifies whether a service account should be created. + +**Default:** `false` + +### [serviceAccount.name](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=serviceAccount.name) + +The name of the service account to use. If not set and `serviceAccount.create` is `true`, a name is generated using the `redpanda.fullname` template. + +**Default:** `""` + +### [statefulset.additionalRedpandaCmdFlags](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.additionalRedpandaCmdFlags) + +Additional flags to pass to redpanda, + +**Default:** `[]` + +### [statefulset.additionalSelectorLabels](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.additionalSelectorLabels) + +Additional labels to be added to statefulset label selector. For example, `my.k8s.service: redpanda`. + +**Default:** `{}` + +### [statefulset.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.annotations) + +DEPRECATED Please use statefulset.podTemplate.annotations. Annotations are used only for `Statefulset.spec.template.metadata.annotations`. The StatefulSet does not have any dedicated annotation. + +**Default:** `{}` + +### [statefulset.budget.maxUnavailable](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.budget.maxUnavailable) + +**Default:** `1` + +### [statefulset.extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.extraVolumeMounts) + +**Default:** `""` + +### [statefulset.extraVolumes](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.extraVolumes) + +**Default:** `""` + +### [statefulset.initContainerImage.repository](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainerImage.repository) + +**Default:** `"busybox"` + +### [statefulset.initContainerImage.tag](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainerImage.tag) + +**Default:** `"latest"` + +### [statefulset.initContainers.configurator.extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.configurator.extraVolumeMounts) + +**Default:** `""` + +### [statefulset.initContainers.configurator.resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.configurator.resources) + +To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request. + +**Default:** `{}` + +### [statefulset.initContainers.extraInitContainers](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.extraInitContainers) + +**Default:** `""` + +### [statefulset.initContainers.fsValidator.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.fsValidator.enabled) + +**Default:** `false` + +### [statefulset.initContainers.fsValidator.expectedFS](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.fsValidator.expectedFS) + +**Default:** `"xfs"` + +### [statefulset.initContainers.fsValidator.extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.fsValidator.extraVolumeMounts) + +**Default:** `""` + +### [statefulset.initContainers.fsValidator.resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.fsValidator.resources) + +To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request. + +**Default:** `{}` + +### [statefulset.initContainers.setDataDirOwnership.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.setDataDirOwnership.enabled) + +In environments where root is not allowed, you cannot change the ownership of files and directories. Enable `setDataDirOwnership` when using default minikube cluster configuration. + +**Default:** `false` + +### [statefulset.initContainers.setDataDirOwnership.extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.setDataDirOwnership.extraVolumeMounts) + +**Default:** `""` + +### [statefulset.initContainers.setDataDirOwnership.resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.setDataDirOwnership.resources) + +To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request. + +**Default:** `{}` + +### [statefulset.initContainers.setTieredStorageCacheDirOwnership.extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.setTieredStorageCacheDirOwnership.extraVolumeMounts) + +**Default:** `""` + +### [statefulset.initContainers.setTieredStorageCacheDirOwnership.resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.setTieredStorageCacheDirOwnership.resources) + +To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request. + +**Default:** `{}` + +### [statefulset.initContainers.tuning.extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.tuning.extraVolumeMounts) + +**Default:** `""` + +### [statefulset.initContainers.tuning.resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.tuning.resources) + +To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request. + +**Default:** `{}` + +### [statefulset.livenessProbe.failureThreshold](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.livenessProbe.failureThreshold) + +**Default:** `3` + +### [statefulset.livenessProbe.initialDelaySeconds](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.livenessProbe.initialDelaySeconds) + +**Default:** `10` + +### [statefulset.livenessProbe.periodSeconds](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.livenessProbe.periodSeconds) + +**Default:** `10` + +### [statefulset.nodeSelector](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.nodeSelector) + +Node selection constraints for scheduling Pods of this StatefulSet. These constraints override the global `nodeSelector` value. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector). + +**Default:** `{}` + +### [statefulset.podAffinity](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podAffinity) + +Inter-Pod Affinity rules for scheduling Pods of this StatefulSet. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity). + +**Default:** `{}` + +### [statefulset.podAntiAffinity](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podAntiAffinity) + +Anti-affinity rules for scheduling Pods of this StatefulSet. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity). You may either edit the default settings for anti-affinity rules, or specify new anti-affinity rules to use instead of the defaults. + +**Default:** + +``` +{"custom":{},"topologyKey":"kubernetes.io/hostname","type":"hard","weight":100} +``` + +### [statefulset.podAntiAffinity.custom](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podAntiAffinity.custom) + +Change `podAntiAffinity.type` to `custom` and provide your own podAntiAffinity rules here. + +**Default:** `{}` + +### [statefulset.podAntiAffinity.topologyKey](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podAntiAffinity.topologyKey) + +The topologyKey to be used. Can be used to spread across different nodes, AZs, regions etc. + +**Default:** `"kubernetes.io/hostname"` + +### [statefulset.podAntiAffinity.type](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podAntiAffinity.type) + +Valid anti-affinity types are `soft`, `hard`, or `custom`. Use `custom` if you want to supply your own anti-affinity rules in the `podAntiAffinity.custom` object. + +**Default:** `"hard"` + +### [statefulset.podAntiAffinity.weight](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podAntiAffinity.weight) + +Weight for `soft` anti-affinity rules. Does not apply to other anti-affinity types. + +**Default:** `100` + +### [statefulset.podTemplate.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podTemplate.annotations) + +Additional annotations to apply to the Pods of the StatefulSet. + +**Default:** `{}` + +### [statefulset.podTemplate.labels](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podTemplate.labels) + +Additional labels to apply to the Pods of the StatefulSet. + +**Default:** `{}` + +### [statefulset.podTemplate.spec](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podTemplate.spec) + +A subset of Kubernetes' PodSpec type that will be merged into the final PodSpec. See [Merge Semantics](#merging-semantics) for details. + +**Default:** + +``` +{"containers":[{"env":[],"name":"redpanda","securityContext":{}}],"securityContext":{}} +``` + +### [statefulset.priorityClassName](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.priorityClassName) + +PriorityClassName given to Pods of this StatefulSet. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass). + +**Default:** `""` + +### [statefulset.readinessProbe.failureThreshold](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.readinessProbe.failureThreshold) + +**Default:** `3` + +### [statefulset.readinessProbe.initialDelaySeconds](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.readinessProbe.initialDelaySeconds) + +**Default:** `1` + +### [statefulset.readinessProbe.periodSeconds](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.readinessProbe.periodSeconds) + +**Default:** `10` + +### [statefulset.readinessProbe.successThreshold](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.readinessProbe.successThreshold) + +**Default:** `1` + +### [statefulset.replicas](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.replicas) + +Number of Redpanda brokers (Redpanda Data recommends setting this to the number of worker nodes in the cluster) + +**Default:** `3` + +### [statefulset.securityContext](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.securityContext) + +DEPRECATED: Prefer to use podTemplate.spec.securityContext or podTemplate.spec.containers[0].securityContext. + +**Default:** + +``` +{"fsGroup":101,"fsGroupChangePolicy":"OnRootMismatch","runAsUser":101} +``` + +### [statefulset.sideCars.configWatcher.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.configWatcher.enabled) + +**Default:** `true` + +### [statefulset.sideCars.configWatcher.extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.configWatcher.extraVolumeMounts) + +**Default:** `""` + +### [statefulset.sideCars.configWatcher.resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.configWatcher.resources) + +To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a memory limit and a memory request. * For every container in the Pod, the memory limit must equal the memory request. * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request. To maximize efficiency, use the `static` CPU manager policy by specifying an even integer for CPU resource requests and limits. This policy gives the Pods running Redpanda brokers access to exclusive CPUs on the node. For details, see https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#static-policy + +**Default:** `{}` + +### [statefulset.sideCars.configWatcher.securityContext](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.configWatcher.securityContext) + +**Default:** `{}` + +### [statefulset.sideCars.controllers.createRBAC](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.createRBAC) + +**Default:** `true` + +### [statefulset.sideCars.controllers.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.enabled) + +**Default:** `false` + +### [statefulset.sideCars.controllers.healthProbeAddress](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.healthProbeAddress) + +**Default:** `":8085"` + +### [statefulset.sideCars.controllers.image.repository](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.image.repository) + +**Default:** + +``` +"docker.redpanda.com/redpandadata/redpanda-operator" +``` + +### [statefulset.sideCars.controllers.image.tag](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.image.tag) + +**Default:** `"v2.1.10-23.2.18"` + +### [statefulset.sideCars.controllers.metricsAddress](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.metricsAddress) + +**Default:** `":9082"` + +### [statefulset.sideCars.controllers.resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.resources) + +To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request. * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request. To maximize efficiency, use the `static` CPU manager policy by specifying an even integer for CPU resource requests and limits. This policy gives the Pods running Redpanda brokers access to exclusive CPUs on the node. For details, see https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#static-policy + +**Default:** `{}` + +### [statefulset.sideCars.controllers.run[0]](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.run[0]) + +**Default:** `"all"` + +### [statefulset.sideCars.controllers.securityContext](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.securityContext) + +**Default:** `{}` + +### [statefulset.startupProbe](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.startupProbe) + +Adjust the period for your probes to meet your needs. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes). + +**Default:** + +``` +{"failureThreshold":120,"initialDelaySeconds":1,"periodSeconds":10} +``` + +### [statefulset.terminationGracePeriodSeconds](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.terminationGracePeriodSeconds) + +Termination grace period in seconds is time required to execute preStop hook which puts particular Redpanda Pod (process/container) into maintenance mode. Before settle down on particular value please put Redpanda under load and perform rolling upgrade or rolling restart. That value needs to accommodate two processes: * preStop hook needs to put Redpanda into maintenance mode * after preStop hook Redpanda needs to handle gracefully SIGTERM signal Both processes are executed sequentially where preStop hook has hard deadline in the middle of terminationGracePeriodSeconds. REF: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination + +**Default:** `90` + +### [statefulset.tolerations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.tolerations) + +Taints to be tolerated by Pods of this StatefulSet. These tolerations override the global tolerations value. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/). + +**Default:** `[]` + +### [statefulset.topologySpreadConstraints[0].maxSkew](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.topologySpreadConstraints[0].maxSkew) + +**Default:** `1` + +### [statefulset.topologySpreadConstraints[0].topologyKey](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.topologySpreadConstraints[0].topologyKey) + +**Default:** + +``` +"topology.kubernetes.io/zone" +``` + +### [statefulset.topologySpreadConstraints[0].whenUnsatisfiable](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.topologySpreadConstraints[0].whenUnsatisfiable) + +**Default:** `"ScheduleAnyway"` + +### [statefulset.updateStrategy.type](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.updateStrategy.type) + +**Default:** `"RollingUpdate"` + +### [storage](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage) + +Persistence settings. For details, see the [storage documentation](https://docs.redpanda.com/docs/manage/kubernetes/configure-storage/). + +**Default:** + +``` +{"hostPath":"","persistentVolume":{"annotations":{},"enabled":true,"labels":{},"nameOverwrite":"","size":"20Gi","storageClass":""},"tiered":{"config":{"cloud_storage_cache_size":5368709120,"cloud_storage_enable_remote_read":true,"cloud_storage_enable_remote_write":true,"cloud_storage_enabled":false},"credentialsSecretRef":{"accessKey":{"configurationKey":"cloud_storage_access_key"},"secretKey":{"configurationKey":"cloud_storage_secret_key"}},"hostPath":"","mountType":"emptyDir","persistentVolume":{"annotations":{},"labels":{},"storageClass":""}}} +``` + +### [storage.hostPath](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.hostPath) + +Absolute path on the host to store Redpanda's data. If unspecified, then an `emptyDir` volume is used. If specified but `persistentVolume.enabled` is true, `storage.hostPath` has no effect. + +**Default:** `""` + +### [storage.persistentVolume](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.persistentVolume) + +If `persistentVolume.enabled` is true, a PersistentVolumeClaim is created and used to store Redpanda's data. Otherwise, `storage.hostPath` is used. + +**Default:** + +``` +{"annotations":{},"enabled":true,"labels":{},"nameOverwrite":"","size":"20Gi","storageClass":""} +``` + +### [storage.persistentVolume.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.persistentVolume.annotations) + +Additional annotations to apply to the created PersistentVolumeClaims. + +**Default:** `{}` + +### [storage.persistentVolume.labels](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.persistentVolume.labels) + +Additional labels to apply to the created PersistentVolumeClaims. + +**Default:** `{}` + +### [storage.persistentVolume.nameOverwrite](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.persistentVolume.nameOverwrite) + +Option to change volume claim template name for tiered storage persistent volume if tiered.mountType is set to `persistentVolume` + +**Default:** `""` + +### [storage.persistentVolume.storageClass](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.persistentVolume.storageClass) + +To disable dynamic provisioning, set to `-`. If undefined or empty (default), then no storageClassName spec is set, and the default dynamic provisioner is chosen (gp2 on AWS, standard on GKE, AWS & OpenStack). + +**Default:** `""` + +### [storage.tiered.config](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config) + +Tiered Storage settings Requires `enterprise.licenseKey` or `enterprised.licenseSecretRef` For details, see the [Tiered Storage documentation](https://docs.redpanda.com/docs/manage/kubernetes/tiered-storage/). For a list of properties, see [Object Storage Properties](https://docs.redpanda.com/current/reference/properties/object-storage-properties/). + +**Default:** + +``` +{"cloud_storage_cache_size":5368709120,"cloud_storage_enable_remote_read":true,"cloud_storage_enable_remote_write":true,"cloud_storage_enabled":false} +``` + +### [storage.tiered.config.cloud_storage_cache_size](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config.cloud_storage_cache_size) + +Maximum size of the disk cache used by Tiered Storage. Default is 20 GiB. See the [property reference documentation](https://docs.redpanda.com/docs/reference/object-storage-properties/#cloud_storage_cache_size). + +**Default:** `5368709120` + +### [storage.tiered.config.cloud_storage_enable_remote_read](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config.cloud_storage_enable_remote_read) + +Cluster level default remote read configuration for new topics. See the [property reference documentation](https://docs.redpanda.com/docs/reference/object-storage-properties/#cloud_storage_enable_remote_read). + +**Default:** `true` + +### [storage.tiered.config.cloud_storage_enable_remote_write](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config.cloud_storage_enable_remote_write) + +Cluster level default remote write configuration for new topics. See the [property reference documentation](https://docs.redpanda.com/docs/reference/object-storage-properties/#cloud_storage_enable_remote_write). + +**Default:** `true` + +### [storage.tiered.config.cloud_storage_enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config.cloud_storage_enabled) + +Global flag that enables Tiered Storage if a license key is provided. See the [property reference documentation](https://docs.redpanda.com/docs/reference/object-storage-properties/#cloud_storage_enabled). + +**Default:** `false` + +### [storage.tiered.hostPath](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.hostPath) + +Absolute path on the host to store Redpanda's Tiered Storage cache. + +**Default:** `""` + +### [storage.tiered.persistentVolume.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.persistentVolume.annotations) + +Additional annotations to apply to the created PersistentVolumeClaims. + +**Default:** `{}` + +### [storage.tiered.persistentVolume.labels](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.persistentVolume.labels) + +Additional labels to apply to the created PersistentVolumeClaims. + +**Default:** `{}` + +### [storage.tiered.persistentVolume.storageClass](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.persistentVolume.storageClass) + +To disable dynamic provisioning, set to "-". If undefined or empty (default), then no storageClassName spec is set, and the default dynamic provisioner is chosen (gp2 on AWS, standard on GKE, AWS & OpenStack). + +**Default:** `""` + +### [tests.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tests.enabled) + +**Default:** `true` + +### [tls](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls) + +TLS settings. For details, see the [TLS documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/kubernetes-tls/). + +**Default:** + +``` +{"certs":{"default":{"caEnabled":true},"external":{"caEnabled":true}},"enabled":true} +``` + +### [tls.certs](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls.certs) + +List all Certificates here, then you can reference a specific Certificate's name in each listener's `listeners..tls.cert` setting. + +**Default:** + +``` +{"default":{"caEnabled":true},"external":{"caEnabled":true}} +``` + +### [tls.certs.default](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls.certs.default) + +This key is the Certificate name. To apply the Certificate to a specific listener, reference the Certificate's name in `listeners..tls.cert`. + +**Default:** `{"caEnabled":true}` + +### [tls.certs.default.caEnabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls.certs.default.caEnabled) + +Indicates whether or not the Secret holding this certificate includes a `ca.crt` key. When `true`, chart managed clients, such as rpk, will use `ca.crt` for certificate verification and listeners with `require_client_auth` and no explicit `truststore` will use `ca.crt` as their `truststore_file` for verification of client certificates. When `false`, chart managed clients will use `tls.crt` for certificate verification and listeners with `require_client_auth` and no explicit `truststore` will use the container's CA certificates. + +**Default:** `true` + +### [tls.certs.external](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls.certs.external) + +Example external tls configuration uncomment and set the right key to the listeners that require them also enable the tls setting for those listeners. + +**Default:** `{"caEnabled":true}` + +### [tls.certs.external.caEnabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls.certs.external.caEnabled) + +Indicates whether or not the Secret holding this certificate includes a `ca.crt` key. When `true`, chart managed clients, such as rpk, will use `ca.crt` for certificate verification and listeners with `require_client_auth` and no explicit `truststore` will use `ca.crt` as their `truststore_file` for verification of client certificates. When `false`, chart managed clients will use `tls.crt` for certificate verification and listeners with `require_client_auth` and no explicit `truststore` will use the container's CA certificates. + +**Default:** `true` + +### [tls.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls.enabled) + +Enable TLS globally for all listeners. Each listener must include a Certificate name in its `.tls` object. To allow you to enable TLS for individual listeners, Certificates in `auth.tls.certs` are always loaded, even if `tls.enabled` is `false`. See `listeners..tls.enabled`. + +**Default:** `true` + +### [tolerations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tolerations) + +Taints to be tolerated by Pods, can override this for StatefulSets. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/). + +**Default:** `[]` + +### [tuning](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tuning) + +Redpanda tuning settings. Each is set to their default values in Redpanda. + +**Default:** `{"tune_aio_events":true}` + +### [tuning.tune_aio_events](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tuning.tune_aio_events) + +Increase the maximum number of outstanding asynchronous IO operations if the current value is below a certain threshold. This allows Redpanda to make as many simultaneous IO requests as possible, increasing throughput. When this option is enabled, Helm creates a privileged container. If your security profile does not allow this, you can disable this container by setting `tune_aio_events` to `false`. For more details, see the [tuning documentation](https://docs.redpanda.com/docs/deploy/deployment-option/self-hosted/kubernetes/kubernetes-tune-workers/). + +**Default:** `true` + +## Merging Semantics + +The redpanda chart implements a form of object merging that's roughly a +middleground of [JSON Merge Patch][k8s.jsonmp] and [Kubernetes' Strategic Merge +Patch][k8s.smp]. This is done to aid end users in setting or overriding fields +that are not directly exposed via the chart. + +- Directives are not supported. +- List fields that are merged by a unique key in Kubernetes' SMP (e.g. + `containers`, `env`) will be merged in a similar awy. +- Only fields explicitly allowed by the chart's JSON schema will be merged. +- Additional containers that are not present in the original value will NOT be added. + +[k8s.smp]: https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/#use-a-strategic-merge-patch-to-update-a-deployment +[k8s.jsonmp]: https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/#use-a-json-merge-patch-to-update-a-deployment diff --git a/charts/redpanda/redpanda/5.9.5/charts/connectors/.helmignore b/charts/redpanda/redpanda/5.9.5/charts/connectors/.helmignore new file mode 100644 index 000000000..2e271ea0f --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/connectors/.helmignore @@ -0,0 +1,29 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +README.md.gotmpl +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ + +*.go +testdata/ +ci/ +examples/ \ No newline at end of file diff --git a/charts/redpanda/redpanda/5.9.5/charts/connectors/Chart.yaml b/charts/redpanda/redpanda/5.9.5/charts/connectors/Chart.yaml new file mode 100644 index 000000000..0dd2396e5 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/connectors/Chart.yaml @@ -0,0 +1,25 @@ +annotations: + artifacthub.io/images: | + - name: connectors + image: docker.redpanda.com/redpandadata/connectors:v1.0.31 + - name: rpk + image: docker.redpanda.com/redpandadata/redpanda:latest + artifacthub.io/license: Apache-2.0 + artifacthub.io/links: | + - name: Documentation + url: https://docs.redpanda.com + - name: "Helm (>= 3.6.0)" + url: https://helm.sh/docs/intro/install/ +apiVersion: v2 +appVersion: v1.0.31 +description: Redpanda managed Connectors helm chart +icon: https://images.ctfassets.net/paqvtpyf8rwu/3cYHw5UzhXCbKuR24GDFGO/73fb682e6157d11c10d5b2b5da1d5af0/skate-stand-panda.svg +kubeVersion: ^1.21.0-0 +maintainers: +- name: redpanda-data + url: https://github.com/orgs/redpanda-data/people +name: connectors +sources: +- https://github.com/redpanda-data/helm-charts +type: application +version: 0.1.13 diff --git a/charts/redpanda/redpanda/5.9.5/charts/connectors/LICENSE b/charts/redpanda/redpanda/5.9.5/charts/connectors/LICENSE new file mode 100644 index 000000000..261eeb9e9 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/connectors/LICENSE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/charts/redpanda/redpanda/5.9.5/charts/connectors/README.md b/charts/redpanda/redpanda/5.9.5/charts/connectors/README.md new file mode 100644 index 000000000..2cb143856 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/connectors/README.md @@ -0,0 +1,574 @@ +# Redpanda Connectors Helm Chart Specification +--- +description: Find the default values and descriptions of settings in the Redpanda Connectors Helm chart. +--- + +![Version: 0.1.13](https://img.shields.io/badge/Version-0.1.13-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.0.31](https://img.shields.io/badge/AppVersion-v1.0.31-informational?style=flat-square) + +This page describes the official Redpanda Connectors Helm Chart. In particular, this page describes the contents of the chart’s [`values.yaml` file](https://github.com/redpanda-data/helm-charts/blob/main/charts/connectors/values.yaml). Each of the settings is listed and described on this page, along with any default values. + +For instructions on how to install and use the chart, including how to override and customize the chart’s values, refer to the [deployment documentation](https://docs.redpanda.com/current/deploy/deployment-option/self-hosted/kubernetes/k-deploy-connectors/). + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1) + +## Source Code + +* + +## Requirements + +Kubernetes: `^1.21.0-0` + +## Settings + +### [auth](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=auth) + +Authentication settings. For details, see the [SASL documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/sasl-kubernetes/). The first line of the secret file is used. So the first superuser is used to authenticate to the Redpanda cluster. + +**Default:** + +``` +{"sasl":{"enabled":false,"mechanism":"scram-sha-512","secretRef":"","userName":""}} +``` + +### [auth.sasl.mechanism](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=auth.sasl.mechanism) + +The authentication mechanism to use for the superuser. Options are `scram-sha-256` and `scram-sha-512`. + +**Default:** `"scram-sha-512"` + +### [auth.sasl.secretRef](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=auth.sasl.secretRef) + +A Secret that contains your SASL user password. + +**Default:** `""` + +### [commonLabels](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=commonLabels) + +Additional labels to add to all Kubernetes objects. For example, `my.k8s.service: redpanda`. + +**Default:** `{}` + +### [connectors.additionalConfiguration](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.additionalConfiguration) + +A placeholder for any Java configuration settings for Kafka Connect that are not explicitly defined in this Helm chart. Java configuration settings are passed to the Kafka Connect startup script. + +**Default:** `""` + +### [connectors.bootstrapServers](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.bootstrapServers) + +A comma-separated list of Redpanda broker addresses in the format of IP:Port or DNS:Port. Kafka Connect uses this to connect to the Redpanda/Kafka cluster. + +**Default:** `""` + +### [connectors.brokerTLS.ca.secretNameOverwrite](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.brokerTLS.ca.secretNameOverwrite) + +If `secretRef` points to a Secret where the certificate authority (CA) is not under the `ca.crt` key, use `secretNameOverwrite` to overwrite it e.g. `corp-ca.crt`. + +**Default:** `""` + +### [connectors.brokerTLS.ca.secretRef](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.brokerTLS.ca.secretRef) + +The name of the Secret where the ca.crt file content is located. + +**Default:** `""` + +### [connectors.brokerTLS.cert.secretNameOverwrite](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.brokerTLS.cert.secretNameOverwrite) + +If secretRef points to secret where client signed certificate is not under tls.crt key then please use secretNameOverwrite to overwrite it e.g. corp-tls.crt + +**Default:** `""` + +### [connectors.brokerTLS.cert.secretRef](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.brokerTLS.cert.secretRef) + +The name of the secret where client signed certificate is located + +**Default:** `""` + +### [connectors.brokerTLS.enabled](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.brokerTLS.enabled) + +**Default:** `false` + +### [connectors.brokerTLS.key.secretNameOverwrite](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.brokerTLS.key.secretNameOverwrite) + +If secretRef points to secret where client private key is not under tls.key key then please use secretNameOverwrite to overwrite it e.g. corp-tls.key + +**Default:** `""` + +### [connectors.brokerTLS.key.secretRef](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.brokerTLS.key.secretRef) + +The name of the secret where client private key is located + +**Default:** `""` + +### [connectors.groupID](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.groupID) + +A unique string that identifies the Kafka Connect cluster. It's used in the formation of the internal topic names, ensuring that multiple Kafka Connect clusters can connect to the same Redpanda cluster without interfering with each other. + +**Default:** `"connectors-cluster"` + +### [connectors.producerBatchSize](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.producerBatchSize) + +The number of bytes of records a producer will attempt to batch together before sending to Redpanda. Batching improves throughput. + +**Default:** `131072` + +### [connectors.producerLingerMS](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.producerLingerMS) + +The time, in milliseconds, that a producer will wait before sending a batch of records. Waiting allows the producer to gather more records in the same batch and improve throughput. + +**Default:** `1` + +### [connectors.restPort](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.restPort) + +The port on which the Kafka Connect REST API listens. The API is used for administrative tasks. + +**Default:** `8083` + +### [connectors.schemaRegistryURL](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.schemaRegistryURL) + +**Default:** `""` + +### [connectors.secretManager.connectorsPrefix](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.secretManager.connectorsPrefix) + +**Default:** `""` + +### [connectors.secretManager.consolePrefix](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.secretManager.consolePrefix) + +**Default:** `""` + +### [connectors.secretManager.enabled](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.secretManager.enabled) + +**Default:** `false` + +### [connectors.secretManager.region](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.secretManager.region) + +**Default:** `""` + +### [connectors.storage.remote](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.storage.remote) + +Indicates if read and write operations for the respective topics are allowed remotely. + +**Default:** + +``` +{"read":{"config":false,"offset":false,"status":false},"write":{"config":false,"offset":false,"status":false}} +``` + +### [connectors.storage.replicationFactor](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.storage.replicationFactor) + +The number of replicas for each of the internal topics that Kafka Connect uses. + +**Default:** + +``` +{"config":-1,"offset":-1,"status":-1} +``` + +### [connectors.storage.replicationFactor.config](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.storage.replicationFactor.config) + +Replication factor for the configuration topic. + +**Default:** `-1` + +### [connectors.storage.replicationFactor.offset](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.storage.replicationFactor.offset) + +Replication factor for the offset topic. + +**Default:** `-1` + +### [connectors.storage.replicationFactor.status](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.storage.replicationFactor.status) + +Replication factor for the status topic. + +**Default:** `-1` + +### [connectors.storage.topic.config](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.storage.topic.config) + +The name of the internal topic that Kafka Connect uses to store connector and task configurations. + +**Default:** + +``` +"_internal_connectors_configs" +``` + +### [connectors.storage.topic.offset](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.storage.topic.offset) + +The name of the internal topic that Kafka Connect uses to store source connector offsets. + +**Default:** + +``` +"_internal_connectors_offsets" +``` + +### [connectors.storage.topic.status](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.storage.topic.status) + +The name of the internal topic that Kafka Connect uses to store connector and task status updates. + +**Default:** + +``` +"_internal_connectors_status" +``` + +### [container.javaGCLogEnabled](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=container.javaGCLogEnabled) + +**Default:** `"false"` + +### [container.resources](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=container.resources) + +Pod resource management. + +**Default:** + +``` +{"javaMaxHeapSize":"2G","limits":{"cpu":"1","memory":"2350Mi"},"request":{"cpu":"1","memory":"2350Mi"}} +``` + +### [container.resources.javaMaxHeapSize](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=container.resources.javaMaxHeapSize) + +Java maximum heap size must not be greater than `container.resources.limits.memory`. + +**Default:** `"2G"` + +### [container.securityContext](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=container.securityContext) + +Security context for the Redpanda Connectors container. See also `deployment.securityContext` for Pod-level settings. + +**Default:** + +``` +{"allowPrivilegeEscalation":false} +``` + +### [deployment.annotations](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.annotations) + +Additional annotations to apply to the Pods of this Deployment. + +**Default:** `{}` + +### [deployment.budget.maxUnavailable](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.budget.maxUnavailable) + +**Default:** `1` + +### [deployment.create](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.create) + +**Default:** `true` + +### [deployment.extraEnv](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.extraEnv) + +Additional environment variables for the Pods. + +**Default:** `[]` + +### [deployment.extraEnvFrom](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.extraEnvFrom) + +Configure extra environment variables from Secrets and ConfigMaps. + +**Default:** `[]` + +### [deployment.livenessProbe](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.livenessProbe) + +Adjust the period for your probes to meet your needs. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes). + +**Default:** + +``` +{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":1} +``` + +### [deployment.nodeAffinity](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.nodeAffinity) + +Node Affinity rules for scheduling Pods of this Deployment. The suggestion would be to spread Pods according to topology zone. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity). + +**Default:** `{}` + +### [deployment.nodeSelector](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.nodeSelector) + +Node selection constraints for scheduling Pods of this Deployment. These constraints override the global `nodeSelector` value. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector). + +**Default:** `{}` + +### [deployment.podAffinity](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.podAffinity) + +Inter-Pod Affinity rules for scheduling Pods of this Deployment. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity). + +**Default:** `{}` + +### [deployment.podAntiAffinity](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.podAntiAffinity) + +Anti-affinity rules for scheduling Pods of this Deployment. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity). You may either edit the default settings for anti-affinity rules, or specify new anti-affinity rules to use instead of the defaults. + +**Default:** + +``` +{"custom":{},"topologyKey":"kubernetes.io/hostname","type":"hard","weight":100} +``` + +### [deployment.podAntiAffinity.custom](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.podAntiAffinity.custom) + +Change `podAntiAffinity.type` to `custom` and provide your own podAntiAffinity rules here. + +**Default:** `{}` + +### [deployment.podAntiAffinity.topologyKey](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.podAntiAffinity.topologyKey) + +The `topologyKey` to be used. Can be used to spread across different nodes, AZs, regions etc. + +**Default:** `"kubernetes.io/hostname"` + +### [deployment.podAntiAffinity.type](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.podAntiAffinity.type) + +Valid anti-affinity types are `soft`, `hard`, or `custom`. Use `custom` if you want to supply your own anti-affinity rules in the `podAntiAffinity.custom` object. + +**Default:** `"hard"` + +### [deployment.podAntiAffinity.weight](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.podAntiAffinity.weight) + +Weight for `soft` anti-affinity rules. Does not apply for other anti-affinity types. + +**Default:** `100` + +### [deployment.priorityClassName](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.priorityClassName) + +PriorityClassName given to Pods of this Deployment. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass). + +**Default:** `""` + +### [deployment.progressDeadlineSeconds](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.progressDeadlineSeconds) + +The maximum time in seconds for a deployment to make progress before it is considered to be failed. The deployment controller will continue to process failed deployments and a condition with a ProgressDeadlineExceeded reason will be surfaced in the deployment status. Note that progress will not be estimated during the time a deployment is paused. + +**Default:** `600` + +### [deployment.readinessProbe.failureThreshold](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.readinessProbe.failureThreshold) + +**Default:** `2` + +### [deployment.readinessProbe.initialDelaySeconds](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.readinessProbe.initialDelaySeconds) + +**Default:** `60` + +### [deployment.readinessProbe.periodSeconds](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.readinessProbe.periodSeconds) + +**Default:** `10` + +### [deployment.readinessProbe.successThreshold](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.readinessProbe.successThreshold) + +**Default:** `3` + +### [deployment.readinessProbe.timeoutSeconds](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.readinessProbe.timeoutSeconds) + +**Default:** `5` + +### [deployment.restartPolicy](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.restartPolicy) + +**Default:** `"Always"` + +### [deployment.revisionHistoryLimit](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.revisionHistoryLimit) + +The number of old ReplicaSets to retain to allow rollback. This is a pointer to distinguish between explicit zero and not specified. + +**Default:** `10` + +### [deployment.schedulerName](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.schedulerName) + +**Default:** `""` + +### [deployment.securityContext.fsGroup](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.securityContext.fsGroup) + +**Default:** `101` + +### [deployment.securityContext.fsGroupChangePolicy](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.securityContext.fsGroupChangePolicy) + +**Default:** `"OnRootMismatch"` + +### [deployment.securityContext.runAsUser](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.securityContext.runAsUser) + +**Default:** `101` + +### [deployment.strategy.type](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.strategy.type) + +**Default:** `"RollingUpdate"` + +### [deployment.terminationGracePeriodSeconds](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.terminationGracePeriodSeconds) + +**Default:** `30` + +### [deployment.tolerations](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.tolerations) + +Taints to be tolerated by Pods of this Deployment. These tolerations override the global tolerations value. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/). + +**Default:** `[]` + +### [deployment.topologySpreadConstraints[0].maxSkew](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.topologySpreadConstraints[0].maxSkew) + +**Default:** `1` + +### [deployment.topologySpreadConstraints[0].topologyKey](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.topologySpreadConstraints[0].topologyKey) + +**Default:** + +``` +"topology.kubernetes.io/zone" +``` + +### [deployment.topologySpreadConstraints[0].whenUnsatisfiable](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.topologySpreadConstraints[0].whenUnsatisfiable) + +**Default:** `"ScheduleAnyway"` + +### [fullnameOverride](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=fullnameOverride) + +Override `connectors.fullname` template. + +**Default:** `""` + +### [image](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=image) + +Redpanda Docker image settings. + +**Default:** + +``` +{"pullPolicy":"IfNotPresent","repository":"docker.redpanda.com/redpandadata/connectors","tag":""} +``` + +### [image.pullPolicy](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=image.pullPolicy) + +The imagePullPolicy. If `image.tag` is 'latest', the default is `Always`. + +**Default:** `"IfNotPresent"` + +### [image.repository](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=image.repository) + +Docker repository from which to pull the Redpanda Docker image. + +**Default:** + +``` +"docker.redpanda.com/redpandadata/connectors" +``` + +### [image.tag](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=image.tag) + +The Redpanda version. See DockerHub for: [All stable versions](https://hub.docker.com/r/redpandadata/redpanda/tags) and [all unstable versions](https://hub.docker.com/r/redpandadata/redpanda-unstable/tags). + +**Default:** `Chart.appVersion`. + +### [imagePullSecrets](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=imagePullSecrets) + +Pull secrets may be used to provide credentials to image repositories See https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + +**Default:** `[]` + +### [logging](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=logging) + +Log-level settings. + +**Default:** `{"level":"warn"}` + +### [logging.level](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=logging.level) + +Log level Valid values (from least to most verbose) are: `error`, `warn`, `info` and `debug`. + +**Default:** `"warn"` + +### [monitoring](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=monitoring) + +Monitoring. When set to `true`, the Helm chart creates a PodMonitor that can be used by Prometheus-Operator or VictoriaMetrics-Operator to scrape the metrics. + +**Default:** + +``` +{"annotations":{},"enabled":false,"labels":{},"namespaceSelector":{"any":true},"scrapeInterval":"30s"} +``` + +### [nameOverride](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=nameOverride) + +Override `connectors.name` template. + +**Default:** `""` + +### [service](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=service) + +Service management. + +**Default:** + +``` +{"annotations":{},"name":"","ports":[{"name":"prometheus","port":9404}]} +``` + +### [service.annotations](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=service.annotations) + +Annotations to add to the Service. + +**Default:** `{}` + +### [service.name](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=service.name) + +The name of the service to use. If not set, a name is generated using the `connectors.fullname` template. + +**Default:** `""` + +### [serviceAccount](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=serviceAccount) + +ServiceAccount management. + +**Default:** + +``` +{"annotations":{},"create":false,"name":""} +``` + +### [serviceAccount.annotations](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=serviceAccount.annotations) + +Annotations to add to the ServiceAccount. + +**Default:** `{}` + +### [serviceAccount.create](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=serviceAccount.create) + +Specifies whether a ServiceAccount should be created. + +**Default:** `false` + +### [serviceAccount.name](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=serviceAccount.name) + +The name of the ServiceAccount to use. If not set and `serviceAccount.create` is `true`, a name is generated using the `connectors.fullname` template. + +**Default:** `""` + +### [storage.volumeMounts[0].mountPath](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=storage.volumeMounts[0].mountPath) + +**Default:** `"/tmp"` + +### [storage.volumeMounts[0].name](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=storage.volumeMounts[0].name) + +**Default:** `"rp-connect-tmp"` + +### [storage.volume[0].emptyDir.medium](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=storage.volume[0].emptyDir.medium) + +**Default:** `"Memory"` + +### [storage.volume[0].emptyDir.sizeLimit](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=storage.volume[0].emptyDir.sizeLimit) + +**Default:** `"5Mi"` + +### [storage.volume[0].name](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=storage.volume[0].name) + +**Default:** `"rp-connect-tmp"` + +### [test.create](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=test.create) + +**Default:** `true` + +### [tolerations](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=tolerations) + +Taints to be tolerated by Pods. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/). + +**Default:** `[]` + diff --git a/charts/redpanda/redpanda/5.9.5/charts/connectors/templates/_deployment.go.tpl b/charts/redpanda/redpanda/5.9.5/charts/connectors/templates/_deployment.go.tpl new file mode 100644 index 000000000..f785c1ad9 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/connectors/templates/_deployment.go.tpl @@ -0,0 +1,136 @@ +{{- /* Generated from "deployment.go" */ -}} + +{{- define "connectors.Deployment" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.deployment.create) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $topologySpreadConstraints := (coalesce nil) -}} +{{- range $_, $spread := $values.deployment.topologySpreadConstraints -}} +{{- $topologySpreadConstraints = (concat (default (list ) $topologySpreadConstraints) (list (mustMergeOverwrite (dict "maxSkew" 0 "topologyKey" "" "whenUnsatisfiable" "" ) (dict "labelSelector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "connectors.PodLabels" (dict "a" (list $dot) ))) "r") )) "maxSkew" ($spread.maxSkew | int) "topologyKey" $spread.topologyKey "whenUnsatisfiable" $spread.whenUnsatisfiable )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $ports := (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "containerPort" ($values.connectors.restPort | int) "name" "rest-api" "protocol" "TCP" ))) -}} +{{- range $_, $port := $values.service.ports -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" $port.name "containerPort" ($port.port | int) "protocol" "TCP" )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $podAntiAffinity := (coalesce nil) -}} +{{- if (ne $values.deployment.podAntiAffinity (coalesce nil)) -}} +{{- if (eq $values.deployment.podAntiAffinity.type "hard") -}} +{{- $podAntiAffinity = (mustMergeOverwrite (dict ) (dict "requiredDuringSchedulingIgnoredDuringExecution" (list (mustMergeOverwrite (dict "topologyKey" "" ) (dict "topologyKey" $values.deployment.podAntiAffinity.topologyKey "namespaces" (list $dot.Release.Namespace) "labelSelector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "connectors.PodLabels" (dict "a" (list $dot) ))) "r") )) ))) )) -}} +{{- else -}}{{- if (eq $values.deployment.podAntiAffinity.type "soft") -}} +{{- $podAntiAffinity = (mustMergeOverwrite (dict ) (dict "preferredDuringSchedulingIgnoredDuringExecution" (list (mustMergeOverwrite (dict "weight" 0 "podAffinityTerm" (dict "topologyKey" "" ) ) (dict "weight" $values.deployment.podAntiAffinity.weight "podAffinityTerm" (mustMergeOverwrite (dict "topologyKey" "" ) (dict "topologyKey" $values.deployment.podAntiAffinity.topologyKey "namespaces" (list $dot.Release.Namespace) "labelSelector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "connectors.PodLabels" (dict "a" (list $dot) ))) "r") )) )) ))) )) -}} +{{- else -}}{{- if (eq $values.deployment.podAntiAffinity.type "custom") -}} +{{- $podAntiAffinity = $values.deployment.podAntiAffinity.custom -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "selector" (coalesce nil) "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) "strategy" (dict ) ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "apps/v1" "kind" "Deployment" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "connectors.Fullname" (dict "a" (list $dot) ))) "r") "labels" (merge (dict ) (get (fromJson (include "connectors.FullLabels" (dict "a" (list $dot) ))) "r") $values.deployment.annotations) )) "spec" (mustMergeOverwrite (dict "selector" (coalesce nil) "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) "strategy" (dict ) ) (dict "replicas" $values.deployment.replicas "progressDeadlineSeconds" ($values.deployment.progressDeadlineSeconds | int) "revisionHistoryLimit" $values.deployment.revisionHistoryLimit "selector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "connectors.PodLabels" (dict "a" (list $dot) ))) "r") )) "strategy" $values.deployment.strategy "template" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "annotations" $values.deployment.annotations "labels" (get (fromJson (include "connectors.PodLabels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict "containers" (coalesce nil) ) (dict "terminationGracePeriodSeconds" $values.deployment.terminationGracePeriodSeconds "affinity" (mustMergeOverwrite (dict ) (dict "nodeAffinity" $values.deployment.nodeAffinity "podAffinity" $values.deployment.podAffinity "podAntiAffinity" $podAntiAffinity )) "serviceAccountName" (get (fromJson (include "connectors.ServiceAccountName" (dict "a" (list $dot) ))) "r") "containers" (list (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "connectors-cluster" "image" (printf "%s:%s" $values.image.repository (get (fromJson (include "connectors.Tag" (dict "a" (list $dot) ))) "r")) "imagePullPolicy" $values.image.pullPolicy "securityContext" $values.container.securityContext "command" $values.deployment.command "env" (get (fromJson (include "connectors.env" (dict "a" (list $values) ))) "r") "envFrom" $values.deployment.extraEnvFrom "livenessProbe" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "httpGet" (mustMergeOverwrite (dict "port" 0 ) (dict "path" "/" "port" "rest-api" "scheme" "HTTP" )) )) (dict "initialDelaySeconds" ($values.deployment.livenessProbe.initialDelaySeconds | int) "timeoutSeconds" ($values.deployment.livenessProbe.timeoutSeconds | int) "periodSeconds" ($values.deployment.livenessProbe.periodSeconds | int) "successThreshold" ($values.deployment.livenessProbe.successThreshold | int) "failureThreshold" ($values.deployment.livenessProbe.failureThreshold | int) )) "readinessProbe" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "httpGet" (mustMergeOverwrite (dict "port" 0 ) (dict "path" "/connectors" "port" "rest-api" "scheme" "HTTP" )) )) (dict "initialDelaySeconds" ($values.deployment.readinessProbe.initialDelaySeconds | int) "timeoutSeconds" ($values.deployment.readinessProbe.timeoutSeconds | int) "periodSeconds" ($values.deployment.readinessProbe.periodSeconds | int) "successThreshold" ($values.deployment.readinessProbe.successThreshold | int) "failureThreshold" ($values.deployment.readinessProbe.failureThreshold | int) )) "ports" $ports "resources" (mustMergeOverwrite (dict ) (dict "requests" $values.container.resources.request "limits" $values.container.resources.limits )) "terminationMessagePath" "/dev/termination-log" "terminationMessagePolicy" "File" "volumeMounts" (get (fromJson (include "connectors.volumeMountss" (dict "a" (list $values) ))) "r") ))) "dnsPolicy" "ClusterFirst" "restartPolicy" $values.deployment.restartPolicy "schedulerName" $values.deployment.schedulerName "nodeSelector" $values.deployment.nodeSelector "imagePullSecrets" $values.imagePullSecrets "securityContext" $values.deployment.securityContext "tolerations" $values.deployment.tolerations "topologySpreadConstraints" $topologySpreadConstraints "volumes" (get (fromJson (include "connectors.volumes" (dict "a" (list $values) ))) "r") )) )) )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.env" -}} +{{- $values := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $env := (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_CONFIGURATION" "value" (get (fromJson (include "connectors.connectorConfiguration" (dict "a" (list $values) ))) "r") )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_ADDITIONAL_CONFIGURATION" "value" $values.connectors.additionalConfiguration )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_BOOTSTRAP_SERVERS" "value" $values.connectors.bootstrapServers ))) -}} +{{- if (not (empty $values.connectors.schemaRegistryURL)) -}} +{{- $env = (concat (default (list ) $env) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "SCHEMA_REGISTRY_URL" "value" $values.connectors.schemaRegistryURL )))) -}} +{{- end -}} +{{- $env = (concat (default (list ) $env) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_GC_LOG_ENABLED" "value" $values.container.javaGCLogEnabled )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_HEAP_OPTS" "value" (printf "-Xms256M -Xmx%s" $values.container.resources.javaMaxHeapSize) )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_LOG_LEVEL" "value" $values.logging.level )))) -}} +{{- if (get (fromJson (include "connectors.Auth.SASLEnabled" (dict "a" (list $values.auth) ))) "r") -}} +{{- $env = (concat (default (list ) $env) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_SASL_USERNAME" "value" $values.auth.sasl.userName )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_SASL_MECHANISM" "value" $values.auth.sasl.mechanism )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_SASL_PASSWORD_FILE" "value" "rc-credentials/password" )))) -}} +{{- end -}} +{{- $env = (concat (default (list ) $env) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_TLS_ENABLED" "value" (printf "%v" $values.connectors.brokerTLS.enabled) )))) -}} +{{- if (not (empty $values.connectors.brokerTLS.ca.secretRef)) -}} +{{- $ca := (default "ca.crt" $values.connectors.brokerTLS.ca.secretNameOverwrite) -}} +{{- $env = (concat (default (list ) $env) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_TRUSTED_CERTS" "value" (printf "ca/%s" $ca) )))) -}} +{{- end -}} +{{- if (not (empty $values.connectors.brokerTLS.cert.secretRef)) -}} +{{- $cert := (default "tls.crt" $values.connectors.brokerTLS.cert.secretNameOverwrite) -}} +{{- $env = (concat (default (list ) $env) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_TLS_AUTH_CERT" "value" (printf "cert/%s" $cert) )))) -}} +{{- end -}} +{{- if (not (empty $values.connectors.brokerTLS.key.secretRef)) -}} +{{- $key := (default "tls.key" $values.connectors.brokerTLS.key.secretNameOverwrite) -}} +{{- $env = (concat (default (list ) $env) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_TLS_AUTH_KEY" "value" (printf "key/%s" $key) )))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) $env) (default (list ) $values.deployment.extraEnv))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.connectorConfiguration" -}} +{{- $values := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $lines := (list (printf "rest.advertised.port=%d" ($values.connectors.restPort | int)) (printf "rest.port=%d" ($values.connectors.restPort | int)) "key.converter=org.apache.kafka.connect.converters.ByteArrayConverter" "value.converter=org.apache.kafka.connect.converters.ByteArrayConverter" (printf "group.id=%s" $values.connectors.groupID) (printf "offset.storage.topic=%s" $values.connectors.storage.topic.offset) (printf "config.storage.topic=%s" $values.connectors.storage.topic.config) (printf "status.storage.topic=%s" $values.connectors.storage.topic.status) (printf "offset.storage.redpanda.remote.read=%t" $values.connectors.storage.remote.read.offset) (printf "offset.storage.redpanda.remote.write=%t" $values.connectors.storage.remote.write.offset) (printf "config.storage.redpanda.remote.read=%t" $values.connectors.storage.remote.read.config) (printf "config.storage.redpanda.remote.write=%t" $values.connectors.storage.remote.write.config) (printf "status.storage.redpanda.remote.read=%t" $values.connectors.storage.remote.read.status) (printf "status.storage.redpanda.remote.write=%t" $values.connectors.storage.remote.write.status) (printf "offset.storage.replication.factor=%d" ($values.connectors.storage.replicationFactor.offset | int)) (printf "config.storage.replication.factor=%d" ($values.connectors.storage.replicationFactor.config | int)) (printf "status.storage.replication.factor=%d" ($values.connectors.storage.replicationFactor.status | int)) (printf "producer.linger.ms=%d" ($values.connectors.producerLingerMS | int)) (printf "producer.batch.size=%d" ($values.connectors.producerBatchSize | int)) "config.providers=file,secretsManager,env" "config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider") -}} +{{- if $values.connectors.secretManager.enabled -}} +{{- $lines = (concat (default (list ) $lines) (list "config.providers.secretsManager.class=com.github.jcustenborder.kafka.config.aws.SecretsManagerConfigProvider" (printf "config.providers.secretsManager.param.secret.prefix=%s%s" $values.connectors.secretManager.consolePrefix $values.connectors.secretManager.connectorsPrefix) (printf "config.providers.secretsManager.param.aws.region=%s" $values.connectors.secretManager.region))) -}} +{{- end -}} +{{- $lines = (concat (default (list ) $lines) (list "config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (join "\n" $lines)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.volumes" -}} +{{- $values := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $volumes := (coalesce nil) -}} +{{- if (not (empty $values.connectors.brokerTLS.ca.secretRef)) -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "defaultMode" (0o444 | int) "secretName" $values.connectors.brokerTLS.ca.secretRef )) )) (dict "name" "truststore" )))) -}} +{{- end -}} +{{- if (not (empty $values.connectors.brokerTLS.cert.secretRef)) -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "defaultMode" (0o444 | int) "secretName" $values.connectors.brokerTLS.cert.secretRef )) )) (dict "name" "cert" )))) -}} +{{- end -}} +{{- if (not (empty $values.connectors.brokerTLS.key.secretRef)) -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "defaultMode" (0o444 | int) "secretName" $values.connectors.brokerTLS.key.secretRef )) )) (dict "name" "key" )))) -}} +{{- end -}} +{{- if (get (fromJson (include "connectors.Auth.SASLEnabled" (dict "a" (list $values.auth) ))) "r") -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "defaultMode" (0o444 | int) "secretName" $values.auth.sasl.secretRef )) )) (dict "name" "rc-credentials" )))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) $volumes) (default (list ) $values.storage.volume))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.volumeMountss" -}} +{{- $values := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $mounts := (coalesce nil) -}} +{{- if (get (fromJson (include "connectors.Auth.SASLEnabled" (dict "a" (list $values.auth) ))) "r") -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "mountPath" "/opt/kafka/connect-password/rc-credentials" "name" "rc-credentials" )))) -}} +{{- end -}} +{{- if (not (empty $values.connectors.brokerTLS.ca.secretRef)) -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "truststore" "mountPath" "/opt/kafka/connect-certs/ca" )))) -}} +{{- end -}} +{{- if (not (empty $values.connectors.brokerTLS.cert.secretRef)) -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "cert" "mountPath" "/opt/kafka/connect-certs/cert" )))) -}} +{{- end -}} +{{- if (not (empty $values.connectors.brokerTLS.key.secretRef)) -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "key" "mountPath" "/opt/kafka/connect-certs/key" )))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) $mounts) (default (list ) $values.storage.volumeMounts))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.5/charts/connectors/templates/_helpers.go.tpl b/charts/redpanda/redpanda/5.9.5/charts/connectors/templates/_helpers.go.tpl new file mode 100644 index 000000000..49b711538 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/connectors/templates/_helpers.go.tpl @@ -0,0 +1,131 @@ +{{- /* Generated from "helpers.go" */ -}} + +{{- define "connectors.Name" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $name := (default $dot.Chart.Name $values.nameOverride) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "connectors.trunc" (dict "a" (list $name) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.Fullname" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not (empty $values.fullnameOverride)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "connectors.trunc" (dict "a" (list $values.fullnameOverride) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- $name := (default $dot.Chart.Name $values.nameOverride) -}} +{{- if (contains $name $dot.Release.Name) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "connectors.trunc" (dict "a" (list $dot.Release.Name) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "connectors.trunc" (dict "a" (list (printf "%s-%s" $dot.Release.Name $name)) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.FullLabels" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) (dict "helm.sh/chart" (get (fromJson (include "connectors.Chart" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/managed-by" $dot.Release.Service ) (get (fromJson (include "connectors.PodLabels" (dict "a" (list $dot) ))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.PodLabels" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) (dict "app.kubernetes.io/name" (get (fromJson (include "connectors.Name" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/instance" $dot.Release.Name "app.kubernetes.io/component" (get (fromJson (include "connectors.Name" (dict "a" (list $dot) ))) "r") ) $values.commonLabels)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.Chart" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $chart := (printf "%s-%s" $dot.Chart.Name $dot.Chart.Version) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "connectors.trunc" (dict "a" (list (replace "+" "_" $chart)) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.Semver" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (trimPrefix "v" (get (fromJson (include "connectors.Tag" (dict "a" (list $dot) ))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.ServiceAccountName" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if $values.serviceAccount.create -}} +{{- $_is_returning = true -}} +{{- (dict "r" (default (get (fromJson (include "connectors.Fullname" (dict "a" (list $dot) ))) "r") $values.serviceAccount.name)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (default "default" $values.serviceAccount.name)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.ServiceName" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (default (get (fromJson (include "connectors.Fullname" (dict "a" (list $dot) ))) "r") $values.service.name)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.Tag" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $tag := (default $dot.Chart.AppVersion $values.image.tag) -}} +{{- $matchString := "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" -}} +{{- if (not (mustRegexMatch $matchString $tag)) -}} +{{- $_ := (fail "image.tag must start with a 'v' and be a valid semver") -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $tag) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.trunc" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (trimSuffix "-" (trunc (63 | int) $s))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.5/charts/connectors/templates/_helpers.tpl b/charts/redpanda/redpanda/5.9.5/charts/connectors/templates/_helpers.tpl new file mode 100644 index 000000000..89c888eee --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/connectors/templates/_helpers.tpl @@ -0,0 +1,79 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{/* +Expand the name of the chart. +*/}} +{{- define "connectors.name" -}} +{{- get ((include "connectors.Name" (dict "a" (list .))) | fromJson) "r" }} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "connectors.fullname" }} +{{- get ((include "connectors.Fullname" (dict "a" (list .))) | fromJson) "r" }} +{{- end }} + +{{/* +full helm labels + common labels +*/}} +{{- define "full.labels" -}} +{{- (get ((include "connectors.FullLabels" (dict "a" (list .))) | fromJson) "r") | toYaml }} +{{- end -}} + +{{/* +pod labels merged with common labels +*/}} +{{- define "connectors-pod-labels" -}} +{{- (get ((include "connectors.PodLabels" (dict "a" (list .))) | fromJson) "r") | toYaml }} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "connectors.chart" -}} +{{- get ((include "connectors.Chart" (dict "a" (list .))) | fromJson) "r" }} +{{- end }} + +{{/* +Get the version of redpanda being used as an image +*/}} +{{- define "connectors.semver" -}} +{{- get ((include "connectors.Tag" (dict "a" (list .))) | fromJson) "r" }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "connectors.serviceAccountName" -}} +{{- get ((include "connectors.ServiceAccountName" (dict "a" (list .))) | fromJson) "r" }} +{{- end }} + +{{/* +Create the name of the service to use +*/}} +{{- define "connectors.serviceName" -}} +{{- get ((include "connectors.ServiceName" (dict "a" (list .))) | fromJson) "r" }} +{{- end }} + +{{/* +Use AppVersion if image.tag is not set +*/}} +{{- define "connectors.tag" -}} +{{- get ((include "connectors.Tag" (dict "a" (list .))) | fromJson) "r" }} +{{- end -}} diff --git a/charts/redpanda/redpanda/5.9.5/charts/connectors/templates/_pod-monitor.go.tpl b/charts/redpanda/redpanda/5.9.5/charts/connectors/templates/_pod-monitor.go.tpl new file mode 100644 index 000000000..4e12b2008 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/connectors/templates/_pod-monitor.go.tpl @@ -0,0 +1,18 @@ +{{- /* Generated from "podmonitor.go" */ -}} + +{{- define "connectors.PodMonitor" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.monitoring.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "podMetricsEndpoints" (coalesce nil) "selector" (dict ) "namespaceSelector" (dict ) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "monitoring.coreos.com/v1" "kind" "PodMonitor" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "connectors.Fullname" (dict "a" (list $dot) ))) "r") "labels" $values.monitoring.labels "annotations" $values.monitoring.annotations )) "spec" (mustMergeOverwrite (dict "podMetricsEndpoints" (coalesce nil) "selector" (dict ) "namespaceSelector" (dict ) ) (dict "namespaceSelector" $values.monitoring.namespaceSelector "podMetricsEndpoints" (list (mustMergeOverwrite (dict "bearerTokenSecret" (dict "key" "" ) ) (dict "path" "/" "port" "prometheus" ))) "selector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "connectors.PodLabels" (dict "a" (list $dot) ))) "r") )) )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.5/charts/connectors/templates/_service.go.tpl b/charts/redpanda/redpanda/5.9.5/charts/connectors/templates/_service.go.tpl new file mode 100644 index 000000000..54a7ce8a0 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/connectors/templates/_service.go.tpl @@ -0,0 +1,20 @@ +{{- /* Generated from "service.go" */ -}} + +{{- define "connectors.Service" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $ports := (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "rest-api" "port" ($values.connectors.restPort | int) "targetPort" ($values.connectors.restPort | int) "protocol" "TCP" ))) -}} +{{- range $_, $port := $values.service.ports -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" $port.name "port" ($port.port | int) "targetPort" ($port.port | int) "protocol" "TCP" )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict "loadBalancer" (dict ) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Service" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "connectors.ServiceName" (dict "a" (list $dot) ))) "r") "labels" (merge (dict ) (get (fromJson (include "connectors.FullLabels" (dict "a" (list $dot) ))) "r") $values.service.annotations) )) "spec" (mustMergeOverwrite (dict ) (dict "ipFamilies" (list "IPv4") "ipFamilyPolicy" "SingleStack" "ports" $ports "selector" (get (fromJson (include "connectors.PodLabels" (dict "a" (list $dot) ))) "r") "sessionAffinity" "None" "type" "ClusterIP" )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.5/charts/connectors/templates/_serviceaccount.go.tpl b/charts/redpanda/redpanda/5.9.5/charts/connectors/templates/_serviceaccount.go.tpl new file mode 100644 index 000000000..31b5ac2ac --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/connectors/templates/_serviceaccount.go.tpl @@ -0,0 +1,18 @@ +{{- /* Generated from "serviceaccount.go" */ -}} + +{{- define "connectors.ServiceAccount" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.serviceAccount.create) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "ServiceAccount" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "annotations" $values.serviceAccount.annotations "labels" (get (fromJson (include "connectors.FullLabels" (dict "a" (list $dot) ))) "r") "name" (get (fromJson (include "connectors.ServiceAccountName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.5/charts/connectors/templates/_shims.tpl b/charts/redpanda/redpanda/5.9.5/charts/connectors/templates/_shims.tpl new file mode 100644 index 000000000..e3bb40e41 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/connectors/templates/_shims.tpl @@ -0,0 +1,289 @@ +{{- /* Generated from "bootstrap.go" */ -}} + +{{- define "_shims.typetest" -}} +{{- $typ := (index .a 0) -}} +{{- $value := (index .a 1) -}} +{{- $zero := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (typeIs $typ $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $zero false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.typeassertion" -}} +{{- $typ := (index .a 0) -}} +{{- $value := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (not (typeIs $typ $value)) -}} +{{- $_ := (fail (printf "expected type of %q got: %T" $typ $value)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $value) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.dicttest" -}} +{{- $m := (index .a 0) -}} +{{- $key := (index .a 1) -}} +{{- $zero := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (hasKey $m $key) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (index $m $key) true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $zero false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.compact" -}} +{{- $args := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $out := (dict ) -}} +{{- range $i, $e := $args -}} +{{- $_ := (set $out (printf "T%d" ((add (1 | int) $i) | int)) $e) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $out) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.deref" -}} +{{- $ptr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq $ptr (coalesce nil)) -}} +{{- $_ := (fail "nil dereference") -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $ptr) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.len" -}} +{{- $m := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq $m (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (0 | int)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (len $m)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.ptr_Deref" -}} +{{- $ptr := (index .a 0) -}} +{{- $def := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne $ptr (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $ptr) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $def) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.ptr_Equal" -}} +{{- $a := (index .a 0) -}} +{{- $b := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (and (eq $a (coalesce nil)) (eq $b (coalesce nil))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" true) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (eq $a $b)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.lookup" -}} +{{- $apiVersion := (index .a 0) -}} +{{- $kind := (index .a 1) -}} +{{- $namespace := (index .a 2) -}} +{{- $name := (index .a 3) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (lookup $apiVersion $kind $namespace $name) -}} +{{- if (empty $result) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (coalesce nil) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $result true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.asnumeric" -}} +{{- $value := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (typeIs "float64" $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (typeIs "int64" $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (typeIs "int" $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (0 | int) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.asintegral" -}} +{{- $value := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (or (typeIs "int64" $value) (typeIs "int" $value)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (and (typeIs "float64" $value) (eq (floor $value) $value)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (0 | int) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.parseResource" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (typeIs "float64" $repr) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (float64 $repr) 1.0)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (not (typeIs "string" $repr)) -}} +{{- $_ := (fail (printf "invalid Quantity expected string or float64 got: %T (%v)" $repr $repr)) -}} +{{- end -}} +{{- if (not (regexMatch `^[0-9]+(\.[0-9]{0,6})?(k|m|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$` $repr)) -}} +{{- $_ := (fail (printf "invalid Quantity: %q" $repr)) -}} +{{- end -}} +{{- $reprStr := (toString $repr) -}} +{{- $unit := (regexFind "(k|m|M|G|T|P|Ki|Mi|Gi|Ti|Pi)$" $repr) -}} +{{- $numeric := (float64 (substr (0 | int) ((sub ((get (fromJson (include "_shims.len" (dict "a" (list $reprStr) ))) "r") | int) ((get (fromJson (include "_shims.len" (dict "a" (list $unit) ))) "r") | int)) | int) $reprStr)) -}} +{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list (dict "" 1.0 "m" 0.001 "k" (1000 | int) "M" (1000000 | int) "G" (1000000000 | int) "T" (1000000000000 | int) "P" (1000000000000000 | int) "Ki" (1024 | int) "Mi" (1048576 | int) "Gi" (1073741824 | int) "Ti" (1099511627776 | int) "Pi" (1125899906842624 | int) ) $unit (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok := $tmp_tuple_1.T2 -}} +{{- $scale := ($tmp_tuple_1.T1 | float64) -}} +{{- if (not $ok) -}} +{{- $_ := (fail (printf "unknown unit: %q" $unit)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $numeric $scale)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.resource_MustParse" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_2 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}} +{{- $scale := ($tmp_tuple_2.T2 | float64) -}} +{{- $numeric := ($tmp_tuple_2.T1 | float64) -}} +{{- $strs := (list "" "m" "k" "M" "G" "T" "P" "Ki" "Mi" "Gi" "Ti" "Pi") -}} +{{- $scales := (list 1.0 0.001 (1000 | int) (1000000 | int) (1000000000 | int) (1000000000000 | int) (1000000000000000 | int) (1024 | int) (1048576 | int) (1073741824 | int) (1099511627776 | int) (1125899906842624 | int)) -}} +{{- $idx := -1 -}} +{{- range $i, $s := $scales -}} +{{- if (eq ($s | float64) ($scale | float64)) -}} +{{- $idx = $i -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- if (eq $idx -1) -}} +{{- $_ := (fail (printf "unknown scale: %v" $scale)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s%s" (toString $numeric) (index $strs $idx))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.resource_Value" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_3 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}} +{{- $scale := ($tmp_tuple_3.T2 | float64) -}} +{{- $numeric := ($tmp_tuple_3.T1 | float64) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (int64 (ceil ((mulf $numeric $scale) | float64)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.resource_MilliValue" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_4 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}} +{{- $scale := ($tmp_tuple_4.T2 | float64) -}} +{{- $numeric := ($tmp_tuple_4.T1 | float64) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (int64 (ceil ((mulf ((mulf $numeric 1000.0) | float64) $scale) | float64)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.render-manifest" -}} +{{- $tpl := (index . 0) -}} +{{- $dot := (index . 1) -}} +{{- $manifests := (get ((include $tpl (dict "a" (list $dot))) | fromJson) "r") -}} +{{- if not (typeIs "[]interface {}" $manifests) -}} +{{- $manifests = (list $manifests) -}} +{{- end -}} +{{- range $_, $manifest := $manifests -}} +{{- if ne $manifest nil }} +--- +{{toYaml (unset (unset $manifest "status") "creationTimestamp")}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/redpanda/redpanda/5.9.5/charts/connectors/templates/_values.go.tpl b/charts/redpanda/redpanda/5.9.5/charts/connectors/templates/_values.go.tpl new file mode 100644 index 000000000..9b304d4bf --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/connectors/templates/_values.go.tpl @@ -0,0 +1,15 @@ +{{- /* Generated from "values.go" */ -}} + +{{- define "connectors.Auth.SASLEnabled" -}} +{{- $c := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $saslEnabled := (not (empty $c.sasl.userName)) -}} +{{- $saslEnabled = (and $saslEnabled (not (empty $c.sasl.mechanism))) -}} +{{- $saslEnabled = (and $saslEnabled (not (empty $c.sasl.secretRef))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $saslEnabled) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.5/charts/connectors/templates/deployment.yaml b/charts/redpanda/redpanda/5.9.5/charts/connectors/templates/deployment.yaml new file mode 100644 index 000000000..ee78b69eb --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/connectors/templates/deployment.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "connectors.Deployment" .) -}} diff --git a/charts/redpanda/redpanda/5.9.5/charts/connectors/templates/pod-monitor.yaml b/charts/redpanda/redpanda/5.9.5/charts/connectors/templates/pod-monitor.yaml new file mode 100644 index 000000000..42c145754 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/connectors/templates/pod-monitor.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "connectors.PodMonitor" .) -}} diff --git a/charts/redpanda/redpanda/5.9.5/charts/connectors/templates/service.yaml b/charts/redpanda/redpanda/5.9.5/charts/connectors/templates/service.yaml new file mode 100644 index 000000000..0b8825bef --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/connectors/templates/service.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "connectors.Service" .) -}} diff --git a/charts/redpanda/redpanda/5.9.5/charts/connectors/templates/serviceaccount.yaml b/charts/redpanda/redpanda/5.9.5/charts/connectors/templates/serviceaccount.yaml new file mode 100644 index 000000000..eda755fb1 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/connectors/templates/serviceaccount.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "connectors.ServiceAccount" .) -}} diff --git a/charts/redpanda/redpanda/5.9.5/charts/connectors/templates/tests/01-mm2-values.yaml b/charts/redpanda/redpanda/5.9.5/charts/connectors/templates/tests/01-mm2-values.yaml new file mode 100644 index 000000000..c369806c8 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/connectors/templates/tests/01-mm2-values.yaml @@ -0,0 +1,176 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- define "curl-options" -}} +{{- print " -svm3 --fail --retry \"120\" --retry-max-time \"120\" --retry-all-errors -o - -w \"\\nstatus=%{http_code} %{redirect_url} size=%{size_download} time=%{time_total} content-type=\\\"%{content_type}\\\"\\n\" "}} +{{- end -}} +{{- if .Values.test.create -}} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "connectors.fullname" . }}-mm2-test + namespace: {{ .Release.Namespace | quote }} + labels: +{{- with include "full.labels" . }} + {{- . | nindent 4 }} +{{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: create-mm2 + image: docker.redpanda.com/redpandadata/redpanda:latest + command: + - /bin/bash + - -c + - | + set -xe + + trap connectorsState ERR + + connectorsState () { + echo check connectors expand status + curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors?expand=status + echo check connectors expand info + curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors?expand=info + echo check connector configuration + curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors/$CONNECTOR_NAME + echo check connector topics + curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors/$CONNECTOR_NAME/topics + } + + curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors + + SASL_MECHANISM="PLAIN" + {{- if .Values.auth.sasl.enabled }} + set -e + set +x + + IFS=: read -r CONNECT_SASL_USERNAME KAFKA_SASL_PASSWORD CONNECT_SASL_MECHANISM < $(find /mnt/users/* -print) + CONNECT_SASL_MECHANISM=${CONNECT_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + if [[ -n "$CONNECT_SASL_USERNAME" && -n "$KAFKA_SASL_PASSWORD" && -n "$CONNECT_SASL_MECHANISM" ]]; then + rpk profile set user=$CONNECT_SASL_USERNAME pass=$KAFKA_SASL_PASSWORD sasl.mechanism=$CONNECT_SASL_MECHANISM + SASL_MECHANISM=$CONNECT_SASL_MECHANISM + JAAS_CONFIG_SOURCE="\"source.cluster.sasl.jaas.config\": \"org.apache.kafka.common.security.scram.ScramLoginModule required username=\\\\"\"${CONNECT_SASL_USERNAME}\\\\"\" password=\\\\"\"${KAFKA_SASL_PASSWORD}\\\\"\";\"," + JAAS_CONFIG_TARGET="\"target.cluster.sasl.jaas.config\": \"org.apache.kafka.common.security.scram.ScramLoginModule required username=\\\\"\"${CONNECT_SASL_USERNAME}\\\\"\" password=\\\\"\"${KAFKA_SASL_PASSWORD}\\\\"\";\"," + fi + + set -x + set +e + {{- end }} + + rpk profile create test + rpk profile set tls.enabled={{.Values.connectors.brokerTLS.enabled}} brokers={{ .Values.connectors.bootstrapServers }} + {{- if .Values.connectors.brokerTLS.ca.secretRef }} + rpk profile set tls.ca={{ printf "/redpanda-certs/%s" (default "ca.crt" .Values.connectors.brokerTLS.ca.secretNameOverwrite) }} + {{- end }} + + {{- if .Values.connectors.brokerTLS.enabled }} + CONNECT_TLS_ENABLED=true + {{- else }} + CONNECT_TLS_ENABLED=false + {{- end }} + SECURITY_PROTOCOL=PLAINTEXT + if [[ -n "$CONNECT_SASL_MECHANISM" && $CONNECT_TLS_ENABLED == "true" ]]; then + SECURITY_PROTOCOL="SASL_SSL" + elif [[ -n "$CONNECT_SASL_MECHANISM" ]]; then + SECURITY_PROTOCOL="SASL_PLAINTEXT" + elif [[ $CONNECT_TLS_ENABLED == "true" ]]; then + SECURITY_PROTOCOL="SSL" + fi + + rpk topic list + rpk topic create test-topic + rpk topic list + echo "Test message!" | rpk topic produce test-topic + + CONNECTOR_NAME=mm2-$RANDOM + cat << 'EOF' > /tmp/mm2-conf.json + { + "name": "CONNECTOR_NAME", + "config": { + "connector.class": "org.apache.kafka.connect.mirror.MirrorSourceConnector", + "topics": "test-topic", + "replication.factor": "1", + "tasks.max": "1", + "source.cluster.bootstrap.servers": {{ .Values.connectors.bootstrapServers | quote }}, + "target.cluster.bootstrap.servers": {{ .Values.connectors.bootstrapServers | quote }}, + "target.cluster.alias": "test-only", + "source.cluster.alias": "source", + "key.converter": "org.apache.kafka.connect.converters.ByteArrayConverter", + "value.converter": "org.apache.kafka.connect.converters.ByteArrayConverter", + "source->target.enabled": "true", + "target->source.enabled": "false", + "sync.topic.configs.interval.seconds": "5", + "sync.topics.configs.enabled": "true", + "source.cluster.ssl.truststore.type": "PEM", + "target.cluster.ssl.truststore.type": "PEM", + "source.cluster.ssl.truststore.location": {{ printf "/opt/kafka/connect-certs/ca/%s" (default "ca.crt" .Values.connectors.brokerTLS.ca.secretNameOverwrite) | quote }}, + "target.cluster.ssl.truststore.location": {{ printf "/opt/kafka/connect-certs/ca/%s" (default "ca.crt" .Values.connectors.brokerTLS.ca.secretNameOverwrite) | quote }}, + JAAS_CONFIG_SOURCE + JAAS_CONFIG_TARGET + "source.cluster.security.protocol": "SECURITY_PROTOCOL", + "target.cluster.security.protocol": "SECURITY_PROTOCOL", + "source.cluster.sasl.mechanism": "SASL_MECHANISM", + "target.cluster.sasl.mechanism": "SASL_MECHANISM", + "offset-syncs.topic.replication.factor": 1 + } + } + EOF + + sed -i "s/CONNECTOR_NAME/$CONNECTOR_NAME/g" /tmp/mm2-conf.json + sed -i "s/SASL_MECHANISM/$SASL_MECHANISM/g" /tmp/mm2-conf.json + sed -i "s/SECURITY_PROTOCOL/$SECURITY_PROTOCOL/g" /tmp/mm2-conf.json + set +x + sed -i "s/JAAS_CONFIG_SOURCE/$JAAS_CONFIG_SOURCE/g" /tmp/mm2-conf.json + sed -i "s/JAAS_CONFIG_TARGET/$JAAS_CONFIG_TARGET/g" /tmp/mm2-conf.json + set -x + + curl {{ template "curl-options" . }} -H 'Content-Type: application/json' http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors -d @/tmp/mm2-conf.json + + # The rpk topic consume could fail for the first few times as kafka connect needs + # to spawn the task and copy one message from the source topic. To solve this race condition + # the retry should be implemented in bash for rpk topic consume or other mechanism that + # can confirm source connectors started its execution. As a fast fix fixed 30 second fix is added. + sleep 30 + + rpk topic consume source.test-topic -n 1 | grep "Test message!" + + curl {{ template "curl-options" . }} -X DELETE http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors/$CONNECTOR_NAME + + curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors + + rpk topic delete test-topic source.test-topic mm2-offset-syncs.test-only.internal + volumeMounts: + {{- if .Values.connectors.brokerTLS.ca.secretRef }} + - mountPath: /redpanda-certs + name: redpanda-ca + {{- end }} + {{- toYaml .Values.storage.volumeMounts | nindent 8 }} + volumes: + {{- if .Values.connectors.brokerTLS.ca.secretRef }} + - name: redpanda-ca + secret: + defaultMode: 0444 + secretName: {{ .Values.connectors.brokerTLS.ca.secretRef }} + {{- end }} + {{- toYaml .Values.storage.volume | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.5/charts/connectors/values.yaml b/charts/redpanda/redpanda/5.9.5/charts/connectors/values.yaml new file mode 100644 index 000000000..f230a84d3 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/connectors/values.yaml @@ -0,0 +1,311 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# This file contains values for variables referenced from yaml files in the templates directory. +# +# For further information on Helm templating see the documentation at: +# https://helm.sh/docs/chart_template_guide/values_files/ + +# +# >>> This chart requires Helm version 3.6.0 or greater <<< +# + +# Common settings +# +# -- Override `connectors.name` template. +nameOverride: "" +# -- Override `connectors.fullname` template. +fullnameOverride: "" +# -- Additional labels to add to all Kubernetes objects. +# For example, `my.k8s.service: redpanda`. +commonLabels: {} +# -- Taints to be tolerated by Pods. +# For details, +# see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/). +tolerations: [] + +# -- Redpanda Docker image settings. +image: + # -- Docker repository from which to pull the Redpanda Docker image. + repository: docker.redpanda.com/redpandadata/connectors + # -- The Redpanda version. + # See DockerHub for: + # [All stable versions](https://hub.docker.com/r/redpandadata/redpanda/tags) + # and [all unstable versions](https://hub.docker.com/r/redpandadata/redpanda-unstable/tags). + # @default -- `Chart.appVersion`. + tag: "" + # -- The imagePullPolicy. + # If `image.tag` is 'latest', the default is `Always`. + pullPolicy: IfNotPresent + +# -- Pull secrets may be used to provide credentials to image repositories +# See https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ +imagePullSecrets: [] + +test: + create: true + +connectors: + # -- The port on which the Kafka Connect REST API listens. The API is used for administrative tasks. + restPort: 8083 + # -- A comma-separated list of Redpanda broker addresses in the format of IP:Port or DNS:Port. Kafka Connect uses this to connect to the Redpanda/Kafka cluster. + bootstrapServers: "" + # A comma-separated list of Schema Registry addresses in the format IP:Port or DNS:Port. The Schema Registry is a service that manages the schemas used by producers and consumers. + schemaRegistryURL: "" + # -- A placeholder for any Java configuration settings for Kafka Connect that are not explicitly defined in this Helm chart. Java configuration settings are passed to the Kafka Connect startup script. + additionalConfiguration: "" + secretManager: + enabled: false + region: "" + consolePrefix: "" + connectorsPrefix: "" + # -- The number of bytes of records a producer will attempt to batch together before sending to Redpanda. Batching improves throughput. + producerBatchSize: 131072 + # -- The time, in milliseconds, that a producer will wait before sending a batch of records. Waiting allows the producer to gather more records in the same batch and improve throughput. + producerLingerMS: 1 + storage: + # -- The number of replicas for each of the internal topics that Kafka Connect uses. + replicationFactor: + # -- Replication factor for the offset topic. + offset: -1 + # -- Replication factor for the configuration topic. + config: -1 + # -- Replication factor for the status topic. + status: -1 + # -- Indicates if read and write operations for the respective topics are allowed remotely. + remote: + read: + offset: false + config: false + status: false + write: + offset: false + config: false + status: false + topic: + # -- The name of the internal topic that Kafka Connect uses to store source connector offsets. + offset: _internal_connectors_offsets + # -- The name of the internal topic that Kafka Connect uses to store connector and task configurations. + config: _internal_connectors_configs + # -- The name of the internal topic that Kafka Connect uses to store connector and task status updates. + status: _internal_connectors_status + # -- A unique string that identifies the Kafka Connect cluster. It's used in the formation of the internal topic names, ensuring that multiple Kafka Connect clusters can connect to the same Redpanda cluster without interfering with each other. + groupID: connectors-cluster + brokerTLS: + enabled: false + ca: + # -- The name of the Secret where the ca.crt file content is located. + secretRef: "" + # -- If `secretRef` points to a Secret where the certificate authority (CA) is not under the + # `ca.crt` key, use `secretNameOverwrite` to overwrite it e.g. `corp-ca.crt`. + secretNameOverwrite: "" + cert: + # -- The name of the secret where client signed certificate is located + secretRef: "" + # -- If secretRef points to secret where client signed certificate is not under + # tls.crt key then please use secretNameOverwrite to overwrite it e.g. corp-tls.crt + secretNameOverwrite: "" + key: + # -- The name of the secret where client private key is located + secretRef: "" + # -- If secretRef points to secret where client private key is not under + # tls.key key then please use secretNameOverwrite to overwrite it e.g. corp-tls.key + secretNameOverwrite: "" + +# -- Authentication settings. +# For details, +# see the [SASL documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/sasl-kubernetes/). +# The first line of the secret file is used. So the first superuser is used to authenticate to the Redpanda cluster. +auth: + sasl: + enabled: false + # -- The authentication mechanism to use for the superuser. Options are `scram-sha-256` and `scram-sha-512`. + mechanism: scram-sha-512 + # -- A Secret that contains your SASL user password. + secretRef: "" + userName: "" + +# -- Log-level settings. +logging: + # -- Log level + # Valid values (from least to most verbose) are: `error`, `warn`, `info` and `debug`. + level: warn + +# -- Monitoring. +# When set to `true`, the Helm chart creates a PodMonitor that can be used by Prometheus-Operator or VictoriaMetrics-Operator to scrape the metrics. +monitoring: + enabled: false + scrapeInterval: 30s + labels: {} + annotations: {} + namespaceSelector: + any: true + +container: + # + # -- Security context for the Redpanda Connectors container. + # See also `deployment.securityContext` for Pod-level settings. + securityContext: + allowPrivilegeEscalation: false + # -- Pod resource management. + resources: + request: + # Numeric values here are also acceptable. + cpu: "1" + memory: 2350Mi + limits: + cpu: "1" + memory: 2350Mi + # -- Java maximum heap size must not be greater than `container.resources.limits.memory`. + javaMaxHeapSize: 2G + javaGCLogEnabled: "false" + +deployment: + # Replicas can be used to scale Deployment + # replicas + + create: true + # Customize the command to use as the entrypoint of the Deployment. + # command: [] + strategy: + type: RollingUpdate + schedulerName: "" + budget: + maxUnavailable: 1 + # -- Additional annotations to apply to the Pods of this Deployment. + annotations: {} + # -- Adjust the period for your probes to meet your needs. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes). + livenessProbe: + initialDelaySeconds: 10 + failureThreshold: 3 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + initialDelaySeconds: 60 + failureThreshold: 2 + periodSeconds: 10 + successThreshold: 3 + timeoutSeconds: 5 + + # -- Additional environment variables for the Pods. + extraEnv: [] + # - name: RACK_ID + # value: "1" + + # -- Configure extra environment variables from Secrets and ConfigMaps. + extraEnvFrom: [] + # - secretRef: + # name: my-secret + # - configMapRef: + # name: my-configmap + + # -- The maximum time in seconds for a deployment to make progress before it is + # considered to be failed. The deployment controller will continue to process + # failed deployments and a condition with a ProgressDeadlineExceeded reason + # will be surfaced in the deployment status. Note that progress will not be + # estimated during the time a deployment is paused. + progressDeadlineSeconds: 600 + + # -- The number of old ReplicaSets to retain to allow rollback. This is a pointer + # to distinguish between explicit zero and not specified. + revisionHistoryLimit: 10 + + # -- Inter-Pod Affinity rules for scheduling Pods of this Deployment. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity). + podAffinity: {} + # -- Node Affinity rules for scheduling Pods of this Deployment. + # The suggestion would be to spread Pods according to topology zone. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity). + nodeAffinity: {} + # -- Anti-affinity rules for scheduling Pods of this Deployment. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity). + # You may either edit the default settings for anti-affinity rules, + # or specify new anti-affinity rules to use instead of the defaults. + podAntiAffinity: + # -- The `topologyKey` to be used. + # Can be used to spread across different nodes, AZs, regions etc. + topologyKey: kubernetes.io/hostname + # -- Valid anti-affinity types are `soft`, `hard`, or `custom`. + # Use `custom` if you want to supply your own anti-affinity rules in the `podAntiAffinity.custom` object. + type: hard + # -- Weight for `soft` anti-affinity rules. + # Does not apply for other anti-affinity types. + weight: 100 + # -- Change `podAntiAffinity.type` to `custom` and provide your own podAntiAffinity rules here. + custom: {} + # -- Node selection constraints for scheduling Pods of this Deployment. + # These constraints override the global `nodeSelector` value. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector). + nodeSelector: {} + # -- PriorityClassName given to Pods of this Deployment. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass). + priorityClassName: "" + # -- Taints to be tolerated by Pods of this Deployment. + # These tolerations override the global tolerations value. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/). + tolerations: [] + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/). + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + securityContext: + fsGroup: 101 + runAsUser: 101 + fsGroupChangePolicy: OnRootMismatch + terminationGracePeriodSeconds: 30 + restartPolicy: Always + +storage: + volume: + - emptyDir: + medium: Memory + sizeLimit: 5Mi + name: rp-connect-tmp + volumeMounts: + - mountPath: /tmp + name: rp-connect-tmp + +# -- ServiceAccount management. +serviceAccount: + # -- Specifies whether a ServiceAccount should be created. + create: false + # -- Annotations to add to the ServiceAccount. + annotations: {} + # -- The name of the ServiceAccount to use. + # If not set and `serviceAccount.create` is `true`, + # a name is generated using the `connectors.fullname` template. + name: "" + +# -- Service management. +service: + # -- Annotations to add to the Service. + annotations: {} + # -- The name of the service to use. + # If not set, a name is generated using the `connectors.fullname` template. + name: "" + ports: + - name: prometheus + port: 9404 diff --git a/charts/redpanda/redpanda/5.9.5/charts/console/.helmignore b/charts/redpanda/redpanda/5.9.5/charts/console/.helmignore new file mode 100644 index 000000000..04ecd888b --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/console/.helmignore @@ -0,0 +1,24 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +README.md.gotmpl +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/redpanda/redpanda/5.9.5/charts/console/Chart.yaml b/charts/redpanda/redpanda/5.9.5/charts/console/Chart.yaml new file mode 100644 index 000000000..dd51b48d8 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/console/Chart.yaml @@ -0,0 +1,23 @@ +annotations: + artifacthub.io/images: | + - name: redpanda + image: docker.redpanda.com/redpandadata/console:v2.7.0 + artifacthub.io/license: Apache-2.0 + artifacthub.io/links: | + - name: Documentation + url: https://docs.redpanda.com + - name: "Helm (>= 3.6.0)" + url: https://helm.sh/docs/intro/install/ +apiVersion: v2 +appVersion: v2.7.0 +description: Helm chart to deploy Redpanda Console. +icon: https://images.ctfassets.net/paqvtpyf8rwu/3cYHw5UzhXCbKuR24GDFGO/73fb682e6157d11c10d5b2b5da1d5af0/skate-stand-panda.svg +kubeVersion: '>= 1.21.0-0' +maintainers: +- name: redpanda-data + url: https://github.com/orgs/redpanda-data/people +name: console +sources: +- https://github.com/redpanda-data/helm-charts +type: application +version: 0.7.29 diff --git a/charts/redpanda/redpanda/5.9.5/charts/console/README.md b/charts/redpanda/redpanda/5.9.5/charts/console/README.md new file mode 100644 index 000000000..9bd93425f --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/console/README.md @@ -0,0 +1,353 @@ +# Redpanda Console Helm Chart Specification +--- +description: Find the default values and descriptions of settings in the Redpanda Console Helm chart. +--- + +![Version: 0.7.29](https://img.shields.io/badge/Version-0.7.29-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2.7.0](https://img.shields.io/badge/AppVersion-v2.7.0-informational?style=flat-square) + +This page describes the official Redpanda Console Helm Chart. In particular, this page describes the contents of the chart’s [`values.yaml` file](https://github.com/redpanda-data/helm-charts/blob/main/charts/console/values.yaml). +Each of the settings is listed and described on this page, along with any default values. + +The Redpanda Console Helm chart is included as a subchart in the Redpanda Helm chart so that you can deploy and configure Redpanda and Redpanda Console together. +For instructions on how to install and use the chart, refer to the [deployment documentation](https://docs.redpanda.com/docs/deploy/deployment-option/self-hosted/kubernetes/kubernetes-deploy/). +For instructions on how to override and customize the chart’s values, see [Configure Redpanda Console](https://docs.redpanda.com/docs/manage/kubernetes/configure-helm-chart/#configure-redpanda-console). + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1) + +## Source Code + +* + +## Requirements + +Kubernetes: `>= 1.21.0-0` + +## Settings + +### [affinity](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=affinity) + +**Default:** `{}` + +### [annotations](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=annotations) + +Annotations to add to the deployment. + +**Default:** `{}` + +### [automountServiceAccountToken](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=automountServiceAccountToken) + +Automount API credentials for the Service Account into the pod. + +**Default:** `true` + +### [autoscaling.enabled](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=autoscaling.enabled) + +**Default:** `false` + +### [autoscaling.maxReplicas](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=autoscaling.maxReplicas) + +**Default:** `100` + +### [autoscaling.minReplicas](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=autoscaling.minReplicas) + +**Default:** `1` + +### [autoscaling.targetCPUUtilizationPercentage](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=autoscaling.targetCPUUtilizationPercentage) + +**Default:** `80` + +### [commonLabels](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=commonLabels) + +**Default:** `{}` + +### [configmap.create](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=configmap.create) + +**Default:** `true` + +### [console.config](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=console.config) + +Settings for the `Config.yaml` (required). For a reference of configuration settings, see the [Redpanda Console documentation](https://docs.redpanda.com/docs/reference/console/config/). + +**Default:** `{}` + +### [deployment.create](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=deployment.create) + +**Default:** `true` + +### [enterprise](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=enterprise) + +Settings for license key, as an alternative to secret.enterprise when a license secret is available + +**Default:** + +``` +{"licenseSecretRef":{"key":"","name":""}} +``` + +### [extraContainers](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=extraContainers) + +Add additional containers, such as for oauth2-proxy. + +**Default:** `[]` + +### [extraEnv](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=extraEnv) + +Additional environment variables for the Redpanda Console Deployment. + +**Default:** `[]` + +### [extraEnvFrom](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=extraEnvFrom) + +Additional environment variables for Redpanda Console mapped from Secret or ConfigMap. + +**Default:** `[]` + +### [extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=extraVolumeMounts) + +Add additional volume mounts, such as for TLS keys. + +**Default:** `[]` + +### [extraVolumes](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=extraVolumes) + +Add additional volumes, such as for TLS keys. + +**Default:** `[]` + +### [fullnameOverride](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=fullnameOverride) + +Override `console.fullname` template. + +**Default:** `""` + +### [image](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=image) + +Redpanda Console Docker image settings. + +**Default:** + +``` +{"pullPolicy":"IfNotPresent","registry":"docker.redpanda.com","repository":"redpandadata/console","tag":""} +``` + +### [image.pullPolicy](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=image.pullPolicy) + +The imagePullPolicy. + +**Default:** `"IfNotPresent"` + +### [image.repository](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=image.repository) + +Docker repository from which to pull the Redpanda Docker image. + +**Default:** `"redpandadata/console"` + +### [image.tag](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=image.tag) + +The Redpanda Console version. See DockerHub for: [All stable versions](https://hub.docker.com/r/redpandadata/console/tags) and [all unstable versions](https://hub.docker.com/r/redpandadata/console-unstable/tags). + +**Default:** `Chart.appVersion` + +### [imagePullSecrets](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=imagePullSecrets) + +Pull secrets may be used to provide credentials to image repositories See https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + +**Default:** `[]` + +### [ingress.annotations](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=ingress.annotations) + +**Default:** `{}` + +### [ingress.className](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=ingress.className) + +**Default:** `nil` + +### [ingress.enabled](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=ingress.enabled) + +**Default:** `false` + +### [ingress.hosts[0].host](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=ingress.hosts[0].host) + +**Default:** `"chart-example.local"` + +### [ingress.hosts[0].paths[0].path](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=ingress.hosts[0].paths[0].path) + +**Default:** `"/"` + +### [ingress.hosts[0].paths[0].pathType](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=ingress.hosts[0].paths[0].pathType) + +**Default:** `"ImplementationSpecific"` + +### [ingress.tls](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=ingress.tls) + +**Default:** `[]` + +### [initContainers](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=initContainers) + +Any initContainers defined should be written here + +**Default:** `{"extraInitContainers":""}` + +### [initContainers.extraInitContainers](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=initContainers.extraInitContainers) + +Additional set of init containers + +**Default:** `""` + +### [livenessProbe](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=livenessProbe) + +Settings for liveness and readiness probes. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes). + +**Default:** + +``` +{"failureThreshold":3,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":1} +``` + +### [nameOverride](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=nameOverride) + +Override `console.name` template. + +**Default:** `""` + +### [nodeSelector](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=nodeSelector) + +**Default:** `{}` + +### [podAnnotations](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=podAnnotations) + +**Default:** `{}` + +### [podLabels](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=podLabels) + +**Default:** `{}` + +### [podSecurityContext.fsGroup](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=podSecurityContext.fsGroup) + +**Default:** `99` + +### [podSecurityContext.runAsUser](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=podSecurityContext.runAsUser) + +**Default:** `99` + +### [priorityClassName](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=priorityClassName) + +PriorityClassName given to Pods. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass). + +**Default:** `""` + +### [readinessProbe.failureThreshold](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=readinessProbe.failureThreshold) + +**Default:** `3` + +### [readinessProbe.initialDelaySeconds](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=readinessProbe.initialDelaySeconds) + +Grant time to test connectivity to upstream services such as Kafka and Schema Registry. + +**Default:** `10` + +### [readinessProbe.periodSeconds](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=readinessProbe.periodSeconds) + +**Default:** `10` + +### [readinessProbe.successThreshold](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=readinessProbe.successThreshold) + +**Default:** `1` + +### [readinessProbe.timeoutSeconds](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=readinessProbe.timeoutSeconds) + +**Default:** `1` + +### [replicaCount](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=replicaCount) + +**Default:** `1` + +### [resources](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=resources) + +**Default:** `{}` + +### [secret](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=secret) + +Create a new Kubernetes Secret for all sensitive configuration inputs. Each provided Secret is mounted automatically and made available to the Pod. If you want to use one or more existing Secrets, you can use the `extraEnvFrom` list to mount environment variables from string and secretMounts to mount files such as Certificates from Secrets. + +**Default:** + +``` +{"create":true,"enterprise":{},"kafka":{},"login":{"github":{},"google":{},"jwtSecret":"","oidc":{},"okta":{}},"redpanda":{"adminApi":{}}} +``` + +### [secret.kafka](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=secret.kafka) + +Kafka Secrets. + +**Default:** `{}` + +### [secretMounts](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=secretMounts) + +SecretMounts is an abstraction to make a Secret available in the container's filesystem. Under the hood it creates a volume and a volume mount for the Redpanda Console container. + +**Default:** `[]` + +### [securityContext.runAsNonRoot](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=securityContext.runAsNonRoot) + +**Default:** `true` + +### [service.annotations](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=service.annotations) + +**Default:** `{}` + +### [service.port](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=service.port) + +**Default:** `8080` + +### [service.targetPort](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=service.targetPort) + +Override the value in `console.config.server.listenPort` if not `nil` + +**Default:** `nil` + +### [service.type](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=service.type) + +**Default:** `"ClusterIP"` + +### [serviceAccount.annotations](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=serviceAccount.annotations) + +Annotations to add to the service account. + +**Default:** `{}` + +### [serviceAccount.automountServiceAccountToken](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=serviceAccount.automountServiceAccountToken) + +Specifies whether a service account should automount API-Credentials + +**Default:** `true` + +### [serviceAccount.create](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=serviceAccount.create) + +Specifies whether a service account should be created. + +**Default:** `true` + +### [serviceAccount.name](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=serviceAccount.name) + +The name of the service account to use. If not set and `serviceAccount.create` is `true`, a name is generated using the `console.fullname` template + +**Default:** `""` + +### [strategy](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=strategy) + +**Default:** `{}` + +### [tests.enabled](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=tests.enabled) + +**Default:** `true` + +### [tolerations](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=tolerations) + +**Default:** `[]` + +### [topologySpreadConstraints](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=topologySpreadConstraints) + +**Default:** `[]` + diff --git a/charts/redpanda/redpanda/5.9.5/charts/console/chart_test.go b/charts/redpanda/redpanda/5.9.5/charts/console/chart_test.go new file mode 100644 index 000000000..0e652c13e --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/console/chart_test.go @@ -0,0 +1,158 @@ +package console + +import ( + "encoding/json" + "fmt" + "os" + "regexp" + "slices" + "testing" + + fuzz "github.com/google/gofuzz" + "github.com/redpanda-data/helm-charts/pkg/helm" + "github.com/redpanda-data/helm-charts/pkg/testutil" + "github.com/santhosh-tekuri/jsonschema/v5" + "github.com/stretchr/testify/require" + "golang.org/x/tools/txtar" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "sigs.k8s.io/yaml" +) + +// TestValues asserts that the chart's values.yaml file can be losslessly +// loaded into our type [Values] struct. +// NB: values.yaml should round trip through [Values], not [PartialValues], as +// [Values]'s omitempty tags are models after values.yaml. +func TestValues(t *testing.T) { + var typedValues Values + var unstructuredValues map[string]any + + require.NoError(t, yaml.Unmarshal(DefaultValuesYAML, &typedValues)) + require.NoError(t, yaml.Unmarshal(DefaultValuesYAML, &unstructuredValues)) + + typedValuesJSON, err := json.Marshal(typedValues) + require.NoError(t, err) + + unstructuredValuesJSON, err := json.Marshal(unstructuredValues) + require.NoError(t, err) + + require.JSONEq(t, string(unstructuredValuesJSON), string(typedValuesJSON)) +} + +func TestTemplate(t *testing.T) { + ctx := testutil.Context(t) + client, err := helm.New(helm.Options{ConfigHome: testutil.TempDir(t)}) + require.NoError(t, err) + + casesArchive, err := txtar.ParseFile("testdata/template-cases.txtar") + require.NoError(t, err) + + generatedCasesArchive, err := txtar.ParseFile("testdata/template-cases-generated.txtar") + require.NoError(t, err) + + goldens := testutil.NewTxTar(t, "testdata/template-cases.golden.txtar") + + for _, tc := range append(casesArchive.Files, generatedCasesArchive.Files...) { + tc := tc + t.Run(tc.Name, func(t *testing.T) { + var values PartialValues + require.NoError(t, yaml.Unmarshal(tc.Data, &values)) + + out, err := client.Template(ctx, ".", helm.TemplateOptions{ + Name: "console", + Values: values, + Set: []string{ + // jwtSecret defaults to a random string. Can't have that + // in snapshot testing so set it to a static value. + "secret.login.jwtSecret=SECRETKEY", + }, + }) + require.NoError(t, err) + goldens.AssertGolden(t, testutil.YAML, fmt.Sprintf("testdata/%s.yaml.golden", tc.Name), out) + }) + } +} + +// TestGenerateCases is not a test case (sorry) but a test case generator for +// the console chart. +func TestGenerateCases(t *testing.T) { + // Nasty hack to avoid making a main function somewhere. Sorry not sorry. + if !slices.Contains(os.Args, fmt.Sprintf("-test.run=%s", t.Name())) { + t.Skipf("%s will only run if explicitly specified (-run %q)", t.Name(), t.Name()) + } + + // Makes strings easier to read. + asciiStrs := func(s *string, c fuzz.Continue) { + const alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" + var x []byte + for i := 0; i < c.Intn(25); i++ { + x = append(x, alphabet[c.Intn(len(alphabet))]) + } + *s = string(x) + } + smallInts := func(s *int, c fuzz.Continue) { + *s = c.Intn(501) + } + + fuzzer := fuzz.New().NumElements(0, 3).SkipFieldsWithPattern( + regexp.MustCompile("^(SELinuxOptions|WindowsOptions|SeccompProfile|TCPSocket|HTTPHeaders|VolumeSource)$"), + ).Funcs( + asciiStrs, + smallInts, + func(t *corev1.ServiceType, c fuzz.Continue) { + types := []corev1.ServiceType{ + corev1.ServiceTypeClusterIP, + corev1.ServiceTypeExternalName, + corev1.ServiceTypeNodePort, + corev1.ServiceTypeLoadBalancer, + } + *t = types[c.Intn(len(types))] + }, + func(s *corev1.ResourceName, c fuzz.Continue) { asciiStrs((*string)(s), c) }, + func(_ *any, c fuzz.Continue) {}, + func(_ *[]corev1.ResourceClaim, c fuzz.Continue) {}, + func(_ *[]metav1.ManagedFieldsEntry, c fuzz.Continue) {}, + ) + + schema, err := jsonschema.CompileString("", string(ValuesSchemaJSON)) + require.NoError(t, err) + + nilChance := float64(0.8) + + files := make([]txtar.File, 0, 50) + for i := 0; i < 50; i++ { + // Every 5 iterations, decrease nil chance to ensure that we're biased + // towards exploring most cases. + if i%5 == 0 && nilChance > .1 { + nilChance -= .1 + } + + var values PartialValues + fuzzer.NilChance(nilChance).Fuzz(&values) + + out, err := yaml.Marshal(values) + require.NoError(t, err) + + merged, err := helm.MergeYAMLValues(t.TempDir(), DefaultValuesYAML, out) + require.NoError(t, err) + + // Ensure that our generated values comply with the schema set by the chart. + if err := schema.Validate(merged); err != nil { + t.Logf("Generated invalid values; trying again...\n%v", err) + i-- + continue + } + + files = append(files, txtar.File{ + Name: fmt.Sprintf("case-%03d", i), + Data: out, + }) + } + + archive := txtar.Format(&txtar.Archive{ + Comment: []byte(fmt.Sprintf(`Generated by %s`, t.Name())), + Files: files, + }) + + require.NoError(t, os.WriteFile("testdata/template-cases-generated.txtar", archive, 0o644)) +} diff --git a/charts/redpanda/redpanda/5.9.5/charts/console/configmap.go b/charts/redpanda/redpanda/5.9.5/charts/console/configmap.go new file mode 100644 index 000000000..c4fa38291 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/console/configmap.go @@ -0,0 +1,61 @@ +// Licensed to the Apache Software Foundation (ASF) under one or more +// contributor license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright ownership. +// The ASF licenses this file to You under the Apache License, Version 2.0 +// (the "License"); you may not use this file except in compliance with +// the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// +gotohelm:filename=_configmap.go.tpl +package console + +import ( + "fmt" + + "github.com/redpanda-data/helm-charts/pkg/gotohelm/helmette" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +func ConfigMap(dot *helmette.Dot) *corev1.ConfigMap { + values := helmette.Unwrap[Values](dot.Values) + + if !values.ConfigMap.Create { + return nil + } + + data := map[string]string{ + "config.yaml": fmt.Sprintf("# from .Values.console.config\n%s\n", helmette.Tpl(helmette.ToYaml(values.Console.Config), dot)), + } + + if len(values.Console.Roles) > 0 { + data["roles.yaml"] = helmette.Tpl(helmette.ToYaml(map[string]any{ + "roles": values.Console.Roles, + }), dot) + } + + if len(values.Console.RoleBindings) > 0 { + data["role-bindings.yaml"] = helmette.Tpl(helmette.ToYaml(map[string]any{ + "roleBindings": values.Console.RoleBindings, + }), dot) + } + + return &corev1.ConfigMap{ + TypeMeta: metav1.TypeMeta{ + APIVersion: "v1", + Kind: "ConfigMap", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: Fullname(dot), + Labels: Labels(dot), + }, + Data: data, + } +} diff --git a/charts/redpanda/redpanda/5.9.5/charts/console/deployment.go b/charts/redpanda/redpanda/5.9.5/charts/console/deployment.go new file mode 100644 index 000000000..47537d40d --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/console/deployment.go @@ -0,0 +1,535 @@ +// Licensed to the Apache Software Foundation (ASF) under one or more +// contributor license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright ownership. +// The ASF licenses this file to You under the Apache License, Version 2.0 +// (the "License"); you may not use this file except in compliance with +// the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// +gotohelm:filename=_deployment.go.tpl +package console + +import ( + "fmt" + + "github.com/redpanda-data/helm-charts/pkg/gotohelm/helmette" + appsv1 "k8s.io/api/apps/v1" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/intstr" + "k8s.io/utils/ptr" +) + +// Console's HTTP server Port. +// The port is defined from the provided config but can be overridden +// by setting service.targetPort and if that is missing defaults to 8080. +func ContainerPort(dot *helmette.Dot) int32 { + values := helmette.Unwrap[Values](dot.Values) + + listenPort := int32(8080) + if values.Service.TargetPort != nil { + listenPort = *values.Service.TargetPort + } + + configListenPort := helmette.Dig(values.Console.Config, nil, "server", "listenPort") + if asInt, ok := helmette.AsIntegral[int](configListenPort); ok { + return int32(asInt) + } + + return listenPort +} + +func Deployment(dot *helmette.Dot) *appsv1.Deployment { + values := helmette.Unwrap[Values](dot.Values) + + if !values.Deployment.Create { + return nil + } + + var replicas *int32 + if !values.Autoscaling.Enabled { + replicas = ptr.To(values.ReplicaCount) + } + + var initContainers []corev1.Container + if values.InitContainers.ExtraInitContainers != nil { + initContainers = helmette.UnmarshalYamlArray[corev1.Container](helmette.Tpl(*values.InitContainers.ExtraInitContainers, dot)) + } + + volumeMounts := []corev1.VolumeMount{ + { + Name: "configs", + MountPath: "/etc/console/configs", + ReadOnly: true, + }, + } + + if values.Secret.Create { + volumeMounts = append(volumeMounts, corev1.VolumeMount{ + Name: "secrets", + MountPath: "/etc/console/secrets", + ReadOnly: true, + }) + } + + for _, mount := range values.SecretMounts { + volumeMounts = append(volumeMounts, corev1.VolumeMount{ + Name: mount.Name, + MountPath: mount.Path, + SubPath: ptr.Deref(mount.SubPath, ""), + }) + } + + volumeMounts = append(volumeMounts, values.ExtraVolumeMounts...) + + return &appsv1.Deployment{ + TypeMeta: metav1.TypeMeta{ + APIVersion: "apps/v1", + Kind: "Deployment", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: Fullname(dot), + Labels: Labels(dot), + Namespace: dot.Release.Namespace, + Annotations: values.Annotations, + }, + Spec: appsv1.DeploymentSpec{ + Replicas: replicas, + Selector: &metav1.LabelSelector{ + MatchLabels: SelectorLabels(dot), + }, + Strategy: values.Strategy, + Template: corev1.PodTemplateSpec{ + ObjectMeta: metav1.ObjectMeta{ + Annotations: helmette.Merge(map[string]string{ + "checksum/config": helmette.Sha256Sum(helmette.ToYaml(ConfigMap(dot))), + }, values.PodAnnotations), + Labels: helmette.Merge(SelectorLabels(dot), values.PodLabels), + }, + Spec: corev1.PodSpec{ + ImagePullSecrets: values.ImagePullSecrets, + ServiceAccountName: ServiceAccountName(dot), + AutomountServiceAccountToken: &values.AutomountServiceAccountToken, + SecurityContext: &values.PodSecurityContext, + NodeSelector: values.NodeSelector, + Affinity: &values.Affinity, + TopologySpreadConstraints: values.TopologySpreadConstraints, + PriorityClassName: values.PriorityClassName, + Tolerations: values.Tolerations, + Volumes: consolePodVolumes(dot), + InitContainers: initContainers, + Containers: append([]corev1.Container{ + { + Name: dot.Chart.Name, + Command: values.Deployment.Command, + Args: append([]string{ + "--config.filepath=/etc/console/configs/config.yaml", + }, values.Deployment.ExtraArgs...), + SecurityContext: &values.SecurityContext, + Image: containerImage(dot), + ImagePullPolicy: values.Image.PullPolicy, + Ports: []corev1.ContainerPort{ + { + Name: "http", + ContainerPort: ContainerPort(dot), + Protocol: corev1.ProtocolTCP, + }, + }, + VolumeMounts: volumeMounts, + LivenessProbe: &corev1.Probe{ + InitialDelaySeconds: values.LivenessProbe.InitialDelaySeconds, // TODO what to do with this?? + PeriodSeconds: values.LivenessProbe.PeriodSeconds, + TimeoutSeconds: values.LivenessProbe.TimeoutSeconds, + SuccessThreshold: values.LivenessProbe.SuccessThreshold, + FailureThreshold: values.LivenessProbe.FailureThreshold, + ProbeHandler: corev1.ProbeHandler{ + HTTPGet: &corev1.HTTPGetAction{ + Path: "/admin/health", + Port: intstr.FromString("http"), + }, + }, + }, + ReadinessProbe: &corev1.Probe{ + InitialDelaySeconds: values.ReadinessProbe.InitialDelaySeconds, + PeriodSeconds: values.ReadinessProbe.PeriodSeconds, + TimeoutSeconds: values.ReadinessProbe.TimeoutSeconds, + SuccessThreshold: values.ReadinessProbe.SuccessThreshold, + FailureThreshold: values.ReadinessProbe.FailureThreshold, + ProbeHandler: corev1.ProbeHandler{ + HTTPGet: &corev1.HTTPGetAction{ + Path: "/admin/health", + Port: intstr.FromString("http"), + }, + }, + }, + Resources: values.Resources, + Env: consoleContainerEnv(dot), + EnvFrom: values.ExtraEnvFrom, + }, + }, values.ExtraContainers...), + }, + }, + }, + } +} + +// ConsoleImage +func containerImage(dot *helmette.Dot) string { + values := helmette.Unwrap[Values](dot.Values) + + tag := dot.Chart.AppVersion + if !helmette.Empty(values.Image.Tag) { + tag = *values.Image.Tag + } + + image := fmt.Sprintf("%s:%s", values.Image.Repository, tag) + + if !helmette.Empty(values.Image.Registry) { + return fmt.Sprintf("%s/%s", values.Image.Registry, image) + } + + return image +} + +type PossibleEnvVar struct { + Value any + EnvVar corev1.EnvVar +} + +func consoleContainerEnv(dot *helmette.Dot) []corev1.EnvVar { + values := helmette.Unwrap[Values](dot.Values) + + if !values.Secret.Create { + vars := values.ExtraEnv + + if !helmette.Empty(values.Enterprise.LicenseSecretRef.Name) { + vars = append(values.ExtraEnv, corev1.EnvVar{ + Name: "LICENSE", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: values.Enterprise.LicenseSecretRef.Name, + }, + Key: helmette.Default("enterprise-license", values.Enterprise.LicenseSecretRef.Key), + }, + }, + }) + } + + return vars + } + + possibleVars := []PossibleEnvVar{ + { + Value: values.Secret.Kafka.SASLPassword, + EnvVar: corev1.EnvVar{ + Name: "KAFKA_SASL_PASSWORD", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: Fullname(dot), + }, + Key: "kafka-sasl-password", + }, + }, + }, + }, + { + Value: values.Secret.Kafka.ProtobufGitBasicAuthPassword, + EnvVar: corev1.EnvVar{ + Name: "KAFKA_PROTOBUF_GIT_BASICAUTH_PASSWORD", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: Fullname(dot), + }, + Key: "kafka-protobuf-git-basicauth-password", + }, + }, + }, + }, + { + Value: values.Secret.Kafka.AWSMSKIAMSecretKey, + EnvVar: corev1.EnvVar{ + Name: "KAFKA_SASL_AWSMSKIAM_SECRETKEY", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: Fullname(dot), + }, + Key: "kafka-sasl-aws-msk-iam-secret-key", + }, + }, + }, + }, + { + Value: values.Secret.Kafka.TLSCA, + EnvVar: corev1.EnvVar{ + Name: "KAFKA_TLS_CAFILEPATH", + Value: "/etc/console/secrets/kafka-tls-ca", + }, + }, + { + Value: values.Secret.Kafka.TLSCert, + EnvVar: corev1.EnvVar{ + Name: "KAFKA_TLS_CERTFILEPATH", + Value: "/etc/console/secrets/kafka-tls-cert", + }, + }, + { + Value: values.Secret.Kafka.TLSKey, + EnvVar: corev1.EnvVar{ + Name: "KAFKA_TLS_KEYFILEPATH", + Value: "/etc/console/secrets/kafka-tls-key", + }, + }, + { + Value: values.Secret.Kafka.SchemaRegistryTLSCA, + EnvVar: corev1.EnvVar{ + Name: "KAFKA_SCHEMAREGISTRY_TLS_CAFILEPATH", + Value: "/etc/console/secrets/kafka-schemaregistry-tls-ca", + }, + }, + { + Value: values.Secret.Kafka.SchemaRegistryTLSCert, + EnvVar: corev1.EnvVar{ + Name: "KAFKA_SCHEMAREGISTRY_TLS_CERTFILEPATH", + Value: "/etc/console/secrets/kafka-schemaregistry-tls-cert", + }, + }, + { + Value: values.Secret.Kafka.SchemaRegistryTLSKey, + EnvVar: corev1.EnvVar{ + Name: "KAFKA_SCHEMAREGISTRY_TLS_KEYFILEPATH", + Value: "/etc/console/secrets/kafka-schemaregistry-tls-key", + }, + }, + { + Value: values.Secret.Kafka.SchemaRegistryPassword, + EnvVar: corev1.EnvVar{ + Name: "KAFKA_SCHEMAREGISTRY_PASSWORD", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: Fullname(dot), + }, + Key: "kafka-schema-registry-password", + }, + }, + }, + }, + { + Value: true, + EnvVar: corev1.EnvVar{ + Name: "LOGIN_JWTSECRET", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: Fullname(dot), + }, + Key: "login-jwt-secret", + }, + }, + }, + }, + { + Value: values.Secret.Login.Google.ClientSecret, + EnvVar: corev1.EnvVar{ + Name: "LOGIN_GOOGLE_CLIENTSECRET", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: Fullname(dot), + }, + Key: "login-google-oauth-client-secret", + }, + }, + }, + }, + + { + Value: values.Secret.Login.Google.GroupsServiceAccount, + EnvVar: corev1.EnvVar{ + Name: "LOGIN_GOOGLE_DIRECTORY_SERVICEACCOUNTFILEPATH", + Value: "/etc/console/secrets/login-google-groups-service-account.json", + }, + }, + { + Value: values.Secret.Login.Github.ClientSecret, + EnvVar: corev1.EnvVar{ + Name: "LOGIN_GITHUB_CLIENTSECRET", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: Fullname(dot), + }, + Key: "login-github-oauth-client-secret", + }, + }, + }, + }, + { + Value: values.Secret.Login.Github.PersonalAccessToken, + EnvVar: corev1.EnvVar{ + Name: "LOGIN_GITHUB_DIRECTORY_PERSONALACCESSTOKEN", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: Fullname(dot), + }, + Key: "login-github-personal-access-token", + }, + }, + }, + }, + { + Value: values.Secret.Login.Okta.ClientSecret, + EnvVar: corev1.EnvVar{ + Name: "LOGIN_OKTA_CLIENTSECRET", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: Fullname(dot), + }, + Key: "login-okta-client-secret", + }, + }, + }, + }, + { + Value: values.Secret.Login.Okta.DirectoryAPIToken, + EnvVar: corev1.EnvVar{ + Name: "LOGIN_OKTA_DIRECTORY_APITOKEN", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: Fullname(dot), + }, + Key: "login-okta-directory-api-token", + }, + }, + }, + }, + { + Value: values.Secret.Login.OIDC.ClientSecret, + EnvVar: corev1.EnvVar{ + Name: "LOGIN_OIDC_CLIENTSECRET", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: Fullname(dot), + }, + Key: "login-oidc-client-secret", + }, + }, + }, + }, + { + Value: values.Secret.Enterprise.License, + EnvVar: corev1.EnvVar{ + Name: "LICENSE", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: Fullname(dot), + }, + Key: "enterprise-license", + }, + }, + }, + }, + { + Value: values.Secret.Redpanda.AdminAPI.Password, + EnvVar: corev1.EnvVar{ + Name: "REDPANDA_ADMINAPI_PASSWORD", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: Fullname(dot), + }, + Key: "redpanda-admin-api-password", + }, + }, + }, + }, + { + Value: values.Secret.Redpanda.AdminAPI.TLSCA, + EnvVar: corev1.EnvVar{ + Name: "REDPANDA_ADMINAPI_TLS_CAFILEPATH", + Value: "/etc/console/secrets/redpanda-admin-api-tls-ca", + }, + }, + { + Value: values.Secret.Redpanda.AdminAPI.TLSKey, + EnvVar: corev1.EnvVar{ + Name: "REDPANDA_ADMINAPI_TLS_KEYFILEPATH", + Value: "/etc/console/secrets/redpanda-admin-api-tls-key", + }, + }, + { + Value: values.Secret.Redpanda.AdminAPI.TLSCert, + EnvVar: corev1.EnvVar{ + Name: "REDPANDA_ADMINAPI_TLS_CERTFILEPATH", + Value: "/etc/console/secrets/redpanda-admin-api-tls-cert", + }, + }, + } + + vars := values.ExtraEnv + for _, possible := range possibleVars { + if !helmette.Empty(possible.Value) { + vars = append(vars, possible.EnvVar) + } + } + + return vars +} + +func consolePodVolumes(dot *helmette.Dot) []corev1.Volume { + values := helmette.Unwrap[Values](dot.Values) + + volumes := []corev1.Volume{ + { + Name: "configs", + VolumeSource: corev1.VolumeSource{ + ConfigMap: &corev1.ConfigMapVolumeSource{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: Fullname(dot), + }, + }, + }, + }, + } + + if values.Secret.Create { + volumes = append(volumes, corev1.Volume{ + Name: "secrets", + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: Fullname(dot), + }, + }, + }) + } + + for _, mount := range values.SecretMounts { + volumes = append(volumes, corev1.Volume{ + Name: mount.Name, + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: mount.SecretName, + DefaultMode: mount.DefaultMode, + }, + }, + }) + } + + return append(volumes, values.ExtraVolumes...) +} diff --git a/charts/redpanda/redpanda/5.9.5/charts/console/examples/console-enterprise.yaml b/charts/redpanda/redpanda/5.9.5/charts/console/examples/console-enterprise.yaml new file mode 100644 index 000000000..dc3f29197 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/console/examples/console-enterprise.yaml @@ -0,0 +1,94 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +image: + tag: master-8fcce39 + +resources: + limits: + cpu: 1 + memory: 2Gi + requests: + cpu: 100m + memory: 512Mi + +console: + config: + kafka: + brokers: + - bootstrap.mybrokers.com:9092 + clientId: redpanda-console + sasl: + enabled: true + mechanism: SCRAM-SHA-256 + username: console + # password: set via Helm secret / Env variable + tls: + enabled: false + login: + google: + enabled: true + clientId: redacted.apps.googleusercontent.com + # clientSecret: set via Helm secret / Env variable + directory: + # serviceAccountFilepath: set via Helm secret / Env variable + targetPrincipal: admin@mycompany.com + enterprise: + rbac: + enabled: true + roleBindingsFilepath: /etc/console/configs/role-bindings.yaml + roleBindings: + - roleName: viewer + metadata: + # Metadata properties will be shown in the UI. You can omit it if you want to + name: Developers + subjects: + # You can specify all groups or users from different providers here which shall be bound to the same role + - kind: group + provider: Google + name: engineering@mycompany.com + - kind: user + provider: Google + name: singleuser@mycompany.com + - roleName: admin + metadata: + name: Admin + subjects: + - kind: user + provider: Google + name: adminperson@mycompany.com + +secret: + create: true + kafka: + saslPassword: "redacted" + enterprise: + license: "redacted" + login: + google: + clientSecret: "redacted" + groupsServiceAccount: | + { + "type": "service_account", + "project_id": "redacted", + "private_key_id": "redacted", + "private_key": "-----BEGIN PRIVATE KEY-----\nREDACTED\n-----END PRIVATE KEY-----\n", + "client_email": "redacted@projectid.iam.gserviceaccount.com", + "client_id": "redacted", + "auth_uri": "https://accounts.google.com/o/oauth2/auth", + "token_uri": "https://oauth2.googleapis.com/token", + "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", + "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/redacted.iam.gserviceaccount.com" + } diff --git a/charts/redpanda/redpanda/5.9.5/charts/console/helpers.go b/charts/redpanda/redpanda/5.9.5/charts/console/helpers.go new file mode 100644 index 000000000..eed4aa711 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/console/helpers.go @@ -0,0 +1,84 @@ +// Licensed to the Apache Software Foundation (ASF) under one or more +// contributor license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright ownership. +// The ASF licenses this file to You under the Apache License, Version 2.0 +// (the "License"); you may not use this file except in compliance with +// the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// +gotohelm:filename=_helpers.go.tpl +package console + +import ( + "fmt" + "strings" + + "github.com/redpanda-data/helm-charts/pkg/gotohelm/helmette" +) + +// Expand the name of the chart. +func Name(dot *helmette.Dot) string { + values := helmette.Unwrap[Values](dot.Values) + + name := helmette.Default(dot.Chart.Name, values.NameOverride) + return cleanForK8s(name) +} + +// Create a default fully qualified app name. +// We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +// If release name contains chart name it will be used as a full name. +func Fullname(dot *helmette.Dot) string { + values := helmette.Unwrap[Values](dot.Values) + + if values.FullnameOverride != "" { + return cleanForK8s(values.FullnameOverride) + } + + name := helmette.Default(dot.Chart.Name, values.NameOverride) + + if helmette.Contains(name, dot.Release.Name) { + return cleanForK8s(dot.Release.Name) + } + + return cleanForK8s(fmt.Sprintf("%s-%s", dot.Release.Name, name)) +} + +// Create chart name and version as used by the chart label. +func Chart(dot *helmette.Dot) string { + chart := fmt.Sprintf("%s-%s", dot.Chart.Name, dot.Chart.Version) + return cleanForK8s(strings.ReplaceAll(chart, "+", "_")) +} + +// Common labels +func Labels(dot *helmette.Dot) map[string]string { + values := helmette.Unwrap[Values](dot.Values) + + labels := map[string]string{ + "helm.sh/chart": Chart(dot), + "app.kubernetes.io/managed-by": dot.Release.Service, + } + + if dot.Chart.AppVersion != "" { + labels["app.kubernetes.io/version"] = dot.Chart.AppVersion + } + + return helmette.Merge(labels, SelectorLabels(dot), values.CommonLabels) +} + +func SelectorLabels(dot *helmette.Dot) map[string]string { + return map[string]string{ + "app.kubernetes.io/name": Name(dot), + "app.kubernetes.io/instance": dot.Release.Name, + } +} + +func cleanForK8s(s string) string { + return helmette.TrimSuffix("-", helmette.Trunc(63, s)) +} diff --git a/charts/redpanda/redpanda/5.9.5/charts/console/hpa.go b/charts/redpanda/redpanda/5.9.5/charts/console/hpa.go new file mode 100644 index 000000000..3b0458cff --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/console/hpa.go @@ -0,0 +1,82 @@ +// Licensed to the Apache Software Foundation (ASF) under one or more +// contributor license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright ownership. +// The ASF licenses this file to You under the Apache License, Version 2.0 +// (the "License"); you may not use this file except in compliance with +// the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// +gotohelm:filename=_hpa.go.tpl +package console + +import ( + "github.com/redpanda-data/helm-charts/pkg/gotohelm/helmette" + autoscalingv2 "k8s.io/api/autoscaling/v2" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/utils/ptr" +) + +func HorizontalPodAutoscaler(dot *helmette.Dot) *autoscalingv2.HorizontalPodAutoscaler { + values := helmette.Unwrap[Values](dot.Values) + + if !values.Autoscaling.Enabled { + return nil + } + + metrics := []autoscalingv2.MetricSpec{} + + if values.Autoscaling.TargetCPUUtilizationPercentage != nil { + metrics = append(metrics, autoscalingv2.MetricSpec{ + Type: "Resource", + Resource: &autoscalingv2.ResourceMetricSource{ + Name: corev1.ResourceCPU, + Target: autoscalingv2.MetricTarget{ + Type: autoscalingv2.UtilizationMetricType, + AverageUtilization: values.Autoscaling.TargetCPUUtilizationPercentage, + }, + }, + }) + } + + if values.Autoscaling.TargetMemoryUtilizationPercentage != nil { + metrics = append(metrics, autoscalingv2.MetricSpec{ + Type: "Resource", + Resource: &autoscalingv2.ResourceMetricSource{ + Name: corev1.ResourceMemory, + Target: autoscalingv2.MetricTarget{ + Type: autoscalingv2.UtilizationMetricType, + AverageUtilization: values.Autoscaling.TargetMemoryUtilizationPercentage, + }, + }, + }) + } + + return &autoscalingv2.HorizontalPodAutoscaler{ + TypeMeta: metav1.TypeMeta{ + APIVersion: "autoscaling/v2", + Kind: "HorizontalPodAutoscaler", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: Fullname(dot), + Labels: Labels(dot), + }, + Spec: autoscalingv2.HorizontalPodAutoscalerSpec{ + ScaleTargetRef: autoscalingv2.CrossVersionObjectReference{ + APIVersion: "apps/v1", + Kind: "Deployment", + Name: Fullname(dot), + }, + MinReplicas: ptr.To(values.Autoscaling.MinReplicas), + MaxReplicas: values.Autoscaling.MaxReplicas, + Metrics: metrics, + }, + } +} diff --git a/charts/redpanda/redpanda/5.9.5/charts/console/ingress.go b/charts/redpanda/redpanda/5.9.5/charts/console/ingress.go new file mode 100644 index 000000000..926c286f1 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/console/ingress.go @@ -0,0 +1,88 @@ +// Licensed to the Apache Software Foundation (ASF) under one or more +// contributor license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright ownership. +// The ASF licenses this file to You under the Apache License, Version 2.0 +// (the "License"); you may not use this file except in compliance with +// the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// +gotohelm:filename=_ingress.go.tpl +package console + +import ( + "github.com/redpanda-data/helm-charts/pkg/gotohelm/helmette" + networkingv1 "k8s.io/api/networking/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +func Ingress(dot *helmette.Dot) *networkingv1.Ingress { + values := helmette.Unwrap[Values](dot.Values) + + if !values.Ingress.Enabled { + return nil + } + + var tls []networkingv1.IngressTLS + for _, t := range values.Ingress.TLS { + var hosts []string + for _, host := range t.Hosts { + hosts = append(hosts, helmette.Tpl(host, dot)) + } + tls = append(tls, networkingv1.IngressTLS{ + SecretName: t.SecretName, + Hosts: hosts, + }) + } + + var rules []networkingv1.IngressRule + for _, host := range values.Ingress.Hosts { + var paths []networkingv1.HTTPIngressPath + for _, path := range host.Paths { + paths = append(paths, networkingv1.HTTPIngressPath{ + Path: path.Path, + PathType: path.PathType, + Backend: networkingv1.IngressBackend{ + Service: &networkingv1.IngressServiceBackend{ + Name: Fullname(dot), + Port: networkingv1.ServiceBackendPort{ + Number: values.Service.Port, + }, + }, + }, + }) + } + + rules = append(rules, networkingv1.IngressRule{ + Host: helmette.Tpl(host.Host, dot), + IngressRuleValue: networkingv1.IngressRuleValue{ + HTTP: &networkingv1.HTTPIngressRuleValue{ + Paths: paths, + }, + }, + }) + } + + return &networkingv1.Ingress{ + TypeMeta: metav1.TypeMeta{ + Kind: "Ingress", + APIVersion: "networking.k8s.io/v1", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: Fullname(dot), + Labels: Labels(dot), + Annotations: values.Ingress.Annotations, + }, + Spec: networkingv1.IngressSpec{ + IngressClassName: values.Ingress.ClassName, + TLS: tls, + Rules: rules, + }, + } +} diff --git a/charts/redpanda/redpanda/5.9.5/charts/console/notes.go b/charts/redpanda/redpanda/5.9.5/charts/console/notes.go new file mode 100644 index 000000000..1f652dbaf --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/console/notes.go @@ -0,0 +1,67 @@ +// Licensed to the Apache Software Foundation (ASF) under one or more +// contributor license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright ownership. +// The ASF licenses this file to You under the Apache License, Version 2.0 +// (the "License"); you may not use this file except in compliance with +// the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// +gotohelm:filename=_notes.go.tpl +package console + +import ( + "fmt" + + "github.com/redpanda-data/helm-charts/pkg/gotohelm/helmette" +) + +func Notes(dot *helmette.Dot) []string { + values := helmette.Unwrap[Values](dot.Values) + + commands := []string{ + `1. Get the application URL by running these commands:`, + } + if values.Ingress.Enabled { + scheme := "http" + if len(values.Ingress.TLS) > 0 { + scheme = "https" + } + for _, host := range values.Ingress.Hosts { + for _, path := range host.Paths { + commands = append(commands, fmt.Sprintf("%s://%s%s", scheme, host.Host, path.Path)) + } + } + } else if helmette.Contains("NodePort", string(values.Service.Type)) { + commands = append( + commands, + fmt.Sprintf(` export NODE_PORT=$(kubectl get --namespace %s -o jsonpath="{.spec.ports[0].nodePort}" services %s)`, dot.Release.Namespace, Fullname(dot)), + fmt.Sprintf(` export NODE_IP=$(kubectl get nodes --namespace %s -o jsonpath="{.items[0].status.addresses[0].address}")`, dot.Release.Namespace), + " echo http://$NODE_IP:$NODE_PORT", + ) + } else if helmette.Contains("NodePort", string(values.Service.Type)) { + commands = append( + commands, + ` NOTE: It may take a few minutes for the LoadBalancer IP to be available.`, + fmt.Sprintf(` You can watch the status of by running 'kubectl get --namespace %s svc -w %s'`, dot.Release.Namespace, Fullname(dot)), + fmt.Sprintf(` export SERVICE_IP=$(kubectl get svc --namespace %s %s --template "{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}")`, dot.Release.Namespace, Fullname(dot)), + fmt.Sprintf(` echo http://$SERVICE_IP:%d`, values.Service.Port), + ) + } else if helmette.Contains("ClusterIP", string(values.Service.Type)) { + commands = append( + commands, + fmt.Sprintf(` export POD_NAME=$(kubectl get pods --namespace %s -l "app.kubernetes.io/name=%s,app.kubernetes.io/instance=%s" -o jsonpath="{.items[0].metadata.name}")`, dot.Release.Namespace, Name(dot), dot.Release.Name), + fmt.Sprintf(` export CONTAINER_PORT=$(kubectl get pod --namespace %s $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")`, dot.Release.Namespace), + ` echo "Visit http://127.0.0.1:8080 to use your application"`, + fmt.Sprintf(` kubectl --namespace %s port-forward $POD_NAME 8080:$CONTAINER_PORT`, dot.Release.Namespace), + ) + } + + return commands +} diff --git a/charts/redpanda/redpanda/5.9.5/charts/console/secret.go b/charts/redpanda/redpanda/5.9.5/charts/console/secret.go new file mode 100644 index 000000000..d23951cbd --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/console/secret.go @@ -0,0 +1,84 @@ +// Licensed to the Apache Software Foundation (ASF) under one or more +// contributor license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright ownership. +// The ASF licenses this file to You under the Apache License, Version 2.0 +// (the "License"); you may not use this file except in compliance with +// the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// +gotohelm:filename=_secret.go.tpl +package console + +import ( + "github.com/redpanda-data/helm-charts/pkg/gotohelm/helmette" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/utils/ptr" +) + +func Secret(dot *helmette.Dot) *corev1.Secret { + values := helmette.Unwrap[Values](dot.Values) + + if !values.Secret.Create { + return nil + } + + jwtSecret := values.Secret.Login.JWTSecret + if jwtSecret == "" { + jwtSecret = helmette.RandAlphaNum(32) + } + + return &corev1.Secret{ + TypeMeta: metav1.TypeMeta{ + APIVersion: "v1", + Kind: "Secret", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: Fullname(dot), + Labels: Labels(dot), + }, + Type: corev1.SecretTypeOpaque, + StringData: map[string]string{ + // Set empty defaults, so that we can always mount them as env variable even if they are not used. + // For this reason we can't use `with` to change the scope. + + // Kafka + "kafka-sasl-password": ptr.Deref(values.Secret.Kafka.SASLPassword, ""), + "kafka-protobuf-git-basicauth-password": ptr.Deref(values.Secret.Kafka.ProtobufGitBasicAuthPassword, ""), + "kafka-sasl-aws-msk-iam-secret-key": ptr.Deref(values.Secret.Kafka.AWSMSKIAMSecretKey, ""), + "kafka-tls-ca": ptr.Deref(values.Secret.Kafka.TLSCA, ""), + "kafka-tls-cert": ptr.Deref(values.Secret.Kafka.TLSCert, ""), + "kafka-tls-key": ptr.Deref(values.Secret.Kafka.TLSKey, ""), + "kafka-schema-registry-password": ptr.Deref(values.Secret.Kafka.SchemaRegistryPassword, ""), + "kafka-schemaregistry-tls-ca": ptr.Deref(values.Secret.Kafka.SchemaRegistryTLSCA, ""), + "kafka-schemaregistry-tls-cert": ptr.Deref(values.Secret.Kafka.SchemaRegistryTLSCert, ""), + "kafka-schemaregistry-tls-key": ptr.Deref(values.Secret.Kafka.SchemaRegistryTLSKey, ""), + + // Login + "login-jwt-secret": jwtSecret, + "login-google-oauth-client-secret": ptr.Deref(values.Secret.Login.Google.ClientSecret, ""), + "login-google-groups-service-account.json": ptr.Deref(values.Secret.Login.Google.GroupsServiceAccount, ""), + "login-github-oauth-client-secret": ptr.Deref(values.Secret.Login.Github.ClientSecret, ""), + "login-github-personal-access-token": ptr.Deref(values.Secret.Login.Github.PersonalAccessToken, ""), + "login-okta-client-secret": ptr.Deref(values.Secret.Login.Okta.ClientSecret, ""), + "login-okta-directory-api-token": ptr.Deref(values.Secret.Login.Okta.DirectoryAPIToken, ""), + "login-oidc-client-secret": ptr.Deref(values.Secret.Login.OIDC.ClientSecret, ""), + + // Enterprise + "enterprise-license": ptr.Deref(values.Secret.Enterprise.License, ""), + + // Redpanda + "redpanda-admin-api-password": ptr.Deref(values.Secret.Redpanda.AdminAPI.Password, ""), + "redpanda-admin-api-tls-ca": ptr.Deref(values.Secret.Redpanda.AdminAPI.TLSCA, ""), + "redpanda-admin-api-tls-cert": ptr.Deref(values.Secret.Redpanda.AdminAPI.TLSCert, ""), + "redpanda-admin-api-tls-key": ptr.Deref(values.Secret.Redpanda.AdminAPI.TLSKey, ""), + }, + } +} diff --git a/charts/redpanda/redpanda/5.9.5/charts/console/service.go b/charts/redpanda/redpanda/5.9.5/charts/console/service.go new file mode 100644 index 000000000..65214bf3e --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/console/service.go @@ -0,0 +1,60 @@ +// Licensed to the Apache Software Foundation (ASF) under one or more +// contributor license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright ownership. +// The ASF licenses this file to You under the Apache License, Version 2.0 +// (the "License"); you may not use this file except in compliance with +// the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// +gotohelm:filename=_service.go.tpl +package console + +import ( + "github.com/redpanda-data/helm-charts/pkg/gotohelm/helmette" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/intstr" +) + +func Service(dot *helmette.Dot) *corev1.Service { + values := helmette.Unwrap[Values](dot.Values) + + port := corev1.ServicePort{ + Name: "http", + Port: int32(values.Service.Port), + Protocol: corev1.ProtocolTCP, + } + + if values.Service.TargetPort != nil { + port.TargetPort = intstr.FromInt32(*values.Service.TargetPort) + } + + if helmette.Contains("NodePort", string(values.Service.Type)) && values.Service.NodePort != nil { + port.NodePort = *values.Service.NodePort + } + + return &corev1.Service{ + TypeMeta: metav1.TypeMeta{ + APIVersion: "v1", + Kind: "Service", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: Fullname(dot), + Namespace: dot.Release.Namespace, + Labels: Labels(dot), + Annotations: values.Service.Annotations, + }, + Spec: corev1.ServiceSpec{ + Type: values.Service.Type, + Selector: SelectorLabels(dot), + Ports: []corev1.ServicePort{port}, + }, + } +} diff --git a/charts/redpanda/redpanda/5.9.5/charts/console/serviceaccount.go b/charts/redpanda/redpanda/5.9.5/charts/console/serviceaccount.go new file mode 100644 index 000000000..c23e5c92c --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/console/serviceaccount.go @@ -0,0 +1,60 @@ +// Licensed to the Apache Software Foundation (ASF) under one or more +// contributor license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright ownership. +// The ASF licenses this file to You under the Apache License, Version 2.0 +// (the "License"); you may not use this file except in compliance with +// the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// +gotohelm:filename=_serviceaccount.go.tpl +package console + +import ( + "github.com/redpanda-data/helm-charts/pkg/gotohelm/helmette" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/utils/ptr" +) + +// Create the name of the service account to use +func ServiceAccountName(dot *helmette.Dot) string { + values := helmette.Unwrap[Values](dot.Values) + + if values.ServiceAccount.Create { + if values.ServiceAccount.Name != "" { + return values.ServiceAccount.Name + } + return Fullname(dot) + } + + return helmette.Default("default", values.ServiceAccount.Name) +} + +func ServiceAccount(dot *helmette.Dot) *corev1.ServiceAccount { + values := helmette.Unwrap[Values](dot.Values) + + if !values.ServiceAccount.Create { + return nil + } + + return &corev1.ServiceAccount{ + TypeMeta: metav1.TypeMeta{ + Kind: "ServiceAccount", + APIVersion: "v1", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: ServiceAccountName(dot), + Labels: Labels(dot), + Namespace: dot.Release.Namespace, + Annotations: values.ServiceAccount.Annotations, + }, + AutomountServiceAccountToken: ptr.To(values.ServiceAccount.AutomountServiceAccountToken), + } +} diff --git a/charts/redpanda/redpanda/5.9.5/charts/console/templates/NOTES.txt b/charts/redpanda/redpanda/5.9.5/charts/console/templates/NOTES.txt new file mode 100644 index 000000000..7541881fc --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/console/templates/NOTES.txt @@ -0,0 +1,20 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- $notes := (get ((include "console.Notes" (dict "a" (list .))) | fromJson) "r") -}} +{{- range $_, $note := $notes }} +{{ $note }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.5/charts/console/templates/_configmap.go.tpl b/charts/redpanda/redpanda/5.9.5/charts/console/templates/_configmap.go.tpl new file mode 100644 index 000000000..14673b024 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/console/templates/_configmap.go.tpl @@ -0,0 +1,25 @@ +{{- /* Generated from "configmap.go" */ -}} + +{{- define "console.ConfigMap" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.configmap.create) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $data := (dict "config.yaml" (printf "# from .Values.console.config\n%s\n" (tpl (toYaml $values.console.config) $dot)) ) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.console.roles) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $data "roles.yaml" (tpl (toYaml (dict "roles" $values.console.roles )) $dot)) -}} +{{- end -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.console.roleBindings) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $data "role-bindings.yaml" (tpl (toYaml (dict "roleBindings" $values.console.roleBindings )) $dot)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "ConfigMap" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "console.Labels" (dict "a" (list $dot) ))) "r") )) "data" $data ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.5/charts/console/templates/_deployment.go.tpl b/charts/redpanda/redpanda/5.9.5/charts/console/templates/_deployment.go.tpl new file mode 100644 index 000000000..71696bb25 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/console/templates/_deployment.go.tpl @@ -0,0 +1,133 @@ +{{- /* Generated from "deployment.go" */ -}} + +{{- define "console.ContainerPort" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $listenPort := ((8080 | int) | int) -}} +{{- if (ne $values.service.targetPort (coalesce nil)) -}} +{{- $listenPort = $values.service.targetPort -}} +{{- end -}} +{{- $configListenPort := (dig "server" "listenPort" (coalesce nil) $values.console.config) -}} +{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.asintegral" (dict "a" (list $configListenPort) ))) "r")) ))) "r") -}} +{{- $ok_2 := $tmp_tuple_1.T2 -}} +{{- $asInt_1 := ($tmp_tuple_1.T1 | int) -}} +{{- if $ok_2 -}} +{{- $_is_returning = true -}} +{{- (dict "r" ($asInt_1 | int)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $listenPort) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.Deployment" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.deployment.create) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $replicas := (coalesce nil) -}} +{{- if (not $values.autoscaling.enabled) -}} +{{- $replicas = ($values.replicaCount | int) -}} +{{- end -}} +{{- $initContainers := (coalesce nil) -}} +{{- if (ne $values.initContainers.extraInitContainers (coalesce nil)) -}} +{{- $initContainers = (fromYamlArray (tpl $values.initContainers.extraInitContainers $dot)) -}} +{{- end -}} +{{- $volumeMounts := (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "configs" "mountPath" "/etc/console/configs" "readOnly" true ))) -}} +{{- if $values.secret.create -}} +{{- $volumeMounts = (concat (default (list ) $volumeMounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "secrets" "mountPath" "/etc/console/secrets" "readOnly" true )))) -}} +{{- end -}} +{{- range $_, $mount := $values.secretMounts -}} +{{- $volumeMounts = (concat (default (list ) $volumeMounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" $mount.name "mountPath" $mount.path "subPath" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $mount.subPath "") ))) "r") )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $volumeMounts = (concat (default (list ) $volumeMounts) (default (list ) $values.extraVolumeMounts)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "selector" (coalesce nil) "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) "strategy" (dict ) ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "apps/v1" "kind" "Deployment" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "console.Labels" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "annotations" $values.annotations )) "spec" (mustMergeOverwrite (dict "selector" (coalesce nil) "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) "strategy" (dict ) ) (dict "replicas" $replicas "selector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "console.SelectorLabels" (dict "a" (list $dot) ))) "r") )) "strategy" $values.strategy "template" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "annotations" (merge (dict ) (dict "checksum/config" (sha256sum (toYaml (get (fromJson (include "console.ConfigMap" (dict "a" (list $dot) ))) "r"))) ) $values.podAnnotations) "labels" (merge (dict ) (get (fromJson (include "console.SelectorLabels" (dict "a" (list $dot) ))) "r") $values.podLabels) )) "spec" (mustMergeOverwrite (dict "containers" (coalesce nil) ) (dict "imagePullSecrets" $values.imagePullSecrets "serviceAccountName" (get (fromJson (include "console.ServiceAccountName" (dict "a" (list $dot) ))) "r") "automountServiceAccountToken" $values.automountServiceAccountToken "securityContext" $values.podSecurityContext "nodeSelector" $values.nodeSelector "affinity" $values.affinity "topologySpreadConstraints" $values.topologySpreadConstraints "priorityClassName" $values.priorityClassName "tolerations" $values.tolerations "volumes" (get (fromJson (include "console.consolePodVolumes" (dict "a" (list $dot) ))) "r") "initContainers" $initContainers "containers" (concat (default (list ) (list (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" $dot.Chart.Name "command" $values.deployment.command "args" (concat (default (list ) (list "--config.filepath=/etc/console/configs/config.yaml")) (default (list ) $values.deployment.extraArgs)) "securityContext" $values.securityContext "image" (get (fromJson (include "console.containerImage" (dict "a" (list $dot) ))) "r") "imagePullPolicy" $values.image.pullPolicy "ports" (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" "http" "containerPort" ((get (fromJson (include "console.ContainerPort" (dict "a" (list $dot) ))) "r") | int) "protocol" "TCP" ))) "volumeMounts" $volumeMounts "livenessProbe" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "httpGet" (mustMergeOverwrite (dict "port" 0 ) (dict "path" "/admin/health" "port" "http" )) )) (dict "initialDelaySeconds" ($values.livenessProbe.initialDelaySeconds | int) "periodSeconds" ($values.livenessProbe.periodSeconds | int) "timeoutSeconds" ($values.livenessProbe.timeoutSeconds | int) "successThreshold" ($values.livenessProbe.successThreshold | int) "failureThreshold" ($values.livenessProbe.failureThreshold | int) )) "readinessProbe" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "httpGet" (mustMergeOverwrite (dict "port" 0 ) (dict "path" "/admin/health" "port" "http" )) )) (dict "initialDelaySeconds" ($values.readinessProbe.initialDelaySeconds | int) "periodSeconds" ($values.readinessProbe.periodSeconds | int) "timeoutSeconds" ($values.readinessProbe.timeoutSeconds | int) "successThreshold" ($values.readinessProbe.successThreshold | int) "failureThreshold" ($values.readinessProbe.failureThreshold | int) )) "resources" $values.resources "env" (get (fromJson (include "console.consoleContainerEnv" (dict "a" (list $dot) ))) "r") "envFrom" $values.extraEnvFrom )))) (default (list ) $values.extraContainers)) )) )) )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.containerImage" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $tag := $dot.Chart.AppVersion -}} +{{- if (not (empty $values.image.tag)) -}} +{{- $tag = $values.image.tag -}} +{{- end -}} +{{- $image := (printf "%s:%s" $values.image.repository $tag) -}} +{{- if (not (empty $values.image.registry)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s/%s" $values.image.registry $image)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $image) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.consoleContainerEnv" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.secret.create) -}} +{{- $vars := $values.extraEnv -}} +{{- if (not (empty $values.enterprise.licenseSecretRef.name)) -}} +{{- $vars = (concat (default (list ) $values.extraEnv) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "LICENSE" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" $values.enterprise.licenseSecretRef.name )) (dict "key" (default "enterprise-license" $values.enterprise.licenseSecretRef.key) )) )) )))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $vars) | toJson -}} +{{- break -}} +{{- end -}} +{{- $possibleVars := (list (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.saslPassword "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_SASL_PASSWORD" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "kafka-sasl-password" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.protobufGitBasicAuthPassword "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_PROTOBUF_GIT_BASICAUTH_PASSWORD" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "kafka-protobuf-git-basicauth-password" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.awsMskIamSecretKey "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_SASL_AWSMSKIAM_SECRETKEY" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "kafka-sasl-aws-msk-iam-secret-key" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.tlsCa "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_TLS_CAFILEPATH" "value" "/etc/console/secrets/kafka-tls-ca" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.tlsCert "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_TLS_CERTFILEPATH" "value" "/etc/console/secrets/kafka-tls-cert" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.tlsKey "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_TLS_KEYFILEPATH" "value" "/etc/console/secrets/kafka-tls-key" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.schemaRegistryTlsCa "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_SCHEMAREGISTRY_TLS_CAFILEPATH" "value" "/etc/console/secrets/kafka-schemaregistry-tls-ca" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.schemaRegistryTlsCert "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_SCHEMAREGISTRY_TLS_CERTFILEPATH" "value" "/etc/console/secrets/kafka-schemaregistry-tls-cert" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.schemaRegistryTlsKey "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_SCHEMAREGISTRY_TLS_KEYFILEPATH" "value" "/etc/console/secrets/kafka-schemaregistry-tls-key" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.schemaRegistryPassword "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_SCHEMAREGISTRY_PASSWORD" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "kafka-schema-registry-password" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" true "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LOGIN_JWTSECRET" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "login-jwt-secret" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.login.google.clientSecret "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LOGIN_GOOGLE_CLIENTSECRET" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "login-google-oauth-client-secret" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.login.google.groupsServiceAccount "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LOGIN_GOOGLE_DIRECTORY_SERVICEACCOUNTFILEPATH" "value" "/etc/console/secrets/login-google-groups-service-account.json" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.login.github.clientSecret "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LOGIN_GITHUB_CLIENTSECRET" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "login-github-oauth-client-secret" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.login.github.personalAccessToken "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LOGIN_GITHUB_DIRECTORY_PERSONALACCESSTOKEN" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "login-github-personal-access-token" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.login.okta.clientSecret "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LOGIN_OKTA_CLIENTSECRET" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "login-okta-client-secret" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.login.okta.directoryApiToken "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LOGIN_OKTA_DIRECTORY_APITOKEN" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "login-okta-directory-api-token" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.login.oidc.clientSecret "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LOGIN_OIDC_CLIENTSECRET" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "login-oidc-client-secret" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.enterprise.License "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LICENSE" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "enterprise-license" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.redpanda.adminApi.password "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_ADMINAPI_PASSWORD" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "redpanda-admin-api-password" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.redpanda.adminApi.tlsCa "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_ADMINAPI_TLS_CAFILEPATH" "value" "/etc/console/secrets/redpanda-admin-api-tls-ca" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.redpanda.adminApi.tlsKey "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_ADMINAPI_TLS_KEYFILEPATH" "value" "/etc/console/secrets/redpanda-admin-api-tls-key" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.redpanda.adminApi.tlsCert "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_ADMINAPI_TLS_CERTFILEPATH" "value" "/etc/console/secrets/redpanda-admin-api-tls-cert" )) ))) -}} +{{- $vars := $values.extraEnv -}} +{{- range $_, $possible := $possibleVars -}} +{{- if (not (empty $possible.Value)) -}} +{{- $vars = (concat (default (list ) $vars) (list $possible.EnvVar)) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $vars) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.consolePodVolumes" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $volumes := (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "configMap" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict )) )) (dict "name" "configs" ))) -}} +{{- if $values.secret.create -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) )) (dict "name" "secrets" )))) -}} +{{- end -}} +{{- range $_, $mount := $values.secretMounts -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" $mount.secretName "defaultMode" $mount.defaultMode )) )) (dict "name" $mount.name )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) $volumes) (default (list ) $values.extraVolumes))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.5/charts/console/templates/_helpers.go.tpl b/charts/redpanda/redpanda/5.9.5/charts/console/templates/_helpers.go.tpl new file mode 100644 index 000000000..88b00025d --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/console/templates/_helpers.go.tpl @@ -0,0 +1,82 @@ +{{- /* Generated from "helpers.go" */ -}} + +{{- define "console.Name" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $name := (default $dot.Chart.Name $values.nameOverride) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "console.cleanForK8s" (dict "a" (list $name) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.Fullname" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (ne $values.fullnameOverride "") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "console.cleanForK8s" (dict "a" (list $values.fullnameOverride) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- $name := (default $dot.Chart.Name $values.nameOverride) -}} +{{- if (contains $name $dot.Release.Name) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "console.cleanForK8s" (dict "a" (list $dot.Release.Name) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "console.cleanForK8s" (dict "a" (list (printf "%s-%s" $dot.Release.Name $name)) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.Chart" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $chart := (printf "%s-%s" $dot.Chart.Name $dot.Chart.Version) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "console.cleanForK8s" (dict "a" (list (replace "+" "_" $chart)) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.Labels" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $labels := (dict "helm.sh/chart" (get (fromJson (include "console.Chart" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/managed-by" $dot.Release.Service ) -}} +{{- if (ne $dot.Chart.AppVersion "") -}} +{{- $_ := (set $labels "app.kubernetes.io/version" $dot.Chart.AppVersion) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) $labels (get (fromJson (include "console.SelectorLabels" (dict "a" (list $dot) ))) "r") $values.commonLabels)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.SelectorLabels" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict "app.kubernetes.io/name" (get (fromJson (include "console.Name" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/instance" $dot.Release.Name )) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.cleanForK8s" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (trimSuffix "-" (trunc (63 | int) $s))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.5/charts/console/templates/_helpers.tpl b/charts/redpanda/redpanda/5.9.5/charts/console/templates/_helpers.tpl new file mode 100644 index 000000000..ee2ab5d9b --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/console/templates/_helpers.tpl @@ -0,0 +1,25 @@ +{{/* +Expand the name of the chart. +Used by tests/test-connection.yaml +*/}} +{{- define "console.name" -}} +{{- get ((include "console.Name" (dict "a" (list .))) | fromJson) "r" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +Used by tests/test-connection.yaml +*/}} +{{- define "console.fullname" -}} +{{- get ((include "console.Fullname" (dict "a" (list .))) | fromJson) "r" }} +{{- end }} + +{{/* +Common labels +Used by tests/test-connection.yaml +*/}} +{{- define "console.labels" -}} +{{- (get ((include "console.Labels" (dict "a" (list .))) | fromJson) "r") | toYaml -}} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.5/charts/console/templates/_hpa.go.tpl b/charts/redpanda/redpanda/5.9.5/charts/console/templates/_hpa.go.tpl new file mode 100644 index 000000000..5957633d2 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/console/templates/_hpa.go.tpl @@ -0,0 +1,25 @@ +{{- /* Generated from "hpa.go" */ -}} + +{{- define "console.HorizontalPodAutoscaler" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.autoscaling.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $metrics := (list ) -}} +{{- if (ne $values.autoscaling.targetCPUUtilizationPercentage (coalesce nil)) -}} +{{- $metrics = (concat (default (list ) $metrics) (list (mustMergeOverwrite (dict "type" "" ) (dict "type" "Resource" "resource" (mustMergeOverwrite (dict "name" "" "target" (dict "type" "" ) ) (dict "name" "cpu" "target" (mustMergeOverwrite (dict "type" "" ) (dict "type" "Utilization" "averageUtilization" $values.autoscaling.targetCPUUtilizationPercentage )) )) )))) -}} +{{- end -}} +{{- if (ne $values.autoscaling.targetMemoryUtilizationPercentage (coalesce nil)) -}} +{{- $metrics = (concat (default (list ) $metrics) (list (mustMergeOverwrite (dict "type" "" ) (dict "type" "Resource" "resource" (mustMergeOverwrite (dict "name" "" "target" (dict "type" "" ) ) (dict "name" "memory" "target" (mustMergeOverwrite (dict "type" "" ) (dict "type" "Utilization" "averageUtilization" $values.autoscaling.targetMemoryUtilizationPercentage )) )) )))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "scaleTargetRef" (dict "kind" "" "name" "" ) "maxReplicas" 0 ) "status" (dict "desiredReplicas" 0 "currentMetrics" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "autoscaling/v2" "kind" "HorizontalPodAutoscaler" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "console.Labels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict "scaleTargetRef" (dict "kind" "" "name" "" ) "maxReplicas" 0 ) (dict "scaleTargetRef" (mustMergeOverwrite (dict "kind" "" "name" "" ) (dict "apiVersion" "apps/v1" "kind" "Deployment" "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) "minReplicas" ($values.autoscaling.minReplicas | int) "maxReplicas" ($values.autoscaling.maxReplicas | int) "metrics" $metrics )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.5/charts/console/templates/_ingress.go.tpl b/charts/redpanda/redpanda/5.9.5/charts/console/templates/_ingress.go.tpl new file mode 100644 index 000000000..0df05e870 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/console/templates/_ingress.go.tpl @@ -0,0 +1,46 @@ +{{- /* Generated from "ingress.go" */ -}} + +{{- define "console.Ingress" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.ingress.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $tls := (coalesce nil) -}} +{{- range $_, $t := $values.ingress.tls -}} +{{- $hosts := (coalesce nil) -}} +{{- range $_, $host := $t.hosts -}} +{{- $hosts = (concat (default (list ) $hosts) (list (tpl $host $dot))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $tls = (concat (default (list ) $tls) (list (mustMergeOverwrite (dict ) (dict "secretName" $t.secretName "hosts" $hosts )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $rules := (coalesce nil) -}} +{{- range $_, $host := $values.ingress.hosts -}} +{{- $paths := (coalesce nil) -}} +{{- range $_, $path := $host.paths -}} +{{- $paths = (concat (default (list ) $paths) (list (mustMergeOverwrite (dict "pathType" (coalesce nil) "backend" (dict ) ) (dict "path" $path.path "pathType" $path.pathType "backend" (mustMergeOverwrite (dict ) (dict "service" (mustMergeOverwrite (dict "name" "" "port" (dict ) ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") "port" (mustMergeOverwrite (dict ) (dict "number" ($values.service.port | int) )) )) )) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $rules = (concat (default (list ) $rules) (list (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "http" (mustMergeOverwrite (dict "paths" (coalesce nil) ) (dict "paths" $paths )) )) (dict "host" (tpl $host.host $dot) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict "loadBalancer" (dict ) ) ) (mustMergeOverwrite (dict ) (dict "kind" "Ingress" "apiVersion" "networking.k8s.io/v1" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "console.Labels" (dict "a" (list $dot) ))) "r") "annotations" $values.ingress.annotations )) "spec" (mustMergeOverwrite (dict ) (dict "ingressClassName" $values.ingress.className "tls" $tls "rules" $rules )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.5/charts/console/templates/_notes.go.tpl b/charts/redpanda/redpanda/5.9.5/charts/console/templates/_notes.go.tpl new file mode 100644 index 000000000..6b58b21ef --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/console/templates/_notes.go.tpl @@ -0,0 +1,40 @@ +{{- /* Generated from "notes.go" */ -}} + +{{- define "console.Notes" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $commands := (list `1. Get the application URL by running these commands:`) -}} +{{- if $values.ingress.enabled -}} +{{- $scheme := "http" -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.ingress.tls) ))) "r") | int) (0 | int)) -}} +{{- $scheme = "https" -}} +{{- end -}} +{{- range $_, $host := $values.ingress.hosts -}} +{{- range $_, $path := $host.paths -}} +{{- $commands = (concat (default (list ) $commands) (list (printf "%s://%s%s" $scheme $host.host $path.path))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- else -}}{{- if (contains "NodePort" (toString $values.service.type)) -}} +{{- $commands = (concat (default (list ) $commands) (list (printf ` export NODE_PORT=$(kubectl get --namespace %s -o jsonpath="{.spec.ports[0].nodePort}" services %s)` $dot.Release.Namespace (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r")) (printf ` export NODE_IP=$(kubectl get nodes --namespace %s -o jsonpath="{.items[0].status.addresses[0].address}")` $dot.Release.Namespace) " echo http://$NODE_IP:$NODE_PORT")) -}} +{{- else -}}{{- if (contains "NodePort" (toString $values.service.type)) -}} +{{- $commands = (concat (default (list ) $commands) (list ` NOTE: It may take a few minutes for the LoadBalancer IP to be available.` (printf ` You can watch the status of by running 'kubectl get --namespace %s svc -w %s'` $dot.Release.Namespace (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r")) (printf ` export SERVICE_IP=$(kubectl get svc --namespace %s %s --template "{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}")` $dot.Release.Namespace (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r")) (printf ` echo http://$SERVICE_IP:%d` ($values.service.port | int)))) -}} +{{- else -}}{{- if (contains "ClusterIP" (toString $values.service.type)) -}} +{{- $commands = (concat (default (list ) $commands) (list (printf ` export POD_NAME=$(kubectl get pods --namespace %s -l "app.kubernetes.io/name=%s,app.kubernetes.io/instance=%s" -o jsonpath="{.items[0].metadata.name}")` $dot.Release.Namespace (get (fromJson (include "console.Name" (dict "a" (list $dot) ))) "r") $dot.Release.Name) (printf ` export CONTAINER_PORT=$(kubectl get pod --namespace %s $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")` $dot.Release.Namespace) ` echo "Visit http://127.0.0.1:8080 to use your application"` (printf ` kubectl --namespace %s port-forward $POD_NAME 8080:$CONTAINER_PORT` $dot.Release.Namespace))) -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $commands) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.5/charts/console/templates/_secret.go.tpl b/charts/redpanda/redpanda/5.9.5/charts/console/templates/_secret.go.tpl new file mode 100644 index 000000000..49e628993 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/console/templates/_secret.go.tpl @@ -0,0 +1,22 @@ +{{- /* Generated from "secret.go" */ -}} + +{{- define "console.Secret" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.secret.create) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $jwtSecret := $values.secret.login.jwtSecret -}} +{{- if (eq $jwtSecret "") -}} +{{- $jwtSecret = (randAlphaNum (32 | int)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Secret" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "console.Labels" (dict "a" (list $dot) ))) "r") )) "type" "Opaque" "stringData" (dict "kafka-sasl-password" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.saslPassword "") ))) "r") "kafka-protobuf-git-basicauth-password" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.protobufGitBasicAuthPassword "") ))) "r") "kafka-sasl-aws-msk-iam-secret-key" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.awsMskIamSecretKey "") ))) "r") "kafka-tls-ca" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.tlsCa "") ))) "r") "kafka-tls-cert" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.tlsCert "") ))) "r") "kafka-tls-key" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.tlsKey "") ))) "r") "kafka-schema-registry-password" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.schemaRegistryPassword "") ))) "r") "kafka-schemaregistry-tls-ca" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.schemaRegistryTlsCa "") ))) "r") "kafka-schemaregistry-tls-cert" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.schemaRegistryTlsCert "") ))) "r") "kafka-schemaregistry-tls-key" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.schemaRegistryTlsKey "") ))) "r") "login-jwt-secret" $jwtSecret "login-google-oauth-client-secret" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.google.clientSecret "") ))) "r") "login-google-groups-service-account.json" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.google.groupsServiceAccount "") ))) "r") "login-github-oauth-client-secret" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.github.clientSecret "") ))) "r") "login-github-personal-access-token" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.github.personalAccessToken "") ))) "r") "login-okta-client-secret" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.okta.clientSecret "") ))) "r") "login-okta-directory-api-token" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.okta.directoryApiToken "") ))) "r") "login-oidc-client-secret" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.oidc.clientSecret "") ))) "r") "enterprise-license" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.enterprise.License "") ))) "r") "redpanda-admin-api-password" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.redpanda.adminApi.password "") ))) "r") "redpanda-admin-api-tls-ca" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.redpanda.adminApi.tlsCa "") ))) "r") "redpanda-admin-api-tls-cert" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.redpanda.adminApi.tlsCert "") ))) "r") "redpanda-admin-api-tls-key" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.redpanda.adminApi.tlsKey "") ))) "r") ) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.5/charts/console/templates/_service.go.tpl b/charts/redpanda/redpanda/5.9.5/charts/console/templates/_service.go.tpl new file mode 100644 index 000000000..64cef3f8d --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/console/templates/_service.go.tpl @@ -0,0 +1,20 @@ +{{- /* Generated from "service.go" */ -}} + +{{- define "console.Service" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $port := (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "http" "port" (($values.service.port | int) | int) "protocol" "TCP" )) -}} +{{- if (ne $values.service.targetPort (coalesce nil)) -}} +{{- $_ := (set $port "targetPort" $values.service.targetPort) -}} +{{- end -}} +{{- if (and (contains "NodePort" (toString $values.service.type)) (ne $values.service.nodePort (coalesce nil))) -}} +{{- $_ := (set $port "nodePort" $values.service.nodePort) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict "loadBalancer" (dict ) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Service" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "console.Labels" (dict "a" (list $dot) ))) "r") "annotations" $values.service.annotations )) "spec" (mustMergeOverwrite (dict ) (dict "type" $values.service.type "selector" (get (fromJson (include "console.SelectorLabels" (dict "a" (list $dot) ))) "r") "ports" (list $port) )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.5/charts/console/templates/_serviceaccount.go.tpl b/charts/redpanda/redpanda/5.9.5/charts/console/templates/_serviceaccount.go.tpl new file mode 100644 index 000000000..5a49ba3fd --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/console/templates/_serviceaccount.go.tpl @@ -0,0 +1,39 @@ +{{- /* Generated from "serviceaccount.go" */ -}} + +{{- define "console.ServiceAccountName" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if $values.serviceAccount.create -}} +{{- if (ne $values.serviceAccount.name "") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $values.serviceAccount.name) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (default "default" $values.serviceAccount.name)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.ServiceAccount" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.serviceAccount.create) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "kind" "ServiceAccount" "apiVersion" "v1" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "console.ServiceAccountName" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "console.Labels" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "annotations" $values.serviceAccount.annotations )) "automountServiceAccountToken" $values.serviceAccount.automountServiceAccountToken ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.5/charts/console/templates/_shims.tpl b/charts/redpanda/redpanda/5.9.5/charts/console/templates/_shims.tpl new file mode 100644 index 000000000..e3bb40e41 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/console/templates/_shims.tpl @@ -0,0 +1,289 @@ +{{- /* Generated from "bootstrap.go" */ -}} + +{{- define "_shims.typetest" -}} +{{- $typ := (index .a 0) -}} +{{- $value := (index .a 1) -}} +{{- $zero := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (typeIs $typ $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $zero false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.typeassertion" -}} +{{- $typ := (index .a 0) -}} +{{- $value := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (not (typeIs $typ $value)) -}} +{{- $_ := (fail (printf "expected type of %q got: %T" $typ $value)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $value) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.dicttest" -}} +{{- $m := (index .a 0) -}} +{{- $key := (index .a 1) -}} +{{- $zero := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (hasKey $m $key) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (index $m $key) true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $zero false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.compact" -}} +{{- $args := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $out := (dict ) -}} +{{- range $i, $e := $args -}} +{{- $_ := (set $out (printf "T%d" ((add (1 | int) $i) | int)) $e) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $out) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.deref" -}} +{{- $ptr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq $ptr (coalesce nil)) -}} +{{- $_ := (fail "nil dereference") -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $ptr) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.len" -}} +{{- $m := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq $m (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (0 | int)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (len $m)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.ptr_Deref" -}} +{{- $ptr := (index .a 0) -}} +{{- $def := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne $ptr (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $ptr) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $def) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.ptr_Equal" -}} +{{- $a := (index .a 0) -}} +{{- $b := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (and (eq $a (coalesce nil)) (eq $b (coalesce nil))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" true) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (eq $a $b)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.lookup" -}} +{{- $apiVersion := (index .a 0) -}} +{{- $kind := (index .a 1) -}} +{{- $namespace := (index .a 2) -}} +{{- $name := (index .a 3) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (lookup $apiVersion $kind $namespace $name) -}} +{{- if (empty $result) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (coalesce nil) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $result true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.asnumeric" -}} +{{- $value := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (typeIs "float64" $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (typeIs "int64" $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (typeIs "int" $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (0 | int) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.asintegral" -}} +{{- $value := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (or (typeIs "int64" $value) (typeIs "int" $value)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (and (typeIs "float64" $value) (eq (floor $value) $value)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (0 | int) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.parseResource" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (typeIs "float64" $repr) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (float64 $repr) 1.0)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (not (typeIs "string" $repr)) -}} +{{- $_ := (fail (printf "invalid Quantity expected string or float64 got: %T (%v)" $repr $repr)) -}} +{{- end -}} +{{- if (not (regexMatch `^[0-9]+(\.[0-9]{0,6})?(k|m|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$` $repr)) -}} +{{- $_ := (fail (printf "invalid Quantity: %q" $repr)) -}} +{{- end -}} +{{- $reprStr := (toString $repr) -}} +{{- $unit := (regexFind "(k|m|M|G|T|P|Ki|Mi|Gi|Ti|Pi)$" $repr) -}} +{{- $numeric := (float64 (substr (0 | int) ((sub ((get (fromJson (include "_shims.len" (dict "a" (list $reprStr) ))) "r") | int) ((get (fromJson (include "_shims.len" (dict "a" (list $unit) ))) "r") | int)) | int) $reprStr)) -}} +{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list (dict "" 1.0 "m" 0.001 "k" (1000 | int) "M" (1000000 | int) "G" (1000000000 | int) "T" (1000000000000 | int) "P" (1000000000000000 | int) "Ki" (1024 | int) "Mi" (1048576 | int) "Gi" (1073741824 | int) "Ti" (1099511627776 | int) "Pi" (1125899906842624 | int) ) $unit (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok := $tmp_tuple_1.T2 -}} +{{- $scale := ($tmp_tuple_1.T1 | float64) -}} +{{- if (not $ok) -}} +{{- $_ := (fail (printf "unknown unit: %q" $unit)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $numeric $scale)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.resource_MustParse" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_2 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}} +{{- $scale := ($tmp_tuple_2.T2 | float64) -}} +{{- $numeric := ($tmp_tuple_2.T1 | float64) -}} +{{- $strs := (list "" "m" "k" "M" "G" "T" "P" "Ki" "Mi" "Gi" "Ti" "Pi") -}} +{{- $scales := (list 1.0 0.001 (1000 | int) (1000000 | int) (1000000000 | int) (1000000000000 | int) (1000000000000000 | int) (1024 | int) (1048576 | int) (1073741824 | int) (1099511627776 | int) (1125899906842624 | int)) -}} +{{- $idx := -1 -}} +{{- range $i, $s := $scales -}} +{{- if (eq ($s | float64) ($scale | float64)) -}} +{{- $idx = $i -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- if (eq $idx -1) -}} +{{- $_ := (fail (printf "unknown scale: %v" $scale)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s%s" (toString $numeric) (index $strs $idx))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.resource_Value" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_3 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}} +{{- $scale := ($tmp_tuple_3.T2 | float64) -}} +{{- $numeric := ($tmp_tuple_3.T1 | float64) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (int64 (ceil ((mulf $numeric $scale) | float64)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.resource_MilliValue" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_4 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}} +{{- $scale := ($tmp_tuple_4.T2 | float64) -}} +{{- $numeric := ($tmp_tuple_4.T1 | float64) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (int64 (ceil ((mulf ((mulf $numeric 1000.0) | float64) $scale) | float64)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.render-manifest" -}} +{{- $tpl := (index . 0) -}} +{{- $dot := (index . 1) -}} +{{- $manifests := (get ((include $tpl (dict "a" (list $dot))) | fromJson) "r") -}} +{{- if not (typeIs "[]interface {}" $manifests) -}} +{{- $manifests = (list $manifests) -}} +{{- end -}} +{{- range $_, $manifest := $manifests -}} +{{- if ne $manifest nil }} +--- +{{toYaml (unset (unset $manifest "status") "creationTimestamp")}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/redpanda/redpanda/5.9.5/charts/console/templates/configmap.yaml b/charts/redpanda/redpanda/5.9.5/charts/console/templates/configmap.yaml new file mode 100644 index 000000000..cffd69938 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/console/templates/configmap.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "console.ConfigMap" .) -}} diff --git a/charts/redpanda/redpanda/5.9.5/charts/console/templates/deployment.yaml b/charts/redpanda/redpanda/5.9.5/charts/console/templates/deployment.yaml new file mode 100644 index 000000000..48a149041 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/console/templates/deployment.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "console.Deployment" .) -}} diff --git a/charts/redpanda/redpanda/5.9.5/charts/console/templates/hpa.yaml b/charts/redpanda/redpanda/5.9.5/charts/console/templates/hpa.yaml new file mode 100644 index 000000000..9cfc4a132 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/console/templates/hpa.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "console.HorizontalPodAutoscaler" .) -}} diff --git a/charts/redpanda/redpanda/5.9.5/charts/console/templates/ingress.yaml b/charts/redpanda/redpanda/5.9.5/charts/console/templates/ingress.yaml new file mode 100644 index 000000000..ef3867869 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/console/templates/ingress.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "console.Ingress" .) -}} diff --git a/charts/redpanda/redpanda/5.9.5/charts/console/templates/secret.yaml b/charts/redpanda/redpanda/5.9.5/charts/console/templates/secret.yaml new file mode 100644 index 000000000..aeeeba25e --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/console/templates/secret.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "console.Secret" .) -}} diff --git a/charts/redpanda/redpanda/5.9.5/charts/console/templates/service.yaml b/charts/redpanda/redpanda/5.9.5/charts/console/templates/service.yaml new file mode 100644 index 000000000..0f1621faf --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/console/templates/service.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "console.Service" .) -}} diff --git a/charts/redpanda/redpanda/5.9.5/charts/console/templates/serviceaccount.yaml b/charts/redpanda/redpanda/5.9.5/charts/console/templates/serviceaccount.yaml new file mode 100644 index 000000000..9215af70e --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/console/templates/serviceaccount.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "console.ServiceAccount" .) -}} diff --git a/charts/redpanda/redpanda/5.9.5/charts/console/templates/tests/test-connection.yaml b/charts/redpanda/redpanda/5.9.5/charts/console/templates/tests/test-connection.yaml new file mode 100644 index 000000000..de17fb2b1 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/console/templates/tests/test-connection.yaml @@ -0,0 +1,22 @@ +{{- if .Values.tests.enabled }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "console.fullname" . }}-test-connection" + namespace: {{ .Release.Namespace | quote }} + labels: + {{- include "console.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": test +spec: +{{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} +{{- end }} + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['{{ include "console.fullname" . }}:{{ .Values.service.port }}'] + restartPolicy: Never + priorityClassName: {{ .Values.priorityClassName }} +{{- end }} \ No newline at end of file diff --git a/charts/redpanda/redpanda/5.9.5/charts/console/testdata/template-cases-generated.txtar b/charts/redpanda/redpanda/5.9.5/charts/console/testdata/template-cases-generated.txtar new file mode 100644 index 000000000..7fd56f9de --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/console/testdata/template-cases-generated.txtar @@ -0,0 +1,22208 @@ +Generated by TestGenerateCases +-- case-000 -- +affinity: {} +annotations: + Q9AVJD4: G9TEnp +autoscaling: + maxReplicas: 206 + minReplicas: 312 + targetCPUUtilizationPercentage: 41 + targetMemoryUtilizationPercentage: 72 +commonLabels: + "": 31q1Pbz +extraEnv: +- name: Z2BpO + value: 0ggF3ha7D +extraVolumes: +- name: 7iCCax +- name: meEH +- name: xYVSV +fullnameOverride: hvGoJL +livenessProbe: + failureThreshold: 1028486626 + httpGet: + host: AOZs + path: YKi + port: Q8C3tKEBBI + scheme: ćpʔS欻鯡 + initialDelaySeconds: 1713123405 + periodSeconds: -1411200119 + successThreshold: -1362510905 + timeoutSeconds: 1375594715 +nameOverride: "n" +podAnnotations: + lyW: mn + pjq6fDr: YA2w301 + uXvFB: VQ5gP9 +priorityClassName: vQhDS +replicaCount: 387 +resources: + limits: + x0StjCjt: "0" +securityContext: {} +serviceAccount: + automountServiceAccountToken: false + create: true + name: HRoLg +strategy: + type: Ò泆A +-- case-001 -- +automountServiceAccountToken: true +extraContainers: +- image: LlCU3if + imagePullPolicy: RɷVȄ×ʤǫĠ侻Ɏźx跻Å榜 + lifecycle: {} + name: l0 + resources: {} + securityContext: + allowPrivilegeEscalation: true + privileged: true + startupProbe: + exec: {} + failureThreshold: -1510490758 + initialDelaySeconds: 112782468 + periodSeconds: -738545847 + successThreshold: -1801864225 + timeoutSeconds: 1026753125 + terminationMessagePath: gCG + terminationMessagePolicy: hmƂÚÕʏ疅耪鯉瓉Ɏ煐8qĺ + tty: true + workingDir: ixD7Jq +extraEnv: +- name: 3Nf + value: vATdo0CH + valueFrom: + configMapKeyRef: + key: IRw5 + name: fa + fieldRef: + apiVersion: 93Fjhay + fieldPath: LRa2I +- name: T0 + value: trXO4 +- name: P9hPooVH + value: yii5lolb + valueFrom: + configMapKeyRef: + key: spAKa + name: U0EYAAe0 +fullnameOverride: T50cZi +initContainers: + extraInitContainers: qur +nameOverride: Sh +priorityClassName: NyOpfr +replicaCount: 414 +resources: {} +tolerations: +- effect: Mǣ鍙x奬Ø裗Ʈ唿踣ʘ)ɒâÄ + key: AWx + operator: yīÄLJʑʢ避 + value: cO +- effect: ï楡ɜƐf鱖À夹ǙȤK + key: Gk23T + operator: è6槈$_ȋ6}rvĕ曉¸顋ŀÓ + value: DCkzy +- effect: 蠯u牰ŇɔnÜȎĤ原H + key: qSC + operator: "n" + tolerationSeconds: -7696192156323826068 + value: z +-- case-002 -- +deployment: {} +enterprise: {} +extraEnvFrom: +- prefix: cfVf + secretRef: + name: ha +- prefix: i2E2Jvnc +extraVolumeMounts: +- mountPath: Y40 + mountPropagation: $寕洦敬苖ēRõøȀ + name: vn5hd + readOnly: true + subPath: oXCY9 + subPathExpr: p +fullnameOverride: xZty +imagePullSecrets: +- {} +- name: YPVBzxvx +nameOverride: vN4yH7I +podAnnotations: + 8vRMfVroYC2: QXbUbLea + VV4w: s4sL + upwTMuIqflmD: 9J0H45zXX +priorityClassName: TeCy +replicaCount: 417 +resources: + limits: + 27ywV: "0" + nMnjjF4kM: "0" + xar2JX: "0" +service: + nodePort: 292 + port: 413 + targetPort: 267 + type: ILpSX2Cy +serviceAccount: + automountServiceAccountToken: true + name: R1Yar8 +tolerations: +- effect: ǩ趥螏|F8ǻĬ嵍Ğ错ʂĺƠǷ俆峻噸 + key: b + operator: wąȹV{İ刡嚮ȜJ + value: ZuTw +- effect: D稕栥[Ǟ$焫昲 + key: NnhmxYy + operator: Xʀ + value: v65W +- effect: 岂bĤ晏#DĢº + key: MOgT + operator: 礩懜蹻ǍBȟvɸ堊 + value: 3iXh +-- case-003 -- +annotations: + 6HCwaF8XIH: uIbMN + MRwga: Fq5s + mgpV: 4f +autoscaling: + maxReplicas: 411 + minReplicas: 432 + targetCPUUtilizationPercentage: 169 + targetMemoryUtilizationPercentage: 155 +configmap: + create: false +deployment: + create: false +extraVolumes: +- name: 1CIX +fullnameOverride: 8nE +ingress: + className: EqUYi + enabled: true + hosts: + - host: bKQCmfZ + - host: djItx5GtejC6 + - host: 2wLaQU8 + tls: + - hosts: + - V8BpuMCig + - 7LqG4w92 + - el3u4v + secretName: nUlu5bMwB8 + - hosts: + - 4HLzq + - 2i4g + secretName: lSgQIKwj5 +nameOverride: w6 +podSecurityContext: + fsGroup: 1512968668502336058 + runAsUser: -2578305880243425477 +priorityClassName: HNqN9h2 +replicaCount: 17 +resources: {} +secret: + create: true + kafka: + awsMskIamSecretKey: SrYY84t + protobufGitBasicAuthPassword: Fb + saslPassword: xCc3TeVY + schemaRegistryPassword: ovCqxwz9Bf + schemaRegistryTlsCa: JL + schemaRegistryTlsCert: cS + schemaRegistryTlsKey: UMwYx4F + tlsCa: HFpsnPdw + tlsCert: hseIt + tlsPassphrase: Wc0 +-- case-004 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: {} + weight: -1713447377 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: null + podAntiAffinity: {} +commonLabels: + "": PtQ7JxIAdPjt +fullnameOverride: "" +nameOverride: YMl +podAnnotations: + 1iK8Ic: Qo3FCg9qi + 63SsVxDT: v + A1Q4J4: U9jygY2t1F +priorityClassName: JT0MK +replicaCount: 261 +secretMounts: +- defaultMode: 197 + name: QmzFlXE + path: Oj + secretName: 7gi +service: + nodePort: 366 + port: 112 + targetPort: 173 + type: dO7eovC +strategy: + type: ɡv?ĨJ姯ɚƟć匪cb +-- case-005 -- +autoscaling: + enabled: false + maxReplicas: 26 + minReplicas: 380 + targetCPUUtilizationPercentage: 395 + targetMemoryUtilizationPercentage: 140 +configmap: + create: false +deployment: {} +extraVolumeMounts: +- mountPath: JU4z + name: QEJyD + subPath: ZBEy2m0m + subPathExpr: S1Kk +- mountPath: RjUw5sX7NP + name: ett1n + subPath: NmZKwz + subPathExpr: QOMT +fullnameOverride: pN +image: + registry: 7iw15D + repository: RnJFs0 + tag: OQDirE +imagePullSecrets: +- name: ATcT6Hd +- name: l15Hhw +initContainers: + extraInitContainers: Me +livenessProbe: + exec: + command: + - AJd + - HZf + - YHivxIsAJ738b5Q + failureThreshold: -1921365096 + initialDelaySeconds: -1548958176 + periodSeconds: -1952555242 + successThreshold: -1289242499 + timeoutSeconds: -265051013 +nameOverride: MW +priorityClassName: KnLhcy2cw +replicaCount: 396 +secret: + create: true + login: + github: + clientSecret: R4Zj + personalAccessToken: N85av + jwtSecret: g + oidc: + clientSecret: enei1WIcV +tests: {} +-- case-006 -- +affinity: + podAffinity: {} + podAntiAffinity: {} +configmap: + create: true +console: {} +enterprise: {} +extraVolumeMounts: +- mountPath: 5uhd1qMX + mountPropagation: ȵS鈛ZQì暗 + name: "N" + readOnly: true + subPath: lbeciOZZ + subPathExpr: Pd88cwE +- mountPath: yVo + mountPropagation: ÑƇ[嫨ĸŁ幵鿯它(ȡ~嘶ƌO情=į臺 + name: Z + readOnly: true + subPath: Nrqx + subPathExpr: Q4ChfT +fullnameOverride: rzd +image: + registry: zT38Q + repository: V + tag: iSGm6MT1 +ingress: + className: XOZv8 + enabled: false + hosts: + - host: WGn + paths: + - path: NVV + pathType: 0DK + - host: "" +initContainers: + extraInitContainers: SCgmJTj +nameOverride: gCH15URsJZr +podAnnotations: + s2D: DMU7 +podLabels: + CoBI: 20aOZaZvs + e0xqmoOD: Nb5V + ylGQE: p +priorityClassName: 1x11c0q +replicaCount: 176 +resources: + requests: + PY: "0" +secret: + enterprise: + licenseSecretRef: + key: eF + name: fQ02KR + kafka: + awsMskIamSecretKey: 1tq + protobufGitBasicAuthPassword: G + saslPassword: K8kPgIp6 + schemaRegistryPassword: "" + schemaRegistryTlsCa: Zr + schemaRegistryTlsCert: KN + schemaRegistryTlsKey: t + tlsCa: CQ + tlsCert: 6xZ8 + tlsPassphrase: JpScAmVx6 +serviceAccount: + automountServiceAccountToken: false + create: true + name: nd7TSb2mNTS +tests: + enabled: false +-- case-007 -- +commonLabels: + cV05TKdtF: 55lItpeJD + h: 1Y7dqm4wZL +configmap: {} +console: + roleBindings: + - "": null + 5w1YcAu: null +extraEnv: +- name: qY0f + value: Wu +- name: 9zVp + value: g +extraEnvFrom: +- configMapRef: + name: OUS + optional: true + prefix: YWvtgT +- configMapRef: + name: 4xZZ + prefix: Djbp99U +extraVolumes: +- name: dCz +fullnameOverride: "y" +initContainers: + extraInitContainers: RiAu +livenessProbe: + exec: + command: + - 3Ujf + - EOmDk + failureThreshold: 1105213631 + grpc: + port: -199686432 + service: H + initialDelaySeconds: -1727299217 + periodSeconds: -579129147 + successThreshold: -1278687101 + terminationGracePeriodSeconds: 7570283898099180047 + timeoutSeconds: -603846855 +nameOverride: HWL +nodeSelector: + CAy: 19kW + R2z: OpcDywz9x +podSecurityContext: + fsGroupChangePolicy: 驸Ǩiµ慷泱世 + runAsGroup: 6873387834465682841 + runAsUser: 7937848737866681002 + sysctls: + - name: mp + value: SkIvFN + - name: E + value: RknyuPB + - name: kcY + value: us1 +priorityClassName: rs +readinessProbe: + failureThreshold: 114758306 + grpc: + port: 774513900 + service: GICRd2O + initialDelaySeconds: 457836757 + periodSeconds: -1914503008 + successThreshold: 1926018786 + timeoutSeconds: 458769630 +replicaCount: 103 +resources: + requests: + 4P1f3: "0" + DmuY: "0" +secret: + login: + google: + clientSecret: Ln0 + groupsServiceAccount: gp + jwtSecret: 2j6NF + okta: + clientSecret: 3A593BjCuu + directoryApiToken: mSSz8MZ + redpanda: + adminApi: + password: t + tlsCa: QD1x71f + tlsCert: 744Ysvi + tlsKey: 56VaHh +service: + nodePort: 238 + port: 286 + targetPort: 404 + type: Vvrvx +serviceAccount: + automountServiceAccountToken: false + name: RFjc7 +-- case-008 -- +annotations: + hfXF: v4uLEC6f8m +automountServiceAccountToken: false +console: {} +deployment: {} +fullnameOverride: GbgHqD +ingress: + className: XfqwM +livenessProbe: + failureThreshold: 1421249778 + initialDelaySeconds: 1194618095 + periodSeconds: 1245060237 + successThreshold: -641096828 + timeoutSeconds: -617099936 +nameOverride: RW +podAnnotations: + BTlN: z8t + a: Pqjhw +podSecurityContext: + fsGroupChangePolicy: ǶȚ/廻 + runAsGroup: 3241750191956122115 + runAsNonRoot: false + runAsUser: 2693812519144067821 + supplementalGroups: + - -7558357415363805139 + - -9152494874115651655 + - -906805565867492888 + sysctls: + - name: CBe8XsS + value: bh + - name: pUYyG9c + value: xPm1 +priorityClassName: 0fXQqWA96 +readinessProbe: + failureThreshold: -10750427 + httpGet: + host: yftc + path: 7MDOtCNf + port: -1919050774 + scheme: ȧ楢谚 + initialDelaySeconds: 208988771 + periodSeconds: -2096658971 + successThreshold: -233405863 + timeoutSeconds: 2042765580 +replicaCount: 475 +secret: + create: false + enterprise: + licenseSecretRef: + key: "" + name: vGB +securityContext: + procMount: ȃ蘗ʮǺ踰蒐佛桸gɋ + readOnlyRootFilesystem: false + runAsGroup: 5367218369967093267 +serviceAccount: + create: true + name: YcV5zP8 +strategy: + rollingUpdate: {} + type: 堯飉J侚桤 合w犌ŝ|#è:(蹝Ƀy輐 +topologySpreadConstraints: +- maxSkew: -722842418 + nodeTaintsPolicy: uã链掎ŏȅ噘籥邟澶N3-昃嗽(七|犘 + topologyKey: vq + whenUnsatisfiable: Ȭť'Ùt苷ŲĤ蘝 +- labelSelector: {} + maxSkew: 1436245353 + nodeAffinityPolicy: 0ʠƃ氁ʆZ + topologyKey: t + whenUnsatisfiable: x叾džʜƽ耨 +- labelSelector: {} + matchLabelKeys: + - 6T2 + - FqrwFd + maxSkew: -172720268 + nodeAffinityPolicy: 觏败TʙȎ喧5婬ȑªgȢ'!ÅWp襎 + nodeTaintsPolicy: ÛB¹]ʐ梳Ě + topologyKey: VyU9 + whenUnsatisfiable: 烹wɹȐN坿¨叻ʊ鴥/Ŭ屎釽C欼 +-- case-009 -- +affinity: + nodeAffinity: {} + podAffinity: {} + podAntiAffinity: {} +automountServiceAccountToken: true +configmap: + create: false +deployment: {} +fullnameOverride: l1Bnpx +imagePullSecrets: +- name: x42RbB4KLm +livenessProbe: + failureThreshold: -1420734522 + httpGet: + host: fFkzqM8 + path: aVVHbe + port: TkNE + scheme: ǂɷ烷Į~鼹ǵǃ楅ǰ + initialDelaySeconds: 753838163 + periodSeconds: -444344576 + successThreshold: -1003403229 + timeoutSeconds: -172453343 +nameOverride: BKV +nodeSelector: + OBRBvRK: hMXDLGN5 + ky: sv +podSecurityContext: + fsGroupChangePolicy: 灆Zeɪ霅ǭɒ<ǖ韆 + runAsGroup: -2394155475284911371 + runAsNonRoot: true + supplementalGroups: + - 802667379359895872 + - 8316082600801371691 +priorityClassName: p0ShP6Yru +readinessProbe: + failureThreshold: -286281002 + initialDelaySeconds: 138566964 + periodSeconds: -361700659 + successThreshold: 422528479 + terminationGracePeriodSeconds: 495828610939530481 + timeoutSeconds: 352721839 +replicaCount: 315 +secret: {} +secretMounts: +- defaultMode: 414 + name: yWBr98zs1 + path: xShE + secretName: YMpib3J +- defaultMode: 402 + name: qUQ5 + path: Wnbf + secretName: Pw8 +- defaultMode: 410 + name: hpqapQJQ + path: fgV + secretName: 1JLIOjZI8 +service: + annotations: + efgehQaV5UI0y: GymqDudh + nodePort: 75 + port: 229 + targetPort: 85 + type: yZy +topologySpreadConstraints: +- maxSkew: -73453467 + minDomains: 326628755 + nodeAffinityPolicy: "" + topologyKey: zWgGRC + whenUnsatisfiable: 黚堳ʈ¡ +-- case-010 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: hu5a9Q0m + operator: Ʊ飁Ɲŗʫf + values: + - fDVpOP + - fUBu2Zhz + matchFields: + - key: zOA + operator: 豔|Ĺ霱鑕yȮM錕陰蔆 + - key: uqlr1 + operator: ʏ + weight: -157546286 + - preference: + matchExpressions: + - key: yI2tB1c6Om + operator: 槼湝@)萢=\Ɇ剋Ś>(.aC俥?蔔 + values: + - 5QB3 + - C + - key: IhL2k3 + operator: "" + matchFields: + - key: Kn1 + operator: q'ʏC効L¶ƋMʐģƥƝnĤe + weight: -1818860211 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - {} + podAffinity: {} +configmap: + create: false +console: + roles: + - null +deployment: + create: true +enterprise: + licenseSecretRef: + key: 6Y + name: juyv +extraContainers: +- env: + - name: nE8 + value: hFfGzdv + valueFrom: + configMapKeyRef: + key: 9Sc + name: kviW + fieldRef: + fieldPath: bzL + resourceFieldRef: + containerName: ky9X6 + divisor: "0" + resource: RgwF + image: mEMnGhDi + imagePullPolicy: <Ǐ(嬘箓閁1_Y.脯鮉娇腾1 + name: ZyDivTyKOX + readinessProbe: + failureThreshold: 368214623 + initialDelaySeconds: 1711545214 + periodSeconds: -1669571514 + successThreshold: 830602444 + timeoutSeconds: -1406663042 + resources: + requests: + Ta: "0" + restartPolicy: M#L粓Ojw+ĸɊcƗ镃聆琮ǘ滂W + stdin: true + terminationMessagePath: 7hyobl + terminationMessagePolicy: gŜĶ蔓林驲%嶄ʚ轿竷 + volumeDevices: + - devicePath: zlgauG + name: Uy7Ds5N + - devicePath: pturCrgNMxS + name: "1" + volumeMounts: + - mountPath: 2ftw3U97pI + mountPropagation: ǮmW + name: NeLq9zvIQ + subPath: 5XYnpNAb + subPathExpr: rAeHuQk + - mountPath: aOj5TCBKn + name: DWFR + subPath: G + - mountPath: ovoJMYcQZ7 + mountPropagation: ɷ&娈瘱 + name: o6QaPD8 + subPath: rIo + subPathExpr: j0F1wa + workingDir: tj +- env: + - name: KO7zek + value: AE8r + valueFrom: {} + envFrom: + - prefix: T4nvtH0yCoJCx + - prefix: KaMGNcK + image: m + imagePullPolicy: 牀 + lifecycle: + preStop: + exec: {} + sleep: + seconds: -1229802121654850448 + livenessProbe: + failureThreshold: 1036399450 + grpc: + port: 1383801223 + service: nm0jd39Ta + httpGet: + host: VhafGy + path: CP9 + port: BnhNd + scheme: hxu崚奵Y + initialDelaySeconds: 141265356 + periodSeconds: 251484282 + successThreshold: 257415096 + terminationGracePeriodSeconds: 3476093234934519616 + timeoutSeconds: -1657896181 + name: UCZJ + ports: + - containerPort: 574867450 + hostPort: 156179933 + name: 0re + protocol: 頶韜»釟ţKFƂƄp錴畗~[禬B琡9 + - containerPort: -374880824 + hostPort: 1342282100 + name: OeyfSkg3EJIuD + protocol: 佃ŦŬ穷唂&2ŌĜ,gF躊貀j寝ô + readinessProbe: + failureThreshold: 978947885 + httpGet: + host: A + path: Ngfyt + port: "" + scheme: Í蠕窩獙 + initialDelaySeconds: 60101484 + periodSeconds: 1102760384 + successThreshold: 1260060937 + terminationGracePeriodSeconds: 1157546254675437089 + timeoutSeconds: -465800822 + resizePolicy: + - resourceName: P6b56 + restartPolicy: 冿÷Ý萦{[P貍ȕ,Sɕ錼 + - resourceName: azLsfqbuYlr + restartPolicy: 蒃Ký阹ǒ1T獽蛍峸伦ƨ(Ƭ-央á + - resourceName: skOpL + restartPolicy: 鸿dŶ徥w^ȏ嘳Ƙ唓Ęɸ-ɫ鷠C + resources: {} + terminationMessagePath: vmp + terminationMessagePolicy: Ƒh庛ʘ$8L藑奾ń4說 + workingDir: rgrA +extraVolumeMounts: +- mountPath: C3nMA + name: 0sxSVsP + readOnly: true + subPath: V + subPathExpr: 1E5cYdMw +fullnameOverride: ivK +image: + pullPolicy: "" + registry: 4A + repository: 0YeLdES + tag: 1a4iH +nameOverride: JFcK +priorityClassName: x0ISc2 +readinessProbe: + exec: {} + failureThreshold: 1992527736 + initialDelaySeconds: 1233698472 + periodSeconds: 1177961840 + successThreshold: -1634725396 + terminationGracePeriodSeconds: 236063688080704715 + timeoutSeconds: -1493252430 +replicaCount: 250 +secret: + create: false + enterprise: {} + kafka: + awsMskIamSecretKey: K + protobufGitBasicAuthPassword: HMiCm9 + saslPassword: dlWblwkM + schemaRegistryPassword: DQXNeX + schemaRegistryTlsCa: Xe1cT2AuIi + schemaRegistryTlsCert: gaHcYjD + schemaRegistryTlsKey: 96V + tlsCa: "" + tlsCert: WEDNhiC + tlsPassphrase: lP2w1T + login: + github: + clientSecret: vpO + personalAccessToken: pn05iLc53z + google: + clientSecret: OX + groupsServiceAccount: LB64mTpyF + jwtSecret: GQ0Yw + redpanda: {} +serviceAccount: + annotations: + TTsn5: s3xEhO + tZiUN: CtjX + create: true + name: kIzbDF +-- case-011 -- +affinity: + podAffinity: {} + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: {} + matchLabelKeys: + - E9nCu6aLM + topologyKey: PfPCGvStt + weight: -1379963896 + - podAffinityTerm: + namespaceSelector: {} + topologyKey: CgA4 + weight: -726546395 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: ijh1hJb + operator: ƏŧD續筚朊 + values: + - BOfF5xB + - 3iu4 + - key: "93" + operator: Dij%{欬ɽ + - key: NEd + operator: ÿD + values: + - r + - B7E1BoYQ4Njb + - BTV + matchLabelKeys: + - FuyLvc + - Lh60qi + namespaceSelector: + matchExpressions: + - key: w + operator: 嘑 + - key: eQ6nY99xw + operator: H辄萟蘎Ÿ塪²;暃 + - key: 8JrCFA + operator: "" + values: + - wVO + topologyKey: ByO + - namespaceSelector: {} + topologyKey: b21 + - namespaces: + - Ifv + topologyKey: F9j5 +annotations: + pJ: f0brcnhV +automountServiceAccountToken: true +autoscaling: + enabled: false + maxReplicas: 239 + minReplicas: 83 + targetCPUUtilizationPercentage: 68 + targetMemoryUtilizationPercentage: 468 +commonLabels: + JwK5MKTa: WW + v7E: 1g6JB +console: {} +deployment: {} +extraEnv: +- name: XW + value: PCPsJt + valueFrom: + configMapKeyRef: + key: Zk0vTu6kC + name: d9zm3 + optional: false + secretKeyRef: + key: mRF + name: CW + optional: false +- name: loir2K + value: Ti0q +- name: lAxIKF7cbLlc + value: 1ksS + valueFrom: + fieldRef: + apiVersion: 8i2Z + fieldPath: vD7H + resourceFieldRef: + containerName: yqY + divisor: "0" + resource: ebRDAl + secretKeyRef: + key: E9514U + name: g3Rbzs + optional: false +extraEnvFrom: +- configMapRef: + name: d + prefix: Fl1 + secretRef: + name: X8xDu + optional: true +- prefix: M + secretRef: + name: 10or1C2m + optional: false +- configMapRef: + name: BBj + optional: false + prefix: Xy + secretRef: + name: ZA3 +extraVolumeMounts: +- mountPath: O + mountPropagation: ŜQLhlkU穒´宕Ïůŝƪ + name: JeSPIB + readOnly: true + subPath: RTiJ + subPathExpr: wad +- mountPath: QV6Kf + name: Pj7R + subPath: qBOd + subPathExpr: kN3Uujt +fullnameOverride: hbe +image: + registry: gjR + repository: U + tag: Tl0EP +initContainers: + extraInitContainers: OgPf +livenessProbe: + failureThreshold: 653767212 + grpc: + port: -53435273 + service: fv5J + initialDelaySeconds: 832425522 + periodSeconds: -1810991482 + successThreshold: 1954581711 + terminationGracePeriodSeconds: 1550995604326825538 + timeoutSeconds: -574178850 +nameOverride: Cy9eHCiP +nodeSelector: + HC7: EI8 +podLabels: + "2": RgUAFm + D2V: V80aQ +podSecurityContext: + fsGroup: 4103142176308445041 + fsGroupChangePolicy: Ő6­撱悤ÅC`碸 + runAsUser: 9170579519391070953 + sysctls: + - name: 4OKA + value: P7ouRq + - name: iD9Oz + value: gL6ARE +priorityClassName: sJXoA3V +readinessProbe: + exec: {} + failureThreshold: 1745353710 + grpc: + port: -2051399147 + service: G + initialDelaySeconds: 1504484890 + periodSeconds: -846859037 + successThreshold: -1564014824 + terminationGracePeriodSeconds: 7625838354502176909 + timeoutSeconds: 888372342 +replicaCount: 65 +resources: + requests: + "Y": "0" +secretMounts: +- defaultMode: 12 + name: n4BPeF + path: 2Qy8k + secretName: auIr +service: + annotations: + "": NbuyvXjW + 2CTz: vRGLHMO53rD + yLzpKqz: uBjXvD + nodePort: 83 + port: 478 + targetPort: 90 + type: sl +-- case-012 -- +affinity: {} +annotations: + v: D +configmap: {} +console: {} +enterprise: + licenseSecretRef: + key: oG0N9s8 + name: fmqBE +extraContainers: +- command: + - "" + - 7yJE + envFrom: + - prefix: kRXk + secretRef: + name: TJsCapqoxl + - prefix: ucUEP + secretRef: + name: 1zCfpPiVt9o + optional: true + image: hwJ + imagePullPolicy: dh + name: Ody4zqt + readinessProbe: + exec: {} + failureThreshold: 1607990521 + grpc: + port: 2033135747 + service: "" + initialDelaySeconds: -889776869 + periodSeconds: -35190825 + successThreshold: -958310065 + terminationGracePeriodSeconds: 3166888730011246345 + timeoutSeconds: 806015074 + resources: + requests: + mg2KyOVo97: "0" + restartPolicy: 档媘řĖ焘傐Yʮ,+Ƽ梽讫ƭ焇 + securityContext: + readOnlyRootFilesystem: true + runAsGroup: -2035296945120192462 + stdinOnce: true + terminationMessagePolicy: '*.Q' + workingDir: 0g9 +- command: + - ktel2 + - 2gO + image: Kq1K2HexLL + imagePullPolicy: 蟫黳jª0狫ĝ| + lifecycle: + postStart: + exec: + command: + - I + name: XmcrosJ9Art + resizePolicy: + - resourceName: 8dOXgKMh + restartPolicy: T@罞 + resources: + limits: + Qf424: "0" + UkBWyCgR: "0" + yS9FH: "0" + securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - Ǐ蟯ƛU賊稁uv/u讎胗< + - 1湹 + privileged: false + readOnlyRootFilesystem: false + runAsGroup: -281571585037868414 + runAsUser: 8469885005475493831 + stdin: true + stdinOnce: true + terminationMessagePath: 6ii28 + terminationMessagePolicy: ȊGī3慺Ŏ + volumeDevices: + - devicePath: "" + name: lqvpF + - devicePath: 3vTez + name: pD6EOo + workingDir: QEqnPlY6YE +- args: + - eiyTiCxBp + envFrom: + - configMapRef: + name: uxUzs + prefix: 0Oq + secretRef: + name: ahghhjB + - configMapRef: + name: yjx + prefix: cOCr6ajjpSTT + - configMapRef: + name: "4" + prefix: 0XtWv + secretRef: + name: oKDQ + image: PV + imagePullPolicy: d?遼gŜT纬ɷšǧ餝Ƨ + livenessProbe: + exec: {} + failureThreshold: 746140291 + grpc: + port: 1197495917 + service: "" + httpGet: + host: x78yAB + path: P5mSLs + port: Cb2 + scheme: 儰试9ȷǴ燀ǃ¦籇射,ǠöcƲ伙 + initialDelaySeconds: 1418617842 + periodSeconds: 187037501 + successThreshold: -1821323321 + timeoutSeconds: -894994792 + name: ToH + resizePolicy: + - resourceName: 7Ut8kM + restartPolicy: gěǏ* + - resourceName: gvoJz7 + restartPolicy: ł0Iɷ»u诎żȋ貏C炭 + - resourceName: VpTvtNnJOw + restartPolicy: 阠eR'k.Ơ糦啮ŋ睷N譺 + resources: + limits: + cYhO6a: "0" + startupProbe: + exec: {} + failureThreshold: -1040244189 + grpc: + port: 1921669257 + service: Me + httpGet: + host: 5fL4Z + path: BwLac + port: SKrb2z + scheme: ľ<Ƽ浳s剪ɍ + initialDelaySeconds: -1064995957 + periodSeconds: 230643461 + successThreshold: -1865926881 + timeoutSeconds: 1102271416 + terminationMessagePath: ZbnnI + terminationMessagePolicy: 阳壀ɀS强pŇȆDž鹩 + tty: true + volumeDevices: + - devicePath: pP2eHwth + name: S9Sy + workingDir: Z +extraEnvFrom: +- prefix: RyT9JuZ +fullnameOverride: tmn2Kt +initContainers: + extraInitContainers: SIhGa +livenessProbe: + failureThreshold: 666524470 + grpc: + port: 1398516128 + service: "" + httpGet: + host: bR1aDlNV + path: yDJgyD4 + port: PU8gXWTBf + scheme: 8BƔ7, + initialDelaySeconds: 1841184951 + periodSeconds: 465079780 + successThreshold: -1928046688 + terminationGracePeriodSeconds: -4709298711736612221 + timeoutSeconds: 1377323766 +nameOverride: Qr03ts +podLabels: + "": S7BNyT + r1F: Fsc + yeY4LjT: MRlwtd +priorityClassName: vMcB +replicaCount: 407 +resources: {} +securityContext: + allowPrivilegeEscalation: false + privileged: true + readOnlyRootFilesystem: false + runAsGroup: -6536894786619939509 + runAsNonRoot: false +strategy: + rollingUpdate: {} + type: 9Cɠ+餌µ骽O惠LƬɇɦ鉍挶 +tests: {} +-- case-013 -- +automountServiceAccountToken: true +enterprise: {} +extraContainers: +- env: + - name: bNyX + value: DpJ + valueFrom: + secretKeyRef: + key: r3ZL + name: GM2zRN8 + optional: false + - name: dS + value: u2CpI14PZ + - name: JVoNndPj + value: eCfRy + image: 9nkfM + imagePullPolicy: v洓p褾NJ翛Y/笸i洞偀fX綤鰐 + livenessProbe: + exec: + command: + - TzQ + - 5tBBhynsjV + failureThreshold: -1613952147 + httpGet: + host: gYV + path: 9qC2GovT + port: Gh + initialDelaySeconds: 1651935443 + periodSeconds: -1307313312 + successThreshold: 1553368137 + terminationGracePeriodSeconds: -4575724788805099082 + timeoutSeconds: -499895377 + name: aOBSLF + readinessProbe: + failureThreshold: 687754614 + initialDelaySeconds: -1880005074 + periodSeconds: 794268536 + successThreshold: -1510519942 + terminationGracePeriodSeconds: 3334702514671978014 + timeoutSeconds: -178867660 + resources: + requests: + hiWTQ: "0" + m7CDU: "0" + stdin: true + terminationMessagePath: Yj9V + terminationMessagePolicy: js$昦夁糎fț + tty: true + volumeMounts: + - mountPath: Xaoy + name: XuLXzMm + readOnly: true + subPath: NI8v + subPathExpr: nPRuyC + - mountPath: S + mountPropagation: ĜX鴮璫ȓĢ + name: c2o + readOnly: true + subPath: DEcziG + subPathExpr: 7UjF6H + workingDir: yPE +extraVolumeMounts: +- mountPath: DVlVa1jiDIh5G + name: zaV + subPath: lXnque8 + subPathExpr: aFzzfyzr +- mountPath: 7VmD + name: bNuYmK + readOnly: true + subPath: zsTvmtU0 + subPathExpr: uNyQSZ +- mountPath: p + name: q3 + readOnly: true + subPathExpr: k4yfc0H +fullnameOverride: RttlJN +initContainers: + extraInitContainers: Gnt +nameOverride: dDkIKgMwXv +priorityClassName: BDUfm1wSRDI +readinessProbe: + exec: {} + failureThreshold: -225696508 + initialDelaySeconds: 1573121125 + periodSeconds: -1561542711 + successThreshold: 1804677264 + terminationGracePeriodSeconds: 5224127779959308812 + timeoutSeconds: -1540252725 +replicaCount: 412 +resources: + limits: + f7Jr: "0" + fl: "0" + requests: + Q4O7nA: "0" +secret: + enterprise: {} + redpanda: {} +securityContext: + privileged: true + readOnlyRootFilesystem: false + runAsUser: -8804799239371185443 +tolerations: +- effect: ƞ嬂 + key: wnH + operator: Ā蔥ąʏƅȑǚ缗'r~熐{Ǎ楯&鑫咂] + value: LYZYjeFUmK29wdL +- effect: 硞撤幅娰tȬ婒ĎɕÏǜ蚭馸諄W)偒½ + key: e2 + operator: bƤrZ + value: 8ssobF8u +-- case-014 -- +autoscaling: + maxReplicas: 297 + minReplicas: 375 + targetCPUUtilizationPercentage: 161 + targetMemoryUtilizationPercentage: 154 +console: + roleBindings: + - null +deployment: + create: false +extraContainers: +- args: + - Z62Is + - Hbh02LW4 + env: + - name: YW1G + value: 0GWAuZSLomGzW + valueFrom: + configMapKeyRef: + key: G23Iugy + name: TkEMhJ + secretKeyRef: + key: BTU + name: g1 + optional: false + - name: uL + value: FFIE5os + valueFrom: + configMapKeyRef: + key: "Y" + name: auRMap + resourceFieldRef: + containerName: q0II1T + divisor: "0" + resource: HT + secretKeyRef: + key: dzuljE + name: G7WQLg + envFrom: + - prefix: gP + secretRef: + name: OVJe + optional: false + image: rJIHfr2OEa135 + imagePullPolicy: YÙ姯?斕_9xŠɏɉɬ脸埫窿 + name: AH0Q + ports: + - containerPort: 228562644 + hostIP: IoQ1 + hostPort: -1878543188 + name: Rfal + - containerPort: -894592742 + hostIP: WL1wuF + hostPort: -1156574467 + name: kaBC3xQ4W + protocol: ǀw黽Ɂ態y歳饏S鰚醭 + readinessProbe: + exec: + command: + - SSKDo + failureThreshold: 2133132404 + grpc: + port: 1749726411 + service: mXvc + httpGet: + host: pc5My + path: Xb4w6 + port: 478437545 + scheme: X甡蓸^qĠ屘g槛雍d伨ɾ + initialDelaySeconds: -966001365 + periodSeconds: 714178271 + successThreshold: -1714884162 + timeoutSeconds: 152300629 + resources: + limits: + QD: "0" + eQShuVrO: "0" + requests: + xWdhFr9: "0" + restartPolicy: 吥蓔ȫ唿瀘V輇f蓵犆Ȑ]œʢ鶍MƧ樤_ + startupProbe: + exec: {} + failureThreshold: 623319858 + grpc: + port: -1442127150 + service: C6 + initialDelaySeconds: 128345274 + periodSeconds: -1861677604 + successThreshold: 1112169900 + timeoutSeconds: 120934069 + stdin: true + stdinOnce: true + terminationMessagePath: CVFCc8 + terminationMessagePolicy: 欥ɻ斩隫0撊GƲ{ + tty: true + workingDir: IZB +- image: DOt5K + imagePullPolicy: Q燢Ƈʃǻĝ + lifecycle: + postStart: + sleep: + seconds: -2443463859616450892 + preStop: + exec: + command: + - 74I + - RU + sleep: + seconds: -3090258659267849140 + livenessProbe: + failureThreshold: -1269681865 + grpc: + port: -1568193429 + service: X1LyDnjv64JEDb + initialDelaySeconds: -1309179527 + periodSeconds: -1814451145 + successThreshold: -2073223886 + terminationGracePeriodSeconds: -7380892635099163371 + timeoutSeconds: 2123408205 + name: QbUkrjO + readinessProbe: + failureThreshold: -1858848657 + grpc: + port: 349774039 + service: jxJ + httpGet: + path: aAkRuN + port: AGGDH + scheme: Aʝ詷Cţm憻菁裰ś + initialDelaySeconds: -1986091889 + periodSeconds: -775693671 + successThreshold: 930243436 + terminationGracePeriodSeconds: -4158765076015214976 + timeoutSeconds: -1930165730 + resources: + limits: + QL: "0" + startupProbe: + failureThreshold: 79584809 + httpGet: + host: IYI + path: jpfp + port: h + scheme: ÎŲ媱5\æ}QQǤoƲ^8%嵕_踽 + initialDelaySeconds: 1384447753 + periodSeconds: 364207137 + successThreshold: 1778504178 + timeoutSeconds: 1437969450 + stdinOnce: true + terminationMessagePath: z + terminationMessagePolicy: ūJ + tty: true + workingDir: RQkvQON +fullnameOverride: htymHJ +image: + pullPolicy: 袪Ȓ緶Ð菝ȋ擮@Ŧ + registry: ulLeWQWUJdjnk + repository: J + tag: KQ +initContainers: + extraInitContainers: JvUWbM +nameOverride: Vi2vH +podAnnotations: + Tt: CHbO7BF +podSecurityContext: + fsGroupChangePolicy: A%Âȁµ郞星懐,t语Ā詘IJÊ铮Q + runAsUser: -4832235381641550418 +priorityClassName: rcxHoi +replicaCount: 424 +resources: + limits: + AS: "0" +service: + nodePort: 66 + port: 41 + targetPort: 168 + type: Oiwzbmtjpb +serviceAccount: + create: true + name: h6eHrUr +tests: {} +tolerations: +- effect: 鞼CÞŲɮȧɖņ魉**護Å岴hFʎ篅2 + key: ffSN + operator: 葓C巰qĩŹ脠~蒵 + value: fkh +- effect: ȯ绸 + key: meTpNZ + operator: ĥ恃精hw"蘄谇H潔ʎȴ豅©嫗笨 + value: uyTD +-- case-015 -- +affinity: + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 7eVqbmnw4 + operator: 屈ǧȔŗS#~¸Dd馔uÈ飏ƌĔ魼ȓ + values: + - eZapFDhb + - dBr2cD + - key: Z13Kq48NE0 + operator: ª + values: + - 03LE6GE + - key: s + operator: 箱+ʑ圼;0丢顃M媆熋熼妄瞬 + values: + - E + - jC2mNBN + matchLabels: + 4tdQRoO: Tgv + 7Apxz: EPl5 + bPvG5Bf: sCS + namespaceSelector: {} + namespaces: + - bkN0U + topologyKey: haPJ + weight: -1043017794 + - podAffinityTerm: + labelSelector: + matchLabels: + PP8DxAPJwUzY: z9RL6 + U1a: J + due4: eRc0tKn + namespaceSelector: + matchExpressions: + - key: "y" + operator: 霮ʡ`罵瀖Kʓa嚃*Q`UV邠想ɷġ + namespaces: + - M2GNeyD + - eDNVdz1ne46 + topologyKey: kQ + weight: -1134437930 + - podAffinityTerm: + namespaceSelector: + matchExpressions: + - key: SnD + operator: 6愔ȶ獧:öȰ浻珼»ǰs睑,s頀旓eX + - key: yt197hBb + operator: ȒǦ^(á咟獐赠5ĺĜ嶜庌愖V揺ɞ\Ș + values: + - pu5 + - Ywv1TEhK + - pAo + matchLabels: + "": rZ + topologyKey: WSD + weight: 613733383 + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: 4b6nMCalUl1 +annotations: + 2V: 50l + jFB7K: 5ZqGXdsD94 +autoscaling: + maxReplicas: 483 + minReplicas: 178 + targetCPUUtilizationPercentage: 362 + targetMemoryUtilizationPercentage: 33 +commonLabels: + B0Pmybnj: gh8 + MdyMnFBP0Cd1: UUVRKbjhv + ShHkukRGF9k: KlIyX6upO +enterprise: + licenseSecretRef: + key: 5MWDqlE + name: UoZ4 +extraEnv: +- name: iQE + value: Aj6RWPJE +- name: QwMCc + value: N9g6bDNI +- name: U5Qg5Qc0NWE + valueFrom: + configMapKeyRef: + key: R + name: n8 + optional: false + fieldRef: + apiVersion: zg0 + fieldPath: fNjpqJ + secretKeyRef: + key: MlF + name: h +extraVolumeMounts: +- mountPath: y5BZm9v9L5 + name: mE9WF + readOnly: true + subPathExpr: 3vKqLj2 +fullnameOverride: 9RweMGWqBs +image: + pullPolicy: '&Ŕ<駄AG' + registry: FezgEM + repository: b4CZb + tag: OoX +ingress: + annotations: + "": ZKQ6I + ES: uo + className: x7Um + enabled: true + tls: + - secretName: Ye6 + - hosts: + - nNQW2NL + - g + - "N" + secretName: YQl +initContainers: + extraInitContainers: FZnnB +nameOverride: KD8DmV +nodeSelector: + vy4h: rk +podLabels: + FlwBgvWNMrbg5: YKgnz8q + TGDbR: 4egH + Xr8XMOk: 1DAii +podSecurityContext: + fsGroupChangePolicy: ¶鮬眴帘ʥb豚DIĂ + runAsGroup: 4190388773600423895 + supplementalGroups: + - 6652209348598506050 + - 5521245057591625878 + - 6754698685787706527 + sysctls: + - name: "7" + value: vp +priorityClassName: "68" +readinessProbe: + exec: {} + failureThreshold: 398655641 + httpGet: + host: NaspK + path: Bgdl + port: 1587383135 + scheme: ǰ|鬩E橴s + initialDelaySeconds: 1516319657 + periodSeconds: -635156272 + successThreshold: 1338596793 + terminationGracePeriodSeconds: 6302545905526400855 + timeoutSeconds: -905426079 +replicaCount: 128 +resources: + requests: + I: "0" + b7jbi: "0" + r1cN: "0" +securityContext: + privileged: false + procMount: d聉l蝲ɓH>狱(Ȁ胄hʍy龝Ȼ埓Y + readOnlyRootFilesystem: false + runAsGroup: 2951274493718237098 + runAsUser: -1772317555576666168 +serviceAccount: + annotations: + IH: 3W + K5hNNf: "" + r: 9cmm + automountServiceAccountToken: true + name: zmr +tests: {} +tolerations: +- effect: '#U媷ɑɥ±箑妌RɱfÈB矅蒟(' + key: g + operator: Řg~歟1ƹ,纙蝝垺 + tolerationSeconds: -9038490283678033542 + value: x6T1NM +- effect: ė{ɼ 5;^ʤàOKv泣0ƫ¢ + key: wdW6LI1a5 + operator: ú4ʫ-哖ýȻȣŦiĩġ膳". + tolerationSeconds: -5247520709138794849 + value: NXt +topologySpreadConstraints: +- labelSelector: + matchExpressions: + - key: dme + operator: )\鹮İ又Ȥ鏥Ĝ + matchLabels: + Cdk: atEBel + PhEVPxOjN: QTW4 + fC0YTiwm: fdAQN8t + maxSkew: 472867304 + minDomains: 1802867157 + nodeAffinityPolicy: ʈǔ聿ŶŹ&y鰜# + nodeTaintsPolicy: '"篍Ɛɰl鄱' + topologyKey: fqmSu + whenUnsatisfiable: äƟĻ鍣ųø啼ǫǷ" +- labelSelector: + matchExpressions: + - key: BEj + operator: Ɠ墳 + values: + - qBJ + - KZbk + - key: 9wxm2wFXlY + operator: ì蠁{\媽;ě8ɠ + values: + - yiuVv9DzzRse + - "N" + - z + - key: SWu + operator: Ī½曖1șWb3 + maxSkew: 774109577 + minDomains: -110979462 + nodeAffinityPolicy: 醿卨¬婾豜ʦKd` + topologyKey: 4iskW3Hbv + whenUnsatisfiable: ǮXƞ棤Ǘ +-- case-016 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: 2Ldss9 + operator: ?霏ƦxǰA7ȇ(堃R + values: + - Ce7pGgB5o + - B8EWZ + - key: pJKw3VVY5 + operator: 2wq6JK?Ȏ惙徵r儊ǒ嵀匫W + matchFields: + - key: EQvFQjoLm1 + operator: «/o咑澇ƉɑȨŞƙ|5時 + weight: -508343495 + - preference: + matchExpressions: + - key: VRoHsoMNa + operator: cƄábŊɕg追ĦǙȿ男)hŬ + values: + - tcCIpd9m + - FsoFrK + - key: ReH4ocoZ + operator: "" + values: + - bnUyPckbz + - AE + - njW + - key: fZBGR + operator: 租ǜ藇錼 + weight: -1003115262 + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + namespaceSelector: + matchLabels: + qGlBCw: zUBwqj2xV + zlHLG: TDTkLQOC + namespaces: + - QWFH + - TEzgQKPSQ + topologyKey: "" + weight: 682123393 + - podAffinityTerm: + labelSelector: {} + matchLabelKeys: + - 1MiHrQ + namespaceSelector: + matchExpressions: + - key: JUYumiiJFrY + operator: .ƽCDZo& + values: + - t3wDXa + - 70HCTbI6g + - C + - key: ik + operator: Œ8v + values: + - Wp + - Zf + - c2q7e + topologyKey: Sc1Q + weight: 869908297 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: ore + operator: ?ɴ$瀜蝪ĪźȀŐƌS莣幮屒n×U锇Ľ + values: + - mJM + - oc + - aU + - key: SQmv + operator: ȥī+ūĬ诧犂¹ + - key: Hh1r9 + operator: h蓟x蹵D¨谧罬 + matchLabelKeys: + - mDk + - Hki8 + topologyKey: x2q0Rx1f1N + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + namespaceSelector: + matchExpressions: + - key: H1Ni + operator: Ȧ厜OŊ + values: + - UWzAFu2 + - key: M + operator: 罐hĹ;'ǫ貉yĊ啉刉DzQį + - key: zZ + operator: 颉śĴJ|@W補A篐S献;ɾ[_鶙ȱ + values: + - 4BL + namespaces: + - Thgfgf7Z + topologyKey: XBju19e + weight: 1392601493 +automountServiceAccountToken: false +console: + roleBindings: + - Q0kslM: null + - null +deployment: {} +extraContainers: +- command: + - opIk + - v9eJ + - 4V + env: + - name: 5Q + value: o + envFrom: + - prefix: eBWmLK + secretRef: + name: FedJi + optional: false + - configMapRef: + name: M + optional: false + prefix: vUvV7W8k0 + secretRef: + name: IA + image: T4SYV + imagePullPolicy: Ƈ祃ǗǤɈ遖竀壙/ + livenessProbe: + failureThreshold: 20929095 + grpc: + port: -1775507003 + service: UZ6BT7NDI + httpGet: + host: QFkZxI6kA + path: tzQ + port: "" + scheme: Ƞ揞á惗É莏6XȪ/ʡ忨償 + initialDelaySeconds: 1046895310 + periodSeconds: -1971173139 + successThreshold: -476756841 + terminationGracePeriodSeconds: 144861231583008737 + timeoutSeconds: 814968592 + name: gEB + ports: + - containerPort: 2060914354 + hostIP: 9IXWKx38q5 + hostPort: -1191426039 + name: 5Mw7k + protocol: 悛ķ鳉ɍ恽j頔Œ6Eʮnx + resources: {} + restartPolicy: 樦ýȃ梪ĵ + stdin: true + stdinOnce: true + terminationMessagePath: c0e +fullnameOverride: 6maz +image: + registry: PYDGV + repository: HV3 + tag: cI8TzaYkws +ingress: + className: JpoCC + hosts: + - host: mE + paths: + - path: znvL + pathType: u4c1 +livenessProbe: + exec: + command: + - 1aqSw0 + - A277oB + failureThreshold: 713465020 + grpc: + port: 1803086428 + service: h1wwv + initialDelaySeconds: 1849009003 + periodSeconds: 2079209425 + successThreshold: 1679782943 + terminationGracePeriodSeconds: 4331994492414219168 + timeoutSeconds: 2000039211 +nameOverride: SC +podAnnotations: + JYLUc483y: gTnWiG +podSecurityContext: + fsGroup: -1425599568169885252 + fsGroupChangePolicy: ƶ Ÿ恢 + runAsGroup: -8737472966684836915 + supplementalGroups: + - 809809813702093180 + - 6124706841582844730 + - 6159358527003037747 +priorityClassName: XtKq +replicaCount: 331 +securityContext: + allowPrivilegeEscalation: false + procMount: 垮Ř2 + readOnlyRootFilesystem: true + runAsGroup: 5797501600954334245 + runAsUser: -8444673787636983397 +serviceAccount: + automountServiceAccountToken: true + name: DdF7ALq +strategy: + rollingUpdate: {} + type: ŀ剭º(;ƍ4兖ȇ +tests: {} +topologySpreadConstraints: +- labelSelector: {} + maxSkew: 972537130 + minDomains: -499606767 + topologyKey: q5 + whenUnsatisfiable: 鳯°ôŕƨʪuɘ"h貇榧0?cɉjA蜝 +- labelSelector: + matchExpressions: + - key: lAV + operator: 嵖xߟ擱ʄ衯"xɂ + - key: U6 + operator: =换J+Ř:嫚ʥ畠餐ǒŃ + values: + - Vj + - snF6cyZ + - 0sW9y4T5 + matchLabelKeys: + - 2wCjBs + maxSkew: -324080521 + minDomains: 695322418 + nodeAffinityPolicy: ʖ[兘Ũ鬎盦İƲ + topologyKey: z5y4Q8jyHH + whenUnsatisfiable: =Y~É.J樢ȃŤƫ甶Ȍ* +- labelSelector: {} + maxSkew: -1720129802 + minDomains: 1017048856 + nodeTaintsPolicy: 龨9猶e僦ɻ髧Ȍc + topologyKey: qKf6Ef3o + whenUnsatisfiable: ʂ?$鳴寘ŧ6脹餗ſ媷,峇埽 +-- case-017 -- +annotations: + J5Z: aLYd149 + LCqYvOjK: Qsk + bU: "" +automountServiceAccountToken: false +autoscaling: + enabled: false + maxReplicas: 164 + minReplicas: 101 + targetCPUUtilizationPercentage: 355 + targetMemoryUtilizationPercentage: 310 +console: + roles: + - JlwOk: null + QUzHpm: null + ch3WnNF: null + - {} + - null +extraContainers: +- args: + - Bd + command: + - QwtEp + - lLi7 + - kxB1 + image: RpMWaJ + imagePullPolicy: ~崆Ǭe侊k + livenessProbe: + exec: {} + failureThreshold: -2101638962 + grpc: + port: -208999597 + service: jICxjA + initialDelaySeconds: 925230214 + periodSeconds: -996383814 + successThreshold: 152844544 + terminationGracePeriodSeconds: -7802949917649733275 + timeoutSeconds: -188255799 + name: qwOkQZ + ports: + - containerPort: -255758148 + hostIP: R + hostPort: 316791912 + name: 09i3b5oQR + protocol: 腴醗9-鐶 + - containerPort: 247145105 + hostIP: L4 + hostPort: 1727912240 + name: bz7Y1N7 + protocol: 暄璎 + readinessProbe: + exec: + command: + - 2fQQ + failureThreshold: -873648342 + grpc: + port: 889903834 + service: C3 + httpGet: + host: IPHal + path: 5Nb6iW9 + port: tkqo + scheme: m说Ď盐2Ƹ,约h鰥Ȕť3 + initialDelaySeconds: 1391319902 + periodSeconds: -1638942635 + successThreshold: 644454270 + timeoutSeconds: -553602240 + resources: + requests: + 0XxId: "0" + VsY2R9: "0" + ZLtS2: "0" + restartPolicy: ų蓶Lj,g珯i'Sû竒 + terminationMessagePath: Mx7V + terminationMessagePolicy: =Jƈ乚貃庪ș¯ÑVȯ6筌巨华ɀ(v + tty: true + workingDir: nKFDPLJvOh +- args: + - AV3kjV + - Gwq78lY2 + - wq + command: + - D + - EI + - fY5J + env: + - name: eCtpNU + value: jLkcq8S + - name: rynLbx + value: CdqgJabHhM + valueFrom: + configMapKeyRef: + key: uBUH5 + name: Uxei4G1 + optional: false + fieldRef: + apiVersion: Ul9al + fieldPath: vtGid + resourceFieldRef: + containerName: Oc + divisor: "0" + resource: "" + - name: GmDNpa0 + value: 7VJM2XsPm8N + valueFrom: + configMapKeyRef: + key: x3J0PMWE + resourceFieldRef: + containerName: x9Q + divisor: "0" + resource: EKFgoq + secretKeyRef: + key: lOZRvK9 + name: V + image: 1xn6 + imagePullPolicy: ɀ稤¼Mɻ«鐾6Ú{ŬtŮ鄖SSɌ戲 + lifecycle: + postStart: + exec: {} + httpGet: + host: sT2dWyT + path: vvbIxNVANZ + port: aCK8 + scheme: 昿孊卿昤軒JYƜÁ嶠şe灶 + sleep: + seconds: -3542823673709563150 + preStop: + exec: + command: + - "N" + - qkHmJ + - HupYy + httpGet: + host: 137dx + path: y3u7HE + port: -1357399425 + scheme: '@济ɉ鳛讧跕(#7NJɓũǸ]ɨ梊sj' + sleep: + seconds: -2408406850575106311 + name: J6VFtJd3giFt + resources: + requests: + 3dqK0M: "0" + restartPolicy: 70ʆ氶応爱怙鉉塼tƗhY嚇 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + privileged: false + procMount: ȚƼ提瀴t8oƥc + startupProbe: + exec: {} + failureThreshold: 1782005431 + grpc: + port: 676289916 + service: 3xqeCsf + httpGet: + host: YDL1TP + path: "8" + port: lLWR + scheme: BKō筹 + initialDelaySeconds: 134613881 + periodSeconds: 1547524591 + successThreshold: 1778605907 + terminationGracePeriodSeconds: -7593859121613942317 + timeoutSeconds: 2026260743 + terminationMessagePath: E + terminationMessagePolicy: 碓 + workingDir: kl +- command: + - "" + env: + - name: TG1HQA + value: 5X + valueFrom: + fieldRef: + apiVersion: Vhn + fieldPath: jluMkQnv9 + resourceFieldRef: + containerName: rLfbH + divisor: "0" + resource: "" + - name: "" + value: TOTyqqGn + valueFrom: + fieldRef: + apiVersion: 0CAdSa + fieldPath: LWMRC + resourceFieldRef: + divisor: "0" + resource: G5eZP4R + secretKeyRef: + key: xYOgJL + name: vMTywG + image: 2Z + imagePullPolicy: z.鎸ƦʖFNj棪Ƃ鯌b抵#Dzr + lifecycle: + postStart: + exec: {} + httpGet: + host: k8z + path: TxNa2e + port: -573570086 + scheme: oɌdǹ[M灙螮伪芛探塢庖Njȕ仸 + sleep: + seconds: 4118046687980193779 + preStop: + exec: + command: + - 6iZbF + - OeZTW + httpGet: + host: rbqq + path: sno + port: -429531729 + scheme: s璙Ȼȗ榛ǵ0ƿ.忋闳溨 + name: Cms + ports: + - containerPort: -211101225 + hostIP: 8v + hostPort: 1994344080 + name: kyMvksZa + protocol: fȞ蚊悘ū錩Ȩ龒ċŴ + - containerPort: -806313867 + hostIP: Ky2F2 + hostPort: 1605736520 + name: oe0nMMl + protocol: 慿)"Ǒ3浹襈}(VE-B³閪叒k1绝 + readinessProbe: + exec: {} + failureThreshold: 1398486074 + grpc: + port: 1157090744 + service: oFrTS0 + httpGet: + host: 5pfrE + port: TJb4 + scheme: 畢î + initialDelaySeconds: -1830121652 + periodSeconds: -1398007905 + successThreshold: 1183454316 + timeoutSeconds: 1797763090 + resizePolicy: + - resourceName: hzxTj + restartPolicy: 渣箢樳掯ȉÏǼ店喘©g + resources: + limits: + zGvF9poISMtK: "0" + requests: + lUp3T: "0" + restartPolicy: '}賩6''V霟足''È''*F÷ƙǕ' + stdin: true + terminationMessagePath: 4tn + terminationMessagePolicy: ɢ荵鯴庡ǁ婛埽猜犝笖á7譃ǁ¦GɖC + volumeDevices: + - devicePath: eGfD9B + name: G3Bd + - devicePath: x + name: TB + workingDir: iKksE1 +extraEnv: +- name: Z + value: 1PasJFATvz + valueFrom: + configMapKeyRef: + key: Out + name: Z +- name: pUN + value: QTGN + valueFrom: + configMapKeyRef: + key: BLzs5FKV + name: xsgY3vBvZ + optional: true + fieldRef: + apiVersion: 5Ng + fieldPath: Psowh + resourceFieldRef: + containerName: pMz + divisor: "0" + resource: "" + secretKeyRef: + key: IY9s0 + optional: false +extraEnvFrom: +- prefix: oK16T1 +- configMapRef: + name: GxM9 + optional: false + prefix: Hj8 + secretRef: + name: o5P67 +fullnameOverride: 9XG3SZW +image: + pullPolicy: k痿蹒 + registry: 3s + repository: kPWhaC + tag: BcBi +ingress: + className: N91gS + hosts: + - host: ucSBH + - host: "" + - host: tmOhOR +nameOverride: tPiY +podLabels: + LBQpbD: AHB4hNVL + ey1GpAHh: fA +priorityClassName: qcIlT +readinessProbe: + exec: {} + failureThreshold: 738983906 + grpc: + port: 832752600 + service: 3tLbx + initialDelaySeconds: -1729478206 + periodSeconds: 902558671 + successThreshold: 989047880 + timeoutSeconds: -402268186 +replicaCount: 173 +resources: + limits: + 0fvc8: "0" + W19cC: "0" + loZ4: "0" +secret: + create: true + enterprise: + licenseSecretRef: + key: cjqTR + name: e + login: + github: + clientSecret: jw6tY22 + personalAccessToken: JvG1jx + jwtSecret: DwgaGI + oidc: + clientSecret: MalR2 + okta: + clientSecret: mDILgPMjOS9 + directoryApiToken: M2ywAiP +secretMounts: +- defaultMode: 442 + name: 3SwG7HrS + path: TLaWLIiD + secretName: VR +- defaultMode: 383 + name: Bfv9SGjlbgN + path: dXXPfK + secretName: T +- defaultMode: 13 + name: wz4K9oIYM + path: YEOA49 + secretName: WzM +securityContext: + capabilities: + add: + - "" + - 鸼ǀɛ_Y + - 利ƯǢ謼Ŀʇ佔4銣 + privileged: false + procMount: 頿ū詁ǎTɁ¯PlFd只鶗ƝǛƤ臃 + readOnlyRootFilesystem: true + runAsNonRoot: true +tests: + enabled: false +tolerations: +- effect: 懻 + key: JifsKW + operator: 檧űÊǮȡ廄儱RəȏĮ顪ÅÞ + tolerationSeconds: 4501363800484543116 + value: KkCBzwToBMjJ +- effect: B囧ƉOß + key: Q3cj + operator: ɲ朁ß栢 + tolerationSeconds: 4944598504260379086 + value: Z5 +- effect: 敘愰ɰuƪ晐 + key: K8wM + operator: ș + tolerationSeconds: 8375376960471889043 + value: TnWS +-- case-018 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: {} + weight: -37659402 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: [] + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + matchLabelKeys: + - ajbCE + - Y0MRgpE8 + namespaceSelector: + matchExpressions: + - key: Auai + operator: ùfƽÜQķɨ逑ʒÅģ + values: + - Q + - key: 1S2Nfq + operator: 臺瑷tƎ鍤p}滳`竦ÙǾ晖ǃʏȵ + namespaces: + - 4GTSAZF + topologyKey: NS733 + weight: -968286112 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: eyt3TPSYPBWDt + operator: e偁&蔄癳.ŚƘ + matchLabelKeys: + - eE7PA8D + - cKalkvb + mismatchLabelKeys: + - Lan + topologyKey: v + weight: -2133598054 + - podAffinityTerm: + mismatchLabelKeys: + - "5" + namespaceSelector: + matchExpressions: + - key: UrrD + operator: ƞ + - key: rkfCsnUcx + operator: ȇ睾¦棌鉝-m糤LPjX.;Ğ× + - key: kla + operator: '"竮壣祠ł9抵墙' + namespaces: + - gyF + topologyKey: ZG + weight: -428742233 + requiredDuringSchedulingIgnoredDuringExecution: + - matchLabelKeys: + - tZZj + namespaces: + - VuG + - I5XU + topologyKey: V2CZqa + - labelSelector: {} + mismatchLabelKeys: + - "" + - q9L4 + - C4YJ57 + namespaces: + - 8xRk06ngy + - WeZO2 + - 7tbTFK + topologyKey: rnpto +annotations: + "": 3E5rtKA +automountServiceAccountToken: false +autoscaling: + maxReplicas: 140 + minReplicas: 91 + targetCPUUtilizationPercentage: 499 + targetMemoryUtilizationPercentage: 324 +configmap: + create: false +console: + roleBindings: + - "": null + DlOD: null + - null + - cDJiV: null + eO: null + qlokva4: null + roles: + - 0E2l1K3: null + pIu5qwn: null +enterprise: + licenseSecretRef: + key: oqyc + name: HL +extraContainers: +- envFrom: + - prefix: EVZ + secretRef: + name: MxD + optional: true + - configMapRef: + name: A + optional: false + prefix: HuqxI + secretRef: + name: A + optional: true + image: SU + imagePullPolicy: 禵7璙p + lifecycle: + postStart: + httpGet: + host: YZMjhOUO8IS + path: nzYfH + port: Fcx + scheme: 矪Q9 + sleep: + seconds: 3463625415546708077 + livenessProbe: + failureThreshold: -560403806 + grpc: + port: 1751268094 + service: I + httpGet: + host: 0Sb + path: Utm2X + port: 395973041 + scheme: 醆蚎忨ŕ縨ƍ爋釬šÒ暺ƒŎO記岣 + initialDelaySeconds: -1011110535 + periodSeconds: -1229381750 + successThreshold: 260149510 + timeoutSeconds: 74546945 + name: e + resizePolicy: + - resourceName: XNKV + restartPolicy: ì焹.¬哄ȾŢȎȴe$p尶m`飻Ȭ + - resourceName: "" + restartPolicy: 閭I哗.寢荨ʪɛ侭ȵ(8 + resources: + requests: + 3nUsL: "0" + securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: false + runAsGroup: -8616852535795885155 + terminationMessagePath: FjZ + terminationMessagePolicy: ÿb熿3,ćp寫ʃ#叺渍ƣș + volumeDevices: + - devicePath: Xvjm + name: 7yLA + - devicePath: 1Ci + name: Y0AloAQS + - devicePath: Gt + name: ZMKKc + workingDir: Mh +extraEnvFrom: +- prefix: hg + secretRef: + name: eLM59WyoAXO +fullnameOverride: ExFU3 +image: + pullPolicy: 螣暛擂ɾ#鏲*胭8饭1胠 + registry: iCFSIwyDtoG + repository: 6V6 + tag: 6uR +imagePullSecrets: +- name: vlnGQbo3y +nameOverride: 1qyLP36T +nodeSelector: + Vckw: ifBZ9p7 +priorityClassName: 6jxv +replicaCount: 297 +resources: + limits: + QZqMxIAt: "0" + SUsu9: "0" + requests: + EMOXCuje: "0" + EzKKMIR: "0" +secret: + kafka: + awsMskIamSecretKey: 8GlUc + protobufGitBasicAuthPassword: IsvQ9 + saslPassword: Vb + schemaRegistryPassword: UJ7Zl + schemaRegistryTlsCa: T1Q + schemaRegistryTlsCert: 17r + schemaRegistryTlsKey: O44 + tlsCa: n8k9 + tlsCert: aK + tlsPassphrase: Qk8 + login: + github: + clientSecret: t6z0n + personalAccessToken: "" + google: + clientSecret: h + groupsServiceAccount: fpuCEFLL + jwtSecret: 7J + oidc: + clientSecret: t + okta: + clientSecret: 3CcKl + directoryApiToken: AZt8H77 + redpanda: + adminApi: + password: NUkb3zIpwAR + tlsCa: t + tlsCert: zttTAvj + tlsKey: "" +service: + nodePort: 270 + port: 415 + targetPort: 489 + type: 2cM +serviceAccount: + annotations: + X7E: CRSzr + lPi: bGP + name: uAvlOXf +strategy: + rollingUpdate: {} + type: ɬ搢.Ƒ躂ɻɅȄ莨qc婔Åå +tolerations: +- effect: č喅Ȳ崥ï{禙ÊÿC逻準?霘2 + key: YJE + operator: 珟 + tolerationSeconds: 3838637075734495592 + value: 1VemeDTEk1 +- effect: 艋Ƿ淛襀|Ǽ&矠Ģ凍J賜ɰō + key: ggxS8L + operator: 閞判ŏ + tolerationSeconds: -2249155605077506227 + value: m3c +- effect: 'Ljə]IŴ:' + key: 4BkJSo + value: Le +topologySpreadConstraints: +- matchLabelKeys: + - uyTA + - rJcqdY3 + maxSkew: 1887613958 + nodeAffinityPolicy: u鞝侠轁蛃6Ơfrt迄ʇQ勭ĶÇǻě + topologyKey: 3f9j + whenUnsatisfiable: µ +-- case-019 -- +annotations: + lgiIA: u + wK8: JrSfKH +automountServiceAccountToken: true +configmap: + create: true +console: {} +enterprise: + licenseSecretRef: + key: Nr8uSKR + name: nucerZE +extraEnv: +- name: pJ + value: whmTukCTD + valueFrom: + configMapKeyRef: + key: OHk + name: "3" + fieldRef: + apiVersion: TSp7 + fieldPath: mEUVMSp7vUo + resourceFieldRef: + containerName: bBDw + divisor: "0" + resource: tIcs3z + secretKeyRef: + key: jIR5V + name: "9" +- name: ZCEPmHP + value: FhwE4R + valueFrom: + fieldRef: + apiVersion: Nv + fieldPath: WMXeIjk + resourceFieldRef: + containerName: Hbt + divisor: "0" + resource: mo7F +extraVolumeMounts: +- mountPath: UF6 + mountPropagation: ĻsŸ氂ǐ钋鮠Ĺ咳渼.pɫ + name: W1LIZa3 + subPath: qdDtjk + subPathExpr: Ew +fullnameOverride: NZ7h9 +image: + pullPolicy: 韃ĝ + registry: GNXgFQ + repository: W3 + tag: 2vPed +initContainers: + extraInitContainers: "" +livenessProbe: + exec: + command: + - Vc01z + failureThreshold: -1736131786 + initialDelaySeconds: 538755540 + periodSeconds: -937262167 + successThreshold: 2014961170 + timeoutSeconds: -614674118 +nameOverride: 8MIg +priorityClassName: FERw +readinessProbe: + exec: + command: + - 96w + failureThreshold: -1936056692 + grpc: + port: 939760843 + service: "" + httpGet: + host: K + path: dIrFM + port: GfrdWiqgUZBPW + scheme: 芧ʒȔ堌 + initialDelaySeconds: -2019126091 + periodSeconds: -1696700553 + successThreshold: 398361977 + timeoutSeconds: -184667912 +replicaCount: 79 +securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - 狞濮噞饅烥H}湛m=U+卓Ǭï呣8Ú + privileged: true + runAsUser: -471077223001866506 +strategy: + type: 鎦v財ɕŪ +tests: {} +tolerations: +- effect: 飝壊%ǂP胅ɂǏ趸疷擁鹒DŽ营風顺z拇 + key: Ku2m + operator: ŲǪFTǗǔȟʥȰȎǎo玼Ü + value: 1u +- effect: 雾Ź歘ɇƇ昨OČƑɎ騨Ŗ=Ì楯 + key: 12vKa + operator: ( + value: u +-- case-020 -- +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - {} + - matchExpressions: + - key: a23jbG + operator: yb庇ɍ闒ǰPâƟVsJu + values: + - "" + - 1lQmmGa8 + - XzVleDXV4YoRc + - key: 3Gwd9r + operator: 4Nj7Ġ$Ea狆Ö絞Ƙ殈廔as知 + - key: 7C4FjM + operator: ɩ.叧¬ʧ倒 + matchFields: + - key: H + operator: Ğų* + values: + - 0i + - qK + - key: 7ocDt + operator: 餯ǚ璗汭槰<ƤƐ評ź膹棅珢ȹ3鮑 + values: + - g5Aa1Hm + - LKNvXrtO + - key: o + operator: ŎJ甧鷓 + values: + - vJQQjLRrqIK + - Isj + - 6EBsy + - matchFields: + - key: H0oh1dBCg + operator: 鉔qƿ氵[' + initialDelaySeconds: 1994767434 + periodSeconds: 1832245274 + successThreshold: 598112607 + timeoutSeconds: 1119900418 + name: "" + ports: + - containerPort: -330026000 + hostIP: lrMGYnI5Nd + hostPort: -823142941 + name: zuZWb + protocol: Ȳ + resources: + requests: + 4gK: "0" + restartPolicy: 腼癋ğÑ;漘傩鶷 + securityContext: + privileged: true + procMount: ʍ/O9*:zb飯Gɱ朵醴#ŌKp9嬡 + readOnlyRootFilesystem: true + runAsNonRoot: false + startupProbe: + exec: + command: + - "4" + failureThreshold: -950017148 + grpc: + port: -1475121627 + service: 8veUJnWU5 + initialDelaySeconds: 2007069941 + periodSeconds: -1193308189 + successThreshold: 22288729 + timeoutSeconds: -1492112511 + stdin: true + terminationMessagePath: HIj0kQ + terminationMessagePolicy: ȔNj + volumeDevices: + - devicePath: M + name: sDeN + workingDir: V +- args: + - "" + - ihLoishU + command: + - 8Jx + - j + env: + - name: IDOQ6d + value: 12G + image: b4Wv84l + imagePullPolicy: n暨e懔)k + lifecycle: + postStart: + exec: {} + httpGet: + host: Zl2z + path: pzUIO + port: faRx + scheme: 痣甘 + sleep: + seconds: -632399399483384435 + preStop: + exec: {} + httpGet: + host: pklCf2clqD + path: wk27n2gw1L + port: Ufz19 + scheme: ɷņƑG m刡Ęj敂鏸eāa + livenessProbe: + exec: + command: + - Ar2msVeG + - Uzq6cRL + - dujaQs + failureThreshold: -1776611485 + grpc: + port: 835455646 + service: t + httpGet: + host: hri + path: "Y" + port: 1115673796 + scheme: ʟɏķLYÆŨŔ+Č`4Đl + initialDelaySeconds: -739643640 + periodSeconds: -343509466 + successThreshold: -1698086578 + terminationGracePeriodSeconds: 1800922741783400611 + timeoutSeconds: 1182031959 + name: Bq5FHOsB11r + readinessProbe: + exec: + command: + - XaJ8ft + - 57jh + - sAD + failureThreshold: -1798651306 + grpc: + port: -1714447694 + service: ETY + httpGet: + host: V5DSH + path: g8Ygrn + port: Yp9d22 + initialDelaySeconds: 1612392972 + periodSeconds: 1418157100 + successThreshold: -1106593780 + timeoutSeconds: -1970400805 + resizePolicy: + - resourceName: 93At9v + restartPolicy: 涭ɍƍ蕂 + resources: + limits: + 9g69: "0" + h20A4o: "0" + jh: "0" + requests: + h: "0" + ub364wL: "0" + restartPolicy: Ǎ\ƽţ(鄑鴋Őńy餲ÍwWÅ + startupProbe: + failureThreshold: -513807271 + grpc: + port: -788679788 + service: 3vt1qVexq + httpGet: + host: As + path: gG3Jyf6fQ5R + port: 1058443669 + scheme: I?ʐɡ湚犭檚蚗į*o + initialDelaySeconds: 2034517113 + periodSeconds: 2103822699 + successThreshold: 343263788 + timeoutSeconds: 264518020 + stdin: true + stdinOnce: true + terminationMessagePath: AAYYpB1c + terminationMessagePolicy: 贌.[ĉ熶7dzRVç^'谣蔨d搇ĺÎ + tty: true + volumeDevices: + - devicePath: "8" + name: KZo0u22qdit + - devicePath: Fahm + name: lmO + workingDir: tGNhx3deFLdC +extraEnvFrom: +- prefix: 7DB9SS + secretRef: + name: 5rl + optional: true +- configMapRef: {} + prefix: hPVGtWNNR +- configMapRef: + name: FYMIJ1 + prefix: TEtFB3 +extraVolumes: +- name: 2LSr +- name: J +fullnameOverride: Wpq +image: + pullPolicy: M鉃裹Ú&蚑ƈñĎdzɢ/Ɲ9Ws棝 + registry: 0aw5q + repository: PTy + tag: fclX4 +imagePullSecrets: +- name: p95GzFm3JP +ingress: + annotations: + aH: YQ3 + className: IPc + tls: + - secretName: Ec4sB + - secretName: txdIkdw4sg8IB4i9 + - hosts: + - ypg9XtRg8 + - "3" + secretName: DNdM +livenessProbe: + exec: {} + failureThreshold: 913752382 + grpc: + port: 1322195744 + service: iQNfI + initialDelaySeconds: -1439870739 + periodSeconds: 178258715 + successThreshold: -1591263857 + terminationGracePeriodSeconds: 2751522374216629585 + timeoutSeconds: -1117637199 +nameOverride: aD +nodeSelector: + WUADh: 2ruBNaWxT +podLabels: + Avs0UCvd6: "" + LSaZFj: "" + N3gEYOpkd: zqsd +priorityClassName: 2v89v +readinessProbe: + failureThreshold: 1842275861 + grpc: + port: -1389426650 + service: 0bSW249 + httpGet: + host: 0T + path: RnP5zy + port: -514153800 + scheme: k*x"!掫瘑Ʀ扄]Ĝʅƭȑ + initialDelaySeconds: -1077422490 + periodSeconds: 666536934 + successThreshold: 1405066396 + terminationGracePeriodSeconds: -3980601911100433183 + timeoutSeconds: 665413705 +replicaCount: 330 +secret: + create: false + kafka: + awsMskIamSecretKey: 48EJ + protobufGitBasicAuthPassword: U4TfI + saslPassword: xbKdWIc + schemaRegistryPassword: C + schemaRegistryTlsCa: vACi + schemaRegistryTlsCert: l2SQ + schemaRegistryTlsKey: QXTWL2 + tlsCa: sxqA + tlsCert: MZR + tlsPassphrase: Bf18k +secretMounts: +- defaultMode: 278 + name: Vk + path: HIDtODq + secretName: ycVDxFmgC +service: + nodePort: 413 + port: 310 + targetPort: 265 + type: uvupqC6hE4 +strategy: + rollingUpdate: {} + type: ü +tests: {} +tolerations: +- effect: ƛ=åM綁塈'Ʈ7 + key: X + operator: Y葞ęŊ6ùųŗQ膼芏棔ĿF綩 + tolerationSeconds: -7958891124471630696 + value: iw +-- case-025 -- +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - {} + - matchFields: + - key: Jdk + operator: '''妋ū摺wȋ½骭枰ux' + values: + - L3vrBo + - key: AJyvPdo + operator: QBǏ揅饹\欤ĩ# + values: + - KA4X87 + - kAynjW + - key: INtaCgB9Suw + operator: '"' + values: + - sT5QAUbIK + - matchExpressions: + - key: B1ivFyT + operator: ıD芌ʪÌʡ6坨LʞQ蓠kl + values: + - ZM3ncD + - MaDZJN23 + - nQDH + - key: j1 + operator: ^{Q唤涭 + - key: FMwYRC4 + operator: 構ÁHƲ)ǹō + values: + - tc + - 5w4tJ + - gNCNm5J4 + matchFields: + - key: pIsVqr + operator: j@RUȃfǘ·ɏ!Ǖ灃Ņǟ + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + matchLabelKeys: + - oNBV + - ZW2Upd + mismatchLabelKeys: + - XpmujYp + - zQUvv + - o + namespaces: + - xAojOZ + - 53d1p + topologyKey: wupaWwF + weight: -813250565 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: hRMf + operator: 璢ɂo豢埆o + - key: gByq + operator: '|藐Ç钃[qȂřÜ{南湹裻ßŗyŪ赉' + mismatchLabelKeys: + - 4aBT9oEi8 + topologyKey: "" + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - matchLabelKeys: + - qDyyFpFgn0 + - qAR2Fz8Jbiq9oz + namespaceSelector: {} + namespaces: + - NKeVvij2 + topologyKey: 7OPEY5MMS +annotations: + 7YN: WjRdnTY + J0Eg: alDk +automountServiceAccountToken: false +configmap: + create: false +console: + roles: + - BU: null + - {} +deployment: {} +enterprise: + licenseSecretRef: + key: 3UhYW + name: Ooxn6uesqBg8 +extraContainers: +- args: + - zj + - Z5D + command: + - QfnH4gn + - B1xl + env: + - name: 4X + value: Bw + valueFrom: + configMapKeyRef: + key: Pdqw0Fl3V + name: v3KgbGdzsLvC + optional: true + fieldRef: + apiVersion: NUZjeNE + fieldPath: 9HRTR + resourceFieldRef: + containerName: p + divisor: "0" + resource: shkxnjmC2 + - name: 2i + value: Zxb + valueFrom: + configMapKeyRef: + key: w + name: WzK6UiO + fieldRef: + apiVersion: GnFqZ3 + fieldPath: W + resourceFieldRef: + containerName: 7JDYpnHIpM + divisor: "0" + resource: vt2RbP + secretKeyRef: + key: yl + name: 36xB2Q + optional: true + envFrom: + - configMapRef: + name: V2xmAgfwBn1 + optional: true + prefix: seW + secretRef: + name: Nt + optional: true + - configMapRef: + name: IluKDPq + prefix: N6Uhe + secretRef: + name: TvN6Z3p + image: 3fh + imagePullPolicy: Ǜmʥ薑ōB愌熹g樿ƒ畬ʙ襫,PD + lifecycle: + postStart: + exec: + command: + - wIfuPiat + sleep: + seconds: 6128979882442257912 + name: 0U + ports: + - containerPort: -975012330 + hostIP: nNpK2 + hostPort: -554886438 + name: aE + - containerPort: -2098096147 + hostIP: FeG8 + hostPort: -651932845 + name: xKI1Tv + protocol: :鿅Ǐ!Ʋ卫_ʕȼʗ壷薮蒰NJŌ + - containerPort: 520035268 + hostIP: GyA + hostPort: -1998834660 + name: PR61 + protocol: ŗ蜥aɝWCb锨ȐsO忷ODž)Ŗʃ觃輘 + readinessProbe: + failureThreshold: 1975710195 + grpc: + port: 8949492 + service: USXa + httpGet: + host: 6J2Mk51 + path: FL4SJXOTR + port: c2vVT + scheme: B哰Hȼ涪Ÿȣę + initialDelaySeconds: 1164971701 + periodSeconds: -1267122769 + successThreshold: -102609571 + terminationGracePeriodSeconds: 6799552209277780019 + timeoutSeconds: -995107635 + resources: + requests: + 2j: "0" + restartPolicy: V牜(p + securityContext: + allowPrivilegeEscalation: true + privileged: false + procMount: '@' + readOnlyRootFilesystem: true + runAsGroup: 8605999305673537166 + runAsUser: 1347603438902927360 + startupProbe: + exec: + command: + - JZX + failureThreshold: 1080874840 + grpc: + port: 1467429214 + service: NWBu1S + httpGet: + host: 4ta7S + path: RcBu6 + port: RapJB5x + scheme: ']襰騊缜ă4蘆Ȓ0礓厨獸枓8D' + initialDelaySeconds: -2008822207 + periodSeconds: -614674587 + successThreshold: -402818223 + terminationGracePeriodSeconds: -7949916801988602426 + timeoutSeconds: 209096121 + stdin: true + stdinOnce: true + terminationMessagePath: KRYz + terminationMessagePolicy: Âǚ凍ʄĒ(#Ñ狶8脍ÅdɅș妙觶.祍 + volumeMounts: + - mountPath: LdSrOQ + mountPropagation: Ɗ?ǚ[澆槱ɢ丗7鍚6A + name: sqOobya + subPath: JZEkD + subPathExpr: eJU + - mountPath: K4kwb + mountPropagation: "" + name: YNNb + readOnly: true + subPath: Z0mne + subPathExpr: ngxE + - mountPath: E2GSzT0 + mountPropagation: ȝ註鴔 + name: fRhgta + subPath: y6Y3BdtA + subPathExpr: P0gcNQL + workingDir: rCAtq +- args: + - tJjzGKfki2 + - "" + - furHsPXM1J + command: + - DK3Wlo2n + env: + - name: ud + value: FOyG7u4mv + - name: YM + value: T8mzKDDU + valueFrom: + configMapKeyRef: + key: "" + name: YlrM + optional: true + fieldRef: + apiVersion: TysS9Olq + fieldPath: RX4 + resourceFieldRef: + containerName: o + divisor: "0" + resource: HVzew + secretKeyRef: + key: moOz + name: 9IePG + optional: true + image: hy6X7dY + imagePullPolicy: 秊q魷讍暳ɁiitǦ梒Ʀ疗ǘt + lifecycle: + postStart: + exec: {} + httpGet: + host: 1bv + path: 3IXIEBTRQc + port: dHTyBrOPT + scheme: hƉǤ\ɯ竔}gŘ + sleep: + seconds: 3802753693240438477 + name: mieVkOhQ4 + ports: + - containerPort: 1406294206 + hostIP: XrMHc + hostPort: 1756733537 + name: xrlM3Cv9 + protocol: ^箅瑦|ȭ,Ī憘ʓ焯 + - containerPort: 1867162726 + hostIP: p8Zguos + hostPort: 1052086554 + name: NCa4 + protocol: Ǽ丝等I塸)kɹ~颁!跼S薒SrM + - containerPort: 1770363328 + hostIP: WPUeJ + hostPort: -1882733223 + name: gAUfp + protocol: u舨[ķ獚m灑朷ƶ慹Ʀ + resources: + requests: + CK: "0" + c6WG16NOR: "0" + restartPolicy: 欣ƎȄŚ&廚FË倔Ŋ寬Lw秮x捨 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - Ƶəʣ饅ōǧ营Sȑ粴ƞȜj嬷俋箊ʫ + - Yǻ)Iƕƺ:檂躡J勬垒ď%ɦ + drop: + - f{2Ƭɢ~lĕ猆å~? + - 曣晜Ȅ笛 + - 牧 =鄅銣閦ʜ(lȏ + privileged: true + procMount: Âȼ + readOnlyRootFilesystem: true + runAsGroup: -5895892166477051871 + runAsNonRoot: false + startupProbe: + exec: {} + failureThreshold: 1512924080 + grpc: + port: -55537357 + service: 9KQ + initialDelaySeconds: 1472203720 + periodSeconds: 1367361112 + successThreshold: -1486557603 + terminationGracePeriodSeconds: 2382050275815801400 + timeoutSeconds: 246291848 + stdin: true + terminationMessagePath: E7wMC + terminationMessagePolicy: h僊冢ʐȑ + volumeMounts: + - mountPath: "" + mountPropagation: uÞ揶椬=L>ȕ凭Śȅ3džȿȳ + name: xYM + subPath: nMMkHAUoYIsN + subPathExpr: 579Yn2LXk + - mountPath: 5z + mountPropagation: Ƀ陪7k惿Ɏǚ霤ƨƱ«ɤ»ȣ薥頠媉fʠ + name: KIX5g + readOnly: true + subPath: CGOswgk + subPathExpr: oxiB23ZW2KX + workingDir: IzOAr +- args: + - jrZTvs + env: + - name: jxl5Q + value: fm2F7DzZA + image: r7sTpTP8N + imagePullPolicy: 眒弿 + lifecycle: + preStop: + httpGet: + host: WEBUk + path: "1" + port: -377365982 + scheme: 娖阋顿|儴Éȱ鋦 + livenessProbe: + exec: + command: + - 2j + failureThreshold: -1631622345 + grpc: + port: -188887701 + service: s + httpGet: + host: "6" + path: 07rm4AD + port: DCtZ5 + scheme: ʼnK襡5殛鯙ȋʛ稲(C姓 + initialDelaySeconds: -1011676147 + periodSeconds: -1141844037 + successThreshold: -1528778970 + terminationGracePeriodSeconds: 422553046190448128 + timeoutSeconds: 99607263 + name: rhg + ports: + - containerPort: 1265703793 + hostIP: lYiq + hostPort: -931710582 + name: r2OdlKyZ + protocol: ŌK4Ʒ霖R婧,Ģ墤ʠ_Ƒ亽vĨO + - containerPort: -1093198499 + hostIP: xHuDhI2 + hostPort: 1423992590 + name: WdH + protocol: K嚜pn犓ɯ`劮ƫķPLm + resizePolicy: + - resourceName: M3EK5NW + restartPolicy: Ɲ囩 + resources: + limits: + 4zeCyo: "0" + PgUjG: "0" + requests: + IseC3: "0" + WHgRSz: "0" + yzZn: "0" + restartPolicy: ijƞ墫噌L诠=脳%Ɗ + securityContext: + privileged: false + readOnlyRootFilesystem: false + runAsGroup: -1074724161449891976 + runAsUser: 8255497511479977438 + startupProbe: + exec: {} + failureThreshold: -1172398717 + grpc: + port: 1919051215 + service: "" + initialDelaySeconds: 2020291403 + periodSeconds: 450860281 + successThreshold: 193397000 + timeoutSeconds: -665894379 + stdin: true + terminationMessagePath: MCVu + terminationMessagePolicy: ŷÍ:+壩ùI賎Rɜ卮cɣS惕mIɭ + tty: true + workingDir: 2L97y +extraEnvFrom: +- configMapRef: + name: Es + optional: false + prefix: sb4Y + secretRef: + name: 5boSPUJ +extraVolumeMounts: +- mountPath: "" + mountPropagation: ė1)ʩ瀚汋跁撯 + name: jFvwz + readOnly: true + subPath: JP5wgP3 + subPathExpr: J +extraVolumes: +- name: Jq0CSftnp +- name: QMHGzzYC2HW +- name: 1PkbzhfK +fullnameOverride: Uo +image: + registry: gFOwHIo + repository: tdq9GJrg + tag: J +imagePullSecrets: +- name: iA1C +- name: ZOdo +- name: qTOK0W +initContainers: + extraInitContainers: UHL +livenessProbe: + exec: {} + failureThreshold: 1473046311 + httpGet: + host: z + path: qQEf + port: -1047428780 + scheme: ȭ龙ğ疹ǜ"ȹȫ怆Ȉiʊ泹牫綖K + initialDelaySeconds: 272400025 + periodSeconds: -1682707125 + successThreshold: -2007433775 + terminationGracePeriodSeconds: 7823760182761119586 + timeoutSeconds: 2024118005 +nameOverride: Mh +podAnnotations: + bHXzf: nOiRsvEXH +podSecurityContext: + fsGroup: -6946946538076897241 + fsGroupChangePolicy: 呆ɔȂwijà + runAsGroup: 3944693697856007637 + runAsNonRoot: true + runAsUser: -732766343758518304 + supplementalGroups: + - -5691922089175975080 +priorityClassName: 0bGHQk7gL +readinessProbe: + exec: {} + failureThreshold: 1554150391 + grpc: + port: -2094102439 + service: 0dg5DO + initialDelaySeconds: -564389480 + periodSeconds: -266349500 + successThreshold: -428571163 + terminationGracePeriodSeconds: -4351299803972335390 + timeoutSeconds: 1803246595 +replicaCount: 345 +resources: + limits: + LxNMXlMD: "0" +secret: + create: false + enterprise: {} + kafka: + awsMskIamSecretKey: SDPuUt + protobufGitBasicAuthPassword: nq + saslPassword: TLAP + schemaRegistryPassword: AFn + schemaRegistryTlsCa: KbZhZV + schemaRegistryTlsCert: dGfweV + schemaRegistryTlsKey: X2B + tlsCa: Zmu + tlsCert: Lv4BgewmU + tlsPassphrase: bCygOn9yJR + redpanda: + adminApi: + password: AE + tlsCa: CEhIkvxe10u + tlsCert: mjaN + tlsKey: j2mDL +serviceAccount: + automountServiceAccountToken: true + name: H5TDAALUdD +tolerations: +- effect: 媄 + key: IQD9Yww8 + operator: bǾå鱍 + tolerationSeconds: -7454358062612206872 + value: odxS1Q2Sd +- effect: Ɣv璔}oȡʞ¤ + key: ySGX + operator: ƪ渺¸貗ȹV廋ȉňu増嬎Ë韍ǘz茩Ƹ怯 + tolerationSeconds: -1083807005557333468 + value: bAy +-- case-026 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: GP94 + operator: 駑Ŀ峇[ɕdž0 + values: + - jjNFKv8 + - uG7Rs + - ApO075 + weight: -549077137 + - preference: + matchExpressions: + - key: R88 + operator: Dzv)bôȏ磜覐橮波赘T^ + values: + - DscaGMdgXV + - uy + - N3d + - key: "" + operator: 誮Vw!/毴Z匌忶ª渆 + values: + - 4mX0s + - key: byy + operator: 鿟y馡錥HJ鶟b左Ő*čt顭塶 + values: + - 6oQ + - 9r22TM + matchFields: + - key: fNLkt + operator: "" + values: + - tW + - M03GnpfhQn + - key: WQQs + operator: 騡(Í芝x焍麅ɰ窓ɶÜò鵹 + weight: 579622465 + podAffinity: {} + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: {} + namespaceSelector: + matchLabels: + IYAfjz: GloAc + namespaces: + - hfFjlR + - KWIdaP11Y + - 3Dn + topologyKey: UB + - labelSelector: + matchExpressions: + - key: B7LSh + operator: ɉ邦夝ɷ1傹Þ袳@ɲ鉴 + matchLabelKeys: + - "n" + namespaceSelector: {} + namespaces: + - 88M + - fIEJUewFK + topologyKey: i +autoscaling: + maxReplicas: 86 + minReplicas: 445 + targetCPUUtilizationPercentage: 362 + targetMemoryUtilizationPercentage: 8 +commonLabels: + "": h0uSAPIi + kuKPk7: "" +configmap: + create: false +console: + roleBindings: + - null + - 9T: null + fxu2XaR: null +extraVolumeMounts: +- mountPath: q + mountPropagation: 跐ʩ4鄧SD炿ɜǚhU + name: "" + subPath: SCLzbAMUW3x + subPathExpr: nzFw +- mountPath: cX8U + mountPropagation: b幈簇@艭K + name: b + readOnly: true + subPath: u5fY + subPathExpr: TRymQ +extraVolumes: +- name: LeIYAb +- name: 176OvjD +- name: b6NpMGfVo1N +fullnameOverride: qhaD +ingress: + annotations: + Lftu: PjroKEh + qvZJNWSzR: Jpoyc0 + className: cAir + enabled: true + hosts: + - host: o + - host: i18Wi + paths: + - path: apsXYvp + pathType: 7q5 + - host: 8eBXg + paths: + - path: cMbMbCQl + pathType: gJT + - path: XvfTwH + pathType: 4se + tls: + - hosts: + - fqD + - JDOgIG + secretName: vzUD + - hosts: + - M6H + - T + - twxgtsi + secretName: lg5siLdo +initContainers: + extraInitContainers: 9KiOC +livenessProbe: + exec: + command: + - 0gsq + - "" + failureThreshold: 1372450161 + grpc: + port: 347104155 + service: Vtf + httpGet: + host: 3Is + path: mFQXEnm + port: -207107285 + scheme: u + initialDelaySeconds: -913177144 + periodSeconds: 912808843 + successThreshold: -765941931 + terminationGracePeriodSeconds: 220495921853460964 + timeoutSeconds: 1174210794 +nameOverride: vLjrafvp +nodeSelector: + ggwC: SQ + rIwToCbB: tUBM5 +podAnnotations: + LtAjph: 8Q + MiPvJub: 0x + j: xR98FRh +podSecurityContext: + fsGroup: -2594082004410587315 + fsGroupChangePolicy: 'ċV1鯍E ' + runAsGroup: -880388195249084168 + runAsNonRoot: false + runAsUser: -9051010573896129766 + supplementalGroups: + - -2777109499517677979 +priorityClassName: JnI8 +readinessProbe: + exec: + command: + - GZAhRFJb + failureThreshold: 1666039794 + grpc: + port: 1689867278 + service: eUJ + httpGet: + host: 6M6GMp + path: hr5gg + port: -751083361 + scheme: 戉窻¦ǃ楓Ëʆ張ǛȤʊLȉŐX5 + initialDelaySeconds: 989921147 + periodSeconds: 536392931 + successThreshold: 1020018972 + terminationGracePeriodSeconds: -955330372102946036 + timeoutSeconds: 1790731281 +replicaCount: 78 +secret: + create: false + enterprise: + licenseSecretRef: + key: yi3 + name: "" + kafka: + awsMskIamSecretKey: J36kR7z6r + protobufGitBasicAuthPassword: xf + saslPassword: jW + schemaRegistryPassword: Z5gF2 + schemaRegistryTlsCa: eGSsHDQm + schemaRegistryTlsCert: NmVf1RW + schemaRegistryTlsKey: DKqtW + tlsCa: 8WuqzUG + tlsCert: yrd + tlsPassphrase: swQ7r + redpanda: + adminApi: + password: mN1ZSR + tlsCa: hrjyEhM + tlsCert: YozBWkwcZ + tlsKey: 1p2 +secretMounts: +- defaultMode: 45 + name: ooYxXE + path: U6f3w + secretName: LyH9zvv +- defaultMode: 429 + name: Hmms9 + path: qzOMXCl + secretName: zvR +- defaultMode: 39 + name: "" + path: dXa6uPxR + secretName: PC2Ms7 +securityContext: + capabilities: + drop: + - ɿX齀蹪 + privileged: true + procMount: Ƚ[孠犥ƶʒ)遷U竕 + runAsGroup: 5229411704597623894 + runAsNonRoot: true +serviceAccount: + annotations: + "": tWl + 5mzy: 4t87VKeHA + a: UqD3iv5LoNYP + automountServiceAccountToken: false + create: true + name: Utu8ZHG2 +strategy: + rollingUpdate: {} + type: I6终j2炅ȲbȻ +tests: + enabled: false +topologySpreadConstraints: +- labelSelector: {} + maxSkew: -154369657 + minDomains: -319419210 + nodeTaintsPolicy: '#Vʅ糗斬ƈ橮IJȶ纀' + topologyKey: dTnKex + whenUnsatisfiable: '@OȤ驮Ʀ琓' +-- case-027 -- +automountServiceAccountToken: true +autoscaling: + maxReplicas: 432 + minReplicas: 265 + targetCPUUtilizationPercentage: 239 + targetMemoryUtilizationPercentage: 130 +commonLabels: + Q0: "" + T4ZmAFi: nfIb0b +configmap: + create: false +console: + roleBindings: + - ElN: null + roles: + - DZcCdT: null + imlLddN: null + - null + - 0MFHoDlkID: null + Xe: null + daS: null +deployment: + create: false +enterprise: {} +extraContainers: +- command: + - WY + - F9X2FePO + env: + - name: MbWT2gynlq + value: S + valueFrom: + fieldRef: + apiVersion: 4msaX + fieldPath: XvlI + resourceFieldRef: + containerName: LEQ + divisor: "0" + resource: oHigE + secretKeyRef: + key: feJnSFqmYy + name: m3lrGM + optional: false + - name: omlZ5 + value: w + valueFrom: + configMapKeyRef: + key: w3iwXnte + name: LqORIZ + fieldRef: + apiVersion: D + fieldPath: bG + secretKeyRef: + key: UeU9m8 + name: 1asSl0l + optional: true + envFrom: + - prefix: HYy4 + secretRef: + name: Q2DTvNx + optional: false + image: jqvBPfz + imagePullPolicy: 庛Ƴ2ɥÔǦ /d2&xȉLJǸAƟ + lifecycle: + postStart: + exec: {} + sleep: + seconds: -1579243177624029331 + livenessProbe: + exec: {} + failureThreshold: 1986638671 + grpc: + port: -1841897347 + service: iUEc + httpGet: + host: CN + path: Dg + port: SYkYMHB + scheme: Ě緷8ĸ)=©ʢ昆ſ9 + initialDelaySeconds: 1029653594 + periodSeconds: 1999066162 + successThreshold: 1106634015 + terminationGracePeriodSeconds: -9022596879374385638 + timeoutSeconds: -809472655 + name: 4D + readinessProbe: + exec: + command: + - iBTD4t + - MY + - Nf + failureThreshold: -1222179068 + httpGet: + host: kgZUkVZPDf + path: hM0yLfiTS7 + port: 846109331 + initialDelaySeconds: 1673719989 + periodSeconds: 1380685354 + successThreshold: -606822450 + terminationGracePeriodSeconds: 2325612573519357970 + timeoutSeconds: 1351631713 + resizePolicy: + - resourceName: KQTh + restartPolicy: 變ȶjȤðʂȈE9ȹɵ礌蓍p殗Ɏ$蟙預 + - resourceName: BATAmUasox + restartPolicy: G寄7]^v腘 + resources: + limits: + 1mn: "0" + 8dnmgn7Vur: "0" + QUXI: "0" + restartPolicy: Ė + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - 餋Ƹ + - ǂnlș + - VLJ2範足诮ÈƋʡĻ + procMount: u¸`TE擴弌/yƦ6帜ǏT鱷潈ř蚒 + readOnlyRootFilesystem: true + runAsGroup: -2334732936143374752 + runAsNonRoot: true + runAsUser: 8673583599260752552 + stdin: true + terminationMessagePath: M934 + terminationMessagePolicy: VF¾弎6a巭ġʥţƟ贯Ǐ飙卮ǥĤȸ + tty: true + volumeMounts: + - mountPath: DzNFL + mountPropagation: 单嶃ɠȕƢ砩寢烕TnǣɅƩ帳 + name: "75" + subPath: Up5FB + subPathExpr: 6nD + - mountPath: qj1c9JPX8 + name: 1K + readOnly: true + subPath: H + subPathExpr: LEVSxozubwU + - mountPath: Ll8X + mountPropagation: '@ï禺pƱ=庶ŊJĤ那[:晙dYĸ獘' + name: PGcOpQ3CM + subPath: 1eBZtMIP + subPathExpr: CRyBKRO + workingDir: s +extraEnv: +- name: k7DjEACXyN + value: Pa4mYEUC + valueFrom: + configMapKeyRef: + key: "" + name: RHdV76r + optional: false + fieldRef: + apiVersion: wxIgM + fieldPath: aBDwplYtr + resourceFieldRef: + containerName: xIL7REN8 + divisor: "0" + resource: QCgp9k + secretKeyRef: + key: ag7Jr1e0 + name: I8vGzsJX + optional: true +- name: pG + value: yTh3djvsV +- name: fjV8k4J8 + value: KHKYS + valueFrom: + configMapKeyRef: + key: DFyBHQO + name: s + resourceFieldRef: + containerName: vd0tsh + divisor: "0" + resource: IgH + secretKeyRef: + key: F + name: a34HcjMyaQ +extraVolumes: +- name: "n" +fullnameOverride: 61hunk +imagePullSecrets: +- name: jkqm +ingress: + annotations: + "": ZtbWlWc + y1ML9Hmg: d6h9 + className: Ijdd3 + enabled: true + tls: + - secretName: x + - secretName: aSf1 +initContainers: + extraInitContainers: vN +livenessProbe: + exec: {} + failureThreshold: 302661968 + grpc: + port: -418561550 + service: kQV1xc + httpGet: + host: UlBEGBj3 + path: qjxTH + port: n7 + scheme: '''(旆PT馷J溠F斃ɦ娴含Q嘱\t9' + initialDelaySeconds: -1367097431 + periodSeconds: 2073795341 + successThreshold: -1800407036 + terminationGracePeriodSeconds: -3519876905947517853 + timeoutSeconds: 1644960855 +nameOverride: h9P +nodeSelector: + B1PiWrl0VUETb: x + DhTxFTV: 3O4Y106 + i8QiXusZ: YBeiJfZK9g +podLabels: + Zrl6: 0D0M + wbG: ZcWnb +podSecurityContext: + fsGroup: 3334237787347678751 + runAsGroup: -5325418670707949502 + runAsNonRoot: true + supplementalGroups: + - -2717337443247240979 + sysctls: + - name: "" + value: R +priorityClassName: bpi +readinessProbe: + exec: + command: + - xz + - e2gf + failureThreshold: -1765420422 + grpc: + port: 879468582 + service: bqFsvC9nR0 + httpGet: + host: CrL + path: 9Jt + port: 7Y + scheme: )ǔ軛醲]8z傏$荸觖稄鱑Í朹s狑Ȱ螪;ǃ嘲 + values: + - gIlS + - 5lD7AvT7I + - "8" + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: hi0zfFEN + operator: 裧禿 + values: + - SymXRnv + - iKr + mismatchLabelKeys: + - wesfXhv + - Z78yvK + namespaceSelector: + matchExpressions: + - key: jqHt + operator: ûų:碃;ė燱5ìb-垢xźɆ + values: + - u8cOuqy + matchLabels: + "8": nCrnu + Fd: 5YhLJD3 + r5sMi70hp4TeB: KrDX7d + namespaces: + - LOH + - 9EvOI7HWh + - 5sHJp + topologyKey: "" + weight: 403248696 + - podAffinityTerm: + mismatchLabelKeys: + - Vrf + namespaceSelector: + matchExpressions: + - key: 5w + operator: '|泀ŏ咙ƚ' + matchLabels: + 4vRvwhR: Nz + T6uTCUGiwx: lS + ZuFER: Db8xhFevK + topologyKey: K7NA + weight: 249855905 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: No2 + operator: Ɗ]鿇躠骐 + matchLabels: + 7nohEoAMei: WrMV + ddLK: 2ehkh + qtrhf: EAAqHFcrjgT + mismatchLabelKeys: + - DrrBoq + - Nh + namespaceSelector: + matchExpressions: + - key: BEXHPr1wQ + operator: 傝魦voȪwć撈 + values: + - i3 + - gUU + - 7nmbvkGs + matchLabels: + Rh65F: rKR + namespaces: + - 1x9DGG + - xKj137E + topologyKey: CSNQy1M + - labelSelector: + matchExpressions: + - key: psq4G + operator: ɓƦ + - key: 3IlNf + operator: ćȬ4鏉1, + values: + - L0 + namespaceSelector: + matchExpressions: + - key: nVgt + operator: ɤ湿ŭò-ɋ鼴)箥Ȅ鋖ʄBK + - key: GD7 + operator: 峄9ƚ涙閉ʃ謩云飠:鎂玚wƁȖ] + values: + - i8cg6A + - TeOYSsj + topologyKey: rEB + - labelSelector: + matchLabels: + s0PrY366si5H: Qwj + ytBgNf0: e + mismatchLabelKeys: + - eylzvu + - q + namespaceSelector: + matchExpressions: + - key: os4H6DpxQ + operator: 5õċ鋵葿葄痄ɍ览逪ȋ`j + matchLabels: + vL3arho: gPmLG + namespaces: + - PjQTIWTFeK + - g5HCelWpMjnF + - QN3mXW + topologyKey: I5osiWTrzhb +annotations: + WVwaqt: gTMC + s6HZpOA: bc0 + sZaCXy: LXRQNTghxb1 +automountServiceAccountToken: true +autoscaling: + maxReplicas: 404 + minReplicas: 186 + targetCPUUtilizationPercentage: 200 + targetMemoryUtilizationPercentage: 383 +commonLabels: + HzuQ: mCfbHBQ + xi7L: ibI45 +console: + roles: + - null + - null +deployment: + create: true +enterprise: + licenseSecretRef: + key: 8MG + name: 83OH +extraContainers: +- args: + - K9 + - 02olyp + env: + - name: F + value: rhVGTadjT + valueFrom: + configMapKeyRef: + key: 3TA0cg2R2 + name: DLZ + fieldRef: + apiVersion: s + fieldPath: Ux + resourceFieldRef: + containerName: avop + divisor: "0" + resource: itl5J4xK4 + secretKeyRef: + key: Av9eKok + optional: false + - name: QaOLYDLT + value: FQu + image: 1MFnpZG + imagePullPolicy: 脓 + livenessProbe: + exec: + command: + - lH4S + failureThreshold: 1311534645 + grpc: + port: 1048835191 + service: p5EtELTs + httpGet: + path: Zjrv + port: Ypah5av + scheme: þʙ龠ȉ%Vę皓ŏ蟝ǙĿìɋN + initialDelaySeconds: 1980070741 + periodSeconds: -728109708 + successThreshold: 1412960079 + terminationGracePeriodSeconds: 4797597904045467368 + timeoutSeconds: -1164059804 + name: oron + readinessProbe: + failureThreshold: -1734715333 + grpc: + port: -673781482 + service: 20iHh + initialDelaySeconds: 270804414 + periodSeconds: 1240219458 + successThreshold: 957649997 + terminationGracePeriodSeconds: -7921460752123720147 + timeoutSeconds: 2069469191 + resizePolicy: + - resourceName: M29 + restartPolicy: tL + - resourceName: WK + restartPolicy: T軂>ȋ1觫蚴Ș + resources: + limits: + KS: "0" + ZDx: "0" + kIjQHQZ: "0" + requests: + BSB: "0" + restartPolicy: LJW獮 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ɺ嚹晐囕胐ƻ + - ņɹ桴O塾q6賤呋f铰}Ʒ輽ʁ[顝 + runAsGroup: 6868723237582569296 + runAsNonRoot: true + runAsUser: 433131246318901172 + startupProbe: + exec: + command: + - mB6 + - Om9w + - "" + failureThreshold: -1184477652 + grpc: + port: -1276243610 + service: m6d + httpGet: + host: VzPuwIiTpY + path: C + port: 0NYj1C + scheme: V=@彆鈂t³Ɉµs斾m蛊ɲ + initialDelaySeconds: -898287287 + periodSeconds: -413255468 + successThreshold: -1510482870 + terminationGracePeriodSeconds: 4884332649151510354 + timeoutSeconds: -1445193311 + stdinOnce: true + terminationMessagePath: DQTH7 + terminationMessagePolicy: ÈɁ;ň);ɑI×ĕ觫'ɣ + volumeDevices: + - devicePath: v + name: AZ6wCimJFM + - devicePath: ZtIx + name: GFe3 + volumeMounts: + - mountPath: tt + mountPropagation: 侮E墝調cé攊疀" + name: UJ + readOnly: true + subPath: JlqP + subPathExpr: lA2v + workingDir: OV90 +- command: + - 8jHRuz + envFrom: + - configMapRef: + optional: false + prefix: yfl3PI + secretRef: + name: r7eR + optional: true + image: m4Etaoz8Bf + imagePullPolicy: okÛļ閷YƗzƄǧ + lifecycle: + postStart: + exec: {} + httpGet: + host: zu9aQLsX + path: xIFogzAoC + port: 1MjUE + scheme: 斔疏ʟn菝 + preStop: + exec: {} + livenessProbe: + failureThreshold: -1399917612 + grpc: + port: -876522011 + service: 2y + httpGet: + host: X9nNdf + path: 8mVJlz + port: 220487349 + scheme: 兇)hr裳ǔ湟钑>ȓn厠tū晣颊 + initialDelaySeconds: -968878635 + periodSeconds: 411754743 + successThreshold: 2083381130 + terminationGracePeriodSeconds: 2736468416107855115 + timeoutSeconds: -423937148 + name: Or + readinessProbe: + failureThreshold: 1628351372 + grpc: + port: -1466105410 + service: b + httpGet: + host: 8kOz + path: IhSlrBw8tiX + port: 1Vd + scheme: qV·dƖ> + initialDelaySeconds: 735135195 + periodSeconds: -175995819 + successThreshold: 1379601279 + terminationGracePeriodSeconds: 386635447886660712 + timeoutSeconds: 125503732 + resources: + limits: + LuudLJ9i: "0" + iXpYUWY: "0" + mHi: "0" + requests: + XLnFU: "0" + mSq9e3u: "0" + t6WYwzmga: "0" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - ɭ鎣肪綢ȀNj8)屫鈄骸嗢æ憰qWTƶ剡 + - "n" + - OwkʙƝk}ɾ丧< + drop: + - Ť<嶼ȯ愉9宆嵧pɡ%ɐxė鹞鸵鏞 + - ƅgʆ炊ƞąÙ$Ǯ帶SȔ黌畕ǦƖȫV9 + - Ŏʠ羮ɍ痘摬 + privileged: true + runAsGroup: 5710532895986022625 + runAsUser: -7207500526873245606 + startupProbe: + failureThreshold: 2053062827 + grpc: + port: -1076044334 + service: s8s7 + initialDelaySeconds: 7348194 + periodSeconds: 889500482 + successThreshold: -645465298 + terminationGracePeriodSeconds: 4356974427366499939 + timeoutSeconds: 136481601 + stdinOnce: true + terminationMessagePath: t4pW + terminationMessagePolicy: ƣ + volumeDevices: + - devicePath: Df8O3UFZ + name: QL93u + - devicePath: WKg + name: nD4H + volumeMounts: + - mountPath: xs9 + mountPropagation: e羝ș+oũ蘘汉 + name: grr + readOnly: true + subPath: aUYSuUM6f + subPathExpr: mm773yL + workingDir: o +extraVolumeMounts: +- mountPath: P + name: zBgE7HVQ + subPath: hw6PBLgv5R + subPathExpr: YAI5mPj5 +extraVolumes: +- name: "" +- name: SXJ +fullnameOverride: HK +image: + registry: nZ5PG + repository: 5q2qCT + tag: z10JAfCu +ingress: + className: fq2w +initContainers: + extraInitContainers: DVbGC0v6g +livenessProbe: + exec: {} + failureThreshold: -1989869025 + grpc: + port: -580257384 + service: xF + httpGet: + host: EFelM2 + path: NL + port: -1619787350 + scheme: eƌ閽2溧估槞 + initialDelaySeconds: 56050789 + periodSeconds: 193173949 + successThreshold: -1606638368 + terminationGracePeriodSeconds: 9170924509557781641 + timeoutSeconds: -1117024654 +nameOverride: 3Wh +nodeSelector: + Jy9: v + VcMeUW2U: xOwcDQYY + wkI: TbemvxUUg +podAnnotations: + IVy: ho3qpcI +podSecurityContext: + runAsGroup: -9040107238323408835 + runAsNonRoot: false +priorityClassName: sLkcwZ +readinessProbe: + exec: {} + failureThreshold: -509957017 + grpc: + port: -1088874416 + service: kVlcoq + httpGet: + host: yJj + path: SWu6bW + port: V + initialDelaySeconds: 1816814831 + periodSeconds: 406466643 + successThreshold: 450108513 + timeoutSeconds: -1862950899 +replicaCount: 385 +resources: {} +securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - 邻ȸNJ"纴ý汫篤訙铵寄貹Z[逗ą弣 + - lǀ敕ɖ + privileged: true + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 3375680259081538534 +service: + annotations: + 33Yi: tesf5 + nodePort: 286 + port: 389 + targetPort: 52 + type: sIQBZD +serviceAccount: + annotations: + 0E6ZFg: nO7Yr55 + 8JN3: B + create: false + name: 43zobnL +strategy: + rollingUpdate: {} +tolerations: +- effect: 蜆³Ə抴璖獍ä鷲炥/=霒0ǷU伀稂ı + key: EMvrrkeG3 + operator: Ȓǒs夃Ȑɉ鋄蛓m÷,旂 + value: yd +- effect: 旌;"ȡ媟窐:ljʥh蓭殰Ȩƴ邃ȬIȻL + key: n87GpiB + operator: '偵~ȥʢȈ珎ſ龕5sʠŇưT4-§Ƀ ' + value: TUaznROmQffrRe1 +-- case-030 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: i3NrGin + operator: LȜɯı偎鵬ćƾ輨ɒ诏Ƞ韾ʂɅ袅 + values: + - ceEnH + - hk + - key: NcZdG + operator: 4# + matchFields: + - key: iJJ + operator: 椤甏Q"dč膌嶁ŵ + values: + - pqbO2v + weight: -888291486 + - preference: + matchExpressions: + - key: 6yk + operator: +[`¥鯦Kqlǣ詆繉ĔNjUƆ + values: + - 9jizdnZ + - 1HUyNhM + - qxDTvf + matchFields: + - key: hCPEY + operator: Ɇ>隣,讽鬓捍+瞶媘暺ɭEƙ + values: + - Ripsc + - CqS + - key: DVFDiRmz7 + operator: U[ + weight: 1468051205 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: v + operator: 舘LJwMa煗 + values: + - 8yax8 + - acSVUNTfJ + - "" + - key: oeJI7K + operator: Ȩ岵Ư塠ŕ惆^ȹ]Ǥ(蓂心[6 + values: + - VT3avr + - 1sP4V + - key: INgeGc + operator: 7ȋ_ƫ俾NīÂ缷 + values: + - K6yWR + - matchExpressions: + - key: s + operator: ǖ鱝U9y,ijO<ǯŹ斔ɥɍQŝŘ + values: + - V7Cj8gd672O + - Jxq7EqU + - "" + - key: gYq6n + operator: J30ǂ涉Ǖ絜拃Ȃ隰韤Ko + values: + - cFfLM2a + - cmwJ5 + - NvVSgzPk0K + - key: ha1vIvxMS + operator: 鹶ƦÍR\Y + values: + - kno2LivX + - ZBSIfmJ1 + - Xy + - matchFields: + - key: cGJbcb + operator: M$铯但ƙ崍0塁7ɔ籇ȏč3ţħ + - key: t9tN + operator: ĴĹApŰƎyģ+7ɬ5 + - key: q + operator: ĂǮȅ魥ď疪@ɓ擼 + values: + - GHyvS63U + - lupcwbTbly + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + q: oY6el1mi0 + w: C7Cxyx + matchLabelKeys: + - HMg6IP + namespaceSelector: + matchExpressions: + - key: Crz + operator: əɃ笕P頔ɾ絿ɟ秜Ć冦Ǒ钹圤|讪ɩ + values: + - Dtei + - 1zhZl + - bd + - key: RjH6F + operator: æ監F箂Ñ9 + values: + - n91j6BXw + - 3RLy + - m + namespaces: + - N0Oqq32Q + - TJpJ52Je1Ikj + - "" + topologyKey: HeJdmR + weight: -259316091 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: R + operator: 麦谐ƺɐqNJ7篐瘘ƊƧR菴qȃ + values: + - 8p + matchLabels: + WW: GL0oC8Fkf + mismatchLabelKeys: + - cdHA3 + namespaceSelector: + matchExpressions: + - key: ar9Y3Br + operator: pK屨鑊聫翶鲔举腏熝ɴ鷏žŝ + namespaces: + - U9UV + topologyKey: cpw + weight: -400075332 + - podAffinityTerm: + labelSelector: + matchLabels: + hYm: "" + mismatchLabelKeys: + - fCOHEas + - uHnZlu + - zhGS + namespaceSelector: + matchExpressions: + - key: HZEOkit1i + operator: '@ÍȪ蟔ʖ' + values: + - t9Xj + matchLabels: + "": so + topologyKey: "" + weight: 2103394856 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: 5LP9ZW14 + operator: "" + values: + - O4Urq + - key: f3f + operator: õǷ膀3堢ƧŸ + values: + - GJnsN0 + - key: MOJiCs9Qi + operator: Ȥ:危L昝×秲d3ğd曱窸 + values: + - 3keSh + - Uyy + matchLabels: + R: dUyJ0OOVapc + mismatchLabelKeys: + - Xjqx8f + - I5k + - wq0 + namespaceSelector: + matchExpressions: + - key: UP + operator: ȡ畅fȐiú鍿6+襄懬Uċ + values: + - NmZvVOQ + - key: P0hfM + operator: 黣`倴Ŝʪ鰷淸 + values: + - 0GsglT + - MMOe + - uU7Q9 + - key: qnv + operator: æ钹eťǧI薶瘃預ʑ歪yʖb7IwɄ + values: + - McuTAiUq + - XvSAD + - 4e9Vd4vq4 + matchLabels: + "": 4O2glzZ + namespaces: + - wblXzeT2 + - qKILJo + - lPV + topologyKey: Jnwfpfk + - labelSelector: {} + matchLabelKeys: + - tMph8mi + - Ry31wp + mismatchLabelKeys: + - tBHze4gtm0s + namespaceSelector: + matchExpressions: + - key: RpYdzfZ + operator: 攆KRɮõ涸WæĥŽ¡犇fʼn利$蘁干 + values: + - 8Pxd + - V50 + - key: I0O + operator: w"ʈö褥屑ɣAR(憍Nj松趯ĩȁ + values: + - "" + - 6yt2J + - key: fR7 + operator: GǼ舿 + values: + - gP + - LxpC1 + - brLBqM + matchLabels: + "": D5eSOeauL + namespaces: + - xrd20T0 + - GVD45 + - UU3YxE + topologyKey: augu3G + - labelSelector: + matchExpressions: + - key: c17UgoCbg + operator: -蟁楉mƸ赢UȇEŏ + values: + - cr + - CSYe + - key: FM6GBGy + operator: ;疩Ȯ慫ʂy_Ɛ碷ʩʀđ忮 + matchLabels: + Q4hS: 2Z + w: pvyR + matchLabelKeys: + - PLi + - G2W4IV + namespaceSelector: + matchExpressions: + - key: 8Z + operator: Ȩ卭閃N弲ʠǠ驯Ɩ8Ýʊ + values: + - rEFXZ1 + - oXxjjBM + - iovjqaN7g + matchLabels: + 3ZwMBixAo: QeYp0O + topologyKey: AH3A + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + 7hX7: uCFlimRES0ZJ + matchLabelKeys: + - CxxMt + namespaceSelector: + matchExpressions: + - key: Xra0M + operator: ʙƤ潯ɔ + - key: "" + operator: 8媮­Ů籌<ǫ + values: + - RsIq + - wqR2cm + - key: ottvJh4 + operator: ¢M&<叇誆戛!Ʒ"(Z氇z錉¬$ + values: + - 5sMUIY + - SV + matchLabels: + iciKwm: xkq + vPG: oQs + namespaces: + - AtM4 + - rZdQ + topologyKey: 9FnG + weight: 1109931313 +annotations: + 5ya: nNowhQY2Bp +automountServiceAccountToken: false +autoscaling: + enabled: true + maxReplicas: 10 + minReplicas: 306 + targetCPUUtilizationPercentage: 227 + targetMemoryUtilizationPercentage: 477 +commonLabels: + T: f0 + jwrBMvwfg: K6I5HsI5 + nk8eJc: nS +configmap: + create: false +console: + roleBindings: + - E: null + W67WBz: null + nYCT7q9: null + - 2S0: null + Nx24C: null + WacOKFS1: null + roles: + - i5oc: null + - {} +deployment: + create: false +enterprise: + licenseSecretRef: + key: ZJGo + name: oxACi6X0cy +extraContainers: +- env: + - name: rV6MouQf3 + value: E21XoHIB + valueFrom: + configMapKeyRef: + key: LDu + name: Flu + optional: false + fieldRef: + apiVersion: Rc8broTqb + fieldPath: "6" + resourceFieldRef: + containerName: VPb + divisor: "0" + resource: PUL + secretKeyRef: + key: xwKJr5 + name: 8K3IIl70g + optional: false + image: d3e1 + imagePullPolicy: 梅E垉丿ȁƘg/§Oaq嵌艷ɖ½飚 + lifecycle: + postStart: + exec: {} + httpGet: + host: WyIob + path: sVvxO + port: SivnsYEe + scheme: Ǖɜsk煨a% + sleep: + seconds: -5241114468416153504 + preStop: + exec: + command: + - h0 + - PbwM + - xML1a5IbGl + httpGet: + host: i8l7K + path: v0TIlzugj + port: UO1j5 + scheme: 痍´荭鲪 + sleep: + seconds: -5262918982231100330 + livenessProbe: + exec: + command: + - MAKziqqn2 + - RtC + failureThreshold: 301723627 + grpc: + port: 1522990624 + service: Y2uF8U + httpGet: + host: 8E6hLWDfL + path: ptr + port: -819495670 + scheme: 畊傲Ā5ʇġ杭ăïƺƢh]薰 + initialDelaySeconds: 975121998 + periodSeconds: 1462200965 + successThreshold: -1868145610 + terminationGracePeriodSeconds: 438373319570860757 + timeoutSeconds: -992167018 + name: xGfw + ports: + - containerPort: 1210092140 + hostIP: aXzKT + hostPort: -1118392417 + name: A5VIRuB0ki + protocol: 巔B兓汳LDŽ5ǒʛ岹璜ʂá&Ɠ + - containerPort: -1184047055 + hostIP: nLlzZ + hostPort: 1916025056 + name: CSeXd7M + protocol: 朿! + readinessProbe: + exec: + command: + - AfVsN7lM + - SoZ + - yZ2uB93C + failureThreshold: -1305050809 + grpc: + port: -1574571534 + service: vhf8x + httpGet: + host: 2zqRpIh + path: ZRe + port: 1109632462 + scheme: '*h嶳椗痢%īƺ' + initialDelaySeconds: 157767030 + periodSeconds: -538159566 + successThreshold: -909232559 + terminationGracePeriodSeconds: -1089882796882580867 + timeoutSeconds: 1392958383 + resizePolicy: + - resourceName: JCDaktfU + restartPolicy: 鈇Hƣv蘺 + - resourceName: "" + restartPolicy: 魔ţv毇俺ɚ + resources: + requests: + DA9: "0" + XdW14: "0" + lUcQG: "0" + restartPolicy: 淣遦髺tMőƤ橷僟 + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - 兪q6赀覱勯痜.I膴6+V旱Ő佀 + - 焤Ċʐæ舁ŕ齸Ġ + - uo妿Iǥ2JǟAŊ訖ʆD + privileged: true + procMount: Ɋ胘ſȾ鞣殦ơɧ­ǶǴU譶 + readOnlyRootFilesystem: false + runAsGroup: 5199515302292266073 + runAsNonRoot: false + runAsUser: -7335995488954570305 + startupProbe: + exec: {} + failureThreshold: -777300462 + grpc: + port: 2095052331 + service: bfVTOPN1hv + httpGet: + host: Kp + path: b1bcG9oDl + port: 1383634294 + scheme: 谳涿v衃$Ơʓȳ浲呯 + initialDelaySeconds: -1373123738 + periodSeconds: -1183287381 + successThreshold: 685684993 + terminationGracePeriodSeconds: -4093444870298300516 + timeoutSeconds: -1903691809 + terminationMessagePath: olo1u + terminationMessagePolicy: 怚PʢŸiųŞv嶷宇ƏȌ¥ƀ + volumeDevices: + - devicePath: qFB10P + name: "" + volumeMounts: + - mountPath: YW9lWgZeNE + mountPropagation: 鰛8Ȗ×ʞ + name: Tot + subPath: Ty + subPathExpr: spiOgT0A + - mountPath: SgUmz6Q + mountPropagation: Ă別Z醰棘纀C蘂× + name: ddMHT + readOnly: true + subPath: 8J3YB + subPathExpr: K + workingDir: OQ4 +- args: + - bAsse7O + - u + command: + - MzlyVYHO2w + - oRBJF + - Nafr + env: + - name: U + value: RNGsZ + valueFrom: + configMapKeyRef: + key: YX6H + name: ab92 + optional: true + fieldRef: + fieldPath: 1SR7mfWfzFL + resourceFieldRef: + containerName: C92ipM + divisor: "0" + resource: x4S7 + secretKeyRef: + key: WhzPa + name: lAvfz + optional: true + image: nP + imagePullPolicy: ǫyɮȯ + lifecycle: + postStart: + exec: + command: + - ucft + - K8XaCG + httpGet: + host: rza + path: JhnYc + port: e0 + sleep: + seconds: 6253871176572388811 + preStop: + exec: + command: + - Uiuiougu + - "" + - 3Gx5Gu + httpGet: + host: VQzMXk + path: ws + port: -474919374 + scheme: w媦÷帹ȅW閫ĭ# + sleep: + seconds: 4571098797230986244 + livenessProbe: + exec: + command: + - pHp + - MDPb7 + failureThreshold: 871873843 + grpc: + port: -422130433 + service: nC + httpGet: + host: M + path: p00iJRicrG + port: bS0X1wo + scheme: m鈎Z趟樥R%飅 + initialDelaySeconds: -604803912 + periodSeconds: 1886242291 + successThreshold: -1386436865 + terminationGracePeriodSeconds: 3067492874024630757 + timeoutSeconds: -1583378445 + name: Si46O7YRR + ports: + - containerPort: 1700510643 + hostPort: 251260843 + name: JkZyRGNq + protocol: ȅz,ǹ昉 + - containerPort: -1859013382 + hostIP: NHKaXL + hostPort: 831309722 + name: y9vWUO + protocol: ʡƊX| + - containerPort: -2125300283 + hostIP: jj3qc4 + hostPort: -278349921 + name: Aa + protocol: 耛v6]jç錛洘¶緛uȁ竿 + readinessProbe: + exec: + command: + - "" + failureThreshold: -784645974 + grpc: + port: 1390591548 + service: "" + httpGet: + host: lNyXDdzed + path: W9q4gnCB + port: 4YUq5drSLjLPw + scheme: 唡家調Ô蘓狥ć4^謋遭ŧ厑Ƕ¤ + initialDelaySeconds: -315867707 + periodSeconds: -1221044118 + successThreshold: -2057597685 + terminationGracePeriodSeconds: 8064296597671882818 + timeoutSeconds: -1128414965 + resizePolicy: + - resourceName: MA + restartPolicy: tÜ榋ɼ + - resourceName: bwI + restartPolicy: 斪4瓏鍣ĊYƞ睽%ü劘ĥÑC­ + resources: {} + restartPolicy: ǫ歩ʏ朄DŽ8Ǫȩ;毆|ȕ潆Zʚ輘殈ɔ + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - '*驲' + - 纒寻$KŞ菤Ľ恎eɈ鏽 + - ě宭`羧\LƝ攅嫜ɫʡɞǍ緭p誂 + privileged: true + procMount: 楛钞óŰ)5鞊tY榋肦Ȓ + readOnlyRootFilesystem: true + runAsGroup: -3200847944437364683 + runAsNonRoot: true + runAsUser: -5188355058620722927 + startupProbe: + exec: {} + failureThreshold: -718122732 + grpc: + port: -2045013242 + service: Zg34 + httpGet: + host: slqfokZ + path: SlStyexr + port: 101605170 + scheme: Ȅ.隊ou纾ƙŨ`aʭ + initialDelaySeconds: -467990622 + periodSeconds: 446042771 + successThreshold: -504446684 + terminationGracePeriodSeconds: 1811254130314346303 + timeoutSeconds: -1983992134 + stdin: true + terminationMessagePath: zLDb + terminationMessagePolicy: ōe谕ńg"qy暵ȵ抷¬Ʃ蔚盓 + values: + - tQP + - lAyg + - "" + - key: qaIUADOI + operator: '&Ɗ³ĵLJ鎌ɝǏ縉j' + values: + - 6ot8DTU + weight: 969637277 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: j9Rzed0C + operator: Ò + - key: 02b + operator: "" + matchFields: + - key: "0" + operator: 9Š篅)笕Õ^ɤ疫ɜȬ + values: + - "n" + - key: 96k + operator: 觱踊ĝğOɎʁ胳}$g鄈ʮ誦Ň鱝炠抡凓 + values: + - pJdgL + - 00uMch + - key: pz1WHTJ + operator: 濐r! + values: + - i4rsr5 + - PI8GPtiCkkahh + - matchFields: + - key: oTjdt + operator: $ƹȔLj硍čȒŪ涏ȰŞdų悋ĶA + values: + - KOyvX + - 6JNFdnH + - e59WgamF + - key: lu3OH + operator: ǽəơȽĬt嶫cŭ + values: + - 9SKaOYPiL + - 1ioL + - pZde + - key: Jd6LB + operator: ']洔璗3NZ貦ʞ%ȮǵȺ絥ņ' + values: + - dKyLtzFaqg + - yCg + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: siTiGS + operator: ʐȱe峫LJ鐻cȚEqkwt!ģ + values: + - "" + matchLabels: + Aj: V + P5zpV: 8hC + mismatchLabelKeys: + - 4wtTpNGnV + namespaceSelector: + matchExpressions: + - key: K2ZsAt + operator: 妗巪Wɱ鲵Ǯ洭 + values: + - jxl5gm5E + - X2 + matchLabels: + ly6r: 9k + o0G: "Y" + namespaces: + - Q + - XpXqm + topologyKey: Qrt + weight: -1221853228 + - podAffinityTerm: + labelSelector: + matchLabels: + Jc9: Ftx4sR + Zi0PNgVi: EUuTsR + dQt607d6aSO: RSEoObj9yY + matchLabelKeys: + - odAAyA + - ZUwkRz709gR + namespaceSelector: + matchLabels: + Ag0Kix1n: laC2fYO + topologyKey: izD + weight: 600976747 + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: {} + matchLabelKeys: + - QRHiPYut + - KfMAojY + - Vww + mismatchLabelKeys: + - TTnksi7Ob70 + - gGyPv + namespaceSelector: + matchExpressions: + - key: XYpda + operator: q砐ʌƭʩ烬P§Ǩ + values: + - k7 + - SKn + - eefGAA + namespaces: + - ZYe + - nivMj26 + - OhZ6 + topologyKey: xIpuYH7 + weight: -1130732649 + - podAffinityTerm: + labelSelector: + matchLabels: + ApF: Gsyd94h39Q + H: r + mismatchLabelKeys: + - aWHz7q + - xuzLo + - 5ASY1R + namespaceSelector: + matchExpressions: + - key: Zg + operator: 篃b + values: + - vh + - Rgd3V6 + - key: PNqIEbD + operator: \Ų叢T'ɰď乁ʤ駧ɧ + matchLabels: + ugZKNnsp: bUttL + topologyKey: GRNlK86 + weight: 1964668305 + - podAffinityTerm: + labelSelector: + matchLabels: + t2lvLczlk: um + wjQbQIYB: zsr5i + matchLabelKeys: + - "" + - 7H2Kg1N + - NE + namespaceSelector: + matchExpressions: + - key: 2AEBOqKWel + operator: É$íĨ鯖 + values: + - "7" + - S6PWc + - key: c9NGgT2 + operator: Dǥž駗驕咜2 + values: + - WFDcdOBg + - 8akPt + - key: v5V + operator: 苯Dzŏ趘Ɏ蹰ƦȃDz俑I^ģ鄔ĥƁ鲎硹. + values: + - Ro + namespaces: + - rrn + - Gko + - D + topologyKey: 5GfcY + weight: 1374611901 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: 9BEvWF + operator: 箁梄òǣf舢ɉ N + - key: DoJZDVpdUKV + operator: '|痤"纇繁Ơ¹Rnl' + values: + - M1FUy7H + - PmETea + - key: fZB9p + operator: 艨ë寨t^ + values: + - 6SbUQEl9IF + - grOZ + - awRdbXsbbO + matchLabelKeys: + - QbnYiVnjIDt + mismatchLabelKeys: + - dzq3fg + - EHB2 + - E + namespaceSelector: + matchExpressions: + - key: C + operator: 泤煇JĀȅs滚硚ƾĐLJɚ<嗢 + values: + - qweN + - cmGvYLL9 + - key: ftTKd17 + operator: ïǸfǛD + values: + - 3Qp + - 97WXhHH + - QLVxS + - key: X + operator: x Ƙš + values: + - X7mWp + - 4YUDIL + matchLabels: + 2pOyqtJ: X5kt + DqZU: lA7g + yydzgHSxH: mX + namespaces: + - PnB + topologyKey: O2bIu + - labelSelector: + matchExpressions: + - key: lR5v3DP + operator: 8ȈDŽG弪żf[j盠zğ? + values: + - oX28u + - fcVl + - l + matchLabels: + D1CEy: o9m2rVKHK1i + q9TAhY: UxxABL + matchLabelKeys: + - gZSueHOl + mismatchLabelKeys: + - yKwrju + - OmHbxfoV + - p + namespaceSelector: + matchExpressions: + - key: y4jen13nM + operator: '}J;ƴȳ鹓ÿ莂ú' + values: + - 4Fe5y + - BrR + - key: O47QYt11Bl + operator: ıCƾ?9Ìx毧Ƿ + values: + - co + - A7y9 + matchLabels: + "8": 7mV4YD + namespaces: + - vi + topologyKey: sRbXgEn +annotations: + lZ: e +automountServiceAccountToken: true +autoscaling: + enabled: true + maxReplicas: 25 + minReplicas: 20 + targetCPUUtilizationPercentage: 460 + targetMemoryUtilizationPercentage: 169 +commonLabels: + q4ZdG9q: IJWaYu9mhun + sFTTcyl: qVyaa0ULC +configmap: + create: true +console: + roleBindings: + - {} + - {} + roles: + - {} +deployment: + create: false +enterprise: + licenseSecretRef: + key: qYIzRhBP + name: lkd8afL +extraEnv: +- name: 6aAK + value: C + valueFrom: + configMapKeyRef: + key: hSSIqC + name: QPNl + optional: true + fieldRef: + apiVersion: LhfAND6hW + fieldPath: g2J7 + resourceFieldRef: + containerName: BDRH4s + divisor: "0" + resource: "" + secretKeyRef: + key: LfIX + name: vI2UB + optional: true +- name: qUw9kXv + value: WEGTagf + valueFrom: + configMapKeyRef: + key: ejuXsJ1 + name: MYu4 + optional: false + fieldRef: + apiVersion: 9PzuPIkT3 + fieldPath: oa8Oe + resourceFieldRef: + containerName: IuMHr6gt9 + divisor: "0" + resource: dazyeM + secretKeyRef: + key: ludRIp + name: 1RhUa7B + optional: false +- name: UIdv4fEDhnwvUs + value: ZhJ + valueFrom: + configMapKeyRef: + key: 9CIrVsxQ + name: bYh + optional: false + fieldRef: + apiVersion: Fv + fieldPath: W3lmjz5mnuz + resourceFieldRef: + divisor: "0" + resource: 8sULBf + secretKeyRef: + key: mjbYsz + name: ZzZ4TUcp + optional: false +extraVolumeMounts: +- mountPath: TpG9eA0 + mountPropagation: "" + name: XFmsoqjlB + readOnly: true + subPath: rJznnSzpn + subPathExpr: kYhNPw7T1 +- mountPath: rhHVxSG + mountPropagation: Ħɔq + name: zucf + readOnly: true + subPath: rhOyK4f + subPathExpr: dxfS2ISRGUw +extraVolumes: +- name: Py +- name: Wq +- name: "N" +fullnameOverride: 59cQ0qKLI +image: + pullPolicy: 賅5尬Ƕktʈ漻`楾Ő抚@瞹%Ř忞崗Y + registry: gAh7r + repository: VvT9aH5 + tag: "" +imagePullSecrets: +- name: 2Ry3vDGf6 +- name: PE5R +- name: uWsoZ +ingress: + annotations: + Q: 3KXvHleq + YUY: BD + mdCRk: Ilk9wDjAw + className: GuB1VTCp + enabled: true + hosts: + - host: WsTbK7W + paths: + - path: MKCR56 + pathType: hEV + - path: "6" + pathType: pv + - path: rNv + pathType: L0CY1c8 + - host: OxFD + - host: Ojx + tls: + - hosts: + - C + - wxjmQWXDn + secretName: ESgom5IBQR +initContainers: + extraInitContainers: AN4 +livenessProbe: + exec: + command: + - 5m + - 1hj + failureThreshold: 1710421008 + grpc: + port: -1758154628 + service: "" + httpGet: + host: AbGz9Ql + path: 6HPb6FQP + port: 1834140801 + initialDelaySeconds: -1805305530 + periodSeconds: 580837556 + successThreshold: 1568498137 + terminationGracePeriodSeconds: 6055624087283515610 + timeoutSeconds: 1393862090 +nameOverride: xknw +nodeSelector: + "": O +podAnnotations: + IserdW: Y8zC + rKlqh6W: s9dR +podLabels: + 7yc3n: Cmh + bASmPL: XHGF + e1: s0B +podSecurityContext: + fsGroup: -6352604564338413284 + fsGroupChangePolicy: ¥ɬ屛ɀ裕量7ȅLJI/煿I庮\LÌ0 + runAsGroup: -629752081807497066 + runAsNonRoot: false + runAsUser: -7150506011583335552 + supplementalGroups: + - -2079681094590514497 + - 4310353567816636623 + sysctls: + - name: "" + value: 6bg1 + - name: v54yJPXG + value: BNnF0A + - name: DU + value: J +priorityClassName: mFg +readinessProbe: + exec: + command: + - 1A7AuNqZgrO + - 0Dv9uT + - mi + failureThreshold: -1374895470 + grpc: + port: -974870340 + service: rLr6 + httpGet: + host: ZjH9W0Mw2N7wDlEl + path: A1mi + port: VL + scheme: '''Z悁Ţ瘿ª簳Ʀx.ʞ鳃峚5ƫw牑諥ǁ' + initialDelaySeconds: -1507178072 + periodSeconds: 59289443 + successThreshold: 873349641 + terminationGracePeriodSeconds: 3372950661886875571 + timeoutSeconds: -77680726 +replicaCount: 424 +resources: {} +secret: + create: false + enterprise: + licenseSecretRef: + key: 8NBr7XfH + name: UG4to + kafka: + awsMskIamSecretKey: iq3sT9 + protobufGitBasicAuthPassword: TmKaYoY + saslPassword: 41jeqaQ + schemaRegistryPassword: lo1 + schemaRegistryTlsCa: 6ugJXi + schemaRegistryTlsCert: Dfxzy + schemaRegistryTlsKey: s6Wq0 + tlsCa: xiXLxgIB1uY + tlsCert: BoJ + tlsPassphrase: ERo + login: + github: + clientSecret: 6FsPPUCqFaQN9Z + personalAccessToken: mQjpC + google: + clientSecret: zEoO + groupsServiceAccount: sJYwU + jwtSecret: nN8l8K5 + oidc: + clientSecret: t + okta: + clientSecret: uW9S + directoryApiToken: UF7 + redpanda: + adminApi: + password: hkp2 + tlsCa: Hv + tlsCert: YIT6XYEg + tlsKey: gVxUg +secretMounts: +- defaultMode: 217 + name: 84iLClLVXmt + path: z5a16ev9 + secretName: DBNf +securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - Ò4^|wƙJ3ɀªʭ÷齹æc8ǺơG + drop: + - 罩Ɵ + - 凘~蹆縇W偓Ȓ鵇膓咰ɲ俹îS泑 + privileged: true + procMount: 'č #m繰:¿ċY3扙缗_MǮJw' + readOnlyRootFilesystem: true + runAsGroup: -3419647664540135091 + runAsNonRoot: true + runAsUser: -7389132079103631330 +service: + nodePort: 398 + port: 112 + targetPort: 375 + type: N9chrF +serviceAccount: + annotations: + 4Fkdkgg: xGzY0KvisI + WBAEgggZ: v + sCN: cru + automountServiceAccountToken: true + create: false + name: REj +strategy: + rollingUpdate: {} + type: rÂ秘鲊ơ煥ËI5ɠv蜺 +tests: + enabled: true +tolerations: +- effect: Ɍ + key: P5n9NT + operator: hKW塀Bʊ祆aTɋw + tolerationSeconds: 4112555560826291604 + value: WHYsAK +- effect: Ŵ夀D朩儿 + key: QW09kcw + operator: K嗂ɩ + tolerationSeconds: 1977367920031301876 + value: FxI4 +- effect: 虻~ƤɟŪm繒敏嗕?ʅ着é殮领 + key: nkzGJU9 + operator: M鏫ɮ噀屗pq)ɋɎN + tolerationSeconds: 1704904114127412585 + value: AgyEeU +-- case-032 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: {} + weight: 735732238 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: cFkyLM + operator: 岊B + - key: V3cKSq + operator: ǟ濈1ɑÎ"孲ȀŨFhŲ + values: + - hz + - matchExpressions: + - key: 8N + operator: 9´敤T + values: + - amWROpS + matchFields: + - key: 7hmWbsKS + operator: "" + values: + - lS + - slkOyX + - YlwPcdVh + - matchExpressions: + - key: n5YD + operator: Əüʢ軾ŚũɳnŒ + values: + - 5s4eD6x + - WMkZIzS40rxp + - zCnW + - key: JawyIOLo + operator: 巳c習Gnƛ{ɩ¯Ĭ枺lȜʩ泿趏ǙĊi + values: + - Fvzyw13fUZC + - 4w9T3GeG + - mVj9N + matchFields: + - key: 4amyTWvhx + operator: Ąŵ8雌%ɸ*W褒卒S + values: + - cPr0Nm2WFo1dBq + - a + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: XgsMMBS + operator: ȗ諹 + values: + - foI + - NN1yiUNR + matchLabels: + Qq: VB19aUlI + mismatchLabelKeys: + - hcD + namespaceSelector: + matchLabels: + vMT90cNq3PYf2z: upe + topologyKey: RSVn9W + weight: 603398420 + - podAffinityTerm: + labelSelector: {} + mismatchLabelKeys: + - 4IL0rEe9 + - yY0RMU2 + namespaceSelector: + matchExpressions: + - key: tIka9jS + operator: 7怘xə4ÏɦW + values: + - l + - ajs6c + - hkYj + - key: Qu + operator: ʊ鏀ɑ蒀刹gE + values: + - 2UvY + - hRB1wKXyHi9 + topologyKey: ZKWyn5kI + weight: -1674108352 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: KQfZ4 + operator: ġȁAu盝ȭƈŦ齬{z + values: + - itNS0T + - jL + - key: q0HemjU + operator: e銳ȇ葁õDÏ筃 + values: + - M5yeE + - gJJY + - HInHzXgX + - key: d1LKZ1 + operator: Q + matchLabels: + XElv: QGJ + nD: kNCk5qe + wUtw34v: sCjj5z + matchLabelKeys: + - ej9hOPjp7W + mismatchLabelKeys: + - lhU9gP + - T7rMlvu + namespaceSelector: {} + namespaces: + - ii3aa + topologyKey: 8U7 + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: CkQsu4fS + operator: 鄦&ɲȅ + values: + - RVnwZ + - EVk + - key: yt + operator: 傓N嬅宠H^÷ + values: + - 1L + - rVQPs + - dUHOKQ + - key: hQ1Tl + operator: ɣë筁尻!絜辩^riʨ莠8dƋ + values: + - 4D6Y + - 5TXh + - 8RH + matchLabels: + "9": jb2X + IdL: PQj0N + iB09Upiijt: JpN + matchLabelKeys: + - rKS9p8 + - sK8p + namespaceSelector: + matchExpressions: + - key: KQ6 + operator: '篛I6ÝBŘ F媍/:' + values: + - NXP47Fm + - Z0Qh2Y4 + - JeWX + - key: Yh + operator: '!j3W' + values: + - mTm5dkO58H + - "" + - key: 6q + operator: 景¨Sŝvo/ + values: + - TrgtrP + - zqIsId + matchLabels: + 7E3A1K: "7" + 63IlVL: aSxc + W1hP: 1H9k3O + namespaces: + - "" + - 2Ma + topologyKey: FFqt + - labelSelector: + matchLabels: + "": wklJJ + C8JZ: LP + U1pz: kAE1l4 + matchLabelKeys: + - shj5V + - oU074y + - Ufq2w + mismatchLabelKeys: + - oBzMiOSgd + - iSF + namespaceSelector: + matchExpressions: + - key: fCbLu + operator: 塊衅m鑀ȣ戢ŭ阻蹯ȟ獇ɨ + values: + - B6TgQ75 + - FAHTEOSesQ + - Ms2Kw7XQ + - key: 133fMqId + operator: "" + values: + - pJc0Zu8 + - T1PEuV0uism + matchLabels: + 1rfPa2b4Ny: cemR + Np9l: lcX + SjNYy4: VZX + namespaces: + - 7W + - umFBWrpUDHv + - "" + topologyKey: pPUIqPXo +annotations: + xpNWT: MpOZ +automountServiceAccountToken: true +autoscaling: + enabled: true + maxReplicas: 459 + minReplicas: 198 + targetCPUUtilizationPercentage: 497 + targetMemoryUtilizationPercentage: 146 +commonLabels: + B19ue: 8W + Kxm5R1: R + e3Cx: MIAO +configmap: + create: true +console: + roleBindings: + - K8wnWSD: null + bwYE7: null + y4j: null + - GvFfKdgL: null + enU8G4: null + wvnJcOn: null + - td7: null + roles: + - YQBucbbDX2R: null + - 2UuDKjR: null + IV0Yus9: null + ci20SljQkhw: null +deployment: + create: true +enterprise: + licenseSecretRef: + key: bujGpO7D0C + name: V +extraContainers: +- args: + - T + - Pvf1yAamEa + - jQE8UakuY + env: + - name: 3g + value: JexRP + valueFrom: + configMapKeyRef: + key: QZ + name: QcC + optional: true + fieldRef: + apiVersion: Iv + fieldPath: d7xQ + resourceFieldRef: + containerName: jLpJ + divisor: "0" + resource: m + secretKeyRef: + key: Quhh + name: HUhzPAEo85 + optional: true + - name: ehSBff + value: nHu + valueFrom: + configMapKeyRef: + key: v3Icanu + name: dNPJ8 + optional: false + fieldRef: + apiVersion: xO7UQDq0 + fieldPath: gAyGB6Nj4 + resourceFieldRef: + containerName: Bs2D + divisor: "0" + resource: xJCQsH + secretKeyRef: + key: 3T6tjIQWa0C + name: 8TvRbhP + optional: false + envFrom: + - configMapRef: + name: mf + optional: false + prefix: pZxp + secretRef: + name: v + optional: true + - configMapRef: + name: wosjc9 + optional: true + prefix: ehhmFeLY + secretRef: + name: Ll + optional: false + image: kZ8UUm + imagePullPolicy: Ɓ + lifecycle: + postStart: + exec: {} + httpGet: + host: K29SzZPo + path: y2bQL8 + port: Cr + scheme: 轂Ì蕏ʋ + sleep: + seconds: -3765902632580054640 + preStop: + exec: + command: + - 1pT5X + httpGet: + host: NouEQF + path: WITzSW + port: 1565482371 + scheme: ƒ塒廛鎐藽瀫 + sleep: + seconds: 1831382645860081979 + livenessProbe: + exec: {} + failureThreshold: -1525719681 + grpc: + port: 99688681 + service: xa0sl3k5KM + httpGet: + host: prjHPqf + path: RHwZIE + port: 2UZ7hXI + scheme: 瑀ċ廤ȵ + initialDelaySeconds: -1367665605 + periodSeconds: -1023789296 + successThreshold: 206844073 + terminationGracePeriodSeconds: -3901072071078889022 + timeoutSeconds: 1670691424 + name: t + ports: + - containerPort: 2046398071 + hostIP: pJg + hostPort: -1247541550 + name: DrYeHQ6 + protocol: ²ȑBŸ + readinessProbe: + exec: {} + failureThreshold: 852505381 + grpc: + port: 8093048 + service: "N" + httpGet: + host: uuaPC + path: Mpxk6p + port: -297149767 + scheme: 這伦礗鯪àe]雚腴k£ɂ闧ɦĚH鏰浳 + initialDelaySeconds: 296244720 + periodSeconds: 1237321103 + successThreshold: 722306410 + terminationGracePeriodSeconds: 7739978307238029730 + timeoutSeconds: -2129506856 + resizePolicy: + - resourceName: NBfNOBC + restartPolicy: ƞdWǝi鎠R殩杜Ś晚尒尧ǐ; + - resourceName: oDw8xEb + restartPolicy: ja侬ƕ + resources: + limits: + BJcVkW: "0" + Ub5Spt: "0" + nWi63TNlCyM: "0" + requests: + e5vcw0H: "0" + eKz0z: "0" + gK: "0" + restartPolicy: 嗈ǒɟNǭ臥穥Ť + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - $拷霒Ø耖} + - ijĸN藬?w粯痵餒薃辕5勅ů + - 幒Ƹʁòĺǂ浼GX + drop: + - 宖 + privileged: true + procMount: 凝 + readOnlyRootFilesystem: false + runAsGroup: -7000080292188880782 + runAsNonRoot: false + runAsUser: 9107304642056618949 + startupProbe: + exec: {} + failureThreshold: -208121509 + grpc: + port: 133215347 + service: pj4Kw + httpGet: + path: hGLW3 + port: -239286046 + scheme: YsÌǮŦʁ¡ē峪3 + initialDelaySeconds: -817672524 + periodSeconds: 1846655614 + successThreshold: -243958761 + terminationGracePeriodSeconds: 4190490525804645179 + timeoutSeconds: -973067987 + terminationMessagePath: 9vMe3Y + terminationMessagePolicy: 雍Wȯ嘷台厃$Țʍ13b霞两e + tty: true + volumeMounts: + - mountPath: yZbL + mountPropagation: 鲫絎Q(銞ÎÕX堙Ľ銃曅注t锋ɮj覧« + name: UFfAqsgd + subPath: wSo + subPathExpr: bIsBP3O + workingDir: DYBcINRq +- command: + - wgBryFN + image: NorbK + imagePullPolicy: 鉓Ĕʠ;兮)Frë + lifecycle: + postStart: + exec: {} + httpGet: + host: Z + path: 3v + port: W1vDkt + scheme: ŷ索gp=ŵāǼ餆嬦Ƹl媓R}豟ɠĖ. + sleep: + seconds: 1583583004300077159 + preStop: + exec: + command: + - XztEol6So + - GveA + - H4aUl + httpGet: + host: 75LDW + path: nu + port: I + scheme: 胛Uȁ¬ + sleep: + seconds: 4617693270470586770 + livenessProbe: + exec: {} + failureThreshold: 1423393786 + grpc: + port: 2097410769 + service: "" + httpGet: + host: W7 + path: PyPprD6 + port: dHwCyz + initialDelaySeconds: -1439644816 + periodSeconds: 182024489 + successThreshold: -1861505070 + terminationGracePeriodSeconds: -4166230023615503394 + timeoutSeconds: -704907360 + name: sFz5 + ports: + - containerPort: 1977465061 + hostIP: kxqRig + hostPort: 393211643 + name: DRO + protocol: ķǔȈ + readinessProbe: + exec: + command: + - mn + - 4TZCjrWPW18 + failureThreshold: 972699487 + grpc: + port: -1384519737 + service: IY5quWWV4JC + httpGet: + host: wq91i + path: Zy + port: -1192576969 + scheme: Á^_ + initialDelaySeconds: 2107832874 + periodSeconds: 1041520026 + successThreshold: -118135340 + terminationGracePeriodSeconds: -4946782594204672541 + timeoutSeconds: -1933961678 + resizePolicy: + - resourceName: MG7PMkMMObJJU + restartPolicy: §觫困Ȏ龝ƃȃɩ芴ÎĽ + resources: + requests: + I4: "0" + zLy: "0" + restartPolicy: 粛醑綇蝙Ɣò犁鶓A + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - 掀ǃA颺LnFąɏ動 + drop: + - 输6sĺ宯hĢ + - ĨƨO檔暰z + - Neɬ慿Ȁ0ɳ蠈ǚǦO¸Ğ崔ʂ¢剚 + privileged: false + procMount: 翄怉DžǬ?胉獄ǙƊɚx虉F + readOnlyRootFilesystem: false + runAsGroup: -1943526545280953812 + runAsNonRoot: true + runAsUser: -7089742793545456579 + startupProbe: + exec: + command: + - hDj + - ONyz91fkTFY9t3 + - ynDWkO + failureThreshold: -5561223 + grpc: + port: -1069825885 + service: oQmy + httpGet: + path: l4sWc + port: 53AhP + scheme: ȩ + initialDelaySeconds: -6165070 + periodSeconds: 1844899228 + successThreshold: 903779261 + terminationGracePeriodSeconds: -3909221818854749789 + timeoutSeconds: 746670574 + stdinOnce: true + terminationMessagePath: egr00cLki + terminationMessagePolicy: ɯ2鰌^坪yN蠏Ĵ + tty: true + volumeMounts: + - mountPath: YOyu1MjxN2 + mountPropagation: :鸛o鮓L`<]ơ1b忙n鲃{< + name: dODfVz + subPath: ZknFq + subPathExpr: oX1n + - mountPath: 4TEsoc + mountPropagation: 帺Õ斯剅ƫf鳌麓HƸŘÂ瘖?謾軌 + name: hau + subPath: w24Wq4e + subPathExpr: i2TEix + - mountPath: uuujj + mountPropagation: 氻ʃ2NFJ啼铗"O{À-ŧLJ弟 + name: klnXhhnxKk + subPath: SEx + subPathExpr: CK2FmmyYThL + workingDir: NCvZAa +extraEnvFrom: +- configMapRef: + name: nJXDn + optional: true + prefix: g3ZpAEUJC + secretRef: + name: 5Yin + optional: true +- configMapRef: + name: spYG9o0 + optional: false + prefix: Wv01 + secretRef: + name: BxDbe + optional: true +extraVolumes: +- name: 1zZI6J +- name: D +- name: OUqOnvjvba +fullnameOverride: llK4G +image: + pullPolicy: "" + registry: mU + repository: xY76Tj + tag: AgKh6S1 +ingress: + annotations: + Lhm: f24CRNEJvs + pk6fq: "2" + className: EXqR + enabled: true + tls: + - hosts: + - xEciJGskt + - pBxfBltrqACoat + - INyj + secretName: Qy + - hosts: + - F6sf + - EHuJ + - 95my0 + secretName: XOIr +initContainers: + extraInitContainers: nNSsTt6 +livenessProbe: + exec: + command: + - poXliUr + - PT + failureThreshold: 1396135036 + grpc: + port: -224883306 + service: 3pE97 + httpGet: + host: aUivZn75m + path: ELvTnGaV + port: uLGz4AgHb + scheme: ʟ#ĭ輑槳桓ȡȰ-o廕óʒÉ帇ʗ + initialDelaySeconds: 1526591550 + periodSeconds: -972224922 + successThreshold: -39437670 + terminationGracePeriodSeconds: 2216517890191965292 + timeoutSeconds: -1229662908 +nameOverride: wB +nodeSelector: + ih: xT3Dk3PXT + xhq: vu + zLR9: wFjrfu +podLabels: + So: waKMMvnY + VXPE0: 8ExVsj + ip1RGEzt4t6: "1" +podSecurityContext: + fsGroup: 7101468120327600630 + fsGroupChangePolicy: ȴ鳁ƨ殳h`熡ƍʊ0ŀ擳琗图.AƱX滋 + runAsGroup: 4262945102741076844 + runAsNonRoot: false + runAsUser: -9214274730002703336 + supplementalGroups: + - 4135587743067906306 + - -2908166639165702539 + sysctls: + - name: Yo9 + value: zak2 +priorityClassName: WeB9y8 +readinessProbe: + exec: {} + failureThreshold: 1061708880 + grpc: + port: 241985990 + service: 4id9HdK + httpGet: + host: PcSuBI + path: X5YjgFI2n + port: -1395013021 + scheme: Ȁ/ŚDŽR²庭$ê-d蟄Ä + initialDelaySeconds: 1618839364 + periodSeconds: -2098998213 + successThreshold: -846859522 + terminationGracePeriodSeconds: -4028618433241851907 + timeoutSeconds: 1824930679 +replicaCount: 371 +resources: {} +secret: + create: false + enterprise: + licenseSecretRef: + key: "" + name: be + kafka: + awsMskIamSecretKey: fs + protobufGitBasicAuthPassword: pUSXv + saslPassword: 1tdj + schemaRegistryPassword: iEgQQMH + schemaRegistryTlsCa: TlBV301 + schemaRegistryTlsCert: fRDnVgKC + schemaRegistryTlsKey: 0yblU + tlsCa: 4tIzJcND + tlsCert: NLnN + tlsPassphrase: iI + login: + github: + clientSecret: WHD + personalAccessToken: 9B7Wu + google: + clientSecret: UZnD3r + groupsServiceAccount: 9b + jwtSecret: cdvBine + oidc: + clientSecret: rQyq1alKY + okta: + clientSecret: ED1 + directoryApiToken: p + redpanda: + adminApi: + password: CWqwAXxFtl + tlsCa: gDQRbrAC8l + tlsCert: EDjU6 + tlsKey: Zm +securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - 退晦Ţ鲛 + - '}ʄ攏嫫;Mǐ豒ɇf,搅Ð貑ș|Óf' + privileged: false + procMount: D + readOnlyRootFilesystem: false + runAsGroup: 1564095685271138849 + runAsNonRoot: true + runAsUser: -3929576237300142573 +service: + nodePort: 312 + port: 418 + targetPort: 486 + type: aaIqePq +serviceAccount: + annotations: + QHMG: ur9Qr + ZQRGr8gxPSL: BzNE1Ja0avq + yKwL8DJSG: SRC + automountServiceAccountToken: false + create: false + name: zpH +strategy: + rollingUpdate: {} + type: ȁ进辫fu +tests: + enabled: true +-- case-033 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchFields: + - key: 1O + operator: 拺5ř(Ƅ餕ʟ{鐻Ƈ + weight: -2070567569 + - preference: + matchFields: + - key: JlGR + operator: 脱?ĶA蛜頒ǽGǷ藸 , + values: + - 8zZEVom + - TY + - FSSQQ + - key: w3C + operator: sɯeM^筘褑 + values: + - Q + - i48uKb + weight: -1969968900 + - preference: + matchExpressions: + - key: ZsgVr + operator: Eȗ + - key: RfMZL + operator: "" + - key: r + operator: džɬ毿鵮V町iAÉ橁zy题ʔu7ÆO9 + values: + - uj8h + matchFields: + - key: "" + operator: :止褮Ȃ宸 + values: + - 9h + - Do + weight: 1160212382 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: nmW + operator: '%U<Ȫk7家fƥ降]:' + values: + - e4hDXWb9G8Qi + - SynNDfUn + - C8kz + matchFields: + - key: QO0Q + operator: l!m0ʒbƹ豫ň + values: + - eh + - key: VE5mZtP + operator: ~x蹵#ÂvǗRɩ啭Ö澭肞¤7跜庛Ɍ + values: + - yT + - key: 1Cony + operator: 阃 + values: + - ahj6j + - matchExpressions: + - key: TvhlZutK + operator: 5叹ùz + values: + - rog + - key: qLPNTFw8 + operator: 藘鸘Œé溇ʄsoɷƱǺȾ蹾K混īl軇 + - key: F + operator: 則Yǹ郰饉貓伜ſ0|麊 az襽准 + matchFields: + - key: VcfFwmb + operator: WJMU狰槃žiǶq挿} + values: + - b7G + - "" + - wzxeij27DD + - key: "" + operator: 殀ǥ + values: + - "9" + - 0E3EkrfSX + - vzth + - key: omoz + operator: e´Ģ桇适TŽǤʈ + values: + - TVj0W7 + - 7HjUt2w + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: nN1614M7 + operator: '鰺/堅ý髉铊ɇƴ2友凇3 ' + values: + - D0tt + - sG9E + matchLabelKeys: + - l + mismatchLabelKeys: + - vqTKCL2D + namespaceSelector: + matchLabels: + LIgB: qqC9YL + namespaces: + - BLdVDzfY + - eq + - qB + topologyKey: qwces + weight: 899210618 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: hIz8wo + operator: ĥ\{ė + values: + - ZwYh1 + - 4l9U + - Q5Io + - key: sd3eCUDob + operator: 蒴ǚ<灁Q柷娸颂嘃üĸƢı + values: + - U0 + - "" + - WXJjoBRKrfEY + matchLabels: + QSrEl7t0: hxsiSGCubb + mismatchLabelKeys: + - PiUy + - VhBWFCyx6C + namespaceSelector: + matchLabels: + G: 07tU6 + ZCO1QQK: b + uq: HISLIo9ZC + topologyKey: 87eQuI + weight: 1750437304 + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: nK0RSDE + operator: R(陛m诜ȯơȴ豨躻 + matchLabels: + CE9: u8FukDT + U5N: "y" + matchLabelKeys: + - 5I6wiiY + - JDZsP + - zGyW + mismatchLabelKeys: + - 4WZHZ + namespaceSelector: + matchExpressions: + - key: N9E9 + operator: ȅ)礯占鷨ʫɩfǡnʎə掅Ux曶HŁ遐 + values: + - JdC + - 3NS25HFHxU + - key: "" + operator: ı獗& + - key: q + operator: 髢£Ȋ泽ZwVfc剻Ţ嬊j + topologyKey: "" + - labelSelector: + matchExpressions: + - key: Tof0 + operator: ĥM:ɑȏF叆綯炩藁û漄f + values: + - jTpj + - gYZ8IIq + - key: avL + operator: ɼƌ壟.敾¦ + matchLabels: + P1w: Nb9t3e + matchLabelKeys: + - TkIx94Dmu + - 8KVE + - UEJW + namespaceSelector: + matchExpressions: + - key: gQOOR5Pz + operator: Ȁ蛝畆粔辧殤,ǔžɨʜ + values: + - MiGt + topologyKey: nn1x + - labelSelector: + matchExpressions: + - key: C + operator: 瘎%瑧¹$兤 + values: + - p5TR + matchLabels: + c9PNRTZ: L + matchLabelKeys: + - 9xrNO + - saFgUzTD530EV + namespaceSelector: + matchExpressions: + - key: "" + operator: 琨j貙ŰĤ煾骣ƢƐ肾Q`ĥ?舶 + values: + - "7" + - T4pSI + - key: u0lbHcT + operator: čÉ壶霻*ǻ蠦Źê潡%!Ȱʁr.ň沀痊 + values: + - voUu0X + namespaces: + - tX + - uDgtoDt + topologyKey: "1" +automountServiceAccountToken: true +autoscaling: + enabled: false + maxReplicas: 264 + minReplicas: 267 + targetCPUUtilizationPercentage: 341 + targetMemoryUtilizationPercentage: 404 +commonLabels: + gZ85uw3T: e + qO: F4dqLo67vKYZ +configmap: + create: true +console: + roleBindings: + - 7x: null + Ia1K2tdRuYi: null + j6c9: null + roles: + - {} + - 6Vndf: null + f: null +deployment: + create: true +enterprise: + licenseSecretRef: + key: 9y6KmPZ + name: QM +extraContainers: +- args: + - 3OUsoZkVHy + - Gn3 + command: + - NLtY + env: + - name: 51Xcm68sAs + value: PUTq + valueFrom: + configMapKeyRef: + key: udLx6h9 + name: wSgnPbc + optional: false + fieldRef: + apiVersion: oVPbc + fieldPath: CGK + resourceFieldRef: + containerName: Ind7j + divisor: "0" + resource: 9tlZc + secretKeyRef: + key: z2i + name: aloI0W + optional: true + - name: nGb + value: I91 + valueFrom: + configMapKeyRef: + key: Ft8IZO4DX + name: 7PY9CO1 + optional: false + fieldRef: + apiVersion: DysSUO + fieldPath: M + resourceFieldRef: + containerName: i + divisor: "0" + resource: mbVAnrQ + secretKeyRef: + key: ZVD + name: 4gLX + optional: true + - name: SEd7KC2 + value: I0 + valueFrom: + configMapKeyRef: + key: 71k + name: B + optional: true + fieldRef: + apiVersion: vJE + fieldPath: nvSzEcQ + resourceFieldRef: + divisor: "0" + resource: fYaXGkFYlrz + secretKeyRef: + key: xDT4Uhi + name: a + optional: false + image: NLoqH + imagePullPolicy: U肵銨龋搁}ŗ=;ī篱ɺ頁掆薑 + lifecycle: + postStart: + exec: + command: + - NAmBp8Ijy9vgKS + httpGet: + path: GukCZ + port: umdXEe + scheme: ɭL莒ƠĦZ¢.0tȠȴF梩¯牏GȐ + sleep: + seconds: 2463489515348869616 + preStop: + exec: + command: + - RAP7lxh + - 0WRf37xLvaEE + httpGet: + host: Xi + port: 395093084 + scheme: '}Ä*諓懚泾ıɥ磀>ȃÓ愍瘞5' + sleep: + seconds: -2989387296528249021 + livenessProbe: + exec: + command: + - AondI + - CvX + - X9Dwm + failureThreshold: -1669443788 + grpc: + port: 1602861347 + service: 5dF71q + httpGet: + host: yOYLS + path: m99M + port: 1421693426 + scheme: cǶ嫙x勬´筮 + initialDelaySeconds: -348887387 + periodSeconds: -855526929 + successThreshold: -1868658835 + terminationGracePeriodSeconds: 7220662525875543964 + timeoutSeconds: -893266456 + name: 62y7 + ports: + - containerPort: 41082986 + hostIP: H + hostPort: -671022955 + name: Q + protocol: Ģ + - containerPort: -676585553 + hostIP: jdTqIIXMX + hostPort: 441858691 + name: bam + protocol: ã鯑 + readinessProbe: + exec: {} + failureThreshold: -1607827734 + grpc: + port: -732628448 + service: d + httpGet: + host: q2uSglvPX + path: 5YB9kNfy37 + port: -425352890 + scheme: ZʇįʔÌ玫Ʊ儝$緀ƥǣ鮀 + initialDelaySeconds: 1646541382 + periodSeconds: 597275764 + successThreshold: 1444783765 + terminationGracePeriodSeconds: -4224719974242331571 + timeoutSeconds: 1778484407 + resizePolicy: + - resourceName: YWwAdc + restartPolicy: 蓊ƽqs洊蛀Ƴ澠誉 + resources: + limits: + 9c5: "0" + DJI: "0" + uyw: "0" + requests: + 7livK1: "0" + PWZFD5fFpVA: "0" + restartPolicy: ǐ踊丸y苡汎0塛yM眗酊L攚dzyÚmG + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - țƒ摨1娣Q札遢ʌā4魯 + drop: + - W~ + - ȮnLv|麬O稕Ʉ幖0Ţ&揵¸ + - àPĪɉɯ鋹芨ȲƿƛĞx + privileged: false + procMount: ɉq$|ŀ蘨寱彣ɎȈORe]O掓I + readOnlyRootFilesystem: false + runAsGroup: -2438856757446632999 + runAsNonRoot: false + runAsUser: -8511671649189408390 + startupProbe: + exec: + command: + - "" + failureThreshold: 157629836 + grpc: + port: -20533111 + service: vASy4b + httpGet: + host: 94HpH + path: t70 + port: W59mpID + scheme: ħ6琏 + initialDelaySeconds: -146258274 + periodSeconds: 47385732 + successThreshold: -1646222325 + terminationGracePeriodSeconds: -5575789846018254584 + timeoutSeconds: -351943504 + terminationMessagePath: r0ZY2 + terminationMessagePolicy: 傂G嶃a橢抴=Ȃĺ庆ɏ鬹揖絴鹥ɣ¸Ȫs + tty: true + workingDir: XFFilzd +- command: + - VSuU6yfyc8y + - gLgP + env: + - name: PSOr4 + value: m2ujo1f4 + valueFrom: + configMapKeyRef: + key: B9Gc + name: BaR3c + optional: true + fieldRef: + apiVersion: OFu + fieldPath: Pydi + resourceFieldRef: + containerName: jPiF + divisor: "0" + resource: jyp8A7uPD + secretKeyRef: + key: fcGCM + name: Hs + optional: false + - name: Ax9HfRa4p + value: S3R2 + valueFrom: + configMapKeyRef: + key: ZDzzhFD + name: soDgOej + optional: false + fieldRef: + apiVersion: iSfQ + fieldPath: Plzxy53z + resourceFieldRef: + containerName: DfBt3S + divisor: "0" + resource: 757s44h + secretKeyRef: + key: bn2IGjj + name: x8E + optional: false + - name: r + value: PmO + valueFrom: + configMapKeyRef: + key: Htzib1 + name: gfbsiTcDY + optional: true + fieldRef: + apiVersion: Frhab7p2yh + fieldPath: K6XKg + resourceFieldRef: + containerName: CLX + divisor: "0" + resource: cq + secretKeyRef: + key: R + name: zPHkUHXQ + optional: false + image: bSZCow + lifecycle: + postStart: + exec: + command: + - "y" + httpGet: + host: 2cDO + path: L5m + port: yhJI + sleep: + seconds: 6222265361848815058 + preStop: + exec: + command: + - yVT + httpGet: + host: Ibt0C5XF + path: Kf7kW1 + port: Tlj66QW + scheme: 砰僮 + sleep: + seconds: 4926532563180301873 + livenessProbe: + exec: {} + failureThreshold: 982752870 + grpc: + port: -257993986 + service: XKTDj + httpGet: + host: 7vfaAybCd + path: GuTTi + port: 1952486193 + scheme: 馾耼qȩ罔磙ɮƥŴ²叇yēņȮ藺 + initialDelaySeconds: -817095459 + periodSeconds: 603211453 + successThreshold: -1693358568 + terminationGracePeriodSeconds: 3002071779676478929 + timeoutSeconds: 992801771 + name: 9QZX + ports: + - containerPort: -1838828544 + hostIP: cQQMftB + hostPort: -321659395 + name: XBD7a + protocol: '>V>ŝO随;YƁ' + - containerPort: -439290918 + hostIP: Bp0lf + hostPort: 431013681 + name: WQ5qc + protocol: 髄Ĝ估螗ȳ鎷ʫh + readinessProbe: + exec: + command: + - PjwAB3G + - k + failureThreshold: -2015478850 + grpc: + port: 156976837 + service: RSgDfH + httpGet: + host: Yi7aQ + path: 8Ql9 + port: 1150587533 + scheme: C箿i綔ȍȢ ŅŴ娒燸孆5乬瓤Ɛ + initialDelaySeconds: -486757233 + periodSeconds: -994300453 + successThreshold: 2128356439 + terminationGracePeriodSeconds: 4683705418302064343 + timeoutSeconds: 1635565784 + resizePolicy: + - resourceName: deutsepb + restartPolicy: õ崑o¾oɞø°ŮƑ欩Ʋ + - resourceName: WaO + restartPolicy: ±蜊ư蕭材y昍U + resources: + limits: + XiOokB: "0" + gxJ8zn4y: "0" + requests: + "": "0" + RFaH: "0" + restartPolicy: 7岻ðȸɉo熮燍ȉ=n + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - 迠譚綞撪颫,ʖʃ佞诌Ŧ丞śɧ璯PʥT + privileged: false + procMount: 荞£DS + readOnlyRootFilesystem: true + runAsGroup: 6728166770219183734 + runAsNonRoot: true + runAsUser: 2918288689668335051 + startupProbe: + exec: + command: + - o + failureThreshold: -949081542 + grpc: + port: 220928812 + service: EIuHGNT4 + httpGet: + host: 21BmFcJ50ov + path: WC7WP + port: njQtxPF + scheme: 鲰ʌȱ卹烛橇淃ō雀)缅tb憅棔JǓ*ɒ + initialDelaySeconds: 1631334347 + periodSeconds: -785602818 + successThreshold: -1111896125 + terminationGracePeriodSeconds: -8014749222013301241 + timeoutSeconds: 795835881 + stdinOnce: true + terminationMessagePath: m08AZSt + terminationMessagePolicy: 盛P1砦ǚ瀱#Ʌ穇嘜\Ɍ + volumeDevices: + - devicePath: NdQPZme + name: uHcdGnKv + volumeMounts: + - mountPath: IX + mountPropagation: diȔiN6ļɃƐ釭卬O + name: fPg + subPath: iY + subPathExpr: U + - mountPath: E + mountPropagation: 1ĵ氓ŝ瘛o扬=[蟗 + name: xt + readOnly: true + subPath: 2KRhR + subPathExpr: Vm0HMwn + workingDir: jusEo +- args: + - Ejt + - DYgNM8X + env: + - name: HkwQ + value: fpHbv + valueFrom: + configMapKeyRef: + key: 3e + name: Q + optional: true + fieldRef: + apiVersion: lh + fieldPath: "" + resourceFieldRef: + containerName: E1uEhn3 + divisor: "0" + resource: 0Pa + secretKeyRef: + key: co85cv7H + name: KL1I3G + optional: false + - name: 5MQMJhqUni + value: 34PEKwUkR + valueFrom: + configMapKeyRef: + key: ABhM + name: qq5b + optional: false + fieldRef: + apiVersion: vCLN + fieldPath: tge3Z + resourceFieldRef: + containerName: ST + divisor: "0" + resource: qFS8 + secretKeyRef: + key: Am + name: BLI353a5GI + optional: false + envFrom: + - configMapRef: + name: KBum1 + optional: false + prefix: 56g + secretRef: + name: zt5 + optional: true + image: XgUFG + imagePullPolicy: 锄ģnj[眈例ƚ淍ƁĐ~ + lifecycle: + postStart: + exec: {} + httpGet: + host: Yp7F87b + path: "y" + port: OtElY + scheme: ǐʮŕ + sleep: + seconds: 640752187186511134 + preStop: + exec: + command: + - 4GYkI2pQ + - QB + httpGet: + host: DFjlmWGAFM + path: qLfFaRePdtA + port: GTUH4 + scheme: 罛&ĥ顱Ƌ + sleep: + seconds: -1289822532228205848 + livenessProbe: + exec: + command: + - youyR + - J + - IiK3AJ + failureThreshold: 527043957 + grpc: + port: -1790391516 + service: wFKNeu + httpGet: + host: TjItsuCL + path: Lo07CoiEpmJ + port: 1449812891 + scheme: 聗œdz_x忔8 + initialDelaySeconds: -923296146 + periodSeconds: -920279093 + successThreshold: 1372003156 + terminationGracePeriodSeconds: 4545671926845562588 + timeoutSeconds: -1730135112 + name: ouxZOTiA7 + ports: + - containerPort: 365499724 + hostIP: c3z3 + hostPort: -1622732613 + name: jfpQ + protocol: 鬍匤<ɔɟǜ鼴`ʃ荞ɗ线亮Ô¼ + - containerPort: 387750436 + hostIP: 7OF + hostPort: -922470687 + name: 20ZoNWnefc + - containerPort: -1003650010 + hostIP: yK31 + hostPort: -479225666 + name: 1Up + protocol: 郣-齡^c艃7ɑU牌驀墭:煞 + readinessProbe: + exec: {} + failureThreshold: -189409295 + grpc: + port: -880806937 + service: N1zEO + httpGet: + host: vN9 + path: n8TKqPF + port: -995680865 + initialDelaySeconds: -2090855365 + periodSeconds: 1849358636 + successThreshold: 811072097 + terminationGracePeriodSeconds: -5833095732594202880 + timeoutSeconds: -65186305 + resizePolicy: + - resourceName: 9rUpDkTFnW + restartPolicy: KSʮ1ĩ`乀_Ɠ颩紵 慒¨ƶ挢¸s诡 + resources: + limits: + MYEa: "0" + ngW: "0" + requests: + 174vfq: "0" + restartPolicy: 軵ƿǽ嚢遳E + securityContext: + allowPrivilegeEscalation: true + capabilities: {} + privileged: true + procMount: Ő\烔Z座畄睸zɩCɎx簫S悍a + readOnlyRootFilesystem: false + runAsGroup: -6410700953715650696 + runAsNonRoot: true + runAsUser: -8187102783441071897 + startupProbe: + exec: {} + failureThreshold: 1640672315 + grpc: + port: -799307372 + service: w9KE22PLk + httpGet: + host: e6Zo4rWs + path: tscGwI + port: 2071839677 + scheme: '&ǂȞ<辳)9撆ʚ6&U}P%捸`y' + initialDelaySeconds: 652003075 + periodSeconds: 1077051101 + successThreshold: 1528128815 + terminationGracePeriodSeconds: -2176015428967645191 + timeoutSeconds: -998563216 + stdinOnce: true + terminationMessagePath: P + terminationMessagePolicy: 8痃v7ȱ噣愜Å%Ġ3 + volumeDevices: + - devicePath: k8uvc + name: GL + - devicePath: 31O9l + name: ivY + workingDir: PtgSFsc1GvC +extraEnv: +- name: RTz9f + value: kK5WtZCFpsl + valueFrom: + configMapKeyRef: + key: CB1UV + name: 0pF + optional: false + fieldRef: + apiVersion: xO4s + fieldPath: n2G + resourceFieldRef: + containerName: GmnwMQ + divisor: "0" + resource: yX30Dke4u + secretKeyRef: + key: vPbHh + name: oBAn1EoZmPzN + optional: true +extraEnvFrom: +- configMapRef: + name: lo + optional: false + prefix: mSdySXyKqEkl + secretRef: + name: t4daT3 + optional: true +- configMapRef: + name: IFTvBGq + optional: false + prefix: qKk6o + secretRef: + name: "4" + optional: true +extraVolumeMounts: +- mountPath: gRGvu + mountPropagation: Ŋ4ǔ盍薟惮睌ȿ濍ȯȀüƳ$ + name: oJv65V + readOnly: true + subPath: P20XHtoR + subPathExpr: SzD +- mountPath: xhuwGvn + mountPropagation: 搛悈nj鰣*颵俠Ʀ慫灗岵ȆǴ騔Ė栢č)q + name: ebDa1q2nKt + readOnly: true + subPath: "6" + subPathExpr: N0xOT +- mountPath: xHTM + mountPropagation: 0關ɮUeŪ + name: P8noEsWy3t + subPath: y5E + subPathExpr: oP2A6C +extraVolumes: +- name: MqQb15NA +fullnameOverride: foGC +image: + pullPolicy: 躂Qʢ瞶CǁȮ + registry: JWsGq + repository: JAUpWzFL + tag: 3WF1aV +imagePullSecrets: +- name: s1B +- name: R54rm +ingress: + annotations: + "71": 1aSj + B3N4dn: hsJR8Fl + S9: x8u + className: xm + enabled: false + tls: + - hosts: + - 6PBjnokDE5 + - df + - SMIi + secretName: VVeSdJP + - hosts: + - kY + - VSdS4nZ + secretName: rR5tuP +initContainers: + extraInitContainers: DZkf1 +livenessProbe: + exec: + command: + - b5k + - "8" + - 74zV7hI + failureThreshold: 604102540 + grpc: + port: 1351493068 + service: a + httpGet: + host: pbTe + path: l3E3mpnq + port: nBQsx + scheme: . + initialDelaySeconds: 93396392 + periodSeconds: 1323534907 + successThreshold: 2044410955 + terminationGracePeriodSeconds: -5171571423145940595 + timeoutSeconds: -725304614 +nameOverride: bCPeYVWao +nodeSelector: + TDma3: eGasO + cs6G: CyEFp0L + r: xdylcKb +podLabels: + 1bb6: "" + 3U: mfPv + T: Q +podSecurityContext: + fsGroup: -4412504815274791692 + fsGroupChangePolicy: Ȯƭhjb糯妔ȂǑʜ胴}轣 + runAsGroup: 3860793197532219812 + runAsNonRoot: true + runAsUser: -1963293898483195295 + supplementalGroups: + - 2429921255984048344 + - -2773566751575632894 + - 5629450590441918989 + sysctls: + - name: h + value: zKVw + - name: D5ekUqS2 + value: 5FxU + - name: dgHyyau + value: o +priorityClassName: uHKqx +readinessProbe: + exec: {} + failureThreshold: -1216486926 + grpc: + port: -173591622 + service: CPUt + httpGet: + host: hry + path: KRRaps9O + port: W + scheme: ƈ;黷ç駵P!瘠瘀/ǹ + initialDelaySeconds: -1636119248 + periodSeconds: -1587206371 + successThreshold: 1085720843 + terminationGracePeriodSeconds: 788084162692446331 + timeoutSeconds: 1603673472 +replicaCount: 390 +resources: + limits: + HS: "0" + sspp8OAsyF: "0" +secret: + create: false + enterprise: + licenseSecretRef: + key: enS + name: "" + kafka: + awsMskIamSecretKey: 6Rpozk + protobufGitBasicAuthPassword: b9bAHSr + saslPassword: xFMbXwVAO + schemaRegistryPassword: wMc7l + schemaRegistryTlsCa: Iqy + schemaRegistryTlsCert: B2Y5 + schemaRegistryTlsKey: ooeFo3mZ4 + tlsCa: YCVA9R6f + tlsCert: b5AAaCcgXX + tlsPassphrase: HVdFrCml + login: + github: + clientSecret: JWVOWiL + personalAccessToken: B6DA + google: + clientSecret: lk1l + groupsServiceAccount: KFTHdrXBq + jwtSecret: IfZ3S + oidc: + clientSecret: 33jad4PG + okta: + clientSecret: pEYKMXqE + directoryApiToken: S5N6 + redpanda: + adminApi: + password: cNTmA + tlsCa: Ymp + tlsCert: 5Xquj + tlsKey: f2AsWMK +secretMounts: +- defaultMode: 64 + name: v1bEam0d + path: WfYQ + secretName: FOCtz7x +- defaultMode: 494 + name: 2keqwtlu + path: hpZaUwi + secretName: 1dug +- defaultMode: 354 + name: RAI0g6yvn + path: bCeiaipj + secretName: "2" +securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - ɇǎȬ+丰DZ}薞ɎƐ + privileged: false + procMount: Ȧ杖煃a/ɓ<3ő+笽pȗdzSj + readOnlyRootFilesystem: true + runAsGroup: 8336843233603802952 + runAsNonRoot: true + runAsUser: 956863148985923497 +service: + annotations: + lrtdFF: 60R7 + nodePort: 446 + port: 229 + targetPort: 59 + type: 2K35 +serviceAccount: + annotations: + M: 37JLL + TSllzWgI: ZA + gOSHO: 00aEHRLh + automountServiceAccountToken: false + create: false + name: S9Bk +strategy: + rollingUpdate: {} + type: 呇弰$腕煴贔棳軀+œʃǀŖ* +tests: + enabled: false +tolerations: +- effect: 酼駘宁ì<^ʉ逐GM¼韹宅劑圦ȢN鵸; + key: LjdOPUZjJ + operator: 窃銥ɺ嘭t緯ȇw,[t捻S麨vɂ閰 + tolerationSeconds: 1714321621775966634 + value: Uvm9nY3 +topologySpreadConstraints: +- labelSelector: + matchExpressions: + - key: AUro1 + operator: 聘 + values: + - x5E03owNK1 + - 61u06hoBRErcl + matchLabels: + HMA: 7iZSaiF + jCP15v: ksLC1iD + matchLabelKeys: + - cp + - CZpJKgP + maxSkew: 644443933 + minDomains: 1722624609 + nodeAffinityPolicy: ú(ʆɴȾ狍lfĒHȉ嫔7ix壿 + nodeTaintsPolicy: 遡lşř门Ǣl + topologyKey: qP + whenUnsatisfiable: "" +- labelSelector: + matchExpressions: + - key: i8xDfgO + operator: ʖĝ#烕ɋřĊI + values: + - bOA4n + - ByUsK + - key: 6fCdAFtmFF + operator: 靕ƭ錒Ĕ + values: + - JIMC2Pc + - a7wA08 + - key: xMn + operator: "" + values: + - gSa5XT + - 50IS6 + - "8" + matchLabels: + DoGCwvltR: vVXQcZcxdz + JLmhsQlh: L3AY0Pv + X9: U + maxSkew: -2038040013 + minDomains: -1884001920 + nodeAffinityPolicy: 嵋磋ɹ:ɢ慚TA烁.X幰 + nodeTaintsPolicy: 奒)ʅm=矕郔o鬻鴊ȵɯt债CŔ儤 + topologyKey: qkx4gKx7 + whenUnsatisfiable: 匊aO卞肝喚覕Ȭnr說ɉƢ/Æȧ婡賛 +-- case-034 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: {} + weight: -982889256 + - preference: + matchFields: + - key: XhG + operator: 萎Nc汏帞 + values: + - CY + - key: SQm3as + operator: :g憓痳ʑ^荔ĚE慮ǫ鶉 + values: + - gKNU + - "4" + weight: -2081315042 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchFields: + - key: "" + operator: '[棉' + - matchExpressions: + - key: YgpJq + operator: ës曬¡岹V瀈ȭ岅mK + - key: HKYARp + operator: '完RQ\u穩[憄籎禨 ' + values: + - 2wfWZQ9 + - key: M0 + operator: 酺縿Ȼ慭苾Ʉ6Ʀ + values: + - xr7e9 + matchFields: + - key: O + operator: 笿眷ē睡党ǎf鴋Ɗ給 + values: + - HjtABxYy + - key: TD8D + operator: Ȃ顈筻ůȳM!剢nZÁx.}鯡L颗eĵ + values: + - xDTUGq1 + - 9xI + - key: 2B + operator: ']ţ峝輴{ȳ鬻ŶøU)ŢŤ' + values: + - 8hQz + - BtJ6XJwj8 + - bB1HqX + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: QrP50c0 + operator: 2蕦!#ɺĠȿLy2ǽǃƝFʡ + - key: sh4AX + operator: '"ă粸Ǘ筽齣zƪƭŰ''鴚ǝʠƲy>A' + - key: AyAj1WrXn2nZbf + operator: 郥m,攃 + values: + - xuX0t + mismatchLabelKeys: + - 94CSmERwUUu + - "" + - 3lJqWyss + namespaceSelector: + matchLabels: + XPKK9buQTkk: hK + c6yMPKCuDUW: NaXtSSb31Vtc + topologyKey: 4IWq1 + weight: 1215591736 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: bKgv7w5BLU9 + operator: 佱$Ɛɯȳǚ½ȴk + values: + - Rc6Akw + matchLabelKeys: + - nj2vCk + - GT7VEmkOiP + - D81b9yrN + mismatchLabelKeys: + - xrrln + - "" + namespaceSelector: + matchExpressions: + - key: Okpa0 + operator: ȳɃ互B¸砂霿枹蔪 + - key: bG + operator: "" + values: + - 9Az3OOsKzxT + - qufp1g + - hPp0e + namespaces: + - ia + - wpgLWCg + topologyKey: t9 + weight: 1536631188 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: xCMZF2V + operator: p仯F寃Rm慽財Ū-宩>ɗ呈3嚱Y + values: + - 2IrEZ + - ox + - S1NOR4go + - key: M + operator: ƙ岉 ʛZ3 + values: + - 61kg + - gCY32n2G + - key: z7jqw + operator: '´鋁k透 ' + values: + - 3bI7Mo + - V15M6 + - Elw2un19FO + matchLabels: + "1": jTzLL + E3HVo8p: 8mRx + tHPA: X + mismatchLabelKeys: + - sA + - eKQcaD + - 67tHuF + namespaceSelector: + matchExpressions: + - key: CrZYZ + operator: FWɺŮ + - key: K7SRYb + operator: .ØƣƎ 對猣#倳s7Ǵ栔Ħn4 + - key: k2Bz + operator: "" + matchLabels: + r6: SsE6YhO00w + namespaces: + - bECP + - nZT + topologyKey: ATU + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: T8nB5f + operator: 虁Iɂ飇ě + values: + - bTYBHU + - PWWBtWcP + - key: BJo + operator: 焜Eâ簋@ʘ芮暸UĖ + values: + - DI + - dh9e + - 0hiMkvD + matchLabels: + 7TSrj3: t4aVDF0 + P8L: liB + TkxKc: 4k + matchLabelKeys: + - C + - Uxzu6ju3L0 + mismatchLabelKeys: + - 7JBQmr5 + - K2WwmaMb + - ZGo5q7x + namespaceSelector: + matchExpressions: + - key: "603" + operator: 溝ʫ"zNĂ + values: + - 217W38 + - DjaFqo + - 34Dd6xS + matchLabels: + Le1shqQ: q6Ra + jocxC9: 1wwizZ9OUc3 + t9v: p7 + namespaces: + - tNw7r0z + topologyKey: WB + weight: -695352638 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: Et + operator: "N" + values: + - iXi + - AZpWUZE + - bB + - key: 6e8xewD + operator: 拒D挼霘%Ǧ珕 + values: + - cLLOT + - LzhXzKVG + matchLabelKeys: + - v1hg0Fb0 + mismatchLabelKeys: + - i + - vh3C0ZF + - i694fjp + namespaceSelector: + matchExpressions: + - key: Rt + operator: 4%{ź*妻=舉佸EǩɛW杚察ű + values: + - gx + - x + - M0 + - key: S1J9kEl0 + operator: 湻膴L鮠#桽 + values: + - Lpx + - key: QzUh3 + operator: 閛V;Ĝ棱碗闃{竀%狮闀ʩE腡¹#C + values: + - qh0l + - Jgu1EIM + matchLabels: + tZ: y7 + u7: jkFA4i + namespaces: + - httsx + topologyKey: wNV2 + weight: -441999969 +annotations: + "": kBVzs + JKJQy: g8k + Zcnpm: TWUNV +automountServiceAccountToken: false +autoscaling: + enabled: false + maxReplicas: 23 + minReplicas: 122 + targetCPUUtilizationPercentage: 266 + targetMemoryUtilizationPercentage: 92 +commonLabels: + 0fz: qRhpB + blGSa: Hnim0SflkfpF +configmap: + create: true +console: + roleBindings: + - zktoFv: null + - BnTf: null + N30: null + O: null + - "5": null + up6oELWDxO: null + roles: + - 3vFSt6CV6h: null + - zwoEunAfS: null + - "": null + Kz: null +deployment: + create: false +enterprise: + licenseSecretRef: + key: wTtzVK + name: f +extraContainers: +- command: + - fbGgvGkx + - edBIWrM + env: + - name: 8jJnT7Zj + value: Mq + valueFrom: + configMapKeyRef: + key: JC + name: sVkSiknR2xCa3 + optional: true + fieldRef: + apiVersion: wANryBKXLB + fieldPath: NyZCECkxJ + resourceFieldRef: + containerName: OZ8 + divisor: "0" + resource: cmCxr + secretKeyRef: + key: DwO8j5 + name: B + optional: false + - name: EHh + value: QCji0tC6i + valueFrom: + configMapKeyRef: + key: WAw2dVgj1 + name: Ay + optional: false + fieldRef: + apiVersion: Qi + fieldPath: gpyTLtuoWjh2y + resourceFieldRef: + containerName: lU + divisor: "0" + resource: eblZRy9ULY2IzA + secretKeyRef: + key: mv + name: j + optional: false + - name: aUVmiB + value: kpqOP + valueFrom: + configMapKeyRef: + key: s + name: bQ6 + optional: false + fieldRef: + apiVersion: SdqbUuwjM + fieldPath: 2l + resourceFieldRef: + containerName: tw3t5LDN + divisor: "0" + resource: rwu + secretKeyRef: + key: 4BhlrEVh0 + optional: true + envFrom: + - configMapRef: + name: Hjuj9nlmmK + optional: false + prefix: 1f + secretRef: + name: ZAvqr + optional: true + - configMapRef: + name: xM7XvJNDv + optional: true + prefix: a3u3 + secretRef: + name: cvRqlow + optional: true + - configMapRef: + name: bRyp + optional: false + prefix: 5mEO + secretRef: + name: axWGwhmN + optional: false + image: EszTqv + imagePullPolicy: 輧脙ĭr恐荌ǩ\ȓȫ訷鿍湲瑁u楊禅ɤ& + lifecycle: + postStart: + exec: + command: + - WMJ1Vj + - bt + - UpuoW2L + httpGet: + host: ZQUCS + path: XvmuYh + port: p + scheme: 瘿ā|^k*雗 + sleep: + seconds: -4794985278116558932 + preStop: + exec: + command: + - fNY + - Rk + httpGet: + path: vcHj + port: 94X + scheme: ʕ煤}f + sleep: + seconds: -572101244460663065 + livenessProbe: + exec: + command: + - HoQxW7Nhx + - 1vL7TCk + failureThreshold: 1202856974 + grpc: + port: -177653984 + service: dd + httpGet: + host: cFj8k7 + path: l91YUo + port: -205856494 + scheme: '''朔6嚍¹*¢ɰȯK' + initialDelaySeconds: -1838390355 + periodSeconds: -2089935919 + successThreshold: 745930955 + terminationGracePeriodSeconds: 651854435833106407 + timeoutSeconds: -451727064 + name: LUkN + ports: + - containerPort: 52213129 + hostIP: pBen4iN + hostPort: -1605812710 + name: embL6 + protocol: 隠:ʀǙƴ茝鞝剟蚓遆積ǯ槦黽虼m + - containerPort: -1355336717 + hostIP: Vq9h1OAN6 + hostPort: 1469157628 + name: DgLmxr8 + protocol: ơ阆Ƃ + readinessProbe: + exec: {} + failureThreshold: 1404262379 + grpc: + port: 617847874 + service: wZ + httpGet: + host: 7f + path: 4gU9kDN5 + port: MXWfnK + scheme: 鬮ŵVƉ + initialDelaySeconds: -498539377 + periodSeconds: 1569378042 + successThreshold: 1909376148 + terminationGracePeriodSeconds: -3310812073755566654 + timeoutSeconds: 957960925 + resources: + limits: + 5k: "0" + wIlp6Km9XNo: "0" + requests: + RaT: "0" + restartPolicy: 车WđƜ嚓Ŭ罀ǑȪ + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - w}ɼ簖#s>腭hWɘnj嗠/ʜ墭呣lj + - dT劍Il捝s+;暷ƻņʖ馺ª贐 + drop: + - '*¢炐96ʑ叛z¢á5ɏeEɢ@Ƨ' + - ƭ樯Ɉ>ƈ@Ɨ + - ńɜʢnij咓ƹ灀}¿\ + privileged: false + procMount: 堲渢)#珯犠ƙYĮ鷝Ƈ蚈_ + readOnlyRootFilesystem: true + runAsGroup: 5272751894835649479 + runAsNonRoot: true + runAsUser: -777021971579066284 + startupProbe: + exec: {} + failureThreshold: 48102716 + grpc: + port: -1093646129 + service: bIKooEs + httpGet: + host: Mv + path: fstI2uQ + port: Qd + scheme: dzLBʖ飐吃ê傧靲dz + initialDelaySeconds: -187921670 + periodSeconds: -217914776 + successThreshold: -664446049 + terminationGracePeriodSeconds: 8083333456613274947 + timeoutSeconds: 399455066 + terminationMessagePath: jqUx + tty: true + volumeDevices: + - devicePath: LLB2W + name: kDDD + - devicePath: 9DhP1 + name: aW0PgFJODCAEF + volumeMounts: + - mountPath: "4" + mountPropagation: ;bŊcN啲;蜩½ǒ朒Q"EƙȌ{甐岊 + name: c + subPath: c + subPathExpr: cXqUzbd + - mountPath: NY + mountPropagation: ʋS溸呖Ä翫ɧȐ{豒lÔș:ľ玠3íw + name: 7nseZUY + readOnly: true + subPath: itHF + subPathExpr: eHexIOW + workingDir: BZZ6 +- args: + - 5cCg + - E7 + - iFP6rZ + env: + - name: qEiC5K + value: HE + valueFrom: + configMapKeyRef: + key: Q4ff + name: c6s + optional: false + fieldRef: + apiVersion: jBI6X + fieldPath: zpTUfYD + resourceFieldRef: + containerName: mzmkl8 + divisor: "0" + resource: 81k8LI + secretKeyRef: + key: "" + name: N9yqj + optional: false + envFrom: + - configMapRef: + optional: false + prefix: WYG + secretRef: + name: DFBRLWb + optional: false + image: Z + imagePullPolicy: ǂAM鳘墊šéDz!迒A + lifecycle: + postStart: + exec: + command: + - r + - RbH + httpGet: + host: FG + path: gzf4kd + port: 813947014 + scheme: '&X垮Ą:S褦慺ʛ竆閃_m鑙òó' + sleep: + seconds: -1141547218815402249 + preStop: + exec: {} + httpGet: + host: ZA8qVd + path: 9ooQ + port: -271801527 + scheme: 鏡稂;ňȓRH愦Ƚ + sleep: + seconds: -8502483422139801966 + livenessProbe: + exec: + command: + - I4WNnF + failureThreshold: -637772395 + grpc: + port: -1513640963 + service: CpWh0e + httpGet: + host: JrZk + path: YCnQ4z + port: 13mIiI + scheme: 鏘 + initialDelaySeconds: -200843985 + periodSeconds: -502259067 + successThreshold: 1719668769 + terminationGracePeriodSeconds: 6044193620909725026 + timeoutSeconds: -388757192 + name: Vem + readinessProbe: + exec: {} + failureThreshold: 1932036046 + grpc: + port: 940655155 + service: h5HN + httpGet: + host: H + path: G1p4WFvGD + port: iMuM + scheme: ŗ颁njNą筵 + initialDelaySeconds: 271733079 + periodSeconds: 1483111043 + successThreshold: -1186732202 + terminationGracePeriodSeconds: 8539189418162863572 + timeoutSeconds: 1565787262 + resources: + limits: + AfrFB6Ne: "0" + UFzEjwa: "0" + regGR: "0" + requests: + 30st: "0" + restartPolicy: Ǫ豥ɗ槻T+Ĕʓȣ+卮Ȱ + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - 1蒟顨ƽėȰ + values: + - TGv + - VVtqHApm + - 7Mub + matchLabels: + PI: elzxW + Wd1Q: MYEPScu1su + i: uENdc + topologyKey: QlwUBoDWM +automountServiceAccountToken: true +autoscaling: + enabled: false + maxReplicas: 367 + minReplicas: 105 + targetCPUUtilizationPercentage: 126 + targetMemoryUtilizationPercentage: 500 +commonLabels: + 5NU: UG7t + 6NmZI: QxuTdplvdDdc + BYcISWrd5: YZbXA +configmap: + create: true +console: + roles: + - CSJ: null + - 0hM2tbS5: null + ZhG3M: null +deployment: + create: true +enterprise: + licenseSecretRef: + key: xLO4B2BCZUJ + name: BQR2Y +extraContainers: +- command: + - DlBCuc8xa + - X2hi8Mp + image: 00GQ5 + imagePullPolicy: 賎ʂG}Ƌ煚6ūaĠ腻f + lifecycle: + postStart: + exec: + command: + - mVlE + - cFmlozRTJ + - "" + httpGet: + host: RIzcOYFo + path: eZge9wzJjW + port: ugY08 + scheme: 讣Ɨƶ"ɇǘƓƮ + sleep: + seconds: -5362042555365295319 + preStop: + exec: + command: + - "" + httpGet: + host: hLxRfJhv + path: JA8kOIY + port: tpH1 + scheme: '''k:嘡葊佒ďȏǓɡ毫/视倴ĩ}Ɓ u' + sleep: + seconds: -915316715834475044 + livenessProbe: + exec: {} + failureThreshold: 1628387875 + grpc: + port: -119747124 + service: 3cnWKI + httpGet: + host: 6Wzb9 + path: Af + port: RAzYX + scheme: 嘾Q經f + initialDelaySeconds: 4951530 + periodSeconds: 1309655668 + successThreshold: 918641827 + terminationGracePeriodSeconds: -3073080783253286451 + timeoutSeconds: -1896420637 + name: yML27O + ports: + - containerPort: 509868797 + hostIP: XMFIjyy7MNejY + hostPort: 2083818454 + name: gd + protocol: 槏 R¨ƽT³簑ƤA$<猿.0d + - containerPort: -164866787 + hostIP: eh + hostPort: 1842390272 + name: H7 + protocol: y擫`/洄]ʢÓ7Ā紐ǟ塋 + readinessProbe: + exec: + command: + - 5MrELPMn + - 23x1a + failureThreshold: 1394382122 + grpc: + port: -96138878 + service: DBq + httpGet: + host: 60SrHkgc + path: OwZeja1P + port: 721461548 + scheme: ' `$ħ' + initialDelaySeconds: -2125734502 + periodSeconds: 66441733 + successThreshold: 130216629 + terminationGracePeriodSeconds: -7113768241875088710 + timeoutSeconds: -977567736 + resizePolicy: + - resourceName: 8VNf4C + restartPolicy: Ě} + resources: + limits: + 2TX: "0" + Yd3: "0" + avcFFX: "0" + restartPolicy: Ę<彪6 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - ūW銹fn|óOB¶őǝ:ɛ暙- 嫴 + - 韣噺Ȑ主鋥Ɣ睩熾@Ĥvƈ + - 気ʎɭ愢勈īɔ垆ŀ槌,q儇p顼ǯ歳 + drop: + - EģIJ>筡|n譌ɶd2鍇$X/ȴ偎穾7 + - "赻探ǞiN胂a + name: 79CeZyd + subPath: xMQ + subPathExpr: NvU + - mountPath: smgfnmvP + mountPropagation: ʈ + name: CuKUC + subPath: hZ8KJ3 + subPathExpr: CK4WsX + - mountPath: zm + mountPropagation: 傩骟Ⱥ|尤fŇɓ呣ɘĩŽ + name: wRtUU + readOnly: true + subPath: T1 + subPathExpr: cidBhX8I + workingDir: M0jsi8 +- args: + - rQ7QBmZ4 + - Q32wY3lGUA + - VGeP + command: + - "6" + - 5vVr2Q + - 4YDd + env: + - name: DY1 + value: sge + valueFrom: + configMapKeyRef: + key: O8RUTpJ + name: SCF5ph + optional: true + fieldRef: + apiVersion: NY0hb + fieldPath: ViZ0f + resourceFieldRef: + containerName: "Y" + divisor: "0" + resource: sCX + secretKeyRef: + key: Ma + name: 6s6lc5 + optional: false + - name: m19lk2eiDtcdB7 + value: 0JaB + valueFrom: + configMapKeyRef: + key: VolU + name: jnFjMLIQ19 + optional: true + fieldRef: + apiVersion: "6" + fieldPath: N0wIEnFmQ + resourceFieldRef: + containerName: QwDG86d + divisor: "0" + resource: pda + secretKeyRef: + key: Uc7x1XF + name: efgc + optional: true + - name: 8A + value: 1kUmljHSb + valueFrom: + configMapKeyRef: + key: "" + name: z18yxT + optional: true + fieldRef: + apiVersion: 1qaE + fieldPath: vEzPx + resourceFieldRef: + containerName: GYhSz + divisor: "0" + resource: Ttq + secretKeyRef: + key: aaGRQS + name: C + optional: false + envFrom: + - configMapRef: + name: "0" + optional: false + prefix: 5cqcw + secretRef: + name: O7Gex12 + optional: false + - configMapRef: + name: DHEYwZ + optional: false + prefix: wSbyGx + secretRef: + name: 9nM86dZi + optional: false + image: E + imagePullPolicy: 栧Z + lifecycle: + postStart: + exec: + command: + - 6775E + httpGet: + host: hIoYmpbc + path: qEf + port: rnJpXG69m + scheme: 赙¯6a腚 + sleep: + seconds: 4894208532244895909 + preStop: + exec: + command: + - mHtY + - 0hh1Tr + - "" + httpGet: + host: BuElf + path: fJPDiyG + port: PybmIT + scheme: M*Ķ + sleep: + seconds: 7544543348205057985 + livenessProbe: + exec: + command: + - z7IJ + failureThreshold: -360493877 + grpc: + port: -1395908290 + service: zV1i + httpGet: + host: GLn + port: -279409955 + scheme: ǃU螄骰褃Ʀ诐Ɯ{,ɍb萎Ɲʢ鰪\U + initialDelaySeconds: 1831688310 + periodSeconds: -280461011 + successThreshold: 84363106 + terminationGracePeriodSeconds: 7513815341722354757 + timeoutSeconds: 442815657 + name: pGthpc + readinessProbe: + exec: + command: + - T39QO5 + - "" + - DbSsPel + failureThreshold: -1901163919 + grpc: + port: 1255815597 + service: xeTv + httpGet: + host: bipPJGJ + path: nghEbF + port: uyLPK + scheme: 翁渹牯澖 + initialDelaySeconds: 1295268788 + periodSeconds: 17921235 + successThreshold: -212369586 + terminationGracePeriodSeconds: 1061046207943693656 + timeoutSeconds: -1707711843 + resizePolicy: + - resourceName: RLHi + restartPolicy: 掳?帐(Ǖčĭ纜 + - resourceName: H1Bv + restartPolicy: Ɉ駃愝ɲƁ2*ʍJ蕦ʃĹr}尕5J埉g + - resourceName: f + restartPolicy: ɧ帨y晒ʪäǗ«ǤǞugT埤X澇寿Ù\ + resources: {} + restartPolicy: 7Y熀7rúǬ轘 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - Ǒn%Aʙ]m* + privileged: false + procMount: 鼷R珍沌 + readOnlyRootFilesystem: false + runAsGroup: -287129322294347273 + runAsNonRoot: true + runAsUser: 3942212766283409661 + startupProbe: + exec: + command: + - gN + - zpmlcJ + - DeLJ4s + failureThreshold: 102924404 + grpc: + port: -1304933194 + service: 0iK + httpGet: + host: jbg + path: ZqaSpx8C + port: UPJqfy9dOO + scheme: 韼QY岩沴ì釪儇9ĩN + initialDelaySeconds: -46268668 + periodSeconds: -1126074804 + successThreshold: -2093938118 + terminationGracePeriodSeconds: -3498490773203628311 + timeoutSeconds: -736335366 + terminationMessagePath: "7" + terminationMessagePolicy: 辺OB¯悱楆3Ǫ首傭ɟ鮛ïƇ豙ǁUȵ + tty: true + volumeDevices: + - devicePath: DSh1 + name: 1OMawuQAlZD7 + - devicePath: "Y" + name: liCI2j + volumeMounts: + - mountPath: JPO9Ewk3kgaeuBD + mountPropagation: k釂Żɮ>ɸêW箁B| + name: QGO7HtoR + readOnly: true + subPath: oYudCrOqA + subPathExpr: Z1oG + - mountPath: iH6 + mountPropagation: dP帗俪Ťŷ/6¤þ剛&Ģ趽qi + name: 9Ro4aQU5yby + readOnly: true + subPath: piBl3 + subPathExpr: nfDFn + - mountPath: uU2H4 + mountPropagation: ljQ + name: "" + subPath: rj2 + subPathExpr: E + workingDir: BveK3 +extraEnv: +- name: 14jKCyMC + value: Mb95Ivlchi + valueFrom: + configMapKeyRef: + key: FMRh9 + name: VwME2dRYnb + optional: true + fieldRef: + apiVersion: NlY1uxRPgql + fieldPath: NDrKU5 + resourceFieldRef: + containerName: gPQ1TD3MX + divisor: "0" + resource: r6HOpjj + secretKeyRef: + key: "n" + name: RQLa2rQL7Y + optional: false +extraVolumeMounts: +- mountPath: pqfdKzb + mountPropagation: "" + name: 6btv + subPath: xLjoA + subPathExpr: UseM +- mountPath: EYXxm + mountPropagation: 煊`ś蠶+蓲慅4曌Ƥ4臜.魼簌m缽荈巇 + name: 6ut6g + subPath: 7N + subPathExpr: ypY +extraVolumes: +- name: 00PT1WRWHX +- name: P4 +- name: fn +fullnameOverride: Bv0I +image: + pullPolicy: 垿儣Ƈ#WMƻ + registry: XB9ke7yB + repository: EwU0pzhz + tag: SmZAnO7 +imagePullSecrets: +- name: ygWNP7C0W9 +- name: lo0PU +ingress: + className: vg + enabled: true + hosts: + - host: daRMGxIy7gKoE + paths: + - path: GVhF41Ue + pathType: TeM8 + - path: UontjIzl + pathType: MN + - path: "" + pathType: xN + - host: YCgI + paths: + - path: MPhdfahEcn + pathType: ECPrn + - host: GDOlAVRM + paths: + - path: H5pExfzke + pathType: v8 + tls: + - hosts: + - dQiMWdJ8cYKS + - 35K + - 8Kin + secretName: C + - hosts: + - zPo + - Z7 + secretName: SiZz +initContainers: + extraInitContainers: ITIY +livenessProbe: + exec: {} + failureThreshold: 724782955 + grpc: + port: -2055628426 + service: kYxAdPiz + httpGet: + host: JfFu5eafS + path: S8lsKuv + port: 45830231 + scheme: 嵋6ǞkĤ閾8_Tu鍓 + initialDelaySeconds: 1633166106 + periodSeconds: 2105675880 + successThreshold: 225361138 + terminationGracePeriodSeconds: -5739612377473505352 + timeoutSeconds: -1665363921 +nameOverride: "" +nodeSelector: + LAqpO: N7lh0C2 + RqG8qj: ltTa5 + X3q: F5c +podLabels: + Klzm: we + e: C2swj + s: vw1lrq +podSecurityContext: + fsGroup: -8750452531563962174 + fsGroupChangePolicy: RȗɻÎ + runAsGroup: 3754171381447903160 + runAsNonRoot: false + runAsUser: 2565919490422334632 + supplementalGroups: + - 2907772986244331938 + - -4686580881125536152 + - -7134026849524391427 + sysctls: + - name: 8gezWufB + value: 2Jv + - name: 4nhjhT6P + value: 32ZuT + - name: cQk5tljX + value: Aimzt8kirN +priorityClassName: F +readinessProbe: + exec: {} + failureThreshold: -1128918125 + grpc: + port: -1566880140 + service: wMGGUi + httpGet: + host: EwUYUz5 + path: qC4K0 + port: frlhx + scheme: 2鳳ǿ{ǿN + initialDelaySeconds: -116128728 + periodSeconds: -1936485392 + successThreshold: -1735161598 + terminationGracePeriodSeconds: -4458812029359989949 + timeoutSeconds: -1293939870 +replicaCount: 464 +resources: + limits: + 0PRJ1bi: "0" + JUjtrq: "0" + WN9h: "0" + requests: + TCeGWCB: "0" + x5O0IxuN: "0" +secret: + create: false + enterprise: + licenseSecretRef: + key: Sfb6 + name: Fkoh + kafka: + awsMskIamSecretKey: Bof21IpUS + protobufGitBasicAuthPassword: fIQwt + saslPassword: KBS + schemaRegistryPassword: TehF8FK + schemaRegistryTlsCa: 40HTol + schemaRegistryTlsCert: cgz0Y9o + schemaRegistryTlsKey: QUpyP + tlsCa: naM + tlsCert: cC23TMJ + tlsPassphrase: NxVcNj + login: + github: + clientSecret: IDQ0 + personalAccessToken: "4" + google: + clientSecret: P + groupsServiceAccount: oKbW15 + jwtSecret: "5" + oidc: + clientSecret: YcYiIJm + okta: + clientSecret: CtRNDaLkEFXR + directoryApiToken: pH3E2YC7xP + redpanda: + adminApi: + password: "y" + tlsCa: 4ieHo3L + tlsCert: pQ6AshR + tlsKey: s9 +securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - '@晏駚T!UɎȉépg鎘Ȉ' + drop: + - ÚơĊ猴渋ĭ8膔櫔ż択ůĦ抹 + privileged: true + procMount: 偖躪 + readOnlyRootFilesystem: false + runAsGroup: -543916493751029755 + runAsNonRoot: false + runAsUser: 7772713475568767829 +service: + annotations: + C3p: uCspVMX + nodePort: 441 + port: 51 + targetPort: 456 + type: ZQQlqx7Np +serviceAccount: + annotations: + 7lpi: QQ + RK: "" + od3x: "3" + automountServiceAccountToken: true + create: true + name: HMyYp +strategy: + rollingUpdate: {} + type: Ʉ>朄崍ʡƥɼ戋\IJĹ +tests: + enabled: true +tolerations: +- effect: aƻƀi + key: 7II7D0fA + operator: 跳<ȴŤƇ梐ȸŷR + tolerationSeconds: -92963183946417046 + value: U +- effect: p鸿xś冣9ɩ揊Ů忁琺ȖP壡o繊堮 + key: 5sC + operator: XɦǨ燖Ż綯逆挤ʦ斝蟏滣ʣ + tolerationSeconds: -6405135249548565002 + value: c2m6hlo +topologySpreadConstraints: +- labelSelector: + matchExpressions: + - key: bsO + operator: Ⱥ8欟慡Ƿţ6氙絿鐘黬聠ç + values: + - hbuLC + - SdAZnchI + - key: b4Pjya + operator: jɀh5湧,Ȳǣ6謉<ɦ + - key: gXEm + operator: ',k涃栏岴g橚甇ȳ0禰餝榖睌ěB縩侾F' + values: + - q9VqX4l + - zoMoc9Vb5 + matchLabels: + B0T: uiIEpLD2 + V: jdhpTcaa + pz: V1dJXS8 + matchLabelKeys: + - yoFhTrxV + - o + maxSkew: -1837539887 + minDomains: 2144009248 + nodeAffinityPolicy: 怓覷環ʤ苷疿ʡB聧!]LJƱĿGť + nodeTaintsPolicy: V~0韾¾Ȣû&嵙纠&ȠVƧ鍌 + topologyKey: GldA + whenUnsatisfiable: Ƀk纩{寍HƋ&庝僟D徼聊 +-- case-036 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: bkwD5 + operator: B砟摫ʟ]估ȽÓĖ頒ʙǯ + - key: 4n + operator: "" + - key: DDWUTPllaee + operator: ǒ@訹Ðđɤ軗ɲǃZ袓6悔ʙ[x] + values: + - bHwxZg + - iPWF3DQz + - yhiFQZ98w6h + weight: -551427274 + - preference: + matchExpressions: + - key: kZ + operator: "" + values: + - BMfDa + - key: l + operator: unɚʀɂ7Ǩ蘕 + values: + - 1vsAjW + - lEGj0 + matchFields: + - key: EYCyU + operator: 袒雬Ǐ蔡|骐pOĆƍbʌʝl + - key: e9QdJHV + operator: Ɏ鼛鏗擌-悝Ű + values: + - DToToJ + - Gq4 + - key: M4b3wwVy + operator: 煛苅=İ哋ońɢ\Głh斳hɷ韙 + values: + - fMIoNrUiyJdi + - tcNEhOds + - N0 + weight: -906035045 + - preference: + matchExpressions: + - key: 05VafuKQo + operator: ƃèĢC篘 + values: + - McUwm + - oMXVW + matchFields: + - key: "" + operator: 9ȮLǟ3V廉\5膏ɩ袴 + values: + - t + - r8d6G + - FevHe + - key: KeJd9X4 + operator: \Y#uɆɫwĉɎ卲S + weight: -773391374 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: PiRY + operator: 週畯嘰Œ铖'ȸ0Į5k,逊 + values: + - Fo9oE + - KLfm4 + - PiZJC + - key: 6HCuuj + operator: Ȋ!ʈh牅HŹ蓓% + values: + - PU34U + - bZ12kwJ4s1 + matchFields: + - key: CCVSIZH + operator: (铴Njʦ釖Ĩ鎅ƒ獞p)唓u¸::2 + values: + - DjvLD + - key: 9gy6tFM + operator: ø + values: + - lPjPu0 + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 2oL + operator: Ì溄祤BNjɎ_ )jðZF + - key: Tl1mGP + operator: r0ȨȵeēP眼饾j + - key: 98uL + operator: "" + matchLabels: + "": H0F + IGfr: 8iR8 + pTjU: 2vy5Ol + matchLabelKeys: + - l2d3an + mismatchLabelKeys: + - gomcuJ + - UMhaBnQUuSH4 + namespaceSelector: + matchExpressions: + - key: CyYjfraf + operator: 鸫ʊűoǪĞ3 + values: + - uPW + - key: vuREiHB + operator: ^ĄçȂ挌 + matchLabels: + tlcI6jz: 87JK + namespaces: + - eUszN + topologyKey: yJ + weight: 1657692208 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 3d3mr + operator: 鿈Ė聭焚歉Ð(币帄Ⱥ + values: + - h + - key: Z5c + operator: ma琓 + values: + - i5Ae6oUo + - EWixIB + - "y" + namespaceSelector: + matchExpressions: + - key: XFYbW + operator: M~ + - key: lWHcsQ + operator: 铿X异~<ÿ缇ī*^ĩ + matchLabels: + s: l6sxM + vFiVA7j: WEOy1jtU + topologyKey: JW85dr45m2G + weight: 444678250 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: bMT + operator: ^)4ɊDZǸDŽ + values: + - CG9Onrt + - key: T + operator: ƞ傏 + values: + - bXs59oj + matchLabels: + 6BRwn: Pdm + Yy: aaoLnp + myN: rwJGrW + mismatchLabelKeys: + - "n" + - c + namespaceSelector: + matchLabels: + 5QMzPp: AP + D: "2" + u: Dca + namespaces: + - 8Af + - NYfxoYf + - R4G + topologyKey: yY + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 2uhHhqog + operator: Ȧ + values: + - YgsgGf + - key: EaR + operator: 愅YVǵ楔¢4Ʋ + values: + - xaEk + - key: NV5iPi5Kw + operator: ' 軕氡#晉Ʀ筜篧e蹶ʀSɟʂÊʕT' + values: + - BY4 + matchLabelKeys: + - 9fTYFH7s + - aK6HB6 + mismatchLabelKeys: + - 13L + namespaceSelector: + matchExpressions: + - key: 3FT + operator: Tğ枕Ōo*a種JU-ɶƠdz鱓fƑS + values: + - 4ISUCT + - po8yM2L + - T5Q0UARu + - key: RhB + operator: "" + values: + - Re7 + - 7id + - 91GFPdrt + - key: ShRTzNRj + operator: ʬ吇Ȭ?搰Ç + values: + - HiGOGJE + - wOi + - HmllR83Dbvoz + namespaces: + - "" + - TBCPW + topologyKey: 0H + weight: 1493754197 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: CESaz + operator: ŢaæX#暁鲸'媩俛5齗aw'ĥ煆W + values: + - "" + - key: YtpoWP + operator: 瀽LƠ' + values: + - uS13z + - ip0h + - o8m9MWnmr92 + matchLabels: + 7o4tt: QX9gjN + KScJOoR95: Dpu + wfAk1b: rH5Z + matchLabelKeys: + - Yh1S1nZ7hm + - Fwx + - 6mhp + mismatchLabelKeys: + - ihvyNa7 + - m8 + - Q + namespaceSelector: + matchLabels: + 2KH67NR4: Vy8qZyy + topologyKey: w0KJ + weight: 1592497187 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + 1UcAh: h + namespaceSelector: + matchExpressions: + - key: yxz + operator: ',酵ýhȿ鲹芫澥 Ǧ_Ź躄_莯ʊ傡硬M' + values: + - Fof + - key: 8KwNEN + operator: 8炮逴8`M鞵ȍȟ蟷盱 + - key: N0 + operator: Ì崌爷矉&佷* JQȴ躀厇退ƿƍ肙 + values: + - kjlwyKc + - DDz + - Yf8Vf5Ar7w7 + topologyKey: n5cRtvXjK +annotations: + GvX4jkWw: xAyNk + MdtXxfH: "" + WyrWx: 8QO +automountServiceAccountToken: false +autoscaling: + enabled: false + maxReplicas: 213 + minReplicas: 211 + targetCPUUtilizationPercentage: 270 + targetMemoryUtilizationPercentage: 495 +commonLabels: + Nv: YHcp9u + RMi5: o4 + ViLr0: zrEw3 +configmap: + create: false +console: + roleBindings: + - cwSnKnhS: null + mzA9: null + oRCBU: null + - 4VfdtEVC: null + UF: null + - 785va: null + Cmlc: null + NyhDjFL: null +deployment: + create: true +enterprise: + licenseSecretRef: + key: teD + name: fP2IA +extraContainers: +- args: + - gfDaDhh + command: + - Eu + envFrom: + - configMapRef: + name: 9LtiYU + optional: false + prefix: dS5JDbtZJ + secretRef: + name: 3X5 + optional: false + - configMapRef: + name: vpOLCCmA + optional: true + prefix: IJpeUVYk3 + secretRef: + name: TaghAr + optional: true + image: Nw59jHFBw + imagePullPolicy: Eźz购綗映ò#ZuS絇溾^飷 + lifecycle: + postStart: + exec: + command: + - N2F2q + - XKeJn + - CfoVd + httpGet: + host: 0u3Kgf + port: PVA8u + scheme: ȧX[噦摼鎥憈ǴńƘŅ + sleep: + seconds: 9185496374723367536 + preStop: + exec: + command: + - lrWSClt + httpGet: + host: uS + path: 51Gzg9s + port: -1680102290 + scheme: 8涒齃ɠĬ諛鰅jyr塸ȷg× + sleep: + seconds: -302278202696680147 + livenessProbe: + exec: + command: + - fmu + - wJR3 + - 60zV6s4327rKb9 + failureThreshold: 2122798666 + grpc: + port: 1914605377 + service: ES + httpGet: + host: 7LAmwy8 + path: o2XAC + port: S5 + scheme: 犘ßħɚÂ剐*鬰ȇxȺ錎 + initialDelaySeconds: 343978803 + periodSeconds: -1725283583 + successThreshold: 1055506692 + terminationGracePeriodSeconds: -737021961431151273 + timeoutSeconds: 1721351711 + name: r + ports: + - containerPort: -341996687 + hostIP: zR + hostPort: -641414216 + name: AGa7X6lnw + protocol: 阧 + - containerPort: -1616018360 + hostIP: 8q + hostPort: -2060443566 + name: B + protocol: 位ŲȟHbfp餪魹| + - containerPort: -321829785 + hostIP: S + hostPort: 850049722 + protocol: ĢŔ=ɦŊ鳺醩hĂ踻鉀 + readinessProbe: + exec: + command: + - VRq0lZK + - nCUDH3Zgc + - f2h2C + failureThreshold: -444080905 + grpc: + port: -1484737838 + service: UL8hSUw + httpGet: + host: 8DDb + path: Z + port: It67aEO18 + scheme: 蹐疒Į浤 + initialDelaySeconds: -1225398553 + periodSeconds: -1497056806 + successThreshold: -1256842388 + terminationGracePeriodSeconds: -3265344141862786392 + timeoutSeconds: 1127947387 + resources: + limits: + "36": "0" + Oaiu: "0" + v: "0" + requests: + F0olO: "0" + tvGpYtd: "0" + restartPolicy: Ě卿ɫȰLZ懁 + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - "" + drop: + - Ę螅7O5Ɵ駢Ó宮緂 + privileged: true + procMount: ʤ敠æx漭fƈŸʄ + readOnlyRootFilesystem: true + runAsGroup: -1779689763650765955 + runAsNonRoot: true + runAsUser: -1786517016760367110 + startupProbe: + exec: + command: + - Mcn36l + - "n" + - OMT3J + failureThreshold: 1137002720 + grpc: + port: -2106637755 + service: OYW + httpGet: + path: K + port: STUmUBT + scheme: 貪iɐ巶ɿiɲbɎ;Ŏċ2橺汲ŋ刢g + initialDelaySeconds: -648188998 + periodSeconds: -278768915 + successThreshold: 890955082 + terminationGracePeriodSeconds: 5660177701724482122 + timeoutSeconds: 959596283 + stdin: true + terminationMessagePath: h2a2mAm + terminationMessagePolicy: pjĉ + volumeDevices: + - devicePath: cZ95 + name: wLm + - devicePath: P9RW + name: PjzHR + volumeMounts: + - mountPath: b + mountPropagation: 脣Į + name: bOY + readOnly: true + subPath: mBuB + subPathExpr: 0io + - mountPath: DYp + mountPropagation: 9鹺t"Ĭij(?NB4ɖ鴼B屈桲ȋ噤ǁ + name: O + readOnly: true + subPath: EcI7mF + subPathExpr: HKfaS + - mountPath: NTgHw + mountPropagation: (ńÆ;裉嵀 + name: U6TGXB + subPath: wjpyjQ + subPathExpr: nqq + workingDir: NpjQN3dM +- args: + - m + - fmRfLPl + command: + - okKsRu + env: + - name: y8FxBu + valueFrom: + configMapKeyRef: + key: 1kdTq + name: NGzFHD + optional: false + fieldRef: + apiVersion: WDoDm + fieldPath: HTHz + resourceFieldRef: + containerName: aWk + divisor: "0" + resource: RcTwrpd4PaqW + secretKeyRef: + key: 27uDnW9fM1 + name: diwId6SMC + optional: true + - name: NZ1pEV + value: Xq7fA + valueFrom: + configMapKeyRef: + key: cYo + name: IhK1oKNNr + optional: true + fieldRef: + apiVersion: 0C + fieldPath: "" + resourceFieldRef: + containerName: OywKEud3 + divisor: "0" + resource: E4 + secretKeyRef: + key: gGTl + name: V + optional: false + envFrom: + - configMapRef: + name: fJ + optional: true + prefix: zFUU1PguE + secretRef: + name: S7Jre + optional: false + image: gbZ4mqT + imagePullPolicy: '*罖Ē掙*uĕĥ世û煨o曁ɖ)嬫噩肖Ñ' + lifecycle: + postStart: + exec: + command: + - nxKsxt + - F25ka4x + httpGet: + host: "0" + path: 9k0yMphk + port: GJdG + scheme: 婁箅蝼đ杣Ɗ°VAƭ0ĺ钘1 + sleep: + seconds: 8039264634100238529 + preStop: + exec: + command: + - NuJoJm + - gykEI + - "6" + httpGet: + host: UnkqD3SS + path: BhN + port: 712546393 + scheme: u + sleep: + seconds: 409536667065008471 + livenessProbe: + exec: {} + failureThreshold: 204373937 + grpc: + port: 1803358082 + service: VXsxSeh + httpGet: + host: Ht64jf7Eo + path: u1jjW9Qu + port: 556487018 + scheme: 熖Ű存ŖT磇ɘ外 + initialDelaySeconds: -1152834471 + periodSeconds: -1133396594 + successThreshold: -1385193405 + terminationGracePeriodSeconds: 2915006546098799012 + timeoutSeconds: -1401054296 + name: dfD716 + ports: + - containerPort: 691082006 + hostIP: b + hostPort: 636825973 + name: S5FmEWKv + protocol: g]se墰掀媸晓櫚驟憽hbƥsư° + readinessProbe: + exec: {} + failureThreshold: 152987910 + grpc: + port: 642951905 + service: q2qfom8L + httpGet: + host: GaxyfqlQ + path: Oh0t + port: -766612198 + scheme: UÂ_ + initialDelaySeconds: -1382761032 + periodSeconds: 967018272 + successThreshold: -178373997 + terminationGracePeriodSeconds: 6605400648980208248 + timeoutSeconds: -1404918452 + resources: + limits: + 7cu: "0" + 22n7v: "0" + XsU5mrE: "0" + requests: + kyXuqf: "0" + mBk4P9DWW: "0" + restartPolicy: ʓdT>NȚks_q祈 + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - ȸŏ脸(Yǃ¯~垇耗A) + - T翱ĥ + drop: + - 商ʏ軒Ƣ厢 + - Ⱥãt\跋þ漙苣ű吡憕鿶0傜om + privileged: false + procMount: Ŷ% + readOnlyRootFilesystem: true + runAsGroup: -1052699124096043871 + runAsNonRoot: false + runAsUser: 3737016357651072730 + startupProbe: + exec: + command: + - jefRNS + failureThreshold: -9144267 + grpc: + port: 642233169 + service: WjvgDkGG + httpGet: + host: 8hzgS0q + path: z + port: -885964296 + scheme: ɸliŵ + initialDelaySeconds: 1014078949 + periodSeconds: 1410148112 + successThreshold: 1164669668 + terminationGracePeriodSeconds: -3385668069040237914 + timeoutSeconds: -1723583731 + stdin: true + terminationMessagePath: zbCh + terminationMessagePolicy: 4攨2õė+軩Ç + tty: true + volumeDevices: + - devicePath: Nx + name: QLHA + - devicePath: 9JAgFLSdSqQ + name: "5" + volumeMounts: + - mountPath: KXG1 + mountPropagation: ȁ捄ɺ絒馢A¥`Èť + name: aghWO + readOnly: true + subPath: el7KEVsV + subPathExpr: tdksniBM + - mountPath: 5nus8 + mountPropagation: N饢杼M7X尅扐ǗÃɱNƞeuĦg儡 + name: TS4kHG + readOnly: true + subPath: i + subPathExpr: ktDaTCGG + - mountPath: CSkt9N0i + mountPropagation: 爕ɐYYȁ<獱椂@椗áʇ憣>\Ɋ筙纉Ë + name: KIKRXUR + readOnly: true + subPath: bWYTiq + subPathExpr: cgxlHqVV + workingDir: F +extraEnv: +- name: 0iCX + value: UfKNkXj6I + valueFrom: + configMapKeyRef: + key: GGYmdb5PBtUx + name: Zl1rWu9 + optional: true + fieldRef: + apiVersion: 1pKgni + fieldPath: 8Zmv + resourceFieldRef: + containerName: nK + divisor: "0" + resource: Yizp + secretKeyRef: + key: Dxqh + name: td + optional: false +- name: bm + value: K06vl + valueFrom: + configMapKeyRef: + key: dOTjzfwtRPzX + name: YleYOzRS + optional: true + fieldRef: + apiVersion: xl + fieldPath: 6NM2 + resourceFieldRef: + containerName: jreT + divisor: "0" + resource: "" + secretKeyRef: + key: B7 + name: cu + optional: true +- name: F4Vp + value: 9q + valueFrom: + configMapKeyRef: + key: dAPalKT0 + name: UXC7S + optional: false + fieldRef: + apiVersion: bTxwQmS + fieldPath: XW + resourceFieldRef: + containerName: iqnl + divisor: "0" + resource: e9 + secretKeyRef: + key: c1WJ + name: sg2TuPSW + optional: false +extraEnvFrom: +- configMapRef: + name: 3PT + optional: true + prefix: l + secretRef: + name: zakko + optional: false +- configMapRef: + name: RdxlkV + optional: false + prefix: 9Ae4W + secretRef: + name: UiJ + optional: true +- configMapRef: + name: bp + optional: true + prefix: SU + secretRef: + name: fy + optional: true +extraVolumeMounts: +- mountPath: Oly + mountPropagation: ƈįlñ + name: QuM + readOnly: true + subPath: NPJ + subPathExpr: vn +- mountPath: xsiqpcicm + mountPropagation: Ŝȃ燩čƃʤǸ儼 + name: blYv + readOnly: true + subPath: 8f + subPathExpr: I +- mountPath: "" + mountPropagation: 犒k洐ɨ3UʓďȏUm8/x艂" + name: i2 + readOnly: true + subPath: G + subPathExpr: Wo47OrA +extraVolumes: +- name: HUa7xM +fullnameOverride: AumW +image: + pullPolicy: ǫtŖŮƘ瓧ù¹勍u + registry: ai + repository: f54I + tag: iO +imagePullSecrets: +- name: bbjdn +- name: VI +ingress: + annotations: + RX47S: lb0 + Ton: ukp + className: R3Ykmr + enabled: false + hosts: + - host: bybyr6XsLFPDg + paths: + - path: c9F + pathType: TyYv +initContainers: + extraInitContainers: q +livenessProbe: + exec: + command: + - dRbj + failureThreshold: 864346345 + grpc: + port: -568790446 + service: 9WyiSW + httpGet: + host: EbFlYW + path: HC + port: C1Fv7 + scheme: 軔ǷʧP + initialDelaySeconds: -1341055636 + periodSeconds: 2055603833 + successThreshold: -175204389 + terminationGracePeriodSeconds: -2333626465204273709 + timeoutSeconds: -589897727 +nameOverride: 9mG8n4Wu4 +nodeSelector: + U3Rfg9: WSTvjvP + hODw: LSv + iwleZ: fD +podAnnotations: + jLE31lUP: LWc +podLabels: + 6W: FQvOa + YwkBSNWK: 0qqd + jP3: iNkD +podSecurityContext: + fsGroup: 8205502301244812774 + fsGroupChangePolicy: "" + runAsGroup: -8440674019915815616 + runAsNonRoot: true + runAsUser: 4432310384984167581 + supplementalGroups: + - 7965846110903121951 + - -9174375158887062481 + sysctls: + - name: OkeQ + value: A + - name: 24y + value: fIPA + - name: "" + value: b3 +priorityClassName: gPB +readinessProbe: + exec: + command: + - NjJ7Lit5 + - 29odviV2mnb + failureThreshold: 1075627654 + grpc: + port: 364618769 + service: g1wc + httpGet: + host: 40i + path: OTDO + port: -2089902693 + scheme: $Gȇ表匾ʞG絁娚彰ŝê<ĭ + initialDelaySeconds: 333726894 + periodSeconds: 1376975278 + successThreshold: 112483424 + terminationGracePeriodSeconds: 1389336444380098948 + timeoutSeconds: 669945326 +replicaCount: 24 +resources: + limits: + 7VHN3: "0" +secret: + create: true + enterprise: + licenseSecretRef: + key: jPpQY + name: uRkzw + kafka: + awsMskIamSecretKey: B + protobufGitBasicAuthPassword: EfQbyB + saslPassword: w + schemaRegistryPassword: qiltVq + schemaRegistryTlsCa: kyT4j + schemaRegistryTlsCert: Tu4varJ + schemaRegistryTlsKey: bmT + tlsCa: UyskLmDZ + tlsCert: "" + tlsPassphrase: IdsCzt + login: + github: + clientSecret: hPt + personalAccessToken: vRbRqD0 + google: + clientSecret: "" + groupsServiceAccount: lcc9 + jwtSecret: tf0x + oidc: + clientSecret: A9RDbO6GzTtHYG + okta: + clientSecret: HktzleLAg + directoryApiToken: qX + redpanda: + adminApi: + password: 5imX8ztdqjU + tlsCa: opQQ + tlsCert: PGcfJC3zH + tlsKey: IhqyTvQn4T +securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - '*·戌ɳKõʚK(懷ë蟅ȣg' + - vOpɔm&ɞ法槪ųf + drop: + - l¤0ɖK樌ŕDĪ箰ɬȓũ梫h揼 + - 躟OBZş互鹫Íʨƶ`ã + privileged: false + procMount: 9®俠ɳ屑ŏO'pe,Q+膿麣 + readOnlyRootFilesystem: false + runAsGroup: -289823929905824069 + runAsNonRoot: true + runAsUser: -4392330066259666500 +service: + nodePort: 249 + port: 113 + targetPort: 414 + type: XHYb2qmrk +serviceAccount: + automountServiceAccountToken: true + create: false + name: Jg +strategy: + rollingUpdate: {} + type: LJėwǮ甧 +tests: + enabled: false +-- case-037 -- +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: IPWU1 + operator: 魡燸"趵p砮ƘċÈ3ljDŽ + values: + - i + matchFields: + - key: "" + operator: 廋46齄aā[傡ŤXjğ@ɫ聱昣ȞA + values: + - hrjhAJC + - RGJEJ + - key: 9XRD + operator: 鏖Ų姓萲1蜓舆 + - key: nmlhnezDL + operator: =WF»圻礼鍕4u-瘸]NJ + values: + - MlE9xcsLb + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: vxH0 + operator: kűŐ鄴 + matchLabels: + YR: ZYyx + matchLabelKeys: + - lrfi + - 9s + - "2" + mismatchLabelKeys: + - "" + - vc + - rz4SvG + namespaceSelector: + matchExpressions: + - key: ybBiR8Fm + operator: UlƜ寻眅崈O+聁ȴ + values: + - xxao + - key: UpNi + operator: v韠Ʀ.Ɓ氩諑ʊ0ɔ凹 + values: + - ECPGYavF2 + matchLabels: + 7qRB: 56MM + tcHg1: kpR + topologyKey: "7" + weight: 212582037 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + 6PJt: OILe3j + mismatchLabelKeys: + - PB + namespaceSelector: + matchExpressions: + - key: "1" + operator: ǯVɳCĬ鷹儉ïXǐʐ楏ċŇǽ + - key: aFA + operator: ƣ諔&ȵ%ǼQ傠ûQ& + values: + - tdkCJmsLj + - 2WF + - nlO + matchLabels: + "": JgBcTwL + gUx2lrPlU: 2MEiay0i + namespaces: + - iUHz + - F + - C + topologyKey: 0DqLIsLvEJ + - labelSelector: + matchLabels: + D65k: m + v: Wf73pl + namespaceSelector: + matchExpressions: + - key: Mql8T + operator: Ȳ + values: + - kiCXA + matchLabels: + QJPP2Wmbc: MGiu + tm: POZGk072F + v: OdyUJaKz8sW + topologyKey: CaAJ + - labelSelector: + matchExpressions: + - key: kJFGWDPIX + operator: '`園bsN唲幈ùÄ!鑢' + values: + - x + - key: PQktimeqK + operator: Í Ho亜q毂EɌ39蓷 + values: + - rYZ + - key: L6Wp + operator: '&去鉼晆Äě菉' + values: + - BPX5 + - 7Ows + matchLabelKeys: + - PhOMWnct + - 4Iar + mismatchLabelKeys: + - SfvAwYYqtwPc + - w9 + namespaceSelector: + matchExpressions: + - key: VmRQ2 + operator: 錛ȋʤ`搲ZL婨ƅ\鴃m闬ǿ戺ƨĤs@ + values: + - Ah8tj + matchLabels: + JBFf5vLf4: q2X6daLRz + VuZT: gmluiWbT + p64cMTP: B9 + namespaces: + - Ri6BSDl1 + topologyKey: nACF7H8 + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: ZZaxS + operator: 黦ƒ©瀂 + values: + - "" + - 20OCN + - IZ86eI1 + - key: RXLfn + operator: .惊ŝ4ni`ræseȕƌ筬NJ@pŻ + values: + - Fuy + - 6ZIkwShr + matchLabels: + RJHcF0aLL9: avVll8hJB + Spsji: hW + mismatchLabelKeys: + - RDiUdFmoEZ + namespaceSelector: + matchExpressions: + - key: RmcZbbc + operator: uŒ¶鱸K + values: + - 90lQUM5B + - J07lI + matchLabels: + 6hQX9h: Sr5NoqB + L0vc: i + iJ6hIS: yLkpjBIU + namespaces: + - i1uGAcY9Xxf + - DO5c + topologyKey: uVcRZ + weight: 608820709 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: Mgdm + operator: 惋¯ʢÝǒ=h佅茆接 + - key: "n" + operator: 系¦澜C2騗ā穩 + values: + - yelaWfaB + - Cq + - Va + - key: Ymvr + operator: 7 ^»ðq> + values: + - GES + - gPThP + matchLabels: + zj9Ud7LvFtg: trcgDo5 + matchLabelKeys: + - X + mismatchLabelKeys: + - peo1 + - zVPvCpJUM + - "" + namespaceSelector: + matchLabels: + "1": qRCy + namespaces: + - Eczjbhs + - F8 + topologyKey: Az + weight: -470853400 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: {} + matchLabelKeys: + - VWM7 + namespaceSelector: + matchLabels: + Q4BC: BojBLo + Vz06Yne: "" + namespaces: + - yEEmKNg + - iGJzcn + - G1bhP4 + topologyKey: pcOSh + - labelSelector: + matchExpressions: + - key: lCW5OK2A6HKOaC7 + operator: 蚿~2婈 ʝ似矉k + values: + - 5IOGWj + - UwmQ + - Ser + matchLabels: + "4": PB0Pb9 + Ykh3k: oX8w + matchLabelKeys: + - SfZ9pUjA + mismatchLabelKeys: + - i16lOT + - 8iU + namespaceSelector: + matchExpressions: + - key: ZxE + operator: 恇3 + values: + - "" + - 43TqLr + - key: ikCzWLGa + operator: E + values: + - W1 + - ZqA + matchLabels: + "": YJaQ + 7h: dybADQ + topologyKey: "" + - labelSelector: + matchExpressions: + - key: 0bZO + operator: '[ ' + values: + - DPm + matchLabelKeys: + - "" + namespaceSelector: + matchExpressions: + - key: b8XGJRAsiP7 + operator: ']眆寜眴z' + values: + - MsgI + - dhrJF0b + - key: SMx + operator: JɦĈ + values: + - o + - yknE + - key: rfxn3qvEK + operator: 綐岮~2熗昕Ñ占Wm员Ƴ橝灃Ɗ + values: + - "" + - K + matchLabels: + 2Jd: g3du2W + ZHju0: u7DvsT5e + zUssA7: ZKAL + namespaces: + - Qpqer2VPQ6oA + - zR0okqL + - nuH + topologyKey: i +annotations: + 1B8qie: FSPYCLoT + I: hpwL4TH + Z: 0LFy +automountServiceAccountToken: false +autoscaling: + enabled: false + maxReplicas: 370 + minReplicas: 221 + targetCPUUtilizationPercentage: 463 + targetMemoryUtilizationPercentage: 49 +commonLabels: + BJ: Gq0Rw + FPcPYvmbB7dAZe: Cy7WaeI + uEVMkDkYRvnn: zvptNai +configmap: + create: true +console: + roleBindings: + - 2m: null + VNrY1fwY: null + eaGm2c: null + - Ng0sM: null + Txhv6: null + e2uo: null + roles: + - Dd: null + H0QLXtA: null +deployment: + create: false +enterprise: + licenseSecretRef: + key: HqS5hb + name: 3sA8DqHdr +extraContainers: +- args: + - UaqwQ7 + image: 9gJVF + imagePullPolicy: 5傅c諹ɕ ƅƬDr1鰹瀣n怌ʡ + lifecycle: + postStart: + exec: + command: + - EJfXoz + - pxAl7T7 + httpGet: + host: 4dtyQHxp + path: 9i + port: BmGAi + scheme: ¼ů + sleep: + seconds: 2333336810403167963 + preStop: + exec: + command: + - EF + httpGet: + host: gc + path: 5IcdjR2 + port: Ln1 + scheme: Ȱʛ{`Ɓʛ劽Ŋ劧Yǥ + sleep: + seconds: -8338094784810815040 + livenessProbe: + exec: {} + failureThreshold: -1009316117 + grpc: + port: 434468004 + service: hOHaw7yL5 + httpGet: + host: r0OfO9Tjf + path: rvqaH + port: 1861701721 + scheme: 蓫AȚ%Țx痷 + initialDelaySeconds: -1210592458 + periodSeconds: -1685889023 + successThreshold: -1513585658 + terminationGracePeriodSeconds: -2039599439532369874 + timeoutSeconds: 615837494 + name: 0z + ports: + - containerPort: 920384597 + hostIP: amIbTg + hostPort: -1446796645 + name: H + protocol: tsė歟ū$B,qʐ医枝 + - containerPort: 533680030 + hostIP: AQrcm57h + hostPort: 436553418 + name: zI + protocol: mĖ}ʘá~滬 + - containerPort: -88474612 + hostIP: 5Q7z7DzPSmu1KQ + hostPort: -894572877 + name: Ie31rl + protocol: Z尤汸 + readinessProbe: + exec: + command: + - Ig53IR5s + - X + - MD + failureThreshold: -697650972 + grpc: + port: -1408023460 + service: q3NQW + httpGet: + host: NClmq + path: "y" + port: 4KJj4nVotN + scheme: ®顫jV/懔e + initialDelaySeconds: 1925202911 + periodSeconds: 1008375062 + successThreshold: -1515262628 + terminationGracePeriodSeconds: -9135279372752511888 + timeoutSeconds: -757546061 + resizePolicy: + - resourceName: BhTx + restartPolicy: O憢%ȔnjŸƓx汮$ + resources: + limits: + 0R8h7mczbiK0u: "0" + ngcoDm: "0" + requests: + FvPC8: "0" + restartPolicy: 竴xJ飊µ + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - eF + drop: + - '#泪<1饤ǯȲ78狎外龬郄晛頯6汐嫏' + privileged: true + procMount: bűƍȓ2C޵舕秗騛^ĪĪ溫Nȇ + readOnlyRootFilesystem: true + runAsGroup: -3343110605261139689 + runAsNonRoot: true + runAsUser: 7479178344552716344 + startupProbe: + exec: + command: + - 4mbBa0iSAgQ + - 9Vb + - B5u + failureThreshold: 753806032 + grpc: + port: 1382157718 + service: Sbk + httpGet: + host: bVoIiYzvoi0B2 + path: H7pGt3 + port: TTVi + scheme: 厪$dıQǵ_ƀÁ釔ɵ徣 + initialDelaySeconds: 849023271 + periodSeconds: -1908074475 + successThreshold: 328769480 + terminationGracePeriodSeconds: 5149904224053969297 + timeoutSeconds: 1277324377 + terminationMessagePath: 00uJXyD + terminationMessagePolicy: 禣儛x~靰ɿ`šŀǼŋP^n + tty: true + volumeDevices: + - devicePath: TMbZU + name: hFJz + - devicePath: yr + name: O0NQRcuq + - devicePath: UHqeq + name: Ydaqo + workingDir: TzR +- args: + - 1EEFNaNA + - U2l + command: + - CsMZk + - 4HgTHX + - Sqt9at + envFrom: + - configMapRef: + name: RRMDeJ + optional: false + secretRef: + name: lcA + optional: false + image: GQ69 + imagePullPolicy: Ɉǥ + lifecycle: + postStart: + exec: + command: + - 3YpG + - vZTzHN + httpGet: + host: cPtKCkyO + path: "4" + port: -1049236742 + scheme: 硺=ɸǖɵ恆Žd0 + sleep: + seconds: -7566729856608460688 + preStop: + exec: + command: + - y2fpvM + - VG + - hhX3m + httpGet: + host: o + path: "7" + port: nl5CZNKB + scheme: Ȉ + sleep: + seconds: -9000479934802388409 + livenessProbe: + exec: {} + failureThreshold: 115197733 + grpc: + port: 418872789 + service: mK04M1 + httpGet: + host: tYy4jqPpZ + path: om7u1 + port: 6vYh + scheme: 鬧ĕ,b嫲ʞÈȅɼ瑀\-ŤÔĞ{ + initialDelaySeconds: -1996330627 + periodSeconds: -2123682197 + successThreshold: -274102072 + terminationGracePeriodSeconds: -4086669261853017280 + timeoutSeconds: 1671175282 + name: MN + ports: + - containerPort: -581773322 + hostIP: w + hostPort: -1918799357 + name: NUQc5 + protocol: lɡFàW6ǼC7騰僮氁繸{Ȏ + readinessProbe: + exec: + command: + - IYC3M + failureThreshold: 178025639 + grpc: + port: -205038391 + service: EGqI + httpGet: + host: oGjb56 + path: mnq + port: pb9x + initialDelaySeconds: -1053907742 + periodSeconds: -777502604 + successThreshold: -350871959 + terminationGracePeriodSeconds: -6813701492426236069 + timeoutSeconds: -1712603807 + resources: + limits: + TwWe: "0" + requests: + 4FGQT: "0" + 57DEge: "0" + zBEzXaq: "0" + restartPolicy: 焂ś(Z緌挄ǥȪȑq*刾 + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - Ư#æ9NF犔帙錈 + - N範3>ȖlǖɥöS竾ƾÔŸ烠dk弸 + privileged: false + procMount: ı.ĔtQ+p銍/盂pJr替àŽ + readOnlyRootFilesystem: true + runAsGroup: -9023516459602390407 + runAsNonRoot: false + runAsUser: 2513546243926544067 + startupProbe: + exec: + command: + - C + - 9o + failureThreshold: -1595663358 + grpc: + port: 879782754 + service: E3 + httpGet: + host: j + path: ZwGu + port: -1183682475 + scheme: ȉʬ|Ȗ-胨\GǴ酥âïŀ + initialDelaySeconds: -320635887 + periodSeconds: -1762048755 + successThreshold: -1206942688 + terminationGracePeriodSeconds: 2874889772540953352 + timeoutSeconds: 201190682 + terminationMessagePath: D5nhSA2KK + terminationMessagePolicy: '|Áʊv~' + tty: true + volumeDevices: + - devicePath: fl + name: "" + - devicePath: Pivii + name: SAJBTs + volumeMounts: + - mountPath: os + mountPropagation: 霤ņd碤 + name: Wma3F + readOnly: true + subPath: J + subPathExpr: rp + - mountPath: 7p + mountPropagation: ʜ塖ɥw阒ɠ·閐駔址遥铣C龂ȵ槂瑷 + name: EKv9jGIV + readOnly: true + subPath: YjGj1 + subPathExpr: goeN5mMZVyE + workingDir: 9pZ +- env: + - name: jUF3n5Y + value: 5Oas + valueFrom: + configMapKeyRef: + key: NjvBzcrV9 + name: kjnqdL + optional: true + fieldRef: + apiVersion: EKxzT + fieldPath: keiWEt + resourceFieldRef: + containerName: 6ei + divisor: "0" + resource: 5SYJ0LG + secretKeyRef: + key: khTsQnn + name: R22Yc + optional: true + - name: Eqsqk + value: ZbUl8L + valueFrom: + configMapKeyRef: + key: LBJ9Co8gX + name: 5F + optional: false + fieldRef: + apiVersion: BBXJwlU6ov + fieldPath: tR7Z2 + resourceFieldRef: + divisor: "0" + resource: Kw7UxsTdNB + secretKeyRef: + key: x1Ijg6T + name: qqT6Y + optional: true + - name: 7zUt + value: 92wkXugDh + valueFrom: + configMapKeyRef: + key: JfY0lIp0Jdtpv + name: nYzr + optional: false + fieldRef: + apiVersion: IDhOF + fieldPath: aTWd + resourceFieldRef: + containerName: m4s0LUsO + divisor: "0" + resource: jJSLfi + secretKeyRef: + key: KzYvK2KKl0 + name: sR + optional: true + envFrom: + - configMapRef: + name: LuhmK + optional: true + prefix: z3 + secretRef: + name: bhwKfwEMY + optional: true + - configMapRef: + name: ZLn6PrNZ + optional: true + prefix: CZK + secretRef: + name: ln + optional: false + image: 40twCh1 + lifecycle: + postStart: + exec: + command: + - "" + - 4qZLs + - OKN + httpGet: + host: L1rE + path: zDyVFyy + port: kQZa + scheme: l + sleep: + seconds: -7109845505283004784 + preStop: + exec: + command: + - HBLUwI5qG + httpGet: + host: vM5bd + path: "y" + port: 1065237668 + scheme: 働ı愊GƜǻo4qtHŢ*獊K[w + sleep: + seconds: -1099871671561452384 + livenessProbe: + exec: + command: + - K1 + - O5Tdq + failureThreshold: 1326476911 + grpc: + port: 1266228568 + service: 0yovH + httpGet: + host: feV + path: HDTE + port: "1" + scheme: '!@ȄKh8淫~ǿ%硬睇鵤嵤' + initialDelaySeconds: 1175577649 + periodSeconds: 1877040036 + successThreshold: -1354358221 + terminationGracePeriodSeconds: -925123122471881643 + timeoutSeconds: 1464454545 + name: W8b6OOS + readinessProbe: + exec: + command: + - i + failureThreshold: 1781656452 + grpc: + port: -1606887908 + service: RrbvDP + httpGet: + host: mKx + path: HD + port: hiq5RvT05 + scheme: 鱑Ȍ¾ĵ覓{>鿼钇 + initialDelaySeconds: -1803086365 + periodSeconds: 450703172 + successThreshold: -1624696013 + terminationGracePeriodSeconds: -5286538260023923986 + timeoutSeconds: -528162423 + resizePolicy: + - resourceName: um0g1naPII7 + restartPolicy: ¹俞Wƌ甝 + resources: + limits: + EDhQ2V: "0" + OQ: "0" + WtnTV: "0" + requests: + jQaF: "0" + restartPolicy: '{鉪蟏E喧t庛Þa¦ʕ' + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - Ň鰍坸Ñ霰ʁ攽$Ơ + - 蟒磁砈Z芥EDZ + drop: + - ċ6洌扼雚nj墣l睧奟*躾ƛƌ秡t + privileged: true + procMount: 蜵5>MU + readOnlyRootFilesystem: true + runAsGroup: -7704085956113873818 + runAsNonRoot: false + runAsUser: 5730999299228810722 + startupProbe: + exec: + command: + - ImPt + - cIB + - e58MzW + failureThreshold: 310737712 + grpc: + port: 1849024783 + service: B1W + httpGet: + host: 1nU5qLkMA + path: Oo7nHt + port: hxGSeC + scheme: ƇĒɔmĦɦ齋貢 + initialDelaySeconds: -1797908483 + periodSeconds: -761708273 + successThreshold: -1316915468 + terminationGracePeriodSeconds: 8128903938581944374 + timeoutSeconds: -1573011089 + terminationMessagePath: FYPtlxf + terminationMessagePolicy: Pʏɉ{ů囏Ì4鰸曘Ʃ氕峵 + tty: true + volumeDevices: + - devicePath: "93" + name: t3A + workingDir: w +extraEnv: +- name: fXB4uyH + value: GPmKm1YgQuvB8 + valueFrom: + configMapKeyRef: + key: BYyG6 + name: Kr8iKZ + optional: true + fieldRef: + apiVersion: sSt + fieldPath: 7r3LBO + resourceFieldRef: + containerName: B8G + divisor: "0" + resource: 3cRQ + secretKeyRef: + key: nQtb + name: B8Snqwl0U0 + optional: true +extraEnvFrom: +- configMapRef: + name: C1P + optional: true + prefix: KcZH45pd2 + secretRef: + name: N7Yt + optional: true +extraVolumeMounts: +- mountPath: twfjF9 + mountPropagation: ȶ唗蠤S柋ɖȈƻ + name: MMcC8 + subPath: UwT0sYVo + subPathExpr: 9ugOBQ +- mountPath: 6cj + mountPropagation: "" + name: 3iQ + subPath: SaQ + subPathExpr: QQI +extraVolumes: +- name: xbuLqNQHFY +fullnameOverride: ADIhC +image: + pullPolicy: '|í' + registry: CIzpk + repository: O + tag: F +imagePullSecrets: +- name: Yi +- name: 6XnEhUN +- name: oeoW +ingress: + annotations: + "8": SeJ + className: PHr + enabled: true + hosts: + - host: PXAcFs520n + paths: + - path: 1uGP0 + pathType: dWpX + - path: hAH + pathType: LjzFf + - path: 7Qy + pathType: vjB + - host: z9QAJ5 + - host: "" + paths: + - path: Hc0IpaX + pathType: bc0T + - path: dzn1ldJ5h + pathType: M +initContainers: + extraInitContainers: 7DdMwNg +livenessProbe: + exec: + command: + - XRPuLpEO + - nplEP2IP3 + - 9jrKdj2 + failureThreshold: 1516033986 + grpc: + port: -531236004 + service: 11bsOMf + httpGet: + host: 9PMyxMco + path: RI3zx + port: -2029405965 + scheme: G隠Ī:ŁuƠ禲oŇO鿈Ⱥȡ + initialDelaySeconds: 1774510914 + periodSeconds: 1308551645 + successThreshold: 752675362 + terminationGracePeriodSeconds: 8661862683503969755 + timeoutSeconds: 437106483 +nameOverride: u2r6 +nodeSelector: + CrYMUu1pg: "" + ftZ: dKqEwc + pNPla: Cc +podAnnotations: + dApB5noz: fJm84 +podLabels: + 9c2: 3fwyB6m1 + MyocWENxGGa: TrRadg +podSecurityContext: + fsGroup: 5618615494228351604 + fsGroupChangePolicy: ʩrXù济延唇ė袡 ʊ + runAsGroup: -3861060047548570674 + runAsNonRoot: false + runAsUser: 3602747950735365650 + supplementalGroups: + - -5665823160677538937 + - 2942720231280319982 + - -7811581565559124250 + sysctls: + - name: X + value: sWo + - name: MI521Dolo + value: ETgcRWsr + - name: 4gVCXpSch + value: csKV +priorityClassName: U7wS +readinessProbe: + exec: + command: + - cYKp + - vP + failureThreshold: 670800660 + grpc: + port: 1721771977 + service: y69H + httpGet: + host: mtLvsm + path: hd4c + port: 326683785 + scheme: X½鼅餕嚶渭闬脮ƧŗŠ#7êk.] + initialDelaySeconds: 713201976 + periodSeconds: 1611391820 + successThreshold: 604905966 + terminationGracePeriodSeconds: 8452879830155323173 + timeoutSeconds: 981065048 +replicaCount: 471 +resources: + limits: + avG: "0" + q: "0" + w8p: "0" + requests: + AZ: "0" + fGW: "0" + vom84xUd0: "0" +secret: + create: false + enterprise: + licenseSecretRef: + key: 41x + name: HHI4WeIS + kafka: + awsMskIamSecretKey: vvbXmwn + protobufGitBasicAuthPassword: uJNU2 + saslPassword: 1wgp7riu8 + schemaRegistryPassword: nKfA7t + schemaRegistryTlsCa: dsi + schemaRegistryTlsCert: 85xiT + schemaRegistryTlsKey: "1e0" + tlsCa: hEe0gyNOx + tlsCert: "" + tlsPassphrase: Jktiu0 + login: + github: + clientSecret: BDnf + personalAccessToken: MrWfu + google: + clientSecret: tkAac + groupsServiceAccount: w6hg3 + jwtSecret: zpS + oidc: + clientSecret: d + okta: + clientSecret: "" + directoryApiToken: a + redpanda: + adminApi: + password: raQeh15W + tlsCa: Ax453qH + tlsCert: 5cvfDAz7XB + tlsKey: ve +securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - Ȏ煣+ȗ爸詤rȱoCö:踕v;D'茈% + - 斉 + - 劝 + drop: + - 6儌 + privileged: false + procMount: G + readOnlyRootFilesystem: true + runAsGroup: 6433461052261949548 + runAsNonRoot: false + runAsUser: -8726272423258831483 +service: + nodePort: 150 + port: 226 + targetPort: 87 + type: At +serviceAccount: + automountServiceAccountToken: true + create: true + name: ItYso +strategy: + rollingUpdate: {} + type: 匏ǛǢ²Ƴ屣EǙ9Gʡy +tests: + enabled: true +topologySpreadConstraints: +- labelSelector: {} + matchLabelKeys: + - ImKkR6l + - oUu1w + maxSkew: 373901521 + minDomains: -938191316 + nodeAffinityPolicy: "" + nodeTaintsPolicy: 梄焑ȅƗH + topologyKey: Mh1K + whenUnsatisfiable: CǑ庬Kf鄊珪t忒訾Ɗ壚pv餲(ɯŕT铈藘SȂ臏閏@ȗ云Ȧ + weight: -1530606902 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: [] + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: R8 + operator: 茔íȟÁ嗮敚S顕DZ躨ijȱ厎ɬɏl蜶拼 + values: + - PRc + - svCs + - key: LBaaOWdWW + operator: 0ŧĸ荕fR焌禗#ȰȶŁA + values: + - G0FXBn + - IpnG + - NM8oL + matchLabels: + lrB: NtdoEuXoTr2r + y1BSzp: ivK7CU + matchLabelKeys: + - 6ZNJrk5JxOHW + - B9Q + mismatchLabelKeys: + - "48" + - nm1WD5nM + - vLqhDh + namespaceSelector: + matchExpressions: + - key: GF6EQ8mKus + operator: B"(ň枣<吰檰戱R&狅Ɍ鋋Ļ飮 + values: + - f0plBpNy + - Gzl + - key: x4 + operator: Dz謶ʮ_ūKNdv· 壼×z朤 + values: + - zo + namespaces: + - QMv + topologyKey: r1z + weight: 1950038583 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: x3pdwI + operator: ǿLȴ8涣ÎƶǛ醌Õ纺網(đ倠樓纗Ǯg + values: + - xJlJ3H5 + - iza5 + - 4rszgB8v9aH + - key: 9j5f + operator: ǘ賊ƾA迌磡m摾烊 + values: + - EMECS8f + - oveu + - He + matchLabelKeys: + - 33y4E5v + - 5XIM + - "" + mismatchLabelKeys: + - 37I + - a02Re + - GVqKNcGgl + namespaceSelector: + matchExpressions: + - key: Rtiwm + operator: 萱J矻軚fC + matchLabels: + 8ipw: G + JwDA: 8EVkJ + oiQ2p: mYGgaz + topologyKey: 5l6PI + weight: -1824427504 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: "" + operator: 晑2%·QHVJTM錈 + values: + - CTU + - X5a + matchLabels: + WdJU6: I + bN: "" + uoTcuu: w1Y3yLW2rz + matchLabelKeys: + - O80Pf1RfMp + - WRJOT6B + mismatchLabelKeys: + - "" + - "6" + - nwQikpclV + namespaceSelector: + matchExpressions: + - key: CNaHfk + operator: 蕵Qmƀʁ6鲿)żȯ+ɩ玙9 + values: + - OuxZv + - key: dS + operator: 炧踮P-.壨ġ + values: + - 6ZJp7y + - key: jiLGGAQ + operator: 蟾Ɵ餌|ƨ綁訲bǝɋ圼 + values: + - mQ + - Fk3eA81t + - YR3WT + topologyKey: "5" + weight: 1634860618 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: "" + operator: (冁粄Ƴ\Ē4ǀ9峖樾t燠熂鷸ȿź蛼* + values: + - fnrA + - g + - gptz8 + - key: 4Hue + operator: oğ魀Ʌ¦榴 + values: + - InPtpb + - rxTpo + - HXnghAhWU1 + - key: EE2p + operator: á儬倏qȼ療ƚ + matchLabels: + YvCi: 1Tg + oLQ9OhyY: pFYpYKV + matchLabelKeys: + - J7 + - VR5 + namespaceSelector: + matchExpressions: + - key: cwgATYQvdj + operator: ÷Zá磋舫棹瑗-神ĕ嘟泦猵 + matchLabels: + Inz: BpiLQXOvEh + topologyKey: 5sHov5x + - labelSelector: + matchExpressions: + - key: vLI2 + operator: 歑ūĿɒ + values: + - FiQIMCFX2 + - vqhAaV5N7 + matchLabels: + 6DNwSiVsen: 1fRK + V: 3L49A8YEn + matchLabelKeys: + - K0sPcZWy + - fqn0luLnrF + - "" + namespaceSelector: + matchLabels: + O9bMG: CvBa11UI9OL + cm56v: Z83nkLc + gLJIEvg5: tUJq + namespaces: + - yP + topologyKey: 3RN + - labelSelector: {} + matchLabelKeys: + - vMX6FV1t + - vP + - TU8VLc + mismatchLabelKeys: + - ZAaEBYk + - Y0F4V0C + namespaceSelector: {} + namespaces: + - LwoHgQ + - qAJ + topologyKey: "0" + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: afwQ + operator: X(^Ȓ蘘}例 + values: + - 2ak8Yfa6P + - key: T4 + operator: ȵë_-Òŝ/c諒M攕窸 + values: + - Vktm + - trH51Z3 + - key: in74thKl + operator: HþČ謼ijƉË + values: + - NK2D3 + - NUsncshnv + - YDiqn6 + matchLabels: + T1: "" + nQFxJe: tdqf + matchLabelKeys: + - KI + - 6LjhIKmlnlhpI + - 88DArl53wb + mismatchLabelKeys: + - Bn30p + - zjq + namespaceSelector: {} + topologyKey: LrLYm2oYCgO + weight: -1318876164 + - podAffinityTerm: + labelSelector: + matchLabels: + T837hItO1qv: mCNMYnPq + gDh4Dxx2O: JUZxy4z + matchLabelKeys: + - sTn + - 4nu + - CSgSC + namespaceSelector: + matchExpressions: + - key: A5z + operator: "" + values: + - PJ6Zh + - S + - key: VufLBVvFECvIW + operator: ʝcƘʣ]筍ġ0Ğ鎏£<艻錯瀢 + values: + - tz64EN + - i + - key: 8Q2s + operator: E1戠天:ɺ勎sȸɾ + matchLabels: + XTI: 7cIZ + jpH49wkR: D5u5c + namespaces: + - XyGPkW + - CERSWYSVu + - Ms80R + topologyKey: 57PFRYX + weight: -1558645933 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: ZGO5iRhr + operator: 堭ŷz + values: + - IfLuRt6FZf7 + - 03fn3j1 + - key: HL + operator: M螎õ}shƏ檅葜0<瘼Ɗț夡J偦ʆ + values: + - "96" + - 4uInca + - KsWaAE + - key: nKr + operator: ʋƲ~uè蟪ʗƁʬȌ势ȃVÄ穵Ą + matchLabels: + DVRktk1U: 1XFlhcXH + matchLabelKeys: + - kJMI + - Js8qeQ + mismatchLabelKeys: + - lnn1G + - A4nlWqCrE3 + - BzU + namespaceSelector: + matchExpressions: + - key: "" + operator: ɍįmŐ冹?E蹣ƋH肥=ɭuR訷$ + values: + - faDMJv + - b0VUPX + - lOsWCl + - key: 7iy + operator: 0:H碼\b黵禧鐃 + - key: nbn + operator: 疬厼掚Ƿ蛬ƞÜ9懎拖ų洜 + values: + - byjrbi + - RqfcIc + - dLaAUt + topologyKey: BUfQ +annotations: + He: OemFaO9 + QE5O: 6CBP +automountServiceAccountToken: false +autoscaling: + enabled: false + maxReplicas: 400 + minReplicas: 455 + targetCPUUtilizationPercentage: 64 + targetMemoryUtilizationPercentage: 472 +configmap: + create: true +console: + roleBindings: + - zn: null + - WCQKaiaj: null + py: null + roles: + - {} +deployment: + create: false +enterprise: + licenseSecretRef: + key: 4F + name: k +extraEnv: +- name: fqLRMsbtI + value: VzzHe + valueFrom: + configMapKeyRef: + key: "" + name: 1au8QkGsYcK + optional: true + fieldRef: + apiVersion: "38" + fieldPath: rM + resourceFieldRef: + containerName: Moz + divisor: "0" + resource: V + secretKeyRef: + key: IQ7AC3i60u + name: BCb + optional: false +extraEnvFrom: +- configMapRef: + name: twq36B + optional: false + secretRef: + name: OLKXh + optional: true +- configMapRef: + name: Pyr + optional: true + prefix: nyu + secretRef: + name: HDmfly7EP + optional: true +- configMapRef: + name: 2TmUL8GD + optional: false + prefix: R5 + secretRef: + name: TyS + optional: false +extraVolumeMounts: +- mountPath: 4zQSAo1Lj + mountPropagation: 檛ȂWg + name: eeS + subPath: iaw3G + subPathExpr: N02q4 +extraVolumes: +- name: "" +fullnameOverride: j1dUk8TGy8Np +image: + pullPolicy: 谝鞛榜ɸ暐ɸ刀x喋 + registry: zi + repository: MTSoVvJ + tag: a25lJOfGpG +imagePullSecrets: +- name: OlRQO +- name: Hkuk3 +- name: fP +ingress: + annotations: + ADJxl: n5EK4WzM0 + M: Zoud6 + eWXUqq: "" + className: "27" + enabled: false + hosts: + - host: 6PclZ7Q + paths: + - path: RqbF29XX + pathType: WB + - path: npV1GL + pathType: zxvm + tls: + - secretName: Q + - hosts: + - EvjYI + secretName: gRDta + - hosts: + - zlgJP1 + - g367Bgr1 + secretName: eQ +initContainers: + extraInitContainers: d5lM +livenessProbe: + exec: + command: + - S + - eqi + failureThreshold: -574948042 + grpc: + port: -653621031 + service: ir + httpGet: + host: qboin0qudh2Y + path: 4jFbHK + port: 9APWoaII + scheme: ćdž埭]KU + initialDelaySeconds: 1217073146 + periodSeconds: 2084735603 + successThreshold: -1091703574 + terminationGracePeriodSeconds: -4975007928507132892 + timeoutSeconds: -203727359 +nameOverride: ld +podAnnotations: + Scdn: fLH1yCm + lCp: Hi +podLabels: + 6AmpBMD: yDh + lPb: vi6tx4 + u: Vai7 +podSecurityContext: + fsGroup: -4268923634359973318 + fsGroupChangePolicy: 椶'ɏ4Ŝʘþf¸ǚļţRď0 + runAsGroup: -5513988494785819878 + runAsNonRoot: true + runAsUser: 3348050323720255791 + supplementalGroups: + - -9211346208910065015 +priorityClassName: 89gnK9rXyDXui +readinessProbe: + exec: + command: + - WCCn1 + failureThreshold: 1866953941 + grpc: + port: -978078521 + service: Gk8q + httpGet: + host: 4aDbYIp + path: sFssnZ8D + port: b9TEE2n + scheme: n8鞘呷2ef嫰髡箩棔螇džNj雤 + initialDelaySeconds: -1624688782 + periodSeconds: -231284043 + successThreshold: 1609785496 + terminationGracePeriodSeconds: -564252460349465292 + timeoutSeconds: 767134266 +replicaCount: 444 +resources: + limits: + wjrESvfqh: "0" + requests: + fSPJBFEwK58: "0" + j: "0" +secret: + create: false + enterprise: + licenseSecretRef: + key: iKQ6Nz + name: OD68lA + kafka: + awsMskIamSecretKey: "" + protobufGitBasicAuthPassword: GKaL + saslPassword: J6S + schemaRegistryPassword: 8PuilRN + schemaRegistryTlsCa: "" + schemaRegistryTlsCert: "" + schemaRegistryTlsKey: LsoxQcg + tlsCa: rGkjDT + tlsCert: gzs + tlsPassphrase: "70" + login: + github: + clientSecret: BGgKCBXeA + personalAccessToken: S + google: + clientSecret: KQXew + groupsServiceAccount: Ll + jwtSecret: 95jKDcdtX + oidc: + clientSecret: "" + okta: + clientSecret: b + directoryApiToken: "" + redpanda: + adminApi: + password: y2jU08n6KI + tlsCa: 6YyBT + tlsCert: ZkxE + tlsKey: MpUTYb4y +securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - Ƹłš硇¹,9菧ȉŪ転Ǹï7ĭɜ + privileged: false + procMount: 榷ŋĦƨÈ俟ţUȫ桊fLŊƐbƼɤ襐 + readOnlyRootFilesystem: true + runAsGroup: 2134851813508950156 + runAsNonRoot: false + runAsUser: 1677623433130194771 +service: + nodePort: 470 + port: 46 + targetPort: 43 + type: uqFB +serviceAccount: + automountServiceAccountToken: true + create: true + name: fP77cJ3T +strategy: + rollingUpdate: {} + type: '>Ƒ梚ǩ' +tests: + enabled: true +topologySpreadConstraints: +- labelSelector: + matchLabels: + IoAy: C6rMwI0 + eM8D7JD5PJ: "n" + lFmG: gJ3l + maxSkew: 839777044 + minDomains: -1438737093 + nodeAffinityPolicy: Ƭ氄ɿ[閾pʙ9 + nodeTaintsPolicy: j珙%!溌BN + topologyKey: 2GZ + whenUnsatisfiable: 屄ɧȄ +- labelSelector: + matchExpressions: + - key: UQkB4Vn + operator: D86i溨F'>亖÷ + values: + - pH + - LHgYM1W9 + - gO + matchLabels: + bw52WaG7: 5zm31oU + t99k: AF0 + matchLabelKeys: + - lkYaHo + - 4tzd + maxSkew: -1948819142 + minDomains: -1754532325 + nodeAffinityPolicy: 酝ʪ+彨緱Y塞雾}捋嗭0]ȰʤĖé横 + nodeTaintsPolicy: '#騅Ɵ$F圃拱鿎鵅xq' + topologyKey: z2NL + whenUnsatisfiable: uȤÝ酑 +-- case-039 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: OiH + operator: Eʤ#/7諨 + values: + - iYzfGpa4 + - PaMqxj5fj8 + - sWaI + - key: Pw + operator: Kw[o0鿚 + values: + - Gnm + matchFields: + - key: YO9QL + operator: ȏ网牙鍩橷潗D9騭ŗʈ求U縷讒Ƴ漏哟 + values: + - XV65fSG5o + weight: 144962453 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: [] + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: p2uqgWn7p + operator: ǙmX窀ʄʙ婘m.Ƈ谱qŴĆ揿 + values: + - IQGwhE + - Hiut + - key: mrN9GbREak + operator: oʟ + values: + - GZkF1BV + matchLabels: + 8bOT0: pvv + VYd3OWm: 0gW5 + matchLabelKeys: + - thrYIp + namespaceSelector: + matchExpressions: + - key: sonam3I + operator: "" + values: + - a9M + - bM + - key: ZFAy + operator: yW揚ɻʖî床哲ɯǮ^DzǓ + - key: ZwHE + operator: sǍ逘璿Ǧ5u軟DZ鞏綇鏑Ɲ` + values: + - 1D6 + matchLabels: + MoK3: j4Rw + namespaces: + - yS + - F2VMFv + topologyKey: wNv3 + weight: -1334539094 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: Hp + operator: QɃ蒜§Ɩ5SyǸ鎧ȝ)ɒ獬v氮n兡Ĝ + values: + - "" + - y3ufRu75J + matchLabels: + Sbhb4LC: p + U1NMpjoLa: BC1D + eIgw: tBbWDRZ7j + mismatchLabelKeys: + - iWKlUgr + namespaceSelector: + matchExpressions: + - key: 9HkK + operator: ȃĕ送 + - key: P9rh1yxLN + operator: ŋľ&謮稠Ÿ珀胔俨ʎŰ + values: + - 16yHoCooS + - r3ym6YAoy + matchLabels: + PrnS8: K2h + namespaces: + - s + - US2hE + topologyKey: 5SbLzS + weight: 1219402233 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: 082AGo10x + operator: pȁij~搣ɢDĝ偩ʣȘ'oIʓ?憏圽U + - key: CXjEgRK + operator: 颭镃Ș蠮S闬耧涐²ǒ圡窽ǹ(ǁ + values: + - zIVWI7jXh + - HE8UDiZnhVG + - "" + matchLabels: + FRgh: MUBtKVc + iu: K3 + jV: 5jM + mismatchLabelKeys: + - h2 + namespaceSelector: + matchExpressions: + - key: "" + operator: mHɻȐĪ$ + values: + - GFueB + - 5prw02 + matchLabels: + KgBnfc: t9Hb4 + SxGw: 4qCJppj + h3m2: gRc + namespaces: + - 1maI + topologyKey: UCy + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: 08Q + operator: $鏪轟ſ俨+嬯呦ĄȕɓJp + matchLabels: + kSy3s8nE: Q0 + matchLabelKeys: + - bf0Tpn + - I + mismatchLabelKeys: + - 0Bm09lf + - P7 + - lyb2 + namespaceSelector: + matchExpressions: + - key: 6zTBp0G7 + operator: 氯¥+Dz睧勪娳Ƨ伮慒{ąɫ`瑛稃5绨 + values: + - 1YVGovQ + - bJ + - key: Cxm + operator: 芼 + topologyKey: f + - labelSelector: + matchExpressions: + - key: jNrAref + operator: 接ʼnĎ + values: + - N0 + - ZNwtHjxR + - key: 33k8BGf + operator: rĴr+qȩȃ休3Ȳȅ + values: + - "" + - E8yL4W + - 9anWnm + matchLabels: + WyV0Ct: 6BVL + vLUV: mvMLwn + matchLabelKeys: + - 9O + mismatchLabelKeys: + - CO + namespaceSelector: + matchExpressions: + - key: Jiyaq + operator: ɯ唺饓9 + values: + - qogYf + - key: UXg6 + operator: à! + values: + - phW2 + - BItew + - c09DZ9v + - key: hPhLpBwJ + operator: g«疻:糄Ś$q + namespaces: + - jAvA + - 0V6Uv6PU + - AOoh3 + topologyKey: d2QYa +annotations: + IJC774: 5hK + P1Py: YYAic7jN + REyW: 7LdLtJYMz +automountServiceAccountToken: false +autoscaling: + enabled: false + maxReplicas: 461 + minReplicas: 403 + targetCPUUtilizationPercentage: 297 + targetMemoryUtilizationPercentage: 161 +configmap: + create: true +console: + roleBindings: + - 6O4d: null + EY: null + oPTMvYGp: null +deployment: + create: false +enterprise: + licenseSecretRef: + key: KvJNskb5ptO + name: vVsE +extraContainers: +- args: + - fajfbgt + - 1XG4cARu + envFrom: + - configMapRef: + name: F5n + optional: false + prefix: Prg + secretRef: + name: vq2FHcobO + optional: false + - configMapRef: + name: Mfdidfx + optional: false + prefix: eggfGpU + secretRef: + name: gX5GT + optional: false + image: H + imagePullPolicy: 玣ɟ踣 + lifecycle: + postStart: + exec: + command: + - 5ABG2Ao + httpGet: + host: D4S2dPB + path: QCCIL6 + port: wu + scheme: eSÉĝ嶤ʮ牑 + sleep: + seconds: -6736232898620818377 + preStop: + exec: + command: + - "" + - 9oy + httpGet: + host: vIPKpEbM + path: l4HaTS9 + port: -180983347 + scheme: h儷#PX盩ʋÈ + sleep: + seconds: -3654571329064470871 + livenessProbe: + exec: + command: + - zGWiFCpvJyG + - 2A + failureThreshold: 130427535 + grpc: + port: -458689504 + service: keBJI3 + httpGet: + host: fkJ + path: MFy2 + port: 1638404838 + scheme: ƵĜRóM螻作仄ĨgŋƷ蔶慅Ƹ + initialDelaySeconds: -1024094942 + periodSeconds: -1045387639 + successThreshold: 966241980 + terminationGracePeriodSeconds: 43907789703605006 + timeoutSeconds: -2115548430 + name: n65z1Le + ports: + - containerPort: -496460005 + hostIP: m9e0LZZ + hostPort: 557092727 + name: hG + protocol: 奀x儋韖ȃ嶍射擋- + readinessProbe: + exec: {} + failureThreshold: 1620135876 + grpc: + port: -1149097195 + service: 7KtLa + httpGet: + host: Mel9pu + path: J + port: Bl + scheme: 臹欔 + initialDelaySeconds: -750113074 + periodSeconds: 820678693 + successThreshold: 1708685033 + terminationGracePeriodSeconds: 6351250062493105403 + timeoutSeconds: -89282235 + resizePolicy: + - resourceName: Cm2W + restartPolicy: o^Cǐɬ醒ÛQȌ帧圷孩Ą + - resourceName: jhEz4gNWQKP + restartPolicy: DV庴 + - resourceName: EgwUKXikbg + restartPolicy: 瑚 + resources: + limits: + 2jSTU8: "0" + 7OI: "0" + FIfseL: "0" + requests: + EPF86: "0" + GcwO1SNT: "0" + restartPolicy: '>Ǥ摔ȶ蘭ɘʜɩ' + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - J + - 8垺ŭihȸ£gJĠǐ!İ0 + - ƶ害Ƈ§孶邸 + drop: + - 龈PeęIJ傮ȅ溣E忬鮷蜆GÊ霌 + - þƢ^ + - RTmī07ý謐ɩ噎 + privileged: true + procMount: (朴頲碞!0¿搻ź)磑[哈YǓěNG$ + readOnlyRootFilesystem: false + runAsGroup: 3606686082741296584 + runAsNonRoot: true + runAsUser: -9076124251416402294 + startupProbe: + exec: {} + failureThreshold: -2038237600 + grpc: + port: -992723564 + service: bMQIm4Y6fY + httpGet: + host: w0Z6WQWwn + path: Kw + port: KdZFUIvpm + scheme: L媰 + initialDelaySeconds: 266050830 + periodSeconds: -879749840 + successThreshold: 1098563171 + terminationGracePeriodSeconds: -3577990655544091297 + timeoutSeconds: -838391922 + stdinOnce: true + terminationMessagePath: bh7 + terminationMessagePolicy: 餔Ŵ婜 + tty: true + volumeDevices: + - devicePath: 5EA9lR0y + name: wCP0dl2Uf + - devicePath: IKOQwmn + name: connmB4Ve + - devicePath: hssHEiwb + name: vP68uD + volumeMounts: + - mountPath: 9Yvkg + mountPropagation: Q众XM娪08菫 + name: XP + readOnly: true + subPath: Mk + subPathExpr: LV + - mountPath: 381fE + mountPropagation: ǚ钍jǍŏh濢n1ŕǼ姕ŗđċCʏ(漇 + name: 4prce + subPath: tvkrRPN + subPathExpr: Otc + workingDir: D4 +extraEnvFrom: +- configMapRef: + name: zdN8iNs1e + optional: true + prefix: z + secretRef: + name: tGw + optional: false +- configMapRef: + name: qRSvRtA6 + optional: false + prefix: dE0dDLvy + secretRef: + name: m + optional: false +extraVolumeMounts: +- mountPath: nTxUyaL + mountPropagation: "" + name: cwkJrEER + readOnly: true + subPath: FKU9h + subPathExpr: 12vLerk +- mountPath: DuUpWysEh2r + mountPropagation: IƏ + name: YlcuH + readOnly: true + subPath: 1faJ4ypp7 + subPathExpr: ZDct +extraVolumes: +- name: bdnliW +- name: Tr +- name: cd +fullnameOverride: bbshm +image: + pullPolicy: ɴ烚庻阐狘:ŭ(M$tY炜ī崞Ž + registry: QxUvz + repository: Gr + tag: hrAYj1i +imagePullSecrets: +- name: MTOK84IL +- name: YAl +ingress: + className: qyKUEOUT4u + enabled: true + tls: + - hosts: + - F7m23 + - "7" + secretName: M +initContainers: + extraInitContainers: aSeq42klM +livenessProbe: + exec: + command: + - ajpIBjdV + failureThreshold: -1650923727 + grpc: + port: -598400902 + service: NoUl1T + httpGet: + host: "1" + path: T + port: -1011339684 + initialDelaySeconds: -1047122153 + periodSeconds: 300714247 + successThreshold: 1660165948 + terminationGracePeriodSeconds: -6817463041894309382 + timeoutSeconds: 497385152 +nameOverride: o2F37Lr +nodeSelector: + Md8w5MD: cTipUm6 + Y31W: uQ5xyo +podAnnotations: + 5oGD5: wKq + Qi815eSQdI7wJ: SwgPh + vAJU: z +podSecurityContext: + fsGroup: -1210907643611065698 + fsGroupChangePolicy: IJ鄔ȫ荪癓椥%k矜椒ʊ0宻lƑɜIɇ + runAsGroup: -4059110951032458810 + runAsNonRoot: false + runAsUser: -6169453912741831517 + supplementalGroups: + - 5292690601828357137 + sysctls: + - name: xY9WN + value: JL + - name: v7R + value: q1nexB5KTD3SE + - name: PN + value: neE5ismaY +priorityClassName: aDlP +readinessProbe: + exec: + command: + - 2xO + - BlUV + failureThreshold: -2130189853 + grpc: + port: 996585883 + service: qWavRHqQOBBP + httpGet: + host: U + path: MJdmT7Y + port: aujUU + scheme: ¹Ť碏譽> + initialDelaySeconds: -781516024 + periodSeconds: 241739148 + successThreshold: 912206192 + terminationGracePeriodSeconds: 1472699093368179429 + timeoutSeconds: -1948646722 +replicaCount: 122 +resources: + limits: + g51: "0" + requests: + Wd: "0" +secret: + create: false + enterprise: + licenseSecretRef: + key: PXlML + name: 1ZXP + kafka: + awsMskIamSecretKey: Q8ZB + protobufGitBasicAuthPassword: 6x8Cv + saslPassword: kPhPSQWJJ + schemaRegistryPassword: JK + schemaRegistryTlsCa: SnQ + schemaRegistryTlsCert: nrxxx8 + schemaRegistryTlsKey: aizaszl + tlsCa: tKnCvE97 + tlsCert: XQGOjdnSY + tlsPassphrase: UIS + login: + github: + clientSecret: RAo + personalAccessToken: YJtxt19kpv + google: + clientSecret: V0kmwLq + groupsServiceAccount: AaiW + jwtSecret: FGWF3nXjDA4 + oidc: + clientSecret: rnv + okta: + clientSecret: ZE5mxhO6s + directoryApiToken: 7z + redpanda: + adminApi: + password: YwKgntj3 + tlsCa: ywmMdJU + tlsCert: OK6C5sNI0 + tlsKey: eNdF9knNN +secretMounts: +- defaultMode: 368 + name: GaEvNh0Ifo + path: 8c1 + secretName: "" +- defaultMode: 412 + name: Dy8Ef + path: X2Ct + secretName: QRQFk +- defaultMode: 211 + name: cLEkHy + path: alMc11eGER + secretName: 8miR +securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - ƕE仍腽ʨLJ甴Z´:涟 + - mŠ'菴h饘ǦŃ2 + privileged: false + procMount: 麤绊噃ȳ{ɚƪ秥ȧG + readOnlyRootFilesystem: false + runAsGroup: -8188439767627968973 + runAsNonRoot: true + runAsUser: 2990782549155496077 +service: + annotations: + 4yhZo: zLVEslN + Amz4VM: QAvK + IPCS: b1R + nodePort: 233 + port: 400 + targetPort: 329 + type: dPOD9Kzb +serviceAccount: + annotations: + PPZDrdmxKV: UBjiSx + automountServiceAccountToken: false + create: true + name: 8s2qVhKEW +strategy: + rollingUpdate: {} + type: '!蘃«2狺čH' +tests: + enabled: false +topologySpreadConstraints: +- labelSelector: + matchExpressions: + - key: K98063hAMXd + operator: 閃ŘDZƳwųA旰C汔§挦塳¹@ē + matchLabels: + y9: GJEjaj + matchLabelKeys: + - 4xZpqk + maxSkew: -659297182 + minDomains: 1124395321 + nodeAffinityPolicy: ʬC8 + nodeTaintsPolicy: 鱯禓瞝 + topologyKey: mq + whenUnsatisfiable: A´ʕɭNÀȜ龎q擞u貒槂轌v +- labelSelector: + matchExpressions: + - key: Yd + operator: "" + values: + - dCWo2pjVuA + - hl8G3Kp + - M + - key: VYxo + operator: _k?Ř + matchLabels: + 3kRK: xOzJ6 + KUwsC: FN5bAqvV + QPay: w0lIH + matchLabelKeys: + - gkJFY + maxSkew: 501038978 + minDomains: -2011840701 + nodeAffinityPolicy: Łdz倾僚ʒ屆9ÐE釤Ŏo + nodeTaintsPolicy: Ǩʖ#Ŭǧ¦Ûũ°啑 + topologyKey: JCJYk4 + whenUnsatisfiable: 暛ūZɆǗ絜皼bȇĀ簁搿WXƪçɗÁ +- labelSelector: + matchExpressions: + - key: gyZMV + operator: ƲƬ釒橙ȋ齸鑝鷳ĔǸɊZ聻趁õÈc + matchLabels: + T1YT: SJYt + W: ZaF + WdGxif: 3EKPjb9 + matchLabelKeys: + - ukD8HM + - mD + - Z + maxSkew: 1774410820 + minDomains: 36391976 + nodeAffinityPolicy: "" + nodeTaintsPolicy: ŵɎļ%鋏[ʞô + topologyKey: oGrtNcnUje + whenUnsatisfiable: ƓǪĈɏ荥蟗Ș鉢A +-- case-040 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: 7RRFnuao + operator: 鑿梞e璺瀧敢tȱ + - key: 3qz030r9N4 + operator: 脟óȨq駥Ƽx垤R$L + - key: 4egJ + operator: 敕ƒ洀ņ+Ō轲C丼Ʒij.ƾ蚯ƺ痻3皆咒 + values: + - "" + - J66saNw8 + - xBRUfDKhiA + matchFields: + - key: Kgp4qFm + operator: 桋iz<ïŃǃ襶D齿 + - key: 7F + operator: "" + values: + - iquNT + - aFPIw + - lYMJn4Un3 + weight: -954635927 + - preference: + matchExpressions: + - key: ePHgEs + operator: 撹ł + weight: -2109244754 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: gK + operator: 垭ʮȌ)"彛 + values: + - Vvo + - "" + - key: n0 + operator: 挪VɱȒ + values: + - 595ST + - sHQoTQgQ + - ZyYxnGB + matchFields: + - key: "8" + operator: 餒ơ鋦r)锟壃m汇 + values: + - H8 + - matchExpressions: + - key: nErJm + operator: Ûɟ敀淽 + values: + - sbjW + - 1l + - go + matchFields: + - key: ozzkD4D + operator: Ʌ\h崭蠒ȓ旉蹖楚_掁S5 + values: + - NrN0Id15O + - VrahPz + - YJfhO + - {} + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: qiGNj + operator: jƯȨ穞ɿPȧ + - key: HPRR + operator: ž8ƃKKDz蠽ƚ0ƻ + values: + - NAx + - Pr2F + matchLabels: + LY: ZRjD + matchLabelKeys: + - ikCO + - n25 + - IY0AqNStYm + mismatchLabelKeys: + - uO6G + - EFKfLOM0 + namespaceSelector: + matchExpressions: + - key: frBwUGG + operator: ǧ啯ʖ6džȡ衺Z莋æȘzv + values: + - 68q + - PrId4k5Nk + - 1Izg6c + - key: H5neR + operator: "" + values: + - gf2 + - "" + - key: LTEiVQV + operator: ʅďl$y韙bO儺e籾吕ŃV + values: + - LccIflVn3 + - QX + - kRZLtn + matchLabels: + lccn5: lx6 + topologyKey: AE + - labelSelector: + matchExpressions: + - key: ljGag0 + operator: "" + values: + - 3AlcF9eOiK + - key: XPoIj + operator: ĻĵN稙²x鸴ʊ + - key: "" + operator: m[ɻD«ʯĢĥɖHÃú锺N蓍!f + values: + - cwRFs + - wJtpMgyV1I + matchLabels: + 6gzmw2BW: v1eC + QI6Gl: Ckzyw0v + uRw21: 36kl + mismatchLabelKeys: + - XiX9Mrhv + - Xk2Ri + namespaceSelector: + matchExpressions: + - key: Roq9G + operator: 槓G{? + values: + - YCBJEhS + matchLabels: + 9X5C: TU1y + PG1k: 8j76iX8R + iYq9QLUSh3bk: Mvl2WRQ + namespaces: + - Pp + - z1O9mW5rB + topologyKey: U + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: pqtCgWlk + operator: eŭñZ) + values: + - 6eUrtsX + - GmGeP7 + - pBhe0 + - key: gctw + operator: L?岤紎!蠾黅誽帯÷Ʉ坏q + values: + - G + - "" + - "" + matchLabelKeys: + - IGYc + mismatchLabelKeys: + - C + - XlxD2Y5h + - Eut + namespaceSelector: + matchExpressions: + - key: QNvJq6Uc + operator: Ǔƀ閝遨垛簙UdĢ7ȍ騽¹DŽ + values: + - m4wq + - TmuqVB1 + - key: PTVC + operator: 珙'ɀɒ虃龓楼ƺ譄êǿ + values: + - w + - K + matchLabels: + GQp: tw + namespaces: + - t + topologyKey: I9Ng7D + weight: -278680619 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: IaZiqfV6 + operator: 幋x:Ȗ + values: + - XmaYG80 + - aaEScB + - DxB + matchLabels: + J3Ny9zUJ2DOTKO: eiUL0RR + lt: bqOs + matchLabelKeys: + - XYHp1S + - JKj1 + namespaceSelector: + matchLabels: + WopugltEP1J: eaGpkiS + namespaces: + - H9w9Q + - A8D + topologyKey: pvkKW + weight: 252280673 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: lSi + operator: 襚ǫAŇþ腦W[ĕ嘱ʌſœɃ槏Z岪 + matchLabels: + OzmceOBQ: F2mtk + QcoH: qt3OR6ZcjY + t5Cqg1: 1x9WW8EUyyn + matchLabelKeys: + - 0XGJ + mismatchLabelKeys: + - K6T + namespaceSelector: + matchExpressions: + - key: KoofEA + operator: ' íɀ馩Ȭɫġo娤螗暴Û漷ʦO腔' + values: + - nj + - U + - onkfJ4 + - key: 0aO + operator: Ŷű輖+¶)罩ƌ×螂 + matchLabels: + 2hf: GeFfROs4 + pA23: kqkG + rZ: DH6cT + namespaces: + - yvfsu + - L3Pu + topologyKey: BBBCjZel + weight: 392487334 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + 0hp: sd9 + mwTeR: D3HlJbmoK8 + matchLabelKeys: + - MwDkniC + - "" + mismatchLabelKeys: + - VuQB + namespaceSelector: + matchLabels: + 1x: Pj + D3J: 4gFps + bQU: weT0tI + namespaces: + - y9zrYKWApO + - rq0K3 + - 5XUeP7 + topologyKey: P7V + - labelSelector: + matchExpressions: + - key: Jv + operator: 啽ŃŐø + matchLabelKeys: + - s + namespaceSelector: + matchExpressions: + - key: Fy5Deb + operator: 旉錛!荕Ɂ! + values: + - nbiy + - "" + - 6QORDbd6zn + matchLabels: + bba0KJ: NE1j + nYif5xu0Hy9XW: 0s + qAoT: "46" + namespaces: + - 4JHyx + topologyKey: 7621t +automountServiceAccountToken: false +autoscaling: + enabled: false + maxReplicas: 470 + minReplicas: 361 + targetCPUUtilizationPercentage: 160 + targetMemoryUtilizationPercentage: 475 +commonLabels: + X: zjmrl + "Y": yG0 +configmap: + create: true +console: {} +deployment: + create: true +enterprise: + licenseSecretRef: + key: a7Ph + name: zsHNWVcS9 +extraContainers: +- args: + - jlI16Xnnb0 + - x0Z + - Tv6z + command: + - 3MnkZe0L + - OK + - cKvaGI + env: + - name: 7RtgX9 + value: TQH + valueFrom: + configMapKeyRef: + key: "" + name: GE2 + optional: false + fieldRef: + apiVersion: x2H + fieldPath: iVYVzT + resourceFieldRef: + containerName: 3QSG + divisor: "0" + resource: AgMtPE + secretKeyRef: + key: BhGA6 + name: LKemd3Cs9 + optional: false + - name: 9dFxchX + value: huoZj + valueFrom: + configMapKeyRef: + key: skdmo + name: gSEkUx + optional: true + fieldRef: + apiVersion: ymAcwLzaJ00G + fieldPath: de9Q + resourceFieldRef: + containerName: ZgwwQvA + divisor: "0" + resource: OTraA + secretKeyRef: + key: Pe8 + name: 39mCZV7ERv + optional: true + envFrom: + - configMapRef: + name: l + optional: false + prefix: kGdnbCakM + secretRef: + name: JrDM + optional: true + - configMapRef: + name: 0iH67 + optional: true + prefix: 3JVMhcII7 + secretRef: + name: PS1J + optional: true + image: Bx3IW17kjF7 + imagePullPolicy: È8秏糇 + lifecycle: + postStart: + exec: {} + httpGet: + host: EeLx + path: JC + port: 638412697 + scheme: 翔ĩñɁɬj局³喪Eů磘Ʒ唡嬤 + sleep: + seconds: -2739564842418698030 + preStop: + exec: + command: + - zjNyV + - 3i + httpGet: + host: RxhMCXQN + path: Dq + port: -821303664 + scheme: 髒xD>?ǠĆ踃w¬ + sleep: + seconds: 8925361607851382825 + livenessProbe: + exec: {} + failureThreshold: -2015695369 + grpc: + port: 102189788 + service: VG2k6Atq + httpGet: + host: 0dxm + path: Pix7SytH + port: 284583441 + scheme: 畝ǂƬƜ聞|b + initialDelaySeconds: 1150668189 + periodSeconds: 1279412097 + successThreshold: 337444728 + terminationGracePeriodSeconds: -665826210809930777 + timeoutSeconds: -802810999 + name: 1KSo0a + readinessProbe: + exec: + command: + - 3cCL4 + - en + - VN0 + failureThreshold: 448729232 + grpc: + port: -174942651 + service: paUcCUtV8A6 + httpGet: + host: tSEChhvGgDsf + path: Jrr + port: 516172996 + scheme: c{Ƭ臾斡:Ɣ?Í + initialDelaySeconds: -714126900 + periodSeconds: -88316167 + successThreshold: -1820867160 + terminationGracePeriodSeconds: 272130190949654337 + timeoutSeconds: 1803351679 + resources: + limits: + f9GQWFTKPFP: "0" + g5: "0" + requests: + 4A89zLoFG: "0" + SmOBH: "0" + restartPolicy: Ű高ǙG%7BČCaďʥyď + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - H鞕ă鶅镀秀 + - Ŏ昮0yƤɯ斺R妕Je芓BɜCĵ + privileged: false + procMount: ÿʑ鎆乭cŇ陛ǼȠn + readOnlyRootFilesystem: true + runAsGroup: 5591360478943231672 + runAsNonRoot: false + runAsUser: 6381588597473822835 + startupProbe: + exec: + command: + - rV83LKQ + - 87Vc + failureThreshold: -2022114361 + grpc: + port: 1348736621 + service: Gx8f9phR + httpGet: + host: fWnW4CGV + path: yQl0PNEE3g + port: TYi + scheme: 絅xn,ȵ6ʎ癙 + initialDelaySeconds: 205090742 + periodSeconds: -1401542741 + successThreshold: -2130268569 + terminationGracePeriodSeconds: 4104437343850793050 + timeoutSeconds: 604054255 + terminationMessagePath: ec8kHaD + terminationMessagePolicy: 甎i + tty: true + volumeDevices: + - devicePath: NFjF + name: AH + - devicePath: "" + name: u + - devicePath: 0q6A + name: nFe3FY4 + volumeMounts: + - mountPath: ad7JXhGN + mountPropagation: =廄殞+ + name: qVHWCUHp + readOnly: true + subPath: m3RBekA0 + subPathExpr: 7F0F8Ge + workingDir: LmnqIVV +- args: + - 3g94Jb + - "n" + - HxatWli7Qe + env: + - name: yKfn + value: fni0 + valueFrom: + configMapKeyRef: + key: cQjxg02ud + name: DqLUCO + optional: false + fieldRef: + apiVersion: dS + fieldPath: aH + resourceFieldRef: + containerName: BVSH2Bxu + divisor: "0" + resource: ZLW3 + secretKeyRef: + key: J + name: APYyG5qY + optional: false + - name: b4i9WEf + value: Ru + valueFrom: + configMapKeyRef: + key: mzxgZ + name: XgDd + optional: false + fieldRef: + apiVersion: U1l + fieldPath: sG2pcjz + resourceFieldRef: + containerName: Vlc1Ru + divisor: "0" + resource: hZpqB + secretKeyRef: + key: X0W3QpdAhux + name: I3L + optional: true + envFrom: + - configMapRef: + name: DJjN7Phe + optional: true + prefix: 4K2MBzNl + secretRef: + name: s4GF + optional: true + - configMapRef: + name: td0aZ + optional: true + prefix: CYvFW + secretRef: + name: WaBWGCRa8 + optional: true + - configMapRef: + name: ehHs9m + optional: false + prefix: n1x + secretRef: + name: TdUJ + optional: true + image: UNJ6E6 + imagePullPolicy: 砓³绔丬A + lifecycle: + postStart: + exec: + command: + - Qs8Sd + - JGX4Qj + - eCw00uq + httpGet: + host: NNLSd + path: y4tS + port: QzOfwe3a + scheme: º猗ĥɮƅLɘ隮术ƒ赥;,ǝ髳Ĝ7Ĭ嬳 + sleep: + seconds: 1170469124057922158 + preStop: + exec: + command: + - TN62uDLAuIx + - ndI + httpGet: + host: t7H6l2 + port: RHeYpAvJ8 + scheme: KǠɀƴ杔¸Ɉ$毕削peýfv! + sleep: + seconds: -5232306180460338099 + livenessProbe: + exec: {} + failureThreshold: -1900233123 + grpc: + port: -1323381498 + service: wJ + httpGet: + host: pAHsn3 + path: k31zW1 + port: 2elbrK + scheme: 痯秿丌 + initialDelaySeconds: 537756270 + periodSeconds: 1139432456 + successThreshold: -289377675 + terminationGracePeriodSeconds: -709025030374540888 + timeoutSeconds: 254134433 + name: zWs + readinessProbe: + exec: + command: + - x093a + - v1 + - Ef + failureThreshold: 75768089 + grpc: + port: -237977747 + service: "y" + httpGet: + host: EBEth + path: C + port: 790399211 + scheme: ær堹mhʢ + initialDelaySeconds: -157687184 + periodSeconds: 1071897332 + successThreshold: 824432298 + terminationGracePeriodSeconds: -54575953702939670 + timeoutSeconds: -1190752843 + resizePolicy: + - resourceName: R9fM + restartPolicy: ?ʖȒƅƀ逎v鐰wģ籫 + - resourceName: 7C + restartPolicy: óʌF鿯薸k} + - resourceName: Bqy + restartPolicy: E吻X秤} + resources: + limits: + UMJnobyO: "0" + qJmAwr: "0" + requests: + ZktW7e51vRUG: "0" + restartPolicy: '>ŀ鎙莸鼔茷蝼薼Ƽƅ°3貦罌臣洴軟處姼' + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - 儜vƝ¾ + - 輝Ġ$琑+檂 + - 飂 + privileged: false + procMount: ɓĎʙʗG0瑑娄K坢Ö&Ù + readOnlyRootFilesystem: true + runAsGroup: 2234167178876811137 + runAsNonRoot: true + runAsUser: -1191472066985646967 + startupProbe: + exec: + command: + - KGi9U + - D6 + - HZ3aC1 + failureThreshold: -2057203764 + grpc: + port: -1203229903 + service: Xd + httpGet: + host: tTW + path: oWk + port: -1347841801 + scheme: 檸`sȝBULj懄 + initialDelaySeconds: 1386184157 + periodSeconds: 2110004457 + successThreshold: -692279219 + terminationGracePeriodSeconds: -7060466210747559086 + timeoutSeconds: -905577521 + terminationMessagePath: g + terminationMessagePolicy: 頨Ĥ° òȯǤū暓坐ƚă杋鍄 + volumeMounts: + - mountPath: FmQht + mountPropagation: 饌^ǩ朳ųW磀ĥAijƨ+= + name: j5 + subPath: aoEWb7k + subPathExpr: 0ra + workingDir: zmwmt +- command: + - oFEaN2U1 + - HuBj9vk17eCjI + - "" + env: + - name: n3JVvVY + value: U14PEXs + valueFrom: + configMapKeyRef: + key: Ai0Xg3owIe7XlG + name: U4 + optional: false + fieldRef: + apiVersion: ZyO4Jpwkp2hV + fieldPath: roNil + resourceFieldRef: + containerName: gx + divisor: "0" + resource: Z + secretKeyRef: + key: AcP + name: qMy + optional: false + - name: oSWakHA + value: eR + valueFrom: + configMapKeyRef: + key: qsSVOr + name: o + optional: false + fieldRef: + apiVersion: SeP3aPXfjLIcfE + fieldPath: 091i + resourceFieldRef: + containerName: T5hI + divisor: "0" + resource: KxGi43CVGe + secretKeyRef: + key: "" + name: 5uI + optional: true + envFrom: + - configMapRef: + name: MujT + optional: false + prefix: cVRH + secretRef: + name: mpF + optional: true + - configMapRef: + name: MeO3F + optional: false + prefix: w3C4 + secretRef: + name: hnYx + optional: false + - configMapRef: + name: NT5MFmC65 + optional: true + prefix: "7" + secretRef: + name: yl2ze1 + optional: false + image: A8o + imagePullPolicy: ?晐T鴭Xp + lifecycle: + postStart: + exec: + command: + - zaLOG2 + httpGet: + host: kA51kbv + path: LMnFclIJczBo + port: 402299955 + scheme: :踖坯(Iȷ碨劅 + sleep: + seconds: 245674034851902981 + preStop: + exec: + command: + - Tz87qO + httpGet: + host: Xr6sP + path: xxE + port: 1901089000 + scheme: 3媧ş>La芸`Lzuŀɽ坤¦.痻Jǻ + sleep: + seconds: 6906639179439192094 + livenessProbe: + exec: + command: + - yxk0313sz + failureThreshold: 385001414 + grpc: + port: 1589713469 + service: UA + httpGet: + host: ZWfT + path: vTNYug5RZh + port: -192111662 + scheme: e¢dYÜdz + initialDelaySeconds: 1708942834 + periodSeconds: 1356452566 + successThreshold: 1750780088 + terminationGracePeriodSeconds: -1272770054640188829 + timeoutSeconds: 1656218869 + name: FxzTg + ports: + - containerPort: 63673829 + hostIP: 4xjED0VKV0G + hostPort: 2007665826 + name: xbwJ + protocol: ¼vb皪螯ʉwʒR玔È覦劙 + readinessProbe: + exec: + command: + - 0S + - "" + - GkPj + failureThreshold: 1405674719 + grpc: + port: -1659132742 + service: gIFP + httpGet: + host: jYnI3ins7 + path: bIEaFAc1 + port: UHfz + scheme: ʼn + initialDelaySeconds: 1531278754 + periodSeconds: -238235402 + successThreshold: -1690388514 + terminationGracePeriodSeconds: -2788228502880198888 + timeoutSeconds: -567709755 + resizePolicy: + - resourceName: nxpzTS + restartPolicy: ƫŀMs+,ǼƞȒ + - resourceName: 61uCVQ1 + restartPolicy: /澰ɍ½鑀a帷[鞺鏨攬姟壃F$R犬 + resources: + requests: + YfM: "0" + restartPolicy: œ|F彟S崘Ȑ貸1Ũȷ+齳 + securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - 鸎dĉç荧 + privileged: true + procMount: "" + readOnlyRootFilesystem: false + runAsGroup: 5795239965908151493 + runAsNonRoot: true + runAsUser: 2409160731771391054 + startupProbe: + exec: + command: + - D6j2Q + failureThreshold: 975103738 + grpc: + port: -2081980063 + service: Nh + httpGet: + host: vdLm3FUXIs + path: jqCqF + port: "" + scheme: Ű"ƆĩNÙ襔冠ʈ + initialDelaySeconds: 524220215 + periodSeconds: 923596095 + successThreshold: 547119693 + terminationGracePeriodSeconds: 7382309226647739877 + timeoutSeconds: -1902082444 + terminationMessagePath: 2i5 + terminationMessagePolicy: 踑ĆĦ荷ýA/ǎ桫 + tty: true + volumeDevices: + - devicePath: KlUUX + name: NWO + - devicePath: W1JLM + name: qNw + - devicePath: BVE + name: c + volumeMounts: + - mountPath: yCztpht + mountPropagation: 巧苄;钽肇謌ʭɿw刄wɰM迵. + name: Mv9 + subPath: RWmlw + subPathExpr: Oy + - mountPath: Gf + mountPropagation: ɩ + name: On78O + readOnly: true + subPath: s7p + subPathExpr: 57aJIvpEm + - mountPath: m + mountPropagation: 崌蠿Ƣ湺 + name: CXSu + subPath: F8oe + subPathExpr: S +extraEnv: +- name: cD + value: JW + valueFrom: + configMapKeyRef: + key: "" + name: 8Ri7OfQ + optional: false + fieldRef: + apiVersion: Qc + fieldPath: 6ZYFg + resourceFieldRef: + containerName: qkUV + divisor: "0" + resource: yEf5zz13U + secretKeyRef: + key: xozuxs + name: z + optional: true +- name: "" + value: gea3 + valueFrom: + configMapKeyRef: + key: hwe3l3k2h + name: QX + optional: true + fieldRef: + apiVersion: kx + fieldPath: m7f + resourceFieldRef: + containerName: 0XEGE + divisor: "0" + resource: y4ce5 + secretKeyRef: + key: hmvX + name: 18Z + optional: true +extraEnvFrom: +- configMapRef: + name: DR3hdrvZIv + optional: true + prefix: kGV4HZ8 + secretRef: + name: tR3Yu1G + optional: true +- configMapRef: + name: 6pMd0VA0 + optional: true + prefix: Csp + secretRef: + name: ceqZBJ7fdqP + optional: true +extraVolumes: +- name: iPeR +- name: ZgdCb2kUB +fullnameOverride: KchYZFsbB3 +image: + pullPolicy: -0Ź桛ɼ訚Ņ;秵ňĝ苒9麡ñà臸ʫ + registry: cwfXN2KlU + repository: qYQHJ + tag: RIG +imagePullSecrets: +- name: V1 +- name: AyLzRkaGE +- name: 3pZ8 +ingress: + annotations: + 7KBv: R6qBYfCa + aBRf1: ygsbc + yL0ht8k8h: e + className: N8nne2Adwe5AYa + enabled: false + hosts: + - host: FyKy + paths: + - path: Cgcwa4F + pathType: pcConNItFmo +initContainers: + extraInitContainers: uND1 +livenessProbe: + exec: + command: + - 6VSzmxYwHC + failureThreshold: -1894321442 + grpc: + port: 487517384 + service: INsH + httpGet: + host: JNW + path: QZgsr + port: 228553774 + scheme: 躀廗裲繄鄸爖ž + initialDelaySeconds: 1986051838 + periodSeconds: 541607099 + successThreshold: -1968479306 + terminationGracePeriodSeconds: -7878496327638757142 + timeoutSeconds: 1374945691 +nameOverride: 6sW +nodeSelector: + y63G: wNiNvOMv +podSecurityContext: + fsGroup: 2302511509023017096 + fsGroupChangePolicy: 闦ñ禢`J鉤 + runAsGroup: -2347956389924856743 + runAsNonRoot: true + runAsUser: 1720952380350228641 + supplementalGroups: + - -621944387099711210 + sysctls: + - name: CvGz + value: "" + - name: dO + value: qwZyE +priorityClassName: 3A +readinessProbe: + exec: + command: + - "" + - KEndqzRiV + failureThreshold: 467513555 + grpc: + port: -1573796455 + service: ErWB + httpGet: + host: lLC + path: HH5gzp + port: -1970119534 + scheme: 酥梕ʄE訳 + initialDelaySeconds: -6410364 + periodSeconds: -623380707 + successThreshold: 1641270972 + terminationGracePeriodSeconds: -4383611239728405989 + timeoutSeconds: 1203716236 +replicaCount: 291 +resources: + limits: + "1": "0" + MrwIP: "0" + hgaW: "0" + requests: + 1lF: "0" +secret: + create: false + enterprise: + licenseSecretRef: + key: yoQYDK + name: xU86MHgk + kafka: + awsMskIamSecretKey: b1dpxuu + protobufGitBasicAuthPassword: bNLttpx0UHrQ + saslPassword: WLiPGk4IafDZkx8 + schemaRegistryPassword: d7In271W + schemaRegistryTlsCa: JYJZN + schemaRegistryTlsCert: muZOO19 + schemaRegistryTlsKey: 7cUIM + tlsCa: NWid + tlsCert: v843II + tlsPassphrase: ks1QSKsS + login: + github: + clientSecret: Bh26we + personalAccessToken: yKlBsX + google: + clientSecret: luzCc89Wm0 + groupsServiceAccount: qpX + jwtSecret: ojb + oidc: + clientSecret: cze + okta: + clientSecret: uuUR + directoryApiToken: WOW1d + redpanda: + adminApi: + password: rVI + tlsCa: yMec + tlsCert: YYHCeTg + tlsKey: 4Qv3y5Dl +secretMounts: +- defaultMode: 83 + name: ieSo8V + path: d + secretName: mD0jl +securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - 阊 + - DIȜO吽解诎-曅 + drop: + - 贎秨Ůɭ懾Ù盾| + privileged: true + procMount: ʪ勪įOew\Ǡ礓 + readOnlyRootFilesystem: true + runAsGroup: -6230225082797374618 + runAsNonRoot: true + runAsUser: -2569068293811684873 +service: + nodePort: 314 + port: 424 + targetPort: 17 + type: oZi +serviceAccount: + automountServiceAccountToken: true + create: false + name: Cj +strategy: + rollingUpdate: {} + type: G阏发6s +tests: + enabled: true +topologySpreadConstraints: +- labelSelector: + matchExpressions: + - key: pPoL + operator: ǭȉćŴ讶Y + values: + - "69" + - UC9 + - "7" + - key: 6toZoG + operator: Ġ+kʫȸ颷ʅÓ欽V譵; + values: + - go8adRXrn + - key: S + operator: ĕȻ*Gɝ靿暛_洳瑼Ĩ + matchLabelKeys: + - "" + - V7xIs1 + - eqq + maxSkew: 983843814 + minDomains: 854272231 + nodeAffinityPolicy: '>S篐ö抏茄(6' + nodeTaintsPolicy: e3äTȦ硷B捕萑Ǵ吷Ǿ邂Ǝièø + topologyKey: NoEcMWkg + whenUnsatisfiable: 幗鞲&渶Ÿɪ`鹵N +-- case-041 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: gRchHJ + operator: g>騿b鈐ʃB¾偡医選ȍ恋 + values: + - I + - Ei + - "" + - key: hyf + operator: 斒ʃǜƆƲ + values: + - QUyyD + - key: Bkmx + operator: ư酰姺醪芄堑 + weight: 751548356 + - preference: + matchExpressions: + - key: oLam + operator: 蟹 + values: + - ouUaVpYnKDUI + - key: vjw6GPYYTKt + operator: 竣iN¸嚿×ɮib + values: + - ZTaqp + - key: d8VuBX6qV + operator: 脼Ȩ + values: + - a8aOe1 + matchFields: + - key: twbeCR + operator: óçøG靼Ɏȸ­乷ɍ + values: + - fJAm6rm + - 2h8IU + - zE9 + weight: 291395585 + - preference: + matchExpressions: + - key: qC6uf99en + operator: 鼢犖龆醑喐蠿鯌ʛB契p + initialDelaySeconds: -879591831 + periodSeconds: 1110714898 + successThreshold: -1301180826 + terminationGracePeriodSeconds: 3872467306429462875 + timeoutSeconds: 674947774 + terminationMessagePath: bm28lY3K2pwh + terminationMessagePolicy: Ȇƍ@¦Ț'±0ž + tty: true + volumeDevices: + - devicePath: o8dr + name: XmhFb + workingDir: 5wQN +- args: + - o0cO9clz7 + - HMSb + - 6uV0c + env: + - name: M3V9WePpx + value: ysO25 + valueFrom: + configMapKeyRef: + key: UqaJg4r + name: RfxtXP + optional: true + fieldRef: + apiVersion: lwe4YmNPx + fieldPath: tQj57vj + resourceFieldRef: + containerName: ZQ + divisor: "0" + resource: T + secretKeyRef: + key: x + name: ny4NEtt3z + optional: false + - name: cc2 + value: L0hw + valueFrom: + configMapKeyRef: + key: 385Ue36 + name: mmjoQw + optional: false + fieldRef: + apiVersion: 6oECJJ + fieldPath: viT + resourceFieldRef: + containerName: gwdJxK + divisor: "0" + resource: ck7 + secretKeyRef: + key: UuNsYAQvXJ0 + name: 1NAqDCU3 + optional: true + envFrom: + - configMapRef: + name: ZFk + optional: true + prefix: bXa4IzYR + secretRef: + name: aAJU + optional: false + image: JPgUP + imagePullPolicy: Q ¶ + lifecycle: + postStart: + exec: + command: + - r1uMNf + - M + - 8G + httpGet: + host: cuhhh + path: lXMriYoe + port: -988033465 + scheme: ',轄kzĒfť' + sleep: + seconds: -8820103652541681769 + preStop: + exec: + command: + - bElmX + httpGet: + host: bCNS + path: A0F + port: "" + scheme: 砘ɁA甜猷14ʣ)ǨƿŊ\ + sleep: + seconds: 821413986956195833 + livenessProbe: + exec: + command: + - M9y + - ay + - sRaY + failureThreshold: 600887441 + grpc: + port: 1597779369 + service: ua8K + httpGet: + host: 0XuF + path: V3 + port: -703127215 + scheme: 舷$趺É螳P阁]嚂驶钋琦袳$ƸO侎 + initialDelaySeconds: -1230549565 + periodSeconds: -335663932 + successThreshold: -1184112514 + terminationGracePeriodSeconds: 9077275487127832448 + timeoutSeconds: 1992088322 + name: pz + readinessProbe: + exec: + command: + - lVaA + - E9DNIWT7reP + - NW1Cc5O2 + failureThreshold: 1119300491 + grpc: + port: 2061347792 + service: fUXdOYJ9On + httpGet: + host: "0" + path: Us3pM3OkquAEW2 + port: -1693856749 + scheme: 鞡|鬟扝}肾~ + initialDelaySeconds: 1307857751 + periodSeconds: 1903760018 + successThreshold: 612917619 + terminationGracePeriodSeconds: -4296518247806248606 + timeoutSeconds: 1025631498 + resizePolicy: + - resourceName: "8" + restartPolicy: ȯy髚ʦ=ǰɮ瓿b:劀ǴáiO3IĮ + - resourceName: 8mFXK1FTs + restartPolicy: ėv|冿瀱Ƥ鐻D[ƼŮ/ + resources: + limits: + TVwPaoBqGL: "0" + juxQS6V3mr: "0" + requests: + igiG: "0" + restartPolicy: 皷ƴȿOvJ郦'欝 + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - ǐ缠]館ʚƾó|őɤ + - 6 銨dN_ZɻǦ絛顆麓 + - u鹍u鼓练gʘɍK]痰痁鶄Ȼ咶嚅俊ǙǕ + drop: + - 沎闸埲dz + privileged: false + procMount: "" + readOnlyRootFilesystem: false + runAsGroup: -265773045457612130 + runAsNonRoot: true + runAsUser: -6489119899323828796 + startupProbe: + exec: + command: + - 95NULc + - cCLaGfz + failureThreshold: -414102461 + grpc: + port: 339886942 + service: 7hdbpU + httpGet: + host: bN6EBrngIW + path: Luv09 + port: plsGDEJ + scheme: ʔ垃桪抴痺MM温ǹ + initialDelaySeconds: 2135898388 + periodSeconds: 1107416140 + successThreshold: -648919802 + terminationGracePeriodSeconds: 4653203112295127978 + timeoutSeconds: 1294917615 + terminationMessagePath: C + terminationMessagePolicy: 擎:Ȓ + volumeDevices: + - devicePath: TGjb8dLs + name: QN5Dj50Kuoc + - devicePath: aRIfAur + name: wQ47Fq7W3WPNDG + - devicePath: 2Smu + name: 1Q3d5wRJf6 + volumeMounts: + - mountPath: 5Trbk9 + mountPropagation: 秮驇穁 + name: YvM + readOnly: true + subPath: pFKsUV + subPathExpr: mhIjzA + - mountPath: F3lqb + mountPropagation: 窆f + name: NJXDvoxv + subPath: zVGgP + subPathExpr: H + workingDir: IEObw8N +extraEnv: +- name: 4R567pw + value: mWumx + valueFrom: + configMapKeyRef: + key: zDKgXG8 + name: Murbi95HW + optional: false + fieldRef: + apiVersion: FE + fieldPath: WAoZL + resourceFieldRef: + containerName: KyYyulloT + divisor: "0" + resource: fqVTn + secretKeyRef: + key: "2" + name: MHnd7TscnRWwYy + optional: false +- name: fm + value: 8fbdsVIUd + valueFrom: + configMapKeyRef: + key: "" + name: 6dU18hENH + optional: false + fieldRef: + apiVersion: Z + fieldPath: yt6csyy + resourceFieldRef: + containerName: c1WXMV + divisor: "0" + resource: NJVUoKSuC7pJDm + secretKeyRef: + key: "" + name: JptOa + optional: false +- name: WjWJX + value: 9VpkkQa + valueFrom: + configMapKeyRef: + key: Rpe79 + name: os5FYjLzS + optional: true + fieldRef: + apiVersion: "0" + fieldPath: j + resourceFieldRef: + containerName: NYuP + divisor: "0" + resource: EWUuGe739oa + secretKeyRef: + key: CFh + name: 8zez51Q + optional: true +extraVolumeMounts: +- mountPath: cIK + mountPropagation: 爂 YLƝ«煘?沀#朚ń鮾+ğÔ + name: orwvhF0 + subPath: ivP1ha4I + subPathExpr: VPCFJYVRHf +- mountPath: s + mountPropagation: m椥扶ȟqÈ倕{峙刷} + name: O35 + subPath: AN + subPathExpr: vm7 +- mountPath: 7P72D19W + mountPropagation: 堂窜B,Ś贃腔Ʈ£顽ąfYR + name: 6Z + readOnly: true + subPath: d7MJ + subPathExpr: LF +extraVolumes: +- name: "4" +- name: Kry +fullnameOverride: eHZ +image: + pullPolicy: ź,Î斎殉媰Fƅ + registry: l0qIdHu + repository: 5OO0wF5p + tag: i +ingress: + annotations: + fDuBFTYK9Q: 5XXu + wYD: 6p + "y": "" + className: Zp11 + enabled: false + tls: + - hosts: + - "" + - I + secretName: yCke +initContainers: + extraInitContainers: GXh2uupW81kt +livenessProbe: + exec: {} + failureThreshold: 1618833311 + grpc: + port: -1505397275 + service: IUgXOa3 + httpGet: + host: 99a94 + path: YFX41J + port: -636645896 + scheme: ƣ[ɐ虪ǸI + initialDelaySeconds: -1510068452 + periodSeconds: -1728837159 + successThreshold: -1832841689 + terminationGracePeriodSeconds: -2499091687248362302 + timeoutSeconds: 254335269 +nameOverride: 84QIe +nodeSelector: + JDRn7n: tOGfx + lKq0V88a: uR3S + vXzm2Hny: tURxvlp +podAnnotations: + JkW1: feghYA7 + okSVM8H: 7Pau + yYrmYn: uT +podLabels: + b4I: j707zvg + eyn1: gqdp7 + sWR: MV07t +podSecurityContext: + fsGroup: 3426922926776119440 + fsGroupChangePolicy: 橣 + runAsGroup: 8316915980597683441 + runAsNonRoot: false + runAsUser: 6270039107728700969 + supplementalGroups: + - -2399342924686736516 + - 620655430084388100 +priorityClassName: 6ZbHC +readinessProbe: + exec: + command: + - u4wSt + failureThreshold: -992972964 + grpc: + port: -940292781 + service: zh5 + httpGet: + host: 1Tg + path: FfFHRfo + port: -94900838 + scheme: țcPÞ + initialDelaySeconds: 2051362912 + periodSeconds: -288287188 + successThreshold: -404266702 + terminationGracePeriodSeconds: -123318567100123885 + timeoutSeconds: 31934256 +replicaCount: 378 +resources: + limits: + 0Yl63: "0" + BUorG9: "0" + requests: + JNdWuFZf5nnT: "0" + aszsvHn: "0" + qC76cU: "0" +secret: + create: false + enterprise: + licenseSecretRef: + key: "5" + name: X2lLLdu + kafka: + awsMskIamSecretKey: RoyDigH4v7A0 + protobufGitBasicAuthPassword: 3m + saslPassword: 5E + schemaRegistryPassword: "2" + schemaRegistryTlsCa: DSr2uQnBZ2 + schemaRegistryTlsCert: mji + schemaRegistryTlsKey: EcukHN + tlsCa: HwarCHVf + tlsCert: tsx + tlsPassphrase: owRWr + login: + github: + clientSecret: 3QP + personalAccessToken: RFXhu + google: + clientSecret: KbrHoAQ + groupsServiceAccount: tSLR4 + jwtSecret: gQSZ8AC + oidc: + clientSecret: O + okta: + clientSecret: tv58V + directoryApiToken: C3j + redpanda: + adminApi: + password: OZVk + tlsCa: F4wK + tlsCert: nkKfJ + tlsKey: ewWdsq +secretMounts: +- defaultMode: 210 + name: gcTdF + path: ctE5Qa + secretName: MPU +- defaultMode: 186 + name: "4" + path: n8KpOJZ + secretName: s6 +- defaultMode: 412 + name: lBE0nAE + path: 3Ka7 + secretName: RG +securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - 憑 + - 贁 + - cÝ琦ŝʛD緪娥t諰ɤɼʠßʏ + drop: + - Hē粙 S綽ESFľĞóǂ + privileged: false + procMount: '>IÐ肣ɚòĺIGʖƟ穿ź' + readOnlyRootFilesystem: true + runAsGroup: -6867300864246942363 + runAsNonRoot: true + runAsUser: 972586500223089794 +service: + nodePort: 310 + port: 190 + targetPort: 396 + type: uTyclgj9tVV +serviceAccount: + annotations: + 1vh4t: 2P6FHr47JPz + JPV: tx0p + automountServiceAccountToken: true + create: false + name: gIkiPRSc53Eb4w +strategy: + rollingUpdate: {} + type: ĸ鍽3ɨ勍Ȱ¦T搟 +tests: + enabled: true +tolerations: +- effect: ć`湇Ȏ2篤螕巴蛬>@ø£鞌q + key: E7p + operator: 畁鼄瓈貔Ĕ釲ĸȚ貺|ǴĄl蔺İɽ糹 + tolerationSeconds: 3092681449541780742 + value: Zmrz8 +-- case-043 -- +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: [] + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: x2q + operator: B肖HOʀ + values: + - "" + - Ys3JeXs5q + - key: kTV1 + operator: ɑɸ&楥ÃFŎł + values: + - UQJ1b + - PSnF + matchLabels: + x3: OyQXZWg + matchLabelKeys: + - c7l + - QL52 + mismatchLabelKeys: + - upadP + namespaceSelector: + matchExpressions: + - key: ve00EK + operator: 'ɗY莶ʥV蔈ƀ廜ȶƹŀLjÓ%õɽ ' + values: + - KsFwEq9un + matchLabels: + pZaTZ4dEyKe: Zr + y2udi: nOeICOHiSN + namespaces: + - eh3 + - Tk + topologyKey: sDRodPzb + weight: 950808176 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: "5" + operator: 豗ŵǕ + values: + - CXc + - lamtTG39Nn + - key: PAiD + operator: 靑 + values: + - Xc2 + - 0vCS1b + - MsAd + - key: V5SqAAs0jK + operator: tŇ + values: + - "" + matchLabels: + sN: eS9 + zyhZtMI: vk + mismatchLabelKeys: + - "9" + - 8kmgYkR + namespaceSelector: {} + namespaces: + - rttEi + - LsPL05A + - vt + topologyKey: RI9Fz + weight: 735869102 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 3wYP8eoC3 + operator: Ĭ囁缯盦鍎Șe宧冸'Pțl諷鵣 + values: + - tjW4s6vTm + - dAFd + matchLabels: + MYd: Xsox8 + vdIPmBzGHW: u + vtRD: cJZSpnJ + mismatchLabelKeys: + - ysVrZBCS + namespaceSelector: + matchLabels: + LLN: an + zhG0GzF: ebgXWsq + namespaces: + - Tc7JW + - l5 + topologyKey: XvVTKe + weight: 284965413 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: snHS61E + operator: ŁjĈ偔Ĵgä缬ɏ魜竿Ȍ匊ȡf + - key: GF64H + operator: N?+痱+龟嗙糨(;籄µ_ȤP榡Ȁ + values: + - sBC5mout + - gLNrAHCql + matchLabelKeys: + - I6T + - cfQ + - bj1O + mismatchLabelKeys: + - DOsKcbZ + namespaceSelector: + matchExpressions: + - key: wabhpRnnMK + operator: 昶Ǝ傪Ȃß + values: + - 6A + matchLabels: + AWV: wH5n597Z5ZD + MO5x: gCiuzkb + namespaces: + - SE6wLN + topologyKey: i + - labelSelector: + matchExpressions: + - key: hyV52PjMCdDTPM3Xj + operator: t.卆痘惠Ú皙駼ɥ飑蝪 + values: + - df + - QinuCr3k + matchLabels: + "4": xjs7u + 26YT8Kwl: 6Fn7QaX + IyQVKh: FT + matchLabelKeys: + - 43p + - 7wOCOZltU + mismatchLabelKeys: + - 69P + - KGelm4KjR + namespaceSelector: + matchExpressions: + - key: lc1l + operator: 圼酭蟶ƿʕNȎ褷K0¢戜ŰĨ矤磓 + values: + - F5sJcyG + - gSLP4 + - key: VUC9 + operator: 伂Nxŧ}_Ť + values: + - fdEFxj + - key: TtWF1erkH + operator: 鿐ȖP薈廰ǿÅʋ + values: + - 8fCxCdw018mnN + namespaces: + - MI7v + - 4d + topologyKey: t6NgG + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: D + operator: 棎 + values: + - 20fifD + - FrMdPhx9xo + - key: UGNn3lb + operator: 佛Ǥ3 + - key: Z2RLUvJbK + operator: "" + values: + - FdkgDft + - TefWIg2 + - bpqycNdCB + matchLabels: + HS3J6YWoEqk: Z6wgyP + doC4E: kBDLOXELx + matchLabelKeys: + - AcWh + - wz1OjMAc + mismatchLabelKeys: + - TzAtxmFj + namespaceSelector: + matchExpressions: + - key: 0PcmdJ + operator: h + values: + - cUMRXCqpYKF + - key: CNiL1smGnM + operator: cSŦ胪ǟ婟魳!M + values: + - nn + - J + - DT + namespaces: + - 115aP7 + - NIr + topologyKey: pAC + - labelSelector: + matchExpressions: + - key: N5YJ + operator: '`ȺDŽ窿U澩Û' + values: + - c6b9k + - kBiQmy4m0 + matchLabels: + I7ZhU9r: mVYody9U + kY71: tu + r0veMW: zYM + matchLabelKeys: + - iswu + mismatchLabelKeys: + - CANmp649B + namespaceSelector: + matchExpressions: + - key: 9dVeM + operator: "" + values: + - j4ohdLhch + - l + - "" + - key: Dg0F + operator: wŴǂ&;计DzP.觰髬uþ + values: + - gaIEZk1 + - W + - ox3 + - key: eem + operator: F铃ø睤榺蠯ƺDZ2s瘨澌秠%晸 + values: + - gQvNAvyI + - oime + - 4Sq9 + matchLabels: + J9W: R8 + o3EOEfEW: doLp + namespaces: + - kkkj1owvoXiU0 + - yfKU6aK + - LAx8rxmN8 + topologyKey: Z +automountServiceAccountToken: true +autoscaling: + enabled: false + maxReplicas: 400 + minReplicas: 207 + targetCPUUtilizationPercentage: 127 + targetMemoryUtilizationPercentage: 234 +configmap: + create: false +console: + roles: + - Ei: null + v4ACJLz: null + - isAtO9ew4: null + yruh: null + - 51fb5in: null + ILAz4wr: null + l90: null +deployment: + create: false +enterprise: + licenseSecretRef: + key: lN0R + name: Is29uweE +extraContainers: +- args: + - lXv3W4h + command: + - 0hlaE + env: + - name: 2R4HDOw + value: Ow63m2 + valueFrom: + configMapKeyRef: + key: W + name: K4xi + optional: true + fieldRef: + apiVersion: Jky + fieldPath: 53aQO + resourceFieldRef: + containerName: FnyzXcJW0Y + divisor: "0" + resource: CEeuoM3B + secretKeyRef: + key: d1k + name: gqHwwuuW7YCi + optional: false + - name: ixNGgU + value: zzCXF + valueFrom: + configMapKeyRef: + key: pAT30it + name: t + optional: false + fieldRef: + apiVersion: yp + fieldPath: Mh1WcPCbP + resourceFieldRef: + containerName: IswD1IBE9 + divisor: "0" + resource: Ro + secretKeyRef: + key: yFZxBVZdODt + name: X + optional: true + - name: WTnCxkS + value: pEk + valueFrom: + configMapKeyRef: + key: 11H + name: QATfCX3IsDv + optional: true + fieldRef: + apiVersion: vN4 + fieldPath: qMFch + resourceFieldRef: + containerName: uO0O + divisor: "0" + resource: N0cJGosw + secretKeyRef: + key: fDMU + name: hps + optional: true + envFrom: + - configMapRef: + name: 0OJJ5YVIX03 + optional: true + prefix: qMb + secretRef: + name: Q + optional: true + - configMapRef: + name: xbFZU + optional: false + prefix: a1 + secretRef: + name: x + optional: false + - configMapRef: + name: k37 + optional: false + prefix: YoFy + secretRef: + name: ogUiKqk + optional: true + image: 0pe + imagePullPolicy: 娒菐皎X噴粗嘍»ƪ~ + lifecycle: + postStart: + exec: {} + httpGet: + host: lO6z + path: Ocry6h + port: ZXfKF + scheme: ə朕IH尹ğ殤鍻O艚Ʃj"羈 + sleep: + seconds: 5751106255636900299 + preStop: + exec: {} + httpGet: + host: 7QkaR + path: F + port: 1848101873 + scheme: 7Õ嚎c煣擢?ǙȬžREWƿY#¡DZ + sleep: + seconds: -6692990274650219794 + livenessProbe: + exec: + command: + - uNT + failureThreshold: -829813283 + grpc: + port: -567104846 + service: LDcJp + httpGet: + host: g20utb + path: SiqR + port: hDMLQykO + scheme: Ŧ螵n^ʑ柁ɼĥh韁傧厬džƑ + initialDelaySeconds: -564429238 + periodSeconds: -1564220228 + successThreshold: 358143040 + terminationGracePeriodSeconds: -3271131206023471117 + timeoutSeconds: 1743016683 + name: 0dQgH + ports: + - containerPort: 1592798281 + hostIP: Ob6i + hostPort: 1226080714 + name: owTN2e7 + - containerPort: -909719890 + hostIP: LU4ibkw2 + hostPort: -291412037 + protocol: ț榌餬<孋蔣熰瘞;癘, + - containerPort: -1320944614 + hostIP: FALEX24mB + hostPort: -2067901656 + name: 3x2T + protocol: 鑴桄ɵ珧Ū + readinessProbe: + exec: + command: + - oc + failureThreshold: -784903530 + grpc: + port: -2046315075 + service: OUsbY + httpGet: + host: s50gn + path: gPyB + port: -2077437763 + scheme: 撫ƄǥǞ + initialDelaySeconds: 1983356613 + periodSeconds: 1988783141 + successThreshold: 2066305810 + terminationGracePeriodSeconds: 2348593211159662414 + timeoutSeconds: -418402994 + resizePolicy: + - resourceName: yW + restartPolicy: 9從O9籿c绉ȠýH + - resourceName: 9WLZ + restartPolicy: 酎!8 + - resourceName: ISSu7K + restartPolicy: RǷ巫錬$e幅"Ȅ + resources: + requests: + ZAHXO: "0" + cT: "0" + ftA: "0" + restartPolicy: 箕赳箨J顏 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - 厍F>%甾灵讝 dɌ撑礙Oo_ʦ + - ǮI埁艏:řŴi/隰6Ň + privileged: false + procMount: 籟ɔ矎C趶椰ʓ + readOnlyRootFilesystem: true + runAsGroup: -1819068651107678420 + runAsNonRoot: true + runAsUser: -4446960001037568719 + startupProbe: + exec: {} + failureThreshold: 1529697760 + grpc: + port: 2086810289 + service: LFhs + httpGet: + host: y7 + path: 7Q5PcVes + port: i + scheme: 阀ÿ¼+砵S麦ƺ'nǥ恪qżZǹ + initialDelaySeconds: -2048008543 + periodSeconds: -1559576850 + successThreshold: -655600930 + terminationGracePeriodSeconds: -8913842277118830912 + timeoutSeconds: -857654009 + terminationMessagePath: 9TOoj + terminationMessagePolicy: ¦ƫʇȬ儤f^_U躭 + tty: true + workingDir: cGeaEyJc6A9 +extraEnv: +- name: 1qcxFe + value: CddCzg + valueFrom: + configMapKeyRef: + key: uetPc0pnjv + name: CvmkK + optional: true + fieldRef: + apiVersion: FHMfGqk + fieldPath: 2P + resourceFieldRef: + containerName: bD1 + divisor: "0" + resource: kcSi + secretKeyRef: + key: pUu0 + name: 31uIu28D + optional: false +extraEnvFrom: +- configMapRef: + name: sJl8l + optional: false + secretRef: + name: ULPPuBUveK + optional: false +- configMapRef: + name: r4KbQIM + optional: true + prefix: vFNhdrDV + secretRef: + name: b + optional: false +extraVolumeMounts: +- mountPath: BsnW + mountPropagation: 撾<¥燩Uáb魩2wdz携W駟c韀羸â閹 + name: kS + readOnly: true + subPath: MQkyaubVs + subPathExpr: Bc +extraVolumes: +- name: FK5aYrlt +- name: BuMd +fullnameOverride: y0pa6pm83 +image: + pullPolicy: ā + registry: frvkIce + repository: Eyf5QN + tag: NF +imagePullSecrets: +- name: kBoh0Lyd +ingress: + annotations: + GOF: Fk7wcu + J2: ViiBwn6 + WODaheluZ: jCoFdBnr + className: 4Z1r6JSTY + enabled: true + tls: + - hosts: + - hAi45 + - N3wGXf + - 2Og0 + secretName: 11BdzGx + - hosts: + - MPqkMom + - mBwetJrK + - PcEKgK + secretName: HtA + - secretName: jRYKg +initContainers: + extraInitContainers: "" +livenessProbe: + exec: + command: + - 5l + - TPa5xuR1 + - pL3 + failureThreshold: -665161597 + grpc: + port: -1993107785 + service: u6KPs + httpGet: + host: R4Get + path: 0V + port: 1160926320 + scheme: ǨĄBW躼uQ劢Z + initialDelaySeconds: -958442622 + periodSeconds: 1883059027 + successThreshold: 1933410843 + terminationGracePeriodSeconds: 6283661173054068495 + timeoutSeconds: -1835273944 +nameOverride: "" +podLabels: + ZUMXq: 1paitbyR + o5jSmwn: "1" +podSecurityContext: + fsGroup: -2194962218839547968 + fsGroupChangePolicy: Ƃ搵Ņů羁nʇ雵Ri摿TǛø!ʣa饪詹 + runAsGroup: -8349123147211058668 + runAsNonRoot: false + runAsUser: -7634316416044162316 + supplementalGroups: + - -8005115528631553908 + - 3338610853164048033 + sysctls: + - name: KolWq + value: HzqTwBK4G4 + - name: rWyCA7 + value: DXY + - name: ukO43edoA + value: EVLsuF +priorityClassName: vW +readinessProbe: + exec: + command: + - 0X8tCVJI + - Sm4 + failureThreshold: -1604827341 + grpc: + port: 42051403 + service: H + httpGet: + host: 0gB9WjO + path: 0sPD + port: -849836679 + initialDelaySeconds: -1237987229 + periodSeconds: -2089146286 + successThreshold: 1944965466 + terminationGracePeriodSeconds: 6313366685724995629 + timeoutSeconds: -421565232 +replicaCount: 180 +resources: + limits: + pWciOVB3: "0" + requests: + CokuM: "0" +secret: + create: false + enterprise: + licenseSecretRef: + key: KGprr + name: w + kafka: + awsMskIamSecretKey: "" + protobufGitBasicAuthPassword: SerI + saslPassword: GKTX + schemaRegistryPassword: 4e + schemaRegistryTlsCa: "" + schemaRegistryTlsCert: 5V + schemaRegistryTlsKey: WFfrAH2a + tlsCa: kdCuX + tlsCert: j8Y2S + tlsPassphrase: jzecZl + login: + github: + clientSecret: cRkCl + personalAccessToken: 7XzR7g4 + google: + clientSecret: 1h + groupsServiceAccount: PpzN + jwtSecret: "" + oidc: + clientSecret: r + okta: + clientSecret: om + directoryApiToken: vYqev5 + redpanda: + adminApi: + password: X0 + tlsCa: MadMnzee10AL + tlsCert: SXxHZ + tlsKey: HYAn +secretMounts: +- defaultMode: 257 + name: mbhBeHK + path: 4B + secretName: "3" +securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - ɓ秈Ǽ霏*苇ȋɇ燡ƲɔċɈx + - 畼#QȲȬ懹脆俼[葓箘Ⱥ¿ + - ƭ + drop: + - 鉉C餱芕鳧ǥƔʚŰ + - ǖ瞱祈)售歜ŃȀƖ厀Ʃ9茡ɥq + privileged: false + procMount: '''³編Ź~莽WS2孲j禺' + readOnlyRootFilesystem: false + runAsGroup: -7898786566866618408 + runAsNonRoot: false + runAsUser: 5048177807031045156 +service: + nodePort: 402 + port: 11 + targetPort: 465 + type: 9TsjJQkJZ +serviceAccount: + automountServiceAccountToken: true + create: true + name: Gma +strategy: + rollingUpdate: {} + type: I讗烉Ð-Ǵ +tests: + enabled: false +topologySpreadConstraints: +- labelSelector: + matchExpressions: + - key: 8oHl6iWalV + operator: 嗌ƕþ]eěk歄兠惴5]nj鿵ų|暫\ + matchLabelKeys: + - n2lT + - nr + maxSkew: 565546972 + minDomains: 1026506021 + nodeAffinityPolicy: _攊v + nodeTaintsPolicy: 踠~Ë?¶嘬 + topologyKey: OZKwm9I + whenUnsatisfiable: 艽ʧj +- labelSelector: + matchExpressions: + - key: e + operator: 貙wɡȗ扊l橠,ȶ^ + values: + - "2" + - 1aeU + - X1mzNz + matchLabels: + Kw: L0rDwe + hFD: 9Kbm7CtaSg + matchLabelKeys: + - lw1gZ + maxSkew: 131623139 + minDomains: 1034504401 + nodeAffinityPolicy: NƎ乮+却ŷƑIf.L焚 + nodeTaintsPolicy: "" + topologyKey: dpa7OA + whenUnsatisfiable: 貧uƻläʯlÓʐȮ竇dʐ疮儾 +-- case-044 -- +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: AFOKvXU + operator: ¸藬 + values: + - vIFxLM + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + ZpWVx: agTJ2kP3DWNYN + matchLabelKeys: + - "4" + mismatchLabelKeys: + - 0qG + namespaceSelector: + matchExpressions: + - key: D8 + operator: d|ɬ曖 + values: + - p3iQYi6Y + - key: c + operator: ǵmV逛鲳鈐譮稹ÚȾČXú + values: + - a + - 3C55L6S7 + - SQaxr + matchLabels: + "5": jC + namespaces: + - oDKjy + - "" + topologyKey: C9jgFk + weight: 1276231314 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: lGp2 + operator: "" + matchLabels: + "": sKP1q2 + 44krG: UrYUSMsisV + unYZqLh67: tMKQ + matchLabelKeys: + - orDt3ZdEA + - LIBJK3 + mismatchLabelKeys: + - bgz2i + - CNqlQJ + namespaceSelector: + matchExpressions: + - key: 35CZTXLY + operator: 掟0笝润ɲDGĪ1Ɋ乧鴹ǥ + values: + - OOB1s + - o4H + - key: f21 + operator: nȿqh + namespaces: + - L0w7 + - DB9 + - T1mom4CrS + topologyKey: OWKJz + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: WaOHp + operator: Ƥ熅ǒe²敹Ņ0ľ(Ȯɩ6ÿ + - key: 0X + operator: be3蚛鷿_鴈y+圚ʀF虹D + values: + - ZIZDTnyfwD + - B4NWO9ffPz + - 1jsu + matchLabelKeys: + - mXhYg + mismatchLabelKeys: + - mp6 + namespaceSelector: + matchExpressions: + - key: xE + operator: ʩ畕 + values: + - uc7IZ + - Hxl1 + - key: Xb41Q + operator: cʓʁ卡嵷韻 + values: + - pA + namespaces: + - edcrY + topologyKey: sP2BdI + - labelSelector: + matchExpressions: + - key: U0 + operator: 卢ʩ + values: + - OBtefl + - yMIZlx + - key: X + operator: Ǔ%é鵔:ß侙鞅 + values: + - s1qg3meB + - e6J6ZH89 + - key: dhFO + operator: ƋŎ頖,é襺枣Ť卩骏ɰ抟篧JɂǛȝȵ + values: + - R9sJoCz + matchLabels: + 2T: 84ZhksfB + matchLabelKeys: + - Yc41 + mismatchLabelKeys: + - zgncb + - pCwXYOK + - hViR + namespaceSelector: + matchExpressions: + - key: 3hWtuB6Y + operator: ʪ+ʜǻ拎奜跁ª4鶒鲒[ʒJi\ʝ)皡 + values: + - s + - key: xGSn + operator: 羥/Br=Z擧Ŀ泀Ą舨cïŕɘʡȽIJ鉽 + values: + - lOZtQ2cI + - Vk6 + - Ri3t + - key: Z6UDhR9VLqSA + operator: 淸c欨pɝo腛ı廓齩鄬檏繑郭>Ö呡 + values: + - s6hp + topologyKey: wZZTf + - labelSelector: {} + matchLabelKeys: + - afDo + mismatchLabelKeys: + - S + namespaceSelector: + matchExpressions: + - key: AWObA + operator: ĝf表OS厅啬児0~L槩华L稙訐\Tȼ + values: + - M39 + matchLabels: + 0D9: u5 + T1: xiLiZn + v6: nSQp5 + topologyKey: mr +annotations: + 4i: zwiMMKf + ZTKUDg2t: qHc7 + fGsx: dIpd +automountServiceAccountToken: false +autoscaling: + enabled: false + maxReplicas: 220 + minReplicas: 54 + targetCPUUtilizationPercentage: 269 + targetMemoryUtilizationPercentage: 205 +commonLabels: + BvJq2xZ: jY6O0 +configmap: + create: true +console: + roleBindings: + - UiHg9: null + - "": null + mAYLjAybA: null + roles: + - 0NpG04j: null + UxtPt: null + l5dMdK: null + - J9: null + MzWfEl: null + yNu: null + - "": null + Pv: null + tGJIDyXG: null +deployment: + create: true +enterprise: + licenseSecretRef: + key: x8ik3q + name: K7c7oe +extraContainers: +- args: + - CCdc + - xnWsPf + - K9Lp8whZH + envFrom: + - configMapRef: + name: eRd + optional: true + prefix: jF9v + secretRef: + name: QS0dQM4 + optional: false + image: UEbFmY + imagePullPolicy: ɂǖ耒ȯ+Ǎ妸ÄĊ wʠB堯¥ƿɤp + lifecycle: + postStart: + exec: + command: + - 89MtW + - LOaqkcP + - JzjyxNZS + httpGet: + host: "3" + path: V + port: RUOELw + scheme: u*暪÷鰦ʭ,0噱D #干 + sleep: + seconds: 7312334685976474890 + preStop: + exec: + command: + - Cmo91luAq + - DTCwI + - d3Q8xly + httpGet: + host: e + port: -1761554680 + scheme: '|' + sleep: + seconds: -8572473558022233717 + livenessProbe: + exec: + command: + - 1K0Fir + - Ws + - jWym + failureThreshold: 1492079208 + grpc: + port: -1612320137 + service: wk3AYU + httpGet: + host: U + path: yLWf + port: dE + scheme: (魠ʫ倳|岺溻IJħu|æ粅 + initialDelaySeconds: -1551121242 + periodSeconds: 101556636 + successThreshold: -690762638 + terminationGracePeriodSeconds: -7606489989577612357 + timeoutSeconds: -947750725 + name: GKPhj2 + ports: + - containerPort: 690563670 + hostIP: mVXvug29A + hostPort: -1389446008 + name: pcUz3a8NWF + protocol: o& + readinessProbe: + exec: {} + failureThreshold: 816403475 + grpc: + port: 2090385753 + service: pp5W00 + httpGet: + host: sP9DV + path: cpLL + port: TNUIzm + scheme: '!敓GĜƝ塀ȏ@{8嶤ɍ|' + initialDelaySeconds: 911169006 + periodSeconds: 257542772 + successThreshold: 1702435185 + terminationGracePeriodSeconds: -4557510245814657403 + timeoutSeconds: -581799810 + resources: + limits: + 5UdZ91O: "0" + TXdC: "0" + bK0pEj0Mb: "0" + requests: + s8hZFXOGF: "0" + tCP: "0" + restartPolicy: Ǩ轡´@ǂȟ + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - 鿞;P粜鬌)Ǭ郑&鑉k!f] + - Ċ + drop: + - ?孡渄:Ơ廔晞!ē8瞅@rDZ_ + - cfdú¯'ƱơÅś祏侪 + privileged: true + procMount: ȝ?A@û2蝓撕%o摤絡) + readOnlyRootFilesystem: true + runAsGroup: -2314751572399378702 + runAsNonRoot: true + runAsUser: 989961539055775316 + startupProbe: + exec: {} + failureThreshold: 971752114 + grpc: + port: -1594677871 + service: O + httpGet: + host: EIXRs + path: EA1CukJtUZ + port: g9g0 + scheme: 遱O靑課淁hɕ怡ņ鲥 + initialDelaySeconds: -1020857297 + periodSeconds: 1332161137 + successThreshold: -1412285197 + terminationGracePeriodSeconds: -7087737322486666596 + timeoutSeconds: 563432789 + stdin: true + terminationMessagePath: S + terminationMessagePolicy: =ɑ_èʊâ錯Ɛ窾O亇_ + tty: true + volumeDevices: + - devicePath: 2EtZS + name: "" + - devicePath: glBRF4 + name: e8K + volumeMounts: + - mountPath: L4U + mountPropagation: '}6ʓ蓱9峖3疖售Ʉ朞' + name: 4oVeDs + subPath: RoA + subPathExpr: b + - mountPath: b3TFcP + mountPropagation: ʘʟ| + name: jg4Ya + subPath: F + subPathExpr: flS + workingDir: VZi6ElPHw +- command: + - 3xxCjTRw + env: + - name: 1n + value: cHl + valueFrom: + configMapKeyRef: + key: "95" + name: gi + optional: true + fieldRef: + apiVersion: sQA8hZeZu + fieldPath: xgpJlFJ2 + resourceFieldRef: + containerName: fLR0HyM + divisor: "0" + resource: Sanx4 + secretKeyRef: + key: XgKm5 + name: gvoS9jB + optional: false + - name: s2cwze + value: hu + valueFrom: + configMapKeyRef: + key: fDoUz3 + name: XKG + optional: true + fieldRef: + apiVersion: q0CUy1W + fieldPath: B3Lkh + resourceFieldRef: + containerName: V1gnkr8hpTmU + divisor: "0" + resource: 7PEJNYX + secretKeyRef: + key: IiBIw + name: kiXa5 + optional: false + envFrom: + - configMapRef: + name: JayMLn + optional: true + prefix: Iyk + secretRef: + name: I8 + optional: true + image: uuJKCAGoiYb + imagePullPolicy: '&mɈ{DC鹪ŘƖ暢C镯VĪɮJ樟' + lifecycle: + postStart: + exec: {} + httpGet: + host: TlUl + path: v9nd + port: Khf + scheme: 雦G'獲ɕ垑Ɠ奚 + sleep: + seconds: 3204757101293724426 + preStop: + exec: + command: + - s8505Cg5U + httpGet: + host: hAMBGK + port: LNxGid + scheme: 9?Ɉ + sleep: + seconds: -7512312074000843110 + livenessProbe: + exec: {} + failureThreshold: -1252597876 + grpc: + port: -544919593 + service: "N" + httpGet: + host: xfP + path: ByIZxFF1w + port: 465839308 + scheme: ôȔʄǽȕ$Ɨ嫸% + initialDelaySeconds: 1827740835 + periodSeconds: 1434348082 + successThreshold: 1145653124 + terminationGracePeriodSeconds: -9056662989967493169 + timeoutSeconds: -741454610 + name: pkN5 + readinessProbe: + exec: + command: + - pmJ6cF + failureThreshold: -182850181 + grpc: + port: -30654612 + service: q + httpGet: + host: Vra + path: tovB7 + port: -934938952 + scheme: Ⱥǵ1茆鯨ț]ų1ơñ澂 + initialDelaySeconds: -1966697414 + periodSeconds: -1866944455 + successThreshold: -259752087 + terminationGracePeriodSeconds: -4535014313385885341 + timeoutSeconds: -1545912021 + resizePolicy: + - resourceName: RxDBqX + restartPolicy: 韌ʮ濅& + - resourceName: spCee + restartPolicy: 腋+桯PɆ誎z4µ&ȁou-囈鵼夵v| + resources: + limits: + rElH: "0" + requests: + "": "0" + restartPolicy: 7GK¦碦ǒ抩Z芍緜 + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - NjǗA窇ţ + - 逈%Ǵ7QǚƶƜr + drop: + - 鹭Iv0蠤'Ɵ皝ƨ=¨ + privileged: false + procMount: èįƤ;L虥u籖ʄƎ}橃V炖 + readOnlyRootFilesystem: false + runAsGroup: -1041723617216276814 + runAsNonRoot: false + runAsUser: -3933065726531016441 + startupProbe: + exec: {} + failureThreshold: -983644738 + grpc: + port: 1827183629 + service: X7oC1 + httpGet: + host: vGk + path: ohKaYc + port: l1rVsh9 + initialDelaySeconds: -648569392 + periodSeconds: 873065120 + successThreshold: -612441773 + terminationGracePeriodSeconds: 6808330544454597158 + timeoutSeconds: 1534439066 + terminationMessagePath: VYh + terminationMessagePolicy: 唌Üi+ + volumeDevices: + - devicePath: DGsn + name: Ia + volumeMounts: + - mountPath: "14" + mountPropagation: 渉seǝ蕟厪ë嵎ǥ墮@ + name: "" + readOnly: true + subPath: C1G4VS1 + subPathExpr: eU + workingDir: odPxO +extraEnv: +- name: Ahlf + value: UEv + valueFrom: + configMapKeyRef: + key: uwaRvb + name: M8Iklu7qx + optional: true + fieldRef: + apiVersion: H + fieldPath: 43xb + resourceFieldRef: + containerName: t8wgC87mO + divisor: "0" + resource: Z + secretKeyRef: + key: "" + name: EQfJ3z7tv + optional: false +- name: xj + value: lwmxmxP + valueFrom: + configMapKeyRef: + key: "" + name: cdBhO + optional: true + fieldRef: + apiVersion: U + fieldPath: Dj1sswKP + resourceFieldRef: + containerName: 1p3yUdrvd + divisor: "0" + resource: 5A + secretKeyRef: + key: DDcgdcu + name: oD38 + optional: true +extraEnvFrom: +- configMapRef: + name: 2ECaB + optional: true + prefix: bao + secretRef: + name: CA5S95 + optional: false +extraVolumeMounts: +- mountPath: v + mountPropagation: ?IJ純ʈxɧʅ + name: 9AiRaE35OlCv + readOnly: true + subPath: 2dv5RZ + subPathExpr: H7f +- mountPath: "4" + mountPropagation: 涾頴tOĜʥ朤 + name: ePEz + readOnly: true + subPath: BY + subPathExpr: w +- mountPath: n5FPgiJmk + mountPropagation: Ǵ棢__@ŗɆ4瞑5ŗ­L/ķ{篦ǯ + name: NryERK9Q + readOnly: true + subPath: tINFMAR5 + subPathExpr: VrBKy +extraVolumes: +- name: Kt6NIoVzEY +- name: O +fullnameOverride: resP +image: + pullPolicy: 讘ɂȴɩF壜î栒p + registry: UqWwteW0x + repository: TZqk + tag: 0fpMB +ingress: + annotations: + 7CEw: nk8 + bqg: H5 + x1S7: Pu + className: 6IuECM + enabled: false + hosts: + - host: gDc + paths: + - path: len9tdPYcpq + pathType: XETm5mmK3Es + - path: zn5u + pathType: p5jlQul + - host: "" + tls: + - hosts: + - Th5w + - xssK + - xFW9 + secretName: wA + - hosts: + - bR + - U73RtLKOI + secretName: jEnKU +initContainers: + extraInitContainers: 0VCU +livenessProbe: + exec: + command: + - wV + - eooUnSLpW + failureThreshold: 1147871047 + grpc: + port: 483952618 + service: Ca + httpGet: + host: pXrlUHltqchNl + path: kMP5 + port: -1823407150 + scheme: Ò壻«Ƭ魠?ǣ×Ç + initialDelaySeconds: -470682176 + periodSeconds: 842863336 + successThreshold: 2078067842 + terminationGracePeriodSeconds: 8174922400865091455 + timeoutSeconds: 1252398573 +nameOverride: tvDI +nodeSelector: + 2i: dRi6btw6 + R4: UsW + fFNJXGk: XBkx +podAnnotations: + N0F: vSjZxkjW +podLabels: + K1uahi: UMygEU2O2 + ecdKkB: "1" +podSecurityContext: + fsGroup: -3027126285888130862 + fsGroupChangePolicy: 袺芥ŵ罋o郘渢e堫柝dž + runAsGroup: -3172565869747057973 + runAsNonRoot: true + runAsUser: 5739747577453985710 + supplementalGroups: + - -1289730562709624524 + - 2918948066534341347 + - 8836988143915675306 + sysctls: + - name: ZSspAgrV + value: ES11 +priorityClassName: 8KMLup9vb +readinessProbe: + exec: + command: + - 50jwjhoUN3n + failureThreshold: 1026367217 + grpc: + port: -238173978 + service: Ju + httpGet: + host: wDDq9i + path: w7hRVdP6kmTaLN + port: -919313657 + scheme: 闡ś + initialDelaySeconds: -233395254 + periodSeconds: -96619339 + successThreshold: -2083481091 + terminationGracePeriodSeconds: -7352799244112409845 + timeoutSeconds: 1827269276 +replicaCount: 410 +resources: + limits: + eYVLCq: "0" + requests: + P: "0" + VsuQcjg: "0" + jwq: "0" +secret: + create: false + enterprise: + licenseSecretRef: + key: zvbci + name: W0 + kafka: + awsMskIamSecretKey: SFtL8nb + protobufGitBasicAuthPassword: "" + saslPassword: "" + schemaRegistryPassword: p + schemaRegistryTlsCa: 0m5L + schemaRegistryTlsCert: fqb + schemaRegistryTlsKey: whFm7 + tlsCa: 2Ir + tlsCert: JBVRtfzSurH + tlsPassphrase: OSDd + login: + github: + clientSecret: mCF8qeqhA + personalAccessToken: 7MnYqfh + google: + clientSecret: uo83GiVX2X + groupsServiceAccount: LCEQJi + jwtSecret: cmCx + oidc: + clientSecret: jW3Syrm + okta: + clientSecret: RDyL5FTb + directoryApiToken: BmJgmq2h + redpanda: + adminApi: + password: 6pe + tlsCa: gzJP1h + tlsCert: GRhBENFNa + tlsKey: qKQ +securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - ɐ毻sǨ斩麀|髦 + - (波F= + - 2鱶ɥǚ蘃齯ʃE桹蹝Ȓ畸蘋桙0 + drop: + - c掁轖e9\Ǟ¦ + - ȽT下Zź%賂蕄3 + - 乯`ŤĊŸ眸ʞ缔Ň妌嵳楕ǐwč*ǩ妩ɴ + privileged: true + procMount: ŃE诩Ŗś僆 + readOnlyRootFilesystem: true + runAsGroup: 6580465723841053659 + runAsNonRoot: true + runAsUser: -56006153890553620 +service: + annotations: + CRHNsVY: Nl04 + nodePort: 437 + port: 103 + targetPort: 329 + type: "" +serviceAccount: + automountServiceAccountToken: true + create: true + name: W9k +strategy: + rollingUpdate: {} + type: ɬdW5f +tests: + enabled: true +topologySpreadConstraints: +- labelSelector: + matchLabels: + 435gSB: cXqM + XuT: nA + sKWX6pPX: YyYe + maxSkew: -1347306472 + minDomains: 1890499147 + nodeAffinityPolicy: 扒Ŕ + nodeTaintsPolicy: 諹uɔM_灢ʫ6ªWŢ庿ɛ + topologyKey: 34nlpPe2Tl + whenUnsatisfiable: šĉ鎨嶕鯖Ťȯ蝲萤ɪeCŒ5ő3|押 +-- case-045 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchFields: + - key: MyOwAD1 + operator: 啜0Ȕ + values: + - ZGn4YX + - key: jDkjMmXqE + operator: NŤ~鷚ȃÐ醩@鿘.礡PdL + values: + - N3K + - ow + - PzPEWA + weight: -72104605 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: JvUcVrA7 + operator: Žx"ơ + - key: xqi + operator: 1匹层舕ƒ僜ʓ + values: + - e + - key: eLiG + operator: '[r-!"ĻŻ艂酁嵍鏺]髠' + values: + - EKgA + - 2tR + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + 7EKjs: lal36 + matchLabelKeys: + - DsNc + - EF + - MxSx7 + namespaceSelector: + matchExpressions: + - key: AJRciio + operator: I鎴 3ɡƞK慳hĉ + values: + - dh + - key: O8 + operator: ʤ喜牅ƫ]Ȉʚ廆Ƨ椬訐儹9ȡ趿 + values: + - QIR + - 4QIg3r + - key: xEKeM + operator: 嬕 + values: + - R0qm21j + topologyKey: yN7rFb + weight: 371178507 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: 6m + operator: "" + values: + - sEP + - r + - 916oARGpag + - key: YtLdy2vWFRG + operator: "" + values: + - NbAvpL8G + - 0a3vqv + - key: TOiWxWC + operator: ǝ椦誄ȟ2沾ʩɁǢɶ攧Ţ胑< + values: + - BDKh + - NFb9UYct3p + - TFdQLF + matchLabelKeys: + - TACd + - RFCD1IMt + mismatchLabelKeys: + - CLaySswMot + - S3sEweRaY + - tC6pZ + namespaceSelector: + matchExpressions: + - key: pDz + operator: "" + - key: iRP7TsiyE + operator: 8šiƛPċŞ貲I轒ĮÜ + matchLabels: + 4IVb55JZf: "" + XokO: FntMc + namespaces: + - BOohC67i + - tv + topologyKey: Wc36G + - labelSelector: + matchExpressions: + - key: 2swiyf9 + operator: X + values: + - "2" + - Mmu6iYl3 + - XsZhnelID + matchLabels: + zf: IJlhUxrQg + namespaceSelector: + matchExpressions: + - key: RMLd0ptomdzoSd + operator: ƋŲǯ-'Dð獿礘ĘQ蕲螙x + values: + - rz5QKfx + - key: smO + operator: DɴK*4瘢齮 + matchLabels: + "": crZm + R7TX: 7hcjy + Yh: dyM1 + namespaces: + - PqubN + - elFz + - 5Iah6Cz + topologyKey: QE + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: faWSc + operator: ʚʉŝwʊ寭跼Z + values: + - dgKap + matchLabelKeys: + - sEXCWO + mismatchLabelKeys: + - BqB + - QSJQOy + namespaceSelector: + matchExpressions: + - key: 9zT + operator: 锂遼9ɎVn嵕缰~ + - key: bJi68gZ + operator: 己樚僚%隓馦d + values: + - LT + - "" + matchLabels: + yt: Z + zMv4Ez: NSxkcn + namespaces: + - bfc + topologyKey: pUFg7ZP + weight: -962989660 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: {} + matchLabelKeys: + - "" + mismatchLabelKeys: + - Mfh + namespaceSelector: + matchExpressions: + - key: 6Ax1cf + operator: ʆ骜ʣ蘧F栮,C + values: + - 1WljmgAmSY + matchLabels: + 174k: 7or9Mr + F4YETWGCg: Rt46e + cMQyYT: RTaOOxz3Li + topologyKey: 9j +annotations: + 12kkcHLZdTIn: FQ4am + LQDfr: q +automountServiceAccountToken: false +autoscaling: + enabled: true + maxReplicas: 305 + minReplicas: 326 + targetCPUUtilizationPercentage: 344 + targetMemoryUtilizationPercentage: 186 +commonLabels: + M1diW: PVb +configmap: + create: false +console: + roles: + - tvT4mf0wFe: null +deployment: + create: false +enterprise: + licenseSecretRef: + key: kMfu2CiNvgC34 + name: oa9a +extraContainers: +- args: + - HP10TO + - kuCNcTLL + command: + - m + - Nww8 + - 98Rn + env: + - name: SSO + value: dOiVAD + valueFrom: + configMapKeyRef: + key: rG6s + name: ZIOGFg7 + optional: true + fieldRef: + apiVersion: 5QpSAgTC + fieldPath: wvXbuBkn + resourceFieldRef: + containerName: ZRxTJ6p + divisor: "0" + resource: lxXIfgo + secretKeyRef: + key: a4I + name: fdAC + optional: true + - name: t + value: lhJB5Gu + valueFrom: + configMapKeyRef: + key: 9sIY7ap56C + name: jxSPO + optional: true + fieldRef: + apiVersion: 7y + fieldPath: TVs + resourceFieldRef: + containerName: Bk7GMS + divisor: "0" + resource: KghhcLY + secretKeyRef: + key: "4" + name: Q0xn + optional: true + envFrom: + - configMapRef: + name: xkM + optional: false + prefix: 6Hmq + secretRef: + name: 2W7 + optional: false + - configMapRef: + name: nw + optional: true + prefix: ZF8q + secretRef: + name: Hazz + optional: true + - configMapRef: + name: C0TBIATG + optional: true + prefix: Wm + secretRef: + name: Yg2 + optional: true + image: vXSldD9 + imagePullPolicy: .Ś.l庥抁臚蚋巸_ȧʟ[R榶E + lifecycle: + postStart: + exec: + command: + - oN + - eEYgTnILd + httpGet: + host: mg7llOt105m + path: dtlR4G + port: wD90f + scheme: ʖ两ĕ¤¬瞮U? + sleep: + seconds: -2237517267526569736 + preStop: + exec: + command: + - GMjypvCI + httpGet: + host: T8pa05 + path: u9bCqIg + port: M9zgB + scheme: '*蛬ŻĈ' + sleep: + seconds: 475574192596548942 + livenessProbe: + exec: + command: + - dUJeULUg + failureThreshold: 1485223326 + grpc: + port: 701458966 + service: CQKKuIS4d + httpGet: + host: E2fjZ + path: XvuU + port: NoCTx + scheme: 蜼烀ȏǓɦMDn糆ƥHʼn/瓏ìȢŷ + initialDelaySeconds: -1475170089 + periodSeconds: 1989433587 + successThreshold: 1386111224 + terminationGracePeriodSeconds: 5430499533574282933 + timeoutSeconds: 1740226413 + name: wG4ZxvZMuJ + readinessProbe: + exec: + command: + - "6" + - obo + failureThreshold: 2126666969 + grpc: + port: 521888256 + service: z + httpGet: + host: Fpq + path: ghrc2 + port: -314576227 + scheme: 瓰vp烫ǁĴŰDȐ插研Ǽʜ + initialDelaySeconds: 1330937719 + periodSeconds: 78230226 + successThreshold: -351220698 + terminationGracePeriodSeconds: 6147801770047971409 + timeoutSeconds: 1906635539 + resizePolicy: + - resourceName: Waf + restartPolicy: ʑ艜ɾ蘩Ƈ`7ɫ坓弎Ȗƈ + resources: + limits: + WfxZ: "0" + gZ: "0" + oup1P0j: "0" + requests: + D0AyOZ87h: "0" + Wmp9uU8: "0" + mowWvEm: "0" + restartPolicy: ǔ輋篐棶耏īʡm0Ñ!ř$曤Qʢ瞪Ļ + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - Ì酃`sŬ硪W#鿻Gƃu + - 先ĜtàX + privileged: false + procMount: Ĕʤj螹țȞVa + readOnlyRootFilesystem: true + runAsGroup: 5877071704122825347 + runAsNonRoot: true + runAsUser: 607897543692979281 + startupProbe: + exec: + command: + - 1R1GIynL2u + failureThreshold: 197417586 + grpc: + port: 581882770 + service: jrlDhPYYcBk + httpGet: + host: btMskta + path: iy + port: -1405181644 + scheme: ­劲襇板ƶ2豣Ă輒" + initialDelaySeconds: -317632223 + periodSeconds: 1128778719 + successThreshold: -878681442 + terminationGracePeriodSeconds: -5809012571377279815 + timeoutSeconds: 326998121 + stdin: true + terminationMessagePath: vlSz + tty: true + volumeDevices: + - devicePath: jpSm + name: A1S8F + volumeMounts: + - mountPath: zH + mountPropagation: Œib抪黠wƱ軭 + name: vY1XOHYYy + subPath: Tui26JLZyP + subPathExpr: 2T0bhLFBv + - mountPath: qLd4 + mountPropagation: = + name: MlJNiuK + subPath: Gt + subPathExpr: 1br + workingDir: qaJz +extraEnv: +- name: "" + value: 8qqxpUmb + valueFrom: + configMapKeyRef: + key: nyn + name: 2a6 + optional: true + fieldRef: + apiVersion: 4VL + fieldPath: mLkq5SaY + resourceFieldRef: + containerName: q58NCY4 + divisor: "0" + resource: iTwPTz + secretKeyRef: + key: fymwKG2di + name: jP + optional: false +extraEnvFrom: +- configMapRef: + name: kjk + optional: true + prefix: bXXh + secretRef: + name: ksMoUzjV + optional: true +- configMapRef: + name: 8AWI + optional: false + prefix: hqwWp6 + secretRef: + name: a + optional: false +extraVolumeMounts: +- mountPath: g + mountPropagation: ƎÀ虰|墫} + name: izh4Kt + subPath: l3Jx + subPathExpr: bgpu9UdSPr4CF +extraVolumes: +- name: UQKug +- name: giK +fullnameOverride: 9gCm5xz +image: + pullPolicy: "" + registry: I + repository: utUA + tag: 3NaFJMnq7cwb +imagePullSecrets: +- name: rTO7I +- {} +ingress: + className: y6u9o + enabled: true + hosts: + - host: V + paths: + - path: VRp3 + pathType: WX + - path: ZXqa + pathType: LXDjotJK + - path: b + pathType: 6l3svu + tls: + - hosts: + - SzMunki + secretName: OT +initContainers: + extraInitContainers: Gaa +livenessProbe: + exec: + command: + - w + - 4y0unO7q + - fUMv46yk + failureThreshold: 564680295 + grpc: + port: -274686900 + service: SZ + httpGet: + host: "97" + path: R + port: sw2f4 + scheme: ǖe灻膃爌|rQʮ` + initialDelaySeconds: -1623540175 + periodSeconds: 2083875877 + successThreshold: 1467697726 + terminationGracePeriodSeconds: 1240720412315600394 + timeoutSeconds: 514813622 +nameOverride: tOoxEiwdVpT +nodeSelector: + 4X: PJ6v +podAnnotations: + TImM2rpn: ixT +podLabels: + jAyDz: vW2 +podSecurityContext: + fsGroup: 8841428564051369991 + fsGroupChangePolicy: '''諢憭捽鉚ƾ邓鈽6M_s' + runAsGroup: 5877981406957979012 + runAsNonRoot: false + runAsUser: -2714811370596686768 + supplementalGroups: + - 3627757755693767927 + - 3933990106793080427 +priorityClassName: Op +readinessProbe: + exec: + command: + - Rvxle1 + failureThreshold: -1544911058 + grpc: + port: 1480625343 + service: iUWGjn1Yq + httpGet: + host: 0Wg8b + path: qrDi3 + port: -689203177 + scheme: 馨PƆȣdfTNʫ*ɀLɐ3} + initialDelaySeconds: -386708604 + periodSeconds: -1196967535 + successThreshold: -658970667 + terminationGracePeriodSeconds: -8534050677682835111 + timeoutSeconds: 1352482566 +replicaCount: 218 +resources: + requests: + Nh6YX: "0" + z: "0" +secret: + create: true + enterprise: + licenseSecretRef: + key: "9" + name: Pd + kafka: + awsMskIamSecretKey: "" + protobufGitBasicAuthPassword: naFpMBw + saslPassword: nKEzr + schemaRegistryPassword: xU + schemaRegistryTlsCa: pc + schemaRegistryTlsCert: fF1z9FE + schemaRegistryTlsKey: tx + tlsCa: bhhbwypQ + tlsCert: Dw1477 + tlsPassphrase: zRD + login: + github: + clientSecret: 1UD4N + personalAccessToken: LmFkP6BgmLQ + google: + clientSecret: m + groupsServiceAccount: "" + jwtSecret: 9ejQZ6 + oidc: + clientSecret: cXdjG + okta: + clientSecret: eF90RohF + directoryApiToken: 1zXLSJEQ + redpanda: + adminApi: + password: rr4c4 + tlsCa: Eonnpq + tlsCert: aPCNgYI + tlsKey: vlrLQ9I9 +secretMounts: +- defaultMode: 266 + name: omIzst + path: "" + secretName: Pn +- defaultMode: 133 + name: "1" + path: gIWg + secretName: gi4zM +- defaultMode: 451 + name: lrUYguc + path: D9pR + secretName: 3FH +securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - m优ķNJ噓+Pð + - 橯O燁 + drop: + - 褈墄ȃ杵 + - 娨Î + - rƴ}Ɇ橮ʕ*m敼ʎhǰ.ʔcZ + privileged: true + procMount: 攏O婑 + readOnlyRootFilesystem: true + runAsGroup: 8829730151763757512 + runAsNonRoot: false + runAsUser: 64441908715087607 +service: + nodePort: 325 + port: 314 + targetPort: 398 + type: C +serviceAccount: + annotations: + "": zL + EANkzh: rmy + automountServiceAccountToken: false + create: true + name: nX5G +strategy: + rollingUpdate: {} + type: ɬ(ìɅ +tests: + enabled: true +tolerations: +- effect: ɥ)藖朡YȖɌGǼRŗ迼@醹F6鎚 + key: 7Nq + operator: "4" + tolerationSeconds: 3766411560743927749 + value: TCksEtpTf +- effect: ȷ^?3HʉɚŢȾL + key: mj5pit + operator: 隱瀆J纝ɽÄ:憹欓 + tolerationSeconds: -3549323835306297633 + value: CN0gSHK7T +topologySpreadConstraints: +- labelSelector: + matchLabels: + N5pfvDQM4ZnP: "" + ZDk6ppZLAO: nn + f1Z: 2Molvtunvm + matchLabelKeys: + - cUf4VG + maxSkew: 2039905438 + minDomains: -1795353257 + nodeAffinityPolicy: 啚FLjʐəǪɠ梎Ň沮<^Zæ + nodeTaintsPolicy: Å扯R + topologyKey: qVloCmz + whenUnsatisfiable: ūh挕ŀ靕土伔澍鄓 +- labelSelector: + matchExpressions: + - key: sgB0Jx + operator: "y" + matchLabels: + Dhp: chzEB + matchLabelKeys: + - TBO + - g5M + - h + maxSkew: -825758940 + minDomains: 1383227075 + nodeAffinityPolicy: 婬ȴ羉Ā蕲k<ǯŘ`貉ì攘窼ȶ{黺( + nodeTaintsPolicy: 晓}從磹砛鬀D + topologyKey: MXei + whenUnsatisfiable: Ē舐ɒ'Q|ȃ#Y\厾h +-- case-046 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: 2Nsqe + operator: 阴闤Bǘ尚僞熐蘐槄TČ鉇拍Ɣ唉f钡 + values: + - EQslZWcPKU3 + - key: clrdH7j + operator: 鹓ī郖漖8ĬwƓ + values: + - zsB2 + - HGN2A + matchFields: + - key: Is7w3FDS5zse + operator: -ĉYd + values: + - U4nF56qPTw + - mm38x0AQL5c + weight: -1981921933 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: mRa + operator: ȥǮĬʩɄeƩ蟤确= + values: + - ooR1 + - QIho6keUV5fIUe + - jrOsTe + matchFields: + - key: miXl + operator: ʯ5yɶȁ/z>Ǡb_Ȉ撿÷đ湕ǭ + - matchFields: + - key: yXFe + operator: ȁ!Ńǩ浉F蕊ƕ倉輴Q¬ß巩ɿ + - key: qEUUleUJCe + operator: dz楥Qɗ鎽嚬t轮黑<ƻ眄 + values: + - pXk + - l22 + - l6 + - key: DiInxf + operator: lťõ祟X鬀ò嬬uġ + values: + - CtW2vs2 + - x + - rT + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: 0oFNd + operator: 喯z芡I钷)bę%匾蟨 + values: + - i6xl9Mn + - "Y" + - Dnn1nA + matchLabels: + ACWAVtod: 5MsAi + W7L46x: Iohx + matchLabelKeys: + - tZcagyiX + - 5w + - SMP + mismatchLabelKeys: + - b + - f + - bqCBIIfcdw + namespaceSelector: + matchLabels: + H3qd: 6DBRkuQvCde + namespaces: + - Y3j7k + - 8i2rf + topologyKey: 290Z + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: j8OASVi + operator: Ų驐Ĥ>Ȳ`1)o}嵊袀d + values: + - DE + - key: Iir + operator: WqȊ晝ɛ唊ɵk抩Ǟ紅銫Ş秠Ś~ą + matchLabels: + 8RiTX5m: lU1nenIq2B + B1: gskcNQo6g + D1kq67: "" + matchLabelKeys: + - ii9Ab3 + mismatchLabelKeys: + - 4X2zohLQD + namespaceSelector: + matchExpressions: + - key: HyU35bXzWF + operator: 尽ǰ + values: + - "" + - sB3pY + - 4r + namespaces: + - vW + - LYI + - mhQ0 + topologyKey: pjisw + weight: 1962236401 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 9GtVGXjE + operator: 镭鱆ʁ;崽DȔ3Ĭ鐓敝 + values: + - igW0 + - Qiyx + - zMm24In + matchLabels: + AWiVWW: gPF0Yh + matchLabelKeys: + - 01T9Mphw + - qcecz73o + - o6bBrV + mismatchLabelKeys: + - uJJWe + - 8On4IIB31 + - p4t46HL8K + namespaceSelector: + matchLabels: + h: iExiiF + topologyKey: ZhTV + weight: -2130387111 +annotations: + cflWrdcz: jJe +automountServiceAccountToken: false +autoscaling: + enabled: false + maxReplicas: 451 + minReplicas: 241 + targetCPUUtilizationPercentage: 434 + targetMemoryUtilizationPercentage: 89 +commonLabels: + "": WcYTY + rHtDM6k: ZY6Kw +configmap: + create: false +console: + roleBindings: + - 0RZs: null + 3MoL: null + DS: null +deployment: + create: false +enterprise: + licenseSecretRef: + key: "" + name: mP +extraContainers: +- args: + - TLL + command: + - "" + - kyr + envFrom: + - configMapRef: + name: cGxJkM382 + optional: false + prefix: 8ZYix + secretRef: + name: sptdX + optional: true + - configMapRef: + name: sv + optional: true + prefix: juf4E1 + secretRef: + name: WrvN + optional: true + - configMapRef: + name: stixRM6Z1c + optional: false + prefix: eHg4 + secretRef: + name: kJK + optional: false + image: Q + imagePullPolicy: 榲µʪ + lifecycle: + postStart: + exec: + command: + - AHw4N6lX4 + httpGet: + host: CuJ + path: kY9OI68 + port: I6fEdljwf7WI + scheme: 0Tæ + sleep: + seconds: 8747859025599270243 + preStop: + exec: + command: + - SAiYloe + - rxrb8 + - U1 + httpGet: + host: D + path: Ck4D + port: 1235678776 + scheme: 讅º頼 + sleep: + seconds: 2255567287221174216 + livenessProbe: + exec: + command: + - rlPo + - TpvecI + - c + failureThreshold: -1194959675 + grpc: + port: 1286950474 + service: l03Ttx + httpGet: + host: iZbpkGTG + port: -104521289 + scheme: ǘɚƃŊ1_蛺ƥ篯 + initialDelaySeconds: -1041934050 + periodSeconds: 1858129919 + successThreshold: 812913269 + terminationGracePeriodSeconds: -6125486107996409317 + timeoutSeconds: -1767574186 + name: "5" + readinessProbe: + exec: {} + failureThreshold: 596482569 + grpc: + port: 1150156757 + service: qaPYsPWRM + httpGet: + host: iNasZ6 + path: CpVj + port: GC + scheme: 謭¤GȫȇƄ聭Dłʬ + initialDelaySeconds: -1604058483 + periodSeconds: -603768209 + successThreshold: 1589218932 + terminationGracePeriodSeconds: 4819160591653315271 + timeoutSeconds: 2047446198 + resizePolicy: + - resourceName: Or + restartPolicy: OȜ)漢ɨ酳h + - resourceName: i6roWBCG + restartPolicy: Ćʊ赆ʒ + resources: + limits: + ZTOf: "0" + requests: + "5": "0" + restartPolicy: ȱTǣıN飿 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - c + - Ɛ絜-Ȭ狆ǚƫȼ)ɦȗ欌3Z + drop: + - '*`N}柁番贝鍝陂±Ǖ弊' + privileged: true + procMount: 湅ʨɩƗ吞硩Ǘɵ櫜5 + readOnlyRootFilesystem: true + runAsGroup: 2454233763446715277 + runAsNonRoot: true + runAsUser: 1349777568495231591 + startupProbe: + exec: + command: + - tEiO0Gf + failureThreshold: 1955219951 + grpc: + port: -4890683 + service: 4tTWT + httpGet: + host: 5h5p4Uk + path: JX2HU + port: b6yI + scheme: 娂儯庬Xǿƫ + initialDelaySeconds: 1159427409 + periodSeconds: -1534574298 + successThreshold: 1143094739 + terminationGracePeriodSeconds: -2223019815025430450 + timeoutSeconds: -1544667872 + stdin: true + stdinOnce: true + terminationMessagePath: 1FuR + volumeDevices: + - devicePath: "Y" + name: EahA503T0 + volumeMounts: + - mountPath: QxOZw9E + mountPropagation: N"賬 + name: k4sw3lfzmj4 + subPath: 9a + subPathExpr: q5p0 + - mountPath: 9FHN + mountPropagation: o~ʆ容Ĺkjɋ5cȔcƼ诔楞 + name: wmkq + subPath: M1UIiHV + subPathExpr: IhSh2 + - mountPath: KTgxDgARv + mountPropagation: 篪k矲PƊ$ʇ謞šS婝耻遄 + name: nvW2 + readOnly: true + subPath: u6 + subPathExpr: C3n82 + workingDir: F2B +extraEnvFrom: +- configMapRef: + name: s4S + optional: true + prefix: g8JM + secretRef: + name: Km8n + optional: false +extraVolumeMounts: +- mountPath: VW + mountPropagation: gjɲi呒>[ɻ + name: HRTFVpU6YN + readOnly: true + subPath: J + subPathExpr: Zx9CYV +extraVolumes: +- name: ldO +fullnameOverride: fB6TF +image: + pullPolicy: '&Q眫' + registry: HjNl + repository: z9WL9QV + tag: jKgmVjE +imagePullSecrets: +- name: DL1OBpd0 +- name: jM +ingress: + annotations: + A4M6T: IUmZ9 + AHN: gcT00IU6 + S: lzi1Q + className: aU0xOzsFN + enabled: true + tls: + - hosts: + - PV + secretName: aHG1 + - hosts: + - bX + - Cu + - xuscoJ + secretName: fBCynrlb +initContainers: + extraInitContainers: aF +livenessProbe: + exec: + command: + - mWA8 + failureThreshold: -2111746605 + grpc: + port: -159496093 + service: 5BzT + httpGet: + host: Pgb + path: W + port: FTodWK + scheme: '@ĝȗɰ*8Eȑ' + initialDelaySeconds: 1224736641 + periodSeconds: 1490424943 + successThreshold: 2012886943 + terminationGracePeriodSeconds: 1140281843739171103 + timeoutSeconds: 1910690397 +nameOverride: "" +podAnnotations: + P10bx: 4As + RWk: E + e: rh7XI +podLabels: + SnZ: mnX + aL0TsomY: aVv4hsuMJ7Aiq + luPi3E6: iCt +podSecurityContext: + fsGroup: -137977092678744094 + fsGroupChangePolicy: ʅ翄ąIJU÷[Ɉ<Ǧ兰巒鄂 + runAsGroup: 2453672470118860 + runAsNonRoot: false + runAsUser: -2867620198524252040 + sysctls: + - name: p + value: "" +priorityClassName: wQ +readinessProbe: + exec: + command: + - bmfgcwd + failureThreshold: -1418487663 + grpc: + port: -468793496 + service: MhQm3 + httpGet: + host: nQSr0S + path: M8 + port: 1657726276 + scheme: 鶉阑 $ý + initialDelaySeconds: 1895968402 + periodSeconds: -1686229865 + successThreshold: 1934722351 + terminationGracePeriodSeconds: 2537915062001973026 + timeoutSeconds: 1366589097 +replicaCount: 376 +resources: + limits: + 87w5tBp: "0" + AmXXE: "0" + QH55ZH: "0" + requests: + EbalAlq: "0" + RpvkPX: "0" +secret: + create: true + enterprise: + licenseSecretRef: + key: ellF2F + name: K3 + kafka: + awsMskIamSecretKey: Xs8UvJPyL + protobufGitBasicAuthPassword: BKbdr + saslPassword: xW3EDKA + schemaRegistryPassword: Vewx + schemaRegistryTlsCa: te + schemaRegistryTlsCert: JxH + schemaRegistryTlsKey: jhxioPhQ + tlsCa: eP + tlsCert: H9 + tlsPassphrase: Gz + login: + github: + clientSecret: Q + personalAccessToken: akEcq + google: + clientSecret: vj6 + groupsServiceAccount: pJ8NQ + jwtSecret: jUc4rQpG + oidc: + clientSecret: 8SCyi + okta: + clientSecret: Yd + directoryApiToken: q1rSa + redpanda: + adminApi: + password: mON + tlsCa: rNzsp + tlsCert: UStA + tlsKey: 3E +secretMounts: +- defaultMode: 305 + name: smBrE0cI + path: "2" + secretName: zeb +securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - pij*fƤ + privileged: false + procMount: 罽İ耲,衧駕R=k{ŝ{躈瑮L + readOnlyRootFilesystem: true + runAsGroup: 3478202026348193011 + runAsNonRoot: false + runAsUser: -5521479784565460908 +service: + annotations: + aDeGG7F9S: 5d + nodePort: 439 + port: 271 + targetPort: 481 + type: PK7oH1pcU3 +serviceAccount: + automountServiceAccountToken: false + create: false + name: "" +strategy: + rollingUpdate: {} + type: żb給ū裬M +tests: + enabled: false +tolerations: +- effect: 瑟bĕʫFuěG盲ÿ + key: d + operator: 秸ƿ + tolerationSeconds: -7614909558910242428 + value: h2U4 +topologySpreadConstraints: +- labelSelector: + matchExpressions: + - key: 60k + operator: ʉ赳Ɇǂt硴煟讒ib + values: + - M755avF + - He6fTmtHDXC + matchLabels: + c4BN5BiYtjB: tyUmvwGkL + matchLabelKeys: + - E4G8mM3 + - G1C9Cjj + maxSkew: -1527756346 + minDomains: 432090734 + nodeAffinityPolicy: qǗ阵W&喁CE®ņpPȂ\Ç苗ĈȄ + nodeTaintsPolicy: ȉ珉@:x凝謽Q釀ļn适c顦 + topologyKey: V + whenUnsatisfiable: 瀥 +-- case-047 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: {} + weight: 182966451 + - preference: {} + weight: -2028220392 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: [] + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 5a5MXO + operator: kƎǦƙ«嚄ƭr騥邜Fċʐ叧F& + values: + - BRA + - Ywt7JHE + - key: TjE3wFb6 + operator: O`6ƥ縈L:Ckʄ鹟瑧 + values: + - "" + - dxDLfiL + - 0IgsneLlLo + - key: tuBbSOMR + operator: 桛ʫ褛ʒɩWkv濱瘛#Ěi邱CNǖ4孳 + values: + - 9zJ + - 7T3iJAwX + matchLabelKeys: + - ZYcvinlq + - PwQO9 + - M3gb + mismatchLabelKeys: + - e + - K1XrVh + - D1CkR8 + namespaceSelector: + matchExpressions: + - key: uqnyV6k + operator: rĮ'示嶠ĵ攛Ņ + - key: 0ONfMVB + operator: n梷E8ʟ菛晉 + values: + - Q + matchLabels: + IqH8n: pCJ16S + mUE: HyxdirX0F + namespaces: + - gptVP + - L + - 7CmPHtA + topologyKey: XDhewcrvK + weight: 2033587292 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: jcAfZ5VF + operator: 饀re + - key: sj + operator: U姑R° + values: + - p8zbO + - key: 2LmP5 + operator: ŸȢ庾塁BƖ + values: + - NN + matchLabels: + ApvKyKe: kHE9lIIleR + mismatchLabelKeys: + - n3VRcT5qX + - zGNqgUGNX + - hDZ + namespaceSelector: + matchExpressions: + - key: "7" + operator: 砃=G墈赞飍鵝7d + values: + - Uiz9BnY + - key: hd76 + operator: '{緶ɡnW' + values: + - vc1yj10y + - Je + - eg + - key: 06pjmB + operator: =帛胏 + values: + - RQ10 + - Z5WWhGqt + namespaces: + - seMTT1 + topologyKey: E + - labelSelector: + matchLabels: + oplIL: 67Fs0Yu4 + mismatchLabelKeys: + - T1 + namespaceSelector: + matchExpressions: + - key: hOQWYMD + operator: vǑ壞2â飿"Xʝ簮倏c + values: + - "0" + - key: WWGKqAgL + operator: '''OƼŪ祰ǑŗiU嘏ɮ?Ī語' + values: + - yU5IOsL + - koP + namespaces: + - lDs + - xQZsD + - J + topologyKey: j0k4ds + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 9nDdXGQwP + operator: '[痵lǝ,ǶÜÂD' + values: + - th + - u8xZ + - ucr3vqZeG + - key: QWVrK8k + operator: ʀăɼy耯#運+3坽« + values: + - 2lcZKn + - G2IQ + - YbYwv + - key: N4bc7Wn + operator: '%7`iɊȑ槦醒}' + values: + - NiSH90 + - 98iHVkt + - 0r3Yu9i + matchLabelKeys: + - zrV + - Ey + - R + namespaceSelector: + matchExpressions: + - key: gEbVS1wo + operator: z + matchLabels: + 2YURuF: "" + CJTjm6: nOFN + oUtlWUD: 0k14ag + topologyKey: M1yF5YA + weight: 477520510 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: mdjoxbr + operator: V2SŨǰ8嫟淦 + values: + - 3ww0Ei + - 2PjudE + - pmpvETB0n + - key: NFqQGo + operator: 处;Ƕk鎹û絹褡Sy + values: + - V + - key: HuZ + operator: ȓő&ś>S怭ť]E榕 + values: + - sUume + matchLabels: + ef2q: 4ZL0O9b + r8xqG: MJ + matchLabelKeys: + - "" + - "Y" + mismatchLabelKeys: + - djn6fDf + - ukZi8 + namespaceSelector: {} + namespaces: + - dOU1F + - 1ygQdj3xZ3YIf + - wvpeJx + topologyKey: Rq4K6z6 + weight: -1277100698 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: b + operator: "" + values: + - tmuB5 + - 9qE9GM + - oJpaRDn2 + - key: WY + operator: u酘b + values: + - RhO + - Cs2rDIRrPlii + - nG4bqoAkQU + - key: eMae + operator: ǟĕȴnjI覿9¥H艞ɋ + matchLabels: + ToIBbWL: 4k8X + i2qGkWjvF7QJ: pb0sZq + u12o4B4: Ybz + matchLabelKeys: + - HCKtJC7hm + mismatchLabelKeys: + - 21r0Z + - "" + namespaceSelector: + matchLabels: + 2BNgnKr7Ob: 5RffK5NB3ghhfO + bJC: WTOgH + uA: bxdRwsU + topologyKey: 2CsbupZ + - labelSelector: + matchExpressions: + - key: RIP + operator: Oȝ(氧罻 + values: + - 1bx3Fix9 + - key: eqQoi + operator: 68+ʈĘ + values: + - FgfwmYrR + - mznlyr2aLTGF + - GfAoC8M + matchLabels: + FKwNoJ: aJZxa + cEeo8ix: 3dHunLjp5 + ihSd: qG7x + matchLabelKeys: + - F6LQK + mismatchLabelKeys: + - ULcGW + - RYv + - fF + namespaceSelector: + matchExpressions: + - key: Tkp5 + operator: ȴ潺谡Ƣh躈ŮâÿȒũĔ + values: + - fY9NuWB + - O84 + matchLabels: + 09fI: EDSEVi + Dl: 4u38aD4O + vZCciR: neqAXd7k + namespaces: + - ozziI6FZ + - URQlLJF + topologyKey: SeSq4K +annotations: + Bx5i3M: s + svlaTGpSHD: 7P9k +automountServiceAccountToken: true +autoscaling: + enabled: true + maxReplicas: 122 + minReplicas: 449 + targetCPUUtilizationPercentage: 218 + targetMemoryUtilizationPercentage: 488 +configmap: + create: false +console: + roleBindings: + - eaLPMN8qOPT: null + xb: null + xnt: null + - 3Mgk: null + roHIFBN: null + - TtzrP: null +deployment: + create: true +enterprise: + licenseSecretRef: + key: nj + name: rl +extraContainers: +- args: + - lW + - lpUVzUh + command: + - 3mEGtoKbEWE2Jw5T + - b1GBFA + env: + - name: hsiWF93 + value: zBco + valueFrom: + configMapKeyRef: + key: 8hvvaoHB + name: "y" + optional: false + fieldRef: + apiVersion: WPT5J + fieldPath: sc + resourceFieldRef: + containerName: 0xbTU4O + divisor: "0" + resource: tPBV2ObG + secretKeyRef: + key: YEKZukl + name: px + optional: false + - name: PM0MyyH3R6R + value: yOzX + valueFrom: + configMapKeyRef: + key: I3pi + name: DC + optional: true + fieldRef: + apiVersion: "25" + fieldPath: "" + resourceFieldRef: + containerName: aZj1E7LU + divisor: "0" + resource: sxs0nE31 + secretKeyRef: + key: Ktb3c4 + name: g98T + optional: true + - name: 6kDq8UgFIS8 + value: L0i4 + valueFrom: + configMapKeyRef: + key: 9WUe9 + name: tZrRUK + optional: false + fieldRef: + apiVersion: GIc + fieldPath: AXTmU + resourceFieldRef: + containerName: E2 + divisor: "0" + resource: a63tq + secretKeyRef: + key: luWp + name: lPdowo + optional: true + envFrom: + - configMapRef: + name: vzVk + optional: true + prefix: DONFyRd + secretRef: + name: 9uct + optional: false + - configMapRef: + name: z5nC9D + optional: true + prefix: 5epUyS1iy5m8 + secretRef: + name: zqRFC + optional: true + - configMapRef: + name: awjfJlZxN + optional: true + prefix: LhArOQgbq1OCR2L + secretRef: + name: mb5axzX5 + optional: true + image: qPLiX + imagePullPolicy: '{Ĩ檽]ĻĹňɋ偌Ȏ.阛魉' + lifecycle: + postStart: + exec: + command: + - yAeOM + - s53um + - 3m + httpGet: + host: GJWsJm + path: iDQ + port: 1781170742 + scheme: 皐ű葺ȝĬ麐&ʉ執dz0娸叹 + sleep: + seconds: -4230531115544534394 + preStop: + exec: + command: + - sIGb5 + httpGet: + host: AbxhPKar + path: 3ZZ5 + port: 88852320 + scheme: 砨Ĝ_筀¤痟氻劊űI俼员z幛F + sleep: + seconds: -4758564920159898567 + livenessProbe: + exec: + command: + - ty6JMTW6vA + failureThreshold: -1459976999 + grpc: + port: -1689493187 + service: ihsDMVYd + httpGet: + host: e9NNlO5d + path: iBo4 + port: 334788778 + scheme: ƿ:ħȠL$ + initialDelaySeconds: 1625633184 + periodSeconds: 1327859251 + successThreshold: 1766792721 + terminationGracePeriodSeconds: -3971501657411371216 + timeoutSeconds: 557348614 + name: U3U + readinessProbe: + exec: + command: + - "Y" + failureThreshold: 391027623 + grpc: + port: -1858356724 + service: hnqm + httpGet: + host: g + path: C48 + port: F + scheme: 苎lɲÁ频×ȊDžȀ9Ď"昽 + initialDelaySeconds: -1404160881 + periodSeconds: 521131323 + successThreshold: 2005094455 + terminationGracePeriodSeconds: -5942417190535485186 + timeoutSeconds: 2118365394 + resources: + limits: + Ms1A: "0" + WkWhM: "0" + requests: + b4kR9nm9BfQZy: "0" + eLg: "0" + huME: "0" + restartPolicy: ľ慔/PpǏ銢9滖ɝ韍I鍌$ʪ辫Uz + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - wą&嘪研Z`ȧȢfʘ*ō + drop: + - ƿ`ĉĎ苦Ǧ蘈NJ她笻Ƞ + - 磨3踦煨1JƸc錚捁 ĊZe)ám \ + privileged: true + procMount: 鋶XJm/覹ɋ¶ȉĒȤ瀶|ƻŒ(咡 + readOnlyRootFilesystem: false + runAsGroup: -8452021579348253718 + runAsNonRoot: true + runAsUser: 5983932912975749110 + startupProbe: + exec: + command: + - sZhTLr + - GK + - kqL9aDDm + failureThreshold: 1004086477 + grpc: + port: 1266077274 + service: l1ji1IW1ic + httpGet: + host: rJI + path: H731Dr + port: 1333462733 + scheme: 项鰚ɽ洍êƳ + initialDelaySeconds: 1806670133 + periodSeconds: 1290098703 + successThreshold: -490255445 + terminationGracePeriodSeconds: -206080146769410314 + timeoutSeconds: 270060590 + terminationMessagePath: P1HCGJEbJiD4 + terminationMessagePolicy: ʇ鞯BC鸼樁÷ǹ楺 + tty: true + volumeDevices: + - devicePath: a4 + name: 0bA + - devicePath: VeRXU9 + name: A0XbFJhG + - devicePath: fdim + name: RJf + workingDir: ZoDFb +extraEnv: +- name: "" + value: YbKo + valueFrom: + configMapKeyRef: + key: bIruuA + name: x8 + optional: true + fieldRef: + apiVersion: EqX + fieldPath: ZOh + resourceFieldRef: + containerName: IDJTm5lv + divisor: "0" + resource: QDC8v + secretKeyRef: + key: "8" + name: LcSdNiKff4 + optional: false +- name: RZHq9C + value: m + valueFrom: + configMapKeyRef: + key: PZVqf + name: x + optional: true + fieldRef: + apiVersion: xQi + fieldPath: vxeo + resourceFieldRef: + divisor: "0" + resource: l7 + secretKeyRef: + key: i3lK + optional: true +extraVolumeMounts: +- mountPath: OO0aO6h + mountPropagation: "" + name: kDKM + readOnly: true + subPath: AlRCH + subPathExpr: 7UemLsIe +- mountPath: Z8zdlU + mountPropagation: 醗¡°v:胡 + name: aedAMG + subPath: zo5P1xa + subPathExpr: WmuiME +- mountPath: ufiUx + mountPropagation: '`ʡÔ关Ľ?' + name: PWBh + subPath: 2hslJ + subPathExpr: pUtN3 +fullnameOverride: YUi5JpG +image: + pullPolicy: ȕ蚧竔/´苅oC + registry: zUsK + repository: lQjo + tag: p +ingress: + annotations: + CImW98Gx2v: otj + fP: SRGkm + className: lM + enabled: false + hosts: + - host: AYT + - host: oulge + paths: + - path: 3bi + pathType: ixqeQz + - path: nG + pathType: 5LwYGxvMr + - host: "" + paths: + - path: jJrUpe + pathType: 72AAc + - path: B0K + pathType: kxnm8kN + - path: tQDn + pathType: IxAmHD + tls: + - hosts: + - n9Np8ftRtFhzi + - g + secretName: C + - hosts: + - CMhuwA + - wYA0tSvo + secretName: z + - hosts: + - 34mbP + secretName: 80Z +initContainers: + extraInitContainers: PRtnaAy8 +livenessProbe: + exec: {} + failureThreshold: -1392926461 + grpc: + port: 257623603 + service: us + httpGet: + port: L9CrR58RHnS + scheme: ʅ²7kp + initialDelaySeconds: -1384385388 + periodSeconds: -1660079876 + successThreshold: 680842396 + terminationGracePeriodSeconds: 6050526356201491316 + timeoutSeconds: 213455290 +nameOverride: nEojiMtRc +podAnnotations: + Mfsd: hmi +podLabels: + 6dZAs: xJPaLHKS1Y2 +podSecurityContext: + fsGroup: -6567182940167159103 + fsGroupChangePolicy: 6iɰ堂:齐ǪÈ + runAsGroup: -1787219330993537800 + runAsNonRoot: true + runAsUser: -5627543087390804845 + supplementalGroups: + - -3306962996817147613 + - 975882030005456556 + - -5263492609498468245 + sysctls: + - name: YC + value: 7JlDTCP6hs +priorityClassName: 0P6RnoBeb5 +readinessProbe: + exec: {} + failureThreshold: 1689894479 + grpc: + port: 222105741 + service: D + httpGet: + host: vyj + path: JoV4VZMz2Bv + port: vRf9ZHgc4j + scheme: 条om競娷Njʑ + initialDelaySeconds: -1753994274 + periodSeconds: -1189421015 + successThreshold: 1278527365 + terminationGracePeriodSeconds: -6266260075166332402 + timeoutSeconds: -209775227 +replicaCount: 391 +resources: + limits: + 8ycM: "0" + requests: + CvglPI: "0" + s5: "0" + uiHB: "0" +secret: + create: false + enterprise: + licenseSecretRef: + key: Iq + name: Tb8RGi + kafka: + awsMskIamSecretKey: gj + protobufGitBasicAuthPassword: kO + saslPassword: IB3qNjrV + schemaRegistryPassword: 4wnp6Qi + schemaRegistryTlsCa: gFBJq + schemaRegistryTlsCert: LUubckiv + schemaRegistryTlsKey: 9Op + tlsCa: 94x0v + tlsCert: h4lSMbv + tlsPassphrase: CVT4wjw + login: + github: + clientSecret: YaYETggo1hi + personalAccessToken: d + google: + clientSecret: tDqsIg + groupsServiceAccount: FSUAkU004n0k + jwtSecret: 2dWKNqarwb + oidc: + clientSecret: i2n + okta: + clientSecret: XytR0yn + directoryApiToken: m3WEq4zKv + redpanda: + adminApi: + password: ozo + tlsCa: 0g + tlsCert: hQ + tlsKey: xfpkmy +secretMounts: +- defaultMode: 184 + name: L8dbWip + path: g + secretName: LF0O +securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - «Ƙz损 + - ɟE鄱Į惪Y桦ŗɘoȍ蠣4ƪ呀R> + - "" + drop: + - 娤b + privileged: false + procMount: ʍ曏(ƶæ + readOnlyRootFilesystem: true + runAsGroup: -406748533537085799 + runAsNonRoot: false + runAsUser: 3238073083343117470 +service: + annotations: + 8v2: JbH + 95cxbjjD7C: JBMaJ + VY: yRV7d + nodePort: 18 + port: 168 + targetPort: 227 + type: WAAXkZY +serviceAccount: + annotations: + DQxrtk8: buiWLPbYq + HHbP: sAY + Y0DKOcTa: D82Nfh + automountServiceAccountToken: true + create: true + name: DSw7 +strategy: + rollingUpdate: {} + type: żʧȟ +tests: + enabled: false +-- case-048 -- +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchFields: + - key: v + operator: ė + values: + - ln + - lU4zX8iz + - t0Xc + - key: s3fpu + operator: ɥ娿ăʄĠ mʓ銈E'袭ĵ + values: + - ljJlhx + - matchExpressions: + - key: qPBvuBghor + operator: 泱诅ʫt + values: + - a05XZwN + - SiAvFWs + - FhW1 + - key: MVFTcW + operator: º囜N赧0索d + values: + - c + - ghZI + - AjB0J + matchFields: + - key: QzMSpLW + operator: :ɉùȪÇzǥC货°ÕV? + - matchExpressions: + - key: pA7a1gYdV + operator: '[ĪtOK' + values: + - 2bE4Bw + - fyMOYi + - key: wshbw7Ix + operator: J槭~撑MS=ÑƎ薽饵a緗 + values: + - 9jt6 + matchFields: + - key: s1 + operator: 犫茬睶ňv + values: + - XhyH + - Ng1r1 + - nqis + - key: mHLiT + operator: ȁ佝L郗s稷tŻ+f舭拳鰵2e{a + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: jdvk + operator: ƶ + values: + - NV + - y4 + - V2XRZS + - key: 9VvAl5 + operator: <坎陸$§¤_ã檠奙Å饉J夗ɓ翩锸辸 + values: + - x26kYkJ + matchLabels: + DziixIJYd: yCXzPc + matchLabelKeys: + - XNuk + - RGLu + mismatchLabelKeys: + - aF3 + - R + - Tnj6SmTq + namespaceSelector: + matchExpressions: + - key: e1XR + operator: Kɞ窏ǿ,鸣ŰcNc + values: + - Yrq + matchLabels: + F2Pe7J: dlwTdhs + lK: nolQ + ys9z: euXWPiaJ3Bv + namespaces: + - tAzvw4OH1G + topologyKey: 6y + weight: -1640008169 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: XbjQvP + operator: V嶙NZ谡筩ǒ抂 + - key: i + operator: ɔŃ旓Ɍ鬺X + values: + - Zvx + - 7HWJ + - e4ucTP + matchLabelKeys: + - 0LSTZ + - ESk2r + mismatchLabelKeys: + - CKhfvR0Sg + namespaceSelector: + matchExpressions: + - key: A0tc + operator: 辛§ʢ垝V矋n握匞~嶯筪溆¸ + values: + - ML + matchLabels: + K1pr: ROFIwZhJYYo + ODc: 48WQ + namespaces: + - Wv7 + - zenLPw + topologyKey: tIVDde5U + weight: 1977587462 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 3YyUamlR + operator: 橯F + values: + - dHitre + - 90jUjk + - key: NtnSL + operator: 臰sR=坵Ěcñ黪:ɻ寊â9dƎ\V + values: + - qqzycK + - key: ICXJGRFS + operator: $貕^eėǭD鳅ʇ + values: + - txX + - SFrkJ9r + - 3jOnwEW1 + matchLabels: + Uwj1kpV: oUXOYkF + o: ts5wRqjTyCy + matchLabelKeys: + - V2DNNCORe7ZRA + - pglXe4D + - w3881 + mismatchLabelKeys: + - xbi5KtUmR + - eZenitLdd + namespaceSelector: + matchExpressions: + - key: fxd5Y + operator: 頣R熗!A麳Ƚ6r爤暓 + values: + - oe46YF + - rT30v + matchLabels: + 4WA: EH + nRhlLLx1yHy: 5UFrj + namespaces: + - 7j92oP + - 2hf + topologyKey: "" + weight: 92207265 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: wBvol + operator: Ɂüɯ + values: + - eKmyok + - key: B2uj69 + operator: "" + - key: hLrZlh + operator: ȕ嵠味 ɼ_ + mismatchLabelKeys: + - W + namespaceSelector: + matchExpressions: + - key: Qu + operator: 亣i拴ÿ + values: + - OeiUsmYu + - oGXa6Ma + matchLabels: + "": Li + oDV7yR: NP + namespaces: + - PQjQb3LP + topologyKey: Gs1 + - labelSelector: + matchLabels: + "": nF + mismatchLabelKeys: + - YG6aQj + namespaceSelector: + matchExpressions: + - key: HpxPVtw + operator: z畘ŠƽǢ蘟\ɡ忕ɋ蜹5B + values: + - EQ + - RP3fBi + - key: Lv60cZut + operator: 裰ƈ + values: + - I9JbN + - dt + - Cya + - key: 0MGm8N + operator: 遍Ż + matchLabels: + nELvnrAFr: DClM + topologyKey: N57yxG + - labelSelector: + matchExpressions: + - key: "" + operator: KǞ}ɣȿ嚶宗荝«Dž + values: + - CGw32z4JHya + - E + - u5CDtdc + matchLabels: + J5LzcLei: kBwTCGZ + iLpqu: j4bqBNDjAK + jN: jUZ0u + matchLabelKeys: + - lNM + - K3nOO5 + - 9norFQpMiC + namespaceSelector: + matchExpressions: + - key: y4teb + operator: 蚯 + values: + - P + - O0 + - MvxOu + - key: v8w1Ok + operator: 8ƴņŨƊ¹艗胲ƦpYƿ9d脙~Ë + values: + - "4" + - "66" + namespaces: + - OtWsVW + - p + topologyKey: GeF + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: GRLHy + operator: Ä椶 + - key: Z + operator: ė牫ȃ汥Ƈ娍q\桕ɄNǴ + values: + - S1hMkP + - K + - x5coDg + - key: kJzBQ + operator: ʉĻ孺bɧɬʬ柿娤e¯]每) + values: + - DbD1 + - C5dyvNew + matchLabelKeys: + - 8G + - 7cCVU + - lN + mismatchLabelKeys: + - xJ5l + namespaceSelector: + matchExpressions: + - key: U89y + operator: ȓ2浿澰V缐厧钎wň莁願菶ʈ杈 + values: + - 9m6ydjpHu + - CatqpZmUCL + - dJz + - key: SIePbOJc6H + operator: ljR2qɟ$s櫮c雕Ů幔莁沥ʫľƙŝ + values: + - 75tj75r + - XiO + - key: "" + operator: 舄或崙Ĭɐ耼Ī弋禽$ + values: + - HWwXVr4o + - WEkwi8ZNDQ + - f + matchLabels: + fi8w0BX: Z48LRdXmkJ + namespaces: + - Yaw2NnfJ + topologyKey: ElKfd7Eo + weight: 1078166465 +annotations: + Dgw3Wl: 7aofTp +automountServiceAccountToken: true +autoscaling: + enabled: true + maxReplicas: 1 + minReplicas: 224 + targetCPUUtilizationPercentage: 468 + targetMemoryUtilizationPercentage: 256 +commonLabels: + 4kU: mkn8 + Ro: NFx1P + Z1p: WE +configmap: + create: true +console: + roleBindings: + - FZ5NQS6: null + - 0ToI: null + RTwav: null + mWwdgyM: null + - {} +deployment: + create: true +enterprise: + licenseSecretRef: + key: "" + name: 3VGefRh +extraContainers: +- args: + - 3QF + - k1BJBm + command: + - PMW + - j + - V7MAcfomz + env: + - name: rAzI53 + value: WlHlq + valueFrom: + configMapKeyRef: + key: zzIBsb + name: Bh261F + optional: false + fieldRef: + apiVersion: SlA + fieldPath: "6" + resourceFieldRef: + containerName: q0BBEv + divisor: "0" + resource: JE + secretKeyRef: + key: FvrZgBz + name: ZTBeic + optional: false + - name: uPptX + value: i9 + valueFrom: + configMapKeyRef: + key: JeHwi + name: TiQHOG1EsFUgIE + optional: true + fieldRef: + apiVersion: i7dd + fieldPath: Tu + resourceFieldRef: + containerName: ChdvA + divisor: "0" + resource: Eq1V33RTZQSJRJFg3V + secretKeyRef: + key: ojxn54r + name: L + optional: false + - name: Sl9Py25FX + value: e9 + valueFrom: + configMapKeyRef: + key: Zq80J9tyR0opcz + name: gy00dyvHFa + optional: true + fieldRef: + apiVersion: UJLSQy7zL + fieldPath: Xm4sg5H + resourceFieldRef: + containerName: ZmY7Fno6Fcop3 + divisor: "0" + resource: gqZwW + secretKeyRef: + key: v + name: hJDoWtjkfL + optional: true + envFrom: + - configMapRef: + name: RdWA + optional: true + prefix: Dq + secretRef: + name: BOBOO0sLIWw0e + optional: false + - configMapRef: + name: MoMnWNTC + optional: false + prefix: "3" + secretRef: + name: B58Vvj3 + optional: false + image: Vn5V + imagePullPolicy: 筥ǏŤČ癳嶧GĒH挕ÄHɡ + lifecycle: + postStart: + exec: + command: + - hTIx + - lslygl + - lSgx5G2IfU + httpGet: + host: GNVKz7 + path: d0Y + port: Igi + scheme: 莵łEǐ嫖ʒʔvŊ>ry5贛 + sleep: + seconds: -184172880642712439 + preStop: + exec: {} + httpGet: + host: tD1TkKV0ES + path: s6 + port: OpK5riOe96 + scheme: 琊*i#欱E唂ȧ鐄膶詃7 + sleep: + seconds: -4889549574266894064 + livenessProbe: + exec: {} + failureThreshold: 1591130939 + grpc: + port: -540029946 + service: aoAN2Lx03 + httpGet: + host: vWu + path: Lo + port: 1468671948 + scheme: ȯ煐IŢ + initialDelaySeconds: -1879733088 + periodSeconds: 1106663448 + successThreshold: 240850805 + terminationGracePeriodSeconds: -7405296717602935730 + timeoutSeconds: 524743651 + name: AInfx2Rak + readinessProbe: + exec: + command: + - oIA3 + - H + - 96Uj2 + failureThreshold: -1855887857 + grpc: + port: -495541010 + service: X + httpGet: + host: ZplmMg + path: tAAr + port: 1950182935 + scheme: ʂ綽oa;n轮ęB觼Z=G泇跢揌韇锶 + initialDelaySeconds: 1057136331 + periodSeconds: -2025421367 + successThreshold: -812558156 + terminationGracePeriodSeconds: 4314843605692522234 + timeoutSeconds: -1609986779 + resizePolicy: + - resourceName: EvmpG + restartPolicy: 4ɱ + - resourceName: hTB20ObO1 + restartPolicy: ½ŏ伐Q蔏ʝ噙漃袩J]Ɣ蒘岇 + resources: + limits: + KWlx2c: "0" + O: "0" + requests: + ZCJwGBL: "0" + restartPolicy: 1nĔ:蹮>s蹬ÍǺ + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - 迠寈搣弝渎İ- + drop: + - 檹Ɩ + - ɧ麧ç2ā兛杧蔙團载^P蚡5缿ʒU襩 + - cLD|ƶ虌Ȗ + privileged: false + procMount: ïƋ圏滜ľ転謀ĤP蹥ȅ|髃蒃Q癎æ + readOnlyRootFilesystem: false + runAsGroup: -4850605470374303682 + runAsNonRoot: false + runAsUser: 7731251064648990624 + startupProbe: + exec: + command: + - LqYoUQy3c4BE + - 5N + - Ug + failureThreshold: -1290004088 + grpc: + port: -1721281251 + service: H2p + httpGet: + host: 02CP5 + path: F609y + port: JjwFH + scheme: 珑 + initialDelaySeconds: -402608647 + periodSeconds: -1520214127 + successThreshold: 209058699 + terminationGracePeriodSeconds: -1900030585542850396 + timeoutSeconds: 1686394545 + terminationMessagePath: qixKzKz + terminationMessagePolicy: Ǥ衚蔁ʙ剠Ǡɭf~ + volumeDevices: + - devicePath: zM1 + name: jmc + - devicePath: IZ + name: PS + - devicePath: kN24U + name: Apu0r1U2 + workingDir: WgB +- args: + - 2Z37 + - 75kO + - TjvjkZTrc8s + command: + - M0NtzJ + env: + - name: 2EH + value: O + valueFrom: + configMapKeyRef: + key: J1ozKsuji + name: glLvAIHP7i + optional: true + fieldRef: + apiVersion: 3gAjGu + fieldPath: sNpuR8m + resourceFieldRef: + containerName: oxx + divisor: "0" + resource: PuKq + secretKeyRef: + key: Iua2L1LoCWMs2 + name: YfKwS8s + optional: true + image: PKNM + imagePullPolicy: ÍĪ0魣Ŋʒ + lifecycle: + postStart: + exec: {} + httpGet: + host: fsZ + path: EGnu + port: 765491661 + scheme: ?ğ叆ɂ&pʠ溶Ǚu + sleep: + seconds: 4688626474961012693 + preStop: + exec: {} + httpGet: + host: TB + path: "6" + port: -50369560 + scheme: ~Ǚɇ>ƃ\7]歉sh羘y4 + sleep: + seconds: -5293607398165581925 + livenessProbe: + exec: + command: + - 1g8dewdj + - lRmD + failureThreshold: -125369558 + grpc: + port: -1490211482 + service: R + httpGet: + host: CSGThzhG + path: 9NBKzoiFzs + port: -272474300 + scheme: ŀ + initialDelaySeconds: -1094670881 + periodSeconds: 1768141210 + successThreshold: -985604418 + terminationGracePeriodSeconds: -1297054466922920616 + timeoutSeconds: -1289231356 + name: KtKv6dg + ports: + - containerPort: -632764671 + hostIP: 8CU + hostPort: 917138107 + name: 1VgOx + protocol: 典ȫ窃ÛǪ3m患 + - containerPort: 739656218 + hostIP: dQQ3 + hostPort: -1348301133 + name: "3" + protocol: '?Ū慾ŘLº桒J:茦扰絥ǗȑĎ:' + readinessProbe: + exec: + command: + - qZ2J + failureThreshold: 293719665 + grpc: + port: 1235836411 + service: ig3 + httpGet: + host: Ws + path: FVnJhZq7I + port: -1075951148 + initialDelaySeconds: 321800409 + periodSeconds: -556535717 + successThreshold: -625124830 + terminationGracePeriodSeconds: -4084380722124342213 + timeoutSeconds: -904900305 + resizePolicy: + - resourceName: GKINnuJx + restartPolicy: Řl©=嬈牍]佧& + resources: + requests: + omO: "0" + uga5: "0" + xnRsp6C: "0" + restartPolicy: ʝdŌİ蒘傥>晑|癶x&ĭmŭƙŵ + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - 約nɤưHĞ4WƳǤȣ糥蠇t + - ¾ʃŔ冻楟?¿揈h嘼œ + drop: + - 7忭譺屩嫕ƞʅ袬/氼Xg养ȸ陣萓 + - 胨`鯵ƪĽ藹 + privileged: true + procMount: Ulƙxȿƌ乜溬噕瀆储铐\纬 + readOnlyRootFilesystem: true + runAsGroup: 4589112012742886931 + runAsNonRoot: true + runAsUser: 3204614620414442288 + startupProbe: + exec: + command: + - TFJ + failureThreshold: -585814509 + grpc: + port: 178002023 + service: lAuHCrE + httpGet: + host: "88" + path: Th + port: In + scheme: 鷵菭g顲Ⱦ穪 + initialDelaySeconds: -1856697198 + periodSeconds: 1469578394 + successThreshold: 160563852 + terminationGracePeriodSeconds: -4442318275257517382 + timeoutSeconds: -16211809 + terminationMessagePath: 513sVbgA + terminationMessagePolicy: 隓Ǽ屼Å7嗟Ʈ麝0{ȦDžĐ! + tty: true + volumeDevices: + - devicePath: ugQAJ + name: Jf + - devicePath: BFfnTD + name: kfF6CZ + volumeMounts: + - mountPath: C3 + mountPropagation: 呍婻厦ǒ絶偂蠛ƺ蠖蕍v貰Ė + name: DQvHajhHx + subPath: aYHGugq + subPathExpr: MSs + workingDir: OE +extraEnv: +- name: rd10f1l + value: GtUE + valueFrom: + configMapKeyRef: + key: C1N + name: bi + optional: true + fieldRef: + apiVersion: 9GWlMsB + fieldPath: l2 + resourceFieldRef: + containerName: 4t + divisor: "0" + resource: eyjvzsf + secretKeyRef: + key: xBMOaej + name: O8AG + optional: false +- name: C + value: fYlde + valueFrom: + configMapKeyRef: + key: 4HvhDAkW + name: 5bgA7leE7 + optional: false + fieldRef: + fieldPath: zY6rf + resourceFieldRef: + containerName: S3 + divisor: "0" + resource: 3sD + secretKeyRef: + key: s43 + name: LpaQ + optional: true +extraVolumeMounts: +- mountPath: M5 + mountPropagation: 稤Bơ觓Ð琋 + name: yQHj49RtdzN + subPath: GdQkAKF + subPathExpr: Gvswh +- mountPath: QRg + mountPropagation: 搚Kƕ欕K貵蠜d旓ĀÝ虩釓 + name: qCEH27RF + readOnly: true + subPath: nHB05RuTZ + subPathExpr: K0yH +fullnameOverride: 3um +image: + pullPolicy: Ƀşb?師Ğ`3H觉趟糯襖 + registry: VHbf77MFq + repository: 9Gz + tag: Tg +ingress: + className: ob + enabled: false + hosts: + - host: gH + paths: + - path: Ts + pathType: CGb + - path: "" + pathType: zZQ + - host: iiV3 + tls: + - hosts: + - tHQ4 + secretName: fnmcizOYm + - hosts: + - iPP + - 6ESVwf0d + - ziZck0N + secretName: O7mKv7 + - hosts: + - 8YGvchGJ + - wN + - XtvjzH0 + secretName: VlbaTuVK +initContainers: + extraInitContainers: thAoOYwQDaAt +livenessProbe: + exec: + command: + - nCg + - T6fzKjCjD + failureThreshold: 279778022 + grpc: + port: -995356959 + service: 9yOO2 + httpGet: + host: PYJSaHej + path: fr7 + port: 8Ij + scheme: QɄ揆ѧ鶹i骡l僴Ǎ植烤ĕǘqɦ + initialDelaySeconds: 1098820524 + periodSeconds: 414174316 + successThreshold: 1178515566 + terminationGracePeriodSeconds: -5729352865043664628 + timeoutSeconds: 873461419 +nameOverride: W7q3X +nodeSelector: + Bm9U: oTYglG6dh +podAnnotations: + eG: vxInc0 + g: BI6yk + xCtSP: rQ +podLabels: + ZEXh: zufy +podSecurityContext: + fsGroup: -3794452885502571644 + fsGroupChangePolicy: 欲飹Rɦ薕µL<Ĕ + runAsGroup: -3171560656159467191 + runAsNonRoot: true + runAsUser: -4412205905842408558 + supplementalGroups: + - -7215185124091152595 + - 5139656417921062736 + - 600742233156257714 + sysctls: + - name: Te + value: cKzihj +priorityClassName: l4Mowg +readinessProbe: + exec: + command: + - "" + - c8G + failureThreshold: 37001950 + grpc: + port: 1211428387 + service: UUKg3TJGP2 + httpGet: + host: eznD + path: aBohoOMPU + port: -2044766681 + scheme: 讻;Ǩ办鈁癃靟èʣ¾fǖ^Ǟ + initialDelaySeconds: -396024246 + periodSeconds: -1467409206 + successThreshold: -1328773613 + terminationGracePeriodSeconds: -8721653473984246810 + timeoutSeconds: -1781454259 +replicaCount: 46 +resources: + limits: + 8cdWaeK7jVrR: "0" + HYBi6o: "0" + requests: + NOz: "0" + gH: "0" +secret: + create: false + enterprise: + licenseSecretRef: + key: wNZRnHu3m + name: ULOBG + kafka: + awsMskIamSecretKey: RfMF + protobufGitBasicAuthPassword: julgURa4B + saslPassword: uuq + schemaRegistryPassword: "54" + schemaRegistryTlsCa: 0rjT0gsnw3 + schemaRegistryTlsCert: kpA9ZJQgp1 + schemaRegistryTlsKey: 4rfN + tlsCa: NhTEC0A + tlsCert: iN0W + tlsPassphrase: Id1ovgK + login: + github: + clientSecret: LWyKxwgV + personalAccessToken: Nkq1DyJixsC + google: + clientSecret: tJv + groupsServiceAccount: 9jqz4h + jwtSecret: PWdr6CcxS + oidc: + clientSecret: RMxiMIY + okta: + clientSecret: SJ6I + directoryApiToken: 1wIf + redpanda: + adminApi: + password: C9I2x + tlsCa: Qpp + tlsCert: "" + tlsKey: 7uh28L +secretMounts: +- defaultMode: 80 + name: Mt1 + path: WsSL4vxNxCkXP + secretName: ZxXI0Hhv +securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - Ɋ闻ǃɗʀd撪 + - 蘑ǪY桼ɮǚɳ爥ňB + drop: + - 乄}ñ0詘蛾牪坣缰ƩǏ薷©瓚`Ʋ虯r + - ǓJğ&ĊƯʝbǠCŪzgì + - ńǜ[ɪ判Uʋ]泘狔 + privileged: false + procMount: 媹:堏_ɟ榧禙Ɲ'瞟 + readOnlyRootFilesystem: false + runAsGroup: 2759228957449300312 + runAsNonRoot: true + runAsUser: -812867783664200775 +service: + annotations: + c: DNy + kDPtPpnL: kFmmx + nodePort: 377 + port: 311 + targetPort: 29 + type: l5gj +serviceAccount: + automountServiceAccountToken: true + create: true + name: sKa +strategy: + rollingUpdate: {} + type: 顓ǝSm +tests: + enabled: false +tolerations: +- effect: 嫜ʎ愤wßj硭 + key: JO1 + operator: ȼ¾Pȇ挮ƶȋ'蹑鶚嗵ïG + tolerationSeconds: -6027642013843151183 + value: a3XbyS +-- case-049 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: L + operator: 域%Ɠ礇!ʘl.ǷŠ该貹&N + values: + - oAk8rvkey + - Fb08GpumY + - key: YJGr + operator: '|4\i事!ų藦x鳜Ǫ' + values: + - 63Yvc + - key: j + operator: ¸瀖čņ!彅搀 + values: + - RnzdW + - Nxs + - unZuno + matchFields: + - key: wLP0QqdHBmd9e + operator: ȑwȼ嶢vC`ȖĜƐ桡牆ēIa,謧ŗ + - key: mdgmMZ + operator: Ō§ȶƔ>#Z骻5S洝岛Ċ啞. + values: + - Fvf6 + - key: GQsV + operator: 涥ȕêȩȋ婍0毙舺糩\DŽŅ饒 + values: + - XccQkxG + weight: -1172839714 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: JpS0BkW + operator: 聣耥ʒ昼|Ȏ)ß瞖a癨櫒缮{v + - key: HLL3gv + operator: 铡ÞC腢z蟒Á + - key: iDGQV8Bjyu5Q + operator: 舢脛歛ƻ68 + values: + - eLCH7Nc + - QQqPUN + - "" + matchFields: + - key: AY2q9fnL + operator: ȏ伌鎩5桀ʁ + values: + - Uac + - K0q + - bY71A + - key: rBwZz + operator: '*ĴȉǼ矼SN]ʛ源' + values: + - 5yMkn + - key: S1C + operator: ÿƙ彋,嘲樦 + values: + - OXH + - vl1 + - uCYaO8Cn + - {} + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: mZ3rAF9 + operator: yŲĺȫ阁笵W®詃Œ + values: + - bhvFz + - key: uiaNXZcXT + operator: "" + - key: AAM + operator: 閸鬼駝洁c奊(Ƅ謍MǍ辰T堍癩)丗 + values: + - "9" + - ESiN3 + matchLabels: + kCSDZtsm5: vVk + oBlyCq: jlh + matchLabelKeys: + - BCZ8FFbh + - A + namespaceSelector: + matchExpressions: + - key: Lsf + operator: L + values: + - a0HB + - C + - key: eoj6ic3 + operator: ż伌oA汄俔ɿ7巪娻% + matchLabels: + Cx: wwPPM + namespaces: + - 9xhG + - JAutZqe4gGeuf + - "" + topologyKey: 1a + weight: 223935020 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: LtGRhs + operator: 棺ǔ'ɘ砒Æ擑Ɵģ + values: + - GhM4BSJqNOf + matchLabels: + "": 7Ni + matchLabelKeys: + - yxF4 + - 22RoWr + - etRteovEh9 + mismatchLabelKeys: + - 7NOfe + namespaceSelector: + matchExpressions: + - key: 3KCX2 + operator: 臞ʀ¯弄Ɨ橎琜ġ鍳¶ȣ2墛.ɮ濎ɕ磞 + values: + - 5YiE0xEC + - 4spxMd + - vUPA + matchLabels: + YHIq: nS + topologyKey: F4 + weight: 716052627 + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: "9" + operator: ĠƑȥ兾3ŶJ + - key: pPvuyWZ + operator: ;bļo刲+圊}MǏŅ惤ć + values: + - 9pMXT + - Ezwo11 + matchLabels: + 66347W: ccFxZoF9 + X: VrN5kt + mismatchLabelKeys: + - u4LyY1 + - zT + namespaceSelector: + matchExpressions: + - key: qwhutJo + operator: 垴ǞƼ + matchLabels: + OFxMkYx: lhxtM + topologyKey: WN8qbUgigF + weight: -1609734055 + - podAffinityTerm: + labelSelector: {} + matchLabelKeys: + - "" + mismatchLabelKeys: + - XnhP + - "" + - Bk + namespaceSelector: + matchExpressions: + - key: M + operator: Ǽ糨ʡ毺Ɇw + values: + - ntvI + - vs + matchLabels: + "4": 2Y2FBpcbg + namespaces: + - 1S8c + topologyKey: jxiZ4d + weight: 1993833508 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: EpKkdimp + operator: 额ƀ箰L禼aÅ顙)C舉 + - key: e2Zu7Kb + operator: t潱髦pö鵺b澁6銹 + values: + - z9n + - LdMQ + - r + matchLabels: + F: Nc + Qa2h5toVwd: GGxZ3BQ + l: Z6Rh + matchLabelKeys: + - LsCC + - dgmxxZW + mismatchLabelKeys: + - e + - Cb + - e0DAEluN + namespaceSelector: + matchLabels: + oJ56D: 33m + tkP8tO: mIkfyE6E + namespaces: + - VxN + - hbwB9 + - t + topologyKey: qag0unul +annotations: + BceQMZiOm: E1uakdHPkLNL +automountServiceAccountToken: true +autoscaling: + enabled: true + maxReplicas: 292 + minReplicas: 381 + targetCPUUtilizationPercentage: 255 + targetMemoryUtilizationPercentage: 99 +commonLabels: + 0HYkOrz: JCwpSW + 0TgDztQSY: P + ztm: qegfb80 +configmap: + create: false +console: + roleBindings: + - K: null + nGSYV: null + roles: + - {} +deployment: + create: true +enterprise: + licenseSecretRef: + key: yAo51i + name: blNvk6O7Urx +extraContainers: +- args: + - kn0F9 + command: + - M + - Hph3 + - lZfWKF + env: + - name: HBWtNh10A + value: 8guE + valueFrom: + configMapKeyRef: + key: Chnm + name: UlwzEQ + optional: false + fieldRef: + apiVersion: 8pq9 + fieldPath: qpnfP4p + resourceFieldRef: + divisor: "0" + resource: L0tn + secretKeyRef: + key: J + name: gbfgF + optional: true + envFrom: + - configMapRef: + name: n32MM + optional: true + prefix: cp3 + secretRef: + name: Uc + optional: true + - configMapRef: + name: VGBL + optional: true + prefix: NTMU + secretRef: + name: CEg + optional: true + image: zIWYBi7 + imagePullPolicy: 蘂ȱʃ& + lifecycle: + postStart: + exec: + command: + - QpTcv + - MS0T0N + - wiE + httpGet: + host: ZCUJOIH + path: UsXT + port: 8nExSP2u + scheme: 'uŊ6熀: 焆 烷ʫ-Ŗ亾ɣʖ氝"肰' + sleep: + seconds: -2519616411083819638 + preStop: + exec: + command: + - rmQ7 + - GxRXQk + httpGet: + host: UIVpXMrzW + path: 4tHQ + port: 8xLK1VyM + scheme: ƳǃóɃȊ{回żz闓葊G嚥 + sleep: + seconds: 3595323074300269449 + livenessProbe: + exec: {} + failureThreshold: -882825879 + grpc: + port: 503069299 + service: W + httpGet: + host: FilCCd + path: NPZrCEq + port: 6NoPho8wIsxe + scheme: āȹ顺悩錣Xƕ灄ĿG乒 + initialDelaySeconds: 781680731 + periodSeconds: 205458 + successThreshold: 1115648780 + terminationGracePeriodSeconds: 4579765768791485272 + timeoutSeconds: -676867842 + name: 2tf + readinessProbe: + exec: + command: + - edKf + - 0U + - MFr2Oh + failureThreshold: 1812906550 + grpc: + port: -791379232 + service: IAqADBco + httpGet: + host: 55GZ + path: AQC + port: sxTXcp + scheme: ƷMg靚珨嘸ȗʒ鑉Ȝ梒ŗǐkōĕĵ鞍 + initialDelaySeconds: -130429301 + periodSeconds: 876742351 + successThreshold: -1424043483 + terminationGracePeriodSeconds: -1574530902871555383 + timeoutSeconds: 764935409 + resources: + limits: + 9eHi: "0" + rO52puR: "0" + requests: + UF8LV7N: "0" + ao: "0" + cRVsAz8v: "0" + restartPolicy: ɥ]×璳 + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - ɖ膵7&ʞíXĦx-ǰİɾ榩聨ŗ% + - DŽ熲鴼玜覲杷ȆƠ沺伤{拢 + - ɉȋʠRÂo霾噜奩ƻv$Áő + drop: + - ɑ摿愻J«ʘA宜ƹ¶ + - 餫aJ矐sǁ隑z36渢X赼 + - )ǜ鄰挺溒ŒV栜Ù涸JH-_d + privileged: false + procMount: Ito縎 + readOnlyRootFilesystem: false + runAsGroup: 2484782727894659713 + runAsNonRoot: false + runAsUser: -6936271037843914749 + startupProbe: + exec: + command: + - X + failureThreshold: -256045507 + grpc: + port: 376282302 + service: wdQrDn0 + httpGet: + host: teaO6 + path: DBHpGkYdgAJ + port: -1625640156 + scheme: Ʌ + initialDelaySeconds: 673272264 + periodSeconds: -1050905915 + successThreshold: 282500457 + terminationGracePeriodSeconds: 5768805478519709604 + timeoutSeconds: -601307290 + stdinOnce: true + terminationMessagePath: POO + terminationMessagePolicy: '#d鿂Hk閎=ɰ蜐ġOʡ蠁żǖ' + tty: true + workingDir: Z3pdGL +- args: + - a7Tqs + - UuID5t + - gRCnbjyp + env: + - name: ZV1KP + value: WrT0 + valueFrom: + configMapKeyRef: + key: zZzTgax + name: 3z3eoets + optional: true + fieldRef: + apiVersion: 88zo + fieldPath: z0vE72 + resourceFieldRef: + containerName: DF4t + divisor: "0" + resource: hfVfYFW4 + secretKeyRef: + key: I6JwpO5 + name: I88w22gsx3 + optional: true + - name: z8 + value: sgj8UHZ + valueFrom: + configMapKeyRef: + key: Q85vN + name: lYGl4 + optional: true + fieldRef: + apiVersion: oQu7 + fieldPath: TYd + resourceFieldRef: + containerName: "Y" + divisor: "0" + resource: Yx + secretKeyRef: + key: f + name: 0Pjf9YBj + optional: false + envFrom: + - configMapRef: + name: fAH + optional: false + prefix: vjjU + secretRef: + name: 9A8OgEQ9 + optional: false + image: R7L + imagePullPolicy: '}m6铤<豎ŵ,#M狥ʬo' + lifecycle: + postStart: + exec: + command: + - 2E + - gzntg + httpGet: + host: BOoVI + path: ns7ZMdNwQC + port: XF + scheme: ky咊ʅ ʂ娼ȟƐ橽ǿ唔ARɨ罙 + sleep: + seconds: -3978858376823543730 + preStop: + exec: + command: + - Hns + httpGet: + host: Lw8 + path: wdo + port: -239095421 + scheme: ƹ禍OÇ + sleep: + seconds: 3838288160382433952 + livenessProbe: + exec: + command: + - 8E + failureThreshold: -1052479375 + grpc: + port: 82058135 + service: S3UA2HwQaN + httpGet: + host: T0 + path: wYV6 + port: cEf + scheme: 斡1{嘫b葎剜屙唯皎図Ǜ錮ơxȒt駦Ƨ + initialDelaySeconds: -1976610733 + periodSeconds: 436460884 + successThreshold: -949159248 + terminationGracePeriodSeconds: 1786907735670591108 + timeoutSeconds: -2035324376 + name: 0ygO + readinessProbe: + exec: + command: + - "" + - YQ + failureThreshold: 1469514474 + grpc: + port: -1835111333 + service: 5WmTypZfT + httpGet: + host: BDf + path: ZY + port: tyrBXIqhX + scheme: 趬扬鉰昵 + initialDelaySeconds: -683847692 + periodSeconds: -95594828 + successThreshold: -1707399501 + terminationGracePeriodSeconds: 3256417681193515380 + timeoutSeconds: -2088454060 + resources: + limits: + zVX: "0" + restartPolicy: 晄d塮@ʥO%驮ÆgǍô + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ' 吓zǘa畷' + - 鲃ʍ瑘ƴɛjV艑ǔpMK杣Ġ + privileged: true + procMount: zɱÙŭǫäƿ诧聉ń醽Ƥ裩5 + readOnlyRootFilesystem: true + runAsGroup: -2381715627246700598 + runAsNonRoot: false + runAsUser: 6590063474480015904 + startupProbe: + exec: + command: + - "9" + - oRMM2F + - "" + failureThreshold: -1711876939 + grpc: + port: 1138187974 + service: OvdS + httpGet: + host: GZWJ + path: vzJeBCvGMHn7 + port: h9p1Pak + initialDelaySeconds: 447733263 + periodSeconds: 1805541821 + successThreshold: -1114184264 + terminationGracePeriodSeconds: 2730048172651207780 + timeoutSeconds: -1850805595 + terminationMessagePath: GK8 + terminationMessagePolicy: ɾDŽ÷郃ɻ玗璺,4 + volumeDevices: + - devicePath: bLf + name: UVN1o + - devicePath: fIT + name: Qiswb + - devicePath: 9b8i + name: h1 + workingDir: 1IOT +extraEnvFrom: +- configMapRef: + name: GTjM + optional: true + prefix: GSbKp + secretRef: + name: vhsV8Pl5 + optional: true +- configMapRef: + name: cvXs + optional: false + prefix: cBFtb + secretRef: + name: x9N + optional: false +- configMapRef: + name: rDSrOmdL + optional: false + prefix: 0u3 + secretRef: + name: A6PG37zBJfwNR + optional: false +extraVolumeMounts: +- mountPath: De7 + mountPropagation: 1k噟霞ƁĹ + name: 1Z2WnghTc + subPath: Ts5Ful + subPathExpr: YyidD +- mountPath: onM7c3 + mountPropagation: m=Cɬ + name: GC5ZsY07Mr + readOnly: true + subPath: Xt + subPathExpr: r6gZk +- mountPath: 8gPjX7hc + mountPropagation: ƃ柅珚ȭ能 + name: oN + subPath: auYcD + subPathExpr: aheb25w +fullnameOverride: 0BIfuN +image: + pullPolicy: õ鴀铑û + registry: RCYS61Exfql + repository: 8ZLfmymq + tag: 4BSL9iL +imagePullSecrets: +- name: h5x +ingress: + annotations: + q5IN: ehJ3uPo + zL3YTK: "3" + className: aflhQOHWYOXuZ3 + enabled: false + hosts: + - host: obOeJZKpH + - host: u1ac0 + paths: + - path: Riz + pathType: Oa0rGRl + - path: w2xzu + pathType: n2bXr + - path: a68 + pathType: S + tls: + - hosts: + - pgmng + - hosts: + - rxpJYOgPS + secretName: dMa7jxJF +initContainers: + extraInitContainers: N4zG +livenessProbe: + exec: + command: + - "8" + - hRb + - cFB + failureThreshold: -567921134 + grpc: + port: -512457609 + service: F01OY6OLj + httpGet: + host: C04PqGy + path: lMqUJbF + port: 381786117 + scheme: c隢ƖȂ賒Q'd{X旝ĤɪI,k4Ú + initialDelaySeconds: -507660572 + periodSeconds: 1912372611 + successThreshold: -232304560 + terminationGracePeriodSeconds: -4579383330955987300 + timeoutSeconds: 582403024 +nameOverride: 8dJzE +nodeSelector: + ra78: fJ +podAnnotations: + "": cuRn + qBdeU: EQv +podLabels: + O2n4u: kpFpu + g1c: XEOMg +podSecurityContext: + fsGroup: 6449559755791185949 + fsGroupChangePolicy: 慩梱ʂcƎƱ\火ɘ²ɉ_ + runAsGroup: 841256803887707704 + runAsNonRoot: true + runAsUser: -2824253868920734938 + supplementalGroups: + - 8145086042470336086 + - -5005570809576723279 +priorityClassName: JhGfjGXQ +readinessProbe: + exec: {} + failureThreshold: 1010917423 + grpc: + port: 1307350058 + service: TfOG + httpGet: + host: dKWY + path: Qr + port: -837347685 + scheme: C_ + initialDelaySeconds: -986314779 + periodSeconds: 1763110639 + successThreshold: 1473932979 + terminationGracePeriodSeconds: -4633283219964217670 + timeoutSeconds: 1291669389 +replicaCount: 308 +resources: + limits: + x6: "0" + requests: + eeR: "0" + l: "0" + xppI8xB: "0" +secret: + create: true + enterprise: + licenseSecretRef: + key: 6LDJ8t + name: 4n4q72vaO + kafka: + awsMskIamSecretKey: INqD5 + protobufGitBasicAuthPassword: SBJl + saslPassword: 78E + schemaRegistryPassword: YMuFCG7qR + schemaRegistryTlsCa: 1y5yRb6O2b + schemaRegistryTlsCert: NuhkhpMV7b + schemaRegistryTlsKey: 9zcrFj + tlsCa: 0PF + tlsCert: wArD + tlsPassphrase: bj3xqz + login: + github: + clientSecret: jdPGF7 + personalAccessToken: y6xqv + google: + clientSecret: m6FeI + groupsServiceAccount: xi1j27Lipj8 + jwtSecret: pg + oidc: + clientSecret: zbsTootC + okta: + clientSecret: rHSfT + directoryApiToken: rOXaN + redpanda: + adminApi: + password: 8c + tlsCa: CJbHIM + tlsCert: uO + tlsKey: uhB0L +secretMounts: +- defaultMode: 500 + name: 99SgdOsZD + path: AQpWvptFEk7y + secretName: B6Fq +- defaultMode: 337 + name: U + path: p44 + secretName: DddF02 +- defaultMode: 246 + name: WFd + path: UiI + secretName: tz +securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - 趩燡º嗂{踦 + - CƮ + drop: + - 殟kĔ=ņŧɋ] + privileged: false + procMount: aŻ釯fȠ埱ɺȚ + readOnlyRootFilesystem: true + runAsGroup: 4284419790643993066 + runAsNonRoot: true + runAsUser: -4828746969388386674 +service: + annotations: + L: CP + Yf: K4waOjMg + tIYLLgy: d1szIPW6xt + nodePort: 291 + port: 269 + targetPort: 479 + type: IfYfRoHRG +serviceAccount: + annotations: + 5bpPp: ponDVyZ + Ml1: "" + lt: 6VN8BRlJd + automountServiceAccountToken: true + create: true + name: z12W +strategy: + rollingUpdate: {} + type: 擺m鷾DžPĨ +tests: + enabled: true +tolerations: +- key: ka + tolerationSeconds: 2857628758439265098 + value: Ohni9QGx +topologySpreadConstraints: +- labelSelector: + matchLabels: + 3Ym: o2h5aVp + yR4PPZO: 3X + matchLabelKeys: + - vCKujB + - UqCFKCN + - Xnjfai + maxSkew: -943395897 + minDomains: 1955399000 + nodeAffinityPolicy: 噙撢馥櫱m>Q脕擏w梪 + nodeTaintsPolicy: 蝚溄鑝刉=歱Mr踄 + topologyKey: cHyq + whenUnsatisfiable: Q輒ƗȈʑǯƐ| +- labelSelector: + matchLabels: + E: lyK5b9t + UuSjduy: NcK4 + fty: iP6ai + maxSkew: 1881677866 + minDomains: -561571142 + nodeAffinityPolicy: ȫ寴ī嘌.樥'ǹs + nodeTaintsPolicy: ɇ剀ǨUǜ!俛dz餂~匹呃 + topologyKey: pCHj + whenUnsatisfiable: 尘I:Ƒ匌,騸 diff --git a/charts/redpanda/redpanda/5.9.5/charts/console/testdata/template-cases.golden.txtar b/charts/redpanda/redpanda/5.9.5/charts/console/testdata/template-cases.golden.txtar new file mode 100644 index 000000000..cf65330d4 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/console/testdata/template-cases.golden.txtar @@ -0,0 +1,24705 @@ +-- testdata/autoscaling-cpu.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + replicas: null + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + strategy: {} + template: + metadata: + annotations: + checksum/config: 4f717eb67ef3f4c7e8737af0264bfe0922c76494c9ee31f7f52c63a13b02de86 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: console + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: "" + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: console + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: console + name: configs + - name: secrets + secret: + secretName: console +--- +# Source: console/templates/hpa.yaml +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +spec: + maxReplicas: 100 + metrics: + - resource: + name: cpu + target: + averageUtilization: 80 + type: Utilization + type: Resource + - resource: + name: memory + target: + averageUtilization: 10 + type: Utilization + type: Resource + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: console +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "console-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['console:8080'] + restartPolicy: Never + priorityClassName: +-- testdata/autoscaling-memory.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + replicas: null + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + strategy: {} + template: + metadata: + annotations: + checksum/config: 4f717eb67ef3f4c7e8737af0264bfe0922c76494c9ee31f7f52c63a13b02de86 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: console + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: "" + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: console + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: console + name: configs + - name: secrets + secret: + secretName: console +--- +# Source: console/templates/hpa.yaml +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +spec: + maxReplicas: 100 + metrics: + - resource: + name: cpu + target: + averageUtilization: 14 + type: Utilization + type: Resource + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: console +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "console-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['console:8080'] + restartPolicy: Never + priorityClassName: +-- testdata/autoscaling-nulls.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + replicas: null + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + strategy: {} + template: + metadata: + annotations: + checksum/config: 4f717eb67ef3f4c7e8737af0264bfe0922c76494c9ee31f7f52c63a13b02de86 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: console + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: "" + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: console + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: console + name: configs + - name: secrets + secret: + secretName: console +--- +# Source: console/templates/hpa.yaml +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +spec: + maxReplicas: 100 + metrics: + - resource: + name: cpu + target: + averageUtilization: 80 + type: Utilization + type: Resource + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: console +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "console-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['console:8080'] + restartPolicy: Never + priorityClassName: +-- testdata/case-000.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: false +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + "": 31q1Pbz + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: "n" + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: HRoLg + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + "": 31q1Pbz + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: "n" + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: hvGoJL +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + "": 31q1Pbz + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: "n" + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: hvGoJL +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + "": 31q1Pbz + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: "n" + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: hvGoJL + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: "n" + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + Q9AVJD4: G9TEnp + creationTimestamp: null + labels: + "": 31q1Pbz + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: "n" + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: hvGoJL + namespace: default +spec: + replicas: 387 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: "n" + strategy: + type: Ò泆A + template: + metadata: + annotations: + checksum/config: a2b60d22337ad49c09f2108d08f05fc6590bc4b45c804adc901467f348d564e1 + lyW: mn + pjq6fDr: YA2w301 + uXvFB: VQ5gP9 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: "n" + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: Z2BpO + value: 0ggF3ha7D + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: hvGoJL + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 1028486626 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 1713123405 + periodSeconds: -1411200119 + successThreshold: -1362510905 + timeoutSeconds: 1375594715 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: + limits: + x0StjCjt: "0" + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: vQhDS + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: HRoLg + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: hvGoJL + name: configs + - name: secrets + secret: + secretName: hvGoJL + - name: 7iCCax + - name: meEH + - name: xYVSV +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "hvGoJL-test-connection" + namespace: "default" + labels: + "": 31q1Pbz + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: "n" + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['hvGoJL:8080'] + restartPolicy: Never + priorityClassName: vQhDS +-- testdata/case-001.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Sh + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: T50cZi + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Sh + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: T50cZi +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Sh + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: T50cZi +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Sh + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: T50cZi + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: Sh + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Sh + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: T50cZi + namespace: default +spec: + replicas: 414 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: Sh + strategy: {} + template: + metadata: + annotations: + checksum/config: 6eb5d8456a652d5006051c8425191238a1a7d39e93a9336b0cc8ca98963c2dbd + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: Sh + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: 3Nf + value: vATdo0CH + valueFrom: + configMapKeyRef: + key: IRw5 + name: fa + fieldRef: + apiVersion: 93Fjhay + fieldPath: LRa2I + - name: T0 + value: trXO4 + - name: P9hPooVH + value: yii5lolb + valueFrom: + configMapKeyRef: + key: spAKa + name: U0EYAAe0 + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: T50cZi + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - image: LlCU3if + imagePullPolicy: RɷVȄ×ʤǫĠ侻Ɏźx跻Å榜 + lifecycle: {} + name: l0 + resources: {} + securityContext: + allowPrivilegeEscalation: true + privileged: true + startupProbe: + exec: {} + failureThreshold: -1510490758 + initialDelaySeconds: 112782468 + periodSeconds: -738545847 + successThreshold: -1801864225 + timeoutSeconds: 1026753125 + terminationMessagePath: gCG + terminationMessagePolicy: hmƂÚÕʏ疅耪鯉瓉Ɏ煐8qĺ + tty: true + workingDir: ixD7Jq + imagePullSecrets: [] + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: {} + priorityClassName: NyOpfr + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: T50cZi + tolerations: + - effect: Mǣ鍙x奬Ø裗Ʈ唿踣ʘ)ɒâÄ + key: AWx + operator: yīÄLJʑʢ避 + value: cO + - effect: ï楡ɜƐf鱖À夹ǙȤK + key: Gk23T + operator: è6槈$_ȋ6}rvĕ曉¸顋ŀÓ + value: DCkzy + - effect: 蠯u牰ŇɔnÜȎĤ原H + key: qSC + operator: "n" + tolerationSeconds: -7696192156323826000 + value: z + topologySpreadConstraints: [] + volumes: + - configMap: + name: T50cZi + name: configs + - name: secrets + secret: + secretName: T50cZi +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "T50cZi-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Sh + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['T50cZi:8080'] + restartPolicy: Never + priorityClassName: NyOpfr +-- testdata/case-002.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: vN4yH7I + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: R1Yar8 + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: vN4yH7I + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: xZty +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: vN4yH7I + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: xZty +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: vN4yH7I + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: xZty + namespace: default +spec: + ports: + - name: http + port: 413 + protocol: TCP + targetPort: 267 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: vN4yH7I + type: ILpSX2Cy +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: vN4yH7I + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: xZty + namespace: default +spec: + replicas: 417 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: vN4yH7I + strategy: {} + template: + metadata: + annotations: + 8vRMfVroYC2: QXbUbLea + VV4w: s4sL + checksum/config: 69703ab54946efe744831224dacdb980663f666d8fa5be794fb800135f91d11f + upwTMuIqflmD: 9J0H45zXX + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: vN4yH7I + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: xZty + envFrom: + - prefix: cfVf + secretRef: + name: ha + - prefix: i2E2Jvnc + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 267 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: + limits: + 27ywV: "0" + nMnjjF4kM: "0" + xar2JX: "0" + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - mountPath: Y40 + mountPropagation: $寕洦敬苖ēRõøȀ + name: vn5hd + readOnly: true + subPath: oXCY9 + subPathExpr: p + imagePullSecrets: + - {} + - name: YPVBzxvx + initContainers: [] + nodeSelector: {} + priorityClassName: TeCy + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: R1Yar8 + tolerations: + - effect: ǩ趥螏|F8ǻĬ嵍Ğ错ʂĺƠǷ俆峻噸 + key: b + operator: wąȹV{İ刡嚮ȜJ + value: ZuTw + - effect: D稕栥[Ǟ$焫昲 + key: NnhmxYy + operator: Xʀ + value: v65W + - effect: 岂bĤ晏#DĢº + key: MOgT + operator: 礩懜蹻ǍBȟvɸ堊 + value: 3iXh + topologySpreadConstraints: [] + volumes: + - configMap: + name: xZty + name: configs + - name: secrets + secret: + secretName: xZty +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "xZty-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: vN4yH7I + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - {} + - name: YPVBzxvx + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['xZty:413'] + restartPolicy: Never + priorityClassName: TeCy +-- testdata/case-003.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: w6 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 8nE + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: w6 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 8nE +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: Fb + kafka-sasl-aws-msk-iam-secret-key: SrYY84t + kafka-sasl-password: xCc3TeVY + kafka-schema-registry-password: ovCqxwz9Bf + kafka-schemaregistry-tls-ca: JL + kafka-schemaregistry-tls-cert: cS + kafka-schemaregistry-tls-key: UMwYx4F + kafka-tls-ca: HFpsnPdw + kafka-tls-cert: hseIt + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: w6 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 8nE + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: w6 + type: ClusterIP +--- +# Source: console/templates/ingress.yaml +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: w6 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 8nE +spec: + ingressClassName: EqUYi + rules: + - host: bKQCmfZ + http: + paths: null + - host: djItx5GtejC6 + http: + paths: null + - host: 2wLaQU8 + http: + paths: null + tls: + - hosts: + - V8BpuMCig + - 7LqG4w92 + - el3u4v + secretName: nUlu5bMwB8 + - hosts: + - 4HLzq + - 2i4g + secretName: lSgQIKwj5 +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "8nE-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: w6 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['8nE:8080'] + restartPolicy: Never + priorityClassName: HNqN9h2 +-- testdata/case-004.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + "": PtQ7JxIAdPjt + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: YMl + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console-YMl + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + "": PtQ7JxIAdPjt + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: YMl + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console-YMl +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + "": PtQ7JxIAdPjt + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: YMl + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console-YMl +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + "": PtQ7JxIAdPjt + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: YMl + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console-YMl + namespace: default +spec: + ports: + - name: http + port: 112 + protocol: TCP + targetPort: 173 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: YMl + type: dO7eovC +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + "": PtQ7JxIAdPjt + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: YMl + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console-YMl + namespace: default +spec: + replicas: 261 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: YMl + strategy: + type: ɡv?ĨJ姯ɚƟć匪cb + template: + metadata: + annotations: + 1iK8Ic: Qo3FCg9qi + 63SsVxDT: v + A1Q4J4: U9jygY2t1F + checksum/config: 5f83295c905c2d3c9fea06172a38428a89334248aea9df0ebd8b589a29afeb4f + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: YMl + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: {} + weight: -1713447377 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: null + podAntiAffinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: console-YMl + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 173 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - mountPath: Oj + name: QmzFlXE + subPath: "" + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: JT0MK + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: console-YMl + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: console-YMl + name: configs + - name: secrets + secret: + secretName: console-YMl + - name: QmzFlXE + secret: + defaultMode: 197 + secretName: 7gi +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "console-YMl-test-connection" + namespace: "default" + labels: + "": PtQ7JxIAdPjt + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: YMl + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['console-YMl:112'] + restartPolicy: Never + priorityClassName: JT0MK +-- testdata/case-005.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: MW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: pN + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: MW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: pN +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: R4Zj + login-github-personal-access-token: N85av + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: enei1WIcV + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: MW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: pN + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: MW + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: MW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: pN + namespace: default +spec: + replicas: 396 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: MW + strategy: {} + template: + metadata: + annotations: + checksum/config: 74234e98afe7498fb5daf1f36ac2d78acc339464f950703b8c019892f982b90b + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: MW + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: pN + - name: LOGIN_GITHUB_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-github-oauth-client-secret + name: pN + - name: LOGIN_GITHUB_DIRECTORY_PERSONALACCESSTOKEN + valueFrom: + secretKeyRef: + key: login-github-personal-access-token + name: pN + - name: LOGIN_OIDC_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-oidc-client-secret + name: pN + envFrom: [] + image: 7iw15D/RnJFs0:OQDirE + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: -1921365096 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -1548958176 + periodSeconds: -1952555242 + successThreshold: -1289242499 + timeoutSeconds: -265051013 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - mountPath: JU4z + name: QEJyD + subPath: ZBEy2m0m + subPathExpr: S1Kk + - mountPath: RjUw5sX7NP + name: ett1n + subPath: NmZKwz + subPathExpr: QOMT + imagePullSecrets: + - name: ATcT6Hd + - name: l15Hhw + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: {} + priorityClassName: KnLhcy2cw + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: pN + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: pN + name: configs + - name: secrets + secret: + secretName: pN +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "pN-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: MW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - name: ATcT6Hd + - name: l15Hhw + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['pN:8080'] + restartPolicy: Never + priorityClassName: KnLhcy2cw +-- testdata/case-006.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: false +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: gCH15URsJZr + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: nd7TSb2mNTS + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: gCH15URsJZr + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: rzd +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: G + kafka-sasl-aws-msk-iam-secret-key: 1tq + kafka-sasl-password: K8kPgIp6 + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: Zr + kafka-schemaregistry-tls-cert: KN + kafka-schemaregistry-tls-key: t + kafka-tls-ca: CQ + kafka-tls-cert: 6xZ8 + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: gCH15URsJZr + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: rzd +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: gCH15URsJZr + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: rzd + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: gCH15URsJZr + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: gCH15URsJZr + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: rzd + namespace: default +spec: + replicas: 176 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: gCH15URsJZr + strategy: {} + template: + metadata: + annotations: + checksum/config: f55f3fdc49a4774db4d2377ea9b69fd8da2a190ef99f7fb31aeb393215f878cc + s2D: DMU7 + creationTimestamp: null + labels: + CoBI: 20aOZaZvs + app.kubernetes.io/instance: console + app.kubernetes.io/name: gCH15URsJZr + e0xqmoOD: Nb5V + ylGQE: p + spec: + affinity: + podAffinity: {} + podAntiAffinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: KAFKA_SASL_PASSWORD + valueFrom: + secretKeyRef: + key: kafka-sasl-password + name: rzd + - name: KAFKA_PROTOBUF_GIT_BASICAUTH_PASSWORD + valueFrom: + secretKeyRef: + key: kafka-protobuf-git-basicauth-password + name: rzd + - name: KAFKA_SASL_AWSMSKIAM_SECRETKEY + valueFrom: + secretKeyRef: + key: kafka-sasl-aws-msk-iam-secret-key + name: rzd + - name: KAFKA_TLS_CAFILEPATH + value: /etc/console/secrets/kafka-tls-ca + - name: KAFKA_TLS_CERTFILEPATH + value: /etc/console/secrets/kafka-tls-cert + - name: KAFKA_SCHEMAREGISTRY_TLS_CAFILEPATH + value: /etc/console/secrets/kafka-schemaregistry-tls-ca + - name: KAFKA_SCHEMAREGISTRY_TLS_CERTFILEPATH + value: /etc/console/secrets/kafka-schemaregistry-tls-cert + - name: KAFKA_SCHEMAREGISTRY_TLS_KEYFILEPATH + value: /etc/console/secrets/kafka-schemaregistry-tls-key + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: rzd + envFrom: [] + image: zT38Q/V:iSGm6MT1 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + PY: "0" + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - mountPath: 5uhd1qMX + mountPropagation: ȵS鈛ZQì暗 + name: "N" + readOnly: true + subPath: lbeciOZZ + subPathExpr: Pd88cwE + - mountPath: yVo + mountPropagation: ÑƇ[嫨ĸŁ幵鿯它(ȡ~嘶ƌO情=į臺 + name: Z + readOnly: true + subPath: Nrqx + subPathExpr: Q4ChfT + imagePullSecrets: [] + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: {} + priorityClassName: 1x11c0q + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: nd7TSb2mNTS + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: rzd + name: configs + - name: secrets + secret: + secretName: rzd +-- testdata/case-007.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: false +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: HWL + app.kubernetes.io/version: v2.7.0 + cV05TKdtF: 55lItpeJD + h: 1Y7dqm4wZL + helm.sh/chart: console-0.7.29 + name: RFjc7 + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: HWL + app.kubernetes.io/version: v2.7.0 + cV05TKdtF: 55lItpeJD + h: 1Y7dqm4wZL + helm.sh/chart: console-0.7.29 + name: "y" +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: gp + login-google-oauth-client-secret: Ln0 + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: 3A593BjCuu + login-okta-directory-api-token: mSSz8MZ + redpanda-admin-api-password: t + redpanda-admin-api-tls-ca: QD1x71f + redpanda-admin-api-tls-cert: 744Ysvi + redpanda-admin-api-tls-key: 56VaHh +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + role-bindings.yaml: |- + roleBindings: + - "": null + 5w1YcAu: null +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: HWL + app.kubernetes.io/version: v2.7.0 + cV05TKdtF: 55lItpeJD + h: 1Y7dqm4wZL + helm.sh/chart: console-0.7.29 + name: "y" +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: HWL + app.kubernetes.io/version: v2.7.0 + cV05TKdtF: 55lItpeJD + h: 1Y7dqm4wZL + helm.sh/chart: console-0.7.29 + name: "y" + namespace: default +spec: + ports: + - name: http + port: 286 + protocol: TCP + targetPort: 404 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: HWL + type: Vvrvx +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: HWL + app.kubernetes.io/version: v2.7.0 + cV05TKdtF: 55lItpeJD + h: 1Y7dqm4wZL + helm.sh/chart: console-0.7.29 + name: "y" + namespace: default +spec: + replicas: 103 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: HWL + strategy: {} + template: + metadata: + annotations: + checksum/config: 37ddb9195e66f6743cc901bea8e2e2db0492fbf3e78355ffe8c7f2395ece1e90 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: HWL + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: qY0f + value: Wu + - name: 9zVp + value: g + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: "y" + - name: LOGIN_GOOGLE_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-google-oauth-client-secret + name: "y" + - name: LOGIN_GOOGLE_DIRECTORY_SERVICEACCOUNTFILEPATH + value: /etc/console/secrets/login-google-groups-service-account.json + - name: LOGIN_OKTA_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-okta-client-secret + name: "y" + - name: LOGIN_OKTA_DIRECTORY_APITOKEN + valueFrom: + secretKeyRef: + key: login-okta-directory-api-token + name: "y" + - name: REDPANDA_ADMINAPI_PASSWORD + valueFrom: + secretKeyRef: + key: redpanda-admin-api-password + name: "y" + - name: REDPANDA_ADMINAPI_TLS_CAFILEPATH + value: /etc/console/secrets/redpanda-admin-api-tls-ca + - name: REDPANDA_ADMINAPI_TLS_KEYFILEPATH + value: /etc/console/secrets/redpanda-admin-api-tls-key + - name: REDPANDA_ADMINAPI_TLS_CERTFILEPATH + value: /etc/console/secrets/redpanda-admin-api-tls-cert + envFrom: + - configMapRef: + name: OUS + optional: true + prefix: YWvtgT + - configMapRef: + name: 4xZZ + prefix: Djbp99U + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 1105213631 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -1727299217 + periodSeconds: -579129147 + successThreshold: -1278687101 + timeoutSeconds: -603846855 + name: console + ports: + - containerPort: 404 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 114758306 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 457836757 + periodSeconds: -1914503008 + successThreshold: 1926018786 + timeoutSeconds: 458769630 + resources: + requests: + 4P1f3: "0" + DmuY: "0" + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: + CAy: 19kW + R2z: OpcDywz9x + priorityClassName: rs + securityContext: + fsGroup: 99 + fsGroupChangePolicy: 驸Ǩiµ慷泱世 + runAsGroup: 6873387834465682000 + runAsUser: 7937848737866681000 + sysctls: + - name: mp + value: SkIvFN + - name: E + value: RknyuPB + - name: kcY + value: us1 + serviceAccountName: RFjc7 + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: "y" + name: configs + - name: secrets + secret: + secretName: "y" + - name: dCz +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "y-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: HWL + app.kubernetes.io/version: v2.7.0 + cV05TKdtF: 55lItpeJD + h: 1Y7dqm4wZL + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['y:286'] + restartPolicy: Never + priorityClassName: rs +-- testdata/case-008.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: RW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: YcV5zP8 + namespace: default +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: RW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: GbgHqD +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: RW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: GbgHqD + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: RW + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + hfXF: v4uLEC6f8m + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: RW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: GbgHqD + namespace: default +spec: + replicas: 475 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: RW + strategy: + rollingUpdate: {} + type: 堯飉J侚桤 合w犌ŝ|#è:(蹝Ƀy輐 + template: + metadata: + annotations: + BTlN: z8t + a: Pqjhw + checksum/config: 1ba99bb938e262d91c73069e0caf6c1ce45d5e92491a50db9d1af5d59db59aed + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: RW + spec: + affinity: {} + automountServiceAccountToken: false + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: [] + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 1421249778 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 1194618095 + periodSeconds: 1245060237 + successThreshold: -641096828 + timeoutSeconds: -617099936 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: -10750427 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 208988771 + periodSeconds: -2096658971 + successThreshold: -233405863 + timeoutSeconds: 2042765580 + resources: {} + securityContext: + procMount: ȃ蘗ʮǺ踰蒐佛桸gɋ + readOnlyRootFilesystem: false + runAsGroup: 5367218369967094000 + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: 0fXQqWA96 + securityContext: + fsGroup: 99 + fsGroupChangePolicy: ǶȚ/廻 + runAsGroup: 3241750191956122000 + runAsNonRoot: false + runAsUser: 2693812519144067600 + supplementalGroups: + - -7558357415363805000 + - -9152494874115652000 + - -906805565867492900 + sysctls: + - name: CBe8XsS + value: bh + - name: pUYyG9c + value: xPm1 + serviceAccountName: YcV5zP8 + tolerations: [] + topologySpreadConstraints: + - maxSkew: -722842418 + nodeTaintsPolicy: uã链掎ŏȅ噘籥邟澶N3-昃嗽(七|犘 + topologyKey: vq + whenUnsatisfiable: Ȭť'Ùt苷ŲĤ蘝 + - labelSelector: {} + maxSkew: 1436245353 + nodeAffinityPolicy: 0ʠƃ氁ʆZ + topologyKey: t + whenUnsatisfiable: x叾džʜƽ耨 + - labelSelector: {} + matchLabelKeys: + - 6T2 + - FqrwFd + maxSkew: -172720268 + nodeAffinityPolicy: 觏败TʙȎ喧5婬ȑªgȢ'!ÅWp襎 + nodeTaintsPolicy: ÛB¹]ʐ梳Ě + topologyKey: VyU9 + whenUnsatisfiable: 烹wɹȐN坿¨叻ʊ鴥/Ŭ屎釽C欼 + volumes: + - configMap: + name: GbgHqD + name: configs +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "GbgHqD-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: RW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['GbgHqD:8080'] + restartPolicy: Never + priorityClassName: 0fXQqWA96 +-- testdata/case-009.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: BKV + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: l1Bnpx + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: BKV + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: l1Bnpx +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + efgehQaV5UI0y: GymqDudh + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: BKV + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: l1Bnpx + namespace: default +spec: + ports: + - name: http + port: 229 + protocol: TCP + targetPort: 85 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: BKV + type: yZy +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: BKV + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: l1Bnpx + namespace: default +spec: + replicas: 315 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: BKV + strategy: {} + template: + metadata: + annotations: + checksum/config: 74234e98afe7498fb5daf1f36ac2d78acc339464f950703b8c019892f982b90b + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: BKV + spec: + affinity: + nodeAffinity: {} + podAffinity: {} + podAntiAffinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: l1Bnpx + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: -1420734522 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 753838163 + periodSeconds: -444344576 + successThreshold: -1003403229 + timeoutSeconds: -172453343 + name: console + ports: + - containerPort: 85 + name: http + protocol: TCP + readinessProbe: + failureThreshold: -286281002 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 138566964 + periodSeconds: -361700659 + successThreshold: 422528479 + timeoutSeconds: 352721839 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - mountPath: xShE + name: yWBr98zs1 + subPath: "" + - mountPath: Wnbf + name: qUQ5 + subPath: "" + - mountPath: fgV + name: hpqapQJQ + subPath: "" + imagePullSecrets: + - name: x42RbB4KLm + initContainers: [] + nodeSelector: + OBRBvRK: hMXDLGN5 + ky: sv + priorityClassName: p0ShP6Yru + securityContext: + fsGroup: 99 + fsGroupChangePolicy: 灆Zeɪ霅ǭɒ<ǖ韆 + runAsGroup: -2394155475284911600 + runAsNonRoot: true + runAsUser: 99 + supplementalGroups: + - 802667379359895800 + - 8316082600801372000 + serviceAccountName: l1Bnpx + tolerations: [] + topologySpreadConstraints: + - maxSkew: -73453467 + minDomains: 326628755 + nodeAffinityPolicy: "" + topologyKey: zWgGRC + whenUnsatisfiable: 黚堳ʈ¡ + volumes: + - configMap: + name: l1Bnpx + name: configs + - name: secrets + secret: + secretName: l1Bnpx + - name: yWBr98zs1 + secret: + defaultMode: 414 + secretName: YMpib3J + - name: qUQ5 + secret: + defaultMode: 402 + secretName: Pw8 + - name: hpqapQJQ + secret: + defaultMode: 410 + secretName: 1JLIOjZI8 +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "l1Bnpx-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: BKV + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - name: x42RbB4KLm + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['l1Bnpx:229'] + restartPolicy: Never + priorityClassName: p0ShP6Yru +-- testdata/case-010.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: + TTsn5: s3xEhO + tZiUN: CtjX + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: JFcK + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: kIzbDF + namespace: default +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: JFcK + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: ivK + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: JFcK + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: JFcK + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: ivK + namespace: default +spec: + replicas: 250 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: JFcK + strategy: {} + template: + metadata: + annotations: + checksum/config: 74234e98afe7498fb5daf1f36ac2d78acc339464f950703b8c019892f982b90b + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: JFcK + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: hu5a9Q0m + operator: Ʊ飁Ɲŗʫf + values: + - fDVpOP + - fUBu2Zhz + matchFields: + - key: zOA + operator: 豔|Ĺ霱鑕yȮM錕陰蔆 + - key: uqlr1 + operator: ʏ + weight: -157546286 + - preference: + matchExpressions: + - key: yI2tB1c6Om + operator: 槼湝@)萢=\Ɇ剋Ś>(.aC俥?蔔 + values: + - 5QB3 + - C + - key: IhL2k3 + operator: "" + matchFields: + - key: Kn1 + operator: q'ʏC効L¶ƋMʐģƥƝnĤe + weight: -1818860211 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - {} + podAffinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LICENSE + valueFrom: + secretKeyRef: + key: 6Y + name: juyv + envFrom: [] + image: 4A/0YeLdES:1a4iH + imagePullPolicy: "" + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 1992527736 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 1233698472 + periodSeconds: 1177961840 + successThreshold: -1634725396 + timeoutSeconds: -1493252430 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: C3nMA + name: 0sxSVsP + readOnly: true + subPath: V + subPathExpr: 1E5cYdMw + - env: + - name: nE8 + value: hFfGzdv + valueFrom: + configMapKeyRef: + key: 9Sc + name: kviW + fieldRef: + fieldPath: bzL + resourceFieldRef: + containerName: ky9X6 + divisor: "0" + resource: RgwF + image: mEMnGhDi + imagePullPolicy: <Ǐ(嬘箓閁1_Y.脯鮉娇腾1 + name: ZyDivTyKOX + readinessProbe: + failureThreshold: 368214623 + initialDelaySeconds: 1711545214 + periodSeconds: -1669571514 + successThreshold: 830602444 + timeoutSeconds: -1406663042 + resources: + requests: + Ta: "0" + restartPolicy: M#L粓Ojw+ĸɊcƗ镃聆琮ǘ滂W + stdin: true + terminationMessagePath: 7hyobl + terminationMessagePolicy: gŜĶ蔓林驲%嶄ʚ轿竷 + volumeDevices: + - devicePath: zlgauG + name: Uy7Ds5N + - devicePath: pturCrgNMxS + name: "1" + volumeMounts: + - mountPath: 2ftw3U97pI + mountPropagation: ǮmW + name: NeLq9zvIQ + subPath: 5XYnpNAb + subPathExpr: rAeHuQk + - mountPath: aOj5TCBKn + name: DWFR + subPath: G + - mountPath: ovoJMYcQZ7 + mountPropagation: ɷ&娈瘱 + name: o6QaPD8 + subPath: rIo + subPathExpr: j0F1wa + workingDir: tj + - env: + - name: KO7zek + value: AE8r + valueFrom: {} + envFrom: + - prefix: T4nvtH0yCoJCx + - prefix: KaMGNcK + image: m + imagePullPolicy: 牀 + lifecycle: + preStop: + exec: {} + sleep: + seconds: -1229802121654850600 + livenessProbe: + failureThreshold: 1036399450 + grpc: + port: 1383801223 + service: nm0jd39Ta + httpGet: + host: VhafGy + path: CP9 + port: BnhNd + scheme: hxu崚奵Y + initialDelaySeconds: 141265356 + periodSeconds: 251484282 + successThreshold: 257415096 + terminationGracePeriodSeconds: 3476093234934520000 + timeoutSeconds: -1657896181 + name: UCZJ + ports: + - containerPort: 574867450 + hostPort: 156179933 + name: 0re + protocol: 頶韜»釟ţKFƂƄp錴畗~[禬B琡9 + - containerPort: -374880824 + hostPort: 1342282100 + name: OeyfSkg3EJIuD + protocol: 佃ŦŬ穷唂&2ŌĜ,gF躊貀j寝ô + readinessProbe: + failureThreshold: 978947885 + httpGet: + host: A + path: Ngfyt + port: "" + scheme: Í蠕窩獙 + initialDelaySeconds: 60101484 + periodSeconds: 1102760384 + successThreshold: 1260060937 + terminationGracePeriodSeconds: 1157546254675437000 + timeoutSeconds: -465800822 + resizePolicy: + - resourceName: P6b56 + restartPolicy: 冿÷Ý萦{[P貍ȕ,Sɕ錼 + - resourceName: azLsfqbuYlr + restartPolicy: 蒃Ký阹ǒ1T獽蛍峸伦ƨ(Ƭ-央á + - resourceName: skOpL + restartPolicy: 鸿dŶ徥w^ȏ嘳Ƙ唓Ęɸ-ɫ鷠C + resources: {} + terminationMessagePath: vmp + terminationMessagePolicy: Ƒh庛ʘ$8L藑奾ń4說 + workingDir: rgrA + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: x0ISc2 + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: kIzbDF + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: ivK + name: configs +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "ivK-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: JFcK + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['ivK:8080'] + restartPolicy: Never + priorityClassName: x0ISc2 +-- testdata/case-011.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + JwK5MKTa: WW + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Cy9eHCiP + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + v7E: 1g6JB + name: hbe + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + JwK5MKTa: WW + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Cy9eHCiP + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + v7E: 1g6JB + name: hbe +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + JwK5MKTa: WW + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Cy9eHCiP + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + v7E: 1g6JB + name: hbe +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + "": NbuyvXjW + 2CTz: vRGLHMO53rD + yLzpKqz: uBjXvD + creationTimestamp: null + labels: + JwK5MKTa: WW + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Cy9eHCiP + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + v7E: 1g6JB + name: hbe + namespace: default +spec: + ports: + - name: http + port: 478 + protocol: TCP + targetPort: 90 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: Cy9eHCiP + type: sl +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + pJ: f0brcnhV + creationTimestamp: null + labels: + JwK5MKTa: WW + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Cy9eHCiP + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + v7E: 1g6JB + name: hbe + namespace: default +spec: + replicas: 65 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: Cy9eHCiP + strategy: {} + template: + metadata: + annotations: + checksum/config: 0ebeace369c9c96d75109609694bd464d6c28c2e8d1fcbd96529ef96d4ba0ec5 + creationTimestamp: null + labels: + "2": RgUAFm + D2V: V80aQ + app.kubernetes.io/instance: console + app.kubernetes.io/name: Cy9eHCiP + spec: + affinity: + podAffinity: {} + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: {} + matchLabelKeys: + - E9nCu6aLM + topologyKey: PfPCGvStt + weight: -1379963896 + - podAffinityTerm: + namespaceSelector: {} + topologyKey: CgA4 + weight: -726546395 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: ijh1hJb + operator: ƏŧD續筚朊 + values: + - BOfF5xB + - 3iu4 + - key: "93" + operator: Dij%{欬ɽ + - key: NEd + operator: ÿD + values: + - r + - B7E1BoYQ4Njb + - BTV + matchLabelKeys: + - FuyLvc + - Lh60qi + namespaceSelector: + matchExpressions: + - key: w + operator: 嘑 + - key: eQ6nY99xw + operator: H辄萟蘎Ÿ塪²;暃 + - key: 8JrCFA + operator: "" + values: + - wVO + topologyKey: ByO + - namespaceSelector: {} + topologyKey: b21 + - namespaces: + - Ifv + topologyKey: F9j5 + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: XW + value: PCPsJt + valueFrom: + configMapKeyRef: + key: Zk0vTu6kC + name: d9zm3 + optional: false + secretKeyRef: + key: mRF + name: CW + optional: false + - name: loir2K + value: Ti0q + - name: lAxIKF7cbLlc + value: 1ksS + valueFrom: + fieldRef: + apiVersion: 8i2Z + fieldPath: vD7H + resourceFieldRef: + containerName: yqY + divisor: "0" + resource: ebRDAl + secretKeyRef: + key: E9514U + name: g3Rbzs + optional: false + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: hbe + envFrom: + - configMapRef: + name: d + prefix: Fl1 + secretRef: + name: X8xDu + optional: true + - prefix: M + secretRef: + name: 10or1C2m + optional: false + - configMapRef: + name: BBj + optional: false + prefix: Xy + secretRef: + name: ZA3 + image: gjR/U:Tl0EP + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 653767212 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 832425522 + periodSeconds: -1810991482 + successThreshold: 1954581711 + timeoutSeconds: -574178850 + name: console + ports: + - containerPort: 90 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 1745353710 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 1504484890 + periodSeconds: -846859037 + successThreshold: -1564014824 + timeoutSeconds: 888372342 + resources: + requests: + "Y": "0" + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - mountPath: 2Qy8k + name: n4BPeF + subPath: "" + - mountPath: O + mountPropagation: ŜQLhlkU穒´宕Ïůŝƪ + name: JeSPIB + readOnly: true + subPath: RTiJ + subPathExpr: wad + - mountPath: QV6Kf + name: Pj7R + subPath: qBOd + subPathExpr: kN3Uujt + imagePullSecrets: [] + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: + HC7: EI8 + priorityClassName: sJXoA3V + securityContext: + fsGroup: 4103142176308445000 + fsGroupChangePolicy: Ő6­撱悤ÅC`碸 + runAsUser: 9170579519391071000 + sysctls: + - name: 4OKA + value: P7ouRq + - name: iD9Oz + value: gL6ARE + serviceAccountName: hbe + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: hbe + name: configs + - name: secrets + secret: + secretName: hbe + - name: n4BPeF + secret: + defaultMode: 12 + secretName: auIr +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "hbe-test-connection" + namespace: "default" + labels: + JwK5MKTa: WW + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Cy9eHCiP + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + v7E: 1g6JB + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['hbe:478'] + restartPolicy: Never + priorityClassName: sJXoA3V +-- testdata/case-012.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Qr03ts + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: tmn2Kt + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Qr03ts + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: tmn2Kt +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Qr03ts + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: tmn2Kt +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Qr03ts + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: tmn2Kt + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: Qr03ts + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + v: D + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Qr03ts + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: tmn2Kt + namespace: default +spec: + replicas: 407 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: Qr03ts + strategy: + rollingUpdate: {} + type: 9Cɠ+餌µ骽O惠LƬɇɦ鉍挶 + template: + metadata: + annotations: + checksum/config: f03a44f92485e3dfb6772dc84dec7c868a151f08fa5c04332bebe63251290ce5 + creationTimestamp: null + labels: + "": S7BNyT + app.kubernetes.io/instance: console + app.kubernetes.io/name: Qr03ts + r1F: Fsc + yeY4LjT: MRlwtd + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: tmn2Kt + envFrom: + - prefix: RyT9JuZ + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 666524470 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 1841184951 + periodSeconds: 465079780 + successThreshold: -1928046688 + timeoutSeconds: 1377323766 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + allowPrivilegeEscalation: false + privileged: true + readOnlyRootFilesystem: false + runAsGroup: -6536894786619940000 + runAsNonRoot: false + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - command: + - "" + - 7yJE + envFrom: + - prefix: kRXk + secretRef: + name: TJsCapqoxl + - prefix: ucUEP + secretRef: + name: 1zCfpPiVt9o + optional: true + image: hwJ + imagePullPolicy: dh + name: Ody4zqt + readinessProbe: + exec: {} + failureThreshold: 1607990521 + grpc: + port: 2033135747 + service: "" + initialDelaySeconds: -889776869 + periodSeconds: -35190825 + successThreshold: -958310065 + terminationGracePeriodSeconds: 3166888730011246600 + timeoutSeconds: 806015074 + resources: + requests: + mg2KyOVo97: "0" + restartPolicy: 档媘řĖ焘傐Yʮ,+Ƽ梽讫ƭ焇 + securityContext: + readOnlyRootFilesystem: true + runAsGroup: -2035296945120192500 + stdinOnce: true + terminationMessagePolicy: '*.Q' + workingDir: 0g9 + - command: + - ktel2 + - 2gO + image: Kq1K2HexLL + imagePullPolicy: 蟫黳jª0狫ĝ| + lifecycle: + postStart: + exec: + command: + - I + name: XmcrosJ9Art + resizePolicy: + - resourceName: 8dOXgKMh + restartPolicy: T@罞 + resources: + limits: + Qf424: "0" + UkBWyCgR: "0" + yS9FH: "0" + securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - Ǐ蟯ƛU賊稁uv/u讎胗< + - 1湹 + privileged: false + readOnlyRootFilesystem: false + runAsGroup: -281571585037868400 + runAsUser: 8469885005475494000 + stdin: true + stdinOnce: true + terminationMessagePath: 6ii28 + terminationMessagePolicy: ȊGī3慺Ŏ + volumeDevices: + - devicePath: "" + name: lqvpF + - devicePath: 3vTez + name: pD6EOo + workingDir: QEqnPlY6YE + - args: + - eiyTiCxBp + envFrom: + - configMapRef: + name: uxUzs + prefix: 0Oq + secretRef: + name: ahghhjB + - configMapRef: + name: yjx + prefix: cOCr6ajjpSTT + - configMapRef: + name: "4" + prefix: 0XtWv + secretRef: + name: oKDQ + image: PV + imagePullPolicy: d?遼gŜT纬ɷšǧ餝Ƨ + livenessProbe: + exec: {} + failureThreshold: 746140291 + grpc: + port: 1197495917 + service: "" + httpGet: + host: x78yAB + path: P5mSLs + port: Cb2 + scheme: 儰试9ȷǴ燀ǃ¦籇射,ǠöcƲ伙 + initialDelaySeconds: 1418617842 + periodSeconds: 187037501 + successThreshold: -1821323321 + timeoutSeconds: -894994792 + name: ToH + resizePolicy: + - resourceName: 7Ut8kM + restartPolicy: gěǏ* + - resourceName: gvoJz7 + restartPolicy: ł0Iɷ»u诎żȋ貏C炭 + - resourceName: VpTvtNnJOw + restartPolicy: 阠eR'k.Ơ糦啮ŋ睷N譺 + resources: + limits: + cYhO6a: "0" + startupProbe: + exec: {} + failureThreshold: -1040244189 + grpc: + port: 1921669257 + service: Me + httpGet: + host: 5fL4Z + path: BwLac + port: SKrb2z + scheme: ľ<Ƽ浳s剪ɍ + initialDelaySeconds: -1064995957 + periodSeconds: 230643461 + successThreshold: -1865926881 + timeoutSeconds: 1102271416 + terminationMessagePath: ZbnnI + terminationMessagePolicy: 阳壀ɀS强pŇȆDž鹩 + tty: true + volumeDevices: + - devicePath: pP2eHwth + name: S9Sy + workingDir: Z + imagePullSecrets: [] + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: {} + priorityClassName: vMcB + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: tmn2Kt + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: tmn2Kt + name: configs + - name: secrets + secret: + secretName: tmn2Kt +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "tmn2Kt-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Qr03ts + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['tmn2Kt:8080'] + restartPolicy: Never + priorityClassName: vMcB +-- testdata/case-013.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: dDkIKgMwXv + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: RttlJN + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: dDkIKgMwXv + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: RttlJN +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: dDkIKgMwXv + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: RttlJN +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: dDkIKgMwXv + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: RttlJN + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: dDkIKgMwXv + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: dDkIKgMwXv + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: RttlJN + namespace: default +spec: + replicas: 412 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: dDkIKgMwXv + strategy: {} + template: + metadata: + annotations: + checksum/config: 80fd97b611d09c692bd5e12a12d43f51c7486213c5798a4f57bb8f0866119572 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: dDkIKgMwXv + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: RttlJN + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: -225696508 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 1573121125 + periodSeconds: -1561542711 + successThreshold: 1804677264 + timeoutSeconds: -1540252725 + resources: + limits: + f7Jr: "0" + fl: "0" + requests: + Q4O7nA: "0" + securityContext: + privileged: true + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: -8804799239371185000 + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - mountPath: DVlVa1jiDIh5G + name: zaV + subPath: lXnque8 + subPathExpr: aFzzfyzr + - mountPath: 7VmD + name: bNuYmK + readOnly: true + subPath: zsTvmtU0 + subPathExpr: uNyQSZ + - mountPath: p + name: q3 + readOnly: true + subPathExpr: k4yfc0H + - env: + - name: bNyX + value: DpJ + valueFrom: + secretKeyRef: + key: r3ZL + name: GM2zRN8 + optional: false + - name: dS + value: u2CpI14PZ + - name: JVoNndPj + value: eCfRy + image: 9nkfM + imagePullPolicy: v洓p褾NJ翛Y/笸i洞偀fX綤鰐 + livenessProbe: + exec: + command: + - TzQ + - 5tBBhynsjV + failureThreshold: -1613952147 + httpGet: + host: gYV + path: 9qC2GovT + port: Gh + initialDelaySeconds: 1651935443 + periodSeconds: -1307313312 + successThreshold: 1553368137 + terminationGracePeriodSeconds: -4575724788805099000 + timeoutSeconds: -499895377 + name: aOBSLF + readinessProbe: + failureThreshold: 687754614 + initialDelaySeconds: -1880005074 + periodSeconds: 794268536 + successThreshold: -1510519942 + terminationGracePeriodSeconds: 3334702514671978000 + timeoutSeconds: -178867660 + resources: + requests: + hiWTQ: "0" + m7CDU: "0" + stdin: true + terminationMessagePath: Yj9V + terminationMessagePolicy: js$昦夁糎fț + tty: true + volumeMounts: + - mountPath: Xaoy + name: XuLXzMm + readOnly: true + subPath: NI8v + subPathExpr: nPRuyC + - mountPath: S + mountPropagation: ĜX鴮璫ȓĢ + name: c2o + readOnly: true + subPath: DEcziG + subPathExpr: 7UjF6H + workingDir: yPE + imagePullSecrets: [] + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: {} + priorityClassName: BDUfm1wSRDI + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: RttlJN + tolerations: + - effect: ƞ嬂 + key: wnH + operator: Ā蔥ąʏƅȑǚ缗'r~熐{Ǎ楯&鑫咂] + value: LYZYjeFUmK29wdL + - effect: 硞撤幅娰tȬ婒ĎɕÏǜ蚭馸諄W)偒½ + key: e2 + operator: bƤrZ + value: 8ssobF8u + topologySpreadConstraints: [] + volumes: + - configMap: + name: RttlJN + name: configs + - name: secrets + secret: + secretName: RttlJN +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "RttlJN-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: dDkIKgMwXv + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['RttlJN:8080'] + restartPolicy: Never + priorityClassName: BDUfm1wSRDI +-- testdata/case-014.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Vi2vH + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: h6eHrUr + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Vi2vH + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: htymHJ +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + role-bindings.yaml: |- + roleBindings: + - null +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Vi2vH + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: htymHJ +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Vi2vH + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: htymHJ + namespace: default +spec: + ports: + - name: http + port: 41 + protocol: TCP + targetPort: 168 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: Vi2vH + type: Oiwzbmtjpb +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "htymHJ-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Vi2vH + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['htymHJ:41'] + restartPolicy: Never + priorityClassName: rcxHoi +-- testdata/case-015.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: + IH: 3W + K5hNNf: "" + r: 9cmm + creationTimestamp: null + labels: + B0Pmybnj: gh8 + MdyMnFBP0Cd1: UUVRKbjhv + ShHkukRGF9k: KlIyX6upO + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: KD8DmV + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: zmr + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + B0Pmybnj: gh8 + MdyMnFBP0Cd1: UUVRKbjhv + ShHkukRGF9k: KlIyX6upO + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: KD8DmV + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 9RweMGWqBs +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + B0Pmybnj: gh8 + MdyMnFBP0Cd1: UUVRKbjhv + ShHkukRGF9k: KlIyX6upO + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: KD8DmV + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 9RweMGWqBs +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + B0Pmybnj: gh8 + MdyMnFBP0Cd1: UUVRKbjhv + ShHkukRGF9k: KlIyX6upO + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: KD8DmV + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 9RweMGWqBs + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: KD8DmV + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + 2V: 50l + jFB7K: 5ZqGXdsD94 + creationTimestamp: null + labels: + B0Pmybnj: gh8 + MdyMnFBP0Cd1: UUVRKbjhv + ShHkukRGF9k: KlIyX6upO + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: KD8DmV + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 9RweMGWqBs + namespace: default +spec: + replicas: 128 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: KD8DmV + strategy: {} + template: + metadata: + annotations: + checksum/config: c07b76ad8263a0560734a09b913b4c726efe461a7f519da293467d20a90d78bf + creationTimestamp: null + labels: + FlwBgvWNMrbg5: YKgnz8q + TGDbR: 4egH + Xr8XMOk: 1DAii + app.kubernetes.io/instance: console + app.kubernetes.io/name: KD8DmV + spec: + affinity: + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 7eVqbmnw4 + operator: 屈ǧȔŗS#~¸Dd馔uÈ飏ƌĔ魼ȓ + values: + - eZapFDhb + - dBr2cD + - key: Z13Kq48NE0 + operator: ª + values: + - 03LE6GE + - key: s + operator: 箱+ʑ圼;0丢顃M媆熋熼妄瞬 + values: + - E + - jC2mNBN + matchLabels: + 4tdQRoO: Tgv + 7Apxz: EPl5 + bPvG5Bf: sCS + namespaceSelector: {} + namespaces: + - bkN0U + topologyKey: haPJ + weight: -1043017794 + - podAffinityTerm: + labelSelector: + matchLabels: + PP8DxAPJwUzY: z9RL6 + U1a: J + due4: eRc0tKn + namespaceSelector: + matchExpressions: + - key: "y" + operator: 霮ʡ`罵瀖Kʓa嚃*Q`UV邠想ɷġ + namespaces: + - M2GNeyD + - eDNVdz1ne46 + topologyKey: kQ + weight: -1134437930 + - podAffinityTerm: + namespaceSelector: + matchExpressions: + - key: SnD + operator: 6愔ȶ獧:öȰ浻珼»ǰs睑,s頀旓eX + - key: yt197hBb + operator: ȒǦ^(á咟獐赠5ĺĜ嶜庌愖V揺ɞ\Ș + values: + - pu5 + - Ywv1TEhK + - pAo + matchLabels: + "": rZ + topologyKey: WSD + weight: 613733383 + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: 4b6nMCalUl1 + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: iQE + value: Aj6RWPJE + - name: QwMCc + value: N9g6bDNI + - name: U5Qg5Qc0NWE + valueFrom: + configMapKeyRef: + key: R + name: n8 + optional: false + fieldRef: + apiVersion: zg0 + fieldPath: fNjpqJ + secretKeyRef: + key: MlF + name: h + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: 9RweMGWqBs + envFrom: [] + image: FezgEM/b4CZb:OoX + imagePullPolicy: '&Ŕ<駄AG' + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 398655641 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 1516319657 + periodSeconds: -635156272 + successThreshold: 1338596793 + timeoutSeconds: -905426079 + resources: + requests: + I: "0" + b7jbi: "0" + r1cN: "0" + securityContext: + privileged: false + procMount: d聉l蝲ɓH>狱(Ȁ胄hʍy龝Ȼ埓Y + readOnlyRootFilesystem: false + runAsGroup: 2951274493718237000 + runAsNonRoot: true + runAsUser: -1772317555576666000 + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - mountPath: y5BZm9v9L5 + name: mE9WF + readOnly: true + subPathExpr: 3vKqLj2 + imagePullSecrets: [] + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: + vy4h: rk + priorityClassName: "68" + securityContext: + fsGroup: 99 + fsGroupChangePolicy: ¶鮬眴帘ʥb豚DIĂ + runAsGroup: 4190388773600424000 + runAsUser: 99 + supplementalGroups: + - 6652209348598506000 + - 5521245057591626000 + - 6754698685787706000 + sysctls: + - name: "7" + value: vp + serviceAccountName: zmr + tolerations: + - effect: '#U媷ɑɥ±箑妌RɱfÈB矅蒟(' + key: g + operator: Řg~歟1ƹ,纙蝝垺 + tolerationSeconds: -9038490283678034000 + value: x6T1NM + - effect: ė{ɼ 5;^ʤàOKv泣0ƫ¢ + key: wdW6LI1a5 + operator: ú4ʫ-哖ýȻȣŦiĩġ膳". + tolerationSeconds: -5247520709138794000 + value: NXt + topologySpreadConstraints: + - labelSelector: + matchExpressions: + - key: dme + operator: )\鹮İ又Ȥ鏥Ĝ + matchLabels: + Cdk: atEBel + PhEVPxOjN: QTW4 + fC0YTiwm: fdAQN8t + maxSkew: 472867304 + minDomains: 1802867157 + nodeAffinityPolicy: ʈǔ聿ŶŹ&y鰜# + nodeTaintsPolicy: '"篍Ɛɰl鄱' + topologyKey: fqmSu + whenUnsatisfiable: äƟĻ鍣ųø啼ǫǷ" + - labelSelector: + matchExpressions: + - key: BEj + operator: Ɠ墳 + values: + - qBJ + - KZbk + - key: 9wxm2wFXlY + operator: ì蠁{\媽;ě8ɠ + values: + - yiuVv9DzzRse + - "N" + - z + - key: SWu + operator: Ī½曖1șWb3 + maxSkew: 774109577 + minDomains: -110979462 + nodeAffinityPolicy: 醿卨¬婾豜ʦKd` + topologyKey: 4iskW3Hbv + whenUnsatisfiable: ǮXƞ棤Ǘ + volumes: + - configMap: + name: 9RweMGWqBs + name: configs + - name: secrets + secret: + secretName: 9RweMGWqBs +--- +# Source: console/templates/ingress.yaml +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + "": ZKQ6I + ES: uo + creationTimestamp: null + labels: + B0Pmybnj: gh8 + MdyMnFBP0Cd1: UUVRKbjhv + ShHkukRGF9k: KlIyX6upO + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: KD8DmV + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 9RweMGWqBs +spec: + ingressClassName: x7Um + rules: + - host: chart-example.local + http: + paths: + - backend: + service: + name: 9RweMGWqBs + port: + number: 8080 + path: / + pathType: ImplementationSpecific + tls: + - hosts: null + secretName: Ye6 + - hosts: + - nNQW2NL + - g + - "N" + secretName: YQl +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "9RweMGWqBs-test-connection" + namespace: "default" + labels: + B0Pmybnj: gh8 + MdyMnFBP0Cd1: UUVRKbjhv + ShHkukRGF9k: KlIyX6upO + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: KD8DmV + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['9RweMGWqBs:8080'] + restartPolicy: Never + priorityClassName: 68 +-- testdata/case-016.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: SC + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: DdF7ALq + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: SC + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 6maz +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + role-bindings.yaml: |- + roleBindings: + - Q0kslM: null + - null +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: SC + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 6maz +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: SC + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 6maz + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: SC + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: SC + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 6maz + namespace: default +spec: + replicas: 331 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: SC + strategy: + rollingUpdate: {} + type: ŀ剭º(;ƍ4兖ȇ + template: + metadata: + annotations: + JYLUc483y: gTnWiG + checksum/config: e4b69acb9132e0c7dea94f0e868bb2c5850883e5487d4cca28762798c1b9dda6 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: SC + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: 2Ldss9 + operator: ?霏ƦxǰA7ȇ(堃R + values: + - Ce7pGgB5o + - B8EWZ + - key: pJKw3VVY5 + operator: 2wq6JK?Ȏ惙徵r儊ǒ嵀匫W + matchFields: + - key: EQvFQjoLm1 + operator: «/o咑澇ƉɑȨŞƙ|5時 + weight: -508343495 + - preference: + matchExpressions: + - key: VRoHsoMNa + operator: cƄábŊɕg追ĦǙȿ男)hŬ + values: + - tcCIpd9m + - FsoFrK + - key: ReH4ocoZ + operator: "" + values: + - bnUyPckbz + - AE + - njW + - key: fZBGR + operator: 租ǜ藇錼 + weight: -1003115262 + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + namespaceSelector: + matchLabels: + qGlBCw: zUBwqj2xV + zlHLG: TDTkLQOC + namespaces: + - QWFH + - TEzgQKPSQ + topologyKey: "" + weight: 682123393 + - podAffinityTerm: + labelSelector: {} + matchLabelKeys: + - 1MiHrQ + namespaceSelector: + matchExpressions: + - key: JUYumiiJFrY + operator: .ƽCDZo& + values: + - t3wDXa + - 70HCTbI6g + - C + - key: ik + operator: Œ8v + values: + - Wp + - Zf + - c2q7e + topologyKey: Sc1Q + weight: 869908297 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: ore + operator: ?ɴ$瀜蝪ĪźȀŐƌS莣幮屒n×U锇Ľ + values: + - mJM + - oc + - aU + - key: SQmv + operator: ȥī+ūĬ诧犂¹ + - key: Hh1r9 + operator: h蓟x蹵D¨谧罬 + matchLabelKeys: + - mDk + - Hki8 + topologyKey: x2q0Rx1f1N + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + namespaceSelector: + matchExpressions: + - key: H1Ni + operator: Ȧ厜OŊ + values: + - UWzAFu2 + - key: M + operator: 罐hĹ;'ǫ貉yĊ啉刉DzQį + - key: zZ + operator: 颉śĴJ|@W補A篐S献;ɾ[_鶙ȱ + values: + - 4BL + namespaces: + - Thgfgf7Z + topologyKey: XBju19e + weight: 1392601493 + automountServiceAccountToken: false + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: 6maz + envFrom: [] + image: PYDGV/HV3:cI8TzaYkws + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 713465020 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 1849009003 + periodSeconds: 2079209425 + successThreshold: 1679782943 + timeoutSeconds: 2000039211 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + allowPrivilegeEscalation: false + procMount: 垮Ř2 + readOnlyRootFilesystem: true + runAsGroup: 5797501600954334000 + runAsNonRoot: true + runAsUser: -8444673787636984000 + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - command: + - opIk + - v9eJ + - 4V + env: + - name: 5Q + value: o + envFrom: + - prefix: eBWmLK + secretRef: + name: FedJi + optional: false + - configMapRef: + name: M + optional: false + prefix: vUvV7W8k0 + secretRef: + name: IA + image: T4SYV + imagePullPolicy: Ƈ祃ǗǤɈ遖竀壙/ + livenessProbe: + failureThreshold: 20929095 + grpc: + port: -1775507003 + service: UZ6BT7NDI + httpGet: + host: QFkZxI6kA + path: tzQ + port: "" + scheme: Ƞ揞á惗É莏6XȪ/ʡ忨償 + initialDelaySeconds: 1046895310 + periodSeconds: -1971173139 + successThreshold: -476756841 + terminationGracePeriodSeconds: 144861231583008740 + timeoutSeconds: 814968592 + name: gEB + ports: + - containerPort: 2060914354 + hostIP: 9IXWKx38q5 + hostPort: -1191426039 + name: 5Mw7k + protocol: 悛ķ鳉ɍ恽j頔Œ6Eʮnx + resources: {} + restartPolicy: 樦ýȃ梪ĵ + stdin: true + stdinOnce: true + terminationMessagePath: c0e + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: XtKq + securityContext: + fsGroup: -1425599568169885200 + fsGroupChangePolicy: ƶ Ÿ恢 + runAsGroup: -8737472966684837000 + runAsUser: 99 + supplementalGroups: + - 809809813702093200 + - 6124706841582845000 + - 6159358527003038000 + serviceAccountName: DdF7ALq + tolerations: [] + topologySpreadConstraints: + - labelSelector: {} + maxSkew: 972537130 + minDomains: -499606767 + topologyKey: q5 + whenUnsatisfiable: 鳯°ôŕƨʪuɘ"h貇榧0?cɉjA蜝 + - labelSelector: + matchExpressions: + - key: lAV + operator: 嵖xߟ擱ʄ衯"xɂ + - key: U6 + operator: =换J+Ř:嫚ʥ畠餐ǒŃ + values: + - Vj + - snF6cyZ + - 0sW9y4T5 + matchLabelKeys: + - 2wCjBs + maxSkew: -324080521 + minDomains: 695322418 + nodeAffinityPolicy: ʖ[兘Ũ鬎盦İƲ + topologyKey: z5y4Q8jyHH + whenUnsatisfiable: =Y~É.J樢ȃŤƫ甶Ȍ* + - labelSelector: {} + maxSkew: -1720129802 + minDomains: 1017048856 + nodeTaintsPolicy: 龨9猶e僦ɻ髧Ȍc + topologyKey: qKf6Ef3o + whenUnsatisfiable: ʂ?$鳴寘ŧ6脹餗ſ媷,峇埽 + volumes: + - configMap: + name: 6maz + name: configs + - name: secrets + secret: + secretName: 6maz +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "6maz-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: SC + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['6maz:8080'] + restartPolicy: Never + priorityClassName: XtKq +-- testdata/case-017.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tPiY + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 9XG3SZW + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tPiY + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 9XG3SZW +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: jw6tY22 + login-github-personal-access-token: JvG1jx + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: MalR2 + login-okta-client-secret: mDILgPMjOS9 + login-okta-directory-api-token: M2ywAiP + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + roles.yaml: |- + roles: + - JlwOk: null + QUzHpm: null + ch3WnNF: null + - {} + - null +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tPiY + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 9XG3SZW +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tPiY + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 9XG3SZW + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: tPiY + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + J5Z: aLYd149 + LCqYvOjK: Qsk + bU: "" + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tPiY + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 9XG3SZW + namespace: default +spec: + replicas: 173 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: tPiY + strategy: {} + template: + metadata: + annotations: + checksum/config: a9353e622b2ed64d835d05830dc4357d8eb982e89685498d39ac88a30931fb87 + creationTimestamp: null + labels: + LBQpbD: AHB4hNVL + app.kubernetes.io/instance: console + app.kubernetes.io/name: tPiY + ey1GpAHh: fA + spec: + affinity: {} + automountServiceAccountToken: false + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: Z + value: 1PasJFATvz + valueFrom: + configMapKeyRef: + key: Out + name: Z + - name: pUN + value: QTGN + valueFrom: + configMapKeyRef: + key: BLzs5FKV + name: xsgY3vBvZ + optional: true + fieldRef: + apiVersion: 5Ng + fieldPath: Psowh + resourceFieldRef: + containerName: pMz + divisor: "0" + resource: "" + secretKeyRef: + key: IY9s0 + optional: false + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: 9XG3SZW + - name: LOGIN_GITHUB_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-github-oauth-client-secret + name: 9XG3SZW + - name: LOGIN_GITHUB_DIRECTORY_PERSONALACCESSTOKEN + valueFrom: + secretKeyRef: + key: login-github-personal-access-token + name: 9XG3SZW + - name: LOGIN_OKTA_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-okta-client-secret + name: 9XG3SZW + - name: LOGIN_OKTA_DIRECTORY_APITOKEN + valueFrom: + secretKeyRef: + key: login-okta-directory-api-token + name: 9XG3SZW + - name: LOGIN_OIDC_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-oidc-client-secret + name: 9XG3SZW + envFrom: + - prefix: oK16T1 + - configMapRef: + name: GxM9 + optional: false + prefix: Hj8 + secretRef: + name: o5P67 + image: 3s/kPWhaC:BcBi + imagePullPolicy: k痿蹒 + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 738983906 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -1729478206 + periodSeconds: 902558671 + successThreshold: 989047880 + timeoutSeconds: -402268186 + resources: + limits: + 0fvc8: "0" + W19cC: "0" + loZ4: "0" + securityContext: + capabilities: + add: + - "" + - 鸼ǀɛ_Y + - 利ƯǢ謼Ŀʇ佔4銣 + privileged: false + procMount: 頿ū詁ǎTɁ¯PlFd只鶗ƝǛƤ臃 + readOnlyRootFilesystem: true + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - mountPath: TLaWLIiD + name: 3SwG7HrS + subPath: "" + - mountPath: dXXPfK + name: Bfv9SGjlbgN + subPath: "" + - mountPath: YEOA49 + name: wz4K9oIYM + subPath: "" + - args: + - Bd + command: + - QwtEp + - lLi7 + - kxB1 + image: RpMWaJ + imagePullPolicy: ~崆Ǭe侊k + livenessProbe: + exec: {} + failureThreshold: -2101638962 + grpc: + port: -208999597 + service: jICxjA + initialDelaySeconds: 925230214 + periodSeconds: -996383814 + successThreshold: 152844544 + terminationGracePeriodSeconds: -7802949917649734000 + timeoutSeconds: -188255799 + name: qwOkQZ + ports: + - containerPort: -255758148 + hostIP: R + hostPort: 316791912 + name: 09i3b5oQR + protocol: 腴醗9-鐶 + - containerPort: 247145105 + hostIP: L4 + hostPort: 1727912240 + name: bz7Y1N7 + protocol: 暄璎 + readinessProbe: + exec: + command: + - 2fQQ + failureThreshold: -873648342 + grpc: + port: 889903834 + service: C3 + httpGet: + host: IPHal + path: 5Nb6iW9 + port: tkqo + scheme: m说Ď盐2Ƹ,约h鰥Ȕť3 + initialDelaySeconds: 1391319902 + periodSeconds: -1638942635 + successThreshold: 644454270 + timeoutSeconds: -553602240 + resources: + requests: + 0XxId: "0" + VsY2R9: "0" + ZLtS2: "0" + restartPolicy: ų蓶Lj,g珯i'Sû竒 + terminationMessagePath: Mx7V + terminationMessagePolicy: =Jƈ乚貃庪ș¯ÑVȯ6筌巨华ɀ(v + tty: true + workingDir: nKFDPLJvOh + - args: + - AV3kjV + - Gwq78lY2 + - wq + command: + - D + - EI + - fY5J + env: + - name: eCtpNU + value: jLkcq8S + - name: rynLbx + value: CdqgJabHhM + valueFrom: + configMapKeyRef: + key: uBUH5 + name: Uxei4G1 + optional: false + fieldRef: + apiVersion: Ul9al + fieldPath: vtGid + resourceFieldRef: + containerName: Oc + divisor: "0" + resource: "" + - name: GmDNpa0 + value: 7VJM2XsPm8N + valueFrom: + configMapKeyRef: + key: x3J0PMWE + resourceFieldRef: + containerName: x9Q + divisor: "0" + resource: EKFgoq + secretKeyRef: + key: lOZRvK9 + name: V + image: 1xn6 + imagePullPolicy: ɀ稤¼Mɻ«鐾6Ú{ŬtŮ鄖SSɌ戲 + lifecycle: + postStart: + exec: {} + httpGet: + host: sT2dWyT + path: vvbIxNVANZ + port: aCK8 + scheme: 昿孊卿昤軒JYƜÁ嶠şe灶 + sleep: + seconds: -3542823673709563400 + preStop: + exec: + command: + - "N" + - qkHmJ + - HupYy + httpGet: + host: 137dx + path: y3u7HE + port: -1357399425 + scheme: '@济ɉ鳛讧跕(#7NJɓũǸ]ɨ梊sj' + sleep: + seconds: -2408406850575106600 + name: J6VFtJd3giFt + resources: + requests: + 3dqK0M: "0" + restartPolicy: 70ʆ氶応爱怙鉉塼tƗhY嚇 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + privileged: false + procMount: ȚƼ提瀴t8oƥc + startupProbe: + exec: {} + failureThreshold: 1782005431 + grpc: + port: 676289916 + service: 3xqeCsf + httpGet: + host: YDL1TP + path: "8" + port: lLWR + scheme: BKō筹 + initialDelaySeconds: 134613881 + periodSeconds: 1547524591 + successThreshold: 1778605907 + terminationGracePeriodSeconds: -7593859121613943000 + timeoutSeconds: 2026260743 + terminationMessagePath: E + terminationMessagePolicy: 碓 + workingDir: kl + - command: + - "" + env: + - name: TG1HQA + value: 5X + valueFrom: + fieldRef: + apiVersion: Vhn + fieldPath: jluMkQnv9 + resourceFieldRef: + containerName: rLfbH + divisor: "0" + resource: "" + - name: "" + value: TOTyqqGn + valueFrom: + fieldRef: + apiVersion: 0CAdSa + fieldPath: LWMRC + resourceFieldRef: + divisor: "0" + resource: G5eZP4R + secretKeyRef: + key: xYOgJL + name: vMTywG + image: 2Z + imagePullPolicy: z.鎸ƦʖFNj棪Ƃ鯌b抵#Dzr + lifecycle: + postStart: + exec: {} + httpGet: + host: k8z + path: TxNa2e + port: -573570086 + scheme: oɌdǹ[M灙螮伪芛探塢庖Njȕ仸 + sleep: + seconds: 4118046687980194000 + preStop: + exec: + command: + - 6iZbF + - OeZTW + httpGet: + host: rbqq + path: sno + port: -429531729 + scheme: s璙Ȼȗ榛ǵ0ƿ.忋闳溨 + name: Cms + ports: + - containerPort: -211101225 + hostIP: 8v + hostPort: 1994344080 + name: kyMvksZa + protocol: fȞ蚊悘ū錩Ȩ龒ċŴ + - containerPort: -806313867 + hostIP: Ky2F2 + hostPort: 1605736520 + name: oe0nMMl + protocol: 慿)"Ǒ3浹襈}(VE-B³閪叒k1绝 + readinessProbe: + exec: {} + failureThreshold: 1398486074 + grpc: + port: 1157090744 + service: oFrTS0 + httpGet: + host: 5pfrE + port: TJb4 + scheme: 畢î + initialDelaySeconds: -1830121652 + periodSeconds: -1398007905 + successThreshold: 1183454316 + timeoutSeconds: 1797763090 + resizePolicy: + - resourceName: hzxTj + restartPolicy: 渣箢樳掯ȉÏǼ店喘©g + resources: + limits: + zGvF9poISMtK: "0" + requests: + lUp3T: "0" + restartPolicy: '}賩6''V霟足''È''*F÷ƙǕ' + stdin: true + terminationMessagePath: 4tn + terminationMessagePolicy: ɢ荵鯴庡ǁ婛埽猜犝笖á7譃ǁ¦GɖC + volumeDevices: + - devicePath: eGfD9B + name: G3Bd + - devicePath: x + name: TB + workingDir: iKksE1 + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: qcIlT + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: 9XG3SZW + tolerations: + - effect: 懻 + key: JifsKW + operator: 檧űÊǮȡ廄儱RəȏĮ顪ÅÞ + tolerationSeconds: 4501363800484543000 + value: KkCBzwToBMjJ + - effect: B囧ƉOß + key: Q3cj + operator: ɲ朁ß栢 + tolerationSeconds: 4944598504260379000 + value: Z5 + - effect: 敘愰ɰuƪ晐 + key: K8wM + operator: ș + tolerationSeconds: 8375376960471889000 + value: TnWS + topologySpreadConstraints: [] + volumes: + - configMap: + name: 9XG3SZW + name: configs + - name: secrets + secret: + secretName: 9XG3SZW + - name: 3SwG7HrS + secret: + defaultMode: 442 + secretName: VR + - name: Bfv9SGjlbgN + secret: + defaultMode: 383 + secretName: T + - name: wz4K9oIYM + secret: + defaultMode: 13 + secretName: WzM +-- testdata/case-018.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: + X7E: CRSzr + lPi: bGP + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 1qyLP36T + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: uAvlOXf + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 1qyLP36T + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: ExFU3 +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: IsvQ9 + kafka-sasl-aws-msk-iam-secret-key: 8GlUc + kafka-sasl-password: Vb + kafka-schema-registry-password: UJ7Zl + kafka-schemaregistry-tls-ca: T1Q + kafka-schemaregistry-tls-cert: 17r + kafka-schemaregistry-tls-key: O44 + kafka-tls-ca: n8k9 + kafka-tls-cert: aK + kafka-tls-key: "" + login-github-oauth-client-secret: t6z0n + login-github-personal-access-token: "" + login-google-groups-service-account.json: fpuCEFLL + login-google-oauth-client-secret: h + login-jwt-secret: SECRETKEY + login-oidc-client-secret: t + login-okta-client-secret: 3CcKl + login-okta-directory-api-token: AZt8H77 + redpanda-admin-api-password: NUkb3zIpwAR + redpanda-admin-api-tls-ca: t + redpanda-admin-api-tls-cert: zttTAvj + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 1qyLP36T + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: ExFU3 + namespace: default +spec: + ports: + - name: http + port: 415 + protocol: TCP + targetPort: 489 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 1qyLP36T + type: 2cM +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + "": 3E5rtKA + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 1qyLP36T + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: ExFU3 + namespace: default +spec: + replicas: 297 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 1qyLP36T + strategy: + rollingUpdate: {} + type: ɬ搢.Ƒ躂ɻɅȄ莨qc婔Åå + template: + metadata: + annotations: + checksum/config: 74234e98afe7498fb5daf1f36ac2d78acc339464f950703b8c019892f982b90b + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 1qyLP36T + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: {} + weight: -37659402 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: [] + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + matchLabelKeys: + - ajbCE + - Y0MRgpE8 + namespaceSelector: + matchExpressions: + - key: Auai + operator: ùfƽÜQķɨ逑ʒÅģ + values: + - Q + - key: 1S2Nfq + operator: 臺瑷tƎ鍤p}滳`竦ÙǾ晖ǃʏȵ + namespaces: + - 4GTSAZF + topologyKey: NS733 + weight: -968286112 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: eyt3TPSYPBWDt + operator: e偁&蔄癳.ŚƘ + matchLabelKeys: + - eE7PA8D + - cKalkvb + mismatchLabelKeys: + - Lan + topologyKey: v + weight: -2133598054 + - podAffinityTerm: + mismatchLabelKeys: + - "5" + namespaceSelector: + matchExpressions: + - key: UrrD + operator: ƞ + - key: rkfCsnUcx + operator: ȇ睾¦棌鉝-m糤LPjX.;Ğ× + - key: kla + operator: '"竮壣祠ł9抵墙' + namespaces: + - gyF + topologyKey: ZG + weight: -428742233 + requiredDuringSchedulingIgnoredDuringExecution: + - matchLabelKeys: + - tZZj + namespaces: + - VuG + - I5XU + topologyKey: V2CZqa + - labelSelector: {} + mismatchLabelKeys: + - "" + - q9L4 + - C4YJ57 + namespaces: + - 8xRk06ngy + - WeZO2 + - 7tbTFK + topologyKey: rnpto + automountServiceAccountToken: false + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: KAFKA_SASL_PASSWORD + valueFrom: + secretKeyRef: + key: kafka-sasl-password + name: ExFU3 + - name: KAFKA_PROTOBUF_GIT_BASICAUTH_PASSWORD + valueFrom: + secretKeyRef: + key: kafka-protobuf-git-basicauth-password + name: ExFU3 + - name: KAFKA_SASL_AWSMSKIAM_SECRETKEY + valueFrom: + secretKeyRef: + key: kafka-sasl-aws-msk-iam-secret-key + name: ExFU3 + - name: KAFKA_TLS_CAFILEPATH + value: /etc/console/secrets/kafka-tls-ca + - name: KAFKA_TLS_CERTFILEPATH + value: /etc/console/secrets/kafka-tls-cert + - name: KAFKA_SCHEMAREGISTRY_TLS_CAFILEPATH + value: /etc/console/secrets/kafka-schemaregistry-tls-ca + - name: KAFKA_SCHEMAREGISTRY_TLS_CERTFILEPATH + value: /etc/console/secrets/kafka-schemaregistry-tls-cert + - name: KAFKA_SCHEMAREGISTRY_TLS_KEYFILEPATH + value: /etc/console/secrets/kafka-schemaregistry-tls-key + - name: KAFKA_SCHEMAREGISTRY_PASSWORD + valueFrom: + secretKeyRef: + key: kafka-schema-registry-password + name: ExFU3 + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: ExFU3 + - name: LOGIN_GOOGLE_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-google-oauth-client-secret + name: ExFU3 + - name: LOGIN_GOOGLE_DIRECTORY_SERVICEACCOUNTFILEPATH + value: /etc/console/secrets/login-google-groups-service-account.json + - name: LOGIN_GITHUB_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-github-oauth-client-secret + name: ExFU3 + - name: LOGIN_OKTA_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-okta-client-secret + name: ExFU3 + - name: LOGIN_OKTA_DIRECTORY_APITOKEN + valueFrom: + secretKeyRef: + key: login-okta-directory-api-token + name: ExFU3 + - name: LOGIN_OIDC_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-oidc-client-secret + name: ExFU3 + - name: REDPANDA_ADMINAPI_PASSWORD + valueFrom: + secretKeyRef: + key: redpanda-admin-api-password + name: ExFU3 + - name: REDPANDA_ADMINAPI_TLS_CAFILEPATH + value: /etc/console/secrets/redpanda-admin-api-tls-ca + - name: REDPANDA_ADMINAPI_TLS_CERTFILEPATH + value: /etc/console/secrets/redpanda-admin-api-tls-cert + envFrom: + - prefix: hg + secretRef: + name: eLM59WyoAXO + image: iCFSIwyDtoG/6V6:6uR + imagePullPolicy: 螣暛擂ɾ#鏲*胭8饭1胠 + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 489 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: + limits: + QZqMxIAt: "0" + SUsu9: "0" + requests: + EMOXCuje: "0" + EzKKMIR: "0" + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - envFrom: + - prefix: EVZ + secretRef: + name: MxD + optional: true + - configMapRef: + name: A + optional: false + prefix: HuqxI + secretRef: + name: A + optional: true + image: SU + imagePullPolicy: 禵7璙p + lifecycle: + postStart: + httpGet: + host: YZMjhOUO8IS + path: nzYfH + port: Fcx + scheme: 矪Q9 + sleep: + seconds: 3463625415546708000 + livenessProbe: + failureThreshold: -560403806 + grpc: + port: 1751268094 + service: I + httpGet: + host: 0Sb + path: Utm2X + port: 395973041 + scheme: 醆蚎忨ŕ縨ƍ爋釬šÒ暺ƒŎO記岣 + initialDelaySeconds: -1011110535 + periodSeconds: -1229381750 + successThreshold: 260149510 + timeoutSeconds: 74546945 + name: e + resizePolicy: + - resourceName: XNKV + restartPolicy: ì焹.¬哄ȾŢȎȴe$p尶m`飻Ȭ + - resourceName: "" + restartPolicy: 閭I哗.寢荨ʪɛ侭ȵ(8 + resources: + requests: + 3nUsL: "0" + securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: false + runAsGroup: -8616852535795885000 + terminationMessagePath: FjZ + terminationMessagePolicy: ÿb熿3,ćp寫ʃ#叺渍ƣș + volumeDevices: + - devicePath: Xvjm + name: 7yLA + - devicePath: 1Ci + name: Y0AloAQS + - devicePath: Gt + name: ZMKKc + workingDir: Mh + imagePullSecrets: + - name: vlnGQbo3y + initContainers: [] + nodeSelector: + Vckw: ifBZ9p7 + priorityClassName: 6jxv + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: uAvlOXf + tolerations: + - effect: č喅Ȳ崥ï{禙ÊÿC逻準?霘2 + key: YJE + operator: 珟 + tolerationSeconds: 3838637075734495700 + value: 1VemeDTEk1 + - effect: 艋Ƿ淛襀|Ǽ&矠Ģ凍J賜ɰō + key: ggxS8L + operator: 閞判ŏ + tolerationSeconds: -2249155605077506300 + value: m3c + - effect: 'Ljə]IŴ:' + key: 4BkJSo + value: Le + topologySpreadConstraints: + - matchLabelKeys: + - uyTA + - rJcqdY3 + maxSkew: 1887613958 + nodeAffinityPolicy: u鞝侠轁蛃6Ơfrt迄ʇQ勭ĶÇǻě + topologyKey: 3f9j + whenUnsatisfiable: µ + volumes: + - configMap: + name: ExFU3 + name: configs + - name: secrets + secret: + secretName: ExFU3 +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "ExFU3-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 1qyLP36T + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - name: vlnGQbo3y + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['ExFU3:415'] + restartPolicy: Never + priorityClassName: 6jxv +-- testdata/case-019.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 8MIg + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: NZ7h9 + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 8MIg + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: NZ7h9 +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 8MIg + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: NZ7h9 +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 8MIg + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: NZ7h9 + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 8MIg + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + lgiIA: u + wK8: JrSfKH + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 8MIg + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: NZ7h9 + namespace: default +spec: + replicas: 79 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 8MIg + strategy: + type: 鎦v財ɕŪ + template: + metadata: + annotations: + checksum/config: 9960ac5c5faddbc59ee9638bfac7f4fd7513b7e295e3fcc28b0fdfabc2aba1d3 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 8MIg + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: pJ + value: whmTukCTD + valueFrom: + configMapKeyRef: + key: OHk + name: "3" + fieldRef: + apiVersion: TSp7 + fieldPath: mEUVMSp7vUo + resourceFieldRef: + containerName: bBDw + divisor: "0" + resource: tIcs3z + secretKeyRef: + key: jIR5V + name: "9" + - name: ZCEPmHP + value: FhwE4R + valueFrom: + fieldRef: + apiVersion: Nv + fieldPath: WMXeIjk + resourceFieldRef: + containerName: Hbt + divisor: "0" + resource: mo7F + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: NZ7h9 + envFrom: [] + image: GNXgFQ/W3:2vPed + imagePullPolicy: 韃ĝ + livenessProbe: + failureThreshold: -1736131786 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 538755540 + periodSeconds: -937262167 + successThreshold: 2014961170 + timeoutSeconds: -614674118 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: -1936056692 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -2019126091 + periodSeconds: -1696700553 + successThreshold: 398361977 + timeoutSeconds: -184667912 + resources: {} + securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - 狞濮噞饅烥H}湛m=U+卓Ǭï呣8Ú + privileged: true + runAsNonRoot: true + runAsUser: -471077223001866500 + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - mountPath: UF6 + mountPropagation: ĻsŸ氂ǐ钋鮠Ĺ咳渼.pɫ + name: W1LIZa3 + subPath: qdDtjk + subPathExpr: Ew + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: FERw + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: NZ7h9 + tolerations: + - effect: 飝壊%ǂP胅ɂǏ趸疷擁鹒DŽ营風顺z拇 + key: Ku2m + operator: ŲǪFTǗǔȟʥȰȎǎo玼Ü + value: 1u + - effect: 雾Ź歘ɇƇ昨OČƑɎ騨Ŗ=Ì楯 + key: 12vKa + operator: ( + value: u + topologySpreadConstraints: [] + volumes: + - configMap: + name: NZ7h9 + name: configs + - name: secrets + secret: + secretName: NZ7h9 +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "NZ7h9-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 8MIg + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['NZ7h9:8080'] + restartPolicy: Never + priorityClassName: FERw +-- testdata/case-020.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: + Cs0Tv: PNgn + tawhZGj4: yuBQ1 + xdl: jbYUlUI + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: zzmAR9 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: HMpc + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: zzmAR9 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: Om7 +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: XhRg8T + login-github-personal-access-token: oB8xbs + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: saEi + login-okta-directory-api-token: tq8L + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: zzmAR9 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: Om7 +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: zzmAR9 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: Om7 + namespace: default +spec: + ports: + - name: http + port: 310 + protocol: TCP + targetPort: 28 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: zzmAR9 + type: "" +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + 0lA: PZvwfKrip + AUm: KY + KBFrJC: hkdfq + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: zzmAR9 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: Om7 + namespace: default +spec: + replicas: 344 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: zzmAR9 + strategy: + rollingUpdate: {} + type: x&N涮ĶJ­ɕ + template: + metadata: + annotations: + checksum/config: 2881fbe0f4a9d0f2f17dbbbe515c08d46dd6d4a6d2c84c3482c94ace8ee6b09f + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: zzmAR9 + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - {} + - matchExpressions: + - key: a23jbG + operator: yb庇ɍ闒ǰPâƟVsJu + values: + - "" + - 1lQmmGa8 + - XzVleDXV4YoRc + - key: 3Gwd9r + operator: 4Nj7Ġ$Ea狆Ö絞Ƙ殈廔as知 + - key: 7C4FjM + operator: ɩ.叧¬ʧ倒 + matchFields: + - key: H + operator: Ğų* + values: + - 0i + - qK + - key: 7ocDt + operator: 餯ǚ璗汭槰<ƤƐ評ź膹棅珢ȹ3鮑 + values: + - g5Aa1Hm + - LKNvXrtO + - key: o + operator: ŎJ甧鷓 + values: + - vJQQjLRrqIK + - Isj + - 6EBsy + - matchFields: + - key: H0oh1dBCg + operator: 鉔qƿ氵[ȕ凭Śȅ3džȿȳ + name: xYM + subPath: nMMkHAUoYIsN + subPathExpr: 579Yn2LXk + - mountPath: 5z + mountPropagation: Ƀ陪7k惿Ɏǚ霤ƨƱ«ɤ»ȣ薥頠媉fʠ + name: KIX5g + readOnly: true + subPath: CGOswgk + subPathExpr: oxiB23ZW2KX + workingDir: IzOAr + - args: + - jrZTvs + env: + - name: jxl5Q + value: fm2F7DzZA + image: r7sTpTP8N + imagePullPolicy: 眒弿 + lifecycle: + preStop: + httpGet: + host: WEBUk + path: "1" + port: -377365982 + scheme: 娖阋顿|儴Éȱ鋦 + livenessProbe: + exec: + command: + - 2j + failureThreshold: -1631622345 + grpc: + port: -188887701 + service: s + httpGet: + host: "6" + path: 07rm4AD + port: DCtZ5 + scheme: ʼnK襡5殛鯙ȋʛ稲(C姓 + initialDelaySeconds: -1011676147 + periodSeconds: -1141844037 + successThreshold: -1528778970 + terminationGracePeriodSeconds: 422553046190448100 + timeoutSeconds: 99607263 + name: rhg + ports: + - containerPort: 1265703793 + hostIP: lYiq + hostPort: -931710582 + name: r2OdlKyZ + protocol: ŌK4Ʒ霖R婧,Ģ墤ʠ_Ƒ亽vĨO + - containerPort: -1093198499 + hostIP: xHuDhI2 + hostPort: 1423992590 + name: WdH + protocol: K嚜pn犓ɯ`劮ƫķPLm + resizePolicy: + - resourceName: M3EK5NW + restartPolicy: Ɲ囩 + resources: + limits: + 4zeCyo: "0" + PgUjG: "0" + requests: + IseC3: "0" + WHgRSz: "0" + yzZn: "0" + restartPolicy: ijƞ墫噌L诠=脳%Ɗ + securityContext: + privileged: false + readOnlyRootFilesystem: false + runAsGroup: -1074724161449892000 + runAsUser: 8255497511479977000 + startupProbe: + exec: {} + failureThreshold: -1172398717 + grpc: + port: 1919051215 + service: "" + initialDelaySeconds: 2020291403 + periodSeconds: 450860281 + successThreshold: 193397000 + timeoutSeconds: -665894379 + stdin: true + terminationMessagePath: MCVu + terminationMessagePolicy: ŷÍ:+壩ùI賎Rɜ卮cɣS惕mIɭ + tty: true + workingDir: 2L97y + imagePullSecrets: + - name: iA1C + - name: ZOdo + - name: qTOK0W + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: {} + priorityClassName: 0bGHQk7gL + securityContext: + fsGroup: -6946946538076897000 + fsGroupChangePolicy: 呆ɔȂwijà + runAsGroup: 3944693697856007700 + runAsNonRoot: true + runAsUser: -732766343758518300 + supplementalGroups: + - -5691922089175975000 + serviceAccountName: H5TDAALUdD + tolerations: + - effect: 媄 + key: IQD9Yww8 + operator: bǾå鱍 + tolerationSeconds: -7454358062612207000 + value: odxS1Q2Sd + - effect: Ɣv璔}oȡʞ¤ + key: ySGX + operator: ƪ渺¸貗ȹV廋ȉňu増嬎Ë韍ǘz茩Ƹ怯 + tolerationSeconds: -1083807005557333500 + value: bAy + topologySpreadConstraints: [] + volumes: + - configMap: + name: Uo + name: configs + - name: Jq0CSftnp + - name: QMHGzzYC2HW + - name: 1PkbzhfK +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "Uo-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Mh + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - name: iA1C + - name: ZOdo + - name: qTOK0W + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['Uo:8080'] + restartPolicy: Never + priorityClassName: 0bGHQk7gL +-- testdata/case-026.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: false +kind: ServiceAccount +metadata: + annotations: + "": tWl + 5mzy: 4t87VKeHA + a: UqD3iv5LoNYP + creationTimestamp: null + labels: + "": h0uSAPIi + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: vLjrafvp + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + kuKPk7: "" + name: Utu8ZHG2 + namespace: default +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + "": h0uSAPIi + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: vLjrafvp + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + kuKPk7: "" + name: qhaD + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: vLjrafvp + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + "": h0uSAPIi + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: vLjrafvp + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + kuKPk7: "" + name: qhaD + namespace: default +spec: + replicas: 78 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: vLjrafvp + strategy: + rollingUpdate: {} + type: I6终j2炅ȲbȻ + template: + metadata: + annotations: + LtAjph: 8Q + MiPvJub: 0x + checksum/config: 74234e98afe7498fb5daf1f36ac2d78acc339464f950703b8c019892f982b90b + j: xR98FRh + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: vLjrafvp + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: GP94 + operator: 駑Ŀ峇[ɕdž0 + values: + - jjNFKv8 + - uG7Rs + - ApO075 + weight: -549077137 + - preference: + matchExpressions: + - key: R88 + operator: Dzv)bôȏ磜覐橮波赘T^ + values: + - DscaGMdgXV + - uy + - N3d + - key: "" + operator: 誮Vw!/毴Z匌忶ª渆 + values: + - 4mX0s + - key: byy + operator: 鿟y馡錥HJ鶟b左Ő*čt顭塶 + values: + - 6oQ + - 9r22TM + matchFields: + - key: fNLkt + operator: "" + values: + - tW + - M03GnpfhQn + - key: WQQs + operator: 騡(Í芝x焍麅ɰ窓ɶÜò鵹 + weight: 579622465 + podAffinity: {} + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: {} + namespaceSelector: + matchLabels: + IYAfjz: GloAc + namespaces: + - hfFjlR + - KWIdaP11Y + - 3Dn + topologyKey: UB + - labelSelector: + matchExpressions: + - key: B7LSh + operator: ɉ邦夝ɷ1傹Þ袳@ɲ鉴 + matchLabelKeys: + - "n" + namespaceSelector: {} + namespaces: + - 88M + - fIEJUewFK + topologyKey: i + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: [] + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 1372450161 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -913177144 + periodSeconds: 912808843 + successThreshold: -765941931 + timeoutSeconds: 1174210794 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 1666039794 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 989921147 + periodSeconds: 536392931 + successThreshold: 1020018972 + timeoutSeconds: 1790731281 + resources: {} + securityContext: + capabilities: + drop: + - ɿX齀蹪 + privileged: true + procMount: Ƚ[孠犥ƶʒ)遷U竕 + runAsGroup: 5229411704597624000 + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: U6f3w + name: ooYxXE + subPath: "" + - mountPath: qzOMXCl + name: Hmms9 + subPath: "" + - mountPath: dXa6uPxR + name: "" + subPath: "" + - mountPath: q + mountPropagation: 跐ʩ4鄧SD炿ɜǚhU + name: "" + subPath: SCLzbAMUW3x + subPathExpr: nzFw + - mountPath: cX8U + mountPropagation: b幈簇@艭K + name: b + readOnly: true + subPath: u5fY + subPathExpr: TRymQ + imagePullSecrets: [] + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: + ggwC: SQ + rIwToCbB: tUBM5 + priorityClassName: JnI8 + securityContext: + fsGroup: -2594082004410587000 + fsGroupChangePolicy: 'ċV1鯍E ' + runAsGroup: -880388195249084200 + runAsNonRoot: false + runAsUser: -9051010573896130000 + supplementalGroups: + - -2777109499517678000 + serviceAccountName: Utu8ZHG2 + tolerations: [] + topologySpreadConstraints: + - labelSelector: {} + maxSkew: -154369657 + minDomains: -319419210 + nodeTaintsPolicy: '#Vʅ糗斬ƈ橮IJȶ纀' + topologyKey: dTnKex + whenUnsatisfiable: '@OȤ驮Ʀ琓' + volumes: + - configMap: + name: qhaD + name: configs + - name: ooYxXE + secret: + defaultMode: 45 + secretName: LyH9zvv + - name: Hmms9 + secret: + defaultMode: 429 + secretName: zvR + - name: "" + secret: + defaultMode: 39 + secretName: PC2Ms7 + - name: LeIYAb + - name: 176OvjD + - name: b6NpMGfVo1N +--- +# Source: console/templates/ingress.yaml +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + Lftu: PjroKEh + qvZJNWSzR: Jpoyc0 + creationTimestamp: null + labels: + "": h0uSAPIi + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: vLjrafvp + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + kuKPk7: "" + name: qhaD +spec: + ingressClassName: cAir + rules: + - host: o + http: + paths: null + - host: i18Wi + http: + paths: + - backend: + service: + name: qhaD + port: + number: 8080 + path: apsXYvp + pathType: 7q5 + - host: 8eBXg + http: + paths: + - backend: + service: + name: qhaD + port: + number: 8080 + path: cMbMbCQl + pathType: gJT + - backend: + service: + name: qhaD + port: + number: 8080 + path: XvfTwH + pathType: 4se + tls: + - hosts: + - fqD + - JDOgIG + secretName: vzUD + - hosts: + - M6H + - T + - twxgtsi + secretName: lg5siLdo +-- testdata/case-027.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: + "": ta51q + RW5sX: LXvP + creationTimestamp: null + labels: + Q0: "" + T4ZmAFi: nfIb0b + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: h9P + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 55C9f3 + namespace: default +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + Gi0OSuP5jF: ARBECJB + qId: Bo + wPKI: "" + creationTimestamp: null + labels: + Q0: "" + T4ZmAFi: nfIb0b + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: h9P + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 61hunk + namespace: default +spec: + ports: + - name: http + port: 376 + protocol: TCP + targetPort: 473 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: h9P + type: G2gqK +--- +# Source: console/templates/ingress.yaml +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + "": ZtbWlWc + y1ML9Hmg: d6h9 + creationTimestamp: null + labels: + Q0: "" + T4ZmAFi: nfIb0b + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: h9P + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 61hunk +spec: + ingressClassName: Ijdd3 + rules: + - host: chart-example.local + http: + paths: + - backend: + service: + name: 61hunk + port: + number: 376 + path: / + pathType: ImplementationSpecific + tls: + - hosts: null + secretName: x + - hosts: null + secretName: aSf1 +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "61hunk-test-connection" + namespace: "default" + labels: + Q0: "" + T4ZmAFi: nfIb0b + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: h9P + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - name: jkqm + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['61hunk:376'] + restartPolicy: Never + priorityClassName: bpi +-- testdata/case-028.yaml.golden -- +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + BKrxjHNg8: qlqPhj + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 5XQu4RW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: odFI2M4 +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: aM + kafka-sasl-aws-msk-iam-secret-key: pcNJ4lPh + kafka-sasl-password: OT9m4 + kafka-schema-registry-password: 4VybIhiIU + kafka-schemaregistry-tls-ca: FVWvaL5HS3DE + kafka-schemaregistry-tls-cert: UqZl + kafka-schemaregistry-tls-key: ch + kafka-tls-ca: 0h0Ac6CS + kafka-tls-cert: pNm4uHVMn + kafka-tls-key: "" + login-github-oauth-client-secret: 5XbGmlDmls + login-github-personal-access-token: y0PF13 + login-google-groups-service-account.json: w3 + login-google-oauth-client-secret: lEvrgxa + login-jwt-secret: SECRETKEY + login-oidc-client-secret: VfRrL3 + login-okta-client-secret: 1Gm + login-okta-directory-api-token: hgmY7AyguR + redpanda-admin-api-password: WvzP1D53 + redpanda-admin-api-tls-ca: dxtnG + redpanda-admin-api-tls-cert: Rs3rHA8Qdb + redpanda-admin-api-tls-key: 7hsD +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + BKrxjHNg8: qlqPhj + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 5XQu4RW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: odFI2M4 +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + BKrxjHNg8: qlqPhj + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 5XQu4RW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: odFI2M4 + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 5XQu4RW + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + VLzukyGLL5H: "" + creationTimestamp: null + labels: + BKrxjHNg8: qlqPhj + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 5XQu4RW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: odFI2M4 + namespace: default +spec: + replicas: 278 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 5XQu4RW + strategy: + rollingUpdate: {} + type: 砓涶rƀł庫x烮ȯ~茤įêŎZ姮Ⱦ + template: + metadata: + annotations: + YefFO9J: uVUZra + checksum/config: cc3f7478d926a8c80ab516ac0060a56c87bbbfdd227b765567fa8644fbee7f09 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 5XQu4RW + n8PG: NEb + sINjD1zSK: exkAcWK3 + yG: T + spec: + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + 9yhGd: kXTYKV + xb5Co: trB98 + matchLabelKeys: + - gTre + - 3SLXY + namespaceSelector: {} + namespaces: + - q + - j3 + - k76qB + topologyKey: gz6KtIn43 + - labelSelector: + matchLabels: + 9slaN: 9Cv + M: NcJRMIAxd6 + f4JK: QX + matchLabelKeys: + - BGI9Dr + mismatchLabelKeys: + - SZUKIlPB + - WzTTmXWoFc + - wXLg9viobEw + namespaceSelector: + matchLabels: + MZx: u + NztFyV3: EvzmJzLQcn + topologyKey: iLs + - labelSelector: + matchExpressions: + - key: d3S + operator: ò洏ʓ暝歆Ű鈰钌鸔栵ù舁Tb曯ƫ貊ȵ + values: + - sanCz + - lZ + - 5rZ0 + matchLabels: + MEoILl9k: Jd + hVfX4: "" + "n": yhV + matchLabelKeys: + - HOI + namespaceSelector: + matchLabels: + fodO5ovc74m: lvF + mlCh: E1 + ve7: r4P5biTA + topologyKey: CtXr + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: wti + value: AYZm + valueFrom: + configMapKeyRef: + key: Sxryl + name: xXe78 + fieldRef: + apiVersion: HoyJsUxLKd + fieldPath: 2Ns + secretKeyRef: + key: w7WydZL + name: CgxV7 + optional: true + - name: eEKnv + value: BBAXaggk0n + valueFrom: + secretKeyRef: + key: GRP + name: dYBHtrO + optional: true + - name: KAFKA_SASL_PASSWORD + valueFrom: + secretKeyRef: + key: kafka-sasl-password + name: odFI2M4 + - name: KAFKA_PROTOBUF_GIT_BASICAUTH_PASSWORD + valueFrom: + secretKeyRef: + key: kafka-protobuf-git-basicauth-password + name: odFI2M4 + - name: KAFKA_SASL_AWSMSKIAM_SECRETKEY + valueFrom: + secretKeyRef: + key: kafka-sasl-aws-msk-iam-secret-key + name: odFI2M4 + - name: KAFKA_TLS_CAFILEPATH + value: /etc/console/secrets/kafka-tls-ca + - name: KAFKA_TLS_CERTFILEPATH + value: /etc/console/secrets/kafka-tls-cert + - name: KAFKA_SCHEMAREGISTRY_TLS_CAFILEPATH + value: /etc/console/secrets/kafka-schemaregistry-tls-ca + - name: KAFKA_SCHEMAREGISTRY_TLS_CERTFILEPATH + value: /etc/console/secrets/kafka-schemaregistry-tls-cert + - name: KAFKA_SCHEMAREGISTRY_TLS_KEYFILEPATH + value: /etc/console/secrets/kafka-schemaregistry-tls-key + - name: KAFKA_SCHEMAREGISTRY_PASSWORD + valueFrom: + secretKeyRef: + key: kafka-schema-registry-password + name: odFI2M4 + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: odFI2M4 + - name: LOGIN_GOOGLE_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-google-oauth-client-secret + name: odFI2M4 + - name: LOGIN_GOOGLE_DIRECTORY_SERVICEACCOUNTFILEPATH + value: /etc/console/secrets/login-google-groups-service-account.json + - name: LOGIN_GITHUB_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-github-oauth-client-secret + name: odFI2M4 + - name: LOGIN_GITHUB_DIRECTORY_PERSONALACCESSTOKEN + valueFrom: + secretKeyRef: + key: login-github-personal-access-token + name: odFI2M4 + - name: LOGIN_OKTA_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-okta-client-secret + name: odFI2M4 + - name: LOGIN_OKTA_DIRECTORY_APITOKEN + valueFrom: + secretKeyRef: + key: login-okta-directory-api-token + name: odFI2M4 + - name: LOGIN_OIDC_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-oidc-client-secret + name: odFI2M4 + - name: REDPANDA_ADMINAPI_PASSWORD + valueFrom: + secretKeyRef: + key: redpanda-admin-api-password + name: odFI2M4 + - name: REDPANDA_ADMINAPI_TLS_CAFILEPATH + value: /etc/console/secrets/redpanda-admin-api-tls-ca + - name: REDPANDA_ADMINAPI_TLS_KEYFILEPATH + value: /etc/console/secrets/redpanda-admin-api-tls-key + - name: REDPANDA_ADMINAPI_TLS_CERTFILEPATH + value: /etc/console/secrets/redpanda-admin-api-tls-cert + envFrom: + - configMapRef: + name: I6Dbq + optional: false + secretRef: + name: fhgE + optional: false + - prefix: L0m + - configMapRef: + name: pVHt + optional: true + prefix: 0xFYui3Ke2pJ + secretRef: + name: IBHH4sd + optional: false + image: qnkfx/ARBa:BetSp + imagePullPolicy: ȸ才TkâĆ8o + livenessProbe: + failureThreshold: -544797053 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 1464359845 + periodSeconds: -775253635 + successThreshold: -2065370772 + timeoutSeconds: 3873767 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 286014638 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -1755094379 + periodSeconds: 712612179 + successThreshold: 1265199044 + timeoutSeconds: 939664799 + resources: + limits: + H2g: "0" + requests: + i0vpd: "0" + piR58NXU: "0" + securityContext: + privileged: true + procMount: '`4乬+ʍÿȦ!常ʥ_' + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 8119235947749130000 + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - mountPath: hHTC4sQ + mountPropagation: ƭ埢Ş@ʮ擈Ɓsmďĝ + name: mVbo + subPath: bI + subPathExpr: q6R + - mountPath: "" + name: gC + readOnly: true + subPath: 5xyS + subPathExpr: Ju9L6o + imagePullSecrets: + - name: Nu2 + - name: j0 + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: + fD: q5Hun + priorityClassName: u8cTjKLB + securityContext: + fsGroup: -9123846953160880000 + fsGroupChangePolicy: UƻA竘锵]湞ȊM + runAsNonRoot: false + runAsUser: 2594597056592417300 + sysctls: + - name: 4eRaw + value: HnWeNFR + - name: 4hP + value: UoCU8Ni + - name: d + value: TpLFHKFo + serviceAccountName: 5zV + tolerations: + - effect: x)|綻%ŴC¸÷G) + key: 6c + operator: 皐łʨɆ挓R衯Ǫ诌ƍ爂vĂB麧尣Ć* + tolerationSeconds: 341291117142213700 + value: 45gIZCr + - effect: ɿ鎅ɸƱɿ韆頟R躦0P^,豐ƨe祠攇覙 + operator: ß¼ʐȻ*溃N妞 + tolerationSeconds: -7034164218355111000 + value: xb5 + topologySpreadConstraints: [] + volumes: + - configMap: + name: odFI2M4 + name: configs + - name: secrets + secret: + secretName: odFI2M4 + - name: 0nP + - name: 5Mq +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "odFI2M4-test-connection" + namespace: "default" + labels: + BKrxjHNg8: qlqPhj + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 5XQu4RW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - name: Nu2 + - name: j0 + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['odFI2M4:8080'] + restartPolicy: Never + priorityClassName: u8cTjKLB +-- testdata/case-029.yaml.golden -- +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + HzuQ: mCfbHBQ + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 3Wh + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + xi7L: ibI45 + name: HK +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + roles.yaml: |- + roles: + - null + - null +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + HzuQ: mCfbHBQ + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 3Wh + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + xi7L: ibI45 + name: HK +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + 33Yi: tesf5 + creationTimestamp: null + labels: + HzuQ: mCfbHBQ + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 3Wh + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + xi7L: ibI45 + name: HK + namespace: default +spec: + ports: + - name: http + port: 389 + protocol: TCP + targetPort: 52 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 3Wh + type: sIQBZD +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + WVwaqt: gTMC + s6HZpOA: bc0 + sZaCXy: LXRQNTghxb1 + creationTimestamp: null + labels: + HzuQ: mCfbHBQ + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 3Wh + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + xi7L: ibI45 + name: HK + namespace: default +spec: + replicas: 385 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 3Wh + strategy: + rollingUpdate: {} + template: + metadata: + annotations: + IVy: ho3qpcI + checksum/config: ed80a6573dafe73ab884b6322e9c75c1018d618e61286f9e61f445266092293d + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 3Wh + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: hPtYq9oSSQ + operator: ŗ妃Mīú玢盛 + values: + - T0M + - aywAkbl + - key: F7yCY + operator: '2Pl@äEɜś`PȾ槯c:' + values: + - n7sIXrD6 + - 5EPSQgq3v + matchFields: + - key: wOOgY + operator: 乾Ǧ + values: + - GqfE + - key: gRF5bu + operator: DŸQ95ʊÊj蕵髪OHōM4Ľɝ钣 + values: + - 2rEXM1C + - BB + - key: TK75p + operator: 譌嵡荀Ș枻賿ė + values: + - MHB + - sI + weight: -1638497382 + - preference: + matchExpressions: + - key: sgUr6t + operator: ʁE'[剳嫯Ȧ梳*&櫺窟ľ幣ɥ{紌 + values: + - 6x + - NRmDb1X + - key: VrZW4eZ + operator: 蘨ȘÚ籘J嬋JƒÎhUl田U + values: + - 0cG6ed0 + - I + - key: Ui + operator: 遂樸tUŏǞF)橷嵱 + values: + - mUT9H9 + matchFields: + - key: zzI6 + operator: ƈ肶帅ʒb漄i + values: + - 9Xi0r + - key: Bm + operator: 嚏鈻峓霙ʊcʔ暏g圖鹔夺mą¹跑 + values: + - tvOC + weight: 1006541829 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: ZlUi + operator: ʯ鼙%淹ȏ č>稄鱑Í朹s狑Ȱ螪;ǃ嘲 + values: + - gIlS + - 5lD7AvT7I + - "8" + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: hi0zfFEN + operator: 裧禿 + values: + - SymXRnv + - iKr + mismatchLabelKeys: + - wesfXhv + - Z78yvK + namespaceSelector: + matchExpressions: + - key: jqHt + operator: ûų:碃;ė燱5ìb-垢xźɆ + values: + - u8cOuqy + matchLabels: + "8": nCrnu + Fd: 5YhLJD3 + r5sMi70hp4TeB: KrDX7d + namespaces: + - LOH + - 9EvOI7HWh + - 5sHJp + topologyKey: "" + weight: 403248696 + - podAffinityTerm: + mismatchLabelKeys: + - Vrf + namespaceSelector: + matchExpressions: + - key: 5w + operator: '|泀ŏ咙ƚ' + matchLabels: + 4vRvwhR: Nz + T6uTCUGiwx: lS + ZuFER: Db8xhFevK + topologyKey: K7NA + weight: 249855905 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: No2 + operator: Ɗ]鿇躠骐 + matchLabels: + 7nohEoAMei: WrMV + ddLK: 2ehkh + qtrhf: EAAqHFcrjgT + mismatchLabelKeys: + - DrrBoq + - Nh + namespaceSelector: + matchExpressions: + - key: BEXHPr1wQ + operator: 傝魦voȪwć撈 + values: + - i3 + - gUU + - 7nmbvkGs + matchLabels: + Rh65F: rKR + namespaces: + - 1x9DGG + - xKj137E + topologyKey: CSNQy1M + - labelSelector: + matchExpressions: + - key: psq4G + operator: ɓƦ + - key: 3IlNf + operator: ćȬ4鏉1, + values: + - L0 + namespaceSelector: + matchExpressions: + - key: nVgt + operator: ɤ湿ŭò-ɋ鼴)箥Ȅ鋖ʄBK + - key: GD7 + operator: 峄9ƚ涙閉ʃ謩云飠:鎂玚wƁȖ] + values: + - i8cg6A + - TeOYSsj + topologyKey: rEB + - labelSelector: + matchLabels: + s0PrY366si5H: Qwj + ytBgNf0: e + mismatchLabelKeys: + - eylzvu + - q + namespaceSelector: + matchExpressions: + - key: os4H6DpxQ + operator: 5õċ鋵葿葄痄ɍ览逪ȋ`j + matchLabels: + vL3arho: gPmLG + namespaces: + - PjQTIWTFeK + - g5HCelWpMjnF + - QN3mXW + topologyKey: I5osiWTrzhb + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: HK + envFrom: [] + image: nZ5PG/5q2qCT:z10JAfCu + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: -1989869025 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 56050789 + periodSeconds: 193173949 + successThreshold: -1606638368 + timeoutSeconds: -1117024654 + name: console + ports: + - containerPort: 52 + name: http + protocol: TCP + readinessProbe: + failureThreshold: -509957017 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 1816814831 + periodSeconds: 406466643 + successThreshold: 450108513 + timeoutSeconds: -1862950899 + resources: {} + securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - 邻ȸNJ"纴ý汫篤訙铵寄貹Z[逗ą弣 + - lǀ敕ɖ + privileged: true + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 3375680259081538600 + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - mountPath: P + name: zBgE7HVQ + subPath: hw6PBLgv5R + subPathExpr: YAI5mPj5 + - args: + - K9 + - 02olyp + env: + - name: F + value: rhVGTadjT + valueFrom: + configMapKeyRef: + key: 3TA0cg2R2 + name: DLZ + fieldRef: + apiVersion: s + fieldPath: Ux + resourceFieldRef: + containerName: avop + divisor: "0" + resource: itl5J4xK4 + secretKeyRef: + key: Av9eKok + optional: false + - name: QaOLYDLT + value: FQu + image: 1MFnpZG + imagePullPolicy: 脓 + livenessProbe: + exec: + command: + - lH4S + failureThreshold: 1311534645 + grpc: + port: 1048835191 + service: p5EtELTs + httpGet: + path: Zjrv + port: Ypah5av + scheme: þʙ龠ȉ%Vę皓ŏ蟝ǙĿìɋN + initialDelaySeconds: 1980070741 + periodSeconds: -728109708 + successThreshold: 1412960079 + terminationGracePeriodSeconds: 4797597904045468000 + timeoutSeconds: -1164059804 + name: oron + readinessProbe: + failureThreshold: -1734715333 + grpc: + port: -673781482 + service: 20iHh + initialDelaySeconds: 270804414 + periodSeconds: 1240219458 + successThreshold: 957649997 + terminationGracePeriodSeconds: -7921460752123720000 + timeoutSeconds: 2069469191 + resizePolicy: + - resourceName: M29 + restartPolicy: tL + - resourceName: WK + restartPolicy: T軂>ȋ1觫蚴Ș + resources: + limits: + KS: "0" + ZDx: "0" + kIjQHQZ: "0" + requests: + BSB: "0" + restartPolicy: LJW獮 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ɺ嚹晐囕胐ƻ + - ņɹ桴O塾q6賤呋f铰}Ʒ輽ʁ[顝 + runAsGroup: 6868723237582569000 + runAsNonRoot: true + runAsUser: 433131246318901200 + startupProbe: + exec: + command: + - mB6 + - Om9w + - "" + failureThreshold: -1184477652 + grpc: + port: -1276243610 + service: m6d + httpGet: + host: VzPuwIiTpY + path: C + port: 0NYj1C + scheme: V=@彆鈂t³Ɉµs斾m蛊ɲ + initialDelaySeconds: -898287287 + periodSeconds: -413255468 + successThreshold: -1510482870 + terminationGracePeriodSeconds: 4884332649151511000 + timeoutSeconds: -1445193311 + stdinOnce: true + terminationMessagePath: DQTH7 + terminationMessagePolicy: ÈɁ;ň);ɑI×ĕ觫'ɣ + volumeDevices: + - devicePath: v + name: AZ6wCimJFM + - devicePath: ZtIx + name: GFe3 + volumeMounts: + - mountPath: tt + mountPropagation: 侮E墝調cé攊疀" + name: UJ + readOnly: true + subPath: JlqP + subPathExpr: lA2v + workingDir: OV90 + - command: + - 8jHRuz + envFrom: + - configMapRef: + optional: false + prefix: yfl3PI + secretRef: + name: r7eR + optional: true + image: m4Etaoz8Bf + imagePullPolicy: okÛļ閷YƗzƄǧ + lifecycle: + postStart: + exec: {} + httpGet: + host: zu9aQLsX + path: xIFogzAoC + port: 1MjUE + scheme: 斔疏ʟn菝 + preStop: + exec: {} + livenessProbe: + failureThreshold: -1399917612 + grpc: + port: -876522011 + service: 2y + httpGet: + host: X9nNdf + path: 8mVJlz + port: 220487349 + scheme: 兇)hr裳ǔ湟钑>ȓn厠tū晣颊 + initialDelaySeconds: -968878635 + periodSeconds: 411754743 + successThreshold: 2083381130 + terminationGracePeriodSeconds: 2736468416107855400 + timeoutSeconds: -423937148 + name: Or + readinessProbe: + failureThreshold: 1628351372 + grpc: + port: -1466105410 + service: b + httpGet: + host: 8kOz + path: IhSlrBw8tiX + port: 1Vd + scheme: qV·dƖ> + initialDelaySeconds: 735135195 + periodSeconds: -175995819 + successThreshold: 1379601279 + terminationGracePeriodSeconds: 386635447886660740 + timeoutSeconds: 125503732 + resources: + limits: + LuudLJ9i: "0" + iXpYUWY: "0" + mHi: "0" + requests: + XLnFU: "0" + mSq9e3u: "0" + t6WYwzmga: "0" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - ɭ鎣肪綢ȀNj8)屫鈄骸嗢æ憰qWTƶ剡 + - "n" + - OwkʙƝk}ɾ丧< + drop: + - Ť<嶼ȯ愉9宆嵧pɡ%ɐxė鹞鸵鏞 + - ƅgʆ炊ƞąÙ$Ǯ帶SȔ黌畕ǦƖȫV9 + - Ŏʠ羮ɍ痘摬 + privileged: true + runAsGroup: 5710532895986022000 + runAsUser: -7207500526873246000 + startupProbe: + failureThreshold: 2053062827 + grpc: + port: -1076044334 + service: s8s7 + initialDelaySeconds: 7348194 + periodSeconds: 889500482 + successThreshold: -645465298 + terminationGracePeriodSeconds: 4356974427366500000 + timeoutSeconds: 136481601 + stdinOnce: true + terminationMessagePath: t4pW + terminationMessagePolicy: ƣ + volumeDevices: + - devicePath: Df8O3UFZ + name: QL93u + - devicePath: WKg + name: nD4H + volumeMounts: + - mountPath: xs9 + mountPropagation: e羝ș+oũ蘘汉 + name: grr + readOnly: true + subPath: aUYSuUM6f + subPathExpr: mm773yL + workingDir: o + imagePullSecrets: [] + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: + Jy9: v + VcMeUW2U: xOwcDQYY + wkI: TbemvxUUg + priorityClassName: sLkcwZ + securityContext: + fsGroup: 99 + runAsGroup: -9040107238323409000 + runAsNonRoot: false + runAsUser: 99 + serviceAccountName: 43zobnL + tolerations: + - effect: 蜆³Ə抴璖獍ä鷲炥/=霒0ǷU伀稂ı + key: EMvrrkeG3 + operator: Ȓǒs夃Ȑɉ鋄蛓m÷,旂 + value: yd + - effect: 旌;"ȡ媟窐:ljʥh蓭殰Ȩƴ邃ȬIȻL + key: n87GpiB + operator: '偵~ȥʢȈ珎ſ龕5sʠŇưT4-§Ƀ ' + value: TUaznROmQffrRe1 + topologySpreadConstraints: [] + volumes: + - configMap: + name: HK + name: configs + - name: secrets + secret: + secretName: HK + - name: "" + - name: SXJ +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "HK-test-connection" + namespace: "default" + labels: + HzuQ: mCfbHBQ + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 3Wh + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + xi7L: ibI45 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['HK:389'] + restartPolicy: Never + priorityClassName: sLkcwZ +-- testdata/case-030.yaml.golden -- +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + T: f0 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: J + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + jwrBMvwfg: K6I5HsI5 + nk8eJc: nS + name: G9 +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: DtIy + kafka-sasl-aws-msk-iam-secret-key: 9xCf7 + kafka-sasl-password: 8F + kafka-schema-registry-password: krNk2 + kafka-schemaregistry-tls-ca: 5I73C + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "34" + kafka-tls-ca: DaT + kafka-tls-cert: LaU0jwOpGv + kafka-tls-key: "" + login-github-oauth-client-secret: BoOjni + login-github-personal-access-token: uUxZ + login-google-groups-service-account.json: NulwlJ + login-google-oauth-client-secret: oeL6p7fcL + login-jwt-secret: SECRETKEY + login-oidc-client-secret: yRSh2 + login-okta-client-secret: xKLBJ9ZAR + login-okta-directory-api-token: HTZWfHt + redpanda-admin-api-password: 5DQTqKD + redpanda-admin-api-tls-ca: m5pg + redpanda-admin-api-tls-cert: yfP + redpanda-admin-api-tls-key: gzG +type: Opaque +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + T: f0 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: J + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + jwrBMvwfg: K6I5HsI5 + nk8eJc: nS + name: G9 + namespace: default +spec: + ports: + - name: http + port: 250 + protocol: TCP + targetPort: 475 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: J + type: QAVsE +--- +# Source: console/templates/hpa.yaml +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + creationTimestamp: null + labels: + T: f0 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: J + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + jwrBMvwfg: K6I5HsI5 + nk8eJc: nS + name: G9 +spec: + maxReplicas: 10 + metrics: + - resource: + name: cpu + target: + averageUtilization: 227 + type: Utilization + type: Resource + - resource: + name: memory + target: + averageUtilization: 477 + type: Utilization + type: Resource + minReplicas: 306 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: G9 +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "G9-test-connection" + namespace: "default" + labels: + T: f0 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: J + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + jwrBMvwfg: K6I5HsI5 + nk8eJc: nS + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - name: wu1 + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['G9:250'] + restartPolicy: Never + priorityClassName: KuRS +-- testdata/case-031.yaml.golden -- +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + role-bindings.yaml: |- + roleBindings: + - {} + - {} + roles.yaml: |- + roles: + - {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: xknw + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + q4ZdG9q: IJWaYu9mhun + sFTTcyl: qVyaa0ULC + name: 59cQ0qKLI +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: xknw + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + q4ZdG9q: IJWaYu9mhun + sFTTcyl: qVyaa0ULC + name: 59cQ0qKLI + namespace: default +spec: + ports: + - name: http + port: 112 + protocol: TCP + targetPort: 375 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: xknw + type: N9chrF +--- +# Source: console/templates/hpa.yaml +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: xknw + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + q4ZdG9q: IJWaYu9mhun + sFTTcyl: qVyaa0ULC + name: 59cQ0qKLI +spec: + maxReplicas: 25 + metrics: + - resource: + name: cpu + target: + averageUtilization: 460 + type: Utilization + type: Resource + - resource: + name: memory + target: + averageUtilization: 169 + type: Utilization + type: Resource + minReplicas: 20 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: 59cQ0qKLI +--- +# Source: console/templates/ingress.yaml +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + Q: 3KXvHleq + YUY: BD + mdCRk: Ilk9wDjAw + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: xknw + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + q4ZdG9q: IJWaYu9mhun + sFTTcyl: qVyaa0ULC + name: 59cQ0qKLI +spec: + ingressClassName: GuB1VTCp + rules: + - host: WsTbK7W + http: + paths: + - backend: + service: + name: 59cQ0qKLI + port: + number: 112 + path: MKCR56 + pathType: hEV + - backend: + service: + name: 59cQ0qKLI + port: + number: 112 + path: "6" + pathType: pv + - backend: + service: + name: 59cQ0qKLI + port: + number: 112 + path: rNv + pathType: L0CY1c8 + - host: OxFD + http: + paths: null + - host: Ojx + http: + paths: null + tls: + - hosts: + - C + - wxjmQWXDn + secretName: ESgom5IBQR +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "59cQ0qKLI-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: xknw + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + q4ZdG9q: IJWaYu9mhun + sFTTcyl: qVyaa0ULC + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - name: 2Ry3vDGf6 + - name: PE5R + - name: uWsoZ + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['59cQ0qKLI:112'] + restartPolicy: Never + priorityClassName: mFg +-- testdata/case-032.yaml.golden -- +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + role-bindings.yaml: |- + roleBindings: + - K8wnWSD: null + bwYE7: null + y4j: null + - GvFfKdgL: null + enU8G4: null + wvnJcOn: null + - td7: null + roles.yaml: |- + roles: + - YQBucbbDX2R: null + - 2UuDKjR: null + IV0Yus9: null + ci20SljQkhw: null +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + B19ue: 8W + Kxm5R1: R + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: wB + app.kubernetes.io/version: v2.7.0 + e3Cx: MIAO + helm.sh/chart: console-0.7.29 + name: llK4G +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + B19ue: 8W + Kxm5R1: R + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: wB + app.kubernetes.io/version: v2.7.0 + e3Cx: MIAO + helm.sh/chart: console-0.7.29 + name: llK4G + namespace: default +spec: + ports: + - name: http + port: 418 + protocol: TCP + targetPort: 486 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: wB + type: aaIqePq +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + xpNWT: MpOZ + creationTimestamp: null + labels: + B19ue: 8W + Kxm5R1: R + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: wB + app.kubernetes.io/version: v2.7.0 + e3Cx: MIAO + helm.sh/chart: console-0.7.29 + name: llK4G + namespace: default +spec: + replicas: null + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: wB + strategy: + rollingUpdate: {} + type: ȁ进辫fu + template: + metadata: + annotations: + checksum/config: ae52af057e6331e5caa1d321881f906df93659aa45a5458c4dd4ae890cf7695b + creationTimestamp: null + labels: + So: waKMMvnY + VXPE0: 8ExVsj + app.kubernetes.io/instance: console + app.kubernetes.io/name: wB + ip1RGEzt4t6: "1" + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: {} + weight: 735732238 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: cFkyLM + operator: 岊B + - key: V3cKSq + operator: ǟ濈1ɑÎ"孲ȀŨFhŲ + values: + - hz + - matchExpressions: + - key: 8N + operator: 9´敤T + values: + - amWROpS + matchFields: + - key: 7hmWbsKS + operator: "" + values: + - lS + - slkOyX + - YlwPcdVh + - matchExpressions: + - key: n5YD + operator: Əüʢ軾ŚũɳnŒ + values: + - 5s4eD6x + - WMkZIzS40rxp + - zCnW + - key: JawyIOLo + operator: 巳c習Gnƛ{ɩ¯Ĭ枺lȜʩ泿趏ǙĊi + values: + - Fvzyw13fUZC + - 4w9T3GeG + - mVj9N + matchFields: + - key: 4amyTWvhx + operator: Ąŵ8雌%ɸ*W褒卒S + values: + - cPr0Nm2WFo1dBq + - a + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: XgsMMBS + operator: ȗ諹 + values: + - foI + - NN1yiUNR + matchLabels: + Qq: VB19aUlI + mismatchLabelKeys: + - hcD + namespaceSelector: + matchLabels: + vMT90cNq3PYf2z: upe + topologyKey: RSVn9W + weight: 603398420 + - podAffinityTerm: + labelSelector: {} + mismatchLabelKeys: + - 4IL0rEe9 + - yY0RMU2 + namespaceSelector: + matchExpressions: + - key: tIka9jS + operator: 7怘xə4ÏɦW + values: + - l + - ajs6c + - hkYj + - key: Qu + operator: ʊ鏀ɑ蒀刹gE + values: + - 2UvY + - hRB1wKXyHi9 + topologyKey: ZKWyn5kI + weight: -1674108352 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: KQfZ4 + operator: ġȁAu盝ȭƈŦ齬{z + values: + - itNS0T + - jL + - key: q0HemjU + operator: e銳ȇ葁õDÏ筃 + values: + - M5yeE + - gJJY + - HInHzXgX + - key: d1LKZ1 + operator: Q + matchLabels: + XElv: QGJ + nD: kNCk5qe + wUtw34v: sCjj5z + matchLabelKeys: + - ej9hOPjp7W + mismatchLabelKeys: + - lhU9gP + - T7rMlvu + namespaceSelector: {} + namespaces: + - ii3aa + topologyKey: 8U7 + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: CkQsu4fS + operator: 鄦&ɲȅ + values: + - RVnwZ + - EVk + - key: yt + operator: 傓N嬅宠H^÷ + values: + - 1L + - rVQPs + - dUHOKQ + - key: hQ1Tl + operator: ɣë筁尻!絜辩^riʨ莠8dƋ + values: + - 4D6Y + - 5TXh + - 8RH + matchLabels: + "9": jb2X + IdL: PQj0N + iB09Upiijt: JpN + matchLabelKeys: + - rKS9p8 + - sK8p + namespaceSelector: + matchExpressions: + - key: KQ6 + operator: '篛I6ÝBŘ F媍/:' + values: + - NXP47Fm + - Z0Qh2Y4 + - JeWX + - key: Yh + operator: '!j3W' + values: + - mTm5dkO58H + - "" + - key: 6q + operator: 景¨Sŝvo/ + values: + - TrgtrP + - zqIsId + matchLabels: + 7E3A1K: "7" + 63IlVL: aSxc + W1hP: 1H9k3O + namespaces: + - "" + - 2Ma + topologyKey: FFqt + - labelSelector: + matchLabels: + "": wklJJ + C8JZ: LP + U1pz: kAE1l4 + matchLabelKeys: + - shj5V + - oU074y + - Ufq2w + mismatchLabelKeys: + - oBzMiOSgd + - iSF + namespaceSelector: + matchExpressions: + - key: fCbLu + operator: 塊衅m鑀ȣ戢ŭ阻蹯ȟ獇ɨ + values: + - B6TgQ75 + - FAHTEOSesQ + - Ms2Kw7XQ + - key: 133fMqId + operator: "" + values: + - pJc0Zu8 + - T1PEuV0uism + matchLabels: + 1rfPa2b4Ny: cemR + Np9l: lcX + SjNYy4: VZX + namespaces: + - 7W + - umFBWrpUDHv + - "" + topologyKey: pPUIqPXo + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LICENSE + valueFrom: + secretKeyRef: + key: bujGpO7D0C + name: V + envFrom: + - configMapRef: + name: nJXDn + optional: true + prefix: g3ZpAEUJC + secretRef: + name: 5Yin + optional: true + - configMapRef: + name: spYG9o0 + optional: false + prefix: Wv01 + secretRef: + name: BxDbe + optional: true + image: mU/xY76Tj:AgKh6S1 + imagePullPolicy: "" + livenessProbe: + failureThreshold: 1396135036 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 1526591550 + periodSeconds: -972224922 + successThreshold: -39437670 + timeoutSeconds: -1229662908 + name: console + ports: + - containerPort: 486 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 1061708880 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 1618839364 + periodSeconds: -2098998213 + successThreshold: -846859522 + timeoutSeconds: 1824930679 + resources: {} + securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - 退晦Ţ鲛 + - '}ʄ攏嫫;Mǐ豒ɇf,搅Ð貑ș|Óf' + privileged: false + procMount: D + readOnlyRootFilesystem: false + runAsGroup: 1564095685271138800 + runAsNonRoot: true + runAsUser: -3929576237300142600 + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - args: + - T + - Pvf1yAamEa + - jQE8UakuY + env: + - name: 3g + value: JexRP + valueFrom: + configMapKeyRef: + key: QZ + name: QcC + optional: true + fieldRef: + apiVersion: Iv + fieldPath: d7xQ + resourceFieldRef: + containerName: jLpJ + divisor: "0" + resource: m + secretKeyRef: + key: Quhh + name: HUhzPAEo85 + optional: true + - name: ehSBff + value: nHu + valueFrom: + configMapKeyRef: + key: v3Icanu + name: dNPJ8 + optional: false + fieldRef: + apiVersion: xO7UQDq0 + fieldPath: gAyGB6Nj4 + resourceFieldRef: + containerName: Bs2D + divisor: "0" + resource: xJCQsH + secretKeyRef: + key: 3T6tjIQWa0C + name: 8TvRbhP + optional: false + envFrom: + - configMapRef: + name: mf + optional: false + prefix: pZxp + secretRef: + name: v + optional: true + - configMapRef: + name: wosjc9 + optional: true + prefix: ehhmFeLY + secretRef: + name: Ll + optional: false + image: kZ8UUm + imagePullPolicy: Ɓ + lifecycle: + postStart: + exec: {} + httpGet: + host: K29SzZPo + path: y2bQL8 + port: Cr + scheme: 轂Ì蕏ʋ + sleep: + seconds: -3765902632580054500 + preStop: + exec: + command: + - 1pT5X + httpGet: + host: NouEQF + path: WITzSW + port: 1565482371 + scheme: ƒ塒廛鎐藽瀫 + sleep: + seconds: 1831382645860082000 + livenessProbe: + exec: {} + failureThreshold: -1525719681 + grpc: + port: 99688681 + service: xa0sl3k5KM + httpGet: + host: prjHPqf + path: RHwZIE + port: 2UZ7hXI + scheme: 瑀ċ廤ȵ + initialDelaySeconds: -1367665605 + periodSeconds: -1023789296 + successThreshold: 206844073 + terminationGracePeriodSeconds: -3901072071078889000 + timeoutSeconds: 1670691424 + name: t + ports: + - containerPort: 2046398071 + hostIP: pJg + hostPort: -1247541550 + name: DrYeHQ6 + protocol: ²ȑBŸ + readinessProbe: + exec: {} + failureThreshold: 852505381 + grpc: + port: 8093048 + service: "N" + httpGet: + host: uuaPC + path: Mpxk6p + port: -297149767 + scheme: 這伦礗鯪àe]雚腴k£ɂ闧ɦĚH鏰浳 + initialDelaySeconds: 296244720 + periodSeconds: 1237321103 + successThreshold: 722306410 + terminationGracePeriodSeconds: 7739978307238029000 + timeoutSeconds: -2129506856 + resizePolicy: + - resourceName: NBfNOBC + restartPolicy: ƞdWǝi鎠R殩杜Ś晚尒尧ǐ; + - resourceName: oDw8xEb + restartPolicy: ja侬ƕ + resources: + limits: + BJcVkW: "0" + Ub5Spt: "0" + nWi63TNlCyM: "0" + requests: + e5vcw0H: "0" + eKz0z: "0" + gK: "0" + restartPolicy: 嗈ǒɟNǭ臥穥Ť + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - $拷霒Ø耖} + - ijĸN藬?w粯痵餒薃辕5勅ů + - 幒Ƹʁòĺǂ浼GX + drop: + - 宖 + privileged: true + procMount: 凝 + readOnlyRootFilesystem: false + runAsGroup: -7000080292188881000 + runAsNonRoot: false + runAsUser: 9107304642056619000 + startupProbe: + exec: {} + failureThreshold: -208121509 + grpc: + port: 133215347 + service: pj4Kw + httpGet: + path: hGLW3 + port: -239286046 + scheme: YsÌǮŦʁ¡ē峪3 + initialDelaySeconds: -817672524 + periodSeconds: 1846655614 + successThreshold: -243958761 + terminationGracePeriodSeconds: 4190490525804645400 + timeoutSeconds: -973067987 + terminationMessagePath: 9vMe3Y + terminationMessagePolicy: 雍Wȯ嘷台厃$Țʍ13b霞两e + tty: true + volumeMounts: + - mountPath: yZbL + mountPropagation: 鲫絎Q(銞ÎÕX堙Ľ銃曅注t锋ɮj覧« + name: UFfAqsgd + subPath: wSo + subPathExpr: bIsBP3O + workingDir: DYBcINRq + - command: + - wgBryFN + image: NorbK + imagePullPolicy: 鉓Ĕʠ;兮)Frë + lifecycle: + postStart: + exec: {} + httpGet: + host: Z + path: 3v + port: W1vDkt + scheme: ŷ索gp=ŵāǼ餆嬦Ƹl媓R}豟ɠĖ. + sleep: + seconds: 1583583004300077000 + preStop: + exec: + command: + - XztEol6So + - GveA + - H4aUl + httpGet: + host: 75LDW + path: nu + port: I + scheme: 胛Uȁ¬ + sleep: + seconds: 4617693270470586000 + livenessProbe: + exec: {} + failureThreshold: 1423393786 + grpc: + port: 2097410769 + service: "" + httpGet: + host: W7 + path: PyPprD6 + port: dHwCyz + initialDelaySeconds: -1439644816 + periodSeconds: 182024489 + successThreshold: -1861505070 + terminationGracePeriodSeconds: -4166230023615503400 + timeoutSeconds: -704907360 + name: sFz5 + ports: + - containerPort: 1977465061 + hostIP: kxqRig + hostPort: 393211643 + name: DRO + protocol: ķǔȈ + readinessProbe: + exec: + command: + - mn + - 4TZCjrWPW18 + failureThreshold: 972699487 + grpc: + port: -1384519737 + service: IY5quWWV4JC + httpGet: + host: wq91i + path: Zy + port: -1192576969 + scheme: Á^_ + initialDelaySeconds: 2107832874 + periodSeconds: 1041520026 + successThreshold: -118135340 + terminationGracePeriodSeconds: -4946782594204673000 + timeoutSeconds: -1933961678 + resizePolicy: + - resourceName: MG7PMkMMObJJU + restartPolicy: §觫困Ȏ龝ƃȃɩ芴ÎĽ + resources: + requests: + I4: "0" + zLy: "0" + restartPolicy: 粛醑綇蝙Ɣò犁鶓A + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - 掀ǃA颺LnFąɏ動 + drop: + - 输6sĺ宯hĢ + - ĨƨO檔暰z + - Neɬ慿Ȁ0ɳ蠈ǚǦO¸Ğ崔ʂ¢剚 + privileged: false + procMount: 翄怉DžǬ?胉獄ǙƊɚx虉F + readOnlyRootFilesystem: false + runAsGroup: -1943526545280953900 + runAsNonRoot: true + runAsUser: -7089742793545457000 + startupProbe: + exec: + command: + - hDj + - ONyz91fkTFY9t3 + - ynDWkO + failureThreshold: -5561223 + grpc: + port: -1069825885 + service: oQmy + httpGet: + path: l4sWc + port: 53AhP + scheme: ȩ + initialDelaySeconds: -6165070 + periodSeconds: 1844899228 + successThreshold: 903779261 + terminationGracePeriodSeconds: -3909221818854749700 + timeoutSeconds: 746670574 + stdinOnce: true + terminationMessagePath: egr00cLki + terminationMessagePolicy: ɯ2鰌^坪yN蠏Ĵ + tty: true + volumeMounts: + - mountPath: YOyu1MjxN2 + mountPropagation: :鸛o鮓L`<]ơ1b忙n鲃{< + name: dODfVz + subPath: ZknFq + subPathExpr: oX1n + - mountPath: 4TEsoc + mountPropagation: 帺Õ斯剅ƫf鳌麓HƸŘÂ瘖?謾軌 + name: hau + subPath: w24Wq4e + subPathExpr: i2TEix + - mountPath: uuujj + mountPropagation: 氻ʃ2NFJ啼铗"O{À-ŧLJ弟 + name: klnXhhnxKk + subPath: SEx + subPathExpr: CK2FmmyYThL + workingDir: NCvZAa + imagePullSecrets: [] + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: + ih: xT3Dk3PXT + xhq: vu + zLR9: wFjrfu + priorityClassName: WeB9y8 + securityContext: + fsGroup: 7101468120327600000 + fsGroupChangePolicy: ȴ鳁ƨ殳h`熡ƍʊ0ŀ擳琗图.AƱX滋 + runAsGroup: 4262945102741077000 + runAsNonRoot: false + runAsUser: -9214274730002703000 + supplementalGroups: + - 4135587743067906600 + - -2908166639165702700 + sysctls: + - name: Yo9 + value: zak2 + serviceAccountName: zpH + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: llK4G + name: configs + - name: 1zZI6J + - name: D + - name: OUqOnvjvba +--- +# Source: console/templates/hpa.yaml +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + creationTimestamp: null + labels: + B19ue: 8W + Kxm5R1: R + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: wB + app.kubernetes.io/version: v2.7.0 + e3Cx: MIAO + helm.sh/chart: console-0.7.29 + name: llK4G +spec: + maxReplicas: 459 + metrics: + - resource: + name: cpu + target: + averageUtilization: 497 + type: Utilization + type: Resource + - resource: + name: memory + target: + averageUtilization: 146 + type: Utilization + type: Resource + minReplicas: 198 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: llK4G +--- +# Source: console/templates/ingress.yaml +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + Lhm: f24CRNEJvs + pk6fq: "2" + creationTimestamp: null + labels: + B19ue: 8W + Kxm5R1: R + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: wB + app.kubernetes.io/version: v2.7.0 + e3Cx: MIAO + helm.sh/chart: console-0.7.29 + name: llK4G +spec: + ingressClassName: EXqR + rules: + - host: chart-example.local + http: + paths: + - backend: + service: + name: llK4G + port: + number: 418 + path: / + pathType: ImplementationSpecific + tls: + - hosts: + - xEciJGskt + - pBxfBltrqACoat + - INyj + secretName: Qy + - hosts: + - F6sf + - EHuJ + - 95my0 + secretName: XOIr +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "llK4G-test-connection" + namespace: "default" + labels: + B19ue: 8W + Kxm5R1: R + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: wB + app.kubernetes.io/version: v2.7.0 + e3Cx: MIAO + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['llK4G:418'] + restartPolicy: Never + priorityClassName: WeB9y8 +-- testdata/case-033.yaml.golden -- +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + role-bindings.yaml: |- + roleBindings: + - 7x: null + Ia1K2tdRuYi: null + j6c9: null + roles.yaml: |- + roles: + - {} + - 6Vndf: null + f: null +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: bCPeYVWao + app.kubernetes.io/version: v2.7.0 + gZ85uw3T: e + helm.sh/chart: console-0.7.29 + qO: F4dqLo67vKYZ + name: foGC +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + lrtdFF: 60R7 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: bCPeYVWao + app.kubernetes.io/version: v2.7.0 + gZ85uw3T: e + helm.sh/chart: console-0.7.29 + qO: F4dqLo67vKYZ + name: foGC + namespace: default +spec: + ports: + - name: http + port: 229 + protocol: TCP + targetPort: 59 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: bCPeYVWao + type: 2K35 +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: bCPeYVWao + app.kubernetes.io/version: v2.7.0 + gZ85uw3T: e + helm.sh/chart: console-0.7.29 + qO: F4dqLo67vKYZ + name: foGC + namespace: default +spec: + replicas: 390 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: bCPeYVWao + strategy: + rollingUpdate: {} + type: 呇弰$腕煴贔棳軀+œʃǀŖ* + template: + metadata: + annotations: + checksum/config: b3a4b261d0705e207d46ac15067d5c7d7c951cf0c0fa7736607331369bd47b6d + creationTimestamp: null + labels: + 1bb6: "" + 3U: mfPv + T: Q + app.kubernetes.io/instance: console + app.kubernetes.io/name: bCPeYVWao + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchFields: + - key: 1O + operator: 拺5ř(Ƅ餕ʟ{鐻Ƈ + weight: -2070567569 + - preference: + matchFields: + - key: JlGR + operator: 脱?ĶA蛜頒ǽGǷ藸 , + values: + - 8zZEVom + - TY + - FSSQQ + - key: w3C + operator: sɯeM^筘褑 + values: + - Q + - i48uKb + weight: -1969968900 + - preference: + matchExpressions: + - key: ZsgVr + operator: Eȗ + - key: RfMZL + operator: "" + - key: r + operator: džɬ毿鵮V町iAÉ橁zy题ʔu7ÆO9 + values: + - uj8h + matchFields: + - key: "" + operator: :止褮Ȃ宸 + values: + - 9h + - Do + weight: 1160212382 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: nmW + operator: '%U<Ȫk7家fƥ降]:' + values: + - e4hDXWb9G8Qi + - SynNDfUn + - C8kz + matchFields: + - key: QO0Q + operator: l!m0ʒbƹ豫ň + values: + - eh + - key: VE5mZtP + operator: ~x蹵#ÂvǗRɩ啭Ö澭肞¤7跜庛Ɍ + values: + - yT + - key: 1Cony + operator: 阃 + values: + - ahj6j + - matchExpressions: + - key: TvhlZutK + operator: 5叹ùz + values: + - rog + - key: qLPNTFw8 + operator: 藘鸘Œé溇ʄsoɷƱǺȾ蹾K混īl軇 + - key: F + operator: 則Yǹ郰饉貓伜ſ0|麊 az襽准 + matchFields: + - key: VcfFwmb + operator: WJMU狰槃žiǶq挿} + values: + - b7G + - "" + - wzxeij27DD + - key: "" + operator: 殀ǥ + values: + - "9" + - 0E3EkrfSX + - vzth + - key: omoz + operator: e´Ģ桇适TŽǤʈ + values: + - TVj0W7 + - 7HjUt2w + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: nN1614M7 + operator: '鰺/堅ý髉铊ɇƴ2友凇3 ' + values: + - D0tt + - sG9E + matchLabelKeys: + - l + mismatchLabelKeys: + - vqTKCL2D + namespaceSelector: + matchLabels: + LIgB: qqC9YL + namespaces: + - BLdVDzfY + - eq + - qB + topologyKey: qwces + weight: 899210618 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: hIz8wo + operator: ĥ\{ė + values: + - ZwYh1 + - 4l9U + - Q5Io + - key: sd3eCUDob + operator: 蒴ǚ<灁Q柷娸颂嘃üĸƢı + values: + - U0 + - "" + - WXJjoBRKrfEY + matchLabels: + QSrEl7t0: hxsiSGCubb + mismatchLabelKeys: + - PiUy + - VhBWFCyx6C + namespaceSelector: + matchLabels: + G: 07tU6 + ZCO1QQK: b + uq: HISLIo9ZC + topologyKey: 87eQuI + weight: 1750437304 + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: nK0RSDE + operator: R(陛m诜ȯơȴ豨躻 + matchLabels: + CE9: u8FukDT + U5N: "y" + matchLabelKeys: + - 5I6wiiY + - JDZsP + - zGyW + mismatchLabelKeys: + - 4WZHZ + namespaceSelector: + matchExpressions: + - key: N9E9 + operator: ȅ)礯占鷨ʫɩfǡnʎə掅Ux曶HŁ遐 + values: + - JdC + - 3NS25HFHxU + - key: "" + operator: ı獗& + - key: q + operator: 髢£Ȋ泽ZwVfc剻Ţ嬊j + topologyKey: "" + - labelSelector: + matchExpressions: + - key: Tof0 + operator: ĥM:ɑȏF叆綯炩藁û漄f + values: + - jTpj + - gYZ8IIq + - key: avL + operator: ɼƌ壟.敾¦ + matchLabels: + P1w: Nb9t3e + matchLabelKeys: + - TkIx94Dmu + - 8KVE + - UEJW + namespaceSelector: + matchExpressions: + - key: gQOOR5Pz + operator: Ȁ蛝畆粔辧殤,ǔžɨʜ + values: + - MiGt + topologyKey: nn1x + - labelSelector: + matchExpressions: + - key: C + operator: 瘎%瑧¹$兤 + values: + - p5TR + matchLabels: + c9PNRTZ: L + matchLabelKeys: + - 9xrNO + - saFgUzTD530EV + namespaceSelector: + matchExpressions: + - key: "" + operator: 琨j貙ŰĤ煾骣ƢƐ肾Q`ĥ?舶 + values: + - "7" + - T4pSI + - key: u0lbHcT + operator: čÉ壶霻*ǻ蠦Źê潡%!Ȱʁr.ň沀痊 + values: + - voUu0X + namespaces: + - tX + - uDgtoDt + topologyKey: "1" + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: RTz9f + value: kK5WtZCFpsl + valueFrom: + configMapKeyRef: + key: CB1UV + name: 0pF + optional: false + fieldRef: + apiVersion: xO4s + fieldPath: n2G + resourceFieldRef: + containerName: GmnwMQ + divisor: "0" + resource: yX30Dke4u + secretKeyRef: + key: vPbHh + name: oBAn1EoZmPzN + optional: true + - name: LICENSE + valueFrom: + secretKeyRef: + key: 9y6KmPZ + name: QM + envFrom: + - configMapRef: + name: lo + optional: false + prefix: mSdySXyKqEkl + secretRef: + name: t4daT3 + optional: true + - configMapRef: + name: IFTvBGq + optional: false + prefix: qKk6o + secretRef: + name: "4" + optional: true + image: JWsGq/JAUpWzFL:3WF1aV + imagePullPolicy: 躂Qʢ瞶CǁȮ + livenessProbe: + failureThreshold: 604102540 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 93396392 + periodSeconds: 1323534907 + successThreshold: 2044410955 + timeoutSeconds: -725304614 + name: console + ports: + - containerPort: 59 + name: http + protocol: TCP + readinessProbe: + failureThreshold: -1216486926 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -1636119248 + periodSeconds: -1587206371 + successThreshold: 1085720843 + timeoutSeconds: 1603673472 + resources: + limits: + HS: "0" + sspp8OAsyF: "0" + securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - ɇǎȬ+丰DZ}薞ɎƐ + privileged: false + procMount: Ȧ杖煃a/ɓ<3ő+笽pȗdzSj + readOnlyRootFilesystem: true + runAsGroup: 8336843233603803000 + runAsNonRoot: true + runAsUser: 956863148985923500 + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: WfYQ + name: v1bEam0d + subPath: "" + - mountPath: hpZaUwi + name: 2keqwtlu + subPath: "" + - mountPath: bCeiaipj + name: RAI0g6yvn + subPath: "" + - mountPath: gRGvu + mountPropagation: Ŋ4ǔ盍薟惮睌ȿ濍ȯȀüƳ$ + name: oJv65V + readOnly: true + subPath: P20XHtoR + subPathExpr: SzD + - mountPath: xhuwGvn + mountPropagation: 搛悈nj鰣*颵俠Ʀ慫灗岵ȆǴ騔Ė栢č)q + name: ebDa1q2nKt + readOnly: true + subPath: "6" + subPathExpr: N0xOT + - mountPath: xHTM + mountPropagation: 0關ɮUeŪ + name: P8noEsWy3t + subPath: y5E + subPathExpr: oP2A6C + - args: + - 3OUsoZkVHy + - Gn3 + command: + - NLtY + env: + - name: 51Xcm68sAs + value: PUTq + valueFrom: + configMapKeyRef: + key: udLx6h9 + name: wSgnPbc + optional: false + fieldRef: + apiVersion: oVPbc + fieldPath: CGK + resourceFieldRef: + containerName: Ind7j + divisor: "0" + resource: 9tlZc + secretKeyRef: + key: z2i + name: aloI0W + optional: true + - name: nGb + value: I91 + valueFrom: + configMapKeyRef: + key: Ft8IZO4DX + name: 7PY9CO1 + optional: false + fieldRef: + apiVersion: DysSUO + fieldPath: M + resourceFieldRef: + containerName: i + divisor: "0" + resource: mbVAnrQ + secretKeyRef: + key: ZVD + name: 4gLX + optional: true + - name: SEd7KC2 + value: I0 + valueFrom: + configMapKeyRef: + key: 71k + name: B + optional: true + fieldRef: + apiVersion: vJE + fieldPath: nvSzEcQ + resourceFieldRef: + divisor: "0" + resource: fYaXGkFYlrz + secretKeyRef: + key: xDT4Uhi + name: a + optional: false + image: NLoqH + imagePullPolicy: U肵銨龋搁}ŗ=;ī篱ɺ頁掆薑 + lifecycle: + postStart: + exec: + command: + - NAmBp8Ijy9vgKS + httpGet: + path: GukCZ + port: umdXEe + scheme: ɭL莒ƠĦZ¢.0tȠȴF梩¯牏GȐ + sleep: + seconds: 2463489515348869600 + preStop: + exec: + command: + - RAP7lxh + - 0WRf37xLvaEE + httpGet: + host: Xi + port: 395093084 + scheme: '}Ä*諓懚泾ıɥ磀>ȃÓ愍瘞5' + sleep: + seconds: -2989387296528249000 + livenessProbe: + exec: + command: + - AondI + - CvX + - X9Dwm + failureThreshold: -1669443788 + grpc: + port: 1602861347 + service: 5dF71q + httpGet: + host: yOYLS + path: m99M + port: 1421693426 + scheme: cǶ嫙x勬´筮 + initialDelaySeconds: -348887387 + periodSeconds: -855526929 + successThreshold: -1868658835 + terminationGracePeriodSeconds: 7220662525875544000 + timeoutSeconds: -893266456 + name: 62y7 + ports: + - containerPort: 41082986 + hostIP: H + hostPort: -671022955 + name: Q + protocol: Ģ + - containerPort: -676585553 + hostIP: jdTqIIXMX + hostPort: 441858691 + name: bam + protocol: ã鯑 + readinessProbe: + exec: {} + failureThreshold: -1607827734 + grpc: + port: -732628448 + service: d + httpGet: + host: q2uSglvPX + path: 5YB9kNfy37 + port: -425352890 + scheme: ZʇįʔÌ玫Ʊ儝$緀ƥǣ鮀 + initialDelaySeconds: 1646541382 + periodSeconds: 597275764 + successThreshold: 1444783765 + terminationGracePeriodSeconds: -4224719974242331600 + timeoutSeconds: 1778484407 + resizePolicy: + - resourceName: YWwAdc + restartPolicy: 蓊ƽqs洊蛀Ƴ澠誉 + resources: + limits: + 9c5: "0" + DJI: "0" + uyw: "0" + requests: + 7livK1: "0" + PWZFD5fFpVA: "0" + restartPolicy: ǐ踊丸y苡汎0塛yM眗酊L攚dzyÚmG + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - țƒ摨1娣Q札遢ʌā4魯 + drop: + - W~ + - ȮnLv|麬O稕Ʉ幖0Ţ&揵¸ + - àPĪɉɯ鋹芨ȲƿƛĞx + privileged: false + procMount: ɉq$|ŀ蘨寱彣ɎȈORe]O掓I + readOnlyRootFilesystem: false + runAsGroup: -2438856757446633000 + runAsNonRoot: false + runAsUser: -8511671649189409000 + startupProbe: + exec: + command: + - "" + failureThreshold: 157629836 + grpc: + port: -20533111 + service: vASy4b + httpGet: + host: 94HpH + path: t70 + port: W59mpID + scheme: ħ6琏 + initialDelaySeconds: -146258274 + periodSeconds: 47385732 + successThreshold: -1646222325 + terminationGracePeriodSeconds: -5575789846018255000 + timeoutSeconds: -351943504 + terminationMessagePath: r0ZY2 + terminationMessagePolicy: 傂G嶃a橢抴=Ȃĺ庆ɏ鬹揖絴鹥ɣ¸Ȫs + tty: true + workingDir: XFFilzd + - command: + - VSuU6yfyc8y + - gLgP + env: + - name: PSOr4 + value: m2ujo1f4 + valueFrom: + configMapKeyRef: + key: B9Gc + name: BaR3c + optional: true + fieldRef: + apiVersion: OFu + fieldPath: Pydi + resourceFieldRef: + containerName: jPiF + divisor: "0" + resource: jyp8A7uPD + secretKeyRef: + key: fcGCM + name: Hs + optional: false + - name: Ax9HfRa4p + value: S3R2 + valueFrom: + configMapKeyRef: + key: ZDzzhFD + name: soDgOej + optional: false + fieldRef: + apiVersion: iSfQ + fieldPath: Plzxy53z + resourceFieldRef: + containerName: DfBt3S + divisor: "0" + resource: 757s44h + secretKeyRef: + key: bn2IGjj + name: x8E + optional: false + - name: r + value: PmO + valueFrom: + configMapKeyRef: + key: Htzib1 + name: gfbsiTcDY + optional: true + fieldRef: + apiVersion: Frhab7p2yh + fieldPath: K6XKg + resourceFieldRef: + containerName: CLX + divisor: "0" + resource: cq + secretKeyRef: + key: R + name: zPHkUHXQ + optional: false + image: bSZCow + lifecycle: + postStart: + exec: + command: + - "y" + httpGet: + host: 2cDO + path: L5m + port: yhJI + sleep: + seconds: 6222265361848815000 + preStop: + exec: + command: + - yVT + httpGet: + host: Ibt0C5XF + path: Kf7kW1 + port: Tlj66QW + scheme: 砰僮 + sleep: + seconds: 4926532563180302000 + livenessProbe: + exec: {} + failureThreshold: 982752870 + grpc: + port: -257993986 + service: XKTDj + httpGet: + host: 7vfaAybCd + path: GuTTi + port: 1952486193 + scheme: 馾耼qȩ罔磙ɮƥŴ²叇yēņȮ藺 + initialDelaySeconds: -817095459 + periodSeconds: 603211453 + successThreshold: -1693358568 + terminationGracePeriodSeconds: 3002071779676479000 + timeoutSeconds: 992801771 + name: 9QZX + ports: + - containerPort: -1838828544 + hostIP: cQQMftB + hostPort: -321659395 + name: XBD7a + protocol: '>V>ŝO随;YƁ' + - containerPort: -439290918 + hostIP: Bp0lf + hostPort: 431013681 + name: WQ5qc + protocol: 髄Ĝ估螗ȳ鎷ʫh + readinessProbe: + exec: + command: + - PjwAB3G + - k + failureThreshold: -2015478850 + grpc: + port: 156976837 + service: RSgDfH + httpGet: + host: Yi7aQ + path: 8Ql9 + port: 1150587533 + scheme: C箿i綔ȍȢ ŅŴ娒燸孆5乬瓤Ɛ + initialDelaySeconds: -486757233 + periodSeconds: -994300453 + successThreshold: 2128356439 + terminationGracePeriodSeconds: 4683705418302065000 + timeoutSeconds: 1635565784 + resizePolicy: + - resourceName: deutsepb + restartPolicy: õ崑o¾oɞø°ŮƑ欩Ʋ + - resourceName: WaO + restartPolicy: ±蜊ư蕭材y昍U + resources: + limits: + XiOokB: "0" + gxJ8zn4y: "0" + requests: + "": "0" + RFaH: "0" + restartPolicy: 7岻ðȸɉo熮燍ȉ=n + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - 迠譚綞撪颫,ʖʃ佞诌Ŧ丞śɧ璯PʥT + privileged: false + procMount: 荞£DS + readOnlyRootFilesystem: true + runAsGroup: 6728166770219184000 + runAsNonRoot: true + runAsUser: 2918288689668335000 + startupProbe: + exec: + command: + - o + failureThreshold: -949081542 + grpc: + port: 220928812 + service: EIuHGNT4 + httpGet: + host: 21BmFcJ50ov + path: WC7WP + port: njQtxPF + scheme: 鲰ʌȱ卹烛橇淃ō雀)缅tb憅棔JǓ*ɒ + initialDelaySeconds: 1631334347 + periodSeconds: -785602818 + successThreshold: -1111896125 + terminationGracePeriodSeconds: -8014749222013301000 + timeoutSeconds: 795835881 + stdinOnce: true + terminationMessagePath: m08AZSt + terminationMessagePolicy: 盛P1砦ǚ瀱#Ʌ穇嘜\Ɍ + volumeDevices: + - devicePath: NdQPZme + name: uHcdGnKv + volumeMounts: + - mountPath: IX + mountPropagation: diȔiN6ļɃƐ釭卬O + name: fPg + subPath: iY + subPathExpr: U + - mountPath: E + mountPropagation: 1ĵ氓ŝ瘛o扬=[蟗 + name: xt + readOnly: true + subPath: 2KRhR + subPathExpr: Vm0HMwn + workingDir: jusEo + - args: + - Ejt + - DYgNM8X + env: + - name: HkwQ + value: fpHbv + valueFrom: + configMapKeyRef: + key: 3e + name: Q + optional: true + fieldRef: + apiVersion: lh + fieldPath: "" + resourceFieldRef: + containerName: E1uEhn3 + divisor: "0" + resource: 0Pa + secretKeyRef: + key: co85cv7H + name: KL1I3G + optional: false + - name: 5MQMJhqUni + value: 34PEKwUkR + valueFrom: + configMapKeyRef: + key: ABhM + name: qq5b + optional: false + fieldRef: + apiVersion: vCLN + fieldPath: tge3Z + resourceFieldRef: + containerName: ST + divisor: "0" + resource: qFS8 + secretKeyRef: + key: Am + name: BLI353a5GI + optional: false + envFrom: + - configMapRef: + name: KBum1 + optional: false + prefix: 56g + secretRef: + name: zt5 + optional: true + image: XgUFG + imagePullPolicy: 锄ģnj[眈例ƚ淍ƁĐ~ + lifecycle: + postStart: + exec: {} + httpGet: + host: Yp7F87b + path: "y" + port: OtElY + scheme: ǐʮŕ + sleep: + seconds: 640752187186511100 + preStop: + exec: + command: + - 4GYkI2pQ + - QB + httpGet: + host: DFjlmWGAFM + path: qLfFaRePdtA + port: GTUH4 + scheme: 罛&ĥ顱Ƌ + sleep: + seconds: -1289822532228205800 + livenessProbe: + exec: + command: + - youyR + - J + - IiK3AJ + failureThreshold: 527043957 + grpc: + port: -1790391516 + service: wFKNeu + httpGet: + host: TjItsuCL + path: Lo07CoiEpmJ + port: 1449812891 + scheme: 聗œdz_x忔8 + initialDelaySeconds: -923296146 + periodSeconds: -920279093 + successThreshold: 1372003156 + terminationGracePeriodSeconds: 4545671926845562400 + timeoutSeconds: -1730135112 + name: ouxZOTiA7 + ports: + - containerPort: 365499724 + hostIP: c3z3 + hostPort: -1622732613 + name: jfpQ + protocol: 鬍匤<ɔɟǜ鼴`ʃ荞ɗ线亮Ô¼ + - containerPort: 387750436 + hostIP: 7OF + hostPort: -922470687 + name: 20ZoNWnefc + - containerPort: -1003650010 + hostIP: yK31 + hostPort: -479225666 + name: 1Up + protocol: 郣-齡^c艃7ɑU牌驀墭:煞 + readinessProbe: + exec: {} + failureThreshold: -189409295 + grpc: + port: -880806937 + service: N1zEO + httpGet: + host: vN9 + path: n8TKqPF + port: -995680865 + initialDelaySeconds: -2090855365 + periodSeconds: 1849358636 + successThreshold: 811072097 + terminationGracePeriodSeconds: -5833095732594203000 + timeoutSeconds: -65186305 + resizePolicy: + - resourceName: 9rUpDkTFnW + restartPolicy: KSʮ1ĩ`乀_Ɠ颩紵 慒¨ƶ挢¸s诡 + resources: + limits: + MYEa: "0" + ngW: "0" + requests: + 174vfq: "0" + restartPolicy: 軵ƿǽ嚢遳E + securityContext: + allowPrivilegeEscalation: true + capabilities: {} + privileged: true + procMount: Ő\烔Z座畄睸zɩCɎx簫S悍a + readOnlyRootFilesystem: false + runAsGroup: -6410700953715651000 + runAsNonRoot: true + runAsUser: -8187102783441072000 + startupProbe: + exec: {} + failureThreshold: 1640672315 + grpc: + port: -799307372 + service: w9KE22PLk + httpGet: + host: e6Zo4rWs + path: tscGwI + port: 2071839677 + scheme: '&ǂȞ<辳)9撆ʚ6&U}P%捸`y' + initialDelaySeconds: 652003075 + periodSeconds: 1077051101 + successThreshold: 1528128815 + terminationGracePeriodSeconds: -2176015428967645200 + timeoutSeconds: -998563216 + stdinOnce: true + terminationMessagePath: P + terminationMessagePolicy: 8痃v7ȱ噣愜Å%Ġ3 + volumeDevices: + - devicePath: k8uvc + name: GL + - devicePath: 31O9l + name: ivY + workingDir: PtgSFsc1GvC + imagePullSecrets: + - name: s1B + - name: R54rm + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: + TDma3: eGasO + cs6G: CyEFp0L + r: xdylcKb + priorityClassName: uHKqx + securityContext: + fsGroup: -4412504815274792000 + fsGroupChangePolicy: Ȯƭhjb糯妔ȂǑʜ胴}轣 + runAsGroup: 3860793197532220000 + runAsNonRoot: true + runAsUser: -1963293898483195400 + supplementalGroups: + - 2429921255984048000 + - -2773566751575633000 + - 5629450590441919000 + sysctls: + - name: h + value: zKVw + - name: D5ekUqS2 + value: 5FxU + - name: dgHyyau + value: o + serviceAccountName: S9Bk + tolerations: + - effect: 酼駘宁ì<^ʉ逐GM¼韹宅劑圦ȢN鵸; + key: LjdOPUZjJ + operator: 窃銥ɺ嘭t緯ȇw,[t捻S麨vɂ閰 + tolerationSeconds: 1714321621775966700 + value: Uvm9nY3 + topologySpreadConstraints: + - labelSelector: + matchExpressions: + - key: AUro1 + operator: 聘 + values: + - x5E03owNK1 + - 61u06hoBRErcl + matchLabels: + HMA: 7iZSaiF + jCP15v: ksLC1iD + matchLabelKeys: + - cp + - CZpJKgP + maxSkew: 644443933 + minDomains: 1722624609 + nodeAffinityPolicy: ú(ʆɴȾ狍lfĒHȉ嫔7ix壿 + nodeTaintsPolicy: 遡lşř门Ǣl + topologyKey: qP + whenUnsatisfiable: "" + - labelSelector: + matchExpressions: + - key: i8xDfgO + operator: ʖĝ#烕ɋřĊI + values: + - bOA4n + - ByUsK + - key: 6fCdAFtmFF + operator: 靕ƭ錒Ĕ + values: + - JIMC2Pc + - a7wA08 + - key: xMn + operator: "" + values: + - gSa5XT + - 50IS6 + - "8" + matchLabels: + DoGCwvltR: vVXQcZcxdz + JLmhsQlh: L3AY0Pv + X9: U + maxSkew: -2038040013 + minDomains: -1884001920 + nodeAffinityPolicy: 嵋磋ɹ:ɢ慚TA烁.X幰 + nodeTaintsPolicy: 奒)ʅm=矕郔o鬻鴊ȵɯt债CŔ儤 + topologyKey: qkx4gKx7 + whenUnsatisfiable: 匊aO卞肝喚覕Ȭnr說ɉƢ/Æȧ婡賛 + volumes: + - configMap: + name: foGC + name: configs + - name: v1bEam0d + secret: + defaultMode: 64 + secretName: FOCtz7x + - name: 2keqwtlu + secret: + defaultMode: 494 + secretName: 1dug + - name: RAI0g6yvn + secret: + defaultMode: 354 + secretName: "2" + - name: MqQb15NA +-- testdata/case-034.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: false +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + 0fz: qRhpB + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: zE + app.kubernetes.io/version: v2.7.0 + blGSa: Hnim0SflkfpF + helm.sh/chart: console-0.7.29 + name: QxrM + namespace: default +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + role-bindings.yaml: |- + roleBindings: + - zktoFv: null + - BnTf: null + N30: null + O: null + - "5": null + up6oELWDxO: null + roles.yaml: |- + roles: + - 3vFSt6CV6h: null + - zwoEunAfS: null + - "": null + Kz: null +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + 0fz: qRhpB + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: zE + app.kubernetes.io/version: v2.7.0 + blGSa: Hnim0SflkfpF + helm.sh/chart: console-0.7.29 + name: l +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + W8Ix4: 4kOonr2 + g93: wNXcKSBg + creationTimestamp: null + labels: + 0fz: qRhpB + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: zE + app.kubernetes.io/version: v2.7.0 + blGSa: Hnim0SflkfpF + helm.sh/chart: console-0.7.29 + name: l + namespace: default +spec: + ports: + - name: http + port: 421 + protocol: TCP + targetPort: 214 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: zE + type: d2QGeqxiX +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "l-test-connection" + namespace: "default" + labels: + 0fz: qRhpB + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: zE + app.kubernetes.io/version: v2.7.0 + blGSa: Hnim0SflkfpF + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - name: AGiMf + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['l:421'] + restartPolicy: Never + priorityClassName: ER4 +-- testdata/case-035.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: + 7lpi: QQ + RK: "" + od3x: "3" + creationTimestamp: null + labels: + 5NU: UG7t + 6NmZI: QxuTdplvdDdc + BYcISWrd5: YZbXA + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: HMyYp + namespace: default +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + roles.yaml: |- + roles: + - CSJ: null + - 0hM2tbS5: null + ZhG3M: null +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + 5NU: UG7t + 6NmZI: QxuTdplvdDdc + BYcISWrd5: YZbXA + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: Bv0I +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + C3p: uCspVMX + creationTimestamp: null + labels: + 5NU: UG7t + 6NmZI: QxuTdplvdDdc + BYcISWrd5: YZbXA + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: Bv0I + namespace: default +spec: + ports: + - name: http + port: 51 + protocol: TCP + targetPort: 456 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: ZQQlqx7Np +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + 5NU: UG7t + 6NmZI: QxuTdplvdDdc + BYcISWrd5: YZbXA + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: Bv0I + namespace: default +spec: + replicas: 464 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + strategy: + rollingUpdate: {} + type: Ʉ>朄崍ʡƥɼ戋\IJĹ + template: + metadata: + annotations: + checksum/config: 6556f5b75614fc7b5556cf3e548fa463f543604a0e97446ccd74584bf794de97 + creationTimestamp: null + labels: + Klzm: we + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + e: C2swj + s: vw1lrq + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: Zjc3H + operator: ~IJʚ伥ʜ1鷦鄪脳= + - key: AI40kXKS + operator: Tr^ǘõ8ù<鹶ĉ崱 + values: + - fCyDs + - nJRkjROTjd + matchFields: + - key: yFbZ + operator: Ĉ8%Sp + - key: AUDzh + operator: 礉 + values: + - agJ0f + - MD + - key: hREcH + operator: Ǻŀɏʉ紸戳禰ȸ酲 + values: + - JUaNJ + - CXFmegvU + weight: 1536882470 + - preference: + matchExpressions: + - key: pXW + operator: '@ļ矏鮯ɭ碊Gɽt蜮閻ƃǖ#ũ' + values: + - I8SZLF + - key: Rz + operator: '''p麛ȧ' + - key: mvD0aV1 + operator: 狴ȸ溂辷0Ġ + values: + - JpJWDh + matchFields: + - key: OB4 + operator: "" + values: + - tnWLH4yB + - "" + weight: 410194565 + - preference: + matchFields: + - key: 2C + operator: 屮少Ļɶ賊滺W + values: + - 28ZwpH + - ybv8 + - 8qy7 + - key: bs + operator: ŝ鮱芬Ǧ脸ƍ蠎Ā + weight: -1129044572 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: [] + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: ayaEl + operator: Ɗ琫 + values: + - WGZPb + - EzYpfj + - key: Isb + operator: '@£驍' + matchLabelKeys: + - 2NNt + - NCBB22ja0 + - retU + mismatchLabelKeys: + - x3 + namespaceSelector: + matchExpressions: + - key: iQ + operator: u倲鹩?úʈ腄跛[¤O + values: + - 5y4bG + topologyKey: STnAVX + weight: -1894745290 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: R + operator: xʣcǦ:槠ʒ鄊喁蠨 + values: + - P + - 348OOM + - "0" + - key: hpIVL + operator: 鷭ʚ櫹hȅɩ&嘨Ād旌³ƑǫʄcǶ + matchLabels: + h6hNi: II1Z29P + t: 8wxT + matchLabelKeys: + - P + - axCJXjr + - ICeVp + mismatchLabelKeys: + - ljKwc + - mr6kl5v + - e + namespaceSelector: + matchExpressions: + - key: C + operator: =ĥĕ壚_隈]Ȑ釀侹ʩʎ痿c揜 + values: + - K1K + - c8fwp + - 8vQ4EPywlatl + - key: 28EpNe + operator: 鼓頳'ʛ1挂ō緕当gToʇ接遫 + - key: "" + operator: ƝZĂ 寑=愝奚Ĩw桟t摧pŸ + values: + - BuqtJnV + - 0hpJEbg + matchLabels: + 4lNwC: NEzAktH + h3ErklId8G: qClR4lO9e + namespaces: + - AYtMy3oUrS + - aX5P8O + topologyKey: 6D + weight: -1152164451 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: F6jo11z + operator: 亊路+M + values: + - h + - mmuiW + - GIV7E3H + - key: C + operator: v2佉鱉v辑ɞȠXɎʫǸú81Ɵ + values: + - QL + - MPxVd + - dqj9PPnthc + - key: 6JaPa + operator: 8dž貒ɑzןlȍH琧3ɞ + values: + - 1vJUmwXUq + matchLabels: + CIFj: YwH + Y2kn8RCwh: 90KzxhieelQ + y05g7PKLJ: 75bPN + matchLabelKeys: + - bYiD + mismatchLabelKeys: + - IiTYx5K5t + namespaceSelector: {} + namespaces: + - rZw0zlprDr + topologyKey: sxEn3K + weight: -1384321177 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: VgaK0hEji + operator: Ĺ礇紈銠噐ɴ諠2稇Ɠ鸈ý藁 + - key: S + operator: 鋸ɢǎ"膤ƭU軖tg埞鴤駩蹡 + - key: 9CwIty + operator: '`\糖ť8弤娹)覇gƲ妒墲9n' + values: + - 3j6O7C1tYz8 + matchLabels: + 0gEuFD: 74yF5 + matchLabelKeys: + - C + - IaGS + mismatchLabelKeys: + - W1 + - x + namespaceSelector: + matchExpressions: + - key: WXQ4P + operator: eĈ峧ʔƟ±ps缆D戭ǟ + values: + - "" + - EyV7u6ShG55 + topologyKey: DHgv6 + - labelSelector: + matchExpressions: + - key: RrGr5 + operator: 苭 + values: + - s + - Uk9D + - qTA4 + matchLabels: + yvalC: zQDHWOCId + matchLabelKeys: + - j1mN0G + mismatchLabelKeys: + - VdCZU8 + namespaceSelector: + matchExpressions: + - key: YzPO7z + operator: Lȇ杦娀 + values: + - 4UCJLskm4 + - VY + - key: arPd + operator: 燔佰馛{I諵Gƣ_*e + matchLabels: + g3PzQTKu: EtFrI + namespaces: + - ZXe + - ik9z + topologyKey: Os0u + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: DTU + operator: 鷚OíDzRě¤觹J闬#6U脥狍 + values: + - "" + - A5o + - gC + matchLabels: + Dm: WpOLJ + matchLabelKeys: + - z + mismatchLabelKeys: + - ICMl + namespaceSelector: + matchLabels: + XY9q9YY6uD: CiedBn + namespaces: + - vZ6M + topologyKey: OpLnLGsE + weight: 538966601 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: kEha + operator: Ę沌`f帞qA'躚S郻Ɏ珍韄 + values: + - etjdRyp + - zavjaM + - OYvYj + matchLabels: + KVwZfB: KEPzsU59 + RkZ: 0VcRQYQ + YpbOAE: DLjKEd + mismatchLabelKeys: + - djF + - SUMMj + - TGSC2G8I1Up + namespaceSelector: + matchExpressions: + - key: menWm + operator: k÷餌Ō + values: + - x9N + - mtsmYut + - key: szQb + operator: °« + values: + - hkxKeWqC + - key: YJUom + operator: ź²%FÔ縥:嗚K + values: + - NiQwKD + matchLabels: + 4AI5GYaY: ALH1BY + Bu43TOQ: WD + H: iujH1 + namespaces: + - Lc1PZ + - Z7LIE + - s4c0o + topologyKey: P7xmm2 + weight: 1130067767 + - podAffinityTerm: + labelSelector: {} + matchLabelKeys: + - yJiUSi + mismatchLabelKeys: + - 3ulP + - "66" + - "4" + namespaceSelector: + matchExpressions: + - key: eK + operator: 钕Ŧ + values: + - yRj + - Ukm + - "" + - key: "" + operator: 锧BȾLF譨Ɣ? + values: + - MtLk2 + - mUrlwRAdRoNX + - key: rlSqK0xlaaI + operator: 'Ɏƶʗ疇ȵMÇŕ翸鑉d劯kʦĺʄ4 ' + matchLabels: + FGHX9SlJz: MRMXuk + topologyKey: 4morNsk6TdYi + weight: -971499940 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: zosngP + operator: ʒ蠜¡ȂŧIH闦º弓鳾蠖Ą批9}_ + matchLabels: + "": wEhn + P1O8tGwJ: ZC + matchLabelKeys: + - IN0 + namespaceSelector: + matchLabels: + wMID0: aOr1UxM + topologyKey: krnVB + - labelSelector: + matchExpressions: + - key: mE + operator: 虵xǯ6熋湧ƳʝŅU节擎隆X鏯 + values: + - k + - bcx + - ks + matchLabels: + nYs: Hv5tuwQ + zAVu: G1PF + matchLabelKeys: + - u + - Gi6tJR + - "60" + namespaceSelector: + matchExpressions: + - key: bqRj + operator: ĭ啞&/sFş(墠O1Ÿ( + values: + - fe2dTLTbB + - QLUYqgc + - XBuCBfk27 + - key: exMkm + operator: m輚ɮ凪哇褚 + values: + - EQROy + - XQDPF7uw + - key: MwOO + operator: 鹗u仏兤o*>蒟顨ƽėȰ + values: + - TGv + - VVtqHApm + - 7Mub + matchLabels: + PI: elzxW + Wd1Q: MYEPScu1su + i: uENdc + topologyKey: QlwUBoDWM + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: 14jKCyMC + value: Mb95Ivlchi + valueFrom: + configMapKeyRef: + key: FMRh9 + name: VwME2dRYnb + optional: true + fieldRef: + apiVersion: NlY1uxRPgql + fieldPath: NDrKU5 + resourceFieldRef: + containerName: gPQ1TD3MX + divisor: "0" + resource: r6HOpjj + secretKeyRef: + key: "n" + name: RQLa2rQL7Y + optional: false + - name: LICENSE + valueFrom: + secretKeyRef: + key: xLO4B2BCZUJ + name: BQR2Y + envFrom: [] + image: XB9ke7yB/EwU0pzhz:SmZAnO7 + imagePullPolicy: 垿儣Ƈ#WMƻ + livenessProbe: + failureThreshold: 724782955 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 1633166106 + periodSeconds: 2105675880 + successThreshold: 225361138 + timeoutSeconds: -1665363921 + name: console + ports: + - containerPort: 456 + name: http + protocol: TCP + readinessProbe: + failureThreshold: -1128918125 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -116128728 + periodSeconds: -1936485392 + successThreshold: -1735161598 + timeoutSeconds: -1293939870 + resources: + limits: + 0PRJ1bi: "0" + JUjtrq: "0" + WN9h: "0" + requests: + TCeGWCB: "0" + x5O0IxuN: "0" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - '@晏駚T!UɎȉépg鎘Ȉ' + drop: + - ÚơĊ猴渋ĭ8膔櫔ż択ůĦ抹 + privileged: true + procMount: 偖躪 + readOnlyRootFilesystem: false + runAsGroup: -543916493751029760 + runAsNonRoot: false + runAsUser: 7772713475568768000 + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: pqfdKzb + mountPropagation: "" + name: 6btv + subPath: xLjoA + subPathExpr: UseM + - mountPath: EYXxm + mountPropagation: 煊`ś蠶+蓲慅4曌Ƥ4臜.魼簌m缽荈巇 + name: 6ut6g + subPath: 7N + subPathExpr: ypY + - command: + - DlBCuc8xa + - X2hi8Mp + image: 00GQ5 + imagePullPolicy: 賎ʂG}Ƌ煚6ūaĠ腻f + lifecycle: + postStart: + exec: + command: + - mVlE + - cFmlozRTJ + - "" + httpGet: + host: RIzcOYFo + path: eZge9wzJjW + port: ugY08 + scheme: 讣Ɨƶ"ɇǘƓƮ + sleep: + seconds: -5362042555365295000 + preStop: + exec: + command: + - "" + httpGet: + host: hLxRfJhv + path: JA8kOIY + port: tpH1 + scheme: '''k:嘡葊佒ďȏǓɡ毫/视倴ĩ}Ɓ u' + sleep: + seconds: -915316715834475000 + livenessProbe: + exec: {} + failureThreshold: 1628387875 + grpc: + port: -119747124 + service: 3cnWKI + httpGet: + host: 6Wzb9 + path: Af + port: RAzYX + scheme: 嘾Q經f + initialDelaySeconds: 4951530 + periodSeconds: 1309655668 + successThreshold: 918641827 + terminationGracePeriodSeconds: -3073080783253286400 + timeoutSeconds: -1896420637 + name: yML27O + ports: + - containerPort: 509868797 + hostIP: XMFIjyy7MNejY + hostPort: 2083818454 + name: gd + protocol: 槏 R¨ƽT³簑ƤA$<猿.0d + - containerPort: -164866787 + hostIP: eh + hostPort: 1842390272 + name: H7 + protocol: y擫`/洄]ʢÓ7Ā紐ǟ塋 + readinessProbe: + exec: + command: + - 5MrELPMn + - 23x1a + failureThreshold: 1394382122 + grpc: + port: -96138878 + service: DBq + httpGet: + host: 60SrHkgc + path: OwZeja1P + port: 721461548 + scheme: ' `$ħ' + initialDelaySeconds: -2125734502 + periodSeconds: 66441733 + successThreshold: 130216629 + terminationGracePeriodSeconds: -7113768241875088000 + timeoutSeconds: -977567736 + resizePolicy: + - resourceName: 8VNf4C + restartPolicy: Ě} + resources: + limits: + 2TX: "0" + Yd3: "0" + avcFFX: "0" + restartPolicy: Ę<彪6 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - ūW銹fn|óOB¶őǝ:ɛ暙- 嫴 + - 韣噺Ȑ主鋥Ɣ睩熾@Ĥvƈ + - 気ʎɭ愢勈īɔ垆ŀ槌,q儇p顼ǯ歳 + drop: + - EģIJ>筡|n譌ɶd2鍇$X/ȴ偎穾7 + - "赻探ǞiN胂a + name: 79CeZyd + subPath: xMQ + subPathExpr: NvU + - mountPath: smgfnmvP + mountPropagation: ʈ + name: CuKUC + subPath: hZ8KJ3 + subPathExpr: CK4WsX + - mountPath: zm + mountPropagation: 傩骟Ⱥ|尤fŇɓ呣ɘĩŽ + name: wRtUU + readOnly: true + subPath: T1 + subPathExpr: cidBhX8I + workingDir: M0jsi8 + - args: + - rQ7QBmZ4 + - Q32wY3lGUA + - VGeP + command: + - "6" + - 5vVr2Q + - 4YDd + env: + - name: DY1 + value: sge + valueFrom: + configMapKeyRef: + key: O8RUTpJ + name: SCF5ph + optional: true + fieldRef: + apiVersion: NY0hb + fieldPath: ViZ0f + resourceFieldRef: + containerName: "Y" + divisor: "0" + resource: sCX + secretKeyRef: + key: Ma + name: 6s6lc5 + optional: false + - name: m19lk2eiDtcdB7 + value: 0JaB + valueFrom: + configMapKeyRef: + key: VolU + name: jnFjMLIQ19 + optional: true + fieldRef: + apiVersion: "6" + fieldPath: N0wIEnFmQ + resourceFieldRef: + containerName: QwDG86d + divisor: "0" + resource: pda + secretKeyRef: + key: Uc7x1XF + name: efgc + optional: true + - name: 8A + value: 1kUmljHSb + valueFrom: + configMapKeyRef: + key: "" + name: z18yxT + optional: true + fieldRef: + apiVersion: 1qaE + fieldPath: vEzPx + resourceFieldRef: + containerName: GYhSz + divisor: "0" + resource: Ttq + secretKeyRef: + key: aaGRQS + name: C + optional: false + envFrom: + - configMapRef: + name: "0" + optional: false + prefix: 5cqcw + secretRef: + name: O7Gex12 + optional: false + - configMapRef: + name: DHEYwZ + optional: false + prefix: wSbyGx + secretRef: + name: 9nM86dZi + optional: false + image: E + imagePullPolicy: 栧Z + lifecycle: + postStart: + exec: + command: + - 6775E + httpGet: + host: hIoYmpbc + path: qEf + port: rnJpXG69m + scheme: 赙¯6a腚 + sleep: + seconds: 4894208532244896000 + preStop: + exec: + command: + - mHtY + - 0hh1Tr + - "" + httpGet: + host: BuElf + path: fJPDiyG + port: PybmIT + scheme: M*Ķ + sleep: + seconds: 7544543348205058000 + livenessProbe: + exec: + command: + - z7IJ + failureThreshold: -360493877 + grpc: + port: -1395908290 + service: zV1i + httpGet: + host: GLn + port: -279409955 + scheme: ǃU螄骰褃Ʀ诐Ɯ{,ɍb萎Ɲʢ鰪\U + initialDelaySeconds: 1831688310 + periodSeconds: -280461011 + successThreshold: 84363106 + terminationGracePeriodSeconds: 7513815341722355000 + timeoutSeconds: 442815657 + name: pGthpc + readinessProbe: + exec: + command: + - T39QO5 + - "" + - DbSsPel + failureThreshold: -1901163919 + grpc: + port: 1255815597 + service: xeTv + httpGet: + host: bipPJGJ + path: nghEbF + port: uyLPK + scheme: 翁渹牯澖 + initialDelaySeconds: 1295268788 + periodSeconds: 17921235 + successThreshold: -212369586 + terminationGracePeriodSeconds: 1061046207943693700 + timeoutSeconds: -1707711843 + resizePolicy: + - resourceName: RLHi + restartPolicy: 掳?帐(Ǖčĭ纜 + - resourceName: H1Bv + restartPolicy: Ɉ駃愝ɲƁ2*ʍJ蕦ʃĹr}尕5J埉g + - resourceName: f + restartPolicy: ɧ帨y晒ʪäǗ«ǤǞugT埤X澇寿Ù\ + resources: {} + restartPolicy: 7Y熀7rúǬ轘 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - Ǒn%Aʙ]m* + privileged: false + procMount: 鼷R珍沌 + readOnlyRootFilesystem: false + runAsGroup: -287129322294347260 + runAsNonRoot: true + runAsUser: 3942212766283409400 + startupProbe: + exec: + command: + - gN + - zpmlcJ + - DeLJ4s + failureThreshold: 102924404 + grpc: + port: -1304933194 + service: 0iK + httpGet: + host: jbg + path: ZqaSpx8C + port: UPJqfy9dOO + scheme: 韼QY岩沴ì釪儇9ĩN + initialDelaySeconds: -46268668 + periodSeconds: -1126074804 + successThreshold: -2093938118 + terminationGracePeriodSeconds: -3498490773203628500 + timeoutSeconds: -736335366 + terminationMessagePath: "7" + terminationMessagePolicy: 辺OB¯悱楆3Ǫ首傭ɟ鮛ïƇ豙ǁUȵ + tty: true + volumeDevices: + - devicePath: DSh1 + name: 1OMawuQAlZD7 + - devicePath: "Y" + name: liCI2j + volumeMounts: + - mountPath: JPO9Ewk3kgaeuBD + mountPropagation: k釂Żɮ>ɸêW箁B| + name: QGO7HtoR + readOnly: true + subPath: oYudCrOqA + subPathExpr: Z1oG + - mountPath: iH6 + mountPropagation: dP帗俪Ťŷ/6¤þ剛&Ģ趽qi + name: 9Ro4aQU5yby + readOnly: true + subPath: piBl3 + subPathExpr: nfDFn + - mountPath: uU2H4 + mountPropagation: ljQ + name: "" + subPath: rj2 + subPathExpr: E + workingDir: BveK3 + imagePullSecrets: + - name: ygWNP7C0W9 + - name: lo0PU + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: + LAqpO: N7lh0C2 + RqG8qj: ltTa5 + X3q: F5c + priorityClassName: F + securityContext: + fsGroup: -8750452531563962000 + fsGroupChangePolicy: RȗɻÎ + runAsGroup: 3754171381447903000 + runAsNonRoot: false + runAsUser: 2565919490422334500 + supplementalGroups: + - 2907772986244332000 + - -4686580881125536000 + - -7134026849524392000 + sysctls: + - name: 8gezWufB + value: 2Jv + - name: 4nhjhT6P + value: 32ZuT + - name: cQk5tljX + value: Aimzt8kirN + serviceAccountName: HMyYp + tolerations: + - effect: aƻƀi + key: 7II7D0fA + operator: 跳<ȴŤƇ梐ȸŷR + tolerationSeconds: -92963183946417040 + value: U + - effect: p鸿xś冣9ɩ揊Ů忁琺ȖP壡o繊堮 + key: 5sC + operator: XɦǨ燖Ż綯逆挤ʦ斝蟏滣ʣ + tolerationSeconds: -6405135249548566000 + value: c2m6hlo + topologySpreadConstraints: + - labelSelector: + matchExpressions: + - key: bsO + operator: Ⱥ8欟慡Ƿţ6氙絿鐘黬聠ç + values: + - hbuLC + - SdAZnchI + - key: b4Pjya + operator: jɀh5湧,Ȳǣ6謉<ɦ + - key: gXEm + operator: ',k涃栏岴g橚甇ȳ0禰餝榖睌ěB縩侾F' + values: + - q9VqX4l + - zoMoc9Vb5 + matchLabels: + B0T: uiIEpLD2 + V: jdhpTcaa + pz: V1dJXS8 + matchLabelKeys: + - yoFhTrxV + - o + maxSkew: -1837539887 + minDomains: 2144009248 + nodeAffinityPolicy: 怓覷環ʤ苷疿ʡB聧!]LJƱĿGť + nodeTaintsPolicy: V~0韾¾Ȣû&嵙纠&ȠVƧ鍌 + topologyKey: GldA + whenUnsatisfiable: Ƀk纩{寍HƋ&庝僟D徼聊 + volumes: + - configMap: + name: Bv0I + name: configs + - name: 00PT1WRWHX + - name: P4 + - name: fn +--- +# Source: console/templates/ingress.yaml +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: {} + creationTimestamp: null + labels: + 5NU: UG7t + 6NmZI: QxuTdplvdDdc + BYcISWrd5: YZbXA + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: Bv0I +spec: + ingressClassName: vg + rules: + - host: daRMGxIy7gKoE + http: + paths: + - backend: + service: + name: Bv0I + port: + number: 51 + path: GVhF41Ue + pathType: TeM8 + - backend: + service: + name: Bv0I + port: + number: 51 + path: UontjIzl + pathType: MN + - backend: + service: + name: Bv0I + port: + number: 51 + path: "" + pathType: xN + - host: YCgI + http: + paths: + - backend: + service: + name: Bv0I + port: + number: 51 + path: MPhdfahEcn + pathType: ECPrn + - host: GDOlAVRM + http: + paths: + - backend: + service: + name: Bv0I + port: + number: 51 + path: H5pExfzke + pathType: v8 + tls: + - hosts: + - dQiMWdJ8cYKS + - 35K + - 8Kin + secretName: C + - hosts: + - zPo + - Z7 + secretName: SiZz +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "Bv0I-test-connection" + namespace: "default" + labels: + 5NU: UG7t + 6NmZI: QxuTdplvdDdc + BYcISWrd5: YZbXA + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - name: ygWNP7C0W9 + - name: lo0PU + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['Bv0I:51'] + restartPolicy: Never + priorityClassName: F +-- testdata/case-036.yaml.golden -- +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + Nv: YHcp9u + RMi5: o4 + ViLr0: zrEw3 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 9mG8n4Wu4 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: AumW +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: EfQbyB + kafka-sasl-aws-msk-iam-secret-key: B + kafka-sasl-password: w + kafka-schema-registry-password: qiltVq + kafka-schemaregistry-tls-ca: kyT4j + kafka-schemaregistry-tls-cert: Tu4varJ + kafka-schemaregistry-tls-key: bmT + kafka-tls-ca: UyskLmDZ + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: hPt + login-github-personal-access-token: vRbRqD0 + login-google-groups-service-account.json: lcc9 + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: A9RDbO6GzTtHYG + login-okta-client-secret: HktzleLAg + login-okta-directory-api-token: qX + redpanda-admin-api-password: 5imX8ztdqjU + redpanda-admin-api-tls-ca: opQQ + redpanda-admin-api-tls-cert: PGcfJC3zH + redpanda-admin-api-tls-key: IhqyTvQn4T +type: Opaque +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + Nv: YHcp9u + RMi5: o4 + ViLr0: zrEw3 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 9mG8n4Wu4 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: AumW + namespace: default +spec: + ports: + - name: http + port: 113 + protocol: TCP + targetPort: 414 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 9mG8n4Wu4 + type: XHYb2qmrk +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + GvX4jkWw: xAyNk + MdtXxfH: "" + WyrWx: 8QO + creationTimestamp: null + labels: + Nv: YHcp9u + RMi5: o4 + ViLr0: zrEw3 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 9mG8n4Wu4 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: AumW + namespace: default +spec: + replicas: 24 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 9mG8n4Wu4 + strategy: + rollingUpdate: {} + type: LJėwǮ甧 + template: + metadata: + annotations: + checksum/config: 74234e98afe7498fb5daf1f36ac2d78acc339464f950703b8c019892f982b90b + jLE31lUP: LWc + creationTimestamp: null + labels: + 6W: FQvOa + YwkBSNWK: 0qqd + app.kubernetes.io/instance: console + app.kubernetes.io/name: 9mG8n4Wu4 + jP3: iNkD + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: bkwD5 + operator: B砟摫ʟ]估ȽÓĖ頒ʙǯ + - key: 4n + operator: "" + - key: DDWUTPllaee + operator: ǒ@訹Ðđɤ軗ɲǃZ袓6悔ʙ[x] + values: + - bHwxZg + - iPWF3DQz + - yhiFQZ98w6h + weight: -551427274 + - preference: + matchExpressions: + - key: kZ + operator: "" + values: + - BMfDa + - key: l + operator: unɚʀɂ7Ǩ蘕 + values: + - 1vsAjW + - lEGj0 + matchFields: + - key: EYCyU + operator: 袒雬Ǐ蔡|骐pOĆƍbʌʝl + - key: e9QdJHV + operator: Ɏ鼛鏗擌-悝Ű + values: + - DToToJ + - Gq4 + - key: M4b3wwVy + operator: 煛苅=İ哋ońɢ\Głh斳hɷ韙 + values: + - fMIoNrUiyJdi + - tcNEhOds + - N0 + weight: -906035045 + - preference: + matchExpressions: + - key: 05VafuKQo + operator: ƃèĢC篘 + values: + - McUwm + - oMXVW + matchFields: + - key: "" + operator: 9ȮLǟ3V廉\5膏ɩ袴 + values: + - t + - r8d6G + - FevHe + - key: KeJd9X4 + operator: \Y#uɆɫwĉɎ卲S + weight: -773391374 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: PiRY + operator: 週畯嘰Œ铖'ȸ0Į5k,逊 + values: + - Fo9oE + - KLfm4 + - PiZJC + - key: 6HCuuj + operator: Ȋ!ʈh牅HŹ蓓% + values: + - PU34U + - bZ12kwJ4s1 + matchFields: + - key: CCVSIZH + operator: (铴Njʦ釖Ĩ鎅ƒ獞p)唓u¸::2 + values: + - DjvLD + - key: 9gy6tFM + operator: ø + values: + - lPjPu0 + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 2oL + operator: Ì溄祤BNjɎ_ )jðZF + - key: Tl1mGP + operator: r0ȨȵeēP眼饾j + - key: 98uL + operator: "" + matchLabels: + "": H0F + IGfr: 8iR8 + pTjU: 2vy5Ol + matchLabelKeys: + - l2d3an + mismatchLabelKeys: + - gomcuJ + - UMhaBnQUuSH4 + namespaceSelector: + matchExpressions: + - key: CyYjfraf + operator: 鸫ʊűoǪĞ3 + values: + - uPW + - key: vuREiHB + operator: ^ĄçȂ挌 + matchLabels: + tlcI6jz: 87JK + namespaces: + - eUszN + topologyKey: yJ + weight: 1657692208 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 3d3mr + operator: 鿈Ė聭焚歉Ð(币帄Ⱥ + values: + - h + - key: Z5c + operator: ma琓 + values: + - i5Ae6oUo + - EWixIB + - "y" + namespaceSelector: + matchExpressions: + - key: XFYbW + operator: M~ + - key: lWHcsQ + operator: 铿X异~<ÿ缇ī*^ĩ + matchLabels: + s: l6sxM + vFiVA7j: WEOy1jtU + topologyKey: JW85dr45m2G + weight: 444678250 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: bMT + operator: ^)4ɊDZǸDŽ + values: + - CG9Onrt + - key: T + operator: ƞ傏 + values: + - bXs59oj + matchLabels: + 6BRwn: Pdm + Yy: aaoLnp + myN: rwJGrW + mismatchLabelKeys: + - "n" + - c + namespaceSelector: + matchLabels: + 5QMzPp: AP + D: "2" + u: Dca + namespaces: + - 8Af + - NYfxoYf + - R4G + topologyKey: yY + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 2uhHhqog + operator: Ȧ + values: + - YgsgGf + - key: EaR + operator: 愅YVǵ楔¢4Ʋ + values: + - xaEk + - key: NV5iPi5Kw + operator: ' 軕氡#晉Ʀ筜篧e蹶ʀSɟʂÊʕT' + values: + - BY4 + matchLabelKeys: + - 9fTYFH7s + - aK6HB6 + mismatchLabelKeys: + - 13L + namespaceSelector: + matchExpressions: + - key: 3FT + operator: Tğ枕Ōo*a種JU-ɶƠdz鱓fƑS + values: + - 4ISUCT + - po8yM2L + - T5Q0UARu + - key: RhB + operator: "" + values: + - Re7 + - 7id + - 91GFPdrt + - key: ShRTzNRj + operator: ʬ吇Ȭ?搰Ç + values: + - HiGOGJE + - wOi + - HmllR83Dbvoz + namespaces: + - "" + - TBCPW + topologyKey: 0H + weight: 1493754197 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: CESaz + operator: ŢaæX#暁鲸'媩俛5齗aw'ĥ煆W + values: + - "" + - key: YtpoWP + operator: 瀽LƠ' + values: + - uS13z + - ip0h + - o8m9MWnmr92 + matchLabels: + 7o4tt: QX9gjN + KScJOoR95: Dpu + wfAk1b: rH5Z + matchLabelKeys: + - Yh1S1nZ7hm + - Fwx + - 6mhp + mismatchLabelKeys: + - ihvyNa7 + - m8 + - Q + namespaceSelector: + matchLabels: + 2KH67NR4: Vy8qZyy + topologyKey: w0KJ + weight: 1592497187 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + 1UcAh: h + namespaceSelector: + matchExpressions: + - key: yxz + operator: ',酵ýhȿ鲹芫澥 Ǧ_Ź躄_莯ʊ傡硬M' + values: + - Fof + - key: 8KwNEN + operator: 8炮逴8`M鞵ȍȟ蟷盱 + - key: N0 + operator: Ì崌爷矉&佷* JQȴ躀厇退ƿƍ肙 + values: + - kjlwyKc + - DDz + - Yf8Vf5Ar7w7 + topologyKey: n5cRtvXjK + automountServiceAccountToken: false + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: 0iCX + value: UfKNkXj6I + valueFrom: + configMapKeyRef: + key: GGYmdb5PBtUx + name: Zl1rWu9 + optional: true + fieldRef: + apiVersion: 1pKgni + fieldPath: 8Zmv + resourceFieldRef: + containerName: nK + divisor: "0" + resource: Yizp + secretKeyRef: + key: Dxqh + name: td + optional: false + - name: bm + value: K06vl + valueFrom: + configMapKeyRef: + key: dOTjzfwtRPzX + name: YleYOzRS + optional: true + fieldRef: + apiVersion: xl + fieldPath: 6NM2 + resourceFieldRef: + containerName: jreT + divisor: "0" + resource: "" + secretKeyRef: + key: B7 + name: cu + optional: true + - name: F4Vp + value: 9q + valueFrom: + configMapKeyRef: + key: dAPalKT0 + name: UXC7S + optional: false + fieldRef: + apiVersion: bTxwQmS + fieldPath: XW + resourceFieldRef: + containerName: iqnl + divisor: "0" + resource: e9 + secretKeyRef: + key: c1WJ + name: sg2TuPSW + optional: false + - name: KAFKA_SASL_PASSWORD + valueFrom: + secretKeyRef: + key: kafka-sasl-password + name: AumW + - name: KAFKA_PROTOBUF_GIT_BASICAUTH_PASSWORD + valueFrom: + secretKeyRef: + key: kafka-protobuf-git-basicauth-password + name: AumW + - name: KAFKA_SASL_AWSMSKIAM_SECRETKEY + valueFrom: + secretKeyRef: + key: kafka-sasl-aws-msk-iam-secret-key + name: AumW + - name: KAFKA_TLS_CAFILEPATH + value: /etc/console/secrets/kafka-tls-ca + - name: KAFKA_SCHEMAREGISTRY_TLS_CAFILEPATH + value: /etc/console/secrets/kafka-schemaregistry-tls-ca + - name: KAFKA_SCHEMAREGISTRY_TLS_CERTFILEPATH + value: /etc/console/secrets/kafka-schemaregistry-tls-cert + - name: KAFKA_SCHEMAREGISTRY_TLS_KEYFILEPATH + value: /etc/console/secrets/kafka-schemaregistry-tls-key + - name: KAFKA_SCHEMAREGISTRY_PASSWORD + valueFrom: + secretKeyRef: + key: kafka-schema-registry-password + name: AumW + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: AumW + - name: LOGIN_GOOGLE_DIRECTORY_SERVICEACCOUNTFILEPATH + value: /etc/console/secrets/login-google-groups-service-account.json + - name: LOGIN_GITHUB_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-github-oauth-client-secret + name: AumW + - name: LOGIN_GITHUB_DIRECTORY_PERSONALACCESSTOKEN + valueFrom: + secretKeyRef: + key: login-github-personal-access-token + name: AumW + - name: LOGIN_OKTA_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-okta-client-secret + name: AumW + - name: LOGIN_OKTA_DIRECTORY_APITOKEN + valueFrom: + secretKeyRef: + key: login-okta-directory-api-token + name: AumW + - name: LOGIN_OIDC_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-oidc-client-secret + name: AumW + - name: REDPANDA_ADMINAPI_PASSWORD + valueFrom: + secretKeyRef: + key: redpanda-admin-api-password + name: AumW + - name: REDPANDA_ADMINAPI_TLS_CAFILEPATH + value: /etc/console/secrets/redpanda-admin-api-tls-ca + - name: REDPANDA_ADMINAPI_TLS_KEYFILEPATH + value: /etc/console/secrets/redpanda-admin-api-tls-key + - name: REDPANDA_ADMINAPI_TLS_CERTFILEPATH + value: /etc/console/secrets/redpanda-admin-api-tls-cert + envFrom: + - configMapRef: + name: 3PT + optional: true + prefix: l + secretRef: + name: zakko + optional: false + - configMapRef: + name: RdxlkV + optional: false + prefix: 9Ae4W + secretRef: + name: UiJ + optional: true + - configMapRef: + name: bp + optional: true + prefix: SU + secretRef: + name: fy + optional: true + image: ai/f54I:iO + imagePullPolicy: ǫtŖŮƘ瓧ù¹勍u + livenessProbe: + failureThreshold: 864346345 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -1341055636 + periodSeconds: 2055603833 + successThreshold: -175204389 + timeoutSeconds: -589897727 + name: console + ports: + - containerPort: 414 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 1075627654 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 333726894 + periodSeconds: 1376975278 + successThreshold: 112483424 + timeoutSeconds: 669945326 + resources: + limits: + 7VHN3: "0" + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - '*·戌ɳKõʚK(懷ë蟅ȣg' + - vOpɔm&ɞ法槪ųf + drop: + - l¤0ɖK樌ŕDĪ箰ɬȓũ梫h揼 + - 躟OBZş互鹫Íʨƶ`ã + privileged: false + procMount: 9®俠ɳ屑ŏO'pe,Q+膿麣 + readOnlyRootFilesystem: false + runAsGroup: -289823929905824060 + runAsNonRoot: true + runAsUser: -4392330066259666400 + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - mountPath: Oly + mountPropagation: ƈįlñ + name: QuM + readOnly: true + subPath: NPJ + subPathExpr: vn + - mountPath: xsiqpcicm + mountPropagation: Ŝȃ燩čƃʤǸ儼 + name: blYv + readOnly: true + subPath: 8f + subPathExpr: I + - mountPath: "" + mountPropagation: 犒k洐ɨ3UʓďȏUm8/x艂" + name: i2 + readOnly: true + subPath: G + subPathExpr: Wo47OrA + - args: + - gfDaDhh + command: + - Eu + envFrom: + - configMapRef: + name: 9LtiYU + optional: false + prefix: dS5JDbtZJ + secretRef: + name: 3X5 + optional: false + - configMapRef: + name: vpOLCCmA + optional: true + prefix: IJpeUVYk3 + secretRef: + name: TaghAr + optional: true + image: Nw59jHFBw + imagePullPolicy: Eźz购綗映ò#ZuS絇溾^飷 + lifecycle: + postStart: + exec: + command: + - N2F2q + - XKeJn + - CfoVd + httpGet: + host: 0u3Kgf + port: PVA8u + scheme: ȧX[噦摼鎥憈ǴńƘŅ + sleep: + seconds: 9185496374723368000 + preStop: + exec: + command: + - lrWSClt + httpGet: + host: uS + path: 51Gzg9s + port: -1680102290 + scheme: 8涒齃ɠĬ諛鰅jyr塸ȷg× + sleep: + seconds: -302278202696680100 + livenessProbe: + exec: + command: + - fmu + - wJR3 + - 60zV6s4327rKb9 + failureThreshold: 2122798666 + grpc: + port: 1914605377 + service: ES + httpGet: + host: 7LAmwy8 + path: o2XAC + port: S5 + scheme: 犘ßħɚÂ剐*鬰ȇxȺ錎 + initialDelaySeconds: 343978803 + periodSeconds: -1725283583 + successThreshold: 1055506692 + terminationGracePeriodSeconds: -737021961431151200 + timeoutSeconds: 1721351711 + name: r + ports: + - containerPort: -341996687 + hostIP: zR + hostPort: -641414216 + name: AGa7X6lnw + protocol: 阧 + - containerPort: -1616018360 + hostIP: 8q + hostPort: -2060443566 + name: B + protocol: 位ŲȟHbfp餪魹| + - containerPort: -321829785 + hostIP: S + hostPort: 850049722 + protocol: ĢŔ=ɦŊ鳺醩hĂ踻鉀 + readinessProbe: + exec: + command: + - VRq0lZK + - nCUDH3Zgc + - f2h2C + failureThreshold: -444080905 + grpc: + port: -1484737838 + service: UL8hSUw + httpGet: + host: 8DDb + path: Z + port: It67aEO18 + scheme: 蹐疒Į浤 + initialDelaySeconds: -1225398553 + periodSeconds: -1497056806 + successThreshold: -1256842388 + terminationGracePeriodSeconds: -3265344141862786600 + timeoutSeconds: 1127947387 + resources: + limits: + "36": "0" + Oaiu: "0" + v: "0" + requests: + F0olO: "0" + tvGpYtd: "0" + restartPolicy: Ě卿ɫȰLZ懁 + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - "" + drop: + - Ę螅7O5Ɵ駢Ó宮緂 + privileged: true + procMount: ʤ敠æx漭fƈŸʄ + readOnlyRootFilesystem: true + runAsGroup: -1779689763650766000 + runAsNonRoot: true + runAsUser: -1786517016760367000 + startupProbe: + exec: + command: + - Mcn36l + - "n" + - OMT3J + failureThreshold: 1137002720 + grpc: + port: -2106637755 + service: OYW + httpGet: + path: K + port: STUmUBT + scheme: 貪iɐ巶ɿiɲbɎ;Ŏċ2橺汲ŋ刢g + initialDelaySeconds: -648188998 + periodSeconds: -278768915 + successThreshold: 890955082 + terminationGracePeriodSeconds: 5660177701724483000 + timeoutSeconds: 959596283 + stdin: true + terminationMessagePath: h2a2mAm + terminationMessagePolicy: pjĉ + volumeDevices: + - devicePath: cZ95 + name: wLm + - devicePath: P9RW + name: PjzHR + volumeMounts: + - mountPath: b + mountPropagation: 脣Į + name: bOY + readOnly: true + subPath: mBuB + subPathExpr: 0io + - mountPath: DYp + mountPropagation: 9鹺t"Ĭij(?NB4ɖ鴼B屈桲ȋ噤ǁ + name: O + readOnly: true + subPath: EcI7mF + subPathExpr: HKfaS + - mountPath: NTgHw + mountPropagation: (ńÆ;裉嵀 + name: U6TGXB + subPath: wjpyjQ + subPathExpr: nqq + workingDir: NpjQN3dM + - args: + - m + - fmRfLPl + command: + - okKsRu + env: + - name: y8FxBu + valueFrom: + configMapKeyRef: + key: 1kdTq + name: NGzFHD + optional: false + fieldRef: + apiVersion: WDoDm + fieldPath: HTHz + resourceFieldRef: + containerName: aWk + divisor: "0" + resource: RcTwrpd4PaqW + secretKeyRef: + key: 27uDnW9fM1 + name: diwId6SMC + optional: true + - name: NZ1pEV + value: Xq7fA + valueFrom: + configMapKeyRef: + key: cYo + name: IhK1oKNNr + optional: true + fieldRef: + apiVersion: 0C + fieldPath: "" + resourceFieldRef: + containerName: OywKEud3 + divisor: "0" + resource: E4 + secretKeyRef: + key: gGTl + name: V + optional: false + envFrom: + - configMapRef: + name: fJ + optional: true + prefix: zFUU1PguE + secretRef: + name: S7Jre + optional: false + image: gbZ4mqT + imagePullPolicy: '*罖Ē掙*uĕĥ世û煨o曁ɖ)嬫噩肖Ñ' + lifecycle: + postStart: + exec: + command: + - nxKsxt + - F25ka4x + httpGet: + host: "0" + path: 9k0yMphk + port: GJdG + scheme: 婁箅蝼đ杣Ɗ°VAƭ0ĺ钘1 + sleep: + seconds: 8039264634100238000 + preStop: + exec: + command: + - NuJoJm + - gykEI + - "6" + httpGet: + host: UnkqD3SS + path: BhN + port: 712546393 + scheme: u + sleep: + seconds: 409536667065008450 + livenessProbe: + exec: {} + failureThreshold: 204373937 + grpc: + port: 1803358082 + service: VXsxSeh + httpGet: + host: Ht64jf7Eo + path: u1jjW9Qu + port: 556487018 + scheme: 熖Ű存ŖT磇ɘ外 + initialDelaySeconds: -1152834471 + periodSeconds: -1133396594 + successThreshold: -1385193405 + terminationGracePeriodSeconds: 2915006546098799000 + timeoutSeconds: -1401054296 + name: dfD716 + ports: + - containerPort: 691082006 + hostIP: b + hostPort: 636825973 + name: S5FmEWKv + protocol: g]se墰掀媸晓櫚驟憽hbƥsư° + readinessProbe: + exec: {} + failureThreshold: 152987910 + grpc: + port: 642951905 + service: q2qfom8L + httpGet: + host: GaxyfqlQ + path: Oh0t + port: -766612198 + scheme: UÂ_ + initialDelaySeconds: -1382761032 + periodSeconds: 967018272 + successThreshold: -178373997 + terminationGracePeriodSeconds: 6605400648980209000 + timeoutSeconds: -1404918452 + resources: + limits: + 7cu: "0" + 22n7v: "0" + XsU5mrE: "0" + requests: + kyXuqf: "0" + mBk4P9DWW: "0" + restartPolicy: ʓdT>NȚks_q祈 + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - ȸŏ脸(Yǃ¯~垇耗A) + - T翱ĥ + drop: + - 商ʏ軒Ƣ厢 + - Ⱥãt\跋þ漙苣ű吡憕鿶0傜om + privileged: false + procMount: Ŷ% + readOnlyRootFilesystem: true + runAsGroup: -1052699124096043900 + runAsNonRoot: false + runAsUser: 3737016357651072500 + startupProbe: + exec: + command: + - jefRNS + failureThreshold: -9144267 + grpc: + port: 642233169 + service: WjvgDkGG + httpGet: + host: 8hzgS0q + path: z + port: -885964296 + scheme: ɸliŵ + initialDelaySeconds: 1014078949 + periodSeconds: 1410148112 + successThreshold: 1164669668 + terminationGracePeriodSeconds: -3385668069040238000 + timeoutSeconds: -1723583731 + stdin: true + terminationMessagePath: zbCh + terminationMessagePolicy: 4攨2õė+軩Ç + tty: true + volumeDevices: + - devicePath: Nx + name: QLHA + - devicePath: 9JAgFLSdSqQ + name: "5" + volumeMounts: + - mountPath: KXG1 + mountPropagation: ȁ捄ɺ絒馢A¥`Èť + name: aghWO + readOnly: true + subPath: el7KEVsV + subPathExpr: tdksniBM + - mountPath: 5nus8 + mountPropagation: N饢杼M7X尅扐ǗÃɱNƞeuĦg儡 + name: TS4kHG + readOnly: true + subPath: i + subPathExpr: ktDaTCGG + - mountPath: CSkt9N0i + mountPropagation: 爕ɐYYȁ<獱椂@椗áʇ憣>\Ɋ筙纉Ë + name: KIKRXUR + readOnly: true + subPath: bWYTiq + subPathExpr: cgxlHqVV + workingDir: F + imagePullSecrets: + - name: bbjdn + - name: VI + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: + U3Rfg9: WSTvjvP + hODw: LSv + iwleZ: fD + priorityClassName: gPB + securityContext: + fsGroup: 8205502301244812000 + fsGroupChangePolicy: "" + runAsGroup: -8440674019915816000 + runAsNonRoot: true + runAsUser: 4432310384984167400 + supplementalGroups: + - 7965846110903122000 + - -9174375158887063000 + sysctls: + - name: OkeQ + value: A + - name: 24y + value: fIPA + - name: "" + value: b3 + serviceAccountName: Jg + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: AumW + name: configs + - name: secrets + secret: + secretName: AumW + - name: HUa7xM +-- testdata/case-037.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + BJ: Gq0Rw + FPcPYvmbB7dAZe: Cy7WaeI + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: u2r6 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + uEVMkDkYRvnn: zvptNai + name: ItYso + namespace: default +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + role-bindings.yaml: |- + roleBindings: + - 2m: null + VNrY1fwY: null + eaGm2c: null + - Ng0sM: null + Txhv6: null + e2uo: null + roles.yaml: |- + roles: + - Dd: null + H0QLXtA: null +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + BJ: Gq0Rw + FPcPYvmbB7dAZe: Cy7WaeI + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: u2r6 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + uEVMkDkYRvnn: zvptNai + name: ADIhC +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + BJ: Gq0Rw + FPcPYvmbB7dAZe: Cy7WaeI + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: u2r6 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + uEVMkDkYRvnn: zvptNai + name: ADIhC + namespace: default +spec: + ports: + - name: http + port: 226 + protocol: TCP + targetPort: 87 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: u2r6 + type: At +--- +# Source: console/templates/ingress.yaml +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + "8": SeJ + creationTimestamp: null + labels: + BJ: Gq0Rw + FPcPYvmbB7dAZe: Cy7WaeI + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: u2r6 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + uEVMkDkYRvnn: zvptNai + name: ADIhC +spec: + ingressClassName: PHr + rules: + - host: PXAcFs520n + http: + paths: + - backend: + service: + name: ADIhC + port: + number: 226 + path: 1uGP0 + pathType: dWpX + - backend: + service: + name: ADIhC + port: + number: 226 + path: hAH + pathType: LjzFf + - backend: + service: + name: ADIhC + port: + number: 226 + path: 7Qy + pathType: vjB + - host: z9QAJ5 + http: + paths: null + - host: "" + http: + paths: + - backend: + service: + name: ADIhC + port: + number: 226 + path: Hc0IpaX + pathType: bc0T + - backend: + service: + name: ADIhC + port: + number: 226 + path: dzn1ldJ5h + pathType: M + tls: null +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "ADIhC-test-connection" + namespace: "default" + labels: + BJ: Gq0Rw + FPcPYvmbB7dAZe: Cy7WaeI + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: u2r6 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + uEVMkDkYRvnn: zvptNai + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - name: Yi + - name: 6XnEhUN + - name: oeoW + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['ADIhC:226'] + restartPolicy: Never + priorityClassName: U7wS +-- testdata/case-038.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ld + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: fP77cJ3T + namespace: default +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + role-bindings.yaml: |- + roleBindings: + - zn: null + - WCQKaiaj: null + py: null + roles.yaml: |- + roles: + - {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ld + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: j1dUk8TGy8Np +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ld + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: j1dUk8TGy8Np + namespace: default +spec: + ports: + - name: http + port: 46 + protocol: TCP + targetPort: 43 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: ld + type: uqFB +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "j1dUk8TGy8Np-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ld + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - name: OlRQO + - name: Hkuk3 + - name: fP + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['j1dUk8TGy8Np:46'] + restartPolicy: Never + priorityClassName: 89gnK9rXyDXui +-- testdata/case-039.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: false +kind: ServiceAccount +metadata: + annotations: + PPZDrdmxKV: UBjiSx + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: o2F37Lr + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 8s2qVhKEW + namespace: default +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + role-bindings.yaml: |- + roleBindings: + - 6O4d: null + EY: null + oPTMvYGp: null +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: o2F37Lr + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: bbshm +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + 4yhZo: zLVEslN + Amz4VM: QAvK + IPCS: b1R + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: o2F37Lr + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: bbshm + namespace: default +spec: + ports: + - name: http + port: 400 + protocol: TCP + targetPort: 329 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: o2F37Lr + type: dPOD9Kzb +--- +# Source: console/templates/ingress.yaml +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: o2F37Lr + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: bbshm +spec: + ingressClassName: qyKUEOUT4u + rules: + - host: chart-example.local + http: + paths: + - backend: + service: + name: bbshm + port: + number: 400 + path: / + pathType: ImplementationSpecific + tls: + - hosts: + - F7m23 + - "7" + secretName: M +-- testdata/case-040.yaml.golden -- +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + X: zjmrl + "Y": yG0 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 6sW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: KchYZFsbB3 +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + X: zjmrl + "Y": yG0 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 6sW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: KchYZFsbB3 + namespace: default +spec: + ports: + - name: http + port: 424 + protocol: TCP + targetPort: 17 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 6sW + type: oZi +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + X: zjmrl + "Y": yG0 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 6sW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: KchYZFsbB3 + namespace: default +spec: + replicas: 291 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 6sW + strategy: + rollingUpdate: {} + type: G阏发6s + template: + metadata: + annotations: + checksum/config: 6f40381c972fd418dd311a992b76c4181a57129add8096d427da1c5284bcdd8a + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 6sW + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: 7RRFnuao + operator: 鑿梞e璺瀧敢tȱ + - key: 3qz030r9N4 + operator: 脟óȨq駥Ƽx垤R$L + - key: 4egJ + operator: 敕ƒ洀ņ+Ō轲C丼Ʒij.ƾ蚯ƺ痻3皆咒 + values: + - "" + - J66saNw8 + - xBRUfDKhiA + matchFields: + - key: Kgp4qFm + operator: 桋iz<ïŃǃ襶D齿 + - key: 7F + operator: "" + values: + - iquNT + - aFPIw + - lYMJn4Un3 + weight: -954635927 + - preference: + matchExpressions: + - key: ePHgEs + operator: 撹ł + weight: -2109244754 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: gK + operator: 垭ʮȌ)"彛 + values: + - Vvo + - "" + - key: n0 + operator: 挪VɱȒ + values: + - 595ST + - sHQoTQgQ + - ZyYxnGB + matchFields: + - key: "8" + operator: 餒ơ鋦r)锟壃m汇 + values: + - H8 + - matchExpressions: + - key: nErJm + operator: Ûɟ敀淽 + values: + - sbjW + - 1l + - go + matchFields: + - key: ozzkD4D + operator: Ʌ\h崭蠒ȓ旉蹖楚_掁S5 + values: + - NrN0Id15O + - VrahPz + - YJfhO + - {} + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: qiGNj + operator: jƯȨ穞ɿPȧ + - key: HPRR + operator: ž8ƃKKDz蠽ƚ0ƻ + values: + - NAx + - Pr2F + matchLabels: + LY: ZRjD + matchLabelKeys: + - ikCO + - n25 + - IY0AqNStYm + mismatchLabelKeys: + - uO6G + - EFKfLOM0 + namespaceSelector: + matchExpressions: + - key: frBwUGG + operator: ǧ啯ʖ6džȡ衺Z莋æȘzv + values: + - 68q + - PrId4k5Nk + - 1Izg6c + - key: H5neR + operator: "" + values: + - gf2 + - "" + - key: LTEiVQV + operator: ʅďl$y韙bO儺e籾吕ŃV + values: + - LccIflVn3 + - QX + - kRZLtn + matchLabels: + lccn5: lx6 + topologyKey: AE + - labelSelector: + matchExpressions: + - key: ljGag0 + operator: "" + values: + - 3AlcF9eOiK + - key: XPoIj + operator: ĻĵN稙²x鸴ʊ + - key: "" + operator: m[ɻD«ʯĢĥɖHÃú锺N蓍!f + values: + - cwRFs + - wJtpMgyV1I + matchLabels: + 6gzmw2BW: v1eC + QI6Gl: Ckzyw0v + uRw21: 36kl + mismatchLabelKeys: + - XiX9Mrhv + - Xk2Ri + namespaceSelector: + matchExpressions: + - key: Roq9G + operator: 槓G{? + values: + - YCBJEhS + matchLabels: + 9X5C: TU1y + PG1k: 8j76iX8R + iYq9QLUSh3bk: Mvl2WRQ + namespaces: + - Pp + - z1O9mW5rB + topologyKey: U + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: pqtCgWlk + operator: eŭñZ) + values: + - 6eUrtsX + - GmGeP7 + - pBhe0 + - key: gctw + operator: L?岤紎!蠾黅誽帯÷Ʉ坏q + values: + - G + - "" + - "" + matchLabelKeys: + - IGYc + mismatchLabelKeys: + - C + - XlxD2Y5h + - Eut + namespaceSelector: + matchExpressions: + - key: QNvJq6Uc + operator: Ǔƀ閝遨垛簙UdĢ7ȍ騽¹DŽ + values: + - m4wq + - TmuqVB1 + - key: PTVC + operator: 珙'ɀɒ虃龓楼ƺ譄êǿ + values: + - w + - K + matchLabels: + GQp: tw + namespaces: + - t + topologyKey: I9Ng7D + weight: -278680619 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: IaZiqfV6 + operator: 幋x:Ȗ + values: + - XmaYG80 + - aaEScB + - DxB + matchLabels: + J3Ny9zUJ2DOTKO: eiUL0RR + lt: bqOs + matchLabelKeys: + - XYHp1S + - JKj1 + namespaceSelector: + matchLabels: + WopugltEP1J: eaGpkiS + namespaces: + - H9w9Q + - A8D + topologyKey: pvkKW + weight: 252280673 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: lSi + operator: 襚ǫAŇþ腦W[ĕ嘱ʌſœɃ槏Z岪 + matchLabels: + OzmceOBQ: F2mtk + QcoH: qt3OR6ZcjY + t5Cqg1: 1x9WW8EUyyn + matchLabelKeys: + - 0XGJ + mismatchLabelKeys: + - K6T + namespaceSelector: + matchExpressions: + - key: KoofEA + operator: ' íɀ馩Ȭɫġo娤螗暴Û漷ʦO腔' + values: + - nj + - U + - onkfJ4 + - key: 0aO + operator: Ŷű輖+¶)罩ƌ×螂 + matchLabels: + 2hf: GeFfROs4 + pA23: kqkG + rZ: DH6cT + namespaces: + - yvfsu + - L3Pu + topologyKey: BBBCjZel + weight: 392487334 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + 0hp: sd9 + mwTeR: D3HlJbmoK8 + matchLabelKeys: + - MwDkniC + - "" + mismatchLabelKeys: + - VuQB + namespaceSelector: + matchLabels: + 1x: Pj + D3J: 4gFps + bQU: weT0tI + namespaces: + - y9zrYKWApO + - rq0K3 + - 5XUeP7 + topologyKey: P7V + - labelSelector: + matchExpressions: + - key: Jv + operator: 啽ŃŐø + matchLabelKeys: + - s + namespaceSelector: + matchExpressions: + - key: Fy5Deb + operator: 旉錛!荕Ɂ! + values: + - nbiy + - "" + - 6QORDbd6zn + matchLabels: + bba0KJ: NE1j + nYif5xu0Hy9XW: 0s + qAoT: "46" + namespaces: + - 4JHyx + topologyKey: 7621t + automountServiceAccountToken: false + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: cD + value: JW + valueFrom: + configMapKeyRef: + key: "" + name: 8Ri7OfQ + optional: false + fieldRef: + apiVersion: Qc + fieldPath: 6ZYFg + resourceFieldRef: + containerName: qkUV + divisor: "0" + resource: yEf5zz13U + secretKeyRef: + key: xozuxs + name: z + optional: true + - name: "" + value: gea3 + valueFrom: + configMapKeyRef: + key: hwe3l3k2h + name: QX + optional: true + fieldRef: + apiVersion: kx + fieldPath: m7f + resourceFieldRef: + containerName: 0XEGE + divisor: "0" + resource: y4ce5 + secretKeyRef: + key: hmvX + name: 18Z + optional: true + - name: LICENSE + valueFrom: + secretKeyRef: + key: a7Ph + name: zsHNWVcS9 + envFrom: + - configMapRef: + name: DR3hdrvZIv + optional: true + prefix: kGV4HZ8 + secretRef: + name: tR3Yu1G + optional: true + - configMapRef: + name: 6pMd0VA0 + optional: true + prefix: Csp + secretRef: + name: ceqZBJ7fdqP + optional: true + image: cwfXN2KlU/qYQHJ:RIG + imagePullPolicy: -0Ź桛ɼ訚Ņ;秵ňĝ苒9麡ñà臸ʫ + livenessProbe: + failureThreshold: -1894321442 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 1986051838 + periodSeconds: 541607099 + successThreshold: -1968479306 + timeoutSeconds: 1374945691 + name: console + ports: + - containerPort: 17 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 467513555 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -6410364 + periodSeconds: -623380707 + successThreshold: 1641270972 + timeoutSeconds: 1203716236 + resources: + limits: + "1": "0" + MrwIP: "0" + hgaW: "0" + requests: + 1lF: "0" + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - 阊 + - DIȜO吽解诎-曅 + drop: + - 贎秨Ůɭ懾Ù盾| + privileged: true + procMount: ʪ勪įOew\Ǡ礓 + readOnlyRootFilesystem: true + runAsGroup: -6230225082797374000 + runAsNonRoot: true + runAsUser: -2569068293811685000 + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: d + name: ieSo8V + subPath: "" + - args: + - jlI16Xnnb0 + - x0Z + - Tv6z + command: + - 3MnkZe0L + - OK + - cKvaGI + env: + - name: 7RtgX9 + value: TQH + valueFrom: + configMapKeyRef: + key: "" + name: GE2 + optional: false + fieldRef: + apiVersion: x2H + fieldPath: iVYVzT + resourceFieldRef: + containerName: 3QSG + divisor: "0" + resource: AgMtPE + secretKeyRef: + key: BhGA6 + name: LKemd3Cs9 + optional: false + - name: 9dFxchX + value: huoZj + valueFrom: + configMapKeyRef: + key: skdmo + name: gSEkUx + optional: true + fieldRef: + apiVersion: ymAcwLzaJ00G + fieldPath: de9Q + resourceFieldRef: + containerName: ZgwwQvA + divisor: "0" + resource: OTraA + secretKeyRef: + key: Pe8 + name: 39mCZV7ERv + optional: true + envFrom: + - configMapRef: + name: l + optional: false + prefix: kGdnbCakM + secretRef: + name: JrDM + optional: true + - configMapRef: + name: 0iH67 + optional: true + prefix: 3JVMhcII7 + secretRef: + name: PS1J + optional: true + image: Bx3IW17kjF7 + imagePullPolicy: È8秏糇 + lifecycle: + postStart: + exec: {} + httpGet: + host: EeLx + path: JC + port: 638412697 + scheme: 翔ĩñɁɬj局³喪Eů磘Ʒ唡嬤 + sleep: + seconds: -2739564842418698000 + preStop: + exec: + command: + - zjNyV + - 3i + httpGet: + host: RxhMCXQN + path: Dq + port: -821303664 + scheme: 髒xD>?ǠĆ踃w¬ + sleep: + seconds: 8925361607851383000 + livenessProbe: + exec: {} + failureThreshold: -2015695369 + grpc: + port: 102189788 + service: VG2k6Atq + httpGet: + host: 0dxm + path: Pix7SytH + port: 284583441 + scheme: 畝ǂƬƜ聞|b + initialDelaySeconds: 1150668189 + periodSeconds: 1279412097 + successThreshold: 337444728 + terminationGracePeriodSeconds: -665826210809930800 + timeoutSeconds: -802810999 + name: 1KSo0a + readinessProbe: + exec: + command: + - 3cCL4 + - en + - VN0 + failureThreshold: 448729232 + grpc: + port: -174942651 + service: paUcCUtV8A6 + httpGet: + host: tSEChhvGgDsf + path: Jrr + port: 516172996 + scheme: c{Ƭ臾斡:Ɣ?Í + initialDelaySeconds: -714126900 + periodSeconds: -88316167 + successThreshold: -1820867160 + terminationGracePeriodSeconds: 272130190949654340 + timeoutSeconds: 1803351679 + resources: + limits: + f9GQWFTKPFP: "0" + g5: "0" + requests: + 4A89zLoFG: "0" + SmOBH: "0" + restartPolicy: Ű高ǙG%7BČCaďʥyď + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - H鞕ă鶅镀秀 + - Ŏ昮0yƤɯ斺R妕Je芓BɜCĵ + privileged: false + procMount: ÿʑ鎆乭cŇ陛ǼȠn + readOnlyRootFilesystem: true + runAsGroup: 5591360478943232000 + runAsNonRoot: false + runAsUser: 6381588597473823000 + startupProbe: + exec: + command: + - rV83LKQ + - 87Vc + failureThreshold: -2022114361 + grpc: + port: 1348736621 + service: Gx8f9phR + httpGet: + host: fWnW4CGV + path: yQl0PNEE3g + port: TYi + scheme: 絅xn,ȵ6ʎ癙 + initialDelaySeconds: 205090742 + periodSeconds: -1401542741 + successThreshold: -2130268569 + terminationGracePeriodSeconds: 4104437343850793000 + timeoutSeconds: 604054255 + terminationMessagePath: ec8kHaD + terminationMessagePolicy: 甎i + tty: true + volumeDevices: + - devicePath: NFjF + name: AH + - devicePath: "" + name: u + - devicePath: 0q6A + name: nFe3FY4 + volumeMounts: + - mountPath: ad7JXhGN + mountPropagation: =廄殞+ + name: qVHWCUHp + readOnly: true + subPath: m3RBekA0 + subPathExpr: 7F0F8Ge + workingDir: LmnqIVV + - args: + - 3g94Jb + - "n" + - HxatWli7Qe + env: + - name: yKfn + value: fni0 + valueFrom: + configMapKeyRef: + key: cQjxg02ud + name: DqLUCO + optional: false + fieldRef: + apiVersion: dS + fieldPath: aH + resourceFieldRef: + containerName: BVSH2Bxu + divisor: "0" + resource: ZLW3 + secretKeyRef: + key: J + name: APYyG5qY + optional: false + - name: b4i9WEf + value: Ru + valueFrom: + configMapKeyRef: + key: mzxgZ + name: XgDd + optional: false + fieldRef: + apiVersion: U1l + fieldPath: sG2pcjz + resourceFieldRef: + containerName: Vlc1Ru + divisor: "0" + resource: hZpqB + secretKeyRef: + key: X0W3QpdAhux + name: I3L + optional: true + envFrom: + - configMapRef: + name: DJjN7Phe + optional: true + prefix: 4K2MBzNl + secretRef: + name: s4GF + optional: true + - configMapRef: + name: td0aZ + optional: true + prefix: CYvFW + secretRef: + name: WaBWGCRa8 + optional: true + - configMapRef: + name: ehHs9m + optional: false + prefix: n1x + secretRef: + name: TdUJ + optional: true + image: UNJ6E6 + imagePullPolicy: 砓³绔丬A + lifecycle: + postStart: + exec: + command: + - Qs8Sd + - JGX4Qj + - eCw00uq + httpGet: + host: NNLSd + path: y4tS + port: QzOfwe3a + scheme: º猗ĥɮƅLɘ隮术ƒ赥;,ǝ髳Ĝ7Ĭ嬳 + sleep: + seconds: 1170469124057922000 + preStop: + exec: + command: + - TN62uDLAuIx + - ndI + httpGet: + host: t7H6l2 + port: RHeYpAvJ8 + scheme: KǠɀƴ杔¸Ɉ$毕削peýfv! + sleep: + seconds: -5232306180460338000 + livenessProbe: + exec: {} + failureThreshold: -1900233123 + grpc: + port: -1323381498 + service: wJ + httpGet: + host: pAHsn3 + path: k31zW1 + port: 2elbrK + scheme: 痯秿丌 + initialDelaySeconds: 537756270 + periodSeconds: 1139432456 + successThreshold: -289377675 + terminationGracePeriodSeconds: -709025030374540900 + timeoutSeconds: 254134433 + name: zWs + readinessProbe: + exec: + command: + - x093a + - v1 + - Ef + failureThreshold: 75768089 + grpc: + port: -237977747 + service: "y" + httpGet: + host: EBEth + path: C + port: 790399211 + scheme: ær堹mhʢ + initialDelaySeconds: -157687184 + periodSeconds: 1071897332 + successThreshold: 824432298 + terminationGracePeriodSeconds: -54575953702939670 + timeoutSeconds: -1190752843 + resizePolicy: + - resourceName: R9fM + restartPolicy: ?ʖȒƅƀ逎v鐰wģ籫 + - resourceName: 7C + restartPolicy: óʌF鿯薸k} + - resourceName: Bqy + restartPolicy: E吻X秤} + resources: + limits: + UMJnobyO: "0" + qJmAwr: "0" + requests: + ZktW7e51vRUG: "0" + restartPolicy: '>ŀ鎙莸鼔茷蝼薼Ƽƅ°3貦罌臣洴軟處姼' + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - 儜vƝ¾ + - 輝Ġ$琑+檂 + - 飂 + privileged: false + procMount: ɓĎʙʗG0瑑娄K坢Ö&Ù + readOnlyRootFilesystem: true + runAsGroup: 2234167178876811300 + runAsNonRoot: true + runAsUser: -1191472066985646800 + startupProbe: + exec: + command: + - KGi9U + - D6 + - HZ3aC1 + failureThreshold: -2057203764 + grpc: + port: -1203229903 + service: Xd + httpGet: + host: tTW + path: oWk + port: -1347841801 + scheme: 檸`sȝBULj懄 + initialDelaySeconds: 1386184157 + periodSeconds: 2110004457 + successThreshold: -692279219 + terminationGracePeriodSeconds: -7060466210747559000 + timeoutSeconds: -905577521 + terminationMessagePath: g + terminationMessagePolicy: 頨Ĥ° òȯǤū暓坐ƚă杋鍄 + volumeMounts: + - mountPath: FmQht + mountPropagation: 饌^ǩ朳ųW磀ĥAijƨ+= + name: j5 + subPath: aoEWb7k + subPathExpr: 0ra + workingDir: zmwmt + - command: + - oFEaN2U1 + - HuBj9vk17eCjI + - "" + env: + - name: n3JVvVY + value: U14PEXs + valueFrom: + configMapKeyRef: + key: Ai0Xg3owIe7XlG + name: U4 + optional: false + fieldRef: + apiVersion: ZyO4Jpwkp2hV + fieldPath: roNil + resourceFieldRef: + containerName: gx + divisor: "0" + resource: Z + secretKeyRef: + key: AcP + name: qMy + optional: false + - name: oSWakHA + value: eR + valueFrom: + configMapKeyRef: + key: qsSVOr + name: o + optional: false + fieldRef: + apiVersion: SeP3aPXfjLIcfE + fieldPath: 091i + resourceFieldRef: + containerName: T5hI + divisor: "0" + resource: KxGi43CVGe + secretKeyRef: + key: "" + name: 5uI + optional: true + envFrom: + - configMapRef: + name: MujT + optional: false + prefix: cVRH + secretRef: + name: mpF + optional: true + - configMapRef: + name: MeO3F + optional: false + prefix: w3C4 + secretRef: + name: hnYx + optional: false + - configMapRef: + name: NT5MFmC65 + optional: true + prefix: "7" + secretRef: + name: yl2ze1 + optional: false + image: A8o + imagePullPolicy: ?晐T鴭Xp + lifecycle: + postStart: + exec: + command: + - zaLOG2 + httpGet: + host: kA51kbv + path: LMnFclIJczBo + port: 402299955 + scheme: :踖坯(Iȷ碨劅 + sleep: + seconds: 245674034851902980 + preStop: + exec: + command: + - Tz87qO + httpGet: + host: Xr6sP + path: xxE + port: 1901089000 + scheme: 3媧ş>La芸`Lzuŀɽ坤¦.痻Jǻ + sleep: + seconds: 6906639179439192000 + livenessProbe: + exec: + command: + - yxk0313sz + failureThreshold: 385001414 + grpc: + port: 1589713469 + service: UA + httpGet: + host: ZWfT + path: vTNYug5RZh + port: -192111662 + scheme: e¢dYÜdz + initialDelaySeconds: 1708942834 + periodSeconds: 1356452566 + successThreshold: 1750780088 + terminationGracePeriodSeconds: -1272770054640189000 + timeoutSeconds: 1656218869 + name: FxzTg + ports: + - containerPort: 63673829 + hostIP: 4xjED0VKV0G + hostPort: 2007665826 + name: xbwJ + protocol: ¼vb皪螯ʉwʒR玔È覦劙 + readinessProbe: + exec: + command: + - 0S + - "" + - GkPj + failureThreshold: 1405674719 + grpc: + port: -1659132742 + service: gIFP + httpGet: + host: jYnI3ins7 + path: bIEaFAc1 + port: UHfz + scheme: ʼn + initialDelaySeconds: 1531278754 + periodSeconds: -238235402 + successThreshold: -1690388514 + terminationGracePeriodSeconds: -2788228502880198700 + timeoutSeconds: -567709755 + resizePolicy: + - resourceName: nxpzTS + restartPolicy: ƫŀMs+,ǼƞȒ + - resourceName: 61uCVQ1 + restartPolicy: /澰ɍ½鑀a帷[鞺鏨攬姟壃F$R犬 + resources: + requests: + YfM: "0" + restartPolicy: œ|F彟S崘Ȑ貸1Ũȷ+齳 + securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - 鸎dĉç荧 + privileged: true + procMount: "" + readOnlyRootFilesystem: false + runAsGroup: 5795239965908151000 + runAsNonRoot: true + runAsUser: 2409160731771391000 + startupProbe: + exec: + command: + - D6j2Q + failureThreshold: 975103738 + grpc: + port: -2081980063 + service: Nh + httpGet: + host: vdLm3FUXIs + path: jqCqF + port: "" + scheme: Ű"ƆĩNÙ襔冠ʈ + initialDelaySeconds: 524220215 + periodSeconds: 923596095 + successThreshold: 547119693 + terminationGracePeriodSeconds: 7382309226647739000 + timeoutSeconds: -1902082444 + terminationMessagePath: 2i5 + terminationMessagePolicy: 踑ĆĦ荷ýA/ǎ桫 + tty: true + volumeDevices: + - devicePath: KlUUX + name: NWO + - devicePath: W1JLM + name: qNw + - devicePath: BVE + name: c + volumeMounts: + - mountPath: yCztpht + mountPropagation: 巧苄;钽肇謌ʭɿw刄wɰM迵. + name: Mv9 + subPath: RWmlw + subPathExpr: Oy + - mountPath: Gf + mountPropagation: ɩ + name: On78O + readOnly: true + subPath: s7p + subPathExpr: 57aJIvpEm + - mountPath: m + mountPropagation: 崌蠿Ƣ湺 + name: CXSu + subPath: F8oe + subPathExpr: S + imagePullSecrets: + - name: V1 + - name: AyLzRkaGE + - name: 3pZ8 + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: + y63G: wNiNvOMv + priorityClassName: 3A + securityContext: + fsGroup: 2302511509023017200 + fsGroupChangePolicy: 闦ñ禢`J鉤 + runAsGroup: -2347956389924857000 + runAsNonRoot: true + runAsUser: 1720952380350228700 + supplementalGroups: + - -621944387099711200 + sysctls: + - name: CvGz + value: "" + - name: dO + value: qwZyE + serviceAccountName: Cj + tolerations: [] + topologySpreadConstraints: + - labelSelector: + matchExpressions: + - key: pPoL + operator: ǭȉćŴ讶Y + values: + - "69" + - UC9 + - "7" + - key: 6toZoG + operator: Ġ+kʫȸ颷ʅÓ欽V譵; + values: + - go8adRXrn + - key: S + operator: ĕȻ*Gɝ靿暛_洳瑼Ĩ + matchLabelKeys: + - "" + - V7xIs1 + - eqq + maxSkew: 983843814 + minDomains: 854272231 + nodeAffinityPolicy: '>S篐ö抏茄(6' + nodeTaintsPolicy: e3äTȦ硷B捕萑Ǵ吷Ǿ邂Ǝièø + topologyKey: NoEcMWkg + whenUnsatisfiable: 幗鞲&渶Ÿɪ`鹵N + volumes: + - configMap: + name: KchYZFsbB3 + name: configs + - name: ieSo8V + secret: + defaultMode: 83 + secretName: mD0jl + - name: iPeR + - name: ZgdCb2kUB +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "KchYZFsbB3-test-connection" + namespace: "default" + labels: + X: zjmrl + "Y": yG0 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 6sW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - name: V1 + - name: AyLzRkaGE + - name: 3pZ8 + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['KchYZFsbB3:424'] + restartPolicy: Never + priorityClassName: 3A +-- testdata/case-041.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: false +kind: ServiceAccount +metadata: + annotations: + 5DCBJ96u: 12Himnm + ZQrRxpb: Aa + abcRNo3AHIw: gH1 + creationTimestamp: null + labels: + T1: pMf7C + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: x + app.kubernetes.io/version: v2.7.0 + cxAL7zvwvb: tmEjSXwTK6 + helm.sh/chart: console-0.7.29 + name: 0Z71mJNQUx + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + T1: pMf7C + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: x + app.kubernetes.io/version: v2.7.0 + cxAL7zvwvb: tmEjSXwTK6 + helm.sh/chart: console-0.7.29 + name: Wq +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: 4uTKbvRNSh + kafka-sasl-aws-msk-iam-secret-key: tfc + kafka-sasl-password: NAMo + kafka-schema-registry-password: 5LUUey + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: i + kafka-tls-ca: Fydyp8 + kafka-tls-cert: R4y + kafka-tls-key: "" + login-github-oauth-client-secret: Y0 + login-github-personal-access-token: xyn + login-google-groups-service-account.json: zFJbYJ + login-google-oauth-client-secret: CsVVc6 + login-jwt-secret: SECRETKEY + login-oidc-client-secret: dsx + login-okta-client-secret: wr9eIA + login-okta-directory-api-token: Dy + redpanda-admin-api-password: O7kPq + redpanda-admin-api-tls-ca: 7ORz + redpanda-admin-api-tls-cert: IT + redpanda-admin-api-tls-key: KR25cT +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + role-bindings.yaml: |- + roleBindings: + - EQY9390E: null + WXyS: null + roles.yaml: |- + roles: + - {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + T1: pMf7C + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: x + app.kubernetes.io/version: v2.7.0 + cxAL7zvwvb: tmEjSXwTK6 + helm.sh/chart: console-0.7.29 + name: Wq +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + Sxsz0HWh: z9cj + creationTimestamp: null + labels: + T1: pMf7C + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: x + app.kubernetes.io/version: v2.7.0 + cxAL7zvwvb: tmEjSXwTK6 + helm.sh/chart: console-0.7.29 + name: Wq + namespace: default +spec: + ports: + - name: http + port: 359 + protocol: TCP + targetPort: 363 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: x + type: tJUW +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + I4K: K1yz + creationTimestamp: null + labels: + T1: pMf7C + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: x + app.kubernetes.io/version: v2.7.0 + cxAL7zvwvb: tmEjSXwTK6 + helm.sh/chart: console-0.7.29 + name: Wq + namespace: default +spec: + replicas: null + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: x + strategy: + rollingUpdate: {} + type: 稫启玩ɡʂ56 龪o + template: + metadata: + annotations: + checksum/config: 2e1f5f5401bac9a6ca8b2205a50f20ebc4a08fcafa78467ca458eb9e8411b634 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: x + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: gRchHJ + operator: g>騿b鈐ʃB¾偡医選ȍ恋 + values: + - I + - Ei + - "" + - key: hyf + operator: 斒ʃǜƆƲ + values: + - QUyyD + - key: Bkmx + operator: ư酰姺醪芄堑 + weight: 751548356 + - preference: + matchExpressions: + - key: oLam + operator: 蟹 + values: + - ouUaVpYnKDUI + - key: vjw6GPYYTKt + operator: 竣iN¸嚿×ɮib + values: + - ZTaqp + - key: d8VuBX6qV + operator: 脼Ȩ + values: + - a8aOe1 + matchFields: + - key: twbeCR + operator: óçøG靼Ɏȸ­乷ɍ + values: + - fJAm6rm + - 2h8IU + - zE9 + weight: 291395585 + - preference: + matchExpressions: + - key: qC6uf99en + operator: 鼢犖龆醑IÐ肣ɚòĺIGʖƟ穿ź' + readOnlyRootFilesystem: true + runAsGroup: -6867300864246943000 + runAsNonRoot: true + runAsUser: 972586500223089800 + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: ctE5Qa + name: gcTdF + subPath: "" + - mountPath: n8KpOJZ + name: "4" + subPath: "" + - mountPath: 3Ka7 + name: lBE0nAE + subPath: "" + - mountPath: cIK + mountPropagation: 爂 YLƝ«煘?沀#朚ń鮾+ğÔ + name: orwvhF0 + subPath: ivP1ha4I + subPathExpr: VPCFJYVRHf + - mountPath: s + mountPropagation: m椥扶ȟqÈ倕{峙刷} + name: O35 + subPath: AN + subPathExpr: vm7 + - mountPath: 7P72D19W + mountPropagation: 堂窜B,Ś贃腔Ʈ£顽ąfYR + name: 6Z + readOnly: true + subPath: d7MJ + subPathExpr: LF + - args: + - M5GoLEac + command: + - "" + env: + - name: xn + value: gHloqKCZA0M + valueFrom: + configMapKeyRef: + key: 9EasdvqH1 + name: 3Jm5qlVRdb + optional: false + fieldRef: + apiVersion: IEuh0S + fieldPath: yGW + resourceFieldRef: + containerName: 6ytjPS + divisor: "0" + resource: Z + secretKeyRef: + key: a1KfCCp1 + name: OspUW + optional: false + - name: 1jMB + value: gsvW9h + valueFrom: + configMapKeyRef: + key: lEB1Z + name: sB + optional: true + fieldRef: + fieldPath: zsUJ + resourceFieldRef: + containerName: 11SE1A + divisor: "0" + resource: OFZYobDs5 + secretKeyRef: + key: wwZ + name: 0z + optional: false + envFrom: + - configMapRef: + name: AuPTaMX7 + optional: true + prefix: YNB9WA + secretRef: + name: QyV6 + optional: true + - configMapRef: + name: N5izN44MJ + optional: true + prefix: 103jYU2pj + secretRef: + name: IsJ + optional: true + image: f + imagePullPolicy: ']L7掻钏ĚxǢRʃd×?ŠɓT{' + lifecycle: + postStart: + exec: + command: + - 1Kv + - F2E + - uX1vDFV + httpGet: + host: XQ5sY + path: 5X8E + port: ZEAsx0C5i + scheme: 巇L嶤n蔢ȥ.&h喵趶旃 + sleep: + seconds: 3646722142291548000 + preStop: + exec: + command: + - "98" + httpGet: + host: MWUlhjhJA + path: JM3LkEQY + port: I4x4q + scheme: ʄȀ%ʎ兒餐oc-c + sleep: + seconds: 2358122019278204000 + livenessProbe: + exec: + command: + - dyqr + - 79j + - 6N2YiU + failureThreshold: 1763651267 + grpc: + port: 1387074657 + service: m + httpGet: + host: G + path: 9kp6wlF5 + port: 5zuLtPI + scheme: d輢殣ſē诧Wɹ讏 + initialDelaySeconds: -1520109712 + periodSeconds: -1170771093 + successThreshold: -1383663641 + terminationGracePeriodSeconds: -1296467687071372800 + timeoutSeconds: 1017261975 + name: xf5VXbM9DX + ports: + - containerPort: -1245943187 + hostIP: iVo + hostPort: -1606480480 + protocol: à唿Ň癫俤健ǛƵ虰響 + - containerPort: 1088776251 + hostIP: mN + hostPort: 2006200810 + name: izfW + protocol: 蠣狓j霎緦(Lǫ[ + readinessProbe: + exec: + command: + - w + - ZZzn + failureThreshold: -841549142 + grpc: + port: -1318693763 + service: z3 + httpGet: + host: DK8AT0w + path: TQEPNMTrmL26 + port: -1446467943 + scheme: ś檊:& + initialDelaySeconds: -768827532 + periodSeconds: -2057604270 + successThreshold: -1558550931 + terminationGracePeriodSeconds: 6890017506404353000 + timeoutSeconds: -1558365951 + resizePolicy: + - resourceName: BhJ20rFM28sOexT + restartPolicy: 槟"äÅ緦Xjê荀谆 + resources: + limits: + 3yphxx: "0" + requests: + "71": "0" + qj1cwc9x: "0" + xIH2: "0" + restartPolicy: 兜藄墲皀 + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - 翇ƒ\Ý琂麌褶犗錀Ć姉溬[I珵巖â迍Õ + - ȖnS¦ºǀʼndz&ü1 + privileged: false + procMount: ǻ\頧ADȜ[ʋɺɗ鬌ʢ栵鏆W剨 + readOnlyRootFilesystem: true + runAsGroup: -8217745538717204000 + runAsNonRoot: false + runAsUser: 8409092840666673000 + startupProbe: + exec: {} + failureThreshold: 514371514 + grpc: + port: 1386630692 + service: 5k9JljF + httpGet: + host: Yxa + path: KKzxL + port: 1749552838 + scheme: ǁ1钥`岺ȱ$ + initialDelaySeconds: 198009978 + periodSeconds: 1269387330 + successThreshold: 150401625 + terminationGracePeriodSeconds: 756942197968954200 + timeoutSeconds: -1507606503 + stdin: true + stdinOnce: true + terminationMessagePath: Yuuqhx + tty: true + workingDir: cNvZ0 + - args: + - EBJwKsy + - 88iT6Xcn + - XcT28aSWj + command: + - KYgqdbR + envFrom: + - configMapRef: + name: N30BWF9jx + optional: true + prefix: b + secretRef: + name: g + optional: true + - configMapRef: + name: vkY + optional: false + prefix: gn67ft + secretRef: + name: 9bmgS + optional: true + image: mhs + imagePullPolicy: agŒJ!Ǽƴ硴ĘBjp¸ǟ鏔ȫv + lifecycle: + postStart: + exec: {} + httpGet: + host: k1oZic + port: kWma + scheme: /A縊$/Ðl脿ʅK\Yû¡DȜ + sleep: + seconds: 4880710696024837000 + preStop: + exec: + command: + - mE1S + httpGet: + host: wmLvZ + path: P8Lw + port: 2130804875 + scheme: Aɷĝ/éȏ圳%)n帣 + sleep: + seconds: 5681554568621785000 + livenessProbe: + exec: + command: + - g + - 1tbHYej2 + failureThreshold: 721918154 + grpc: + port: 977234381 + service: K8 + httpGet: + host: o1a + path: EL + port: 606530945 + scheme: ɬ憋} + initialDelaySeconds: 527377871 + periodSeconds: 1831783866 + successThreshold: -925249104 + terminationGracePeriodSeconds: -5462814855858063000 + timeoutSeconds: 1067001478 + name: Cyr + ports: + - containerPort: -1582092218 + hostIP: HefrxT + hostPort: -1694778841 + name: "5" + protocol: 5訙奆Ņ蘹Ǭ馲ǧõsg + - containerPort: -1709296974 + hostIP: S + hostPort: -12435236 + name: RQIJVqVp + protocol: ı+=Ŷ\褭昊 + readinessProbe: + exec: + command: + - LxHQI2 + failureThreshold: -1670032382 + grpc: + port: 2038020216 + service: uS1pHYQuE + httpGet: + host: dFCk9 + path: 2YYVJoTxFI + port: 1533020718 + scheme: 侅弴噉讀ŲĨ趚ʉB + initialDelaySeconds: 753694711 + periodSeconds: -620933924 + successThreshold: 1935472803 + terminationGracePeriodSeconds: -1414957386950590200 + timeoutSeconds: 1810571120 + resources: + limits: + SwVZL: "0" + m6OD8E: "0" + requests: + bZQK: "0" + h9G0: "0" + hCGxGGtFgSx: "0" + restartPolicy: 毄鶏疡ɍʛ啔l鹯ą9掇悋ƦjþË + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - '*6珛åǪ' + drop: + - qć纣cȈʊ«Ȯ¤u俳糐郭ȉHT5į軌 + - ³R语 + privileged: false + procMount: GɛFȖ黸ȋȤá峠缂蛞·NN + readOnlyRootFilesystem: true + runAsGroup: 2219217566755129900 + runAsNonRoot: false + runAsUser: -6958635490019934000 + startupProbe: + exec: + command: + - VqKEGlA + - h1eQQmyq + failureThreshold: 1344510971 + grpc: + port: 1296412500 + service: 0FZIq + httpGet: + host: Gk + path: J1ncBCi + port: yqdEt689 + scheme: Ƹ陳ƨj>喐蠿鯌ʛB契p + initialDelaySeconds: -879591831 + periodSeconds: 1110714898 + successThreshold: -1301180826 + terminationGracePeriodSeconds: 3872467306429463000 + timeoutSeconds: 674947774 + terminationMessagePath: bm28lY3K2pwh + terminationMessagePolicy: Ȇƍ@¦Ț'±0ž + tty: true + volumeDevices: + - devicePath: o8dr + name: XmhFb + workingDir: 5wQN + - args: + - o0cO9clz7 + - HMSb + - 6uV0c + env: + - name: M3V9WePpx + value: ysO25 + valueFrom: + configMapKeyRef: + key: UqaJg4r + name: RfxtXP + optional: true + fieldRef: + apiVersion: lwe4YmNPx + fieldPath: tQj57vj + resourceFieldRef: + containerName: ZQ + divisor: "0" + resource: T + secretKeyRef: + key: x + name: ny4NEtt3z + optional: false + - name: cc2 + value: L0hw + valueFrom: + configMapKeyRef: + key: 385Ue36 + name: mmjoQw + optional: false + fieldRef: + apiVersion: 6oECJJ + fieldPath: viT + resourceFieldRef: + containerName: gwdJxK + divisor: "0" + resource: ck7 + secretKeyRef: + key: UuNsYAQvXJ0 + name: 1NAqDCU3 + optional: true + envFrom: + - configMapRef: + name: ZFk + optional: true + prefix: bXa4IzYR + secretRef: + name: aAJU + optional: false + image: JPgUP + imagePullPolicy: Q ¶ + lifecycle: + postStart: + exec: + command: + - r1uMNf + - M + - 8G + httpGet: + host: cuhhh + path: lXMriYoe + port: -988033465 + scheme: ',轄kzĒfť' + sleep: + seconds: -8820103652541682000 + preStop: + exec: + command: + - bElmX + httpGet: + host: bCNS + path: A0F + port: "" + scheme: 砘ɁA甜猷14ʣ)ǨƿŊ\ + sleep: + seconds: 821413986956195800 + livenessProbe: + exec: + command: + - M9y + - ay + - sRaY + failureThreshold: 600887441 + grpc: + port: 1597779369 + service: ua8K + httpGet: + host: 0XuF + path: V3 + port: -703127215 + scheme: 舷$趺É螳P阁]嚂驶钋琦袳$ƸO侎 + initialDelaySeconds: -1230549565 + periodSeconds: -335663932 + successThreshold: -1184112514 + terminationGracePeriodSeconds: 9077275487127833000 + timeoutSeconds: 1992088322 + name: pz + readinessProbe: + exec: + command: + - lVaA + - E9DNIWT7reP + - NW1Cc5O2 + failureThreshold: 1119300491 + grpc: + port: 2061347792 + service: fUXdOYJ9On + httpGet: + host: "0" + path: Us3pM3OkquAEW2 + port: -1693856749 + scheme: 鞡|鬟扝}肾~ + initialDelaySeconds: 1307857751 + periodSeconds: 1903760018 + successThreshold: 612917619 + terminationGracePeriodSeconds: -4296518247806248400 + timeoutSeconds: 1025631498 + resizePolicy: + - resourceName: "8" + restartPolicy: ȯy髚ʦ=ǰɮ瓿b:劀ǴáiO3IĮ + - resourceName: 8mFXK1FTs + restartPolicy: ėv|冿瀱Ƥ鐻D[ƼŮ/ + resources: + limits: + TVwPaoBqGL: "0" + juxQS6V3mr: "0" + requests: + igiG: "0" + restartPolicy: 皷ƴȿOvJ郦'欝 + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - ǐ缠]館ʚƾó|őɤ + - 6 銨dN_ZɻǦ絛顆麓 + - u鹍u鼓练gʘɍK]痰痁鶄Ȼ咶嚅俊ǙǕ + drop: + - 沎闸埲dz + privileged: false + procMount: "" + readOnlyRootFilesystem: false + runAsGroup: -265773045457612130 + runAsNonRoot: true + runAsUser: -6489119899323829000 + startupProbe: + exec: + command: + - 95NULc + - cCLaGfz + failureThreshold: -414102461 + grpc: + port: 339886942 + service: 7hdbpU + httpGet: + host: bN6EBrngIW + path: Luv09 + port: plsGDEJ + scheme: ʔ垃桪抴痺MM温ǹ + initialDelaySeconds: 2135898388 + periodSeconds: 1107416140 + successThreshold: -648919802 + terminationGracePeriodSeconds: 4653203112295128000 + timeoutSeconds: 1294917615 + terminationMessagePath: C + terminationMessagePolicy: 擎:Ȓ + volumeDevices: + - devicePath: TGjb8dLs + name: QN5Dj50Kuoc + - devicePath: aRIfAur + name: wQ47Fq7W3WPNDG + - devicePath: 2Smu + name: 1Q3d5wRJf6 + volumeMounts: + - mountPath: 5Trbk9 + mountPropagation: 秮驇穁 + name: YvM + readOnly: true + subPath: pFKsUV + subPathExpr: mhIjzA + - mountPath: F3lqb + mountPropagation: 窆f + name: NJXDvoxv + subPath: zVGgP + subPathExpr: H + workingDir: IEObw8N + imagePullSecrets: [] + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: + JDRn7n: tOGfx + lKq0V88a: uR3S + vXzm2Hny: tURxvlp + priorityClassName: 6ZbHC + securityContext: + fsGroup: 3426922926776119300 + fsGroupChangePolicy: 橣 + runAsGroup: 8316915980597683000 + runAsNonRoot: false + runAsUser: 6270039107728701000 + supplementalGroups: + - -2399342924686736400 + - 620655430084388100 + serviceAccountName: gIkiPRSc53Eb4w + tolerations: + - effect: ć`湇Ȏ2篤螕巴蛬>@ø£鞌q + key: E7p + operator: 畁鼄瓈貔Ĕ釲ĸȚ貺|ǴĄl蔺İɽ糹 + tolerationSeconds: 3092681449541781000 + value: Zmrz8 + topologySpreadConstraints: [] + volumes: + - configMap: + name: eHZ + name: configs + - name: gcTdF + secret: + defaultMode: 210 + secretName: MPU + - name: "4" + secret: + defaultMode: 186 + secretName: s6 + - name: lBE0nAE + secret: + defaultMode: 412 + secretName: RG + - name: "4" + - name: Kry +--- +# Source: console/templates/hpa.yaml +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + creationTimestamp: null + labels: + "": vWjW + G: qF + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 84QIe + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: eHZ +spec: + maxReplicas: 165 + metrics: + - resource: + name: cpu + target: + averageUtilization: 42 + type: Utilization + type: Resource + - resource: + name: memory + target: + averageUtilization: 454 + type: Utilization + type: Resource + minReplicas: 187 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: eHZ +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "eHZ-test-connection" + namespace: "default" + labels: + "": vWjW + G: qF + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 84QIe + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['eHZ:190'] + restartPolicy: Never + priorityClassName: 6ZbHC +-- testdata/case-043.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: Gma + namespace: default +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: y0pa6pm83 + namespace: default +spec: + ports: + - name: http + port: 11 + protocol: TCP + targetPort: 465 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: 9TsjJQkJZ +--- +# Source: console/templates/ingress.yaml +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + GOF: Fk7wcu + J2: ViiBwn6 + WODaheluZ: jCoFdBnr + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: y0pa6pm83 +spec: + ingressClassName: 4Z1r6JSTY + rules: + - host: chart-example.local + http: + paths: + - backend: + service: + name: y0pa6pm83 + port: + number: 11 + path: / + pathType: ImplementationSpecific + tls: + - hosts: + - hAi45 + - N3wGXf + - 2Og0 + secretName: 11BdzGx + - hosts: + - MPqkMom + - mBwetJrK + - PcEKgK + secretName: HtA + - hosts: null + secretName: jRYKg +-- testdata/case-044.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + BvJq2xZ: jY6O0 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tvDI + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: W9k + namespace: default +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + role-bindings.yaml: |- + roleBindings: + - UiHg9: null + - "": null + mAYLjAybA: null + roles.yaml: |- + roles: + - 0NpG04j: null + UxtPt: null + l5dMdK: null + - J9: null + MzWfEl: null + yNu: null + - "": null + Pv: null + tGJIDyXG: null +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + BvJq2xZ: jY6O0 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tvDI + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: resP +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + CRHNsVY: Nl04 + creationTimestamp: null + labels: + BvJq2xZ: jY6O0 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tvDI + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: resP + namespace: default +spec: + ports: + - name: http + port: 103 + protocol: TCP + targetPort: 329 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: tvDI + type: "" +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + 4i: zwiMMKf + ZTKUDg2t: qHc7 + fGsx: dIpd + creationTimestamp: null + labels: + BvJq2xZ: jY6O0 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tvDI + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: resP + namespace: default +spec: + replicas: 410 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: tvDI + strategy: + rollingUpdate: {} + type: ɬdW5f + template: + metadata: + annotations: + N0F: vSjZxkjW + checksum/config: 8ebe1d816245b967e7ea3109d93ad79599a2b8a33eed8e72fc85166d6ffa7aaf + creationTimestamp: null + labels: + K1uahi: UMygEU2O2 + app.kubernetes.io/instance: console + app.kubernetes.io/name: tvDI + ecdKkB: "1" + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: AFOKvXU + operator: ¸藬 + values: + - vIFxLM + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + ZpWVx: agTJ2kP3DWNYN + matchLabelKeys: + - "4" + mismatchLabelKeys: + - 0qG + namespaceSelector: + matchExpressions: + - key: D8 + operator: d|ɬ曖 + values: + - p3iQYi6Y + - key: c + operator: ǵmV逛鲳鈐譮稹ÚȾČXú + values: + - a + - 3C55L6S7 + - SQaxr + matchLabels: + "5": jC + namespaces: + - oDKjy + - "" + topologyKey: C9jgFk + weight: 1276231314 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: lGp2 + operator: "" + matchLabels: + "": sKP1q2 + 44krG: UrYUSMsisV + unYZqLh67: tMKQ + matchLabelKeys: + - orDt3ZdEA + - LIBJK3 + mismatchLabelKeys: + - bgz2i + - CNqlQJ + namespaceSelector: + matchExpressions: + - key: 35CZTXLY + operator: 掟0笝润ɲDGĪ1Ɋ乧鴹ǥ + values: + - OOB1s + - o4H + - key: f21 + operator: nȿqh + namespaces: + - L0w7 + - DB9 + - T1mom4CrS + topologyKey: OWKJz + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: WaOHp + operator: Ƥ熅ǒe²敹Ņ0ľ(Ȯɩ6ÿ + - key: 0X + operator: be3蚛鷿_鴈y+圚ʀF虹D + values: + - ZIZDTnyfwD + - B4NWO9ffPz + - 1jsu + matchLabelKeys: + - mXhYg + mismatchLabelKeys: + - mp6 + namespaceSelector: + matchExpressions: + - key: xE + operator: ʩ畕 + values: + - uc7IZ + - Hxl1 + - key: Xb41Q + operator: cʓʁ卡嵷韻 + values: + - pA + namespaces: + - edcrY + topologyKey: sP2BdI + - labelSelector: + matchExpressions: + - key: U0 + operator: 卢ʩ + values: + - OBtefl + - yMIZlx + - key: X + operator: Ǔ%é鵔:ß侙鞅 + values: + - s1qg3meB + - e6J6ZH89 + - key: dhFO + operator: ƋŎ頖,é襺枣Ť卩骏ɰ抟篧JɂǛȝȵ + values: + - R9sJoCz + matchLabels: + 2T: 84ZhksfB + matchLabelKeys: + - Yc41 + mismatchLabelKeys: + - zgncb + - pCwXYOK + - hViR + namespaceSelector: + matchExpressions: + - key: 3hWtuB6Y + operator: ʪ+ʜǻ拎奜跁ª4鶒鲒[ʒJi\ʝ)皡 + values: + - s + - key: xGSn + operator: 羥/Br=Z擧Ŀ泀Ą舨cïŕɘʡȽIJ鉽 + values: + - lOZtQ2cI + - Vk6 + - Ri3t + - key: Z6UDhR9VLqSA + operator: 淸c欨pɝo腛ı廓齩鄬檏繑郭>Ö呡 + values: + - s6hp + topologyKey: wZZTf + - labelSelector: {} + matchLabelKeys: + - afDo + mismatchLabelKeys: + - S + namespaceSelector: + matchExpressions: + - key: AWObA + operator: ĝf表OS厅啬児0~L槩华L稙訐\Tȼ + values: + - M39 + matchLabels: + 0D9: u5 + T1: xiLiZn + v6: nSQp5 + topologyKey: mr + automountServiceAccountToken: false + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: Ahlf + value: UEv + valueFrom: + configMapKeyRef: + key: uwaRvb + name: M8Iklu7qx + optional: true + fieldRef: + apiVersion: H + fieldPath: 43xb + resourceFieldRef: + containerName: t8wgC87mO + divisor: "0" + resource: Z + secretKeyRef: + key: "" + name: EQfJ3z7tv + optional: false + - name: xj + value: lwmxmxP + valueFrom: + configMapKeyRef: + key: "" + name: cdBhO + optional: true + fieldRef: + apiVersion: U + fieldPath: Dj1sswKP + resourceFieldRef: + containerName: 1p3yUdrvd + divisor: "0" + resource: 5A + secretKeyRef: + key: DDcgdcu + name: oD38 + optional: true + - name: LICENSE + valueFrom: + secretKeyRef: + key: x8ik3q + name: K7c7oe + envFrom: + - configMapRef: + name: 2ECaB + optional: true + prefix: bao + secretRef: + name: CA5S95 + optional: false + image: UqWwteW0x/TZqk:0fpMB + imagePullPolicy: 讘ɂȴɩF壜î栒p + livenessProbe: + failureThreshold: 1147871047 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -470682176 + periodSeconds: 842863336 + successThreshold: 2078067842 + timeoutSeconds: 1252398573 + name: console + ports: + - containerPort: 329 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 1026367217 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -233395254 + periodSeconds: -96619339 + successThreshold: -2083481091 + timeoutSeconds: 1827269276 + resources: + limits: + eYVLCq: "0" + requests: + P: "0" + VsuQcjg: "0" + jwq: "0" + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - ɐ毻sǨ斩麀|髦 + - (波F= + - 2鱶ɥǚ蘃齯ʃE桹蹝Ȓ畸蘋桙0 + drop: + - c掁轖e9\Ǟ¦ + - ȽT下Zź%賂蕄3 + - 乯`ŤĊŸ眸ʞ缔Ň妌嵳楕ǐwč*ǩ妩ɴ + privileged: true + procMount: ŃE诩Ŗś僆 + readOnlyRootFilesystem: true + runAsGroup: 6580465723841054000 + runAsNonRoot: true + runAsUser: -56006153890553620 + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: v + mountPropagation: ?IJ純ʈxɧʅ + name: 9AiRaE35OlCv + readOnly: true + subPath: 2dv5RZ + subPathExpr: H7f + - mountPath: "4" + mountPropagation: 涾頴tOĜʥ朤 + name: ePEz + readOnly: true + subPath: BY + subPathExpr: w + - mountPath: n5FPgiJmk + mountPropagation: Ǵ棢__@ŗɆ4瞑5ŗ­L/ķ{篦ǯ + name: NryERK9Q + readOnly: true + subPath: tINFMAR5 + subPathExpr: VrBKy + - args: + - CCdc + - xnWsPf + - K9Lp8whZH + envFrom: + - configMapRef: + name: eRd + optional: true + prefix: jF9v + secretRef: + name: QS0dQM4 + optional: false + image: UEbFmY + imagePullPolicy: ɂǖ耒ȯ+Ǎ妸ÄĊ wʠB堯¥ƿɤp + lifecycle: + postStart: + exec: + command: + - 89MtW + - LOaqkcP + - JzjyxNZS + httpGet: + host: "3" + path: V + port: RUOELw + scheme: u*暪÷鰦ʭ,0噱D #干 + sleep: + seconds: 7312334685976475000 + preStop: + exec: + command: + - Cmo91luAq + - DTCwI + - d3Q8xly + httpGet: + host: e + port: -1761554680 + scheme: '|' + sleep: + seconds: -8572473558022234000 + livenessProbe: + exec: + command: + - 1K0Fir + - Ws + - jWym + failureThreshold: 1492079208 + grpc: + port: -1612320137 + service: wk3AYU + httpGet: + host: U + path: yLWf + port: dE + scheme: (魠ʫ倳|岺溻IJħu|æ粅 + initialDelaySeconds: -1551121242 + periodSeconds: 101556636 + successThreshold: -690762638 + terminationGracePeriodSeconds: -7606489989577612000 + timeoutSeconds: -947750725 + name: GKPhj2 + ports: + - containerPort: 690563670 + hostIP: mVXvug29A + hostPort: -1389446008 + name: pcUz3a8NWF + protocol: o& + readinessProbe: + exec: {} + failureThreshold: 816403475 + grpc: + port: 2090385753 + service: pp5W00 + httpGet: + host: sP9DV + path: cpLL + port: TNUIzm + scheme: '!敓GĜƝ塀ȏ@{8嶤ɍ|' + initialDelaySeconds: 911169006 + periodSeconds: 257542772 + successThreshold: 1702435185 + terminationGracePeriodSeconds: -4557510245814657500 + timeoutSeconds: -581799810 + resources: + limits: + 5UdZ91O: "0" + TXdC: "0" + bK0pEj0Mb: "0" + requests: + s8hZFXOGF: "0" + tCP: "0" + restartPolicy: Ǩ轡´@ǂȟ + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - 鿞;P粜鬌)Ǭ郑&鑉k!f] + - Ċ + drop: + - ?孡渄:Ơ廔晞!ē8瞅@rDZ_ + - cfdú¯'ƱơÅś祏侪 + privileged: true + procMount: ȝ?A@û2蝓撕%o摤絡) + readOnlyRootFilesystem: true + runAsGroup: -2314751572399379000 + runAsNonRoot: true + runAsUser: 989961539055775400 + startupProbe: + exec: {} + failureThreshold: 971752114 + grpc: + port: -1594677871 + service: O + httpGet: + host: EIXRs + path: EA1CukJtUZ + port: g9g0 + scheme: 遱O靑課淁hɕ怡ņ鲥 + initialDelaySeconds: -1020857297 + periodSeconds: 1332161137 + successThreshold: -1412285197 + terminationGracePeriodSeconds: -7087737322486666000 + timeoutSeconds: 563432789 + stdin: true + terminationMessagePath: S + terminationMessagePolicy: =ɑ_èʊâ錯Ɛ窾O亇_ + tty: true + volumeDevices: + - devicePath: 2EtZS + name: "" + - devicePath: glBRF4 + name: e8K + volumeMounts: + - mountPath: L4U + mountPropagation: '}6ʓ蓱9峖3疖售Ʉ朞' + name: 4oVeDs + subPath: RoA + subPathExpr: b + - mountPath: b3TFcP + mountPropagation: ʘʟ| + name: jg4Ya + subPath: F + subPathExpr: flS + workingDir: VZi6ElPHw + - command: + - 3xxCjTRw + env: + - name: 1n + value: cHl + valueFrom: + configMapKeyRef: + key: "95" + name: gi + optional: true + fieldRef: + apiVersion: sQA8hZeZu + fieldPath: xgpJlFJ2 + resourceFieldRef: + containerName: fLR0HyM + divisor: "0" + resource: Sanx4 + secretKeyRef: + key: XgKm5 + name: gvoS9jB + optional: false + - name: s2cwze + value: hu + valueFrom: + configMapKeyRef: + key: fDoUz3 + name: XKG + optional: true + fieldRef: + apiVersion: q0CUy1W + fieldPath: B3Lkh + resourceFieldRef: + containerName: V1gnkr8hpTmU + divisor: "0" + resource: 7PEJNYX + secretKeyRef: + key: IiBIw + name: kiXa5 + optional: false + envFrom: + - configMapRef: + name: JayMLn + optional: true + prefix: Iyk + secretRef: + name: I8 + optional: true + image: uuJKCAGoiYb + imagePullPolicy: '&mɈ{DC鹪ŘƖ暢C镯VĪɮJ樟' + lifecycle: + postStart: + exec: {} + httpGet: + host: TlUl + path: v9nd + port: Khf + scheme: 雦G'獲ɕ垑Ɠ奚 + sleep: + seconds: 3204757101293724700 + preStop: + exec: + command: + - s8505Cg5U + httpGet: + host: hAMBGK + port: LNxGid + scheme: 9?Ɉ + sleep: + seconds: -7512312074000843000 + livenessProbe: + exec: {} + failureThreshold: -1252597876 + grpc: + port: -544919593 + service: "N" + httpGet: + host: xfP + path: ByIZxFF1w + port: 465839308 + scheme: ôȔʄǽȕ$Ɨ嫸% + initialDelaySeconds: 1827740835 + periodSeconds: 1434348082 + successThreshold: 1145653124 + terminationGracePeriodSeconds: -9056662989967493000 + timeoutSeconds: -741454610 + name: pkN5 + readinessProbe: + exec: + command: + - pmJ6cF + failureThreshold: -182850181 + grpc: + port: -30654612 + service: q + httpGet: + host: Vra + path: tovB7 + port: -934938952 + scheme: Ⱥǵ1茆鯨ț]ų1ơñ澂 + initialDelaySeconds: -1966697414 + periodSeconds: -1866944455 + successThreshold: -259752087 + terminationGracePeriodSeconds: -4535014313385885000 + timeoutSeconds: -1545912021 + resizePolicy: + - resourceName: RxDBqX + restartPolicy: 韌ʮ濅& + - resourceName: spCee + restartPolicy: 腋+桯PɆ誎z4µ&ȁou-囈鵼夵v| + resources: + limits: + rElH: "0" + requests: + "": "0" + restartPolicy: 7GK¦碦ǒ抩Z芍緜 + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - NjǗA窇ţ + - 逈%Ǵ7QǚƶƜr + drop: + - 鹭Iv0蠤'Ɵ皝ƨ=¨ + privileged: false + procMount: èįƤ;L虥u籖ʄƎ}橃V炖 + readOnlyRootFilesystem: false + runAsGroup: -1041723617216276900 + runAsNonRoot: false + runAsUser: -3933065726531016000 + startupProbe: + exec: {} + failureThreshold: -983644738 + grpc: + port: 1827183629 + service: X7oC1 + httpGet: + host: vGk + path: ohKaYc + port: l1rVsh9 + initialDelaySeconds: -648569392 + periodSeconds: 873065120 + successThreshold: -612441773 + terminationGracePeriodSeconds: 6808330544454598000 + timeoutSeconds: 1534439066 + terminationMessagePath: VYh + terminationMessagePolicy: 唌Üi+ + volumeDevices: + - devicePath: DGsn + name: Ia + volumeMounts: + - mountPath: "14" + mountPropagation: 渉seǝ蕟厪ë嵎ǥ墮@ + name: "" + readOnly: true + subPath: C1G4VS1 + subPathExpr: eU + workingDir: odPxO + imagePullSecrets: [] + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: + 2i: dRi6btw6 + R4: UsW + fFNJXGk: XBkx + priorityClassName: 8KMLup9vb + securityContext: + fsGroup: -3027126285888131000 + fsGroupChangePolicy: 袺芥ŵ罋o郘渢e堫柝dž + runAsGroup: -3172565869747058000 + runAsNonRoot: true + runAsUser: 5739747577453986000 + supplementalGroups: + - -1289730562709624600 + - 2918948066534341000 + - 8836988143915676000 + sysctls: + - name: ZSspAgrV + value: ES11 + serviceAccountName: W9k + tolerations: [] + topologySpreadConstraints: + - labelSelector: + matchLabels: + 435gSB: cXqM + XuT: nA + sKWX6pPX: YyYe + maxSkew: -1347306472 + minDomains: 1890499147 + nodeAffinityPolicy: 扒Ŕ + nodeTaintsPolicy: 諹uɔM_灢ʫ6ªWŢ庿ɛ + topologyKey: 34nlpPe2Tl + whenUnsatisfiable: šĉ鎨嶕鯖Ťȯ蝲萤ɪeCŒ5ő3|押 + volumes: + - configMap: + name: resP + name: configs + - name: Kt6NIoVzEY + - name: O +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "resP-test-connection" + namespace: "default" + labels: + BvJq2xZ: jY6O0 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tvDI + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['resP:103'] + restartPolicy: Never + priorityClassName: 8KMLup9vb +-- testdata/case-045.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: false +kind: ServiceAccount +metadata: + annotations: + "": zL + EANkzh: rmy + creationTimestamp: null + labels: + M1diW: PVb + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tOoxEiwdVpT + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: nX5G + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + M1diW: PVb + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tOoxEiwdVpT + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 9gCm5xz +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: naFpMBw + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: nKEzr + kafka-schema-registry-password: xU + kafka-schemaregistry-tls-ca: pc + kafka-schemaregistry-tls-cert: fF1z9FE + kafka-schemaregistry-tls-key: tx + kafka-tls-ca: bhhbwypQ + kafka-tls-cert: Dw1477 + kafka-tls-key: "" + login-github-oauth-client-secret: 1UD4N + login-github-personal-access-token: LmFkP6BgmLQ + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: m + login-jwt-secret: SECRETKEY + login-oidc-client-secret: cXdjG + login-okta-client-secret: eF90RohF + login-okta-directory-api-token: 1zXLSJEQ + redpanda-admin-api-password: rr4c4 + redpanda-admin-api-tls-ca: Eonnpq + redpanda-admin-api-tls-cert: aPCNgYI + redpanda-admin-api-tls-key: vlrLQ9I9 +type: Opaque +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + M1diW: PVb + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tOoxEiwdVpT + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 9gCm5xz + namespace: default +spec: + ports: + - name: http + port: 314 + protocol: TCP + targetPort: 398 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: tOoxEiwdVpT + type: C +--- +# Source: console/templates/hpa.yaml +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + creationTimestamp: null + labels: + M1diW: PVb + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tOoxEiwdVpT + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 9gCm5xz +spec: + maxReplicas: 305 + metrics: + - resource: + name: cpu + target: + averageUtilization: 344 + type: Utilization + type: Resource + - resource: + name: memory + target: + averageUtilization: 186 + type: Utilization + type: Resource + minReplicas: 326 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: 9gCm5xz +--- +# Source: console/templates/ingress.yaml +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: {} + creationTimestamp: null + labels: + M1diW: PVb + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tOoxEiwdVpT + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 9gCm5xz +spec: + ingressClassName: y6u9o + rules: + - host: V + http: + paths: + - backend: + service: + name: 9gCm5xz + port: + number: 314 + path: VRp3 + pathType: WX + - backend: + service: + name: 9gCm5xz + port: + number: 314 + path: ZXqa + pathType: LXDjotJK + - backend: + service: + name: 9gCm5xz + port: + number: 314 + path: b + pathType: 6l3svu + tls: + - hosts: + - SzMunki + secretName: OT +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "9gCm5xz-test-connection" + namespace: "default" + labels: + M1diW: PVb + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tOoxEiwdVpT + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - name: rTO7I + - {} + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['9gCm5xz:314'] + restartPolicy: Never + priorityClassName: Op +-- testdata/case-046.yaml.golden -- +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + "": WcYTY + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + rHtDM6k: ZY6Kw + name: fB6TF +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: BKbdr + kafka-sasl-aws-msk-iam-secret-key: Xs8UvJPyL + kafka-sasl-password: xW3EDKA + kafka-schema-registry-password: Vewx + kafka-schemaregistry-tls-ca: te + kafka-schemaregistry-tls-cert: JxH + kafka-schemaregistry-tls-key: jhxioPhQ + kafka-tls-ca: eP + kafka-tls-cert: H9 + kafka-tls-key: "" + login-github-oauth-client-secret: Q + login-github-personal-access-token: akEcq + login-google-groups-service-account.json: pJ8NQ + login-google-oauth-client-secret: vj6 + login-jwt-secret: SECRETKEY + login-oidc-client-secret: 8SCyi + login-okta-client-secret: Yd + login-okta-directory-api-token: q1rSa + redpanda-admin-api-password: mON + redpanda-admin-api-tls-ca: rNzsp + redpanda-admin-api-tls-cert: UStA + redpanda-admin-api-tls-key: 3E +type: Opaque +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + aDeGG7F9S: 5d + creationTimestamp: null + labels: + "": WcYTY + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + rHtDM6k: ZY6Kw + name: fB6TF + namespace: default +spec: + ports: + - name: http + port: 271 + protocol: TCP + targetPort: 481 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: PK7oH1pcU3 +--- +# Source: console/templates/ingress.yaml +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + A4M6T: IUmZ9 + AHN: gcT00IU6 + S: lzi1Q + creationTimestamp: null + labels: + "": WcYTY + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + rHtDM6k: ZY6Kw + name: fB6TF +spec: + ingressClassName: aU0xOzsFN + rules: + - host: chart-example.local + http: + paths: + - backend: + service: + name: fB6TF + port: + number: 271 + path: / + pathType: ImplementationSpecific + tls: + - hosts: + - PV + secretName: aHG1 + - hosts: + - bX + - Cu + - xuscoJ + secretName: fBCynrlb +-- testdata/case-047.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: + DQxrtk8: buiWLPbYq + HHbP: sAY + Y0DKOcTa: D82Nfh + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: nEojiMtRc + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: DSw7 + namespace: default +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + 8v2: JbH + 95cxbjjD7C: JBMaJ + VY: yRV7d + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: nEojiMtRc + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: YUi5JpG + namespace: default +spec: + ports: + - name: http + port: 168 + protocol: TCP + targetPort: 227 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: nEojiMtRc + type: WAAXkZY +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + Bx5i3M: s + svlaTGpSHD: 7P9k + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: nEojiMtRc + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: YUi5JpG + namespace: default +spec: + replicas: null + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: nEojiMtRc + strategy: + rollingUpdate: {} + type: żʧȟ + template: + metadata: + annotations: + Mfsd: hmi + checksum/config: 74234e98afe7498fb5daf1f36ac2d78acc339464f950703b8c019892f982b90b + creationTimestamp: null + labels: + 6dZAs: xJPaLHKS1Y2 + app.kubernetes.io/instance: console + app.kubernetes.io/name: nEojiMtRc + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: {} + weight: 182966451 + - preference: {} + weight: -2028220392 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: [] + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 5a5MXO + operator: kƎǦƙ«嚄ƭr騥邜Fċʐ叧F& + values: + - BRA + - Ywt7JHE + - key: TjE3wFb6 + operator: O`6ƥ縈L:Ckʄ鹟瑧 + values: + - "" + - dxDLfiL + - 0IgsneLlLo + - key: tuBbSOMR + operator: 桛ʫ褛ʒɩWkv濱瘛#Ěi邱CNǖ4孳 + values: + - 9zJ + - 7T3iJAwX + matchLabelKeys: + - ZYcvinlq + - PwQO9 + - M3gb + mismatchLabelKeys: + - e + - K1XrVh + - D1CkR8 + namespaceSelector: + matchExpressions: + - key: uqnyV6k + operator: rĮ'示嶠ĵ攛Ņ + - key: 0ONfMVB + operator: n梷E8ʟ菛晉 + values: + - Q + matchLabels: + IqH8n: pCJ16S + mUE: HyxdirX0F + namespaces: + - gptVP + - L + - 7CmPHtA + topologyKey: XDhewcrvK + weight: 2033587292 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: jcAfZ5VF + operator: 饀re + - key: sj + operator: U姑R° + values: + - p8zbO + - key: 2LmP5 + operator: ŸȢ庾塁BƖ + values: + - NN + matchLabels: + ApvKyKe: kHE9lIIleR + mismatchLabelKeys: + - n3VRcT5qX + - zGNqgUGNX + - hDZ + namespaceSelector: + matchExpressions: + - key: "7" + operator: 砃=G墈赞飍鵝7d + values: + - Uiz9BnY + - key: hd76 + operator: '{緶ɡnW' + values: + - vc1yj10y + - Je + - eg + - key: 06pjmB + operator: =帛胏 + values: + - RQ10 + - Z5WWhGqt + namespaces: + - seMTT1 + topologyKey: E + - labelSelector: + matchLabels: + oplIL: 67Fs0Yu4 + mismatchLabelKeys: + - T1 + namespaceSelector: + matchExpressions: + - key: hOQWYMD + operator: vǑ壞2â飿"Xʝ簮倏c + values: + - "0" + - key: WWGKqAgL + operator: '''OƼŪ祰ǑŗiU嘏ɮ?Ī語' + values: + - yU5IOsL + - koP + namespaces: + - lDs + - xQZsD + - J + topologyKey: j0k4ds + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 9nDdXGQwP + operator: '[痵lǝ,ǶÜÂD' + values: + - th + - u8xZ + - ucr3vqZeG + - key: QWVrK8k + operator: ʀăɼy耯#運+3坽« + values: + - 2lcZKn + - G2IQ + - YbYwv + - key: N4bc7Wn + operator: '%7`iɊȑ槦醒}' + values: + - NiSH90 + - 98iHVkt + - 0r3Yu9i + matchLabelKeys: + - zrV + - Ey + - R + namespaceSelector: + matchExpressions: + - key: gEbVS1wo + operator: z + matchLabels: + 2YURuF: "" + CJTjm6: nOFN + oUtlWUD: 0k14ag + topologyKey: M1yF5YA + weight: 477520510 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: mdjoxbr + operator: V2SŨǰ8嫟淦 + values: + - 3ww0Ei + - 2PjudE + - pmpvETB0n + - key: NFqQGo + operator: 处;Ƕk鎹û絹褡Sy + values: + - V + - key: HuZ + operator: ȓő&ś>S怭ť]E榕 + values: + - sUume + matchLabels: + ef2q: 4ZL0O9b + r8xqG: MJ + matchLabelKeys: + - "" + - "Y" + mismatchLabelKeys: + - djn6fDf + - ukZi8 + namespaceSelector: {} + namespaces: + - dOU1F + - 1ygQdj3xZ3YIf + - wvpeJx + topologyKey: Rq4K6z6 + weight: -1277100698 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: b + operator: "" + values: + - tmuB5 + - 9qE9GM + - oJpaRDn2 + - key: WY + operator: u酘b + values: + - RhO + - Cs2rDIRrPlii + - nG4bqoAkQU + - key: eMae + operator: ǟĕȴnjI覿9¥H艞ɋ + matchLabels: + ToIBbWL: 4k8X + i2qGkWjvF7QJ: pb0sZq + u12o4B4: Ybz + matchLabelKeys: + - HCKtJC7hm + mismatchLabelKeys: + - 21r0Z + - "" + namespaceSelector: + matchLabels: + 2BNgnKr7Ob: 5RffK5NB3ghhfO + bJC: WTOgH + uA: bxdRwsU + topologyKey: 2CsbupZ + - labelSelector: + matchExpressions: + - key: RIP + operator: Oȝ(氧罻 + values: + - 1bx3Fix9 + - key: eqQoi + operator: 68+ʈĘ + values: + - FgfwmYrR + - mznlyr2aLTGF + - GfAoC8M + matchLabels: + FKwNoJ: aJZxa + cEeo8ix: 3dHunLjp5 + ihSd: qG7x + matchLabelKeys: + - F6LQK + mismatchLabelKeys: + - ULcGW + - RYv + - fF + namespaceSelector: + matchExpressions: + - key: Tkp5 + operator: ȴ潺谡Ƣh躈ŮâÿȒũĔ + values: + - fY9NuWB + - O84 + matchLabels: + 09fI: EDSEVi + Dl: 4u38aD4O + vZCciR: neqAXd7k + namespaces: + - ozziI6FZ + - URQlLJF + topologyKey: SeSq4K + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: "" + value: YbKo + valueFrom: + configMapKeyRef: + key: bIruuA + name: x8 + optional: true + fieldRef: + apiVersion: EqX + fieldPath: ZOh + resourceFieldRef: + containerName: IDJTm5lv + divisor: "0" + resource: QDC8v + secretKeyRef: + key: "8" + name: LcSdNiKff4 + optional: false + - name: RZHq9C + value: m + valueFrom: + configMapKeyRef: + key: PZVqf + name: x + optional: true + fieldRef: + apiVersion: xQi + fieldPath: vxeo + resourceFieldRef: + divisor: "0" + resource: l7 + secretKeyRef: + key: i3lK + optional: true + - name: LICENSE + valueFrom: + secretKeyRef: + key: nj + name: rl + envFrom: [] + image: zUsK/lQjo:p + imagePullPolicy: ȕ蚧竔/´苅oC + livenessProbe: + failureThreshold: -1392926461 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -1384385388 + periodSeconds: -1660079876 + successThreshold: 680842396 + timeoutSeconds: 213455290 + name: console + ports: + - containerPort: 227 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 1689894479 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -1753994274 + periodSeconds: -1189421015 + successThreshold: 1278527365 + timeoutSeconds: -209775227 + resources: + limits: + 8ycM: "0" + requests: + CvglPI: "0" + s5: "0" + uiHB: "0" + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - «Ƙz损 + - ɟE鄱Į惪Y桦ŗɘoȍ蠣4ƪ呀R> + - "" + drop: + - 娤b + privileged: false + procMount: ʍ曏(ƶæ + readOnlyRootFilesystem: true + runAsGroup: -406748533537085800 + runAsNonRoot: false + runAsUser: 3238073083343117300 + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: g + name: L8dbWip + subPath: "" + - mountPath: OO0aO6h + mountPropagation: "" + name: kDKM + readOnly: true + subPath: AlRCH + subPathExpr: 7UemLsIe + - mountPath: Z8zdlU + mountPropagation: 醗¡°v:胡 + name: aedAMG + subPath: zo5P1xa + subPathExpr: WmuiME + - mountPath: ufiUx + mountPropagation: '`ʡÔ关Ľ?' + name: PWBh + subPath: 2hslJ + subPathExpr: pUtN3 + - args: + - lW + - lpUVzUh + command: + - 3mEGtoKbEWE2Jw5T + - b1GBFA + env: + - name: hsiWF93 + value: zBco + valueFrom: + configMapKeyRef: + key: 8hvvaoHB + name: "y" + optional: false + fieldRef: + apiVersion: WPT5J + fieldPath: sc + resourceFieldRef: + containerName: 0xbTU4O + divisor: "0" + resource: tPBV2ObG + secretKeyRef: + key: YEKZukl + name: px + optional: false + - name: PM0MyyH3R6R + value: yOzX + valueFrom: + configMapKeyRef: + key: I3pi + name: DC + optional: true + fieldRef: + apiVersion: "25" + fieldPath: "" + resourceFieldRef: + containerName: aZj1E7LU + divisor: "0" + resource: sxs0nE31 + secretKeyRef: + key: Ktb3c4 + name: g98T + optional: true + - name: 6kDq8UgFIS8 + value: L0i4 + valueFrom: + configMapKeyRef: + key: 9WUe9 + name: tZrRUK + optional: false + fieldRef: + apiVersion: GIc + fieldPath: AXTmU + resourceFieldRef: + containerName: E2 + divisor: "0" + resource: a63tq + secretKeyRef: + key: luWp + name: lPdowo + optional: true + envFrom: + - configMapRef: + name: vzVk + optional: true + prefix: DONFyRd + secretRef: + name: 9uct + optional: false + - configMapRef: + name: z5nC9D + optional: true + prefix: 5epUyS1iy5m8 + secretRef: + name: zqRFC + optional: true + - configMapRef: + name: awjfJlZxN + optional: true + prefix: LhArOQgbq1OCR2L + secretRef: + name: mb5axzX5 + optional: true + image: qPLiX + imagePullPolicy: '{Ĩ檽]ĻĹňɋ偌Ȏ.阛魉' + lifecycle: + postStart: + exec: + command: + - yAeOM + - s53um + - 3m + httpGet: + host: GJWsJm + path: iDQ + port: 1781170742 + scheme: 皐ű葺ȝĬ麐&ʉ執dz0娸叹 + sleep: + seconds: -4230531115544534500 + preStop: + exec: + command: + - sIGb5 + httpGet: + host: AbxhPKar + path: 3ZZ5 + port: 88852320 + scheme: 砨Ĝ_筀¤痟氻劊űI俼员z幛F + sleep: + seconds: -4758564920159899000 + livenessProbe: + exec: + command: + - ty6JMTW6vA + failureThreshold: -1459976999 + grpc: + port: -1689493187 + service: ihsDMVYd + httpGet: + host: e9NNlO5d + path: iBo4 + port: 334788778 + scheme: ƿ:ħȠL$ + initialDelaySeconds: 1625633184 + periodSeconds: 1327859251 + successThreshold: 1766792721 + terminationGracePeriodSeconds: -3971501657411371000 + timeoutSeconds: 557348614 + name: U3U + readinessProbe: + exec: + command: + - "Y" + failureThreshold: 391027623 + grpc: + port: -1858356724 + service: hnqm + httpGet: + host: g + path: C48 + port: F + scheme: 苎lɲÁ频×ȊDžȀ9Ď"昽 + initialDelaySeconds: -1404160881 + periodSeconds: 521131323 + successThreshold: 2005094455 + terminationGracePeriodSeconds: -5942417190535485000 + timeoutSeconds: 2118365394 + resources: + limits: + Ms1A: "0" + WkWhM: "0" + requests: + b4kR9nm9BfQZy: "0" + eLg: "0" + huME: "0" + restartPolicy: ľ慔/PpǏ銢9滖ɝ韍I鍌$ʪ辫Uz + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - wą&嘪研Z`ȧȢfʘ*ō + drop: + - ƿ`ĉĎ苦Ǧ蘈NJ她笻Ƞ + - 磨3踦煨1JƸc錚捁 ĊZe)ám \ + privileged: true + procMount: 鋶XJm/覹ɋ¶ȉĒȤ瀶|ƻŒ(咡 + readOnlyRootFilesystem: false + runAsGroup: -8452021579348254000 + runAsNonRoot: true + runAsUser: 5983932912975749000 + startupProbe: + exec: + command: + - sZhTLr + - GK + - kqL9aDDm + failureThreshold: 1004086477 + grpc: + port: 1266077274 + service: l1ji1IW1ic + httpGet: + host: rJI + path: H731Dr + port: 1333462733 + scheme: 项鰚ɽ洍êƳ + initialDelaySeconds: 1806670133 + periodSeconds: 1290098703 + successThreshold: -490255445 + terminationGracePeriodSeconds: -206080146769410300 + timeoutSeconds: 270060590 + terminationMessagePath: P1HCGJEbJiD4 + terminationMessagePolicy: ʇ鞯BC鸼樁÷ǹ楺 + tty: true + volumeDevices: + - devicePath: a4 + name: 0bA + - devicePath: VeRXU9 + name: A0XbFJhG + - devicePath: fdim + name: RJf + workingDir: ZoDFb + imagePullSecrets: [] + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: {} + priorityClassName: 0P6RnoBeb5 + securityContext: + fsGroup: -6567182940167159000 + fsGroupChangePolicy: 6iɰ堂:齐ǪÈ + runAsGroup: -1787219330993537800 + runAsNonRoot: true + runAsUser: -5627543087390805000 + supplementalGroups: + - -3306962996817147400 + - 975882030005456500 + - -5263492609498468000 + sysctls: + - name: YC + value: 7JlDTCP6hs + serviceAccountName: DSw7 + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: YUi5JpG + name: configs + - name: L8dbWip + secret: + defaultMode: 184 + secretName: LF0O +--- +# Source: console/templates/hpa.yaml +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: nEojiMtRc + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: YUi5JpG +spec: + maxReplicas: 122 + metrics: + - resource: + name: cpu + target: + averageUtilization: 218 + type: Utilization + type: Resource + - resource: + name: memory + target: + averageUtilization: 488 + type: Utilization + type: Resource + minReplicas: 449 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: YUi5JpG +-- testdata/case-048.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + 4kU: mkn8 + Ro: NFx1P + Z1p: WE + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: W7q3X + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: sKa + namespace: default +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + role-bindings.yaml: |- + roleBindings: + - FZ5NQS6: null + - 0ToI: null + RTwav: null + mWwdgyM: null + - {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + 4kU: mkn8 + Ro: NFx1P + Z1p: WE + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: W7q3X + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 3um +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + c: DNy + kDPtPpnL: kFmmx + creationTimestamp: null + labels: + 4kU: mkn8 + Ro: NFx1P + Z1p: WE + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: W7q3X + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 3um + namespace: default +spec: + ports: + - name: http + port: 311 + protocol: TCP + targetPort: 29 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: W7q3X + type: l5gj +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + Dgw3Wl: 7aofTp + creationTimestamp: null + labels: + 4kU: mkn8 + Ro: NFx1P + Z1p: WE + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: W7q3X + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 3um + namespace: default +spec: + replicas: null + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: W7q3X + strategy: + rollingUpdate: {} + type: 顓ǝSm + template: + metadata: + annotations: + checksum/config: 1f1200550e8f17e44439daf44ec8c9721945fe5e499d9d558666a7a6516a4bd3 + eG: vxInc0 + g: BI6yk + xCtSP: rQ + creationTimestamp: null + labels: + ZEXh: zufy + app.kubernetes.io/instance: console + app.kubernetes.io/name: W7q3X + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchFields: + - key: v + operator: ė + values: + - ln + - lU4zX8iz + - t0Xc + - key: s3fpu + operator: ɥ娿ăʄĠ mʓ銈E'袭ĵ + values: + - ljJlhx + - matchExpressions: + - key: qPBvuBghor + operator: 泱诅ʫt + values: + - a05XZwN + - SiAvFWs + - FhW1 + - key: MVFTcW + operator: º囜N赧0索d + values: + - c + - ghZI + - AjB0J + matchFields: + - key: QzMSpLW + operator: :ɉùȪÇzǥC货°ÕV? + - matchExpressions: + - key: pA7a1gYdV + operator: '[ĪtOK' + values: + - 2bE4Bw + - fyMOYi + - key: wshbw7Ix + operator: J槭~撑MS=ÑƎ薽饵a緗 + values: + - 9jt6 + matchFields: + - key: s1 + operator: 犫茬睶ňv + values: + - XhyH + - Ng1r1 + - nqis + - key: mHLiT + operator: ȁ佝L郗s稷tŻ+f舭拳鰵2e{a + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: jdvk + operator: ƶ + values: + - NV + - y4 + - V2XRZS + - key: 9VvAl5 + operator: <坎陸$§¤_ã檠奙Å饉J夗ɓ翩锸辸 + values: + - x26kYkJ + matchLabels: + DziixIJYd: yCXzPc + matchLabelKeys: + - XNuk + - RGLu + mismatchLabelKeys: + - aF3 + - R + - Tnj6SmTq + namespaceSelector: + matchExpressions: + - key: e1XR + operator: Kɞ窏ǿ,鸣ŰcNc + values: + - Yrq + matchLabels: + F2Pe7J: dlwTdhs + lK: nolQ + ys9z: euXWPiaJ3Bv + namespaces: + - tAzvw4OH1G + topologyKey: 6y + weight: -1640008169 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: XbjQvP + operator: V嶙NZ谡筩ǒ抂 + - key: i + operator: ɔŃ旓Ɍ鬺X + values: + - Zvx + - 7HWJ + - e4ucTP + matchLabelKeys: + - 0LSTZ + - ESk2r + mismatchLabelKeys: + - CKhfvR0Sg + namespaceSelector: + matchExpressions: + - key: A0tc + operator: 辛§ʢ垝V矋n握匞~嶯筪溆¸ + values: + - ML + matchLabels: + K1pr: ROFIwZhJYYo + ODc: 48WQ + namespaces: + - Wv7 + - zenLPw + topologyKey: tIVDde5U + weight: 1977587462 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 3YyUamlR + operator: 橯F + values: + - dHitre + - 90jUjk + - key: NtnSL + operator: 臰sR=坵Ěcñ黪:ɻ寊â9dƎ\V + values: + - qqzycK + - key: ICXJGRFS + operator: $貕^eėǭD鳅ʇ + values: + - txX + - SFrkJ9r + - 3jOnwEW1 + matchLabels: + Uwj1kpV: oUXOYkF + o: ts5wRqjTyCy + matchLabelKeys: + - V2DNNCORe7ZRA + - pglXe4D + - w3881 + mismatchLabelKeys: + - xbi5KtUmR + - eZenitLdd + namespaceSelector: + matchExpressions: + - key: fxd5Y + operator: 頣R熗!A麳Ƚ6r爤暓 + values: + - oe46YF + - rT30v + matchLabels: + 4WA: EH + nRhlLLx1yHy: 5UFrj + namespaces: + - 7j92oP + - 2hf + topologyKey: "" + weight: 92207265 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: wBvol + operator: Ɂüɯ + values: + - eKmyok + - key: B2uj69 + operator: "" + - key: hLrZlh + operator: ȕ嵠味 ɼ_ + mismatchLabelKeys: + - W + namespaceSelector: + matchExpressions: + - key: Qu + operator: 亣i拴ÿ + values: + - OeiUsmYu + - oGXa6Ma + matchLabels: + "": Li + oDV7yR: NP + namespaces: + - PQjQb3LP + topologyKey: Gs1 + - labelSelector: + matchLabels: + "": nF + mismatchLabelKeys: + - YG6aQj + namespaceSelector: + matchExpressions: + - key: HpxPVtw + operator: z畘ŠƽǢ蘟\ɡ忕ɋ蜹5B + values: + - EQ + - RP3fBi + - key: Lv60cZut + operator: 裰ƈ + values: + - I9JbN + - dt + - Cya + - key: 0MGm8N + operator: 遍Ż + matchLabels: + nELvnrAFr: DClM + topologyKey: N57yxG + - labelSelector: + matchExpressions: + - key: "" + operator: KǞ}ɣȿ嚶宗荝«Dž + values: + - CGw32z4JHya + - E + - u5CDtdc + matchLabels: + J5LzcLei: kBwTCGZ + iLpqu: j4bqBNDjAK + jN: jUZ0u + matchLabelKeys: + - lNM + - K3nOO5 + - 9norFQpMiC + namespaceSelector: + matchExpressions: + - key: y4teb + operator: 蚯 + values: + - P + - O0 + - MvxOu + - key: v8w1Ok + operator: 8ƴņŨƊ¹艗胲ƦpYƿ9d脙~Ë + values: + - "4" + - "66" + namespaces: + - OtWsVW + - p + topologyKey: GeF + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: GRLHy + operator: Ä椶 + - key: Z + operator: ė牫ȃ汥Ƈ娍q\桕ɄNǴ + values: + - S1hMkP + - K + - x5coDg + - key: kJzBQ + operator: ʉĻ孺bɧɬʬ柿娤e¯]每) + values: + - DbD1 + - C5dyvNew + matchLabelKeys: + - 8G + - 7cCVU + - lN + mismatchLabelKeys: + - xJ5l + namespaceSelector: + matchExpressions: + - key: U89y + operator: ȓ2浿澰V缐厧钎wň莁願菶ʈ杈 + values: + - 9m6ydjpHu + - CatqpZmUCL + - dJz + - key: SIePbOJc6H + operator: ljR2qɟ$s櫮c雕Ů幔莁沥ʫľƙŝ + values: + - 75tj75r + - XiO + - key: "" + operator: 舄或崙Ĭɐ耼Ī弋禽$ + values: + - HWwXVr4o + - WEkwi8ZNDQ + - f + matchLabels: + fi8w0BX: Z48LRdXmkJ + namespaces: + - Yaw2NnfJ + topologyKey: ElKfd7Eo + weight: 1078166465 + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: rd10f1l + value: GtUE + valueFrom: + configMapKeyRef: + key: C1N + name: bi + optional: true + fieldRef: + apiVersion: 9GWlMsB + fieldPath: l2 + resourceFieldRef: + containerName: 4t + divisor: "0" + resource: eyjvzsf + secretKeyRef: + key: xBMOaej + name: O8AG + optional: false + - name: C + value: fYlde + valueFrom: + configMapKeyRef: + key: 4HvhDAkW + name: 5bgA7leE7 + optional: false + fieldRef: + fieldPath: zY6rf + resourceFieldRef: + containerName: S3 + divisor: "0" + resource: 3sD + secretKeyRef: + key: s43 + name: LpaQ + optional: true + - name: LICENSE + valueFrom: + secretKeyRef: + key: enterprise-license + name: 3VGefRh + envFrom: [] + image: VHbf77MFq/9Gz:Tg + imagePullPolicy: Ƀşb?師Ğ`3H觉趟糯襖 + livenessProbe: + failureThreshold: 279778022 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 1098820524 + periodSeconds: 414174316 + successThreshold: 1178515566 + timeoutSeconds: 873461419 + name: console + ports: + - containerPort: 29 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 37001950 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -396024246 + periodSeconds: -1467409206 + successThreshold: -1328773613 + timeoutSeconds: -1781454259 + resources: + limits: + 8cdWaeK7jVrR: "0" + HYBi6o: "0" + requests: + NOz: "0" + gH: "0" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - Ɋ闻ǃɗʀd撪 + - 蘑ǪY桼ɮǚɳ爥ňB + drop: + - 乄}ñ0詘蛾牪坣缰ƩǏ薷©瓚`Ʋ虯r + - ǓJğ&ĊƯʝbǠCŪzgì + - ńǜ[ɪ判Uʋ]泘狔 + privileged: false + procMount: 媹:堏_ɟ榧禙Ɲ'瞟 + readOnlyRootFilesystem: false + runAsGroup: 2759228957449300500 + runAsNonRoot: true + runAsUser: -812867783664200800 + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: WsSL4vxNxCkXP + name: Mt1 + subPath: "" + - mountPath: M5 + mountPropagation: 稤Bơ觓Ð琋 + name: yQHj49RtdzN + subPath: GdQkAKF + subPathExpr: Gvswh + - mountPath: QRg + mountPropagation: 搚Kƕ欕K貵蠜d旓ĀÝ虩釓 + name: qCEH27RF + readOnly: true + subPath: nHB05RuTZ + subPathExpr: K0yH + - args: + - 3QF + - k1BJBm + command: + - PMW + - j + - V7MAcfomz + env: + - name: rAzI53 + value: WlHlq + valueFrom: + configMapKeyRef: + key: zzIBsb + name: Bh261F + optional: false + fieldRef: + apiVersion: SlA + fieldPath: "6" + resourceFieldRef: + containerName: q0BBEv + divisor: "0" + resource: JE + secretKeyRef: + key: FvrZgBz + name: ZTBeic + optional: false + - name: uPptX + value: i9 + valueFrom: + configMapKeyRef: + key: JeHwi + name: TiQHOG1EsFUgIE + optional: true + fieldRef: + apiVersion: i7dd + fieldPath: Tu + resourceFieldRef: + containerName: ChdvA + divisor: "0" + resource: Eq1V33RTZQSJRJFg3V + secretKeyRef: + key: ojxn54r + name: L + optional: false + - name: Sl9Py25FX + value: e9 + valueFrom: + configMapKeyRef: + key: Zq80J9tyR0opcz + name: gy00dyvHFa + optional: true + fieldRef: + apiVersion: UJLSQy7zL + fieldPath: Xm4sg5H + resourceFieldRef: + containerName: ZmY7Fno6Fcop3 + divisor: "0" + resource: gqZwW + secretKeyRef: + key: v + name: hJDoWtjkfL + optional: true + envFrom: + - configMapRef: + name: RdWA + optional: true + prefix: Dq + secretRef: + name: BOBOO0sLIWw0e + optional: false + - configMapRef: + name: MoMnWNTC + optional: false + prefix: "3" + secretRef: + name: B58Vvj3 + optional: false + image: Vn5V + imagePullPolicy: 筥ǏŤČ癳嶧GĒH挕ÄHɡ + lifecycle: + postStart: + exec: + command: + - hTIx + - lslygl + - lSgx5G2IfU + httpGet: + host: GNVKz7 + path: d0Y + port: Igi + scheme: 莵łEǐ嫖ʒʔvŊ>ry5贛 + sleep: + seconds: -184172880642712450 + preStop: + exec: {} + httpGet: + host: tD1TkKV0ES + path: s6 + port: OpK5riOe96 + scheme: 琊*i#欱E唂ȧ鐄膶詃7 + sleep: + seconds: -4889549574266894000 + livenessProbe: + exec: {} + failureThreshold: 1591130939 + grpc: + port: -540029946 + service: aoAN2Lx03 + httpGet: + host: vWu + path: Lo + port: 1468671948 + scheme: ȯ煐IŢ + initialDelaySeconds: -1879733088 + periodSeconds: 1106663448 + successThreshold: 240850805 + terminationGracePeriodSeconds: -7405296717602936000 + timeoutSeconds: 524743651 + name: AInfx2Rak + readinessProbe: + exec: + command: + - oIA3 + - H + - 96Uj2 + failureThreshold: -1855887857 + grpc: + port: -495541010 + service: X + httpGet: + host: ZplmMg + path: tAAr + port: 1950182935 + scheme: ʂ綽oa;n轮ęB觼Z=G泇跢揌韇锶 + initialDelaySeconds: 1057136331 + periodSeconds: -2025421367 + successThreshold: -812558156 + terminationGracePeriodSeconds: 4314843605692522000 + timeoutSeconds: -1609986779 + resizePolicy: + - resourceName: EvmpG + restartPolicy: 4ɱ + - resourceName: hTB20ObO1 + restartPolicy: ½ŏ伐Q蔏ʝ噙漃袩J]Ɣ蒘岇 + resources: + limits: + KWlx2c: "0" + O: "0" + requests: + ZCJwGBL: "0" + restartPolicy: 1nĔ:蹮>s蹬ÍǺ + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - 迠寈搣弝渎İ- + drop: + - 檹Ɩ + - ɧ麧ç2ā兛杧蔙團载^P蚡5缿ʒU襩 + - cLD|ƶ虌Ȗ + privileged: false + procMount: ïƋ圏滜ľ転謀ĤP蹥ȅ|髃蒃Q癎æ + readOnlyRootFilesystem: false + runAsGroup: -4850605470374304000 + runAsNonRoot: false + runAsUser: 7731251064648991000 + startupProbe: + exec: + command: + - LqYoUQy3c4BE + - 5N + - Ug + failureThreshold: -1290004088 + grpc: + port: -1721281251 + service: H2p + httpGet: + host: 02CP5 + path: F609y + port: JjwFH + scheme: 珑 + initialDelaySeconds: -402608647 + periodSeconds: -1520214127 + successThreshold: 209058699 + terminationGracePeriodSeconds: -1900030585542850300 + timeoutSeconds: 1686394545 + terminationMessagePath: qixKzKz + terminationMessagePolicy: Ǥ衚蔁ʙ剠Ǡɭf~ + volumeDevices: + - devicePath: zM1 + name: jmc + - devicePath: IZ + name: PS + - devicePath: kN24U + name: Apu0r1U2 + workingDir: WgB + - args: + - 2Z37 + - 75kO + - TjvjkZTrc8s + command: + - M0NtzJ + env: + - name: 2EH + value: O + valueFrom: + configMapKeyRef: + key: J1ozKsuji + name: glLvAIHP7i + optional: true + fieldRef: + apiVersion: 3gAjGu + fieldPath: sNpuR8m + resourceFieldRef: + containerName: oxx + divisor: "0" + resource: PuKq + secretKeyRef: + key: Iua2L1LoCWMs2 + name: YfKwS8s + optional: true + image: PKNM + imagePullPolicy: ÍĪ0魣Ŋʒ + lifecycle: + postStart: + exec: {} + httpGet: + host: fsZ + path: EGnu + port: 765491661 + scheme: ?ğ叆ɂ&pʠ溶Ǚu + sleep: + seconds: 4688626474961013000 + preStop: + exec: {} + httpGet: + host: TB + path: "6" + port: -50369560 + scheme: ~Ǚɇ>ƃ\7]歉sh羘y4 + sleep: + seconds: -5293607398165582000 + livenessProbe: + exec: + command: + - 1g8dewdj + - lRmD + failureThreshold: -125369558 + grpc: + port: -1490211482 + service: R + httpGet: + host: CSGThzhG + path: 9NBKzoiFzs + port: -272474300 + scheme: ŀ + initialDelaySeconds: -1094670881 + periodSeconds: 1768141210 + successThreshold: -985604418 + terminationGracePeriodSeconds: -1297054466922920700 + timeoutSeconds: -1289231356 + name: KtKv6dg + ports: + - containerPort: -632764671 + hostIP: 8CU + hostPort: 917138107 + name: 1VgOx + protocol: 典ȫ窃ÛǪ3m患 + - containerPort: 739656218 + hostIP: dQQ3 + hostPort: -1348301133 + name: "3" + protocol: '?Ū慾ŘLº桒J:茦扰絥ǗȑĎ:' + readinessProbe: + exec: + command: + - qZ2J + failureThreshold: 293719665 + grpc: + port: 1235836411 + service: ig3 + httpGet: + host: Ws + path: FVnJhZq7I + port: -1075951148 + initialDelaySeconds: 321800409 + periodSeconds: -556535717 + successThreshold: -625124830 + terminationGracePeriodSeconds: -4084380722124342300 + timeoutSeconds: -904900305 + resizePolicy: + - resourceName: GKINnuJx + restartPolicy: Řl©=嬈牍]佧& + resources: + requests: + omO: "0" + uga5: "0" + xnRsp6C: "0" + restartPolicy: ʝdŌİ蒘傥>晑|癶x&ĭmŭƙŵ + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - 約nɤưHĞ4WƳǤȣ糥蠇t + - ¾ʃŔ冻楟?¿揈h嘼œ + drop: + - 7忭譺屩嫕ƞʅ袬/氼Xg养ȸ陣萓 + - 胨`鯵ƪĽ藹 + privileged: true + procMount: Ulƙxȿƌ乜溬噕瀆储铐\纬 + readOnlyRootFilesystem: true + runAsGroup: 4589112012742887000 + runAsNonRoot: true + runAsUser: 3204614620414442500 + startupProbe: + exec: + command: + - TFJ + failureThreshold: -585814509 + grpc: + port: 178002023 + service: lAuHCrE + httpGet: + host: "88" + path: Th + port: In + scheme: 鷵菭g顲Ⱦ穪 + initialDelaySeconds: -1856697198 + periodSeconds: 1469578394 + successThreshold: 160563852 + terminationGracePeriodSeconds: -4442318275257517600 + timeoutSeconds: -16211809 + terminationMessagePath: 513sVbgA + terminationMessagePolicy: 隓Ǽ屼Å7嗟Ʈ麝0{ȦDžĐ! + tty: true + volumeDevices: + - devicePath: ugQAJ + name: Jf + - devicePath: BFfnTD + name: kfF6CZ + volumeMounts: + - mountPath: C3 + mountPropagation: 呍婻厦ǒ絶偂蠛ƺ蠖蕍v貰Ė + name: DQvHajhHx + subPath: aYHGugq + subPathExpr: MSs + workingDir: OE + imagePullSecrets: [] + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: + Bm9U: oTYglG6dh + priorityClassName: l4Mowg + securityContext: + fsGroup: -3794452885502571500 + fsGroupChangePolicy: 欲飹Rɦ薕µL<Ĕ + runAsGroup: -3171560656159467000 + runAsNonRoot: true + runAsUser: -4412205905842408400 + supplementalGroups: + - -7215185124091152000 + - 5139656417921063000 + - 600742233156257700 + sysctls: + - name: Te + value: cKzihj + serviceAccountName: sKa + tolerations: + - effect: 嫜ʎ愤wßj硭 + key: JO1 + operator: ȼ¾Pȇ挮ƶȋ'蹑鶚嗵ïG + tolerationSeconds: -6027642013843151000 + value: a3XbyS + topologySpreadConstraints: [] + volumes: + - configMap: + name: 3um + name: configs + - name: Mt1 + secret: + defaultMode: 80 + secretName: ZxXI0Hhv +--- +# Source: console/templates/hpa.yaml +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + creationTimestamp: null + labels: + 4kU: mkn8 + Ro: NFx1P + Z1p: WE + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: W7q3X + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 3um +spec: + maxReplicas: 1 + metrics: + - resource: + name: cpu + target: + averageUtilization: 468 + type: Utilization + type: Resource + - resource: + name: memory + target: + averageUtilization: 256 + type: Utilization + type: Resource + minReplicas: 224 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: 3um +-- testdata/case-049.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: + 5bpPp: ponDVyZ + Ml1: "" + lt: 6VN8BRlJd + creationTimestamp: null + labels: + 0HYkOrz: JCwpSW + 0TgDztQSY: P + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 8dJzE + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + ztm: qegfb80 + name: z12W + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + 0HYkOrz: JCwpSW + 0TgDztQSY: P + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 8dJzE + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + ztm: qegfb80 + name: 0BIfuN +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: SBJl + kafka-sasl-aws-msk-iam-secret-key: INqD5 + kafka-sasl-password: 78E + kafka-schema-registry-password: YMuFCG7qR + kafka-schemaregistry-tls-ca: 1y5yRb6O2b + kafka-schemaregistry-tls-cert: NuhkhpMV7b + kafka-schemaregistry-tls-key: 9zcrFj + kafka-tls-ca: 0PF + kafka-tls-cert: wArD + kafka-tls-key: "" + login-github-oauth-client-secret: jdPGF7 + login-github-personal-access-token: y6xqv + login-google-groups-service-account.json: xi1j27Lipj8 + login-google-oauth-client-secret: m6FeI + login-jwt-secret: SECRETKEY + login-oidc-client-secret: zbsTootC + login-okta-client-secret: rHSfT + login-okta-directory-api-token: rOXaN + redpanda-admin-api-password: 8c + redpanda-admin-api-tls-ca: CJbHIM + redpanda-admin-api-tls-cert: uO + redpanda-admin-api-tls-key: uhB0L +type: Opaque +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + L: CP + Yf: K4waOjMg + tIYLLgy: d1szIPW6xt + creationTimestamp: null + labels: + 0HYkOrz: JCwpSW + 0TgDztQSY: P + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 8dJzE + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + ztm: qegfb80 + name: 0BIfuN + namespace: default +spec: + ports: + - name: http + port: 269 + protocol: TCP + targetPort: 479 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 8dJzE + type: IfYfRoHRG +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + BceQMZiOm: E1uakdHPkLNL + creationTimestamp: null + labels: + 0HYkOrz: JCwpSW + 0TgDztQSY: P + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 8dJzE + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + ztm: qegfb80 + name: 0BIfuN + namespace: default +spec: + replicas: null + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 8dJzE + strategy: + rollingUpdate: {} + type: 擺m鷾DžPĨ + template: + metadata: + annotations: + "": cuRn + checksum/config: 74234e98afe7498fb5daf1f36ac2d78acc339464f950703b8c019892f982b90b + qBdeU: EQv + creationTimestamp: null + labels: + O2n4u: kpFpu + app.kubernetes.io/instance: console + app.kubernetes.io/name: 8dJzE + g1c: XEOMg + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: L + operator: 域%Ɠ礇!ʘl.ǷŠ该貹&N + values: + - oAk8rvkey + - Fb08GpumY + - key: YJGr + operator: '|4\i事!ų藦x鳜Ǫ' + values: + - 63Yvc + - key: j + operator: ¸瀖čņ!彅搀 + values: + - RnzdW + - Nxs + - unZuno + matchFields: + - key: wLP0QqdHBmd9e + operator: ȑwȼ嶢vC`ȖĜƐ桡牆ēIa,謧ŗ + - key: mdgmMZ + operator: Ō§ȶƔ>#Z骻5S洝岛Ċ啞. + values: + - Fvf6 + - key: GQsV + operator: 涥ȕêȩȋ婍0毙舺糩\DŽŅ饒 + values: + - XccQkxG + weight: -1172839714 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: JpS0BkW + operator: 聣耥ʒ昼|Ȏ)ß瞖a癨櫒缮{v + - key: HLL3gv + operator: 铡ÞC腢z蟒Á + - key: iDGQV8Bjyu5Q + operator: 舢脛歛ƻ68 + values: + - eLCH7Nc + - QQqPUN + - "" + matchFields: + - key: AY2q9fnL + operator: ȏ伌鎩5桀ʁ + values: + - Uac + - K0q + - bY71A + - key: rBwZz + operator: '*ĴȉǼ矼SN]ʛ源' + values: + - 5yMkn + - key: S1C + operator: ÿƙ彋,嘲樦 + values: + - OXH + - vl1 + - uCYaO8Cn + - {} + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: mZ3rAF9 + operator: yŲĺȫ阁笵W®詃Œ + values: + - bhvFz + - key: uiaNXZcXT + operator: "" + - key: AAM + operator: 閸鬼駝洁c奊(Ƅ謍MǍ辰T堍癩)丗 + values: + - "9" + - ESiN3 + matchLabels: + kCSDZtsm5: vVk + oBlyCq: jlh + matchLabelKeys: + - BCZ8FFbh + - A + namespaceSelector: + matchExpressions: + - key: Lsf + operator: L + values: + - a0HB + - C + - key: eoj6ic3 + operator: ż伌oA汄俔ɿ7巪娻% + matchLabels: + Cx: wwPPM + namespaces: + - 9xhG + - JAutZqe4gGeuf + - "" + topologyKey: 1a + weight: 223935020 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: LtGRhs + operator: 棺ǔ'ɘ砒Æ擑Ɵģ + values: + - GhM4BSJqNOf + matchLabels: + "": 7Ni + matchLabelKeys: + - yxF4 + - 22RoWr + - etRteovEh9 + mismatchLabelKeys: + - 7NOfe + namespaceSelector: + matchExpressions: + - key: 3KCX2 + operator: 臞ʀ¯弄Ɨ橎琜ġ鍳¶ȣ2墛.ɮ濎ɕ磞 + values: + - 5YiE0xEC + - 4spxMd + - vUPA + matchLabels: + YHIq: nS + topologyKey: F4 + weight: 716052627 + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: "9" + operator: ĠƑȥ兾3ŶJ + - key: pPvuyWZ + operator: ;bļo刲+圊}MǏŅ惤ć + values: + - 9pMXT + - Ezwo11 + matchLabels: + 66347W: ccFxZoF9 + X: VrN5kt + mismatchLabelKeys: + - u4LyY1 + - zT + namespaceSelector: + matchExpressions: + - key: qwhutJo + operator: 垴ǞƼ + matchLabels: + OFxMkYx: lhxtM + topologyKey: WN8qbUgigF + weight: -1609734055 + - podAffinityTerm: + labelSelector: {} + matchLabelKeys: + - "" + mismatchLabelKeys: + - XnhP + - "" + - Bk + namespaceSelector: + matchExpressions: + - key: M + operator: Ǽ糨ʡ毺Ɇw + values: + - ntvI + - vs + matchLabels: + "4": 2Y2FBpcbg + namespaces: + - 1S8c + topologyKey: jxiZ4d + weight: 1993833508 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: EpKkdimp + operator: 额ƀ箰L禼aÅ顙)C舉 + - key: e2Zu7Kb + operator: t潱髦pö鵺b澁6銹 + values: + - z9n + - LdMQ + - r + matchLabels: + F: Nc + Qa2h5toVwd: GGxZ3BQ + l: Z6Rh + matchLabelKeys: + - LsCC + - dgmxxZW + mismatchLabelKeys: + - e + - Cb + - e0DAEluN + namespaceSelector: + matchLabels: + oJ56D: 33m + tkP8tO: mIkfyE6E + namespaces: + - VxN + - hbwB9 + - t + topologyKey: qag0unul + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: KAFKA_SASL_PASSWORD + valueFrom: + secretKeyRef: + key: kafka-sasl-password + name: 0BIfuN + - name: KAFKA_PROTOBUF_GIT_BASICAUTH_PASSWORD + valueFrom: + secretKeyRef: + key: kafka-protobuf-git-basicauth-password + name: 0BIfuN + - name: KAFKA_SASL_AWSMSKIAM_SECRETKEY + valueFrom: + secretKeyRef: + key: kafka-sasl-aws-msk-iam-secret-key + name: 0BIfuN + - name: KAFKA_TLS_CAFILEPATH + value: /etc/console/secrets/kafka-tls-ca + - name: KAFKA_TLS_CERTFILEPATH + value: /etc/console/secrets/kafka-tls-cert + - name: KAFKA_SCHEMAREGISTRY_TLS_CAFILEPATH + value: /etc/console/secrets/kafka-schemaregistry-tls-ca + - name: KAFKA_SCHEMAREGISTRY_TLS_CERTFILEPATH + value: /etc/console/secrets/kafka-schemaregistry-tls-cert + - name: KAFKA_SCHEMAREGISTRY_TLS_KEYFILEPATH + value: /etc/console/secrets/kafka-schemaregistry-tls-key + - name: KAFKA_SCHEMAREGISTRY_PASSWORD + valueFrom: + secretKeyRef: + key: kafka-schema-registry-password + name: 0BIfuN + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: 0BIfuN + - name: LOGIN_GOOGLE_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-google-oauth-client-secret + name: 0BIfuN + - name: LOGIN_GOOGLE_DIRECTORY_SERVICEACCOUNTFILEPATH + value: /etc/console/secrets/login-google-groups-service-account.json + - name: LOGIN_GITHUB_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-github-oauth-client-secret + name: 0BIfuN + - name: LOGIN_GITHUB_DIRECTORY_PERSONALACCESSTOKEN + valueFrom: + secretKeyRef: + key: login-github-personal-access-token + name: 0BIfuN + - name: LOGIN_OKTA_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-okta-client-secret + name: 0BIfuN + - name: LOGIN_OKTA_DIRECTORY_APITOKEN + valueFrom: + secretKeyRef: + key: login-okta-directory-api-token + name: 0BIfuN + - name: LOGIN_OIDC_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-oidc-client-secret + name: 0BIfuN + - name: REDPANDA_ADMINAPI_PASSWORD + valueFrom: + secretKeyRef: + key: redpanda-admin-api-password + name: 0BIfuN + - name: REDPANDA_ADMINAPI_TLS_CAFILEPATH + value: /etc/console/secrets/redpanda-admin-api-tls-ca + - name: REDPANDA_ADMINAPI_TLS_KEYFILEPATH + value: /etc/console/secrets/redpanda-admin-api-tls-key + - name: REDPANDA_ADMINAPI_TLS_CERTFILEPATH + value: /etc/console/secrets/redpanda-admin-api-tls-cert + envFrom: + - configMapRef: + name: GTjM + optional: true + prefix: GSbKp + secretRef: + name: vhsV8Pl5 + optional: true + - configMapRef: + name: cvXs + optional: false + prefix: cBFtb + secretRef: + name: x9N + optional: false + - configMapRef: + name: rDSrOmdL + optional: false + prefix: 0u3 + secretRef: + name: A6PG37zBJfwNR + optional: false + image: RCYS61Exfql/8ZLfmymq:4BSL9iL + imagePullPolicy: õ鴀铑û + livenessProbe: + failureThreshold: -567921134 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -507660572 + periodSeconds: 1912372611 + successThreshold: -232304560 + timeoutSeconds: 582403024 + name: console + ports: + - containerPort: 479 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 1010917423 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -986314779 + periodSeconds: 1763110639 + successThreshold: 1473932979 + timeoutSeconds: 1291669389 + resources: + limits: + x6: "0" + requests: + eeR: "0" + l: "0" + xppI8xB: "0" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - 趩燡º嗂{踦 + - CƮ + drop: + - 殟kĔ=ņŧɋ] + privileged: false + procMount: aŻ釯fȠ埱ɺȚ + readOnlyRootFilesystem: true + runAsGroup: 4284419790643993000 + runAsNonRoot: true + runAsUser: -4828746969388386000 + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - mountPath: AQpWvptFEk7y + name: 99SgdOsZD + subPath: "" + - mountPath: p44 + name: U + subPath: "" + - mountPath: UiI + name: WFd + subPath: "" + - mountPath: De7 + mountPropagation: 1k噟霞ƁĹ + name: 1Z2WnghTc + subPath: Ts5Ful + subPathExpr: YyidD + - mountPath: onM7c3 + mountPropagation: m=Cɬ + name: GC5ZsY07Mr + readOnly: true + subPath: Xt + subPathExpr: r6gZk + - mountPath: 8gPjX7hc + mountPropagation: ƃ柅珚ȭ能 + name: oN + subPath: auYcD + subPathExpr: aheb25w + - args: + - kn0F9 + command: + - M + - Hph3 + - lZfWKF + env: + - name: HBWtNh10A + value: 8guE + valueFrom: + configMapKeyRef: + key: Chnm + name: UlwzEQ + optional: false + fieldRef: + apiVersion: 8pq9 + fieldPath: qpnfP4p + resourceFieldRef: + divisor: "0" + resource: L0tn + secretKeyRef: + key: J + name: gbfgF + optional: true + envFrom: + - configMapRef: + name: n32MM + optional: true + prefix: cp3 + secretRef: + name: Uc + optional: true + - configMapRef: + name: VGBL + optional: true + prefix: NTMU + secretRef: + name: CEg + optional: true + image: zIWYBi7 + imagePullPolicy: 蘂ȱʃ& + lifecycle: + postStart: + exec: + command: + - QpTcv + - MS0T0N + - wiE + httpGet: + host: ZCUJOIH + path: UsXT + port: 8nExSP2u + scheme: 'uŊ6熀: 焆 烷ʫ-Ŗ亾ɣʖ氝"肰' + sleep: + seconds: -2519616411083819500 + preStop: + exec: + command: + - rmQ7 + - GxRXQk + httpGet: + host: UIVpXMrzW + path: 4tHQ + port: 8xLK1VyM + scheme: ƳǃóɃȊ{回żz闓葊G嚥 + sleep: + seconds: 3595323074300269600 + livenessProbe: + exec: {} + failureThreshold: -882825879 + grpc: + port: 503069299 + service: W + httpGet: + host: FilCCd + path: NPZrCEq + port: 6NoPho8wIsxe + scheme: āȹ顺悩錣Xƕ灄ĿG乒 + initialDelaySeconds: 781680731 + periodSeconds: 205458 + successThreshold: 1115648780 + terminationGracePeriodSeconds: 4579765768791485400 + timeoutSeconds: -676867842 + name: 2tf + readinessProbe: + exec: + command: + - edKf + - 0U + - MFr2Oh + failureThreshold: 1812906550 + grpc: + port: -791379232 + service: IAqADBco + httpGet: + host: 55GZ + path: AQC + port: sxTXcp + scheme: ƷMg靚珨嘸ȗʒ鑉Ȝ梒ŗǐkōĕĵ鞍 + initialDelaySeconds: -130429301 + periodSeconds: 876742351 + successThreshold: -1424043483 + terminationGracePeriodSeconds: -1574530902871555300 + timeoutSeconds: 764935409 + resources: + limits: + 9eHi: "0" + rO52puR: "0" + requests: + UF8LV7N: "0" + ao: "0" + cRVsAz8v: "0" + restartPolicy: ɥ]×璳 + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - ɖ膵7&ʞíXĦx-ǰİɾ榩聨ŗ% + - DŽ熲鴼玜覲杷ȆƠ沺伤{拢 + - ɉȋʠRÂo霾噜奩ƻv$Áő + drop: + - ɑ摿愻J«ʘA宜ƹ¶ + - 餫aJ矐sǁ隑z36渢X赼 + - )ǜ鄰挺溒ŒV栜Ù涸JH-_d + privileged: false + procMount: Ito縎 + readOnlyRootFilesystem: false + runAsGroup: 2484782727894659600 + runAsNonRoot: false + runAsUser: -6936271037843915000 + startupProbe: + exec: + command: + - X + failureThreshold: -256045507 + grpc: + port: 376282302 + service: wdQrDn0 + httpGet: + host: teaO6 + path: DBHpGkYdgAJ + port: -1625640156 + scheme: Ʌ + initialDelaySeconds: 673272264 + periodSeconds: -1050905915 + successThreshold: 282500457 + terminationGracePeriodSeconds: 5768805478519710000 + timeoutSeconds: -601307290 + stdinOnce: true + terminationMessagePath: POO + terminationMessagePolicy: '#d鿂Hk閎=ɰ蜐ġOʡ蠁żǖ' + tty: true + workingDir: Z3pdGL + - args: + - a7Tqs + - UuID5t + - gRCnbjyp + env: + - name: ZV1KP + value: WrT0 + valueFrom: + configMapKeyRef: + key: zZzTgax + name: 3z3eoets + optional: true + fieldRef: + apiVersion: 88zo + fieldPath: z0vE72 + resourceFieldRef: + containerName: DF4t + divisor: "0" + resource: hfVfYFW4 + secretKeyRef: + key: I6JwpO5 + name: I88w22gsx3 + optional: true + - name: z8 + value: sgj8UHZ + valueFrom: + configMapKeyRef: + key: Q85vN + name: lYGl4 + optional: true + fieldRef: + apiVersion: oQu7 + fieldPath: TYd + resourceFieldRef: + containerName: "Y" + divisor: "0" + resource: Yx + secretKeyRef: + key: f + name: 0Pjf9YBj + optional: false + envFrom: + - configMapRef: + name: fAH + optional: false + prefix: vjjU + secretRef: + name: 9A8OgEQ9 + optional: false + image: R7L + imagePullPolicy: '}m6铤<豎ŵ,#M狥ʬo' + lifecycle: + postStart: + exec: + command: + - 2E + - gzntg + httpGet: + host: BOoVI + path: ns7ZMdNwQC + port: XF + scheme: ky咊ʅ ʂ娼ȟƐ橽ǿ唔ARɨ罙 + sleep: + seconds: -3978858376823544000 + preStop: + exec: + command: + - Hns + httpGet: + host: Lw8 + path: wdo + port: -239095421 + scheme: ƹ禍OÇ + sleep: + seconds: 3838288160382434000 + livenessProbe: + exec: + command: + - 8E + failureThreshold: -1052479375 + grpc: + port: 82058135 + service: S3UA2HwQaN + httpGet: + host: T0 + path: wYV6 + port: cEf + scheme: 斡1{嘫b葎剜屙唯皎図Ǜ錮ơxȒt駦Ƨ + initialDelaySeconds: -1976610733 + periodSeconds: 436460884 + successThreshold: -949159248 + terminationGracePeriodSeconds: 1786907735670591200 + timeoutSeconds: -2035324376 + name: 0ygO + readinessProbe: + exec: + command: + - "" + - YQ + failureThreshold: 1469514474 + grpc: + port: -1835111333 + service: 5WmTypZfT + httpGet: + host: BDf + path: ZY + port: tyrBXIqhX + scheme: 趬扬鉰昵 + initialDelaySeconds: -683847692 + periodSeconds: -95594828 + successThreshold: -1707399501 + terminationGracePeriodSeconds: 3256417681193515500 + timeoutSeconds: -2088454060 + resources: + limits: + zVX: "0" + restartPolicy: 晄d塮@ʥO%驮ÆgǍô + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ' 吓zǘa畷' + - 鲃ʍ瑘ƴɛjV艑ǔpMK杣Ġ + privileged: true + procMount: zɱÙŭǫäƿ诧聉ń醽Ƥ裩5 + readOnlyRootFilesystem: true + runAsGroup: -2381715627246700500 + runAsNonRoot: false + runAsUser: 6590063474480016000 + startupProbe: + exec: + command: + - "9" + - oRMM2F + - "" + failureThreshold: -1711876939 + grpc: + port: 1138187974 + service: OvdS + httpGet: + host: GZWJ + path: vzJeBCvGMHn7 + port: h9p1Pak + initialDelaySeconds: 447733263 + periodSeconds: 1805541821 + successThreshold: -1114184264 + terminationGracePeriodSeconds: 2730048172651207700 + timeoutSeconds: -1850805595 + terminationMessagePath: GK8 + terminationMessagePolicy: ɾDŽ÷郃ɻ玗璺,4 + volumeDevices: + - devicePath: bLf + name: UVN1o + - devicePath: fIT + name: Qiswb + - devicePath: 9b8i + name: h1 + workingDir: 1IOT + imagePullSecrets: + - name: h5x + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: + ra78: fJ + priorityClassName: JhGfjGXQ + securityContext: + fsGroup: 6449559755791186000 + fsGroupChangePolicy: 慩梱ʂcƎƱ\火ɘ²ɉ_ + runAsGroup: 841256803887707600 + runAsNonRoot: true + runAsUser: -2824253868920734700 + supplementalGroups: + - 8145086042470337000 + - -5005570809576723000 + serviceAccountName: z12W + tolerations: + - key: ka + tolerationSeconds: 2857628758439265300 + value: Ohni9QGx + topologySpreadConstraints: + - labelSelector: + matchLabels: + 3Ym: o2h5aVp + yR4PPZO: 3X + matchLabelKeys: + - vCKujB + - UqCFKCN + - Xnjfai + maxSkew: -943395897 + minDomains: 1955399000 + nodeAffinityPolicy: 噙撢馥櫱m>Q脕擏w梪 + nodeTaintsPolicy: 蝚溄鑝刉=歱Mr踄 + topologyKey: cHyq + whenUnsatisfiable: Q輒ƗȈʑǯƐ| + - labelSelector: + matchLabels: + E: lyK5b9t + UuSjduy: NcK4 + fty: iP6ai + maxSkew: 1881677866 + minDomains: -561571142 + nodeAffinityPolicy: ȫ寴ī嘌.樥'ǹs + nodeTaintsPolicy: ɇ剀ǨUǜ!俛dz餂~匹呃 + topologyKey: pCHj + whenUnsatisfiable: 尘I:Ƒ匌,騸 + volumes: + - configMap: + name: 0BIfuN + name: configs + - name: secrets + secret: + secretName: 0BIfuN + - name: 99SgdOsZD + secret: + defaultMode: 500 + secretName: B6Fq + - name: U + secret: + defaultMode: 337 + secretName: DddF02 + - name: WFd + secret: + defaultMode: 246 + secretName: tz +--- +# Source: console/templates/hpa.yaml +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + creationTimestamp: null + labels: + 0HYkOrz: JCwpSW + 0TgDztQSY: P + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 8dJzE + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + ztm: qegfb80 + name: 0BIfuN +spec: + maxReplicas: 292 + metrics: + - resource: + name: cpu + target: + averageUtilization: 255 + type: Utilization + type: Resource + - resource: + name: memory + target: + averageUtilization: 99 + type: Utilization + type: Resource + minReplicas: 381 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: 0BIfuN +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "0BIfuN-test-connection" + namespace: "default" + labels: + 0HYkOrz: JCwpSW + 0TgDztQSY: P + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 8dJzE + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + ztm: qegfb80 + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - name: h5x + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['0BIfuN:269'] + restartPolicy: Never + priorityClassName: JhGfjGXQ +-- testdata/console-config-listen-and-target-port.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + server: + listenPort: 3333 +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 4444 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + strategy: {} + template: + metadata: + annotations: + checksum/config: f57fffad24d8562b91b674515ee68bfe758dbbfe634dcd2bb3497934f70538c9 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: console + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 3333 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: "" + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: console + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: console + name: configs + - name: secrets + secret: + secretName: console +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "console-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['console:8080'] + restartPolicy: Never + priorityClassName: +-- testdata/console-config-listen-port.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + server: + listenPort: 3333 +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + strategy: {} + template: + metadata: + annotations: + checksum/config: f57fffad24d8562b91b674515ee68bfe758dbbfe634dcd2bb3497934f70538c9 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: console + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 3333 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: "" + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: console + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: console + name: configs + - name: secrets + secret: + secretName: console +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "console-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['console:8080'] + restartPolicy: Never + priorityClassName: +-- testdata/console-with-role-bindings.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + role-bindings.yaml: |- + roleBindings: + - metadata: + name: Redpanda POC + roleName: admin + subjects: + - kind: user + name: e2euser + provider: Plain +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + strategy: {} + template: + metadata: + annotations: + checksum/config: fb8e6e138b819f5ea3ae5c413e14f624501b139f2294e15c4f188ec463049755 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: console + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: "" + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: console + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: console + name: configs + - name: secrets + secret: + secretName: console +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "console-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['console:8080'] + restartPolicy: Never + priorityClassName: +-- testdata/console-with-roles-and-bindings.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + role-bindings.yaml: |- + roleBindings: + - metadata: + name: Redpanda POC + roleName: admin + subjects: + - kind: user + name: e2euser + provider: Plain + roles.yaml: |- + roles: + - name: my-role + permissions: + - allowedActions: + - '*' + excludes: + - '*' + includes: + - '*' + resource: 1234 +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + strategy: {} + template: + metadata: + annotations: + checksum/config: a586a304567f15fd4a79d95e15044439368fd8985e42a1a93cdcb6d0b540ed57 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: console + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: "" + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: console + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: console + name: configs + - name: secrets + secret: + secretName: console +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "console-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['console:8080'] + restartPolicy: Never + priorityClassName: +-- testdata/console-with-roles.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + roles.yaml: |- + roles: + - name: my-role + permissions: + - allowedActions: + - '*' + excludes: + - '*' + includes: + - '*' + resource: 1234 +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + strategy: {} + template: + metadata: + annotations: + checksum/config: 1afc8dfaddbbe103d0707800bfc71b4cc8f14e12334b3e22484d2b73ef5d57c0 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: console + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: "" + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: console + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: console + name: configs + - name: secrets + secret: + secretName: console +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "console-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['console:8080'] + restartPolicy: Never + priorityClassName: +-- testdata/custom-tag-no-registry.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + strategy: {} + template: + metadata: + annotations: + checksum/config: 4f717eb67ef3f4c7e8737af0264bfe0922c76494c9ee31f7f52c63a13b02de86 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: console + envFrom: [] + image: redpandadata/console:my-custom-tag + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: "" + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: console + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: console + name: configs + - name: secrets + secret: + secretName: console +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "console-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['console:8080'] + restartPolicy: Never + priorityClassName: +-- testdata/default-values.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + strategy: {} + template: + metadata: + annotations: + checksum/config: 4f717eb67ef3f4c7e8737af0264bfe0922c76494c9ee31f7f52c63a13b02de86 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: console + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: "" + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: console + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: console + name: configs + - name: secrets + secret: + secretName: console +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "console-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['console:8080'] + restartPolicy: Never + priorityClassName: +-- testdata/extra-init-containers.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + strategy: {} + template: + metadata: + annotations: + checksum/config: 4f717eb67ef3f4c7e8737af0264bfe0922c76494c9ee31f7f52c63a13b02de86 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: console + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: + - args: + - |- + set -xe + echo "Hello 3!" + command: + - /bin/bash + - -c + image: mintel/docker-alpine-bash-curl-jq:latest + name: test-init-container + nodeSelector: {} + priorityClassName: "" + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: console + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: console + name: configs + - name: secrets + secret: + secretName: console +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "console-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['console:8080'] + restartPolicy: Never + priorityClassName: +-- testdata/ingress-templating.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + strategy: {} + template: + metadata: + annotations: + checksum/config: 4f717eb67ef3f4c7e8737af0264bfe0922c76494c9ee31f7f52c63a13b02de86 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: console + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: "" + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: console + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: console + name: configs + - name: secrets + secret: + secretName: console +--- +# Source: console/templates/ingress.yaml +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + ingress: test + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +spec: + ingressClassName: null + rules: + - host: '"a-host"' + http: + paths: + - backend: + service: + name: console + port: + number: 8080 + path: / + pathType: Exact + tls: + - hosts: + - '"blah"' + secretName: my-secret +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "console-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['console:8080'] + restartPolicy: Never + priorityClassName: +-- testdata/no-registry.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + strategy: {} + template: + metadata: + annotations: + checksum/config: 4f717eb67ef3f4c7e8737af0264bfe0922c76494c9ee31f7f52c63a13b02de86 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: console + envFrom: [] + image: redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: "" + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: console + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: console + name: configs + - name: secrets + secret: + secretName: console +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "console-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['console:8080'] + restartPolicy: Never + priorityClassName: +-- testdata/service-nodeport.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 2000 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: NodePort +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + strategy: {} + template: + metadata: + annotations: + checksum/config: 4f717eb67ef3f4c7e8737af0264bfe0922c76494c9ee31f7f52c63a13b02de86 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: console + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 2000 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: "" + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: console + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: console + name: configs + - name: secrets + secret: + secretName: console +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "console-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['console:8080'] + restartPolicy: Never + priorityClassName: +-- testdata/service-with-nodeport.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + hello: world + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + ports: + - name: http + nodePort: 1000 + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: NodePort +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + strategy: {} + template: + metadata: + annotations: + checksum/config: 4f717eb67ef3f4c7e8737af0264bfe0922c76494c9ee31f7f52c63a13b02de86 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: console + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: "" + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: console + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: console + name: configs + - name: secrets + secret: + secretName: console +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "console-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['console:8080'] + restartPolicy: Never + priorityClassName: diff --git a/charts/redpanda/redpanda/5.9.5/charts/console/testdata/template-cases.txtar b/charts/redpanda/redpanda/5.9.5/charts/console/testdata/template-cases.txtar new file mode 100644 index 000000000..804cca4a6 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/console/testdata/template-cases.txtar @@ -0,0 +1,136 @@ +Manually crafted test cases for TestTemplate +-- default-values -- +# Intentionally left blank. (test of default values) + +-- console-with-roles -- +# console.roles specified +console: + roles: + - name: my-role + permissions: + - resource: 1234 + includes: + - "*" + excludes: + - "*" + allowedActions: ["*"] + +-- console-with-role-bindings -- +# console.roleBindings specified +console: + roleBindings: + - roleName: admin + metadata: + name: Redpanda POC + subjects: + - kind: user + provider: Plain + name: "e2euser" + +-- console-with-roles-and-bindings -- +# console.roles and console.roleBindings both specified +console: + roles: + - name: my-role + permissions: + - resource: 1234 + includes: + - "*" + excludes: + - "*" + allowedActions: ["*"] + roleBindings: + - roleName: admin + metadata: + name: Redpanda POC + subjects: + - kind: user + provider: Plain + name: "e2euser" + +-- autoscaling-nulls -- +# Autoscaling w/ explicit nulls +autoscaling: + enabled: true + targetCPUUtilizationPercentage: null + targetMemoryUtilizationPercentage: null + +-- autoscaling-cpu -- +# Autoscaling w/ memory no cpu +autoscaling: + enabled: true + targetCPUUtilizationPercentage: null + targetMemoryUtilizationPercentage: 10 + +-- autoscaling-memory -- +# Autoscaling w/ cpu no memory +autoscaling: + enabled: true + targetCPUUtilizationPercentage: 14 + targetMemoryUtilizationPercentage: null + +-- service-nodeport -- +# Service type NodePort +service: + type: "NodePort" + targetPort: 2000 + +-- service-with-nodeport -- +# Service w/ NodePort +service: + type: "NodePort" + nodePort: 1000 + annotations: + hello: world + +-- ingress-templating -- +ingress: + enabled: true + annotations: + ingress: test + hosts: + - host: '{{ "a-host" | quote }}' + paths: + - path: / + pathType: Exact + tls: + - secretName: my-secret + hosts: + - '{{ "blah" | quote }}' + +-- no-registry -- +image: + registry: "" + +-- custom-tag-no-registry -- +image: + registry: "" + tag: my-custom-tag + +-- console-config-listen-port -- +console: + config: + server: + listenPort: 3333 + +-- console-config-listen-and-target-port -- +service: + targetPort: 4444 +console: + config: + server: + listenPort: 3333 + +-- extra-init-containers -- +# NB: Many of the generated tests have an invalid value for extraInitContainers +# as it's just a string and render an error message. This case showcases what +# valid YAML looks like. +initContainers: + extraInitContainers: |- + - name: {{ "test-init-container" | quote }} + image: "mintel/docker-alpine-bash-curl-jq:latest" + command: [ "/bin/bash", "-c" ] + args: + - | + set -xe + echo "Hello {{ add 1 2 }}!" diff --git a/charts/redpanda/redpanda/5.9.5/charts/console/values.go b/charts/redpanda/redpanda/5.9.5/charts/console/values.go new file mode 100644 index 000000000..0a855af59 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/console/values.go @@ -0,0 +1,215 @@ +// +gotohelm:ignore=true +package console + +import ( + _ "embed" + + appsv1 "k8s.io/api/apps/v1" + corev1 "k8s.io/api/core/v1" + networkingv1 "k8s.io/api/networking/v1" +) + +var ( + //go:embed values.yaml + DefaultValuesYAML []byte + + //go:embed values.schema.json + ValuesSchemaJSON []byte +) + +type Values struct { + ReplicaCount int32 `json:"replicaCount"` + Image Image `json:"image"` + ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets"` + NameOverride string `json:"nameOverride"` + FullnameOverride string `json:"fullnameOverride"` + AutomountServiceAccountToken bool `json:"automountServiceAccountToken"` + ServiceAccount ServiceAccountConfig `json:"serviceAccount"` + CommonLabels map[string]string `json:"commonLabels"` + Annotations map[string]string `json:"annotations"` + PodAnnotations map[string]string `json:"podAnnotations"` + PodLabels map[string]string `json:"podLabels"` + PodSecurityContext corev1.PodSecurityContext `json:"podSecurityContext"` + SecurityContext corev1.SecurityContext `json:"securityContext"` + Service ServiceConfig `json:"service"` + Ingress IngressConfig `json:"ingress"` + Resources corev1.ResourceRequirements `json:"resources"` + Autoscaling AutoScaling `json:"autoscaling"` + NodeSelector map[string]string `json:"nodeSelector"` + Tolerations []corev1.Toleration `json:"tolerations"` + Affinity corev1.Affinity `json:"affinity"` + TopologySpreadConstraints []corev1.TopologySpreadConstraint `json:"topologySpreadConstraints"` + PriorityClassName string `json:"priorityClassName"` + Console Console `json:"console"` + ExtraEnv []corev1.EnvVar `json:"extraEnv"` + ExtraEnvFrom []corev1.EnvFromSource `json:"extraEnvFrom"` + ExtraVolumes []corev1.Volume `json:"extraVolumes"` + ExtraVolumeMounts []corev1.VolumeMount `json:"extraVolumeMounts"` + ExtraContainers []corev1.Container `json:"extraContainers"` + InitContainers InitContainers `json:"initContainers"` + SecretMounts []SecretMount `json:"secretMounts"` + Secret SecretConfig `json:"secret"` + Enterprise Enterprise `json:"enterprise"` + LivenessProbe corev1.Probe `json:"livenessProbe"` + ReadinessProbe corev1.Probe `json:"readinessProbe"` + ConfigMap Creatable `json:"configmap"` + Deployment DeploymentConfig `json:"deployment"` + Strategy appsv1.DeploymentStrategy `json:"strategy"` + Tests Enableable `json:"tests"` +} + +type DeploymentConfig struct { + Create bool `json:"create"` + Command []string `json:"command,omitempty"` + ExtraArgs []string `json:"extraArgs,omitempty"` +} + +type Enterprise struct { + LicenseSecretRef SecretKeyRef `json:"licenseSecretRef"` +} + +type ServiceAccountConfig struct { + Create bool `json:"create"` + AutomountServiceAccountToken bool `json:"automountServiceAccountToken"` + Annotations map[string]string `json:"annotations"` + Name string `json:"name"` +} + +type ServiceConfig struct { + Type corev1.ServiceType `json:"type"` + Port int32 `json:"port"` + NodePort *int32 `json:"nodePort,omitempty"` + TargetPort *int32 `json:"targetPort"` + Annotations map[string]string `json:"annotations"` +} + +type IngressConfig struct { + Enabled bool `json:"enabled"` + ClassName *string `json:"className"` + Annotations map[string]string `json:"annotations"` + Hosts []IngressHost `json:"hosts"` + TLS []networkingv1.IngressTLS `json:"tls"` +} + +type IngressHost struct { + Host string `json:"host"` + Paths []IngressPath `json:"paths"` +} + +type IngressPath struct { + Path string `json:"path"` + PathType *networkingv1.PathType `json:"pathType"` +} + +type AutoScaling struct { + Enabled bool `json:"enabled"` + MinReplicas int32 `json:"minReplicas"` + MaxReplicas int32 `json:"maxReplicas"` + TargetCPUUtilizationPercentage *int32 `json:"targetCPUUtilizationPercentage"` + TargetMemoryUtilizationPercentage *int32 `json:"targetMemoryUtilizationPercentage,omitempty"` +} + +// TODO the typing of these values are unclear. All of them get marshalled to +// YAML and then run through tpl which gives no indication of what they are +// aside from YAML marshal-able. +type Console struct { + Config map[string]any `json:"config"` + Roles []map[string]any `json:"roles,omitempty"` + RoleBindings []map[string]any `json:"roleBindings,omitempty"` +} + +type InitContainers struct { + ExtraInitContainers *string `json:"extraInitContainers"` // XXX Templated YAML +} + +type SecretConfig struct { + Create bool `json:"create"` + Kafka KafkaSecrets `json:"kafka"` + Login LoginSecrets `json:"login"` + Enterprise EnterpriseSecrets `json:"enterprise"` + Redpanda RedpandaSecrets `json:"redpanda"` +} + +type SecretMount struct { + Name string `json:"name"` + SecretName string `json:"secretName"` + Path string `json:"path"` + SubPath *string `json:"subPath,omitempty"` + DefaultMode *int32 `json:"defaultMode"` +} + +type KafkaSecrets struct { + SASLPassword *string `json:"saslPassword,omitempty"` + AWSMSKIAMSecretKey *string `json:"awsMskIamSecretKey,omitempty"` + TLSCA *string `json:"tlsCa,omitempty"` + TLSCert *string `json:"tlsCert,omitempty"` + TLSKey *string `json:"tlsKey,omitempty"` + TLSPassphrase *string `json:"tlsPassphrase,omitempty"` + SchemaRegistryPassword *string `json:"schemaRegistryPassword,omitempty"` + SchemaRegistryTLSCA *string `json:"schemaRegistryTlsCa,omitempty"` + SchemaRegistryTLSCert *string `json:"schemaRegistryTlsCert,omitempty"` + SchemaRegistryTLSKey *string `json:"schemaRegistryTlsKey,omitempty"` + ProtobufGitBasicAuthPassword *string `json:"protobufGitBasicAuthPassword,omitempty"` +} + +type LoginSecrets struct { + JWTSecret string `json:"jwtSecret"` + Google GoogleLoginSecrets `json:"google"` + Github GithubLoginSecrets `json:"github"` + Okta OktaLoginSecrets `json:"okta"` + OIDC OIDCLoginSecrets `json:"oidc"` +} + +type GoogleLoginSecrets struct { + ClientSecret *string `json:"clientSecret,omitempty"` + GroupsServiceAccount *string `json:"groupsServiceAccount,omitempty"` +} + +type GithubLoginSecrets struct { + ClientSecret *string `json:"clientSecret,omitempty"` + PersonalAccessToken *string `json:"personalAccessToken,omitempty"` +} + +type OktaLoginSecrets struct { + ClientSecret *string `json:"clientSecret,omitempty"` + DirectoryAPIToken *string `json:"directoryApiToken,omitempty"` +} + +type OIDCLoginSecrets struct { + ClientSecret *string `json:"clientSecret,omitempty"` +} + +type EnterpriseSecrets struct { + License *string `json:"License,omitempty"` +} + +type RedpandaSecrets struct { + AdminAPI RedpandaAdminAPISecrets `json:"adminApi"` +} + +type RedpandaAdminAPISecrets struct { + Password *string `json:"password,omitempty"` + TLSCA *string `json:"tlsCa,omitempty"` + TLSCert *string `json:"tlsCert,omitempty"` + TLSKey *string `json:"tlsKey,omitempty"` +} + +type SecretKeyRef struct { + Name string `json:"name"` + Key string `json:"key"` +} + +type Enableable struct { + Enabled bool `json:"enabled"` +} + +type Creatable struct { + Create bool `json:"create"` +} + +type Image struct { + Registry string `json:"registry"` + Repository string `json:"repository"` + PullPolicy corev1.PullPolicy `json:"pullPolicy"` + Tag *string `json:"tag"` +} diff --git a/charts/redpanda/redpanda/5.9.5/charts/console/values.schema.json b/charts/redpanda/redpanda/5.9.5/charts/console/values.schema.json new file mode 100644 index 000000000..f4f369e98 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/console/values.schema.json @@ -0,0 +1,323 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "required": [ + "image" + ], + "properties": { + "affinity": { + "type": "object" + }, + "autoscaling": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "maxReplicas": { + "type": "integer" + }, + "minReplicas": { + "type": "integer" + }, + "targetCPUUtilizationPercentage": { + "type": "integer" + } + } + }, + "configmap": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + } + } + }, + "console": { + "type": "object" + }, + "deployment": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + } + } + }, + "extraContainers": { + "type": "array" + }, + "extraEnv": { + "type": "array" + }, + "extraEnvFrom": { + "type": "array" + }, + "extraVolumeMounts": { + "type": "array" + }, + "extraVolumes": { + "type": "array" + }, + "fullnameOverride": { + "type": "string" + }, + "image": { + "type": "object", + "required": [ + "repository" + ], + "properties": { + "pullPolicy": { + "type": "string" + }, + "registry": { + "type": "string" + }, + "repository": { + "type": "string", + "minLength": 1 + }, + "tag": { + "type": "string" + } + } + }, + "imagePullSecrets": { + "type": "array" + }, + "ingress": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "className": { + "type": ["string", "null"] + }, + "enabled": { + "type": "boolean" + }, + "hosts": { + "type": "array", + "items": { + "type": "object", + "properties": { + "host": { + "type": "string" + }, + "paths": { + "type": "array", + "items": { + "type": "object", + "properties": { + "path": { + "type": "string" + }, + "pathType": { + "type": "string" + } + } + } + } + } + } + }, + "tls": { + "type": "array" + } + } + }, + "livenessProbe": { + "type": "object", + "properties": { + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + } + }, + "nameOverride": { + "type": "string" + }, + "nodeSelector": { + "type": "object" + }, + "annotations": { + "type": "object" + }, + "podAnnotations": { + "type": "object" + }, + "podSecurityContext": { + "type": "object", + "properties": { + "fsGroup": { + "type": "integer" + }, + "runAsUser": { + "type": "integer" + } + } + }, + "readinessProbe": { + "type": "object", + "properties": { + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + } + }, + "replicaCount": { + "type": "integer" + }, + "resources": { + "type": "object" + }, + "secret": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + }, + "enterprise": { + "type": "object" + }, + "kafka": { + "type": "object" + }, + "login": { + "type": "object", + "properties": { + "jwtSecret": { + "type": "string" + }, + "github": { + "type": "object" + }, + "google": { + "type": "object" + }, + "oidc": { + "type": "object" + }, + "okta": { + "type": "object" + } + } + }, + "redpanda": { + "type": "object", + "properties": { + "adminApi": { + "type": "object" + } + } + } + } + }, + "secretMounts": { + "type": "array" + }, + "securityContext": { + "type": "object", + "properties": { + "runAsNonRoot": { + "type": "boolean" + } + } + }, + "service": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "port": { + "type": "integer" + }, + "nodePort": { + "type": "integer" + }, + "targetPort": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "null" + } + ] + }, + "type": { + "type": "string" + } + } + }, + "automountServiceAccountToken": { + "type": "boolean" + }, + "serviceAccount": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "create": { + "type": "boolean" + }, + "automountServiceAccountToken": { + "type": "boolean" + }, + "name": { + "type": "string" + } + } + }, + "tolerations": { + "type": "array" + }, + "initContainers": { + "type": "object", + "properties": { + "extraInitContainers": { + "type": "string" + } + } + }, + "strategy": { + "type": "object" + }, + "tests": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + } + } +} diff --git a/charts/redpanda/redpanda/5.9.5/charts/console/values.yaml b/charts/redpanda/redpanda/5.9.5/charts/console/values.yaml new file mode 100644 index 000000000..4825fc487 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/console/values.yaml @@ -0,0 +1,279 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Default values for console. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 1 + +# -- Redpanda Console Docker image settings. +image: + registry: docker.redpanda.com + # -- Docker repository from which to pull the Redpanda Docker image. + repository: redpandadata/console + # -- The imagePullPolicy. + pullPolicy: IfNotPresent + # -- The Redpanda Console version. + # See DockerHub for: + # [All stable versions](https://hub.docker.com/r/redpandadata/console/tags) + # and [all unstable versions](https://hub.docker.com/r/redpandadata/console-unstable/tags). + # @default -- `Chart.appVersion` + tag: "" + +# -- Pull secrets may be used to provide credentials to image repositories +# See https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ +imagePullSecrets: [] + +# -- Override `console.name` template. +nameOverride: "" +# -- Override `console.fullname` template. +fullnameOverride: "" + +# -- Automount API credentials for the Service Account into the pod. +automountServiceAccountToken: true + +serviceAccount: + # -- Specifies whether a service account should be created. + create: true + # -- Specifies whether a service account should automount API-Credentials + automountServiceAccountToken: true + # -- Annotations to add to the service account. + annotations: {} + # -- The name of the service account to use. + # If not set and `serviceAccount.create` is `true`, + # a name is generated using the `console.fullname` template + name: "" + +# Common labels to add to all the pods +commonLabels: {} + +# -- Annotations to add to the deployment. +annotations: {} + +podAnnotations: {} + +podLabels: {} + +podSecurityContext: + runAsUser: 99 + fsGroup: 99 + +securityContext: + runAsNonRoot: true + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +service: + type: ClusterIP + port: 8080 + # nodePort: 30001 + # -- Override the value in `console.config.server.listenPort` if not `nil` + targetPort: + annotations: {} + +ingress: + enabled: false + className: + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: chart-example.local + paths: + - path: / + pathType: ImplementationSpecific + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as minikube. If you want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +topologySpreadConstraints: [] + +# -- PriorityClassName given to Pods. +# For details, +# see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass). +priorityClassName: "" + +console: + # -- Settings for the `Config.yaml` (required). + # For a reference of configuration settings, + # see the [Redpanda Console documentation](https://docs.redpanda.com/docs/reference/console/config/). + config: {} + # roles: + # roleBindings: + +# -- Additional environment variables for the Redpanda Console Deployment. +extraEnv: [] + # - name: KAFKA_RACKID + # value: "1" + +# -- Additional environment variables for Redpanda Console mapped from Secret or ConfigMap. +extraEnvFrom: [] +# - secretRef: +# name: kowl-config-secret + +# -- Add additional volumes, such as for TLS keys. +extraVolumes: [] +# - name: kafka-certs +# secret: +# secretName: kafka-certs +# - name: config +# configMap: +# name: console-config + +# -- Add additional volume mounts, such as for TLS keys. +extraVolumeMounts: [] +# - name: kafka-certs # Must match the volume name +# mountPath: /etc/kafka/certs +# readOnly: true + +# -- Add additional containers, such as for oauth2-proxy. +extraContainers: [] + +# -- Any initContainers defined should be written here +initContainers: + # -- Additional set of init containers + extraInitContainers: |- +# - name: "test-init-container" +# image: "mintel/docker-alpine-bash-curl-jq:latest" +# command: [ "/bin/bash", "-c" ] +# args: +# - | +# set -xe +# echo "Hello World!" + +# -- SecretMounts is an abstraction to make a Secret available in the container's filesystem. +# Under the hood it creates a volume and a volume mount for the Redpanda Console container. +secretMounts: [] +# - name: kafka-certs +# secretName: kafka-certs +# path: /etc/console/certs +# defaultMode: 0755 + +# -- Create a new Kubernetes Secret for all sensitive configuration inputs. +# Each provided Secret is mounted automatically and made available to the +# Pod. +# If you want to use one or more existing Secrets, +# you can use the `extraEnvFrom` list to mount environment variables from string and secretMounts to mount files such as Certificates from Secrets. +secret: + create: true + + # Secret values in case you want the chart to create a Secret. All Certificates are mounted + # as files and the path to those files are configured through environment variables so + # that Console can automatically pick them up. + # -- Kafka Secrets. + kafka: {} + # saslPassword: + # awsMskIamSecretKey: + # tlsCa: + # tlsCert: + # tlsKey: + # tlsPassphrase: + # schemaRegistryPassword: + # schemaRegistryTlsCa: + # schemaRegistryTlsCert: + # schemaRegistryTlsKey: + # protobufGitBasicAuthPassword + # Enterprise version secrets + # - SSO secrets (Enterprise version). + login: + # Configurable JWT value + jwtSecret: "" + google: {} + # clientSecret: + # groupsServiceAccount: + github: {} + # clientSecret: + # personalAccessToken: + okta: {} + # clientSecret: + # directoryApiToken: + oidc: {} + # clientSecret: + + enterprise: {} + # license: + + redpanda: + adminApi: {} + # password: + # tlsCa: + # tlsCert: + # tlsKey: + +# -- Settings for license key, as an alternative to secret.enterprise when +# a license secret is available +enterprise: + licenseSecretRef: + name: "" + key: "" + +# -- Settings for liveness and readiness probes. +# For details, +# see the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes). +livenessProbe: + # initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 + +readinessProbe: + # -- Grant time to test connectivity to upstream services such as Kafka and Schema Registry. + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 + +configmap: + create: true +deployment: + create: true + +strategy: {} + +tests: + enabled: true diff --git a/charts/redpanda/redpanda/5.9.5/charts/console/values_partial.gen.go b/charts/redpanda/redpanda/5.9.5/charts/console/values_partial.gen.go new file mode 100644 index 000000000..723065a25 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/charts/console/values_partial.gen.go @@ -0,0 +1,206 @@ +//go:build !generate + +// +gotohelm:ignore=true +// +// Code generated by genpartial DO NOT EDIT. +package console + +import ( + appsv1 "k8s.io/api/apps/v1" + corev1 "k8s.io/api/core/v1" + networkingv1 "k8s.io/api/networking/v1" +) + +type PartialValues struct { + ReplicaCount *int32 "json:\"replicaCount,omitempty\"" + Image *PartialImage "json:\"image,omitempty\"" + ImagePullSecrets []corev1.LocalObjectReference "json:\"imagePullSecrets,omitempty\"" + NameOverride *string "json:\"nameOverride,omitempty\"" + FullnameOverride *string "json:\"fullnameOverride,omitempty\"" + AutomountServiceAccountToken *bool "json:\"automountServiceAccountToken,omitempty\"" + ServiceAccount *PartialServiceAccountConfig "json:\"serviceAccount,omitempty\"" + CommonLabels map[string]string "json:\"commonLabels,omitempty\"" + Annotations map[string]string "json:\"annotations,omitempty\"" + PodAnnotations map[string]string "json:\"podAnnotations,omitempty\"" + PodLabels map[string]string "json:\"podLabels,omitempty\"" + PodSecurityContext *corev1.PodSecurityContext "json:\"podSecurityContext,omitempty\"" + SecurityContext *corev1.SecurityContext "json:\"securityContext,omitempty\"" + Service *PartialServiceConfig "json:\"service,omitempty\"" + Ingress *PartialIngressConfig "json:\"ingress,omitempty\"" + Resources *corev1.ResourceRequirements "json:\"resources,omitempty\"" + Autoscaling *PartialAutoScaling "json:\"autoscaling,omitempty\"" + NodeSelector map[string]string "json:\"nodeSelector,omitempty\"" + Tolerations []corev1.Toleration "json:\"tolerations,omitempty\"" + Affinity *corev1.Affinity "json:\"affinity,omitempty\"" + TopologySpreadConstraints []corev1.TopologySpreadConstraint "json:\"topologySpreadConstraints,omitempty\"" + PriorityClassName *string "json:\"priorityClassName,omitempty\"" + Console *PartialConsole "json:\"console,omitempty\"" + ExtraEnv []corev1.EnvVar "json:\"extraEnv,omitempty\"" + ExtraEnvFrom []corev1.EnvFromSource "json:\"extraEnvFrom,omitempty\"" + ExtraVolumes []corev1.Volume "json:\"extraVolumes,omitempty\"" + ExtraVolumeMounts []corev1.VolumeMount "json:\"extraVolumeMounts,omitempty\"" + ExtraContainers []corev1.Container "json:\"extraContainers,omitempty\"" + InitContainers *PartialInitContainers "json:\"initContainers,omitempty\"" + SecretMounts []PartialSecretMount "json:\"secretMounts,omitempty\"" + Secret *PartialSecretConfig "json:\"secret,omitempty\"" + Enterprise *PartialEnterprise "json:\"enterprise,omitempty\"" + LivenessProbe *corev1.Probe "json:\"livenessProbe,omitempty\"" + ReadinessProbe *corev1.Probe "json:\"readinessProbe,omitempty\"" + ConfigMap *PartialCreatable "json:\"configmap,omitempty\"" + Deployment *PartialDeploymentConfig "json:\"deployment,omitempty\"" + Strategy *appsv1.DeploymentStrategy "json:\"strategy,omitempty\"" + Tests *PartialEnableable "json:\"tests,omitempty\"" +} + +type PartialImage struct { + Registry *string "json:\"registry,omitempty\"" + Repository *string "json:\"repository,omitempty\"" + PullPolicy *corev1.PullPolicy "json:\"pullPolicy,omitempty\"" + Tag *string "json:\"tag,omitempty\"" +} + +type PartialServiceAccountConfig struct { + Create *bool "json:\"create,omitempty\"" + AutomountServiceAccountToken *bool "json:\"automountServiceAccountToken,omitempty\"" + Annotations map[string]string "json:\"annotations,omitempty\"" + Name *string "json:\"name,omitempty\"" +} + +type PartialServiceConfig struct { + Type *corev1.ServiceType "json:\"type,omitempty\"" + Port *int32 "json:\"port,omitempty\"" + NodePort *int32 "json:\"nodePort,omitempty\"" + TargetPort *int32 "json:\"targetPort,omitempty\"" + Annotations map[string]string "json:\"annotations,omitempty\"" +} + +type PartialIngressConfig struct { + Enabled *bool "json:\"enabled,omitempty\"" + ClassName *string "json:\"className,omitempty\"" + Annotations map[string]string "json:\"annotations,omitempty\"" + Hosts []PartialIngressHost "json:\"hosts,omitempty\"" + TLS []networkingv1.IngressTLS "json:\"tls,omitempty\"" +} + +type PartialAutoScaling struct { + Enabled *bool "json:\"enabled,omitempty\"" + MinReplicas *int32 "json:\"minReplicas,omitempty\"" + MaxReplicas *int32 "json:\"maxReplicas,omitempty\"" + TargetCPUUtilizationPercentage *int32 "json:\"targetCPUUtilizationPercentage,omitempty\"" + TargetMemoryUtilizationPercentage *int32 "json:\"targetMemoryUtilizationPercentage,omitempty\"" +} + +type PartialConsole struct { + Config map[string]any "json:\"config,omitempty\"" + Roles []map[string]any "json:\"roles,omitempty\"" + RoleBindings []map[string]any "json:\"roleBindings,omitempty\"" +} + +type PartialInitContainers struct { + ExtraInitContainers *string "json:\"extraInitContainers,omitempty\"" +} + +type PartialSecretConfig struct { + Create *bool "json:\"create,omitempty\"" + Kafka *PartialKafkaSecrets "json:\"kafka,omitempty\"" + Login *PartialLoginSecrets "json:\"login,omitempty\"" + Enterprise *PartialEnterpriseSecrets "json:\"enterprise,omitempty\"" + Redpanda *PartialRedpandaSecrets "json:\"redpanda,omitempty\"" +} + +type PartialEnterprise struct { + LicenseSecretRef *PartialSecretKeyRef "json:\"licenseSecretRef,omitempty\"" +} + +type PartialCreatable struct { + Create *bool "json:\"create,omitempty\"" +} + +type PartialDeploymentConfig struct { + Create *bool "json:\"create,omitempty\"" + Command []string "json:\"command,omitempty\"" + ExtraArgs []string "json:\"extraArgs,omitempty\"" +} + +type PartialEnableable struct { + Enabled *bool "json:\"enabled,omitempty\"" +} + +type PartialSecretMount struct { + Name *string "json:\"name,omitempty\"" + SecretName *string "json:\"secretName,omitempty\"" + Path *string "json:\"path,omitempty\"" + SubPath *string "json:\"subPath,omitempty\"" + DefaultMode *int32 "json:\"defaultMode,omitempty\"" +} + +type PartialKafkaSecrets struct { + SASLPassword *string "json:\"saslPassword,omitempty\"" + AWSMSKIAMSecretKey *string "json:\"awsMskIamSecretKey,omitempty\"" + TLSCA *string "json:\"tlsCa,omitempty\"" + TLSCert *string "json:\"tlsCert,omitempty\"" + TLSKey *string "json:\"tlsKey,omitempty\"" + TLSPassphrase *string "json:\"tlsPassphrase,omitempty\"" + SchemaRegistryPassword *string "json:\"schemaRegistryPassword,omitempty\"" + SchemaRegistryTLSCA *string "json:\"schemaRegistryTlsCa,omitempty\"" + SchemaRegistryTLSCert *string "json:\"schemaRegistryTlsCert,omitempty\"" + SchemaRegistryTLSKey *string "json:\"schemaRegistryTlsKey,omitempty\"" + ProtobufGitBasicAuthPassword *string "json:\"protobufGitBasicAuthPassword,omitempty\"" +} + +type PartialLoginSecrets struct { + JWTSecret *string "json:\"jwtSecret,omitempty\"" + Google *PartialGoogleLoginSecrets "json:\"google,omitempty\"" + Github *PartialGithubLoginSecrets "json:\"github,omitempty\"" + Okta *PartialOktaLoginSecrets "json:\"okta,omitempty\"" + OIDC *PartialOIDCLoginSecrets "json:\"oidc,omitempty\"" +} + +type PartialEnterpriseSecrets struct { + License *string "json:\"License,omitempty\"" +} + +type PartialRedpandaSecrets struct { + AdminAPI *PartialRedpandaAdminAPISecrets "json:\"adminApi,omitempty\"" +} + +type PartialSecretKeyRef struct { + Name *string "json:\"name,omitempty\"" + Key *string "json:\"key,omitempty\"" +} + +type PartialIngressHost struct { + Host *string "json:\"host,omitempty\"" + Paths []PartialIngressPath "json:\"paths,omitempty\"" +} + +type PartialGoogleLoginSecrets struct { + ClientSecret *string "json:\"clientSecret,omitempty\"" + GroupsServiceAccount *string "json:\"groupsServiceAccount,omitempty\"" +} + +type PartialGithubLoginSecrets struct { + ClientSecret *string "json:\"clientSecret,omitempty\"" + PersonalAccessToken *string "json:\"personalAccessToken,omitempty\"" +} + +type PartialOktaLoginSecrets struct { + ClientSecret *string "json:\"clientSecret,omitempty\"" + DirectoryAPIToken *string "json:\"directoryApiToken,omitempty\"" +} + +type PartialOIDCLoginSecrets struct { + ClientSecret *string "json:\"clientSecret,omitempty\"" +} + +type PartialRedpandaAdminAPISecrets struct { + Password *string "json:\"password,omitempty\"" + TLSCA *string "json:\"tlsCa,omitempty\"" + TLSCert *string "json:\"tlsCert,omitempty\"" + TLSKey *string "json:\"tlsKey,omitempty\"" +} + +type PartialIngressPath struct { + Path *string "json:\"path,omitempty\"" + PathType *networkingv1.PathType "json:\"pathType,omitempty\"" +} diff --git a/charts/redpanda/redpanda/5.9.5/templates/NOTES.txt b/charts/redpanda/redpanda/5.9.5/templates/NOTES.txt new file mode 100644 index 000000000..6992f8e36 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/NOTES.txt @@ -0,0 +1,26 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- $warnings := (get ((include "redpanda.Warnings" (dict "a" (list .))) | fromJson) "r") }} +{{- range $_, $warning := $warnings }} +{{ $warning }} +{{- end }} + +{{- $notes := (get ((include "redpanda.Notes" (dict "a" (list .))) | fromJson) "r") }} +{{- range $_, $note := $notes }} +{{ $note }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.5/templates/_cert-issuers.go.tpl b/charts/redpanda/redpanda/5.9.5/templates/_cert-issuers.go.tpl new file mode 100644 index 000000000..ce5bf092a --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/_cert-issuers.go.tpl @@ -0,0 +1,57 @@ +{{- /* Generated from "cert_issuers.go" */ -}} + +{{- define "redpanda.CertIssuers" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "redpanda.certIssuersAndCAs" (dict "a" (list $dot) ))) "r")) ))) "r") -}} +{{- $issuers := $tmp_tuple_1.T1 -}} +{{- $_is_returning = true -}} +{{- (dict "r" $issuers) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RootCAs" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_2 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "redpanda.certIssuersAndCAs" (dict "a" (list $dot) ))) "r")) ))) "r") -}} +{{- $cas := $tmp_tuple_2.T2 -}} +{{- $_is_returning = true -}} +{{- (dict "r" $cas) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.certIssuersAndCAs" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $issuers := (coalesce nil) -}} +{{- $certs := (coalesce nil) -}} +{{- if (not (get (fromJson (include "redpanda.TLSEnabled" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $issuers $certs)) | toJson -}} +{{- break -}} +{{- end -}} +{{- range $name, $data := $values.tls.certs -}} +{{- if (or (not (empty $data.secretRef)) (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $data.enabled true) ))) "r"))) -}} +{{- continue -}} +{{- end -}} +{{- if (eq $data.issuerRef (coalesce nil)) -}} +{{- $issuers = (concat (default (list ) $issuers) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "cert-manager.io/v1" "kind" "Issuer" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf `%s-%s-selfsigned-issuer` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $name) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "selfSigned" (mustMergeOverwrite (dict ) (dict )) )) (dict )) )))) -}} +{{- end -}} +{{- $issuers = (concat (default (list ) $issuers) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "cert-manager.io/v1" "kind" "Issuer" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf `%s-%s-root-issuer` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $name) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "ca" (mustMergeOverwrite (dict "secretName" "" ) (dict "secretName" (printf `%s-%s-root-certificate` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $name) )) )) (dict )) )))) -}} +{{- $certs = (concat (default (list ) $certs) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "secretName" "" "issuerRef" (dict "name" "" ) ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "cert-manager.io/v1" "kind" "Certificate" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf `%s-%s-root-certificate` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $name) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict "secretName" "" "issuerRef" (dict "name" "" ) ) (dict "duration" (default "43800h" $data.duration) "isCA" true "commonName" (printf `%s-%s-root-certificate` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $name) "secretName" (printf `%s-%s-root-certificate` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $name) "privateKey" (mustMergeOverwrite (dict ) (dict "algorithm" "ECDSA" "size" (256 | int) )) "issuerRef" (mustMergeOverwrite (dict "name" "" ) (dict "name" (printf `%s-%s-selfsigned-issuer` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $name) "kind" "Issuer" "group" "cert-manager.io" )) )) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $issuers $certs)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.5/templates/_certs.go.tpl b/charts/redpanda/redpanda/5.9.5/templates/_certs.go.tpl new file mode 100644 index 000000000..b8d1160e5 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/_certs.go.tpl @@ -0,0 +1,71 @@ +{{- /* Generated from "certs.go" */ -}} + +{{- define "redpanda.ClientCerts" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (not (get (fromJson (include "redpanda.TLSEnabled" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list )) | toJson -}} +{{- break -}} +{{- end -}} +{{- $values := $dot.Values.AsMap -}} +{{- $fullname := (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") -}} +{{- $service := (get (fromJson (include "redpanda.ServiceName" (dict "a" (list $dot) ))) "r") -}} +{{- $ns := $dot.Release.Namespace -}} +{{- $domain := (trimSuffix "." $values.clusterDomain) -}} +{{- $certs := (coalesce nil) -}} +{{- range $name, $data := $values.tls.certs -}} +{{- if (or (not (empty $data.secretRef)) (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $data.enabled true) ))) "r"))) -}} +{{- continue -}} +{{- end -}} +{{- $names := (coalesce nil) -}} +{{- if (or (eq $data.issuerRef (coalesce nil)) (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $data.applyInternalDNSNames false) ))) "r")) -}} +{{- $names = (concat (default (list ) $names) (list (printf "%s-cluster.%s.%s.svc.%s" $fullname $service $ns $domain))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "%s-cluster.%s.%s.svc" $fullname $service $ns))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "%s-cluster.%s.%s" $fullname $service $ns))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "*.%s-cluster.%s.%s.svc.%s" $fullname $service $ns $domain))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "*.%s-cluster.%s.%s.svc" $fullname $service $ns))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "*.%s-cluster.%s.%s" $fullname $service $ns))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "%s.%s.svc.%s" $service $ns $domain))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "%s.%s.svc" $service $ns))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "%s.%s" $service $ns))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "*.%s.%s.svc.%s" $service $ns $domain))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "*.%s.%s.svc" $service $ns))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "*.%s.%s" $service $ns))) -}} +{{- end -}} +{{- if (ne $values.external.domain (coalesce nil)) -}} +{{- $names = (concat (default (list ) $names) (list (tpl $values.external.domain $dot))) -}} +{{- $names = (concat (default (list ) $names) (list (tpl (printf "*.%s" $values.external.domain) $dot))) -}} +{{- end -}} +{{- $duration := (default "43800h" $data.duration) -}} +{{- $issuerRef := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $data.issuerRef (mustMergeOverwrite (dict "name" "" ) (dict "kind" "Issuer" "group" "cert-manager.io" "name" (printf "%s-%s-root-issuer" $fullname $name) ))) ))) "r") -}} +{{- $certs = (concat (default (list ) $certs) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "secretName" "" "issuerRef" (dict "name" "" ) ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "cert-manager.io/v1" "kind" "Certificate" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-%s-cert" $fullname $name) "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace )) "spec" (mustMergeOverwrite (dict "secretName" "" "issuerRef" (dict "name" "" ) ) (dict "dnsNames" $names "duration" $duration "isCA" false "issuerRef" $issuerRef "secretName" (printf "%s-%s-cert" $fullname $name) "privateKey" (mustMergeOverwrite (dict ) (dict "algorithm" "ECDSA" "size" (256 | int) )) )) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $name := $values.listeners.kafka.tls.cert -}} +{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $values.tls.certs $name (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok := $tmp_tuple_1.T2 -}} +{{- $data := $tmp_tuple_1.T1 -}} +{{- if (not $ok) -}} +{{- $_ := (fail (printf "Certificate %q referenced but not defined" $name)) -}} +{{- end -}} +{{- if (or (not (empty $data.secretRef)) (not (get (fromJson (include "redpanda.ClientAuthRequired" (dict "a" (list $dot) ))) "r"))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $certs) | toJson -}} +{{- break -}} +{{- end -}} +{{- $issuerRef := (mustMergeOverwrite (dict "name" "" ) (dict "group" "cert-manager.io" "kind" "Issuer" "name" (printf "%s-%s-root-issuer" $fullname $name) )) -}} +{{- if (ne $data.issuerRef (coalesce nil)) -}} +{{- $issuerRef = $data.issuerRef -}} +{{- $_ := (set $issuerRef "group" "cert-manager.io") -}} +{{- end -}} +{{- $duration := (default "43800h" $data.duration) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) $certs) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "secretName" "" "issuerRef" (dict "name" "" ) ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "cert-manager.io/v1" "kind" "Certificate" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-client" $fullname) "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict "secretName" "" "issuerRef" (dict "name" "" ) ) (dict "commonName" (printf "%s-client" $fullname) "duration" $duration "isCA" false "secretName" (printf "%s-client" $fullname) "privateKey" (mustMergeOverwrite (dict ) (dict "algorithm" "ECDSA" "size" (256 | int) )) "issuerRef" $issuerRef )) ))))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.5/templates/_configmap.go.tpl b/charts/redpanda/redpanda/5.9.5/templates/_configmap.go.tpl new file mode 100644 index 000000000..e51139032 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/_configmap.go.tpl @@ -0,0 +1,494 @@ +{{- /* Generated from "configmap.tpl.go" */ -}} + +{{- define "redpanda.ConfigMaps" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $cms := (list (get (fromJson (include "redpanda.RedpandaConfigMap" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.RPKProfile" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $cms) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaConfigMap" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "kind" "ConfigMap" "apiVersion" "v1" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "data" (dict "bootstrap.yaml" (get (fromJson (include "redpanda.BootstrapFile" (dict "a" (list $dot) ))) "r") "redpanda.yaml" (get (fromJson (include "redpanda.RedpandaConfigFile" (dict "a" (list $dot true) ))) "r") ) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.BootstrapFile" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $bootstrap := (dict "kafka_enable_authorization" (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r") "enable_sasl" (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r") "enable_rack_awareness" $values.rackAwareness.enabled "storage_min_free_bytes" ((get (fromJson (include "redpanda.Storage.StorageMinFreeBytes" (dict "a" (list $values.storage) ))) "r") | int64) ) -}} +{{- $bootstrap = (merge (dict ) $bootstrap (get (fromJson (include "redpanda.AuditLogging.Translate" (dict "a" (list $values.auditLogging $dot (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r")) ))) "r")) -}} +{{- $bootstrap = (merge (dict ) $bootstrap (get (fromJson (include "redpanda.Logging.Translate" (dict "a" (list $values.logging) ))) "r")) -}} +{{- $bootstrap = (merge (dict ) $bootstrap (get (fromJson (include "redpanda.TunableConfig.Translate" (dict "a" (list $values.config.tunable) ))) "r")) -}} +{{- $bootstrap = (merge (dict ) $bootstrap (get (fromJson (include "redpanda.ClusterConfig.Translate" (dict "a" (list $values.config.cluster) ))) "r")) -}} +{{- $bootstrap = (merge (dict ) $bootstrap (get (fromJson (include "redpanda.Auth.Translate" (dict "a" (list $values.auth (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r")) ))) "r")) -}} +{{- $bootstrap = (merge (dict ) $bootstrap (get (fromJson (include "redpanda.Storage.Translate" (dict "a" (list $values.storage) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (toYaml $bootstrap)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaConfigFile" -}} +{{- $dot := (index .a 0) -}} +{{- $includeSeedServer := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $redpanda := (dict "empty_seed_starts_cluster" false ) -}} +{{- if $includeSeedServer -}} +{{- $_ := (set $redpanda "seed_servers" (get (fromJson (include "redpanda.Listeners.CreateSeedServers" (dict "a" (list $values.listeners ($values.statefulset.replicas | int) (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r")) ))) "r")) -}} +{{- end -}} +{{- $redpanda = (merge (dict ) $redpanda (get (fromJson (include "redpanda.NodeConfig.Translate" (dict "a" (list $values.config.node) ))) "r")) -}} +{{- $_ := (get (fromJson (include "redpanda.configureListeners" (dict "a" (list $redpanda $dot) ))) "r") -}} +{{- $redpandaYaml := (dict "redpanda" $redpanda "schema_registry" (get (fromJson (include "redpanda.schemaRegistry" (dict "a" (list $dot) ))) "r") "schema_registry_client" (get (fromJson (include "redpanda.kafkaClient" (dict "a" (list $dot) ))) "r") "pandaproxy" (get (fromJson (include "redpanda.pandaProxyListener" (dict "a" (list $dot) ))) "r") "pandaproxy_client" (get (fromJson (include "redpanda.kafkaClient" (dict "a" (list $dot) ))) "r") "rpk" (get (fromJson (include "redpanda.rpkNodeConfig" (dict "a" (list $dot) ))) "r") "config_file" "/etc/redpanda/redpanda.yaml" ) -}} +{{- if (and (and (get (fromJson (include "redpanda.RedpandaAtLeast_23_3_0" (dict "a" (list $dot) ))) "r") $values.auditLogging.enabled) (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r")) -}} +{{- $_ := (set $redpandaYaml "audit_log_client" (get (fromJson (include "redpanda.kafkaClient" (dict "a" (list $dot) ))) "r")) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (toYaml $redpandaYaml)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RPKProfile" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.external.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "kind" "ConfigMap" "apiVersion" "v1" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-rpk" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "data" (dict "profile" (toYaml (get (fromJson (include "redpanda.rpkProfile" (dict "a" (list $dot) ))) "r")) ) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.rpkProfile" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $brokerList := (list ) -}} +{{- range $_, $i := untilStep (((0 | int) | int)|int) (($values.statefulset.replicas | int)|int) (1|int) -}} +{{- $brokerList = (concat (default (list ) $brokerList) (list (printf "%s:%d" (get (fromJson (include "redpanda.advertisedHost" (dict "a" (list $dot $i) ))) "r") (((get (fromJson (include "redpanda.advertisedKafkaPort" (dict "a" (list $dot $i) ))) "r") | int) | int)))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $adminAdvertisedList := (list ) -}} +{{- range $_, $i := untilStep (((0 | int) | int)|int) (($values.statefulset.replicas | int)|int) (1|int) -}} +{{- $adminAdvertisedList = (concat (default (list ) $adminAdvertisedList) (list (printf "%s:%d" (get (fromJson (include "redpanda.advertisedHost" (dict "a" (list $dot $i) ))) "r") (((get (fromJson (include "redpanda.advertisedAdminPort" (dict "a" (list $dot $i) ))) "r") | int) | int)))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $kafkaTLS := (get (fromJson (include "redpanda.rpkKafkaClientTLSConfiguration" (dict "a" (list $dot) ))) "r") -}} +{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $kafkaTLS "ca_file" (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok_1 := $tmp_tuple_1.T2 -}} +{{- if $ok_1 -}} +{{- $_ := (set $kafkaTLS "ca_file" "ca.crt") -}} +{{- end -}} +{{- $adminTLS := (get (fromJson (include "redpanda.rpkAdminAPIClientTLSConfiguration" (dict "a" (list $dot) ))) "r") -}} +{{- $tmp_tuple_2 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $adminTLS "ca_file" (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok_2 := $tmp_tuple_2.T2 -}} +{{- if $ok_2 -}} +{{- $_ := (set $adminTLS "ca_file" "ca.crt") -}} +{{- end -}} +{{- $ka := (dict "brokers" $brokerList "tls" (coalesce nil) ) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $kafkaTLS) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $ka "tls" $kafkaTLS) -}} +{{- end -}} +{{- $aa := (dict "addresses" $adminAdvertisedList "tls" (coalesce nil) ) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $adminTLS) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $aa "tls" $adminTLS) -}} +{{- end -}} +{{- $result := (dict "name" (get (fromJson (include "redpanda.getFirstExternalKafkaListener" (dict "a" (list $dot) ))) "r") "kafka_api" $ka "admin_api" $aa ) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.advertisedKafkaPort" -}} +{{- $dot := (index .a 0) -}} +{{- $i := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $externalKafkaListenerName := (get (fromJson (include "redpanda.getFirstExternalKafkaListener" (dict "a" (list $dot) ))) "r") -}} +{{- $listener := (index $values.listeners.kafka.external $externalKafkaListenerName) -}} +{{- $port := (($values.listeners.kafka.port | int) | int) -}} +{{- if (gt (($listener.port | int) | int) ((1 | int) | int)) -}} +{{- $port = (($listener.port | int) | int) -}} +{{- end -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (1 | int)) -}} +{{- $port = ((index $listener.advertisedPorts $i) | int) -}} +{{- else -}}{{- if (eq ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (1 | int)) -}} +{{- $port = ((index $listener.advertisedPorts (0 | int)) | int) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $port) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.advertisedAdminPort" -}} +{{- $dot := (index .a 0) -}} +{{- $i := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $keys := (keys $values.listeners.admin.external) -}} +{{- $_ := (sortAlpha $keys) -}} +{{- $externalAdminListenerName := (first $keys) -}} +{{- $listener := (index $values.listeners.admin.external (get (fromJson (include "_shims.typeassertion" (dict "a" (list "string" $externalAdminListenerName) ))) "r")) -}} +{{- $port := (($values.listeners.admin.port | int) | int) -}} +{{- if (gt (($listener.port | int) | int) (1 | int)) -}} +{{- $port = (($listener.port | int) | int) -}} +{{- end -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (1 | int)) -}} +{{- $port = ((index $listener.advertisedPorts $i) | int) -}} +{{- else -}}{{- if (eq ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (1 | int)) -}} +{{- $port = ((index $listener.advertisedPorts (0 | int)) | int) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $port) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.advertisedHost" -}} +{{- $dot := (index .a 0) -}} +{{- $i := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $address := (printf "%s-%d" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") ($i | int)) -}} +{{- if (ne (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.external.domain "") ))) "r") "") -}} +{{- $address = (printf "%s.%s" $address (tpl $values.external.domain $dot)) -}} +{{- end -}} +{{- if (le ((get (fromJson (include "_shims.len" (dict "a" (list $values.external.addresses) ))) "r") | int) (0 | int)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $address) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (eq ((get (fromJson (include "_shims.len" (dict "a" (list $values.external.addresses) ))) "r") | int) (1 | int)) -}} +{{- $address = (index $values.external.addresses (0 | int)) -}} +{{- else -}} +{{- $address = (index $values.external.addresses $i) -}} +{{- end -}} +{{- if (ne (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.external.domain "") ))) "r") "") -}} +{{- $address = (printf "%s.%s" $address $values.external.domain) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $address) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.getFirstExternalKafkaListener" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $keys := (keys $values.listeners.kafka.external) -}} +{{- $_ := (sortAlpha $keys) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "_shims.typeassertion" (dict "a" (list "string" (first $keys)) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.BrokerList" -}} +{{- $dot := (index .a 0) -}} +{{- $replicas := (index .a 1) -}} +{{- $port := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $bl := (coalesce nil) -}} +{{- range $_, $i := untilStep (((0 | int) | int)|int) ($replicas|int) (1|int) -}} +{{- $bl = (concat (default (list ) $bl) (list (printf "%s-%d.%s:%d" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $i (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r") $port))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $bl) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.rpkNodeConfig" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $brokerList := (get (fromJson (include "redpanda.BrokerList" (dict "a" (list $dot ($values.statefulset.replicas | int) ($values.listeners.kafka.port | int)) ))) "r") -}} +{{- $adminTLS := (coalesce nil) -}} +{{- $tls_3 := (get (fromJson (include "redpanda.rpkAdminAPIClientTLSConfiguration" (dict "a" (list $dot) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_3) ))) "r") | int) (0 | int)) -}} +{{- $adminTLS = $tls_3 -}} +{{- end -}} +{{- $brokerTLS := (coalesce nil) -}} +{{- $tls_4 := (get (fromJson (include "redpanda.rpkKafkaClientTLSConfiguration" (dict "a" (list $dot) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_4) ))) "r") | int) (0 | int)) -}} +{{- $brokerTLS = $tls_4 -}} +{{- end -}} +{{- $result := (dict "overprovisioned" (get (fromJson (include "redpanda.RedpandaResources.GetOverProvisionValue" (dict "a" (list $values.resources) ))) "r") "enable_memory_locking" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.resources.memory.enable_memory_locking false) ))) "r") "additional_start_flags" (get (fromJson (include "redpanda.RedpandaAdditionalStartFlags" (dict "a" (list $dot ((get (fromJson (include "redpanda.RedpandaSMP" (dict "a" (list $dot) ))) "r") | int64)) ))) "r") "kafka_api" (dict "brokers" $brokerList "tls" $brokerTLS ) "admin_api" (dict "addresses" (get (fromJson (include "redpanda.Listeners.AdminList" (dict "a" (list $values.listeners ($values.statefulset.replicas | int) (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r")) ))) "r") "tls" $adminTLS ) ) -}} +{{- $result = (merge (dict ) $result (get (fromJson (include "redpanda.Tuning.Translate" (dict "a" (list $values.tuning) ))) "r")) -}} +{{- $result = (merge (dict ) $result (get (fromJson (include "redpanda.Config.CreateRPKConfiguration" (dict "a" (list $values.config) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.rpkKafkaClientTLSConfiguration" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $tls := $values.listeners.kafka.tls -}} +{{- if (not (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $tls $values.tls) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict )) | toJson -}} +{{- break -}} +{{- end -}} +{{- $result := (dict "ca_file" (get (fromJson (include "redpanda.InternalTLS.ServerCAPath" (dict "a" (list $tls $values.tls) ))) "r") ) -}} +{{- if $tls.requireClientAuth -}} +{{- $_ := (set $result "cert_file" (printf "/etc/tls/certs/%s-client/tls.crt" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}} +{{- $_ := (set $result "key_file" (printf "/etc/tls/certs/%s-client/tls.key" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.rpkAdminAPIClientTLSConfiguration" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $tls := $values.listeners.admin.tls -}} +{{- if (not (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $tls $values.tls) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict )) | toJson -}} +{{- break -}} +{{- end -}} +{{- $result := (dict "ca_file" (get (fromJson (include "redpanda.InternalTLS.ServerCAPath" (dict "a" (list $tls $values.tls) ))) "r") ) -}} +{{- if $tls.requireClientAuth -}} +{{- $_ := (set $result "cert_file" (printf "/etc/tls/certs/%s-client/tls.crt" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}} +{{- $_ := (set $result "key_file" (printf "/etc/tls/certs/%s-client/tls.key" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.kafkaClient" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $brokerList := (list ) -}} +{{- range $_, $i := untilStep (((0 | int) | int)|int) (($values.statefulset.replicas | int)|int) (1|int) -}} +{{- $brokerList = (concat (default (list ) $brokerList) (list (dict "address" (printf "%s-%d.%s" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $i (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r")) "port" ($values.listeners.kafka.port | int) ))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $kafkaTLS := $values.listeners.kafka.tls -}} +{{- $brokerTLS := (coalesce nil) -}} +{{- if (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $values.listeners.kafka.tls $values.tls) ))) "r") -}} +{{- $brokerTLS = (dict "enabled" true "require_client_auth" $kafkaTLS.requireClientAuth "truststore_file" (get (fromJson (include "redpanda.InternalTLS.ServerCAPath" (dict "a" (list $kafkaTLS $values.tls) ))) "r") ) -}} +{{- if $kafkaTLS.requireClientAuth -}} +{{- $_ := (set $brokerTLS "cert_file" (printf "/etc/tls/certs/%s-client/tls.crt" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}} +{{- $_ := (set $brokerTLS "key_file" (printf "/etc/tls/certs/%s-client/tls.key" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}} +{{- end -}} +{{- end -}} +{{- $cfg := (dict "brokers" $brokerList ) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $brokerTLS) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $cfg "broker_tls" $brokerTLS) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $cfg) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.configureListeners" -}} +{{- $redpanda := (index .a 0) -}} +{{- $dot := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_ := (set $redpanda "admin" (get (fromJson (include "redpanda.AdminListeners.Listeners" (dict "a" (list $values.listeners.admin) ))) "r")) -}} +{{- $_ := (set $redpanda "kafka_api" (get (fromJson (include "redpanda.KafkaListeners.Listeners" (dict "a" (list $values.listeners.kafka $values.auth) ))) "r")) -}} +{{- $_ := (set $redpanda "rpc_server" (get (fromJson (include "redpanda.rpcListeners" (dict "a" (list $dot) ))) "r")) -}} +{{- $_ := (set $redpanda "admin_api_tls" (coalesce nil)) -}} +{{- $tls_5 := (get (fromJson (include "redpanda.AdminListeners.ListenersTLS" (dict "a" (list $values.listeners.admin $values.tls) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_5) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $redpanda "admin_api_tls" $tls_5) -}} +{{- end -}} +{{- $_ := (set $redpanda "kafka_api_tls" (coalesce nil)) -}} +{{- $tls_6 := (get (fromJson (include "redpanda.KafkaListeners.ListenersTLS" (dict "a" (list $values.listeners.kafka $values.tls) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_6) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $redpanda "kafka_api_tls" $tls_6) -}} +{{- end -}} +{{- $tls_7 := (get (fromJson (include "redpanda.rpcListenersTLS" (dict "a" (list $dot) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_7) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $redpanda "rpc_server_tls" $tls_7) -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.pandaProxyListener" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $pandaProxy := (dict ) -}} +{{- $_ := (set $pandaProxy "pandaproxy_api" (get (fromJson (include "redpanda.HTTPListeners.Listeners" (dict "a" (list $values.listeners.http (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r")) ))) "r")) -}} +{{- $_ := (set $pandaProxy "pandaproxy_api_tls" (coalesce nil)) -}} +{{- $tls_8 := (get (fromJson (include "redpanda.HTTPListeners.ListenersTLS" (dict "a" (list $values.listeners.http $values.tls) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_8) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $pandaProxy "pandaproxy_api_tls" $tls_8) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $pandaProxy) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.schemaRegistry" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $schemaReg := (dict ) -}} +{{- $_ := (set $schemaReg "schema_registry_api" (get (fromJson (include "redpanda.SchemaRegistryListeners.Listeners" (dict "a" (list $values.listeners.schemaRegistry (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r")) ))) "r")) -}} +{{- $_ := (set $schemaReg "schema_registry_api_tls" (coalesce nil)) -}} +{{- $tls_9 := (get (fromJson (include "redpanda.SchemaRegistryListeners.ListenersTLS" (dict "a" (list $values.listeners.schemaRegistry $values.tls) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_9) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $schemaReg "schema_registry_api_tls" $tls_9) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $schemaReg) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.rpcListenersTLS" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $r := $values.listeners.rpc -}} +{{- if (and (not ((or (or (get (fromJson (include "redpanda.RedpandaAtLeast_22_2_atleast_22_2_10" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.RedpandaAtLeast_22_3_atleast_22_3_13" (dict "a" (list $dot) ))) "r")) (get (fromJson (include "redpanda.RedpandaAtLeast_23_1_2" (dict "a" (list $dot) ))) "r")))) ((or (and (eq $r.tls.enabled (coalesce nil)) $values.tls.enabled) (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $r.tls.enabled false) ))) "r")))) -}} +{{- $_ := (fail (printf "Redpanda version v%s does not support TLS on the RPC port. Please upgrade. See technical service bulletin 2023-01." (trimPrefix "v" (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")))) -}} +{{- end -}} +{{- if (not (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $r.tls $values.tls) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict )) | toJson -}} +{{- break -}} +{{- end -}} +{{- $certName := $r.tls.cert -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict "enabled" true "cert_file" (printf "/etc/tls/certs/%s/tls.crt" $certName) "key_file" (printf "/etc/tls/certs/%s/tls.key" $certName) "require_client_auth" $r.tls.requireClientAuth "truststore_file" (get (fromJson (include "redpanda.InternalTLS.TrustStoreFilePath" (dict "a" (list $r.tls $values.tls) ))) "r") )) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.rpcListeners" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict "address" "0.0.0.0" "port" ($values.listeners.rpc.port | int) )) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.createInternalListenerTLSCfg" -}} +{{- $tls := (index .a 0) -}} +{{- $internal := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (not (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $internal $tls) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict )) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict "name" "internal" "enabled" true "cert_file" (printf "/etc/tls/certs/%s/tls.crt" $internal.cert) "key_file" (printf "/etc/tls/certs/%s/tls.key" $internal.cert) "require_client_auth" $internal.requireClientAuth "truststore_file" (get (fromJson (include "redpanda.InternalTLS.TrustStoreFilePath" (dict "a" (list $internal $tls) ))) "r") )) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.createInternalListenerCfg" -}} +{{- $port := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict "name" "internal" "address" "0.0.0.0" "port" $port )) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaAdditionalStartFlags" -}} +{{- $dot := (index .a 0) -}} +{{- $smp := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $chartFlags := (dict "smp" (printf "%d" ($smp | int)) "memory" (printf "%dM" (((get (fromJson (include "redpanda.RedpandaMemory" (dict "a" (list $dot) ))) "r") | int64) | int)) "reserve-memory" (printf "%dM" (((get (fromJson (include "redpanda.RedpandaReserveMemory" (dict "a" (list $dot) ))) "r") | int64) | int)) "default-log-level" $values.logging.logLevel ) -}} +{{- if (eq (index $values.config.node "developer_mode") true) -}} +{{- $_ := (unset $chartFlags "reserve-memory") -}} +{{- end -}} +{{- range $flag, $_ := $chartFlags -}} +{{- range $_, $userFlag := $values.statefulset.additionalRedpandaCmdFlags -}} +{{- if (regexMatch (printf "^--%s" $flag) $userFlag) -}} +{{- $_ := (unset $chartFlags $flag) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $keys := (keys $chartFlags) -}} +{{- $_ := (sortAlpha $keys) -}} +{{- $flags := (list ) -}} +{{- range $_, $key := $keys -}} +{{- $flags = (concat (default (list ) $flags) (list (printf "--%s=%s" $key (index $chartFlags $key)))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) $flags) (default (list ) $values.statefulset.additionalRedpandaCmdFlags))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.5/templates/_console.go.tpl b/charts/redpanda/redpanda/5.9.5/templates/_console.go.tpl new file mode 100644 index 000000000..f8498e998 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/_console.go.tpl @@ -0,0 +1,60 @@ +{{- /* Generated from "console.tpl.go" */ -}} + +{{- define "redpanda.ConsoleConfig" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $schemaURLs := (coalesce nil) -}} +{{- if $values.listeners.schemaRegistry.enabled -}} +{{- $schema := "http" -}} +{{- if (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $values.listeners.schemaRegistry.tls $values.tls) ))) "r") -}} +{{- $schema = "https" -}} +{{- end -}} +{{- range $_, $i := untilStep (((0 | int) | int)|int) (($values.statefulset.replicas | int)|int) (1|int) -}} +{{- $schemaURLs = (concat (default (list ) $schemaURLs) (list (printf "%s://%s-%d.%s:%d" $schema (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $i (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r") ($values.listeners.schemaRegistry.port | int)))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- $schema := "http" -}} +{{- if (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $values.listeners.admin.tls $values.tls) ))) "r") -}} +{{- $schema = "https" -}} +{{- end -}} +{{- $c := (dict "kafka" (dict "brokers" (get (fromJson (include "redpanda.BrokerList" (dict "a" (list $dot ($values.statefulset.replicas | int) ($values.listeners.kafka.port | int)) ))) "r") "sasl" (dict "enabled" (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r") ) "tls" (get (fromJson (include "redpanda.KafkaListeners.ConsolemTLS" (dict "a" (list $values.listeners.kafka $values.tls) ))) "r") "schemaRegistry" (dict "enabled" $values.listeners.schemaRegistry.enabled "urls" $schemaURLs "tls" (get (fromJson (include "redpanda.SchemaRegistryListeners.ConsoleTLS" (dict "a" (list $values.listeners.schemaRegistry $values.tls) ))) "r") ) ) "redpanda" (dict "adminApi" (dict "enabled" true "urls" (list (printf "%s://%s:%d" $schema (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r") ($values.listeners.admin.port | int))) "tls" (get (fromJson (include "redpanda.AdminListeners.ConsoleTLS" (dict "a" (list $values.listeners.admin $values.tls) ))) "r") ) ) ) -}} +{{- if $values.connectors.enabled -}} +{{- $port := (dig "connectors" "connectors" "restPort" (8083 | int) $dot.Values.AsMap) -}} +{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.asintegral" (dict "a" (list $port) ))) "r")) ))) "r") -}} +{{- $ok := $tmp_tuple_1.T2 -}} +{{- $p := ($tmp_tuple_1.T1 | int) -}} +{{- if (not $ok) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $c) | toJson -}} +{{- break -}} +{{- end -}} +{{- $connectorsURL := (printf "http://%s.%s.svc.%s:%d" (get (fromJson (include "redpanda.ConnectorsFullName" (dict "a" (list $dot) ))) "r") $dot.Release.Namespace (trimSuffix "." $values.clusterDomain) $p) -}} +{{- $_ := (set $c "connect" (mustMergeOverwrite (dict "enabled" false "clusters" (coalesce nil) "connectTimeout" 0 "readTimeout" 0 "requestTimeout" 0 ) (dict "enabled" $values.connectors.enabled "clusters" (list (mustMergeOverwrite (dict "name" "" "url" "" "tls" (dict "enabled" false "caFilepath" "" "certFilepath" "" "keyFilepath" "" "insecureSkipTlsVerify" false ) "username" "" "password" "" "token" "" ) (dict "name" "connectors" "url" $connectorsURL "tls" (mustMergeOverwrite (dict "enabled" false "caFilepath" "" "certFilepath" "" "keyFilepath" "" "insecureSkipTlsVerify" false ) (dict "enabled" false "caFilepath" "" "certFilepath" "" "keyFilepath" "" "insecureSkipTlsVerify" false )) "username" "" "password" "" "token" "" ))) ))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) $values.console.console.config $c)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ConnectorsFullName" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (ne (dig "connectors" "connectors" "fullnameOverwrite" "" $dot.Values.AsMap) "") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list $values.connectors.connectors.fullnameOverwrite) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list (printf "%s-connectors" $dot.Release.Name)) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.5/templates/_example-commands.tpl b/charts/redpanda/redpanda/5.9.5/templates/_example-commands.tpl new file mode 100644 index 000000000..9a5c695e3 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/_example-commands.tpl @@ -0,0 +1,58 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + + +{{/* +Any rpk command that's given to the user in NOTES.txt must be defined in this template file +and tested in a test. +*/}} + +{{/* tested in tests/test-kafka-sasl-status.yaml */}} +{{- define "rpk-acl-user-create" -}} +{{- $cmd := (get ((include "redpanda.RpkACLUserCreate" (dict "a" (list .))) | fromJson) "r") }} +{{- $cmd }} +{{- end -}} + +{{/* tested in tests/test-kafka-sasl-status.yaml */}} +{{- define "rpk-acl-create" -}} +{{- $cmd := (get ((include "redpanda.RpkACLCreate" (dict "a" (list .))) | fromJson) "r") }} +{{- $cmd }} +{{- end -}} + +{{/* tested in tests/test-kafka-sasl-status.yaml */}} +{{- define "rpk-cluster-info" -}} +{{- $cmd := (get ((include "redpanda.RpkClusterInfo" (dict "a" (list .))) | fromJson) "r") }} +{{- $cmd }} +{{- end -}} + +{{/* tested in tests/test-kafka-sasl-status.yaml */}} +{{- define "rpk-topic-create" -}} +{{- $cmd := (get ((include "redpanda.RpkTopicCreate" (dict "a" (list .))) | fromJson) "r") }} +{{- $cmd }} +{{- end -}} + +{{/* tested in tests/test-kafka-sasl-status.yaml */}} +{{- define "rpk-topic-describe" -}} +{{- $cmd := (get ((include "redpanda.RpkTopicDescribe" (dict "a" (list .))) | fromJson) "r") }} +{{- $cmd }} +{{- end -}} + +{{/* tested in tests/test-kafka-sasl-status.yaml */}} +{{- define "rpk-topic-delete" -}} +{{- $cmd := (get ((include "redpanda.RpkTopicDelete" (dict "a" (list .))) | fromJson) "r") }} +{{- $cmd }} +{{- end -}} \ No newline at end of file diff --git a/charts/redpanda/redpanda/5.9.5/templates/_helpers.go.tpl b/charts/redpanda/redpanda/5.9.5/templates/_helpers.go.tpl new file mode 100644 index 000000000..c910f646a --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/_helpers.go.tpl @@ -0,0 +1,535 @@ +{{- /* Generated from "helpers.go" */ -}} + +{{- define "redpanda.Chart" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list (replace "+" "_" (printf "%s-%s" $dot.Chart.Name $dot.Chart.Version))) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Name" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list "string" (index $dot.Values "nameOverride") "") ))) "r")) ))) "r") -}} +{{- $ok_2 := $tmp_tuple_1.T2 -}} +{{- $override_1 := $tmp_tuple_1.T1 -}} +{{- if (and $ok_2 (ne $override_1 "")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list $override_1) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list $dot.Chart.Name) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Fullname" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_2 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list "string" (index $dot.Values "fullnameOverride") "") ))) "r")) ))) "r") -}} +{{- $ok_4 := $tmp_tuple_2.T2 -}} +{{- $override_3 := $tmp_tuple_2.T1 -}} +{{- if (and $ok_4 (ne $override_3 "")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list $override_3) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list $dot.Release.Name) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.FullLabels" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $labels := (dict ) -}} +{{- if (ne $values.commonLabels (coalesce nil)) -}} +{{- $labels = $values.commonLabels -}} +{{- end -}} +{{- $defaults := (dict "helm.sh/chart" (get (fromJson (include "redpanda.Chart" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/name" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/instance" $dot.Release.Name "app.kubernetes.io/managed-by" $dot.Release.Service "app.kubernetes.io/component" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") ) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) $labels $defaults)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ServiceAccountName" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $serviceAccount := $values.serviceAccount -}} +{{- if (and $serviceAccount.create (ne $serviceAccount.name "")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $serviceAccount.name) | toJson -}} +{{- break -}} +{{- else -}}{{- if $serviceAccount.create -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) | toJson -}} +{{- break -}} +{{- else -}}{{- if (ne $serviceAccount.name "") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $serviceAccount.name) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" "default") | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Tag" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $tag := (toString $values.image.tag) -}} +{{- if (eq $tag "") -}} +{{- $tag = $dot.Chart.AppVersion -}} +{{- end -}} +{{- $pattern := "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" -}} +{{- if (not (regexMatch $pattern $tag)) -}} +{{- $_ := (fail "image.tag must start with a 'v' and be a valid semver") -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $tag) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ServiceName" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (and (ne $values.service (coalesce nil)) (ne $values.service.name (coalesce nil))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list $values.service.name) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.InternalDomain" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $service := (get (fromJson (include "redpanda.ServiceName" (dict "a" (list $dot) ))) "r") -}} +{{- $ns := $dot.Release.Namespace -}} +{{- $domain := (trimSuffix "." $values.clusterDomain) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s.%s.svc.%s." $service $ns $domain)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TLSEnabled" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if $values.tls.enabled -}} +{{- $_is_returning = true -}} +{{- (dict "r" true) | toJson -}} +{{- break -}} +{{- end -}} +{{- $listeners := (list "kafka" "admin" "schemaRegistry" "rpc" "http") -}} +{{- range $_, $listener := $listeners -}} +{{- $tlsCert := (dig "listeners" $listener "tls" "cert" false $dot.Values.AsMap) -}} +{{- $tlsEnabled := (dig "listeners" $listener "tls" "enabled" false $dot.Values.AsMap) -}} +{{- if (and (not (empty $tlsEnabled)) (not (empty $tlsCert))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" true) | toJson -}} +{{- break -}} +{{- end -}} +{{- $external := (dig "listeners" $listener "external" false $dot.Values.AsMap) -}} +{{- if (empty $external) -}} +{{- continue -}} +{{- end -}} +{{- $keys := (keys (get (fromJson (include "_shims.typeassertion" (dict "a" (list (printf "map[%s]%s" "string" "interface {}") $external) ))) "r")) -}} +{{- range $_, $key := $keys -}} +{{- $enabled := (dig "listeners" $listener "external" $key "enabled" false $dot.Values.AsMap) -}} +{{- $tlsCert := (dig "listeners" $listener "external" $key "tls" "cert" false $dot.Values.AsMap) -}} +{{- $tlsEnabled := (dig "listeners" $listener "external" $key "tls" "enabled" false $dot.Values.AsMap) -}} +{{- if (and (and (not (empty $enabled)) (not (empty $tlsCert))) (not (empty $tlsEnabled))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" true) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" false) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ClientAuthRequired" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $listeners := (list "kafka" "admin" "schemaRegistry" "rpc" "http") -}} +{{- range $_, $listener := $listeners -}} +{{- $required := (dig "listeners" $listener "tls" "requireClientAuth" false $dot.Values.AsMap) -}} +{{- if (not (empty $required)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" true) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" false) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.DefaultMounts" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "config" "mountPath" "/etc/redpanda" )))) (default (list ) (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r")))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.CommonMounts" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $mounts := (list ) -}} +{{- $sasl_5 := $values.auth.sasl -}} +{{- if (and $sasl_5.enabled (ne $sasl_5.secretRef "")) -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "users" "mountPath" "/etc/secrets/users" "readOnly" true )))) -}} +{{- end -}} +{{- if (get (fromJson (include "redpanda.TLSEnabled" (dict "a" (list $dot) ))) "r") -}} +{{- $certNames := (keys $values.tls.certs) -}} +{{- $_ := (sortAlpha $certNames) -}} +{{- range $_, $name := $certNames -}} +{{- $cert := (index $values.tls.certs $name) -}} +{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $cert.enabled true) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (printf "redpanda-%s-cert" $name) "mountPath" (printf "/etc/tls/certs/%s" $name) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $adminTLS := $values.listeners.admin.tls -}} +{{- if $adminTLS.requireClientAuth -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "mtls-client" "mountPath" (printf "/etc/tls/certs/%s-client" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) )))) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $mounts) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.DefaultVolumes" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "configMap" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") )) (dict )) )) (dict "name" "config" )))) (default (list ) (get (fromJson (include "redpanda.CommonVolumes" (dict "a" (list $dot) ))) "r")))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.CommonVolumes" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $volumes := (list ) -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (get (fromJson (include "redpanda.TLSEnabled" (dict "a" (list $dot) ))) "r") -}} +{{- $certNames := (keys $values.tls.certs) -}} +{{- $_ := (sortAlpha $certNames) -}} +{{- range $_, $name := $certNames -}} +{{- $cert := (index $values.tls.certs $name) -}} +{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $cert.enabled true) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" (get (fromJson (include "redpanda.CertSecretName" (dict "a" (list $dot $name $cert) ))) "r") "defaultMode" (0o440 | int) )) )) (dict "name" (printf "redpanda-%s-cert" $name) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $adminTLS := $values.listeners.admin.tls -}} +{{- $cert := (index $values.tls.certs $adminTLS.cert) -}} +{{- if $adminTLS.requireClientAuth -}} +{{- $secretName := (printf "%s-client" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- if (ne $cert.clientSecretRef (coalesce nil)) -}} +{{- $secretName = $cert.clientSecretRef.name -}} +{{- end -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" $secretName "defaultMode" (0o440 | int) )) )) (dict "name" "mtls-client" )))) -}} +{{- end -}} +{{- end -}} +{{- $sasl_6 := $values.auth.sasl -}} +{{- if (and $sasl_6.enabled (ne $sasl_6.secretRef "")) -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" $sasl_6.secretRef )) )) (dict "name" "users" )))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $volumes) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.CertSecretName" -}} +{{- $dot := (index .a 0) -}} +{{- $certName := (index .a 1) -}} +{{- $cert := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne $cert.secretRef (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $cert.secretRef.name) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s-%s-cert" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $certName)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.PodSecurityContext" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $sc := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.statefulset.podSecurityContext $values.statefulset.securityContext) ))) "r") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict ) (dict "fsGroup" $sc.fsGroup "fsGroupChangePolicy" $sc.fsGroupChangePolicy ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ContainerSecurityContext" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $sc := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.statefulset.podSecurityContext $values.statefulset.securityContext) ))) "r") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict ) (dict "runAsUser" $sc.runAsUser "runAsGroup" (get (fromJson (include "redpanda.coalesce" (dict "a" (list (list $sc.runAsGroup $sc.fsGroup)) ))) "r") "allowPrivilegeEscalation" (get (fromJson (include "redpanda.coalesce" (dict "a" (list (list $sc.allowPrivilegeEscalation $sc.allowPriviledgeEscalation)) ))) "r") "runAsNonRoot" $sc.runAsNonRoot ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaAtLeast_22_2_0" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.redpandaAtLeast" (dict "a" (list $dot ">=22.2.0-0 || <0.0.1-0") ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaAtLeast_22_3_0" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.redpandaAtLeast" (dict "a" (list $dot ">=22.3.0-0 || <0.0.1-0") ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaAtLeast_23_1_1" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.redpandaAtLeast" (dict "a" (list $dot ">=23.1.1-0 || <0.0.1-0") ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaAtLeast_23_1_2" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.redpandaAtLeast" (dict "a" (list $dot ">=23.1.2-0 || <0.0.1-0") ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaAtLeast_22_3_atleast_22_3_13" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.redpandaAtLeast" (dict "a" (list $dot ">=22.3.13-0,<22.4") ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaAtLeast_22_2_atleast_22_2_10" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.redpandaAtLeast" (dict "a" (list $dot ">=22.2.10-0,<22.3") ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaAtLeast_23_2_1" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.redpandaAtLeast" (dict "a" (list $dot ">=23.2.1-0 || <0.0.1-0") ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaAtLeast_23_3_0" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.redpandaAtLeast" (dict "a" (list $dot ">=23.3.0-0 || <0.0.1-0") ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.redpandaAtLeast" -}} +{{- $dot := (index .a 0) -}} +{{- $constraint := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $version := (trimPrefix "v" (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")) -}} +{{- $tmp_tuple_3 := (get (fromJson (include "_shims.compact" (dict "a" (list (list (semverCompare $constraint $version) nil)) ))) "r") -}} +{{- $err := $tmp_tuple_3.T2 -}} +{{- $result := $tmp_tuple_3.T1 -}} +{{- if (ne $err (coalesce nil)) -}} +{{- $_ := (fail $err) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.cleanForK8s" -}} +{{- $in := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (trimSuffix "-" (trunc (63 | int) $in))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaSMP" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $coresInMillies := ((get (fromJson (include "_shims.resource_MilliValue" (dict "a" (list $values.resources.cpu.cores) ))) "r") | int64) -}} +{{- if (lt $coresInMillies (1000 | int64)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (1 | int64)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" ((get (fromJson (include "_shims.resource_Value" (dict "a" (list $values.resources.cpu.cores) ))) "r") | int64)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.coalesce" -}} +{{- $values := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- range $_, $v := $values -}} +{{- if (ne $v (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $v) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.StrategicMergePatch" -}} +{{- $overrides := (index .a 0) -}} +{{- $original := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne $overrides.labels (coalesce nil)) -}} +{{- $_ := (set $original.metadata "labels" (merge (dict ) $overrides.labels (default (dict ) $original.metadata.labels))) -}} +{{- end -}} +{{- if (ne $overrides.annotations (coalesce nil)) -}} +{{- $_ := (set $original.metadata "annotations" (merge (dict ) $overrides.annotations (default (dict ) $original.metadata.annotations))) -}} +{{- end -}} +{{- if (ne $overrides.spec.securityContext (coalesce nil)) -}} +{{- $_ := (set $original.spec "securityContext" (merge (dict ) $overrides.spec.securityContext (default (mustMergeOverwrite (dict ) (dict )) $original.spec.securityContext))) -}} +{{- end -}} +{{- $overrideContainers := (dict ) -}} +{{- range $i, $_ := $overrides.spec.containers -}} +{{- $container := (index $overrides.spec.containers $i) -}} +{{- $_ := (set $overrideContainers (toString $container.name) $container) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $merged := (coalesce nil) -}} +{{- range $_, $container := $original.spec.containers -}} +{{- $tmp_tuple_4 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $overrideContainers $container.name (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok_8 := $tmp_tuple_4.T2 -}} +{{- $override_7 := $tmp_tuple_4.T1 -}} +{{- if $ok_8 -}} +{{- $env := (concat (default (list ) $container.env) (default (list ) $override_7.env)) -}} +{{- $container = (merge (dict ) $override_7 $container) -}} +{{- $_ := (set $container "env" $env) -}} +{{- end -}} +{{- if (eq $container.env (coalesce nil)) -}} +{{- $_ := (set $container "env" (list )) -}} +{{- end -}} +{{- $merged = (concat (default (list ) $merged) (list $container)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_ := (set $original.spec "containers" $merged) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $original) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.5/templates/_helpers.tpl b/charts/redpanda/redpanda/5.9.5/templates/_helpers.tpl new file mode 100644 index 000000000..a885f9dcd --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/_helpers.tpl @@ -0,0 +1,368 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{/* +Expand the name of the chart. +*/}} +{{- define "redpanda.name" -}} +{{- get ((include "redpanda.Name" (dict "a" (list .))) | fromJson) "r" }} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "redpanda.fullname" -}} +{{- get ((include "redpanda.Fullname" (dict "a" (list .))) | fromJson) "r" }} +{{- end -}} + +{{/* +Create a default service name +*/}} +{{- define "redpanda.servicename" -}} +{{- get ((include "redpanda.ServiceName" (dict "a" (list .))) | fromJson) "r" }} +{{- end -}} + +{{/* +full helm labels + common labels +*/}} +{{- define "full.labels" -}} +{{- (get ((include "redpanda.FullLabels" (dict "a" (list .))) | fromJson) "r") | toYaml }} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "redpanda.chart" -}} +{{- get ((include "redpanda.Chart" (dict "a" (list .))) | fromJson) "r" }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "redpanda.serviceAccountName" -}} +{{- get ((include "redpanda.ServiceAccountName" (dict "a" (list .))) | fromJson) "r" }} +{{- end }} + +{{/* +Use AppVersion if image.tag is not set +*/}} +{{- define "redpanda.tag" -}} +{{- get ((include "redpanda.Tag" (dict "a" (list .))) | fromJson) "r" }} +{{- end -}} + +{{/* Generate internal fqdn */}} +{{- define "redpanda.internal.domain" -}} +{{- get ((include "redpanda.InternalDomain" (dict "a" (list .))) | fromJson) "r" }} +{{- end -}} + +{{/* ConfigMap variables */}} +{{- define "admin-internal-tls-enabled" -}} +{{- toJson (dict "bool" (get ((include "redpanda.InternalTLS.IsEnabled" (dict "a" (list .Values.listeners.admin.tls .Values.tls))) | fromJson) "r")) -}} +{{- end -}} + +{{- define "kafka-internal-tls-enabled" -}} +{{- $listener := .Values.listeners.kafka -}} +{{- toJson (dict "bool" (and (dig "tls" "enabled" .Values.tls.enabled $listener) (not (empty (dig "tls" "cert" "" $listener))))) -}} +{{- end -}} + +{{- define "kafka-external-tls-cert" -}} +{{- dig "tls" "cert" .Values.listeners.kafka.tls.cert .listener -}} +{{- end -}} + +{{- define "http-internal-tls-enabled" -}} +{{- $listener := .Values.listeners.http -}} +{{- toJson (dict "bool" (and (dig "tls" "enabled" .Values.tls.enabled $listener) (not (empty (dig "tls" "cert" "" $listener))))) -}} +{{- end -}} + +{{- define "schemaRegistry-internal-tls-enabled" -}} +{{- $listener := .Values.listeners.schemaRegistry -}} +{{- toJson (dict "bool" (and (dig "tls" "enabled" .Values.tls.enabled $listener) (not (empty (dig "tls" "cert" "" $listener))))) -}} +{{- end -}} + +{{- define "tls-enabled" -}} +{{- $tlsenabled := get ((include "redpanda.TLSEnabled" (dict "a" (list .))) | fromJson) "r" }} +{{- toJson (dict "bool" $tlsenabled) -}} +{{- end -}} + +{{- define "sasl-enabled" -}} +{{- toJson (dict "bool" (dig "enabled" false .Values.auth.sasl)) -}} +{{- end -}} + +{{- define "admin-api-urls" -}} +{{ printf "${SERVICE_NAME}.%s" (include "redpanda.internal.domain" .) }}:{{.Values.listeners.admin.port }} +{{- end -}} + +{{- define "admin-api-service-url" -}} +{{ include "redpanda.internal.domain" .}}:{{.Values.listeners.admin.port }} +{{- end -}} + +{{- define "sasl-mechanism" -}} +{{- dig "sasl" "mechanism" "SCRAM-SHA-512" .Values.auth -}} +{{- end -}} + +{{- define "fail-on-insecure-sasl-logging" -}} +{{- if (include "sasl-enabled" .|fromJson).bool -}} + {{- $check := list + (include "redpanda-atleast-23-1-1" .|fromJson).bool + (include "redpanda-22-3-atleast-22-3-13" .|fromJson).bool + (include "redpanda-22-2-atleast-22-2-10" .|fromJson).bool + -}} + {{- if not (mustHas true $check) -}} + {{- fail "SASL is enabled and the redpanda version specified leaks secrets to the logs. Please choose a newer version of redpanda." -}} + {{- end -}} +{{- end -}} +{{- end -}} + +{{- define "fail-on-unsupported-helm-version" -}} + {{- $helmVer := (fromYaml (toYaml .Capabilities.HelmVersion)).version -}} + {{- if semverCompare "<3.8.0-0" $helmVer -}} + {{- fail (printf "helm version %s is not supported. Please use helm version v3.8.0 or newer." $helmVer) -}} + {{- end -}} +{{- end -}} + +{{- define "redpanda-atleast-22-2-0" -}} +{{- toJson (dict "bool" (get ((include "redpanda.RedpandaAtLeast_22_2_0" (dict "a" (list .))) | fromJson) "r")) }} +{{- end -}} +{{- define "redpanda-atleast-22-3-0" -}} +{{- toJson (dict "bool" (get ((include "redpanda.RedpandaAtLeast_22_3_0" (dict "a" (list .))) | fromJson) "r")) }} +{{- end -}} +{{- define "redpanda-atleast-23-1-1" -}} +{{- toJson (dict "bool" (get ((include "redpanda.RedpandaAtLeast_23_1_1" (dict "a" (list .))) | fromJson) "r")) }} +{{- end -}} +{{- define "redpanda-atleast-23-1-2" -}} +{{- toJson (dict "bool" (get ((include "redpanda.RedpandaAtLeast_23_1_2" (dict "a" (list .))) | fromJson) "r")) }} +{{- end -}} +{{- define "redpanda-22-3-atleast-22-3-13" -}} +{{- toJson (dict "bool" (get ((include "redpanda.RedpandaAtLeast_22_3_atleast_22_3_13" (dict "a" (list .))) | fromJson) "r")) }} +{{- end -}} +{{- define "redpanda-22-2-atleast-22-2-10" -}} +{{- toJson (dict "bool" (get ((include "redpanda.RedpandaAtLeast_22_2_atleast_22_2_10" (dict "a" (list .))) | fromJson) "r")) }} +{{- end -}} +{{- define "redpanda-atleast-23-2-1" -}} +{{- toJson (dict "bool" (get ((include "redpanda.RedpandaAtLeast_23_2_1" (dict "a" (list .))) | fromJson) "r")) }} +{{- end -}} +{{- define "redpanda-atleast-23-3-0" -}} +{{- toJson (dict "bool" (get ((include "redpanda.RedpandaAtLeast_23_3_0" (dict "a" (list .))) | fromJson) "r")) }} +{{- end -}} + +{{- define "redpanda-22-2-x-without-sasl" -}} +{{- $result := (include "redpanda-atleast-22-3-0" . | fromJson).bool -}} +{{- if or (include "sasl-enabled" . | fromJson).bool .Values.listeners.kafka.authenticationMethod -}} +{{- $result := false -}} +{{- end -}} +{{- toJson (dict "bool" $result) -}} +{{- end -}} + +{{- define "pod-security-context" -}} +{{- get ((include "redpanda.PodSecurityContext" (dict "a" (list .))) | fromJson) "r" | toYaml }} +{{- end -}} + +{{- define "container-security-context" -}} +{{- get ((include "redpanda.ContainerSecurityContext" (dict "a" (list .))) | fromJson) "r" | toYaml }} +{{- end -}} + +{{- define "admin-tls-curl-flags" -}} + {{- $result := "" -}} + {{- if (include "admin-internal-tls-enabled" . | fromJson).bool -}} + {{- $path := (printf "/etc/tls/certs/%s" .Values.listeners.admin.tls.cert) -}} + {{- $result = (printf "--cacert %s/tls.crt" $path) -}} + {{- if .Values.listeners.admin.tls.requireClientAuth -}} + {{- $result = (printf "--cacert %s/ca.crt --cert %s/tls.crt --key %s/tls.key" $path $path $path) -}} + {{- end -}} + {{- end -}} + {{- $result -}} +{{- end -}} + +{{- define "admin-http-protocol" -}} + {{- $result := "http" -}} + {{- if (include "admin-internal-tls-enabled" . | fromJson).bool -}} + {{- $result = "https" -}} + {{- end -}} + {{- $result -}} +{{- end -}} + +{{- /* +advertised-port returns either the only advertised port if only one is specified, +or the port specified for this pod ordinal when there is a full list provided. + +This will return a string int or panic if there is more than one port provided, +but not enough ports for the number of replicas requested. +*/ -}} +{{- define "advertised-port" -}} + {{- $port := dig "port" .listenerVals.port .externalVals -}} + {{- if .externalVals.advertisedPorts -}} + {{- if eq (len .externalVals.advertisedPorts) 1 -}} + {{- $port = mustFirst .externalVals.advertisedPorts -}} + {{- else -}} + {{- $port = index .externalVals.advertisedPorts .replicaIndex -}} + {{- end -}} + {{- end -}} + {{ $port }} +{{- end -}} + +{{- /* +advertised-host returns a json string with the data needed for configuring the advertised listener +*/ -}} +{{- define "advertised-host" -}} + {{- $host := dict "name" .externalName "address" .externalAdvertiseAddress "port" .port -}} + {{- if .values.external.addresses -}} + {{- $address := "" -}} + {{- if gt (len .values.external.addresses) 1 -}} + {{- $address = (index .values.external.addresses .replicaIndex) -}} + {{- else -}} + {{- $address = (index .values.external.addresses 0) -}} + {{- end -}} + {{- if ( .values.external.domain | default "" ) }} + {{- $host = dict "name" .externalName "address" (printf "%s.%s" $address .values.external.domain) "port" .port -}} + {{- else -}} + {{- $host = dict "name" .externalName "address" $address "port" .port -}} + {{- end -}} + {{- end -}} + {{- toJson $host -}} +{{- end -}} + +{{- define "is-licensed" -}} +{{- toJson (dict "bool" (or (not (empty (include "enterprise-license" . ))) (not (empty (include "enterprise-secret" . ))))) -}} +{{- end -}} + +{{- define "seed-server-list" -}} + {{- $brokers := list -}} + {{- range $ordinal := until (.Values.statefulset.replicas | int) -}} + {{- $brokers = append $brokers (printf "%s-%d.%s" + (include "redpanda.fullname" $) + $ordinal + (include "redpanda.internal.domain" $)) + -}} + {{- end -}} + {{- toJson $brokers -}} +{{- end -}} + +{{/* +return license checks deprecated values if current values is empty +*/}} +{{- define "enterprise-license" -}} +{{- if dig "license" dict .Values.enterprise -}} + {{- .Values.enterprise.license -}} +{{- else -}} + {{- .Values.license_key -}} +{{- end -}} +{{- end -}} + +{{/* +return licenseSecretRef checks deprecated values entry if current values empty +*/}} +{{- define "enterprise-secret" -}} +{{- if ( dig "licenseSecretRef" dict .Values.enterprise ) -}} + {{- .Values.enterprise.licenseSecretRef -}} +{{- else if not (empty .Values.license_secret_ref ) -}} + {{- .Values.license_secret_ref -}} +{{- end -}} +{{- end -}} + +{{/* +return licenseSecretRef.name checks deprecated values entry if current values empty +*/}} +{{- define "enterprise-secret-name" -}} +{{- if ( dig "licenseSecretRef" dict .Values.enterprise ) -}} + {{- dig "name" "" .Values.enterprise.licenseSecretRef -}} +{{- else if not (empty .Values.license_secret_ref ) -}} + {{- dig "secret_name" "" .Values.license_secret_ref -}} +{{- end -}} +{{- end -}} + +{{/* +return licenseSecretRef.key checks deprecated values entry if current values empty +*/}} +{{- define "enterprise-secret-key" -}} +{{- if ( dig "licenseSecretRef" dict .Values.enterprise ) -}} + {{- dig "key" "" .Values.enterprise.licenseSecretRef -}} +{{- else if not (empty .Values.license_secret_ref ) -}} + {{- dig "secret_key" "" .Values.license_secret_ref -}} +{{- end -}} +{{- end -}} + +{{/* mounts that are common to all containers */}} +{{- define "common-mounts" -}} +{{- $mounts := get ((include "redpanda.CommonMounts" (dict "a" (list .))) | fromJson) "r" }} +{{- if $mounts -}} +{{- toYaml $mounts -}} +{{- end -}} +{{- end -}} + +{{/* mounts that are common to most containers */}} +{{- define "default-mounts" -}} +{{- $mounts := get ((include "redpanda.DefaultMounts" (dict "a" (list .))) | fromJson) "r" }} +{{- if $mounts -}} +{{- toYaml $mounts -}} +{{- end -}} +{{- end -}} + +{{/* volumes that are common to all pods */}} +{{- define "common-volumes" -}} +{{- $volumes := get ((include "redpanda.CommonVolumes" (dict "a" (list .))) | fromJson) "r" }} +{{- if $volumes -}} +{{- toYaml $volumes -}} +{{- end -}} +{{- end -}} + +{{/* the default set of volumes for most pods, except the sts pod */}} +{{- define "default-volumes" -}} +{{- $volumes := get ((include "redpanda.DefaultVolumes" (dict "a" (list .))) | fromJson) "r" }} +{{- if $volumes -}} +{{- toYaml $volumes -}} +{{- end -}} +{{- end -}} + +{{/* support legacy storage.tieredConfig */}} +{{- define "storage-tiered-config" -}} +{{- $cfg := get ((include "redpanda.StorageTieredConfig" (dict "a" (list .))) | fromJson) "r" }} +{{- if $cfg -}} +{{- toYaml $cfg -}} +{{- end -}} +{{- end -}} + +{{/* + rpk sasl environment variables + + this will return a string with the correct environment variables to use for SASL based on the + version of the redpada container being used +*/}} +{{- define "rpk-sasl-environment-variables" -}} +{{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool -}} +RPK_USER RPK_PASS RPK_SASL_MECHANISM +{{- else -}} +REDPANDA_SASL_USERNAME REDPANDA_SASL_PASSWORD REDPANDA_SASL_MECHANISM +{{- end -}} +{{- end -}} + +{{- define "curl-options" -}} +{{- print " -svm3 --fail --retry \"120\" --retry-max-time \"120\" --retry-all-errors -o - -w \"\\nstatus=%{http_code} %{redirect_url} size=%{size_download} time=%{time_total} content-type=\\\"%{content_type}\\\"\\n\" "}} +{{- end -}} + +{{- define "advertised-address-template" -}} + {{- $prefixTemplate := dig "prefixTemplate" "" .externalListener -}} + {{- if empty $prefixTemplate -}} + {{- $prefixTemplate = dig "prefixTemplate" "" .externalVals -}} + {{- end -}} + {{ quote $prefixTemplate }} +{{- end -}} + +{{/* check if client auth is enabled for any of the listeners */}} +{{- define "client-auth-required" -}} +{{- $requireClientAuth := get ((include "redpanda.ClientAuthRequired" (dict "a" (list .))) | fromJson) "r" }} +{{- toJson (dict "bool" $requireClientAuth) -}} +{{- end -}} diff --git a/charts/redpanda/redpanda/5.9.5/templates/_memory.go.tpl b/charts/redpanda/redpanda/5.9.5/templates/_memory.go.tpl new file mode 100644 index 000000000..9f839e66b --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/_memory.go.tpl @@ -0,0 +1,63 @@ +{{- /* Generated from "memory.go" */ -}} + +{{- define "redpanda.RedpandaReserveMemory" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $rpMem_1 := $values.resources.memory.redpanda -}} +{{- if (and (ne $rpMem_1 (coalesce nil)) (ne $rpMem_1.reserveMemory (coalesce nil))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" ((div ((get (fromJson (include "_shims.resource_Value" (dict "a" (list $rpMem_1.reserveMemory) ))) "r") | int64) ((mul (1024 | int) (1024 | int)))) | int64)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" ((add (((mulf (((get (fromJson (include "redpanda.ContainerMemory" (dict "a" (list $dot) ))) "r") | int64) | float64) 0.002) | float64) | int64) (200 | int64)) | int64)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaMemory" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $memory := ((0 | int64) | int64) -}} +{{- $containerMemory := ((get (fromJson (include "redpanda.ContainerMemory" (dict "a" (list $dot) ))) "r") | int64) -}} +{{- $rpMem_2 := $values.resources.memory.redpanda -}} +{{- if (and (ne $rpMem_2 (coalesce nil)) (ne $rpMem_2.memory (coalesce nil))) -}} +{{- $memory = ((div ((get (fromJson (include "_shims.resource_Value" (dict "a" (list $rpMem_2.memory) ))) "r") | int64) ((mul (1024 | int) (1024 | int)))) | int64) -}} +{{- else -}} +{{- $memory = (((mulf ($containerMemory | float64) 0.8) | float64) | int64) -}} +{{- end -}} +{{- if (eq $memory (0 | int64)) -}} +{{- $_ := (fail "unable to get memory value redpanda-memory") -}} +{{- end -}} +{{- if (lt $memory (256 | int64)) -}} +{{- $_ := (fail (printf "%d is below the minimum value for Redpanda" $memory)) -}} +{{- end -}} +{{- if (gt ((add $memory ((get (fromJson (include "redpanda.RedpandaReserveMemory" (dict "a" (list $dot) ))) "r") | int64)) | int64) $containerMemory) -}} +{{- $_ := (fail (printf "Not enough container memory for Redpanda memory values where Redpanda: %d, reserve: %d, container: %d" $memory ((get (fromJson (include "redpanda.RedpandaReserveMemory" (dict "a" (list $dot) ))) "r") | int64) $containerMemory)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $memory) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ContainerMemory" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (ne $values.resources.memory.container.min (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" ((div ((get (fromJson (include "_shims.resource_Value" (dict "a" (list $values.resources.memory.container.min) ))) "r") | int64) ((mul (1024 | int) (1024 | int)))) | int64)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" ((div ((get (fromJson (include "_shims.resource_Value" (dict "a" (list $values.resources.memory.container.max) ))) "r") | int64) ((mul (1024 | int) (1024 | int)))) | int64)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.5/templates/_notes.go.tpl b/charts/redpanda/redpanda/5.9.5/templates/_notes.go.tpl new file mode 100644 index 000000000..6c1e88a61 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/_notes.go.tpl @@ -0,0 +1,167 @@ +{{- /* Generated from "notes.go" */ -}} + +{{- define "redpanda.Warnings" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $warnings := (coalesce nil) -}} +{{- $w_1 := (get (fromJson (include "redpanda.cpuWarning" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne $w_1 "") -}} +{{- $warnings = (concat (default (list ) $warnings) (list (printf `**Warning**: %s` $w_1))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $warnings) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.cpuWarning" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $coresInMillis := ((get (fromJson (include "_shims.resource_MilliValue" (dict "a" (list $values.resources.cpu.cores) ))) "r") | int64) -}} +{{- if (lt $coresInMillis (1000 | int64)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%dm is below the minimum recommended CPU value for Redpanda" $coresInMillis)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" "") | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Notes" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $anySASL := (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r") -}} +{{- $notes := (coalesce nil) -}} +{{- $notes = (concat (default (list ) $notes) (list `` `` `` `` (printf `Congratulations on installing %s!` $dot.Chart.Name) `` `The pods will rollout in a few seconds. To check the status:` `` (printf ` kubectl -n %s rollout status statefulset %s --watch` $dot.Release.Namespace (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")))) -}} +{{- if (and $values.external.enabled (eq $values.external.type "LoadBalancer")) -}} +{{- $notes = (concat (default (list ) $notes) (list `` `If you are using the load balancer service with a cloud provider, the services will likely have automatically-generated addresses. In this scenario the advertised listeners must be updated in order for external access to work. Run the following command once Redpanda is deployed:` `` (printf ` helm upgrade %s redpanda/redpanda --reuse-values -n %s --set $(kubectl get svc -n %s -o jsonpath='{"external.addresses={"}{ range .items[*]}{.status.loadBalancer.ingress[0].ip }{.status.loadBalancer.ingress[0].hostname}{","}{ end }{"}\n"}')` (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") $dot.Release.Namespace $dot.Release.Namespace))) -}} +{{- end -}} +{{- $profiles := (keys $values.listeners.kafka.external) -}} +{{- $_ := (sortAlpha $profiles) -}} +{{- $profileName := (index $profiles (0 | int)) -}} +{{- $notes = (concat (default (list ) $notes) (list `` `Set up rpk for access to your external listeners:`)) -}} +{{- $profile := (index $values.listeners.kafka.external $profileName) -}} +{{- if (get (fromJson (include "redpanda.TLSEnabled" (dict "a" (list $dot) ))) "r") -}} +{{- $external := "" -}} +{{- if (and (ne $profile.tls (coalesce nil)) (ne $profile.tls.cert (coalesce nil))) -}} +{{- $external = $profile.tls.cert -}} +{{- else -}} +{{- $external = $values.listeners.kafka.tls.cert -}} +{{- end -}} +{{- $notes = (concat (default (list ) $notes) (list (printf ` kubectl get secret -n %s %s-%s-cert -o go-template='{{ index .data "ca.crt" | base64decode }}' > ca.crt` $dot.Release.Namespace (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $external))) -}} +{{- if (or $values.listeners.kafka.tls.requireClientAuth $values.listeners.admin.tls.requireClientAuth) -}} +{{- $notes = (concat (default (list ) $notes) (list (printf ` kubectl get secret -n %s %s-client -o go-template='{{ index .data "tls.crt" | base64decode }}' > tls.crt` $dot.Release.Namespace (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) (printf ` kubectl get secret -n %s %s-client -o go-template='{{ index .data "tls.key" | base64decode }}' > tls.key` $dot.Release.Namespace (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")))) -}} +{{- end -}} +{{- end -}} +{{- $notes = (concat (default (list ) $notes) (list (printf ` rpk profile create --from-profile <(kubectl get configmap -n %s %s-rpk -o go-template='{{ .data.profile }}') %s` $dot.Release.Namespace (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $profileName) `` `Set up dns to look up the pods on their Kubernetes Nodes. You can use this query to get the list of short-names to IP addresses. Add your external domain to the hostnames and you could test by adding these to your /etc/hosts:` `` (printf ` kubectl get pod -n %s -o custom-columns=node:.status.hostIP,name:.metadata.name --no-headers -l app.kubernetes.io/name=redpanda,app.kubernetes.io/component=redpanda-statefulset` $dot.Release.Namespace))) -}} +{{- if $anySASL -}} +{{- $notes = (concat (default (list ) $notes) (list `` `Set the credentials in the environment:` `` (printf ` kubectl -n %s get secret %s -o go-template="{{ range .data }}{{ . | base64decode }}{{ end }}" | IFS=: read -r %s` $dot.Release.Namespace $values.auth.sasl.secretRef (get (fromJson (include "redpanda.RpkSASLEnvironmentVariables" (dict "a" (list $dot) ))) "r")) (printf ` export %s` (get (fromJson (include "redpanda.RpkSASLEnvironmentVariables" (dict "a" (list $dot) ))) "r")))) -}} +{{- end -}} +{{- $notes = (concat (default (list ) $notes) (list `` `Try some sample commands:`)) -}} +{{- if $anySASL -}} +{{- $notes = (concat (default (list ) $notes) (list `Create a user:` `` (printf ` %s` (get (fromJson (include "redpanda.RpkACLUserCreate" (dict "a" (list $dot) ))) "r")) `` `Give the user permissions:` `` (printf ` %s` (get (fromJson (include "redpanda.RpkACLCreate" (dict "a" (list $dot) ))) "r")))) -}} +{{- end -}} +{{- $notes = (concat (default (list ) $notes) (list `` `Get the api status:` `` (printf ` %s` (get (fromJson (include "redpanda.RpkClusterInfo" (dict "a" (list $dot) ))) "r")) `` `Create a topic` `` (printf ` %s` (get (fromJson (include "redpanda.RpkTopicCreate" (dict "a" (list $dot) ))) "r")) `` `Describe the topic:` `` (printf ` %s` (get (fromJson (include "redpanda.RpkTopicDescribe" (dict "a" (list $dot) ))) "r")) `` `Delete the topic:` `` (printf ` %s` (get (fromJson (include "redpanda.RpkTopicDelete" (dict "a" (list $dot) ))) "r")))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $notes) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RpkACLUserCreate" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf `rpk acl user create myuser --new-password changeme --mechanism %s` (get (fromJson (include "redpanda.SASLMechanism" (dict "a" (list $dot) ))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SASLMechanism" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (ne $values.auth.sasl (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $values.auth.sasl.mechanism) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" "SCRAM-SHA-512") | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RpkACLCreate" -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" `rpk acl create --allow-principal 'myuser' --allow-host '*' --operation all --topic 'test-topic'`) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RpkClusterInfo" -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" `rpk cluster info`) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RpkTopicCreate" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf `rpk topic create test-topic -p 3 -r %d` (min (3 | int64) (($values.statefulset.replicas | int) | int64)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RpkTopicDescribe" -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" `rpk topic describe test-topic`) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RpkTopicDelete" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" `rpk topic delete test-topic`) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RpkSASLEnvironmentVariables" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (get (fromJson (include "redpanda.RedpandaAtLeast_23_2_1" (dict "a" (list $dot) ))) "r") -}} +{{- $_is_returning = true -}} +{{- (dict "r" `RPK_USER RPK_PASS RPK_SASL_MECHANISM`) | toJson -}} +{{- break -}} +{{- else -}} +{{- $_is_returning = true -}} +{{- (dict "r" `REDPANDA_SASL_USERNAME REDPANDA_SASL_PASSWORD REDPANDA_SASL_MECHANISM`) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.5/templates/_poddisruptionbudget.go.tpl b/charts/redpanda/redpanda/5.9.5/templates/_poddisruptionbudget.go.tpl new file mode 100644 index 000000000..763b7b0bd --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/_poddisruptionbudget.go.tpl @@ -0,0 +1,21 @@ +{{- /* Generated from "poddisruptionbudget.go" */ -}} + +{{- define "redpanda.PodDisruptionBudget" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $budget := ($values.statefulset.budget.maxUnavailable | int) -}} +{{- $minReplicas := ((div ($values.statefulset.replicas | int) (2 | int)) | int) -}} +{{- if (and (gt $budget (1 | int)) (gt $budget $minReplicas)) -}} +{{- $_ := (fail (printf "statefulset.budget.maxUnavailable is set too high to maintain quorum: %d > %d" $budget $minReplicas)) -}} +{{- end -}} +{{- $maxUnavailable := ($budget | int) -}} +{{- $matchLabels := (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") -}} +{{- $_ := (set $matchLabels "redpanda.com/poddisruptionbudget" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict "disruptionsAllowed" 0 "currentHealthy" 0 "desiredHealthy" 0 "expectedPods" 0 ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "policy/v1" "kind" "PodDisruptionBudget" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict ) (dict "selector" (mustMergeOverwrite (dict ) (dict "matchLabels" $matchLabels )) "maxUnavailable" $maxUnavailable )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.5/templates/_post-install-upgrade-job.go.tpl b/charts/redpanda/redpanda/5.9.5/templates/_post-install-upgrade-job.go.tpl new file mode 100644 index 000000000..348724b7d --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/_post-install-upgrade-job.go.tpl @@ -0,0 +1,233 @@ +{{- /* Generated from "post_install_upgrade_job.go" */ -}} + +{{- define "redpanda.PostInstallUpgradeJob" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.post_install_job.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $job := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "batch/v1" "kind" "Job" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-configuration" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "namespace" $dot.Release.Namespace "labels" (merge (dict ) (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") (default (dict ) $values.post_install_job.labels)) "annotations" (merge (dict ) (dict "helm.sh/hook" "post-install,post-upgrade" "helm.sh/hook-delete-policy" "before-hook-creation" "helm.sh/hook-weight" "-5" ) (default (dict ) $values.post_install_job.annotations)) )) "spec" (mustMergeOverwrite (dict "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) ) (dict "template" (get (fromJson (include "redpanda.StrategicMergePatch" (dict "a" (list $values.post_install_job.podTemplate (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "generateName" (printf "%s-post-" $dot.Release.Name) "labels" (merge (dict ) (dict "app.kubernetes.io/name" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/instance" $dot.Release.Name "app.kubernetes.io/component" (printf "%.50s-post-install" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r")) ) (default (dict ) $values.commonLabels)) )) "spec" (mustMergeOverwrite (dict "containers" (coalesce nil) ) (dict "nodeSelector" $values.nodeSelector "affinity" (get (fromJson (include "redpanda.postInstallJobAffinity" (dict "a" (list $dot) ))) "r") "tolerations" (get (fromJson (include "redpanda.tolerations" (dict "a" (list $dot) ))) "r") "restartPolicy" "Never" "securityContext" (get (fromJson (include "redpanda.PodSecurityContext" (dict "a" (list $dot) ))) "r") "imagePullSecrets" (default (coalesce nil) $values.imagePullSecrets) "containers" (list (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "post-install" "image" (printf "%s:%s" $values.image.repository (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")) "env" (get (fromJson (include "redpanda.rpkEnvVars" (dict "a" (list $dot (get (fromJson (include "redpanda.PostInstallUpgradeEnvironmentVariables" (dict "a" (list $dot) ))) "r")) ))) "r") "command" (list "bash" "-c") "args" (list ) "resources" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.post_install_job.resources (mustMergeOverwrite (dict ) (dict ))) ))) "r") "securityContext" (merge (dict ) (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.post_install_job.securityContext (mustMergeOverwrite (dict ) (dict ))) ))) "r") (get (fromJson (include "redpanda.ContainerSecurityContext" (dict "a" (list $dot) ))) "r")) "volumeMounts" (get (fromJson (include "redpanda.DefaultMounts" (dict "a" (list $dot) ))) "r") ))) "volumes" (get (fromJson (include "redpanda.DefaultVolumes" (dict "a" (list $dot) ))) "r") "serviceAccountName" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") )) ))) ))) "r") )) )) -}} +{{- $script := (coalesce nil) -}} +{{- $script = (concat (default (list ) $script) (list `set -e`)) -}} +{{- if (get (fromJson (include "redpanda.RedpandaAtLeast_22_2_0" (dict "a" (list $dot) ))) "r") -}} +{{- $script = (concat (default (list ) $script) (list `if [[ -n "$REDPANDA_LICENSE" ]] then` ` rpk cluster license set "$REDPANDA_LICENSE"` `fi`)) -}} +{{- end -}} +{{- $script = (concat (default (list ) $script) (list `` `` `` `` `rpk cluster config export -f /tmp/cfg.yml` `` `` `for KEY in "${!RPK_@}"; do` ` if ! [[ "$KEY" =~ ^(RPK_USER|RPK_PASS|RPK_SASL_MECHANISM)$ ]]; then` ` config="${KEY#*RPK_}"` ` rpk redpanda config set --config /tmp/cfg.yml "${config,,}" "${!KEY}"` ` fi` `done` `` `` `rpk cluster config import -f /tmp/cfg.yml` ``)) -}} +{{- $_ := (set (index $job.spec.template.spec.containers (0 | int)) "args" (concat (default (list ) (index $job.spec.template.spec.containers (0 | int)).args) (list (join "\n" $script)))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $job) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.postInstallJobAffinity" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not (empty $values.post_install_job.affinity)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $values.post_install_job.affinity) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) $values.post_install_job.affinity $values.affinity)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.tolerations" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $result := (coalesce nil) -}} +{{- range $_, $t := $values.tolerations -}} +{{- $result = (concat (default (list ) $result) (list (merge (dict ) $t))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.PostInstallUpgradeEnvironmentVariables" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $envars := (list ) -}} +{{- $license_1 := (get (fromJson (include "redpanda.GetLicenseLiteral" (dict "a" (list $dot) ))) "r") -}} +{{- $secretReference_2 := (get (fromJson (include "redpanda.GetLicenseSecretReference" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne $license_1 "") -}} +{{- $envars = (concat (default (list ) $envars) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_LICENSE" "value" $license_1 )))) -}} +{{- else -}}{{- if (ne $secretReference_2 (coalesce nil)) -}} +{{- $envars = (concat (default (list ) $envars) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_LICENSE" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" $secretReference_2 )) )))) -}} +{{- end -}} +{{- end -}} +{{- if (not (get (fromJson (include "redpanda.Storage.IsTieredStorageEnabled" (dict "a" (list $values.storage) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $envars) | toJson -}} +{{- break -}} +{{- end -}} +{{- $tieredStorageConfig := (get (fromJson (include "redpanda.Storage.GetTieredStorageConfig" (dict "a" (list $values.storage) ))) "r") -}} +{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $tieredStorageConfig "cloud_storage_azure_container" (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $azureContainerExists := $tmp_tuple_1.T2 -}} +{{- $ac := $tmp_tuple_1.T1 -}} +{{- $tmp_tuple_2 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $tieredStorageConfig "cloud_storage_azure_storage_account" (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $azureStorageAccountExists := $tmp_tuple_2.T2 -}} +{{- $asa := $tmp_tuple_2.T1 -}} +{{- if (and (and (and $azureContainerExists (ne $ac (coalesce nil))) $azureStorageAccountExists) (ne $asa (coalesce nil))) -}} +{{- $envars = (concat (default (list ) $envars) (default (list ) (get (fromJson (include "redpanda.addAzureSharedKey" (dict "a" (list $tieredStorageConfig $values) ))) "r"))) -}} +{{- else -}} +{{- $envars = (concat (default (list ) $envars) (default (list ) (get (fromJson (include "redpanda.addCloudStorageSecretKey" (dict "a" (list $tieredStorageConfig $values) ))) "r"))) -}} +{{- end -}} +{{- $envars = (concat (default (list ) $envars) (default (list ) (get (fromJson (include "redpanda.addCloudStorageAccessKey" (dict "a" (list $tieredStorageConfig $values) ))) "r"))) -}} +{{- range $k, $v := $tieredStorageConfig -}} +{{- if (or (or (eq $k "cloud_storage_access_key") (eq $k "cloud_storage_secret_key")) (eq $k "cloud_storage_azure_shared_key")) -}} +{{- continue -}} +{{- end -}} +{{- if (or (eq $v (coalesce nil)) (empty $v)) -}} +{{- continue -}} +{{- end -}} +{{- if (eq $k "cloud_storage_cache_size") -}} +{{- $envars = (concat (default (list ) $envars) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" (printf "RPK_%s" (upper $k)) "value" (toJson ((get (fromJson (include "_shims.resource_Value" (dict "a" (list $v) ))) "r") | int64)) )))) -}} +{{- continue -}} +{{- end -}} +{{- $tmp_tuple_3 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list "string" $v "") ))) "r")) ))) "r") -}} +{{- $ok_4 := $tmp_tuple_3.T2 -}} +{{- $str_3 := $tmp_tuple_3.T1 -}} +{{- if $ok_4 -}} +{{- $envars = (concat (default (list ) $envars) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" (printf "RPK_%s" (upper $k)) "value" $str_3 )))) -}} +{{- else -}} +{{- $envars = (concat (default (list ) $envars) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" (printf "RPK_%s" (upper $k)) "value" (mustToJson $v) )))) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $envars) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.addCloudStorageAccessKey" -}} +{{- $tieredStorageConfig := (index .a 0) -}} +{{- $values := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_4 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $tieredStorageConfig "cloud_storage_access_key" (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok_6 := $tmp_tuple_4.T2 -}} +{{- $v_5 := $tmp_tuple_4.T1 -}} +{{- $ak_7 := $values.storage.tiered.credentialsSecretRef.accessKey -}} +{{- if (and $ok_6 (ne $v_5 "")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "RPK_CLOUD_STORAGE_ACCESS_KEY" "value" (get (fromJson (include "_shims.typeassertion" (dict "a" (list "string" $v_5) ))) "r") )))) | toJson -}} +{{- break -}} +{{- else -}}{{- if (get (fromJson (include "redpanda.SecretRef.IsValid" (dict "a" (list $ak_7) ))) "r") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "RPK_CLOUD_STORAGE_ACCESS_KEY" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" $ak_7.name )) (dict "key" $ak_7.key )) )) )))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list )) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.addCloudStorageSecretKey" -}} +{{- $tieredStorageConfig := (index .a 0) -}} +{{- $values := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_5 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $tieredStorageConfig "cloud_storage_secret_key" (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok_9 := $tmp_tuple_5.T2 -}} +{{- $v_8 := $tmp_tuple_5.T1 -}} +{{- $sk_10 := $values.storage.tiered.credentialsSecretRef.secretKey -}} +{{- if (and $ok_9 (ne $v_8 "")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "RPK_CLOUD_STORAGE_SECRET_KEY" "value" (get (fromJson (include "_shims.typeassertion" (dict "a" (list "string" $v_8) ))) "r") )))) | toJson -}} +{{- break -}} +{{- else -}}{{- if (get (fromJson (include "redpanda.SecretRef.IsValid" (dict "a" (list $sk_10) ))) "r") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "RPK_CLOUD_STORAGE_SECRET_KEY" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" $sk_10.name )) (dict "key" $sk_10.key )) )) )))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list )) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.addAzureSharedKey" -}} +{{- $tieredStorageConfig := (index .a 0) -}} +{{- $values := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_6 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $tieredStorageConfig "cloud_storage_azure_shared_key" (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok_12 := $tmp_tuple_6.T2 -}} +{{- $v_11 := $tmp_tuple_6.T1 -}} +{{- $sk_13 := $values.storage.tiered.credentialsSecretRef.secretKey -}} +{{- if (and $ok_12 (ne $v_11 "")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "RPK_CLOUD_STORAGE_AZURE_SHARED_KEY" "value" (get (fromJson (include "_shims.typeassertion" (dict "a" (list "string" $v_11) ))) "r") )))) | toJson -}} +{{- break -}} +{{- else -}}{{- if (get (fromJson (include "redpanda.SecretRef.IsValid" (dict "a" (list $sk_13) ))) "r") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "RPK_CLOUD_STORAGE_AZURE_SHARED_KEY" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" $sk_13.name )) (dict "key" $sk_13.key )) )) )))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list )) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.GetLicenseLiteral" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (ne $values.enterprise.license "") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $values.enterprise.license) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $values.license_key) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.GetLicenseSecretReference" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not (empty $values.enterprise.licenseSecretRef)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" $values.enterprise.licenseSecretRef.name )) (dict "key" $values.enterprise.licenseSecretRef.key ))) | toJson -}} +{{- break -}} +{{- else -}}{{- if (not (empty $values.license_secret_ref)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" $values.license_secret_ref.secret_name )) (dict "key" $values.license_secret_ref.secret_key ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.5/templates/_secrets.go.tpl b/charts/redpanda/redpanda/5.9.5/templates/_secrets.go.tpl new file mode 100644 index 000000000..65ccf5d71 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/_secrets.go.tpl @@ -0,0 +1,422 @@ +{{- /* Generated from "secrets.go" */ -}} + +{{- define "redpanda.Secrets" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $secrets := (coalesce nil) -}} +{{- $secrets = (concat (default (list ) $secrets) (list (get (fromJson (include "redpanda.SecretSTSLifecycle" (dict "a" (list $dot) ))) "r"))) -}} +{{- $saslUsers_1 := (get (fromJson (include "redpanda.SecretSASLUsers" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne $saslUsers_1 (coalesce nil)) -}} +{{- $secrets = (concat (default (list ) $secrets) (list $saslUsers_1)) -}} +{{- end -}} +{{- $configWatcher_2 := (get (fromJson (include "redpanda.SecretConfigWatcher" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne $configWatcher_2 (coalesce nil)) -}} +{{- $secrets = (concat (default (list ) $secrets) (list $configWatcher_2)) -}} +{{- end -}} +{{- $secrets = (concat (default (list ) $secrets) (list (get (fromJson (include "redpanda.SecretConfigurator" (dict "a" (list $dot) ))) "r"))) -}} +{{- $fsValidator_3 := (get (fromJson (include "redpanda.SecretFSValidator" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne $fsValidator_3 (coalesce nil)) -}} +{{- $secrets = (concat (default (list ) $secrets) (list $fsValidator_3)) -}} +{{- end -}} +{{- $bootstrapUser_4 := (get (fromJson (include "redpanda.SecretBootstrapUser" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne $bootstrapUser_4 (coalesce nil)) -}} +{{- $secrets = (concat (default (list ) $secrets) (list $bootstrapUser_4)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $secrets) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SecretSTSLifecycle" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $secret := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Secret" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-sts-lifecycle" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "type" "Opaque" "stringData" (dict ) )) -}} +{{- $adminCurlFlags := (get (fromJson (include "redpanda.adminTLSCurlFlags" (dict "a" (list $dot) ))) "r") -}} +{{- $_ := (set $secret.stringData "common.sh" (join "\n" (list `#!/usr/bin/env bash` `` `# the SERVICE_NAME comes from the metadata.name of the pod, essentially the POD_NAME` (printf `CURL_URL="%s"` (get (fromJson (include "redpanda.adminInternalURL" (dict "a" (list $dot) ))) "r")) `` `# commands used throughout` (printf `CURL_NODE_ID_CMD="curl --silent --fail %s ${CURL_URL}/v1/node_config"` $adminCurlFlags) `` `CURL_MAINTENANCE_DELETE_CMD_PREFIX='curl -X DELETE --silent -o /dev/null -w "%{http_code}"'` `CURL_MAINTENANCE_PUT_CMD_PREFIX='curl -X PUT --silent -o /dev/null -w "%{http_code}"'` (printf `CURL_MAINTENANCE_GET_CMD="curl -X GET --silent %s ${CURL_URL}/v1/maintenance"` $adminCurlFlags)))) -}} +{{- $postStartSh := (list `#!/usr/bin/env bash` `# This code should be similar if not exactly the same as that found in the panda-operator, see` `# https://github.com/redpanda-data/redpanda/blob/e51d5b7f2ef76d5160ca01b8c7a8cf07593d29b6/src/go/k8s/pkg/resources/secret.go` `` `# path below should match the path defined on the statefulset` `source /var/lifecycle/common.sh` `` `postStartHook () {` ` set -x` `` ` touch /tmp/postStartHookStarted` `` ` until NODE_ID=$(${CURL_NODE_ID_CMD} | grep -o '\"node_id\":[^,}]*' | grep -o '[^: ]*$'); do` ` sleep 0.5` ` done` `` ` echo "Clearing maintenance mode on node ${NODE_ID}"` (printf ` CURL_MAINTENANCE_DELETE_CMD="${CURL_MAINTENANCE_DELETE_CMD_PREFIX} %s ${CURL_URL}/v1/brokers/${NODE_ID}/maintenance"` $adminCurlFlags) ` # a 400 here would mean not in maintenance mode` ` until [ "${status:-}" = '"200"' ] || [ "${status:-}" = '"400"' ]; do` ` status=$(${CURL_MAINTENANCE_DELETE_CMD})` ` sleep 0.5` ` done`) -}} +{{- if (and $values.auth.sasl.enabled (ne $values.auth.sasl.secretRef "")) -}} +{{- $postStartSh = (concat (default (list ) $postStartSh) (list ` # Setup and export SASL bootstrap-user` ` IFS=":" read -r USER_NAME PASSWORD MECHANISM < <(grep "" $(find /etc/secrets/users/* -print))` (printf ` MECHANISM=${MECHANISM:-%s}` (dig "auth" "sasl" "mechanism" "SCRAM-SHA-512" $dot.Values.AsMap)) ` rpk acl user create ${USER_NAME} -p {PASSWORD} --mechanism ${MECHANISM} || true`)) -}} +{{- end -}} +{{- $postStartSh = (concat (default (list ) $postStartSh) (list `` ` touch /tmp/postStartHookFinished` `}` `` `postStartHook` `true`)) -}} +{{- $_ := (set $secret.stringData "postStart.sh" (join "\n" $postStartSh)) -}} +{{- $preStopSh := (list `#!/usr/bin/env bash` `# This code should be similar if not exactly the same as that found in the panda-operator, see` `# https://github.com/redpanda-data/redpanda/blob/e51d5b7f2ef76d5160ca01b8c7a8cf07593d29b6/src/go/k8s/pkg/resources/secret.go` `` `touch /tmp/preStopHookStarted` `` `# path below should match the path defined on the statefulset` `source /var/lifecycle/common.sh` `` `set -x` `` `preStopHook () {` ` until NODE_ID=$(${CURL_NODE_ID_CMD} | grep -o '\"node_id\":[^,}]*' | grep -o '[^: ]*$'); do` ` sleep 0.5` ` done` `` ` echo "Setting maintenance mode on node ${NODE_ID}"` (printf ` CURL_MAINTENANCE_PUT_CMD="${CURL_MAINTENANCE_PUT_CMD_PREFIX} %s ${CURL_URL}/v1/brokers/${NODE_ID}/maintenance"` $adminCurlFlags) ` until [ "${status:-}" = '"200"' ]; do` ` status=$(${CURL_MAINTENANCE_PUT_CMD})` ` sleep 0.5` ` done` `` ` until [ "${finished:-}" = "true" ] || [ "${draining:-}" = "false" ]; do` ` res=$(${CURL_MAINTENANCE_GET_CMD})` ` finished=$(echo $res | grep -o '\"finished\":[^,}]*' | grep -o '[^: ]*$')` ` draining=$(echo $res | grep -o '\"draining\":[^,}]*' | grep -o '[^: ]*$')` ` sleep 0.5` ` done` `` ` touch /tmp/preStopHookFinished` `}`) -}} +{{- if (and (gt ($values.statefulset.replicas | int) (2 | int)) (not (get (fromJson (include "_shims.typeassertion" (dict "a" (list "bool" (dig "recovery_mode_enabled" false $values.config.node)) ))) "r"))) -}} +{{- $preStopSh = (concat (default (list ) $preStopSh) (list `preStopHook`)) -}} +{{- else -}} +{{- $preStopSh = (concat (default (list ) $preStopSh) (list `touch /tmp/preStopHookFinished` `echo "Not enough replicas or in recovery mode, cannot put a broker into maintenance mode."`)) -}} +{{- end -}} +{{- $preStopSh = (concat (default (list ) $preStopSh) (list `true`)) -}} +{{- $_ := (set $secret.stringData "preStop.sh" (join "\n" $preStopSh)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $secret) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SecretSASLUsers" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (and (and (ne $values.auth.sasl.secretRef "") $values.auth.sasl.enabled) (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.auth.sasl.users) ))) "r") | int) (0 | int))) -}} +{{- $secret := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Secret" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $values.auth.sasl.secretRef "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "type" "Opaque" "stringData" (dict ) )) -}} +{{- $usersTxt := (list ) -}} +{{- range $_, $user := $values.auth.sasl.users -}} +{{- if (empty $user.mechanism) -}} +{{- $usersTxt = (concat (default (list ) $usersTxt) (list (printf "%s:%s" $user.name $user.password))) -}} +{{- else -}} +{{- $usersTxt = (concat (default (list ) $usersTxt) (list (printf "%s:%s:%s" $user.name $user.password $user.mechanism))) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_ := (set $secret.stringData "users.txt" (join "\n" $usersTxt)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $secret) | toJson -}} +{{- break -}} +{{- else -}}{{- if (and $values.auth.sasl.enabled (eq $values.auth.sasl.secretRef "")) -}} +{{- $_ := (fail "auth.sasl.secretRef cannot be empty when auth.sasl.enabled=true") -}} +{{- else -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SecretBootstrapUser" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (or (not $values.auth.sasl.enabled) (ne $values.auth.sasl.bootstrapUser.secretKeyRef (coalesce nil))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $secretName := (printf "%s-bootstrap-user" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- if $dot.Release.IsUpgrade -}} +{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.lookup" (dict "a" (list "v1" "Secret" $dot.Release.Namespace $secretName) ))) "r")) ))) "r") -}} +{{- $ok_6 := $tmp_tuple_1.T2 -}} +{{- $existing_5 := $tmp_tuple_1.T1 -}} +{{- if $ok_6 -}} +{{- $_is_returning = true -}} +{{- (dict "r" $existing_5) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- $password := (randAlphaNum (32 | int)) -}} +{{- $userPassword := $values.auth.sasl.bootstrapUser.password -}} +{{- if (ne $userPassword (coalesce nil)) -}} +{{- $password = $userPassword -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Secret" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $secretName "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "type" "Opaque" "stringData" (dict "password" $password ) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SecretConfigWatcher" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.statefulset.sideCars.configWatcher.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $sasl := $values.auth.sasl -}} +{{- $secret := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Secret" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-config-watcher" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "type" "Opaque" "stringData" (dict ) )) -}} +{{- $saslUserSh := (coalesce nil) -}} +{{- $saslUserSh = (concat (default (list ) $saslUserSh) (list `#!/usr/bin/env bash` `` `trap 'error_handler $? $LINENO' ERR` `` `error_handler() {` ` echo "Error: ($1) occurred at line $2"` `}` `` `set -e` `` `# rpk cluster health can exit non-zero if it's unable to dial brokers. This` `# can happen for many reasons but we never want this script to crash as it` `# would take down yet another broker and make a bad situation worse.` `# Instead, just wait for the command to eventually exit zero.` `echo "Waiting for cluster to be ready"` `until rpk cluster health --watch --exit-when-healthy; do` ` echo "rpk cluster health failed. Waiting 5 seconds before trying again..."` ` sleep 5` `done`)) -}} +{{- if (and $sasl.enabled (ne $sasl.secretRef "")) -}} +{{- $saslUserSh = (concat (default (list ) $saslUserSh) (list `while true; do` ` echo "RUNNING: Monitoring and Updating SASL users"` ` USERS_DIR="/etc/secrets/users"` `` ` new_users_list(){` ` LIST=$1` ` NEW_USER=$2` ` if [[ -n "${LIST}" ]]; then` ` LIST="${NEW_USER},${LIST}"` ` else` ` LIST="${NEW_USER}"` ` fi` `` ` echo "${LIST}"` ` }` `` ` process_users() {` ` USERS_DIR=${1-"/etc/secrets/users"}` ` USERS_FILE=$(find ${USERS_DIR}/* -print)` ` USERS_LIST="kubernetes-controller"` ` READ_LIST_SUCCESS=0` ` # Read line by line, handle a missing EOL at the end of file` ` while read p || [ -n "$p" ] ; do` ` IFS=":" read -r USER_NAME PASSWORD MECHANISM <<< $p` ` # Do not process empty lines` ` if [ -z "$USER_NAME" ]; then` ` continue` ` fi` ` if [[ "${USER_NAME// /}" != "$USER_NAME" ]]; then` ` continue` ` fi` ` echo "Creating user ${USER_NAME}..."` (printf ` MECHANISM=${MECHANISM:-%s}` (dig "auth" "sasl" "mechanism" "SCRAM-SHA-512" $dot.Values.AsMap)) ` creation_result=$(rpk acl user create ${USER_NAME} -p ${PASSWORD} --mechanism ${MECHANISM} 2>&1) && creation_result_exit_code=$? || creation_result_exit_code=$? # On a non-success exit code` ` if [[ $creation_result_exit_code -ne 0 ]]; then` ` # Check if the stderr contains "User already exists"` ` # this error occurs when password has changed` ` if [[ $creation_result == *"User already exists"* ]]; then` ` echo "Update user ${USER_NAME}"` ` # we will try to update by first deleting` ` deletion_result=$(rpk acl user delete ${USER_NAME} 2>&1) && deletion_result_exit_code=$? || deletion_result_exit_code=$?` ` if [[ $deletion_result_exit_code -ne 0 ]]; then` ` echo "deletion of user ${USER_NAME} failed: ${deletion_result}"` ` READ_LIST_SUCCESS=1` ` break` ` fi` ` # Now we update the user` ` update_result=$(rpk acl user create ${USER_NAME} -p ${PASSWORD} --mechanism ${MECHANISM} 2>&1) && update_result_exit_code=$? || update_result_exit_code=$? # On a non-success exit code` ` if [[ $update_result_exit_code -ne 0 ]]; then` ` echo "updating user ${USER_NAME} failed: ${update_result}"` ` READ_LIST_SUCCESS=1` ` break` ` else` ` echo "Updated user ${USER_NAME}..."` ` USERS_LIST=$(new_users_list "${USERS_LIST}" "${USER_NAME}")` ` fi` ` else` ` # Another error occurred, so output the original message and exit code` ` echo "error creating user ${USER_NAME}: ${creation_result}"` ` READ_LIST_SUCCESS=1` ` break` ` fi` ` # On a success, the user was created so output that` ` else` ` echo "Created user ${USER_NAME}..."` ` USERS_LIST=$(new_users_list "${USERS_LIST}" "${USER_NAME}")` ` fi` ` done < $USERS_FILE` `` ` if [[ -n "${USERS_LIST}" && ${READ_LIST_SUCCESS} ]]; then` ` echo "Setting superusers configurations with users [${USERS_LIST}]"` ` superuser_result=$(rpk cluster config set superusers [${USERS_LIST}] 2>&1) && superuser_result_exit_code=$? || superuser_result_exit_code=$?` ` if [[ $superuser_result_exit_code -ne 0 ]]; then` ` echo "Setting superusers configurations failed: ${superuser_result}"` ` else` ` echo "Completed setting superusers configurations"` ` fi` ` fi` ` }` `` ` # before we do anything ensure we have the bootstrap user` ` echo "Ensuring bootstrap user ${RPK_USER}..."` ` creation_result=$(rpk acl user create ${RPK_USER} -p ${RPK_PASS} --mechanism ${RPK_SASL_MECHANISM} 2>&1) && creation_result_exit_code=$? || creation_result_exit_code=$? # On a non-success exit code` ` if [[ $creation_result_exit_code -ne 0 ]]; then` ` if [[ $creation_result == *"User already exists"* ]]; then` ` echo "Bootstrap user already created"` ` else` ` echo "error creating user ${RPK_USER}: ${creation_result}"` ` fi` ` fi` `` ` # first time processing` ` process_users $USERS_DIR` `` ` # subsequent changes detected here` ` # watching delete_self as documented in https://ahmet.im/blog/kubernetes-inotify/` ` USERS_FILE=$(find ${USERS_DIR}/* -print)` ` while RES=$(inotifywait -q -e delete_self ${USERS_FILE}); do` ` process_users $USERS_DIR` ` done` `done`)) -}} +{{- else -}} +{{- $saslUserSh = (concat (default (list ) $saslUserSh) (list `echo "Nothing to do. Sleeping..."` `sleep infinity`)) -}} +{{- end -}} +{{- $_ := (set $secret.stringData "sasl-user.sh" (join "\n" $saslUserSh)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $secret) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SecretFSValidator" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.statefulset.initContainers.fsValidator.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $secret := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Secret" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-fs-validator" (substr 0 (49 | int) (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "type" "Opaque" "stringData" (dict ) )) -}} +{{- $_ := (set $secret.stringData "fsValidator.sh" `set -e +EXPECTED_FS_TYPE=$1 + +DATA_DIR="/var/lib/redpanda/data" +TEST_FILE="testfile" + +echo "checking data directory exist..." +if [ ! -d "${DATA_DIR}" ]; then + echo "data directory does not exists, exiting" + exit 1 +fi + +echo "checking filesystem type..." +FS_TYPE=$(df -T $DATA_DIR | tail -n +2 | awk '{print $2}') + +if [ "${FS_TYPE}" != "${EXPECTED_FS_TYPE}" ]; then + echo "file system found to be ${FS_TYPE} when expected ${EXPECTED_FS_TYPE}" + exit 1 +fi + +echo "checking if able to create a test file..." + +touch ${DATA_DIR}/${TEST_FILE} +result=$(touch ${DATA_DIR}/${TEST_FILE} 2> /dev/null; echo $?) +if [ "${result}" != "0" ]; then + echo "could not write testfile, may not have write permission" + exit 1 +fi + +echo "checking if able to delete a test file..." + +result=$(rm ${DATA_DIR}/${TEST_FILE} 2> /dev/null; echo $?) +if [ "${result}" != "0" ]; then + echo "could not delete testfile" + exit 1 +fi + +echo "passed"`) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $secret) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SecretConfigurator" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $secret := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Secret" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%.51s-configurator" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "type" "Opaque" "stringData" (dict ) )) -}} +{{- $configuratorSh := (list ) -}} +{{- $configuratorSh = (concat (default (list ) $configuratorSh) (list `set -xe` `SERVICE_NAME=$1` `KUBERNETES_NODE_NAME=$2` `POD_ORDINAL=${SERVICE_NAME##*-}` "BROKER_INDEX=`expr $POD_ORDINAL + 1`" `` `CONFIG=/etc/redpanda/redpanda.yaml` `` `# Setup config files` `cp /tmp/base-config/redpanda.yaml "${CONFIG}"` `cp /tmp/base-config/bootstrap.yaml /etc/redpanda/.bootstrap.yaml`)) -}} +{{- if (not (get (fromJson (include "redpanda.RedpandaAtLeast_22_3_0" (dict "a" (list $dot) ))) "r")) -}} +{{- $configuratorSh = (concat (default (list ) $configuratorSh) (list `` `# Configure bootstrap` `## Not used for Redpanda v22.3.0+` `rpk --config "${CONFIG}" redpanda config set redpanda.node_id "${POD_ORDINAL}"` `if [ "${POD_ORDINAL}" = "0" ]; then` ` rpk --config "${CONFIG}" redpanda config set redpanda.seed_servers '[]' --format yaml` `fi`)) -}} +{{- end -}} +{{- $kafkaSnippet := (get (fromJson (include "redpanda.secretConfiguratorKafkaConfig" (dict "a" (list $dot) ))) "r") -}} +{{- $configuratorSh = (concat (default (list ) $configuratorSh) (default (list ) $kafkaSnippet)) -}} +{{- $httpSnippet := (get (fromJson (include "redpanda.secretConfiguratorHTTPConfig" (dict "a" (list $dot) ))) "r") -}} +{{- $configuratorSh = (concat (default (list ) $configuratorSh) (default (list ) $httpSnippet)) -}} +{{- if (and (get (fromJson (include "redpanda.RedpandaAtLeast_22_3_0" (dict "a" (list $dot) ))) "r") $values.rackAwareness.enabled) -}} +{{- $configuratorSh = (concat (default (list ) $configuratorSh) (list `` `# Configure Rack Awareness` `set +x` (printf `RACK=$(curl --silent --cacert /run/secrets/kubernetes.io/serviceaccount/ca.crt --fail -H 'Authorization: Bearer '$(cat /run/secrets/kubernetes.io/serviceaccount/token) "https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT_HTTPS}/api/v1/nodes/${KUBERNETES_NODE_NAME}?pretty=true" | grep %s | grep -v '\"key\":' | sed 's/.*": "\([^"]\+\).*/\1/')` (squote (quote $values.rackAwareness.nodeAnnotation))) `set -x` `rpk --config "$CONFIG" redpanda config set redpanda.rack "${RACK}"`)) -}} +{{- end -}} +{{- $_ := (set $secret.stringData "configurator.sh" (join "\n" $configuratorSh)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $secret) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.secretConfiguratorKafkaConfig" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $internalAdvertiseAddress := (printf "%s.%s" "${SERVICE_NAME}" (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r")) -}} +{{- $snippet := (coalesce nil) -}} +{{- $listenerName := "kafka" -}} +{{- $listenerAdvertisedName := $listenerName -}} +{{- $redpandaConfigPart := "redpanda" -}} +{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `LISTENER=%s` (quote (toJson (dict "name" "internal" "address" $internalAdvertiseAddress "port" ($values.listeners.kafka.port | int) )))) (printf `rpk redpanda config --config "$CONFIG" set %s.advertised_%s_api[0] "$LISTENER"` $redpandaConfigPart $listenerAdvertisedName))) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.listeners.kafka.external) ))) "r") | int) (0 | int)) -}} +{{- $externalCounter := (0 | int) -}} +{{- range $externalName, $externalVals := $values.listeners.kafka.external -}} +{{- $externalCounter = ((add $externalCounter (1 | int)) | int) -}} +{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `ADVERTISED_%s_ADDRESSES=()` (upper $listenerName)))) -}} +{{- range $_, $replicaIndex := (until (($values.statefulset.replicas | int) | int)) -}} +{{- $port := ($externalVals.port | int) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $externalVals.advertisedPorts) ))) "r") | int) (0 | int)) -}} +{{- if (eq ((get (fromJson (include "_shims.len" (dict "a" (list $externalVals.advertisedPorts) ))) "r") | int) (1 | int)) -}} +{{- $port = (index $externalVals.advertisedPorts (0 | int)) -}} +{{- else -}} +{{- $port = (index $externalVals.advertisedPorts $replicaIndex) -}} +{{- end -}} +{{- end -}} +{{- $host := (get (fromJson (include "redpanda.advertisedHostJSON" (dict "a" (list $dot $externalName $port $replicaIndex) ))) "r") -}} +{{- $address := (toJson $host) -}} +{{- $prefixTemplate := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $externalVals.prefixTemplate "") ))) "r") -}} +{{- if (eq $prefixTemplate "") -}} +{{- $prefixTemplate = (default "" $values.external.prefixTemplate) -}} +{{- end -}} +{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `PREFIX_TEMPLATE=%s` (quote $prefixTemplate)) (printf `ADVERTISED_%s_ADDRESSES+=(%s)` (upper $listenerName) (quote $address)))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `rpk redpanda config --config "$CONFIG" set %s.advertised_%s_api[%d] "${ADVERTISED_%s_ADDRESSES[$POD_ORDINAL]}"` $redpandaConfigPart $listenerAdvertisedName $externalCounter (upper $listenerName)))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $snippet) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.secretConfiguratorHTTPConfig" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $internalAdvertiseAddress := (printf "%s.%s" "${SERVICE_NAME}" (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r")) -}} +{{- $snippet := (coalesce nil) -}} +{{- $listenerName := "http" -}} +{{- $listenerAdvertisedName := "pandaproxy" -}} +{{- $redpandaConfigPart := "pandaproxy" -}} +{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `LISTENER=%s` (quote (toJson (dict "name" "internal" "address" $internalAdvertiseAddress "port" ($values.listeners.http.port | int) )))) (printf `rpk redpanda config --config "$CONFIG" set %s.advertised_%s_api[0] "$LISTENER"` $redpandaConfigPart $listenerAdvertisedName))) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.listeners.http.external) ))) "r") | int) (0 | int)) -}} +{{- $externalCounter := (0 | int) -}} +{{- range $externalName, $externalVals := $values.listeners.http.external -}} +{{- $externalCounter = ((add $externalCounter (1 | int)) | int) -}} +{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `ADVERTISED_%s_ADDRESSES=()` (upper $listenerName)))) -}} +{{- range $_, $replicaIndex := (until (($values.statefulset.replicas | int) | int)) -}} +{{- $port := ($externalVals.port | int) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $externalVals.advertisedPorts) ))) "r") | int) (0 | int)) -}} +{{- if (eq ((get (fromJson (include "_shims.len" (dict "a" (list $externalVals.advertisedPorts) ))) "r") | int) (1 | int)) -}} +{{- $port = (index $externalVals.advertisedPorts (0 | int)) -}} +{{- else -}} +{{- $port = (index $externalVals.advertisedPorts $replicaIndex) -}} +{{- end -}} +{{- end -}} +{{- $host := (get (fromJson (include "redpanda.advertisedHostJSON" (dict "a" (list $dot $externalName $port $replicaIndex) ))) "r") -}} +{{- $address := (toJson $host) -}} +{{- $prefixTemplate := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $externalVals.prefixTemplate "") ))) "r") -}} +{{- if (eq $prefixTemplate "") -}} +{{- $prefixTemplate = (default "" $values.external.prefixTemplate) -}} +{{- end -}} +{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `PREFIX_TEMPLATE=%s` (quote $prefixTemplate)) (printf `ADVERTISED_%s_ADDRESSES+=(%s)` (upper $listenerName) (quote $address)))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `rpk redpanda config --config "$CONFIG" set %s.advertised_%s_api[%d] "${ADVERTISED_%s_ADDRESSES[$POD_ORDINAL]}"` $redpandaConfigPart $listenerAdvertisedName $externalCounter (upper $listenerName)))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $snippet) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.adminTLSCurlFlags" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $values.listeners.admin.tls $values.tls) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" "") | toJson -}} +{{- break -}} +{{- end -}} +{{- if $values.listeners.admin.tls.requireClientAuth -}} +{{- $path := (printf "/etc/tls/certs/%s-client" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "--cacert %s/ca.crt --cert %s/tls.crt --key %s/tls.key" $path $path $path)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $path := (get (fromJson (include "redpanda.InternalTLS.ServerCAPath" (dict "a" (list $values.listeners.admin.tls $values.tls) ))) "r") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "--cacert %s" $path)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.externalAdvertiseAddress" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $eaa := "${SERVICE_NAME}" -}} +{{- $externalDomainTemplate := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.external.domain "") ))) "r") -}} +{{- $expanded := (tpl $externalDomainTemplate $dot) -}} +{{- if (not (empty $expanded)) -}} +{{- $eaa = (printf "%s.%s" "${SERVICE_NAME}" $expanded) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $eaa) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.advertisedHostJSON" -}} +{{- $dot := (index .a 0) -}} +{{- $externalName := (index .a 1) -}} +{{- $port := (index .a 2) -}} +{{- $replicaIndex := (index .a 3) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $host := (dict "name" $externalName "address" (get (fromJson (include "redpanda.externalAdvertiseAddress" (dict "a" (list $dot) ))) "r") "port" $port ) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.external.addresses) ))) "r") | int) (0 | int)) -}} +{{- $address := "" -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.external.addresses) ))) "r") | int) (1 | int)) -}} +{{- $address = (index $values.external.addresses $replicaIndex) -}} +{{- else -}} +{{- $address = (index $values.external.addresses (0 | int)) -}} +{{- end -}} +{{- $domain_7 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.external.domain "") ))) "r") -}} +{{- if (ne $domain_7 "") -}} +{{- $host = (dict "name" $externalName "address" (printf "%s.%s" $address $domain_7) "port" $port ) -}} +{{- else -}} +{{- $host = (dict "name" $externalName "address" $address "port" $port ) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $host) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.adminInternalHTTPProtocol" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $values.listeners.admin.tls $values.tls) ))) "r") -}} +{{- $_is_returning = true -}} +{{- (dict "r" "https") | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" "http") | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.adminInternalURL" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s://%s.%s.%s.svc.%s:%d" (get (fromJson (include "redpanda.adminInternalHTTPProtocol" (dict "a" (list $dot) ))) "r") `${SERVICE_NAME}` (get (fromJson (include "redpanda.ServiceName" (dict "a" (list $dot) ))) "r") $dot.Release.Namespace (trimSuffix "." $values.clusterDomain) ($values.listeners.admin.port | int))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.5/templates/_service.internal.go.tpl b/charts/redpanda/redpanda/5.9.5/templates/_service.internal.go.tpl new file mode 100644 index 000000000..9c63aac1c --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/_service.internal.go.tpl @@ -0,0 +1,38 @@ +{{- /* Generated from "service_internal.go" */ -}} + +{{- define "redpanda.MonitoringEnabledLabel" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict "monitoring.redpanda.com/enabled" (printf "%t" $values.monitoring.enabled) )) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ServiceInternal" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $ports := (list ) -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "admin" "protocol" "TCP" "appProtocol" $values.listeners.admin.appProtocol "port" ($values.listeners.admin.port | int) "targetPort" ($values.listeners.admin.port | int) )))) -}} +{{- if $values.listeners.http.enabled -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "http" "protocol" "TCP" "port" ($values.listeners.http.port | int) "targetPort" ($values.listeners.http.port | int) )))) -}} +{{- end -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "kafka" "protocol" "TCP" "port" ($values.listeners.kafka.port | int) "targetPort" ($values.listeners.kafka.port | int) )))) -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "rpc" "protocol" "TCP" "port" ($values.listeners.rpc.port | int) "targetPort" ($values.listeners.rpc.port | int) )))) -}} +{{- if $values.listeners.schemaRegistry.enabled -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "schemaregistry" "protocol" "TCP" "port" ($values.listeners.schemaRegistry.port | int) "targetPort" ($values.listeners.schemaRegistry.port | int) )))) -}} +{{- end -}} +{{- $annotations := (dict ) -}} +{{- if (ne $values.service (coalesce nil)) -}} +{{- $annotations = $values.service.internal.annotations -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict "loadBalancer" (dict ) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Service" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.ServiceName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "labels" (merge (dict ) (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.MonitoringEnabledLabel" (dict "a" (list $dot) ))) "r")) "annotations" $annotations )) "spec" (mustMergeOverwrite (dict ) (dict "type" "ClusterIP" "publishNotReadyAddresses" true "clusterIP" "None" "selector" (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") "ports" $ports )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.5/templates/_service.loadbalancer.go.tpl b/charts/redpanda/redpanda/5.9.5/templates/_service.loadbalancer.go.tpl new file mode 100644 index 000000000..dbc754750 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/_service.loadbalancer.go.tpl @@ -0,0 +1,101 @@ +{{- /* Generated from "service.loadbalancer.go" */ -}} + +{{- define "redpanda.LoadBalancerServices" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (or (not $values.external.enabled) (not $values.external.service.enabled)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (ne $values.external.type "LoadBalancer") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $externalDNS := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.external.externalDns (mustMergeOverwrite (dict "enabled" false ) (dict ))) ))) "r") -}} +{{- $labels := (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") -}} +{{- $_ := (set $labels "repdanda.com/type" "loadbalancer") -}} +{{- $selector := (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") -}} +{{- $services := (coalesce nil) -}} +{{- $replicas := ($values.statefulset.replicas | int) -}} +{{- range $_, $i := untilStep (((0 | int) | int)|int) (($values.statefulset.replicas | int)|int) (1|int) -}} +{{- $podname := (printf "%s-%d" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $i) -}} +{{- $annotations := (dict ) -}} +{{- range $k, $v := $values.external.annotations -}} +{{- $_ := (set $annotations $k $v) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- if $externalDNS.enabled -}} +{{- $prefix := $podname -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.external.addresses) ))) "r") | int) ($i | int)) -}} +{{- $prefix = (index $values.external.addresses $i) -}} +{{- end -}} +{{- $address := (printf "%s.%s" $prefix (tpl $values.external.domain $dot)) -}} +{{- $_ := (set $annotations "external-dns.alpha.kubernetes.io/hostname" $address) -}} +{{- end -}} +{{- $podSelector := (dict ) -}} +{{- range $k, $v := $selector -}} +{{- $_ := (set $podSelector $k $v) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_ := (set $podSelector "statefulset.kubernetes.io/pod-name" $podname) -}} +{{- $ports := (coalesce nil) -}} +{{- range $name, $listener := $values.listeners.admin.external -}} +{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.enabled $values.external.enabled) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $fallbackPorts := (concat (default (list ) $listener.advertisedPorts) (list ($values.listeners.admin.port | int))) -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "admin-%s" $name) "protocol" "TCP" "targetPort" ($listener.port | int) "port" ((get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.nodePort (index $fallbackPorts (0 | int))) ))) "r") | int) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $name, $listener := $values.listeners.kafka.external -}} +{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.enabled $values.external.enabled) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $fallbackPorts := (concat (default (list ) $listener.advertisedPorts) (list ($listener.port | int))) -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "kafka-%s" $name) "protocol" "TCP" "targetPort" ($listener.port | int) "port" ((get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.nodePort (index $fallbackPorts (0 | int))) ))) "r") | int) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $name, $listener := $values.listeners.http.external -}} +{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.enabled $values.external.enabled) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $fallbackPorts := (concat (default (list ) $listener.advertisedPorts) (list ($listener.port | int))) -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "http-%s" $name) "protocol" "TCP" "targetPort" ($listener.port | int) "port" ((get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.nodePort (index $fallbackPorts (0 | int))) ))) "r") | int) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $name, $listener := $values.listeners.schemaRegistry.external -}} +{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.enabled $values.external.enabled) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $fallbackPorts := (concat (default (list ) $listener.advertisedPorts) (list ($listener.port | int))) -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "schema-%s" $name) "protocol" "TCP" "targetPort" ($listener.port | int) "port" ((get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.nodePort (index $fallbackPorts (0 | int))) ))) "r") | int) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $svc := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict "loadBalancer" (dict ) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Service" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "lb-%s" $podname) "namespace" $dot.Release.Namespace "labels" $labels "annotations" $annotations )) "spec" (mustMergeOverwrite (dict ) (dict "externalTrafficPolicy" "Local" "loadBalancerSourceRanges" $values.external.sourceRanges "ports" $ports "publishNotReadyAddresses" true "selector" $podSelector "sessionAffinity" "None" "type" "LoadBalancer" )) )) -}} +{{- $services = (concat (default (list ) $services) (list $svc)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $services) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.5/templates/_service.nodeport.go.tpl b/charts/redpanda/redpanda/5.9.5/templates/_service.nodeport.go.tpl new file mode 100644 index 000000000..5bec96af5 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/_service.nodeport.go.tpl @@ -0,0 +1,80 @@ +{{- /* Generated from "service.nodeport.go" */ -}} + +{{- define "redpanda.NodePortService" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (or (not $values.external.enabled) (not $values.external.service.enabled)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (ne $values.external.type "NodePort") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $ports := (coalesce nil) -}} +{{- range $name, $listener := $values.listeners.admin.external -}} +{{- if (not (get (fromJson (include "redpanda.AdminExternal.IsEnabled" (dict "a" (list $listener) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $nodePort := ($listener.port | int) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (0 | int)) -}} +{{- $nodePort = (index $listener.advertisedPorts (0 | int)) -}} +{{- end -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "admin-%s" $name) "protocol" "TCP" "port" ($listener.port | int) "nodePort" $nodePort )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $name, $listener := $values.listeners.kafka.external -}} +{{- if (not (get (fromJson (include "redpanda.KafkaExternal.IsEnabled" (dict "a" (list $listener) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $nodePort := ($listener.port | int) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (0 | int)) -}} +{{- $nodePort = (index $listener.advertisedPorts (0 | int)) -}} +{{- end -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "kafka-%s" $name) "protocol" "TCP" "port" ($listener.port | int) "nodePort" $nodePort )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $name, $listener := $values.listeners.http.external -}} +{{- if (not (get (fromJson (include "redpanda.HTTPExternal.IsEnabled" (dict "a" (list $listener) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $nodePort := ($listener.port | int) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (0 | int)) -}} +{{- $nodePort = (index $listener.advertisedPorts (0 | int)) -}} +{{- end -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "http-%s" $name) "protocol" "TCP" "port" ($listener.port | int) "nodePort" $nodePort )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $name, $listener := $values.listeners.schemaRegistry.external -}} +{{- if (not (get (fromJson (include "redpanda.SchemaRegistryExternal.IsEnabled" (dict "a" (list $listener) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $nodePort := ($listener.port | int) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (0 | int)) -}} +{{- $nodePort = (index $listener.advertisedPorts (0 | int)) -}} +{{- end -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "schema-%s" $name) "protocol" "TCP" "port" ($listener.port | int) "nodePort" $nodePort )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $annotations := $values.external.annotations -}} +{{- if (eq $annotations (coalesce nil)) -}} +{{- $annotations = (dict ) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict "loadBalancer" (dict ) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Service" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-external" (get (fromJson (include "redpanda.ServiceName" (dict "a" (list $dot) ))) "r")) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $annotations )) "spec" (mustMergeOverwrite (dict ) (dict "externalTrafficPolicy" "Local" "ports" $ports "publishNotReadyAddresses" true "selector" (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") "sessionAffinity" "None" "type" "NodePort" )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.5/templates/_serviceaccount.go.tpl b/charts/redpanda/redpanda/5.9.5/templates/_serviceaccount.go.tpl new file mode 100644 index 000000000..9122cbd2a --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/_serviceaccount.go.tpl @@ -0,0 +1,18 @@ +{{- /* Generated from "serviceaccount.go" */ -}} + +{{- define "redpanda.ServiceAccount" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.serviceAccount.create) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "ServiceAccount" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.5/templates/_servicemonitor.go.tpl b/charts/redpanda/redpanda/5.9.5/templates/_servicemonitor.go.tpl new file mode 100644 index 000000000..97d3f3325 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/_servicemonitor.go.tpl @@ -0,0 +1,26 @@ +{{- /* Generated from "servicemonitor.go" */ -}} + +{{- define "redpanda.ServiceMonitor" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.monitoring.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $endpoint := (mustMergeOverwrite (dict ) (dict "interval" $values.monitoring.scrapeInterval "path" "/public_metrics" "port" "admin" "enableHttp2" $values.monitoring.enableHttp2 "scheme" "http" )) -}} +{{- if (or (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $values.listeners.admin.tls $values.tls) ))) "r") (ne $values.monitoring.tlsConfig (coalesce nil))) -}} +{{- $_ := (set $endpoint "scheme" "https") -}} +{{- $_ := (set $endpoint "tlsConfig" $values.monitoring.tlsConfig) -}} +{{- if (eq $endpoint.tlsConfig (coalesce nil)) -}} +{{- $_ := (set $endpoint "tlsConfig" (mustMergeOverwrite (dict "ca" (dict ) "cert" (dict ) ) (mustMergeOverwrite (dict "ca" (dict ) "cert" (dict ) ) (dict "insecureSkipVerify" true )) (dict ))) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "endpoints" (coalesce nil) "selector" (dict ) "namespaceSelector" (dict ) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "monitoring.coreos.com/v1" "kind" "ServiceMonitor" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "labels" (merge (dict ) (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") $values.monitoring.labels) )) "spec" (mustMergeOverwrite (dict "endpoints" (coalesce nil) "selector" (dict ) "namespaceSelector" (dict ) ) (dict "endpoints" (list $endpoint) "selector" (mustMergeOverwrite (dict ) (dict "matchLabels" (dict "monitoring.redpanda.com/enabled" "true" "app.kubernetes.io/name" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/instance" $dot.Release.Name ) )) )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.5/templates/_shims.tpl b/charts/redpanda/redpanda/5.9.5/templates/_shims.tpl new file mode 100644 index 000000000..e3bb40e41 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/_shims.tpl @@ -0,0 +1,289 @@ +{{- /* Generated from "bootstrap.go" */ -}} + +{{- define "_shims.typetest" -}} +{{- $typ := (index .a 0) -}} +{{- $value := (index .a 1) -}} +{{- $zero := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (typeIs $typ $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $zero false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.typeassertion" -}} +{{- $typ := (index .a 0) -}} +{{- $value := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (not (typeIs $typ $value)) -}} +{{- $_ := (fail (printf "expected type of %q got: %T" $typ $value)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $value) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.dicttest" -}} +{{- $m := (index .a 0) -}} +{{- $key := (index .a 1) -}} +{{- $zero := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (hasKey $m $key) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (index $m $key) true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $zero false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.compact" -}} +{{- $args := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $out := (dict ) -}} +{{- range $i, $e := $args -}} +{{- $_ := (set $out (printf "T%d" ((add (1 | int) $i) | int)) $e) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $out) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.deref" -}} +{{- $ptr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq $ptr (coalesce nil)) -}} +{{- $_ := (fail "nil dereference") -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $ptr) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.len" -}} +{{- $m := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq $m (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (0 | int)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (len $m)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.ptr_Deref" -}} +{{- $ptr := (index .a 0) -}} +{{- $def := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne $ptr (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $ptr) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $def) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.ptr_Equal" -}} +{{- $a := (index .a 0) -}} +{{- $b := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (and (eq $a (coalesce nil)) (eq $b (coalesce nil))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" true) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (eq $a $b)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.lookup" -}} +{{- $apiVersion := (index .a 0) -}} +{{- $kind := (index .a 1) -}} +{{- $namespace := (index .a 2) -}} +{{- $name := (index .a 3) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (lookup $apiVersion $kind $namespace $name) -}} +{{- if (empty $result) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (coalesce nil) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $result true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.asnumeric" -}} +{{- $value := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (typeIs "float64" $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (typeIs "int64" $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (typeIs "int" $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (0 | int) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.asintegral" -}} +{{- $value := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (or (typeIs "int64" $value) (typeIs "int" $value)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (and (typeIs "float64" $value) (eq (floor $value) $value)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (0 | int) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.parseResource" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (typeIs "float64" $repr) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (float64 $repr) 1.0)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (not (typeIs "string" $repr)) -}} +{{- $_ := (fail (printf "invalid Quantity expected string or float64 got: %T (%v)" $repr $repr)) -}} +{{- end -}} +{{- if (not (regexMatch `^[0-9]+(\.[0-9]{0,6})?(k|m|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$` $repr)) -}} +{{- $_ := (fail (printf "invalid Quantity: %q" $repr)) -}} +{{- end -}} +{{- $reprStr := (toString $repr) -}} +{{- $unit := (regexFind "(k|m|M|G|T|P|Ki|Mi|Gi|Ti|Pi)$" $repr) -}} +{{- $numeric := (float64 (substr (0 | int) ((sub ((get (fromJson (include "_shims.len" (dict "a" (list $reprStr) ))) "r") | int) ((get (fromJson (include "_shims.len" (dict "a" (list $unit) ))) "r") | int)) | int) $reprStr)) -}} +{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list (dict "" 1.0 "m" 0.001 "k" (1000 | int) "M" (1000000 | int) "G" (1000000000 | int) "T" (1000000000000 | int) "P" (1000000000000000 | int) "Ki" (1024 | int) "Mi" (1048576 | int) "Gi" (1073741824 | int) "Ti" (1099511627776 | int) "Pi" (1125899906842624 | int) ) $unit (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok := $tmp_tuple_1.T2 -}} +{{- $scale := ($tmp_tuple_1.T1 | float64) -}} +{{- if (not $ok) -}} +{{- $_ := (fail (printf "unknown unit: %q" $unit)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $numeric $scale)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.resource_MustParse" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_2 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}} +{{- $scale := ($tmp_tuple_2.T2 | float64) -}} +{{- $numeric := ($tmp_tuple_2.T1 | float64) -}} +{{- $strs := (list "" "m" "k" "M" "G" "T" "P" "Ki" "Mi" "Gi" "Ti" "Pi") -}} +{{- $scales := (list 1.0 0.001 (1000 | int) (1000000 | int) (1000000000 | int) (1000000000000 | int) (1000000000000000 | int) (1024 | int) (1048576 | int) (1073741824 | int) (1099511627776 | int) (1125899906842624 | int)) -}} +{{- $idx := -1 -}} +{{- range $i, $s := $scales -}} +{{- if (eq ($s | float64) ($scale | float64)) -}} +{{- $idx = $i -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- if (eq $idx -1) -}} +{{- $_ := (fail (printf "unknown scale: %v" $scale)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s%s" (toString $numeric) (index $strs $idx))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.resource_Value" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_3 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}} +{{- $scale := ($tmp_tuple_3.T2 | float64) -}} +{{- $numeric := ($tmp_tuple_3.T1 | float64) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (int64 (ceil ((mulf $numeric $scale) | float64)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.resource_MilliValue" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_4 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}} +{{- $scale := ($tmp_tuple_4.T2 | float64) -}} +{{- $numeric := ($tmp_tuple_4.T1 | float64) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (int64 (ceil ((mulf ((mulf $numeric 1000.0) | float64) $scale) | float64)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.render-manifest" -}} +{{- $tpl := (index . 0) -}} +{{- $dot := (index . 1) -}} +{{- $manifests := (get ((include $tpl (dict "a" (list $dot))) | fromJson) "r") -}} +{{- if not (typeIs "[]interface {}" $manifests) -}} +{{- $manifests = (list $manifests) -}} +{{- end -}} +{{- range $_, $manifest := $manifests -}} +{{- if ne $manifest nil }} +--- +{{toYaml (unset (unset $manifest "status") "creationTimestamp")}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/redpanda/redpanda/5.9.5/templates/_statefulset.go.tpl b/charts/redpanda/redpanda/5.9.5/templates/_statefulset.go.tpl new file mode 100644 index 000000000..a084cb9d1 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/_statefulset.go.tpl @@ -0,0 +1,711 @@ +{{- /* Generated from "statefulset.go" */ -}} + +{{- define "redpanda.statefulSetRedpandaEnv" -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "SERVICE_NAME" "valueFrom" (mustMergeOverwrite (dict ) (dict "fieldRef" (mustMergeOverwrite (dict "fieldPath" "" ) (dict "fieldPath" "metadata.name" )) )) )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "POD_IP" "valueFrom" (mustMergeOverwrite (dict ) (dict "fieldRef" (mustMergeOverwrite (dict "fieldPath" "" ) (dict "fieldPath" "status.podIP" )) )) )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "HOST_IP" "valueFrom" (mustMergeOverwrite (dict ) (dict "fieldRef" (mustMergeOverwrite (dict "fieldPath" "" ) (dict "fieldPath" "status.hostIP" )) )) )))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.StatefulSetPodLabelsSelector" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if $dot.Release.IsUpgrade -}} +{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.lookup" (dict "a" (list "apps/v1" "StatefulSet" $dot.Release.Namespace (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) ))) "r")) ))) "r") -}} +{{- $ok_2 := $tmp_tuple_1.T2 -}} +{{- $existing_1 := $tmp_tuple_1.T1 -}} +{{- if (and $ok_2 (gt ((get (fromJson (include "_shims.len" (dict "a" (list $existing_1.spec.selector.matchLabels) ))) "r") | int) (0 | int))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $existing_1.spec.selector.matchLabels) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- $values := $dot.Values.AsMap -}} +{{- $additionalSelectorLabels := (dict ) -}} +{{- if (ne $values.statefulset.additionalSelectorLabels (coalesce nil)) -}} +{{- $additionalSelectorLabels = $values.statefulset.additionalSelectorLabels -}} +{{- end -}} +{{- $component := (printf "%s-statefulset" (trimSuffix "-" (trunc (51 | int) (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r")))) -}} +{{- $defaults := (dict "app.kubernetes.io/component" $component "app.kubernetes.io/instance" $dot.Release.Name "app.kubernetes.io/name" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") ) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) $additionalSelectorLabels $defaults)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.StatefulSetPodLabels" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if $dot.Release.IsUpgrade -}} +{{- $tmp_tuple_2 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.lookup" (dict "a" (list "apps/v1" "StatefulSet" $dot.Release.Namespace (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) ))) "r")) ))) "r") -}} +{{- $ok_4 := $tmp_tuple_2.T2 -}} +{{- $existing_3 := $tmp_tuple_2.T1 -}} +{{- if (and $ok_4 (gt ((get (fromJson (include "_shims.len" (dict "a" (list $existing_3.spec.template.metadata.labels) ))) "r") | int) (0 | int))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $existing_3.spec.template.metadata.labels) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- $values := $dot.Values.AsMap -}} +{{- $statefulSetLabels := (dict ) -}} +{{- if (ne $values.statefulset.podTemplate.labels (coalesce nil)) -}} +{{- $statefulSetLabels = $values.statefulset.podTemplate.labels -}} +{{- end -}} +{{- $defaults := (dict "redpanda.com/poddisruptionbudget" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") ) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) $statefulSetLabels (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") $defaults (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.StatefulSetPodAnnotations" -}} +{{- $dot := (index .a 0) -}} +{{- $configMapChecksum := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $configMapChecksumAnnotation := (dict "config.redpanda.com/checksum" $configMapChecksum ) -}} +{{- if (ne $values.statefulset.podTemplate.annotations (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) $values.statefulset.podTemplate.annotations $configMapChecksumAnnotation)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) $values.statefulset.annotations $configMapChecksumAnnotation)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.StatefulSetVolumes" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $fullname := (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") -}} +{{- $volumes := (get (fromJson (include "redpanda.CommonVolumes" (dict "a" (list $dot) ))) "r") -}} +{{- $values := $dot.Values.AsMap -}} +{{- $volumes = (concat (default (list ) $volumes) (default (list ) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" (printf "%.50s-sts-lifecycle" $fullname) "defaultMode" (0o775 | int) )) )) (dict "name" "lifecycle-scripts" )) (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "configMap" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" $fullname )) (dict )) )) (dict "name" $fullname )) (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "emptyDir" (mustMergeOverwrite (dict ) (dict )) )) (dict "name" "config" )) (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" (printf "%.51s-configurator" $fullname) "defaultMode" (0o775 | int) )) )) (dict "name" (printf "%.51s-configurator" $fullname) )) (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" (printf "%s-config-watcher" $fullname) "defaultMode" (0o775 | int) )) )) (dict "name" (printf "%s-config-watcher" $fullname) ))))) -}} +{{- if $values.statefulset.initContainers.fsValidator.enabled -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" (printf "%.49s-fs-validator" $fullname) "defaultMode" (0o775 | int) )) )) (dict "name" (printf "%.49s-fs-validator" $fullname) )))) -}} +{{- end -}} +{{- $vol_5 := (get (fromJson (include "redpanda.Listeners.TrustStoreVolume" (dict "a" (list $values.listeners $values.tls) ))) "r") -}} +{{- if (ne $vol_5 (coalesce nil)) -}} +{{- $volumes = (concat (default (list ) $volumes) (list $vol_5)) -}} +{{- end -}} +{{- $volumes = (concat (default (list ) $volumes) (default (list ) (get (fromJson (include "redpanda.templateToVolumes" (dict "a" (list $dot $values.statefulset.extraVolumes) ))) "r"))) -}} +{{- $volumes = (concat (default (list ) $volumes) (list (get (fromJson (include "redpanda.statefulSetVolumeDataDir" (dict "a" (list $dot) ))) "r"))) -}} +{{- $v_6 := (get (fromJson (include "redpanda.statefulSetVolumeTieredStorageDir" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne $v_6 (coalesce nil)) -}} +{{- $volumes = (concat (default (list ) $volumes) (list $v_6)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $volumes) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetVolumeDataDir" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $datadirSource := (mustMergeOverwrite (dict ) (dict "emptyDir" (mustMergeOverwrite (dict ) (dict )) )) -}} +{{- if $values.storage.persistentVolume.enabled -}} +{{- $datadirSource = (mustMergeOverwrite (dict ) (dict "persistentVolumeClaim" (mustMergeOverwrite (dict "claimName" "" ) (dict "claimName" "datadir" )) )) -}} +{{- else -}}{{- if (ne $values.storage.hostPath "") -}} +{{- $datadirSource = (mustMergeOverwrite (dict ) (dict "hostPath" (mustMergeOverwrite (dict "path" "" ) (dict "path" $values.storage.hostPath )) )) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" ) $datadirSource (dict "name" "datadir" ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetVolumeTieredStorageDir" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not (get (fromJson (include "redpanda.Storage.IsTieredStorageEnabled" (dict "a" (list $values.storage) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $tieredType := (get (fromJson (include "redpanda.Storage.TieredMountType" (dict "a" (list $values.storage) ))) "r") -}} +{{- if (or (eq $tieredType "none") (eq $tieredType "persistentVolume")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (eq $tieredType "hostPath") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "hostPath" (mustMergeOverwrite (dict "path" "" ) (dict "path" (get (fromJson (include "redpanda.Storage.GetTieredStorageHostPath" (dict "a" (list $values.storage) ))) "r") )) )) (dict "name" "tiered-storage-dir" ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "emptyDir" (mustMergeOverwrite (dict ) (dict "sizeLimit" (get (fromJson (include "redpanda.Storage.CloudStorageCacheSize" (dict "a" (list $values.storage) ))) "r") )) )) (dict "name" "tiered-storage-dir" ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.StatefulSetVolumeMounts" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $mounts := (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r") -}} +{{- $values := $dot.Values.AsMap -}} +{{- $mounts = (concat (default (list ) $mounts) (default (list ) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "config" "mountPath" "/etc/redpanda" )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "mountPath" "/tmp/base-config" )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "lifecycle-scripts" "mountPath" "/var/lifecycle" )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "datadir" "mountPath" "/var/lib/redpanda/data" ))))) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list (get (fromJson (include "redpanda.Listeners.TrustStores" (dict "a" (list $values.listeners $values.tls) ))) "r")) ))) "r") | int) (0 | int)) -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "truststores" "mountPath" "/etc/truststores" "readOnly" true )))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $mounts) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.StatefulSetInitContainers" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $containers := (coalesce nil) -}} +{{- $c_7 := (get (fromJson (include "redpanda.statefulSetInitContainerTuning" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne $c_7 (coalesce nil)) -}} +{{- $containers = (concat (default (list ) $containers) (list $c_7)) -}} +{{- end -}} +{{- $c_8 := (get (fromJson (include "redpanda.statefulSetInitContainerSetDataDirOwnership" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne $c_8 (coalesce nil)) -}} +{{- $containers = (concat (default (list ) $containers) (list $c_8)) -}} +{{- end -}} +{{- $c_9 := (get (fromJson (include "redpanda.statefulSetInitContainerFSValidator" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne $c_9 (coalesce nil)) -}} +{{- $containers = (concat (default (list ) $containers) (list $c_9)) -}} +{{- end -}} +{{- $c_10 := (get (fromJson (include "redpanda.statefulSetInitContainerSetTieredStorageCacheDirOwnership" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne $c_10 (coalesce nil)) -}} +{{- $containers = (concat (default (list ) $containers) (list $c_10)) -}} +{{- end -}} +{{- $containers = (concat (default (list ) $containers) (list (get (fromJson (include "redpanda.statefulSetInitContainerConfigurator" (dict "a" (list $dot) ))) "r"))) -}} +{{- $containers = (concat (default (list ) $containers) (default (list ) (get (fromJson (include "redpanda.templateToContainers" (dict "a" (list $dot $values.statefulset.initContainers.extraInitContainers) ))) "r"))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $containers) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetInitContainerTuning" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.tuning.tune_aio_events) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "tuning" "image" (printf "%s:%s" $values.image.repository (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")) "command" (list `/bin/bash` `-c` `rpk redpanda tune all`) "securityContext" (mustMergeOverwrite (dict ) (dict "capabilities" (mustMergeOverwrite (dict ) (dict "add" (list `SYS_RESOURCE`) )) "privileged" true "runAsUser" ((0 | int64) | int64) "runAsGroup" ((0 | int64) | int64) )) "volumeMounts" (concat (default (list ) (concat (default (list ) (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r")) (default (list ) (get (fromJson (include "redpanda.templateToVolumeMounts" (dict "a" (list $dot $values.statefulset.initContainers.tuning.extraVolumeMounts) ))) "r")))) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "mountPath" "/etc/redpanda" )))) "resources" $values.statefulset.initContainers.tuning.resources ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetInitContainerSetDataDirOwnership" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.statefulset.initContainers.setDataDirOwnership.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $tmp_tuple_3 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "redpanda.securityContextUidGid" (dict "a" (list $dot "set-datadir-ownership") ))) "r")) ))) "r") -}} +{{- $gid := ($tmp_tuple_3.T2 | int64) -}} +{{- $uid := ($tmp_tuple_3.T1 | int64) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "set-datadir-ownership" "image" (printf "%s:%s" $values.statefulset.initContainerImage.repository $values.statefulset.initContainerImage.tag) "command" (list `/bin/sh` `-c` (printf `chown %d:%d -R /var/lib/redpanda/data` $uid $gid)) "volumeMounts" (concat (default (list ) (concat (default (list ) (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r")) (default (list ) (get (fromJson (include "redpanda.templateToVolumeMounts" (dict "a" (list $dot $values.statefulset.initContainers.setDataDirOwnership.extraVolumeMounts) ))) "r")))) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" `datadir` "mountPath" `/var/lib/redpanda/data` )))) "resources" $values.statefulset.initContainers.setDataDirOwnership.resources ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.securityContextUidGid" -}} +{{- $dot := (index .a 0) -}} +{{- $containerName := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $uid := $values.statefulset.securityContext.runAsUser -}} +{{- if (and (ne $values.statefulset.podSecurityContext (coalesce nil)) (ne $values.statefulset.podSecurityContext.runAsUser (coalesce nil))) -}} +{{- $uid = $values.statefulset.podSecurityContext.runAsUser -}} +{{- end -}} +{{- if (eq $uid (coalesce nil)) -}} +{{- $_ := (fail (printf `%s container requires runAsUser to be specified` $containerName)) -}} +{{- end -}} +{{- $gid := $values.statefulset.securityContext.fsGroup -}} +{{- if (and (ne $values.statefulset.podSecurityContext (coalesce nil)) (ne $values.statefulset.podSecurityContext.fsGroup (coalesce nil))) -}} +{{- $gid = $values.statefulset.podSecurityContext.fsGroup -}} +{{- end -}} +{{- if (eq $gid (coalesce nil)) -}} +{{- $_ := (fail (printf `%s container requires fsGroup to be specified` $containerName)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $uid $gid)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetInitContainerFSValidator" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.statefulset.initContainers.fsValidator.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "fs-validator" "image" (printf "%s:%s" $values.image.repository (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")) "command" (list `/bin/sh`) "args" (list `-c` (printf `trap "exit 0" TERM; exec /etc/secrets/fs-validator/scripts/fsValidator.sh %s & wait $!` $values.statefulset.initContainers.fsValidator.expectedFS)) "securityContext" (get (fromJson (include "redpanda.ContainerSecurityContext" (dict "a" (list $dot) ))) "r") "volumeMounts" (concat (default (list ) (concat (default (list ) (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r")) (default (list ) (get (fromJson (include "redpanda.templateToVolumeMounts" (dict "a" (list $dot $values.statefulset.initContainers.fsValidator.extraVolumeMounts) ))) "r")))) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (printf `%.49s-fs-validator` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "mountPath" `/etc/secrets/fs-validator/scripts/` )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" `datadir` "mountPath" `/var/lib/redpanda/data` )))) "resources" $values.statefulset.initContainers.fsValidator.resources ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetInitContainerSetTieredStorageCacheDirOwnership" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not (get (fromJson (include "redpanda.Storage.IsTieredStorageEnabled" (dict "a" (list $values.storage) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $tmp_tuple_4 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "redpanda.securityContextUidGid" (dict "a" (list $dot "set-tiered-storage-cache-dir-ownership") ))) "r")) ))) "r") -}} +{{- $gid := ($tmp_tuple_4.T2 | int64) -}} +{{- $uid := ($tmp_tuple_4.T1 | int64) -}} +{{- $cacheDir := (get (fromJson (include "redpanda.Storage.TieredCacheDirectory" (dict "a" (list $values.storage $dot) ))) "r") -}} +{{- $mounts := (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r") -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "datadir" "mountPath" "/var/lib/redpanda/data" )))) -}} +{{- if (ne (get (fromJson (include "redpanda.Storage.TieredMountType" (dict "a" (list $values.storage) ))) "r") "none") -}} +{{- $name := "tiered-storage-dir" -}} +{{- if (and (ne $values.storage.persistentVolume (coalesce nil)) (ne $values.storage.persistentVolume.nameOverwrite "")) -}} +{{- $name = $values.storage.persistentVolume.nameOverwrite -}} +{{- end -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" $name "mountPath" $cacheDir )))) -}} +{{- end -}} +{{- $mounts = (concat (default (list ) $mounts) (default (list ) (get (fromJson (include "redpanda.templateToVolumeMounts" (dict "a" (list $dot $values.statefulset.initContainers.setTieredStorageCacheDirOwnership.extraVolumeMounts) ))) "r"))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" `set-tiered-storage-cache-dir-ownership` "image" (printf `%s:%s` $values.statefulset.initContainerImage.repository $values.statefulset.initContainerImage.tag) "command" (list `/bin/sh` `-c` (printf `mkdir -p %s; chown %d:%d -R %s` $cacheDir $uid $gid $cacheDir)) "volumeMounts" $mounts "resources" $values.statefulset.initContainers.setTieredStorageCacheDirOwnership.resources ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetInitContainerConfigurator" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" (printf `%.51s-configurator` (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r")) "image" (printf `%s:%s` $values.image.repository (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")) "command" (list `/bin/bash` `-c` `trap "exit 0" TERM; exec $CONFIGURATOR_SCRIPT "${SERVICE_NAME}" "${KUBERNETES_NODE_NAME}" & wait $!`) "env" (get (fromJson (include "redpanda.rpkEnvVars" (dict "a" (list $dot (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONFIGURATOR_SCRIPT" "value" "/etc/secrets/configurator/scripts/configurator.sh" )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "SERVICE_NAME" "valueFrom" (mustMergeOverwrite (dict ) (dict "fieldRef" (mustMergeOverwrite (dict "fieldPath" "" ) (dict "fieldPath" "metadata.name" )) "resourceFieldRef" (coalesce nil) "configMapKeyRef" (coalesce nil) "secretKeyRef" (coalesce nil) )) )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "KUBERNETES_NODE_NAME" "valueFrom" (mustMergeOverwrite (dict ) (dict "fieldRef" (mustMergeOverwrite (dict "fieldPath" "" ) (dict "fieldPath" "spec.nodeName" )) )) )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "HOST_IP_ADDRESS" "valueFrom" (mustMergeOverwrite (dict ) (dict "fieldRef" (mustMergeOverwrite (dict "fieldPath" "" ) (dict "apiVersion" "v1" "fieldPath" "status.hostIP" )) )) )))) ))) "r") "securityContext" (get (fromJson (include "redpanda.ContainerSecurityContext" (dict "a" (list $dot) ))) "r") "volumeMounts" (concat (default (list ) (concat (default (list ) (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r")) (default (list ) (get (fromJson (include "redpanda.templateToVolumeMounts" (dict "a" (list $dot $values.statefulset.initContainers.configurator.extraVolumeMounts) ))) "r")))) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "config" "mountPath" "/etc/redpanda" )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "mountPath" "/tmp/base-config" )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (printf `%.51s-configurator` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "mountPath" "/etc/secrets/configurator/scripts/" )))) "resources" $values.statefulset.initContainers.configurator.resources ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.StatefulSetContainers" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $containers := (coalesce nil) -}} +{{- $containers = (concat (default (list ) $containers) (list (get (fromJson (include "redpanda.statefulSetContainerRedpanda" (dict "a" (list $dot) ))) "r"))) -}} +{{- $c_11 := (get (fromJson (include "redpanda.statefulSetContainerConfigWatcher" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne $c_11 (coalesce nil)) -}} +{{- $containers = (concat (default (list ) $containers) (list $c_11)) -}} +{{- end -}} +{{- $c_12 := (get (fromJson (include "redpanda.statefulSetContainerControllers" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne $c_12 (coalesce nil)) -}} +{{- $containers = (concat (default (list ) $containers) (list $c_12)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $containers) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetContainerRedpanda" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $internalAdvertiseAddress := (printf "%s.%s" "$(SERVICE_NAME)" (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r")) -}} +{{- $container := (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") "image" (printf `%s:%s` $values.image.repository (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")) "env" (get (fromJson (include "redpanda.bootstrapEnvVars" (dict "a" (list $dot (get (fromJson (include "redpanda.statefulSetRedpandaEnv" (dict "a" (list ) ))) "r")) ))) "r") "lifecycle" (mustMergeOverwrite (dict ) (dict "postStart" (mustMergeOverwrite (dict ) (dict "exec" (mustMergeOverwrite (dict ) (dict "command" (list `/bin/bash` `-c` (join "\n" (list (printf `timeout -v %d bash -x /var/lifecycle/postStart.sh` ((div ($values.statefulset.terminationGracePeriodSeconds | int64) (2 | int64)) | int64)) `true` ``))) )) )) "preStop" (mustMergeOverwrite (dict ) (dict "exec" (mustMergeOverwrite (dict ) (dict "command" (list `/bin/bash` `-c` (join "\n" (list (printf `timeout -v %d bash -x /var/lifecycle/preStop.sh` ((div ($values.statefulset.terminationGracePeriodSeconds | int64) (2 | int64)) | int64)) `true # do not fail and cause the pod to terminate` ``))) )) )) )) "startupProbe" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "exec" (mustMergeOverwrite (dict ) (dict "command" (list `/bin/sh` `-c` (join "\n" (list `set -e` (printf `RESULT=$(curl --silent --fail -k -m 5 %s "%s://%s/v1/status/ready")` (get (fromJson (include "redpanda.adminTLSCurlFlags" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.adminInternalHTTPProtocol" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.adminApiURLs" (dict "a" (list $dot) ))) "r")) `echo $RESULT` `echo $RESULT | grep ready` ``))) )) )) (dict "initialDelaySeconds" ($values.statefulset.startupProbe.initialDelaySeconds | int) "periodSeconds" ($values.statefulset.startupProbe.periodSeconds | int) "failureThreshold" ($values.statefulset.startupProbe.failureThreshold | int) )) "livenessProbe" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "exec" (mustMergeOverwrite (dict ) (dict "command" (list `/bin/sh` `-c` (printf `curl --silent --fail -k -m 5 %s "%s://%s/v1/status/ready"` (get (fromJson (include "redpanda.adminTLSCurlFlags" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.adminInternalHTTPProtocol" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.adminApiURLs" (dict "a" (list $dot) ))) "r"))) )) )) (dict "initialDelaySeconds" ($values.statefulset.livenessProbe.initialDelaySeconds | int) "periodSeconds" ($values.statefulset.livenessProbe.periodSeconds | int) "failureThreshold" ($values.statefulset.livenessProbe.failureThreshold | int) )) "command" (list `rpk` `redpanda` `start` (printf `--advertise-rpc-addr=%s:%d` $internalAdvertiseAddress ($values.listeners.rpc.port | int))) "volumeMounts" (concat (default (list ) (get (fromJson (include "redpanda.StatefulSetVolumeMounts" (dict "a" (list $dot) ))) "r")) (default (list ) (get (fromJson (include "redpanda.templateToVolumeMounts" (dict "a" (list $dot $values.statefulset.extraVolumeMounts) ))) "r"))) "securityContext" (get (fromJson (include "redpanda.ContainerSecurityContext" (dict "a" (list $dot) ))) "r") "resources" (mustMergeOverwrite (dict ) (dict )) )) -}} +{{- if (not (get (fromJson (include "_shims.typeassertion" (dict "a" (list "bool" (dig `recovery_mode_enabled` false $values.config.node)) ))) "r")) -}} +{{- $_ := (set $container "readinessProbe" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "exec" (mustMergeOverwrite (dict ) (dict "command" (list `/bin/sh` `-c` (join "\n" (list `set -x` `RESULT=$(rpk cluster health)` `echo $RESULT` `echo $RESULT | grep 'Healthy:.*true'` ``))) )) )) (dict "initialDelaySeconds" ($values.statefulset.readinessProbe.initialDelaySeconds | int) "timeoutSeconds" ($values.statefulset.readinessProbe.timeoutSeconds | int) "periodSeconds" ($values.statefulset.readinessProbe.periodSeconds | int) "successThreshold" ($values.statefulset.readinessProbe.successThreshold | int) "failureThreshold" ($values.statefulset.readinessProbe.failureThreshold | int) ))) -}} +{{- end -}} +{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" "admin" "containerPort" ($values.listeners.admin.port | int) ))))) -}} +{{- range $externalName, $external := $values.listeners.admin.external -}} +{{- if (get (fromJson (include "redpanda.AdminExternal.IsEnabled" (dict "a" (list $external) ))) "r") -}} +{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" (printf "admin-%.8s" (lower $externalName)) "containerPort" ($external.port | int) ))))) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" "http" "containerPort" ($values.listeners.http.port | int) ))))) -}} +{{- range $externalName, $external := $values.listeners.http.external -}} +{{- if (get (fromJson (include "redpanda.HTTPExternal.IsEnabled" (dict "a" (list $external) ))) "r") -}} +{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" (printf "http-%.8s" (lower $externalName)) "containerPort" ($external.port | int) ))))) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" "kafka" "containerPort" ($values.listeners.kafka.port | int) ))))) -}} +{{- range $externalName, $external := $values.listeners.kafka.external -}} +{{- if (get (fromJson (include "redpanda.KafkaExternal.IsEnabled" (dict "a" (list $external) ))) "r") -}} +{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" (printf "kafka-%.8s" (lower $externalName)) "containerPort" ($external.port | int) ))))) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" "rpc" "containerPort" ($values.listeners.rpc.port | int) ))))) -}} +{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" "schemaregistry" "containerPort" ($values.listeners.schemaRegistry.port | int) ))))) -}} +{{- range $externalName, $external := $values.listeners.schemaRegistry.external -}} +{{- if (get (fromJson (include "redpanda.SchemaRegistryExternal.IsEnabled" (dict "a" (list $external) ))) "r") -}} +{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" (printf "schema-%.8s" (lower $externalName)) "containerPort" ($external.port | int) ))))) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- if (and (get (fromJson (include "redpanda.Storage.IsTieredStorageEnabled" (dict "a" (list $values.storage) ))) "r") (ne (get (fromJson (include "redpanda.Storage.TieredMountType" (dict "a" (list $values.storage) ))) "r") "none")) -}} +{{- $name := "tiered-storage-dir" -}} +{{- if (and (ne $values.storage.persistentVolume (coalesce nil)) (ne $values.storage.persistentVolume.nameOverwrite "")) -}} +{{- $name = $values.storage.persistentVolume.nameOverwrite -}} +{{- end -}} +{{- $_ := (set $container "volumeMounts" (concat (default (list ) $container.volumeMounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" $name "mountPath" (get (fromJson (include "redpanda.Storage.TieredCacheDirectory" (dict "a" (list $values.storage $dot) ))) "r") ))))) -}} +{{- end -}} +{{- $_ := (set $container.resources "limits" (dict "cpu" $values.resources.cpu.cores "memory" $values.resources.memory.container.max )) -}} +{{- if (ne $values.resources.memory.container.min (coalesce nil)) -}} +{{- $_ := (set $container.resources "requests" (dict "cpu" $values.resources.cpu.cores "memory" $values.resources.memory.container.min )) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $container) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.adminApiURLs" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf `${SERVICE_NAME}.%s:%d` (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r") ($values.listeners.admin.port | int))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetContainerConfigWatcher" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.statefulset.sideCars.configWatcher.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "config-watcher" "image" (printf `%s:%s` $values.image.repository (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")) "command" (list `/bin/sh`) "args" (list `-c` `trap "exit 0" TERM; exec /etc/secrets/config-watcher/scripts/sasl-user.sh & wait $!`) "env" (get (fromJson (include "redpanda.rpkEnvVars" (dict "a" (list $dot (coalesce nil)) ))) "r") "resources" $values.statefulset.sideCars.configWatcher.resources "securityContext" $values.statefulset.sideCars.configWatcher.securityContext "volumeMounts" (concat (default (list ) (concat (default (list ) (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r")) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "config" "mountPath" "/etc/redpanda" )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (printf `%s-config-watcher` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "mountPath" "/etc/secrets/config-watcher/scripts" ))))) (default (list ) (get (fromJson (include "redpanda.templateToVolumeMounts" (dict "a" (list $dot $values.statefulset.sideCars.configWatcher.extraVolumeMounts) ))) "r"))) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetContainerControllers" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (or (not $values.rbac.enabled) (not $values.statefulset.sideCars.controllers.enabled)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "redpanda-controllers" "image" (printf `%s:%s` $values.statefulset.sideCars.controllers.image.repository $values.statefulset.sideCars.controllers.image.tag) "command" (list `/manager`) "args" (list `--operator-mode=false` (printf `--namespace=%s` $dot.Release.Namespace) (printf `--health-probe-bind-address=%s` $values.statefulset.sideCars.controllers.healthProbeAddress) (printf `--metrics-bind-address=%s` $values.statefulset.sideCars.controllers.metricsAddress) (printf `--additional-controllers=%s` (join "," $values.statefulset.sideCars.controllers.run))) "env" (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_HELM_RELEASE_NAME" "value" $dot.Release.Name ))) "resources" $values.statefulset.sideCars.controllers.resources "securityContext" $values.statefulset.sideCars.controllers.securityContext ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.rpkEnvVars" -}} +{{- $dot := (index .a 0) -}} +{{- $envVars := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (and (ne $values.auth.sasl (coalesce nil)) $values.auth.sasl.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) $envVars) (default (list ) (get (fromJson (include "redpanda.BootstrapUser.RpkEnvironment" (dict "a" (list $values.auth.sasl.bootstrapUser (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) ))) "r")))) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $envVars) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.bootstrapEnvVars" -}} +{{- $dot := (index .a 0) -}} +{{- $envVars := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (and (ne $values.auth.sasl (coalesce nil)) $values.auth.sasl.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) $envVars) (default (list ) (get (fromJson (include "redpanda.BootstrapUser.BootstrapEnvironment" (dict "a" (list $values.auth.sasl.bootstrapUser (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) ))) "r")))) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $envVars) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.templateToVolumeMounts" -}} +{{- $dot := (index .a 0) -}} +{{- $template := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (tpl $template $dot) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (fromYamlArray $result)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.templateToVolumes" -}} +{{- $dot := (index .a 0) -}} +{{- $template := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (tpl $template $dot) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (fromYamlArray $result)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.templateToContainers" -}} +{{- $dot := (index .a 0) -}} +{{- $template := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (tpl $template $dot) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (fromYamlArray $result)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.StatefulSet" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (and (not (get (fromJson (include "redpanda.RedpandaAtLeast_22_2_0" (dict "a" (list $dot) ))) "r")) (not $values.force)) -}} +{{- $sv := (get (fromJson (include "redpanda.semver" (dict "a" (list $dot) ))) "r") -}} +{{- $_ := (fail (printf "Error: The Redpanda version (%s) is no longer supported \nTo accept this risk, run the upgrade again adding `--force=true`\n" $sv)) -}} +{{- end -}} +{{- $ss := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "selector" (coalesce nil) "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) "serviceName" "" "updateStrategy" (dict ) ) "status" (dict "replicas" 0 "availableReplicas" 0 ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "apps/v1" "kind" "StatefulSet" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict "selector" (coalesce nil) "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) "serviceName" "" "updateStrategy" (dict ) ) (dict "selector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") )) "serviceName" (get (fromJson (include "redpanda.ServiceName" (dict "a" (list $dot) ))) "r") "replicas" ($values.statefulset.replicas | int) "updateStrategy" $values.statefulset.updateStrategy "podManagementPolicy" "Parallel" "template" (get (fromJson (include "redpanda.StrategicMergePatch" (dict "a" (list $values.statefulset.podTemplate (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "labels" (get (fromJson (include "redpanda.StatefulSetPodLabels" (dict "a" (list $dot) ))) "r") "annotations" (get (fromJson (include "redpanda.StatefulSetPodAnnotations" (dict "a" (list $dot (get (fromJson (include "redpanda.statefulSetChecksumAnnotation" (dict "a" (list $dot) ))) "r")) ))) "r") )) "spec" (mustMergeOverwrite (dict "containers" (coalesce nil) ) (dict "terminationGracePeriodSeconds" ($values.statefulset.terminationGracePeriodSeconds | int64) "securityContext" (get (fromJson (include "redpanda.PodSecurityContext" (dict "a" (list $dot) ))) "r") "serviceAccountName" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") "imagePullSecrets" (default (coalesce nil) $values.imagePullSecrets) "initContainers" (get (fromJson (include "redpanda.StatefulSetInitContainers" (dict "a" (list $dot) ))) "r") "containers" (get (fromJson (include "redpanda.StatefulSetContainers" (dict "a" (list $dot) ))) "r") "volumes" (get (fromJson (include "redpanda.StatefulSetVolumes" (dict "a" (list $dot) ))) "r") "topologySpreadConstraints" (get (fromJson (include "redpanda.statefulSetTopologySpreadConstraints" (dict "a" (list $dot) ))) "r") "nodeSelector" (get (fromJson (include "redpanda.statefulSetNodeSelectors" (dict "a" (list $dot) ))) "r") "affinity" (get (fromJson (include "redpanda.statefulSetAffinity" (dict "a" (list $dot) ))) "r") "priorityClassName" $values.statefulset.priorityClassName "tolerations" (get (fromJson (include "redpanda.statefulSetTolerations" (dict "a" (list $dot) ))) "r") )) ))) ))) "r") "volumeClaimTemplates" (coalesce nil) )) )) -}} +{{- if (or $values.storage.persistentVolume.enabled ((and (get (fromJson (include "redpanda.Storage.IsTieredStorageEnabled" (dict "a" (list $values.storage) ))) "r") (eq (get (fromJson (include "redpanda.Storage.TieredMountType" (dict "a" (list $values.storage) ))) "r") "persistentVolume")))) -}} +{{- $t_13 := (get (fromJson (include "redpanda.volumeClaimTemplateDatadir" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne $t_13 (coalesce nil)) -}} +{{- $_ := (set $ss.spec "volumeClaimTemplates" (concat (default (list ) $ss.spec.volumeClaimTemplates) (list $t_13))) -}} +{{- end -}} +{{- $t_14 := (get (fromJson (include "redpanda.volumeClaimTemplateTieredStorageDir" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne $t_14 (coalesce nil)) -}} +{{- $_ := (set $ss.spec "volumeClaimTemplates" (concat (default (list ) $ss.spec.volumeClaimTemplates) (list $t_14))) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $ss) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.semver" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (trimPrefix "v" (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetChecksumAnnotation" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $dependencies := (coalesce nil) -}} +{{- $dependencies = (concat (default (list ) $dependencies) (list (get (fromJson (include "redpanda.RedpandaConfigFile" (dict "a" (list $dot false) ))) "r"))) -}} +{{- if $values.external.enabled -}} +{{- $dependencies = (concat (default (list ) $dependencies) (list (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.external.domain "") ))) "r"))) -}} +{{- if (empty $values.external.addresses) -}} +{{- $dependencies = (concat (default (list ) $dependencies) (list "")) -}} +{{- else -}} +{{- $dependencies = (concat (default (list ) $dependencies) (list $values.external.addresses)) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (sha256sum (toJson $dependencies))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetTolerations" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (default $values.tolerations $values.statefulset.tolerations)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetNodeSelectors" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (default $values.statefulset.nodeSelector $values.nodeSelector)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetAffinity" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $affinity := (mustMergeOverwrite (dict ) (dict )) -}} +{{- if (not (empty $values.statefulset.nodeAffinity)) -}} +{{- $_ := (set $affinity "nodeAffinity" $values.statefulset.nodeAffinity) -}} +{{- else -}}{{- if (not (empty $values.affinity.nodeAffinity)) -}} +{{- $_ := (set $affinity "nodeAffinity" $values.affinity.nodeAffinity) -}} +{{- end -}} +{{- end -}} +{{- if (not (empty $values.statefulset.podAffinity)) -}} +{{- $_ := (set $affinity "podAffinity" $values.statefulset.podAffinity) -}} +{{- else -}}{{- if (not (empty $values.affinity.podAffinity)) -}} +{{- $_ := (set $affinity "podAffinity" $values.affinity.podAffinity) -}} +{{- end -}} +{{- end -}} +{{- if (not (empty $values.statefulset.podAntiAffinity)) -}} +{{- $_ := (set $affinity "podAntiAffinity" (mustMergeOverwrite (dict ) (dict ))) -}} +{{- if (eq $values.statefulset.podAntiAffinity.type "hard") -}} +{{- $_ := (set $affinity.podAntiAffinity "requiredDuringSchedulingIgnoredDuringExecution" (list (mustMergeOverwrite (dict "topologyKey" "" ) (dict "topologyKey" $values.statefulset.podAntiAffinity.topologyKey "labelSelector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") )) )))) -}} +{{- else -}}{{- if (eq $values.statefulset.podAntiAffinity.type "soft") -}} +{{- $_ := (set $affinity.podAntiAffinity "preferredDuringSchedulingIgnoredDuringExecution" (list (mustMergeOverwrite (dict "weight" 0 "podAffinityTerm" (dict "topologyKey" "" ) ) (dict "weight" ($values.statefulset.podAntiAffinity.weight | int) "podAffinityTerm" (mustMergeOverwrite (dict "topologyKey" "" ) (dict "topologyKey" $values.statefulset.podAntiAffinity.topologyKey "labelSelector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") )) )) )))) -}} +{{- else -}}{{- if (eq $values.statefulset.podAntiAffinity.type "custom") -}} +{{- $_ := (set $affinity "podAntiAffinity" $values.statefulset.podAntiAffinity.custom) -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- else -}}{{- if (not (empty $values.affinity.podAntiAffinity)) -}} +{{- $_ := (set $affinity "podAntiAffinity" $values.affinity.podAntiAffinity) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $affinity) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.volumeClaimTemplateDatadir" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.storage.persistentVolume.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $pvc := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "resources" (dict ) ) "status" (dict ) ) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" "datadir" "labels" (merge (dict ) (dict `app.kubernetes.io/name` (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") `app.kubernetes.io/instance` $dot.Release.Name `app.kubernetes.io/component` (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") ) $values.storage.persistentVolume.labels $values.commonLabels) "annotations" (default (coalesce nil) $values.storage.persistentVolume.annotations) )) "spec" (mustMergeOverwrite (dict "resources" (dict ) ) (dict "accessModes" (list "ReadWriteOnce") "resources" (mustMergeOverwrite (dict ) (dict "requests" (dict "storage" $values.storage.persistentVolume.size ) )) )) )) -}} +{{- if (not (empty $values.storage.persistentVolume.storageClass)) -}} +{{- if (eq $values.storage.persistentVolume.storageClass "-") -}} +{{- $_ := (set $pvc.spec "storageClassName" "") -}} +{{- else -}} +{{- $_ := (set $pvc.spec "storageClassName" $values.storage.persistentVolume.storageClass) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $pvc) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.volumeClaimTemplateTieredStorageDir" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (or (not (get (fromJson (include "redpanda.Storage.IsTieredStorageEnabled" (dict "a" (list $values.storage) ))) "r")) (ne (get (fromJson (include "redpanda.Storage.TieredMountType" (dict "a" (list $values.storage) ))) "r") "persistentVolume")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $pvc := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "resources" (dict ) ) "status" (dict ) ) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (default "tiered-storage-dir" $values.storage.persistentVolume.nameOverwrite) "labels" (merge (dict ) (dict `app.kubernetes.io/name` (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") `app.kubernetes.io/instance` $dot.Release.Name `app.kubernetes.io/component` (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") ) (get (fromJson (include "redpanda.Storage.TieredPersistentVolumeLabels" (dict "a" (list $values.storage) ))) "r") $values.commonLabels) "annotations" (default (coalesce nil) (get (fromJson (include "redpanda.Storage.TieredPersistentVolumeAnnotations" (dict "a" (list $values.storage) ))) "r")) )) "spec" (mustMergeOverwrite (dict "resources" (dict ) ) (dict "accessModes" (list "ReadWriteOnce") "resources" (mustMergeOverwrite (dict ) (dict "requests" (dict "storage" (index (get (fromJson (include "redpanda.Storage.GetTieredStorageConfig" (dict "a" (list $values.storage) ))) "r") `cloud_storage_cache_size`) ) )) )) )) -}} +{{- $sc_15 := (get (fromJson (include "redpanda.Storage.TieredPersistentVolumeStorageClass" (dict "a" (list $values.storage) ))) "r") -}} +{{- if (eq $sc_15 "-") -}} +{{- $_ := (set $pvc.spec "storageClassName" "") -}} +{{- else -}}{{- if (not (empty $sc_15)) -}} +{{- $_ := (set $pvc.spec "storageClassName" $sc_15) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $pvc) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetTopologySpreadConstraints" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $result := (coalesce nil) -}} +{{- $labelSelector := (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") )) -}} +{{- range $_, $v := $values.statefulset.topologySpreadConstraints -}} +{{- $result = (concat (default (list ) $result) (list (mustMergeOverwrite (dict "maxSkew" 0 "topologyKey" "" "whenUnsatisfiable" "" ) (dict "maxSkew" ($v.maxSkew | int) "topologyKey" $v.topologyKey "whenUnsatisfiable" $v.whenUnsatisfiable "labelSelector" $labelSelector )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.StorageTieredConfig" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.Storage.GetTieredStorageConfig" (dict "a" (list $values.storage) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.5/templates/_values.go.tpl b/charts/redpanda/redpanda/5.9.5/templates/_values.go.tpl new file mode 100644 index 000000000..7862512dc --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/_values.go.tpl @@ -0,0 +1,1313 @@ +{{- /* Generated from "values.go" */ -}} + +{{- define "redpanda.AuditLogging.Translate" -}} +{{- $a := (index .a 0) -}} +{{- $dot := (index .a 1) -}} +{{- $isSASLEnabled := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (dict ) -}} +{{- if (not (get (fromJson (include "redpanda.RedpandaAtLeast_23_3_0" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- $enabled := (and $a.enabled $isSASLEnabled) -}} +{{- $_ := (set $result "audit_enabled" $enabled) -}} +{{- if (not $enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (ne (($a.clientMaxBufferSize | int) | int) (16777216 | int)) -}} +{{- $_ := (set $result "audit_client_max_buffer_size" ($a.clientMaxBufferSize | int)) -}} +{{- end -}} +{{- if (ne (($a.queueDrainIntervalMs | int) | int) (500 | int)) -}} +{{- $_ := (set $result "audit_queue_drain_interval_ms" ($a.queueDrainIntervalMs | int)) -}} +{{- end -}} +{{- if (ne (($a.queueMaxBufferSizePerShard | int) | int) (1048576 | int)) -}} +{{- $_ := (set $result "audit_queue_max_buffer_size_per_shard" ($a.queueMaxBufferSizePerShard | int)) -}} +{{- end -}} +{{- if (ne (($a.partitions | int) | int) (12 | int)) -}} +{{- $_ := (set $result "audit_log_num_partitions" ($a.partitions | int)) -}} +{{- end -}} +{{- if (ne ($a.replicationFactor | int) (0 | int)) -}} +{{- $_ := (set $result "audit_log_replication_factor" ($a.replicationFactor | int)) -}} +{{- end -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $a.enabledEventTypes) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $result "audit_enabled_event_types" $a.enabledEventTypes) -}} +{{- end -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $a.excludedTopics) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $result "audit_excluded_topics" $a.excludedTopics) -}} +{{- end -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $a.excludedPrincipals) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $result "audit_excluded_principals" $a.excludedPrincipals) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Auth.IsSASLEnabled" -}} +{{- $a := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq $a.sasl (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" false) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $a.sasl.enabled) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Auth.Translate" -}} +{{- $a := (index .a 0) -}} +{{- $isSASLEnabled := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (not $isSASLEnabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $users := (list "kubernetes-controller") -}} +{{- range $_, $u := $a.sasl.users -}} +{{- $users = (concat (default (list ) $users) (list $u.name)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict "superusers" $users )) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Logging.Translate" -}} +{{- $l := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (dict ) -}} +{{- $clusterID_1 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.usageStats.clusterId "") ))) "r") -}} +{{- if (ne $clusterID_1 "") -}} +{{- $_ := (set $result "cluster_id" $clusterID_1) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaResources.GetOverProvisionValue" -}} +{{- $rr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (lt ((get (fromJson (include "_shims.resource_MilliValue" (dict "a" (list $rr.cpu.cores) ))) "r") | int64) (1000 | int64)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" true) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $rr.cpu.overprovisioned false) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.IsTieredStorageEnabled" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $conf := (get (fromJson (include "redpanda.Storage.GetTieredStorageConfig" (dict "a" (list $s) ))) "r") -}} +{{- $tmp_tuple_3 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $conf "cloud_storage_enabled" (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok := $tmp_tuple_3.T2 -}} +{{- $b := $tmp_tuple_3.T1 -}} +{{- $_is_returning = true -}} +{{- (dict "r" (and $ok (get (fromJson (include "_shims.typeassertion" (dict "a" (list "bool" $b) ))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.GetTieredStorageConfig" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $s.tieredConfig) ))) "r") | int) (0 | int)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $s.tieredConfig) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $s.tiered.config) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.GetTieredStorageHostPath" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $hp := $s.tieredStorageHostPath -}} +{{- if (and (empty $hp) (ne $s.tiered (coalesce nil))) -}} +{{- $hp = $s.tiered.hostPath -}} +{{- end -}} +{{- if (empty $hp) -}} +{{- $_ := (fail (printf `storage.tiered.mountType is "%s" but storage.tiered.hostPath is empty` $s.tiered.mountType)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $hp) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.CloudStorageCacheSize" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_4 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list (get (fromJson (include "redpanda.Storage.GetTieredStorageConfig" (dict "a" (list $s) ))) "r") `cloud_storage_cache_size` (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok := $tmp_tuple_4.T2 -}} +{{- $value := $tmp_tuple_4.T1 -}} +{{- if (not $ok) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $value) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.TieredCacheDirectory" -}} +{{- $s := (index .a 0) -}} +{{- $dot := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $tmp_tuple_5 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list "string" (index $values.config.node "cloud_storage_cache_directory") "") ))) "r")) ))) "r") -}} +{{- $ok_3 := $tmp_tuple_5.T2 -}} +{{- $dir_2 := $tmp_tuple_5.T1 -}} +{{- if $ok_3 -}} +{{- $_is_returning = true -}} +{{- (dict "r" $dir_2) | toJson -}} +{{- break -}} +{{- end -}} +{{- $tieredConfig := (get (fromJson (include "redpanda.Storage.GetTieredStorageConfig" (dict "a" (list $values.storage) ))) "r") -}} +{{- $tmp_tuple_6 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list "string" (index $tieredConfig "cloud_storage_cache_directory") "") ))) "r")) ))) "r") -}} +{{- $ok_5 := $tmp_tuple_6.T2 -}} +{{- $dir_4 := $tmp_tuple_6.T1 -}} +{{- if $ok_5 -}} +{{- $_is_returning = true -}} +{{- (dict "r" $dir_4) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" "/var/lib/redpanda/data/cloud_storage_cache") | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.TieredMountType" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (and (ne $s.tieredStoragePersistentVolume (coalesce nil)) $s.tieredStoragePersistentVolume.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" "persistentVolume") | toJson -}} +{{- break -}} +{{- end -}} +{{- if (not (empty $s.tieredStorageHostPath)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" "hostPath") | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $s.tiered.mountType) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.TieredPersistentVolumeLabels" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne $s.tieredStoragePersistentVolume (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $s.tieredStoragePersistentVolume.labels) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (ne $s.tiered (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $s.tiered.persistentVolume.labels) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_ := (fail `storage.tiered.mountType is "persistentVolume" but storage.tiered.persistentVolume is not configured`) -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.TieredPersistentVolumeAnnotations" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne $s.tieredStoragePersistentVolume (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $s.tieredStoragePersistentVolume.annotations) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (ne $s.tiered (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $s.tiered.persistentVolume.annotations) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_ := (fail `storage.tiered.mountType is "persistentVolume" but storage.tiered.persistentVolume is not configured`) -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.TieredPersistentVolumeStorageClass" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne $s.tieredStoragePersistentVolume (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $s.tieredStoragePersistentVolume.storageClass) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (ne $s.tiered (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $s.tiered.persistentVolume.storageClass) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_ := (fail `storage.tiered.mountType is "persistentVolume" but storage.tiered.persistentVolume is not configured`) -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.Translate" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (dict ) -}} +{{- if (not (get (fromJson (include "redpanda.Storage.IsTieredStorageEnabled" (dict "a" (list $s) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- $tieredStorageConfig := (get (fromJson (include "redpanda.Storage.GetTieredStorageConfig" (dict "a" (list $s) ))) "r") -}} +{{- range $k, $v := $tieredStorageConfig -}} +{{- if (or (eq $v (coalesce nil)) (empty $v)) -}} +{{- continue -}} +{{- end -}} +{{- if (eq $k "cloud_storage_cache_size") -}} +{{- $_ := (set $result $k (printf "%d" ((get (fromJson (include "_shims.resource_Value" (dict "a" (list $v) ))) "r") | int64))) -}} +{{- continue -}} +{{- end -}} +{{- $tmp_tuple_8 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list "string" $v "") ))) "r")) ))) "r") -}} +{{- $ok_7 := $tmp_tuple_8.T2 -}} +{{- $str_6 := $tmp_tuple_8.T1 -}} +{{- $tmp_tuple_9 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list "bool" $v false) ))) "r")) ))) "r") -}} +{{- $ok_9 := $tmp_tuple_9.T2 -}} +{{- $b_8 := $tmp_tuple_9.T1 -}} +{{- $tmp_tuple_10 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.asnumeric" (dict "a" (list $v) ))) "r")) ))) "r") -}} +{{- $isFloat_11 := $tmp_tuple_10.T2 -}} +{{- $f_10 := ($tmp_tuple_10.T1 | float64) -}} +{{- if $ok_7 -}} +{{- $_ := (set $result $k $str_6) -}} +{{- else -}}{{- if $ok_9 -}} +{{- $_ := (set $result $k $b_8) -}} +{{- else -}}{{- if $isFloat_11 -}} +{{- $_ := (set $result $k ($f_10 | int)) -}} +{{- else -}} +{{- $_ := (set $result $k (mustToJson $v)) -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.StorageMinFreeBytes" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (and (ne $s.persistentVolume (coalesce nil)) (not $s.persistentVolume.enabled)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (5368709120 | int)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $minimumFreeBytes := ((mulf (((get (fromJson (include "_shims.resource_Value" (dict "a" (list $s.persistentVolume.size) ))) "r") | int64) | float64) 0.05) | float64) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (min (5368709120 | int) ($minimumFreeBytes | int64))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Tuning.Translate" -}} +{{- $t := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (dict ) -}} +{{- $s := (toJson $t) -}} +{{- $tune := (fromJson $s) -}} +{{- $tmp_tuple_11 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list (printf "map[%s]%s" "string" "interface {}") $tune (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok := $tmp_tuple_11.T2 -}} +{{- $m := $tmp_tuple_11.T1 -}} +{{- if (not $ok) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict )) | toJson -}} +{{- break -}} +{{- end -}} +{{- range $k, $v := $m -}} +{{- $_ := (set $result $k $v) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Listeners.CreateSeedServers" -}} +{{- $l := (index .a 0) -}} +{{- $replicas := (index .a 1) -}} +{{- $fullname := (index .a 2) -}} +{{- $internalDomain := (index .a 3) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (coalesce nil) -}} +{{- range $_, $i := untilStep (((0 | int) | int)|int) ($replicas|int) (1|int) -}} +{{- $result = (concat (default (list ) $result) (list (dict "host" (dict "address" (printf "%s-%d.%s" $fullname $i $internalDomain) "port" ($l.rpc.port | int) ) ))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Listeners.AdminList" -}} +{{- $l := (index .a 0) -}} +{{- $replicas := (index .a 1) -}} +{{- $fullname := (index .a 2) -}} +{{- $internalDomain := (index .a 3) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.ServerList" (dict "a" (list $replicas "" $fullname $internalDomain ($l.admin.port | int)) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ServerList" -}} +{{- $replicas := (index .a 0) -}} +{{- $prefix := (index .a 1) -}} +{{- $fullname := (index .a 2) -}} +{{- $internalDomain := (index .a 3) -}} +{{- $port := (index .a 4) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (coalesce nil) -}} +{{- range $_, $i := untilStep (((0 | int) | int)|int) ($replicas|int) (1|int) -}} +{{- $result = (concat (default (list ) $result) (list (printf "%s%s-%d.%s:%d" $prefix $fullname $i $internalDomain ($port | int)))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Listeners.TrustStoreVolume" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $cmSources := (dict ) -}} +{{- $secretSources := (dict ) -}} +{{- range $_, $ts := (get (fromJson (include "redpanda.Listeners.TrustStores" (dict "a" (list $l $tls) ))) "r") -}} +{{- $projection := (get (fromJson (include "redpanda.TrustStore.VolumeProjection" (dict "a" (list $ts) ))) "r") -}} +{{- if (ne $projection.secret (coalesce nil)) -}} +{{- $_ := (set $secretSources $projection.secret.name (concat (default (list ) (index $secretSources $projection.secret.name)) (default (list ) $projection.secret.items))) -}} +{{- else -}} +{{- $_ := (set $cmSources $projection.configMap.name (concat (default (list ) (index $cmSources $projection.configMap.name)) (default (list ) $projection.configMap.items))) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $sources := (coalesce nil) -}} +{{- range $_, $name := (sortAlpha (keys $cmSources)) -}} +{{- $keys := (index $cmSources $name) -}} +{{- $sources = (concat (default (list ) $sources) (list (mustMergeOverwrite (dict ) (dict "configMap" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" $name )) (dict "items" (get (fromJson (include "redpanda.dedupKeyToPaths" (dict "a" (list $keys) ))) "r") )) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $_, $name := (sortAlpha (keys $secretSources)) -}} +{{- $keys := (index $secretSources $name) -}} +{{- $sources = (concat (default (list ) $sources) (list (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" $name )) (dict "items" (get (fromJson (include "redpanda.dedupKeyToPaths" (dict "a" (list $keys) ))) "r") )) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- if (lt ((get (fromJson (include "_shims.len" (dict "a" (list $sources) ))) "r") | int) (1 | int)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "projected" (mustMergeOverwrite (dict "sources" (coalesce nil) ) (dict "sources" $sources )) )) (dict "name" "truststores" ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.dedupKeyToPaths" -}} +{{- $items := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $seen := (dict ) -}} +{{- $deduped := (coalesce nil) -}} +{{- range $_, $item := $items -}} +{{- $tmp_tuple_12 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $seen $item.key (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok_12 := $tmp_tuple_12.T2 -}} +{{- if $ok_12 -}} +{{- continue -}} +{{- end -}} +{{- $deduped = (concat (default (list ) $deduped) (list $item)) -}} +{{- $_ := (set $seen $item.key true) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $deduped) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Listeners.TrustStores" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tss := (get (fromJson (include "redpanda.KafkaListeners.TrustStores" (dict "a" (list $l.kafka $tls) ))) "r") -}} +{{- $tss = (concat (default (list ) $tss) (default (list ) (get (fromJson (include "redpanda.AdminListeners.TrustStores" (dict "a" (list $l.admin $tls) ))) "r"))) -}} +{{- $tss = (concat (default (list ) $tss) (default (list ) (get (fromJson (include "redpanda.HTTPListeners.TrustStores" (dict "a" (list $l.http $tls) ))) "r"))) -}} +{{- $tss = (concat (default (list ) $tss) (default (list ) (get (fromJson (include "redpanda.SchemaRegistryListeners.TrustStores" (dict "a" (list $l.schemaRegistry $tls) ))) "r"))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $tss) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Config.CreateRPKConfiguration" -}} +{{- $c := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (dict ) -}} +{{- range $k, $v := $c.rpk -}} +{{- $_ := (set $result $k $v) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TLSCertMap.MustGet" -}} +{{- $m := (index .a 0) -}} +{{- $name := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_13 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $m $name (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok := $tmp_tuple_13.T2 -}} +{{- $cert := $tmp_tuple_13.T1 -}} +{{- if (not $ok) -}} +{{- $_ := (fail (printf "Certificate %q referenced, but not found in the tls.certs map" $name)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $cert) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.BootstrapUser.BootstrapEnvironment" -}} +{{- $b := (index .a 0) -}} +{{- $fullname := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) (get (fromJson (include "redpanda.BootstrapUser.RpkEnvironment" (dict "a" (list $b $fullname) ))) "r")) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "RP_BOOTSTRAP_USER" "value" "$(RPK_USER):$(RPK_PASS):$(RPK_SASL_MECHANISM)" ))))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.BootstrapUser.RpkEnvironment" -}} +{{- $b := (index .a 0) -}} +{{- $fullname := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "RPK_PASS" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (get (fromJson (include "redpanda.BootstrapUser.SecretKeySelector" (dict "a" (list $b $fullname) ))) "r") )) )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "RPK_USER" "value" "kubernetes-controller" )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "RPK_SASL_MECHANISM" "value" (get (fromJson (include "redpanda.BootstrapUser.GetMechanism" (dict "a" (list $b) ))) "r") )))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.BootstrapUser.GetMechanism" -}} +{{- $b := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq $b.mechanism "") -}} +{{- $_is_returning = true -}} +{{- (dict "r" "SCRAM-SHA-256") | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $b.mechanism) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.BootstrapUser.SecretKeySelector" -}} +{{- $b := (index .a 0) -}} +{{- $fullname := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne $b.secretKeyRef (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $b.secretKeyRef) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (printf "%s-bootstrap-user" $fullname) )) (dict "key" "password" ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TrustStore.TrustStoreFilePath" -}} +{{- $t := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s/%s" "/etc/truststores" (get (fromJson (include "redpanda.TrustStore.RelativePath" (dict "a" (list $t) ))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TrustStore.RelativePath" -}} +{{- $t := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne $t.configMapKeyRef (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "configmaps/%s-%s" $t.configMapKeyRef.name $t.configMapKeyRef.key)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "secrets/%s-%s" $t.secretKeyRef.name $t.secretKeyRef.key)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TrustStore.VolumeProjection" -}} +{{- $t := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne $t.configMapKeyRef (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict ) (dict "configMap" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" $t.configMapKeyRef.name )) (dict "items" (list (mustMergeOverwrite (dict "key" "" "path" "" ) (dict "key" $t.configMapKeyRef.key "path" (get (fromJson (include "redpanda.TrustStore.RelativePath" (dict "a" (list $t) ))) "r") ))) )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" $t.secretKeyRef.name )) (dict "items" (list (mustMergeOverwrite (dict "key" "" "path" "" ) (dict "key" $t.secretKeyRef.key "path" (get (fromJson (include "redpanda.TrustStore.RelativePath" (dict "a" (list $t) ))) "r") ))) )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.InternalTLS.IsEnabled" -}} +{{- $t := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (and (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $t.enabled $tls.enabled) ))) "r") (ne $t.cert ""))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.InternalTLS.TrustStoreFilePath" -}} +{{- $t := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne $t.trustStore (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.TrustStore.TrustStoreFilePath" (dict "a" (list $t.trustStore) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) $t.cert) ))) "r").caEnabled -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "/etc/tls/certs/%s/ca.crt" $t.cert)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" "/etc/ssl/certs/ca-certificates.crt") | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.InternalTLS.ServerCAPath" -}} +{{- $t := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) $t.cert) ))) "r").caEnabled -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "/etc/tls/certs/%s/ca.crt" $t.cert)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "/etc/tls/certs/%s/tls.crt" $t.cert)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ExternalTLS.GetCert" -}} +{{- $t := (index .a 0) -}} +{{- $i := (index .a 1) -}} +{{- $tls := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $t $i) ))) "r")) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ExternalTLS.GetCertName" -}} +{{- $t := (index .a 0) -}} +{{- $i := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $t.cert $i.cert) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ExternalTLS.TrustStoreFilePath" -}} +{{- $t := (index .a 0) -}} +{{- $i := (index .a 1) -}} +{{- $tls := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne $t.trustStore (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.TrustStore.TrustStoreFilePath" (dict "a" (list $t.trustStore) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (get (fromJson (include "redpanda.ExternalTLS.GetCert" (dict "a" (list $t $i $tls) ))) "r").caEnabled -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "/etc/tls/certs/%s/ca.crt" (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $t $i) ))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" "/etc/ssl/certs/ca-certificates.crt") | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ExternalTLS.IsEnabled" -}} +{{- $t := (index .a 0) -}} +{{- $i := (index .a 1) -}} +{{- $tls := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq $t (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" false) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (and (ne (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $t $i) ))) "r") "") (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $t.enabled (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $i $tls) ))) "r")) ))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.AdminListeners.ConsoleTLS" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $t := (mustMergeOverwrite (dict "enabled" false "caFilepath" "" "certFilepath" "" "keyFilepath" "" "insecureSkipTlsVerify" false ) (dict "enabled" (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $l.tls $tls) ))) "r") )) -}} +{{- if (not $t.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- $adminAPIPrefix := "/mnt/cert/adminapi" -}} +{{- $_ := (set $t "caFilepath" (printf "%s/%s/ca.crt" $adminAPIPrefix $l.tls.cert)) -}} +{{- if (not $l.tls.requireClientAuth) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_ := (set $t "certFilepath" (printf "%s/%s/tls.crt" $adminAPIPrefix $l.tls.cert)) -}} +{{- $_ := (set $t "keyFilepath" (printf "%s/%s/tls.key" $adminAPIPrefix $l.tls.cert)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.AdminListeners.Listeners" -}} +{{- $l := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $admin := (list (get (fromJson (include "redpanda.createInternalListenerCfg" (dict "a" (list ($l.port | int)) ))) "r")) -}} +{{- range $k, $lis := $l.external -}} +{{- if (not (get (fromJson (include "redpanda.AdminExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $admin = (concat (default (list ) $admin) (list (dict "name" $k "port" ($lis.port | int) "address" "0.0.0.0" ))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $admin) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.AdminListeners.ListenersTLS" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $admin := (list ) -}} +{{- $internal := (get (fromJson (include "redpanda.createInternalListenerTLSCfg" (dict "a" (list $tls $l.tls) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $internal) ))) "r") | int) (0 | int)) -}} +{{- $admin = (concat (default (list ) $admin) (list $internal)) -}} +{{- end -}} +{{- range $k, $lis := $l.external -}} +{{- if (or (not (get (fromJson (include "redpanda.AdminExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) -}} +{{- continue -}} +{{- end -}} +{{- $certName := (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $lis.tls $l.tls) ))) "r") -}} +{{- $admin = (concat (default (list ) $admin) (list (dict "name" $k "enabled" true "cert_file" (printf "/etc/tls/certs/%s/tls.crt" $certName) "key_file" (printf "/etc/tls/certs/%s/tls.key" $certName) "require_client_auth" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $lis.tls.requireClientAuth false) ))) "r") "truststore_file" (get (fromJson (include "redpanda.ExternalTLS.TrustStoreFilePath" (dict "a" (list $lis.tls $l.tls $tls) ))) "r") ))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $admin) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.AdminListeners.TrustStores" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tss := (list ) -}} +{{- if (and (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $l.tls $tls) ))) "r") (ne $l.tls.trustStore (coalesce nil))) -}} +{{- $tss = (concat (default (list ) $tss) (list $l.tls.trustStore)) -}} +{{- end -}} +{{- range $_, $key := (sortAlpha (keys $l.external)) -}} +{{- $lis := (index $l.external $key) -}} +{{- if (or (or (not (get (fromJson (include "redpanda.AdminExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) (eq $lis.tls.trustStore (coalesce nil))) -}} +{{- continue -}} +{{- end -}} +{{- $tss = (concat (default (list ) $tss) (list $lis.tls.trustStore)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $tss) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.AdminExternal.IsEnabled" -}} +{{- $l := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (and (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.enabled true) ))) "r") (gt ($l.port | int) (0 | int)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.HTTPListeners.Listeners" -}} +{{- $l := (index .a 0) -}} +{{- $saslEnabled := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $internal := (get (fromJson (include "redpanda.createInternalListenerCfg" (dict "a" (list ($l.port | int)) ))) "r") -}} +{{- if $saslEnabled -}} +{{- $_ := (set $internal "authentication_method" "http_basic") -}} +{{- end -}} +{{- $am_13 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.authenticationMethod "") ))) "r") -}} +{{- if (ne $am_13 "") -}} +{{- $_ := (set $internal "authentication_method" $am_13) -}} +{{- end -}} +{{- $result := (list $internal) -}} +{{- range $k, $l := $l.external -}} +{{- if (not (get (fromJson (include "redpanda.HTTPExternal.IsEnabled" (dict "a" (list $l) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $listener := (dict "name" $k "port" ($l.port | int) "address" "0.0.0.0" ) -}} +{{- if $saslEnabled -}} +{{- $_ := (set $listener "authentication_method" "http_basic") -}} +{{- end -}} +{{- $am_14 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.authenticationMethod "") ))) "r") -}} +{{- if (ne $am_14 "") -}} +{{- $_ := (set $listener "authentication_method" $am_14) -}} +{{- end -}} +{{- $result = (concat (default (list ) $result) (list $listener)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.HTTPListeners.ListenersTLS" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $pp := (list ) -}} +{{- $internal := (get (fromJson (include "redpanda.createInternalListenerTLSCfg" (dict "a" (list $tls $l.tls) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $internal) ))) "r") | int) (0 | int)) -}} +{{- $pp = (concat (default (list ) $pp) (list $internal)) -}} +{{- end -}} +{{- range $k, $lis := $l.external -}} +{{- if (or (not (get (fromJson (include "redpanda.HTTPExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) -}} +{{- continue -}} +{{- end -}} +{{- $certName := (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $lis.tls $l.tls) ))) "r") -}} +{{- $pp = (concat (default (list ) $pp) (list (dict "name" $k "enabled" true "cert_file" (printf "/etc/tls/certs/%s/tls.crt" $certName) "key_file" (printf "/etc/tls/certs/%s/tls.key" $certName) "require_client_auth" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $lis.tls.requireClientAuth false) ))) "r") "truststore_file" (get (fromJson (include "redpanda.ExternalTLS.TrustStoreFilePath" (dict "a" (list $lis.tls $l.tls $tls) ))) "r") ))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $pp) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.HTTPListeners.TrustStores" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tss := (coalesce nil) -}} +{{- if (and (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $l.tls $tls) ))) "r") (ne $l.tls.trustStore (coalesce nil))) -}} +{{- $tss = (concat (default (list ) $tss) (list $l.tls.trustStore)) -}} +{{- end -}} +{{- range $_, $key := (sortAlpha (keys $l.external)) -}} +{{- $lis := (index $l.external $key) -}} +{{- if (or (or (not (get (fromJson (include "redpanda.HTTPExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) (eq $lis.tls.trustStore (coalesce nil))) -}} +{{- continue -}} +{{- end -}} +{{- $tss = (concat (default (list ) $tss) (list $lis.tls.trustStore)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $tss) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.HTTPExternal.IsEnabled" -}} +{{- $l := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (and (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.enabled true) ))) "r") (gt ($l.port | int) (0 | int)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.KafkaListeners.Listeners" -}} +{{- $l := (index .a 0) -}} +{{- $auth := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $internal := (get (fromJson (include "redpanda.createInternalListenerCfg" (dict "a" (list ($l.port | int)) ))) "r") -}} +{{- if (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $auth) ))) "r") -}} +{{- $_ := (set $internal "authentication_method" "sasl") -}} +{{- end -}} +{{- $am_15 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.authenticationMethod "") ))) "r") -}} +{{- if (ne $am_15 "") -}} +{{- $_ := (set $internal "authentication_method" $am_15) -}} +{{- end -}} +{{- $kafka := (list $internal) -}} +{{- range $k, $l := $l.external -}} +{{- if (not (get (fromJson (include "redpanda.KafkaExternal.IsEnabled" (dict "a" (list $l) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $listener := (dict "name" $k "port" ($l.port | int) "address" "0.0.0.0" ) -}} +{{- if (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $auth) ))) "r") -}} +{{- $_ := (set $listener "authentication_method" "sasl") -}} +{{- end -}} +{{- $am_16 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.authenticationMethod "") ))) "r") -}} +{{- if (ne $am_16 "") -}} +{{- $_ := (set $listener "authentication_method" $am_16) -}} +{{- end -}} +{{- $kafka = (concat (default (list ) $kafka) (list $listener)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $kafka) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.KafkaListeners.ListenersTLS" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $kafka := (list ) -}} +{{- $internal := (get (fromJson (include "redpanda.createInternalListenerTLSCfg" (dict "a" (list $tls $l.tls) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $internal) ))) "r") | int) (0 | int)) -}} +{{- $kafka = (concat (default (list ) $kafka) (list $internal)) -}} +{{- end -}} +{{- range $k, $lis := $l.external -}} +{{- if (or (not (get (fromJson (include "redpanda.KafkaExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) -}} +{{- continue -}} +{{- end -}} +{{- $certName := (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $lis.tls $l.tls) ))) "r") -}} +{{- $kafka = (concat (default (list ) $kafka) (list (dict "name" $k "enabled" true "cert_file" (printf "/etc/tls/certs/%s/tls.crt" $certName) "key_file" (printf "/etc/tls/certs/%s/tls.key" $certName) "require_client_auth" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $lis.tls.requireClientAuth false) ))) "r") "truststore_file" (get (fromJson (include "redpanda.ExternalTLS.TrustStoreFilePath" (dict "a" (list $lis.tls $l.tls $tls) ))) "r") ))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $kafka) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.KafkaListeners.TrustStores" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tss := (coalesce nil) -}} +{{- if (and (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $l.tls $tls) ))) "r") (ne $l.tls.trustStore (coalesce nil))) -}} +{{- $tss = (concat (default (list ) $tss) (list $l.tls.trustStore)) -}} +{{- end -}} +{{- range $_, $key := (sortAlpha (keys $l.external)) -}} +{{- $lis := (index $l.external $key) -}} +{{- if (or (or (not (get (fromJson (include "redpanda.KafkaExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) (eq $lis.tls.trustStore (coalesce nil))) -}} +{{- continue -}} +{{- end -}} +{{- $tss = (concat (default (list ) $tss) (list $lis.tls.trustStore)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $tss) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.KafkaListeners.ConsolemTLS" -}} +{{- $k := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $t := (mustMergeOverwrite (dict "enabled" false "caFilepath" "" "certFilepath" "" "keyFilepath" "" "insecureSkipTlsVerify" false ) (dict "enabled" (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $k.tls $tls) ))) "r") )) -}} +{{- if (not $t.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- $kafkaPathPrefix := "/mnt/cert/kafka" -}} +{{- $_ := (set $t "caFilepath" (printf "%s/%s/ca.crt" $kafkaPathPrefix $k.tls.cert)) -}} +{{- if (not $k.tls.requireClientAuth) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_ := (set $t "certFilepath" (printf "%s/%s/tls.crt" $kafkaPathPrefix $k.tls.cert)) -}} +{{- $_ := (set $t "keyFilepath" (printf "%s/%s/tls.key" $kafkaPathPrefix $k.tls.cert)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.KafkaExternal.IsEnabled" -}} +{{- $l := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (and (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.enabled true) ))) "r") (gt ($l.port | int) (0 | int)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SchemaRegistryListeners.Listeners" -}} +{{- $sr := (index .a 0) -}} +{{- $saslEnabled := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $internal := (get (fromJson (include "redpanda.createInternalListenerCfg" (dict "a" (list ($sr.port | int)) ))) "r") -}} +{{- if $saslEnabled -}} +{{- $_ := (set $internal "authentication_method" "http_basic") -}} +{{- end -}} +{{- $am_17 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $sr.authenticationMethod "") ))) "r") -}} +{{- if (ne $am_17 "") -}} +{{- $_ := (set $internal "authentication_method" $am_17) -}} +{{- end -}} +{{- $result := (list $internal) -}} +{{- range $k, $l := $sr.external -}} +{{- if (not (get (fromJson (include "redpanda.SchemaRegistryExternal.IsEnabled" (dict "a" (list $l) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $listener := (dict "name" $k "port" ($l.port | int) "address" "0.0.0.0" ) -}} +{{- if $saslEnabled -}} +{{- $_ := (set $listener "authentication_method" "http_basic") -}} +{{- end -}} +{{- $am_18 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.authenticationMethod "") ))) "r") -}} +{{- if (ne $am_18 "") -}} +{{- $_ := (set $listener "authentication_method" $am_18) -}} +{{- end -}} +{{- $result = (concat (default (list ) $result) (list $listener)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SchemaRegistryListeners.ListenersTLS" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $listeners := (list ) -}} +{{- $internal := (get (fromJson (include "redpanda.createInternalListenerTLSCfg" (dict "a" (list $tls $l.tls) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $internal) ))) "r") | int) (0 | int)) -}} +{{- $listeners = (concat (default (list ) $listeners) (list $internal)) -}} +{{- end -}} +{{- range $k, $lis := $l.external -}} +{{- if (or (not (get (fromJson (include "redpanda.SchemaRegistryExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) -}} +{{- continue -}} +{{- end -}} +{{- $certName := (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $lis.tls $l.tls) ))) "r") -}} +{{- $listeners = (concat (default (list ) $listeners) (list (dict "name" $k "enabled" true "cert_file" (printf "/etc/tls/certs/%s/tls.crt" $certName) "key_file" (printf "/etc/tls/certs/%s/tls.key" $certName) "require_client_auth" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $lis.tls.requireClientAuth false) ))) "r") "truststore_file" (get (fromJson (include "redpanda.ExternalTLS.TrustStoreFilePath" (dict "a" (list $lis.tls $l.tls $tls) ))) "r") ))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $listeners) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SchemaRegistryListeners.TrustStores" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tss := (coalesce nil) -}} +{{- if (and (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $l.tls $tls) ))) "r") (ne $l.tls.trustStore (coalesce nil))) -}} +{{- $tss = (concat (default (list ) $tss) (list $l.tls.trustStore)) -}} +{{- end -}} +{{- range $_, $key := (sortAlpha (keys $l.external)) -}} +{{- $lis := (index $l.external $key) -}} +{{- if (or (or (not (get (fromJson (include "redpanda.SchemaRegistryExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) (eq $lis.tls.trustStore (coalesce nil))) -}} +{{- continue -}} +{{- end -}} +{{- $tss = (concat (default (list ) $tss) (list $lis.tls.trustStore)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $tss) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SchemaRegistryListeners.ConsoleTLS" -}} +{{- $sr := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $t := (mustMergeOverwrite (dict "enabled" false "caFilepath" "" "certFilepath" "" "keyFilepath" "" "insecureSkipTlsVerify" false ) (dict "enabled" (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $sr.tls $tls) ))) "r") )) -}} +{{- if (not $t.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- $schemaRegistryPrefix := "/mnt/cert/schemaregistry" -}} +{{- $_ := (set $t "caFilepath" (printf "%s/%s/ca.crt" $schemaRegistryPrefix $sr.tls.cert)) -}} +{{- if (not $sr.tls.requireClientAuth) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_ := (set $t "certFilepath" (printf "%s/%s/tls.crt" $schemaRegistryPrefix $sr.tls.cert)) -}} +{{- $_ := (set $t "keyFilepath" (printf "%s/%s/tls.key" $schemaRegistryPrefix $sr.tls.cert)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SchemaRegistryExternal.IsEnabled" -}} +{{- $l := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (and (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.enabled true) ))) "r") (gt ($l.port | int) (0 | int)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TunableConfig.Translate" -}} +{{- $c := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq $c (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $result := (dict ) -}} +{{- range $k, $v := $c -}} +{{- if (not (empty $v)) -}} +{{- $_ := (set $result $k $v) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.NodeConfig.Translate" -}} +{{- $c := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (dict ) -}} +{{- range $k, $v := $c -}} +{{- if (not (empty $v)) -}} +{{- $tmp_tuple_16 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.asnumeric" (dict "a" (list $v) ))) "r")) ))) "r") -}} +{{- $ok_19 := $tmp_tuple_16.T2 -}} +{{- if $ok_19 -}} +{{- $_ := (set $result $k $v) -}} +{{- else -}}{{- if (kindIs "bool" $v) -}} +{{- $_ := (set $result $k $v) -}} +{{- else -}} +{{- $_ := (set $result $k (toYaml $v)) -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ClusterConfig.Translate" -}} +{{- $c := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (dict ) -}} +{{- range $k, $v := $c -}} +{{- $tmp_tuple_17 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list "bool" $v false) ))) "r")) ))) "r") -}} +{{- $ok_21 := $tmp_tuple_17.T2 -}} +{{- $b_20 := $tmp_tuple_17.T1 -}} +{{- if $ok_21 -}} +{{- $_ := (set $result $k $b_20) -}} +{{- continue -}} +{{- end -}} +{{- if (not (empty $v)) -}} +{{- $_ := (set $result $k $v) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SecretRef.IsValid" -}} +{{- $sr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (and (and (ne $sr (coalesce nil)) (not (empty $sr.key))) (not (empty $sr.name)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TieredStorageCredentials.IsAccessKeyReferenceValid" -}} +{{- $tsc := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (and (and (ne $tsc.accessKey (coalesce nil)) (ne $tsc.accessKey.name "")) (ne $tsc.accessKey.key ""))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TieredStorageCredentials.IsSecretKeyReferenceValid" -}} +{{- $tsc := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (and (and (ne $tsc.secretKey (coalesce nil)) (ne $tsc.secretKey.name "")) (ne $tsc.secretKey.key ""))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.5/templates/cert-issuers.yaml b/charts/redpanda/redpanda/5.9.5/templates/cert-issuers.yaml new file mode 100644 index 000000000..f5c966752 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/cert-issuers.yaml @@ -0,0 +1,18 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "redpanda.CertIssuers" .) -}} +{{- include "_shims.render-manifest" (list "redpanda.RootCAs" .) -}} diff --git a/charts/redpanda/redpanda/5.9.5/templates/certs.yaml b/charts/redpanda/redpanda/5.9.5/templates/certs.yaml new file mode 100644 index 000000000..08437f58e --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/certs.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "redpanda.ClientCerts" .) -}} diff --git a/charts/redpanda/redpanda/5.9.5/templates/configmap.yaml b/charts/redpanda/redpanda/5.9.5/templates/configmap.yaml new file mode 100644 index 000000000..8c33ab337 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/configmap.yaml @@ -0,0 +1,17 @@ +{{- /* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "redpanda.ConfigMaps" .) -}} diff --git a/charts/redpanda/redpanda/5.9.5/templates/connectors/connectors.yaml b/charts/redpanda/redpanda/5.9.5/templates/connectors/connectors.yaml new file mode 100644 index 000000000..25343f584 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/connectors/connectors.yaml @@ -0,0 +1,109 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{ if and .Values.connectors.enabled (not .Values.connectors.deployment.create) }} + +{{ $values := .Values }} + +{{/* brokers */}} +{{ $kafkaBrokers := list }} +{{ range (include "seed-server-list" . | mustFromJson) }} + {{ $kafkaBrokers = append $kafkaBrokers (printf "%s:%d" . (int $values.listeners.kafka.port)) }} +{{ end }} + +{{ $connectorsValues := dict + "Values" (dict + "connectors" (dict + "bootstrapServers" (join "," $kafkaBrokers) + "brokerTLS" (dict + "enabled" (include "kafka-internal-tls-enabled" . | fromJson).bool + "ca" (dict + "secretRef" (ternary (printf "%s-default-cert" (include "redpanda.fullname" .)) "" (include "kafka-internal-tls-enabled" . | fromJson).bool) + ) + ) + ) + ) +}} + +{{ $extraVolumes := list }} +{{ $extraVolumeMounts := list }} +{{ $extraEnv := .Values.connectors.deployment.extraEnv }} +{{ $command := list }} +{{ if (include "sasl-enabled" . | fromJson).bool }} + {{ $command = concat $command (list "bash" "-c") }} + {{ $consoleSASLConfig := (printf "set -e; IFS=':' read -r CONNECT_SASL_USERNAME CONNECT_SASL_PASSWORD CONNECT_SASL_MECHANISM < <(grep \"\" $(find /mnt/users/* -print)); CONNECT_SASL_MECHANISM=${CONNECT_SASL_MECHANISM:-%s}; export CONNECT_SASL_USERNAME CONNECT_SASL_PASSWORD CONNECT_SASL_MECHANISM;" ( include "sasl-mechanism" . | lower )) }} + {{ $consoleSASLConfig = cat $consoleSASLConfig " [[ $CONNECT_SASL_MECHANISM == \"SCRAM-SHA-256\" ]] && CONNECT_SASL_MECHANISM=scram-sha-256;" }} + {{ $consoleSASLConfig = cat $consoleSASLConfig " [[ $CONNECT_SASL_MECHANISM == \"SCRAM-SHA-512\" ]] && CONNECT_SASL_MECHANISM=scram-sha-512;" }} + {{ $consoleSASLConfig = cat $consoleSASLConfig " export CONNECT_SASL_MECHANISM;" }} + {{ $consoleSASLConfig = cat $consoleSASLConfig " echo $CONNECT_SASL_PASSWORD > /opt/kafka/connect-password/rc-credentials/password;" }} + {{ $consoleSASLConfig = cat $consoleSASLConfig " exec /opt/kafka/bin/kafka_connect_run.sh" }} + {{ $command = append $command $consoleSASLConfig }} + + {{ $extraVolumes = concat $extraVolumes .Values.connectors.storage.volume }} + + {{ $extraVolumes = append $extraVolumes (dict + "name" (printf "%s-users" (include "redpanda.fullname" .)) + "secret" (dict + "secretName" .Values.auth.sasl.secretRef + ) + )}} + + {{ $extraVolumeMounts = concat $extraVolumeMounts .Values.connectors.storage.volumeMounts }} + + {{ $extraVolumeMounts = append $extraVolumeMounts (dict + "name" (printf "%s-users" (include "redpanda.fullname" .)) + "mountPath" "/mnt/users" + "readOnly" true + )}} + {{ $extraVolumes = append $extraVolumes (dict + "name" (printf "%s-user-password" ((include "redpanda.fullname" .)) | trunc 49) + "emptyDir" (dict) + )}} + {{ $extraVolumeMounts = append $extraVolumeMounts (dict + "name" (printf "%s-user-password" ((include "redpanda.fullname" .)) | trunc 49) + "mountPath" "/opt/kafka/connect-password/rc-credentials" + )}} + {{ $extraEnv = append $extraEnv (dict + "name" "CONNECT_SASL_PASSWORD_FILE" + "value" "rc-credentials/password" + )}} + {{ $connectorsValues := merge $connectorsValues (dict + "Values" (dict + "storage" (dict + "volumeMounts" $extraVolumeMounts + "volume" $extraVolumes + ) + "auth" (dict + "sasl" (dict + "enabled" .Values.auth.sasl.enabled + ) + ) + "deployment" (dict + "command" $command + "extraEnv" $extraEnv + ) + ) + )}} +{{ end }} + +{{ $connectorsValues := merge $connectorsValues (dict "Values" (dict "deployment" (dict "create" (not .Values.connectors.deployment.create)))) }} +{{ $connectorsValues := merge $connectorsValues (dict "Values" (dict "test" (dict "create" (not .Values.connectors.test.create)))) }} +{{ $helmVars := merge $connectorsValues .Subcharts.connectors }} +{{ $helmVars = (dict "Chart" .Subcharts.connectors.Chart "Release" .Release "Values" (merge (dict "AsMap" $helmVars.Values) $helmVars.Values)) }} +{{ include (print .Subcharts.connectors.Template.BasePath "/deployment.yaml") $helmVars }} +--- +{{ include (print .Subcharts.connectors.Template.BasePath "/tests/01-mm2-values.yaml") $helmVars }} +{{ end }} diff --git a/charts/redpanda/redpanda/5.9.5/templates/console/configmap-and-deployment.yaml b/charts/redpanda/redpanda/5.9.5/templates/console/configmap-and-deployment.yaml new file mode 100644 index 000000000..a03229aae --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/console/configmap-and-deployment.yaml @@ -0,0 +1,234 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* Secret */}} +{{ $secretConfig := dict ( dict + "create" $.Values.console.secret.create + ) +}} +{{/* if the console chart has the creation of the secret disabled, create it here instead if needed */}} +{{ if and .Values.console.enabled (not .Values.console.secret.create) }} +{{ $licenseKey := ( include "enterprise-license" . ) }} +# before license changes, this was not printing a secret, so we gather in which case to print +# for now only if we have a license do we print, however, this may be an issue for some +# since if we do include a license we MUST also print all secret items. + {{ if ( not (empty $licenseKey ) ) }} +{{/* License and license are set twice here as a work around to a bug in the post-go console chart. */}} +{{ $secretConfig = ( dict + "create" true + "enterprise" ( dict "license" $licenseKey "License" $licenseKey) + ) +}} + +{{ $config := dict + "Values" (dict + "secret" $secretConfig + )}} + +{{ $secretValues := merge $config .Subcharts.console }} +{{ $wrappedSecretValues := (dict "Chart" .Subcharts.console.Chart "Release" .Release "Values" (dict "AsMap" $secretValues.Values)) }} +--- +{{- include "_shims.render-manifest" (list "console.Secret" $wrappedSecretValues) -}} + {{ end }} +{{ end }} + +{{ $configmap := dict }} +{{/* if the console chart has the creation of the configmap disabled, create it here instead */}} +{{ if and .Values.console.enabled (not .Values.console.configmap.create) }} +{{ $consoleConfigmap := dict "create" true }} + +{{ $consoleConfig := merge .Values.console.config (get ((include "redpanda.ConsoleConfig" (dict "a" (list .))) | fromJson) "r") }} + +{{ $config := dict + "Values" (dict + "console" (dict "config" $consoleConfig) + "configmap" $consoleConfigmap + "secret" $secretConfig + ) +}} + +{{ $configMapValues := merge $config .Subcharts.console }} +--- +{{ $wrappedSecretValues := (dict "Chart" .Subcharts.console.Chart "Release" .Release "Values" (dict "AsMap" $configMapValues.Values)) }} +{{- include "_shims.render-manifest" (list "console.ConfigMap" $wrappedSecretValues) -}} +{{ $configmap = include "_shims.render-manifest" (list "console.ConfigMap" $wrappedSecretValues) }} +{{ end }} + +{{/* Deployment */}} +{{ if and .Values.console.enabled (not .Values.console.deployment.create) }} + +{{ $extraVolumes := list }} +{{ $extraVolumeMounts := list }} +{{ $command := list }} +{{ if (include "sasl-enabled" . | fromJson).bool }} + {{ $command = concat $command (list "sh" "-c") }} + {{ $consoleSASLConfig := (printf "set -e; IFS=':' read -r KAFKA_SASL_USERNAME KAFKA_SASL_PASSWORD KAFKA_SASL_MECHANISM < <(grep \"\" $(find /mnt/users/* -print)); KAFKA_SASL_MECHANISM=${KAFKA_SASL_MECHANISM:-%s}; export KAFKA_SASL_USERNAME KAFKA_SASL_PASSWORD KAFKA_SASL_MECHANISM;" ( include "sasl-mechanism" . )) }} + {{ $consoleSASLConfig = cat $consoleSASLConfig " export KAFKA_SCHEMAREGISTRY_USERNAME=$KAFKA_SASL_USERNAME;" }} + {{ $consoleSASLConfig = cat $consoleSASLConfig " export KAFKA_SCHEMAREGISTRY_PASSWORD=$KAFKA_SASL_PASSWORD;" }} + {{ $consoleSASLConfig = cat $consoleSASLConfig " export REDPANDA_ADMINAPI_USERNAME=$KAFKA_SASL_USERNAME;" }} + {{ $consoleSASLConfig = cat $consoleSASLConfig " export REDPANDA_ADMINAPI_PASSWORD=$KAFKA_SASL_PASSWORD;" }} + {{ $consoleSASLConfig = cat $consoleSASLConfig " /app/console $@" }} + {{ $command = append $command $consoleSASLConfig }} + {{ $command = append $command "--" }} + {{ $extraVolumes = append $extraVolumes (dict + "name" (printf "%s-users" (include "redpanda.fullname" .)) + "secret" (dict + "secretName" .Values.auth.sasl.secretRef + ) + )}} + {{ $extraVolumeMounts = append $extraVolumeMounts (dict + "name" (printf "%s-users" (include "redpanda.fullname" .)) + "mountPath" "/mnt/users" + "readOnly" true + ) }} +{{ end }} + +{{ $kafkaTLS := list }} +{{ if (include "kafka-internal-tls-enabled" . | fromJson).bool }} + {{ $service := .Values.listeners.kafka }} + {{ $cert := get .Values.tls.certs $service.tls.cert }} + {{- $secretName := (printf "%s-%s-cert" (include "redpanda.fullname" .) $service.tls.cert) }} + {{- if $cert.secretRef }} + {{- $secretName = $cert.secretRef.name }} + {{- end }} + {{ if $cert.caEnabled }} + {{ $kafkaTLS = append $kafkaTLS (dict + "name" "KAFKA_TLS_CAFILEPATH" + "value" (printf "/mnt/cert/kafka/%s/ca.crt" $service.tls.cert) + )}} + {{ $extraVolumes = append $extraVolumes (dict + "name" (printf "kafka-%s-cert" $service.tls.cert) + "secret" (dict + "defaultMode" 0420 + "secretName" ( $secretName ) + ))}} + {{ $extraVolumeMounts = append $extraVolumeMounts (dict + "name" (printf "kafka-%s-cert" $service.tls.cert) + "mountPath" (printf "/mnt/cert/kafka/%s" $service.tls.cert) + "readOnly" true + )}} + {{ end }} +{{ end }} + +{{ $schemaRegistryTLS := list }} +{{ if (include "schemaRegistry-internal-tls-enabled" . | fromJson).bool }} + {{ $service := .Values.listeners.schemaRegistry }} + {{ $cert := get .Values.tls.certs $service.tls.cert }} + {{- $secretName := (printf "%s-%s-cert" (include "redpanda.fullname" .) $service.tls.cert) }} + {{- if $cert.secretRef }} + {{- $secretName = $cert.secretRef.name }} + {{- end }} + {{ if $cert.caEnabled }} + {{ $schemaRegistryTLS = append $schemaRegistryTLS (dict + "name" "KAFKA_SCHEMAREGISTRY_TLS_CAFILEPATH" + "value" (printf "/mnt/cert/schemaregistry/%s/ca.crt" $service.tls.cert) + )}} + {{ $extraVolumes = append $extraVolumes (dict + "name" (printf "schemaregistry-%s-cert" $service.tls.cert) + "secret" (dict + "defaultMode" 0420 + "secretName" ( $secretName ) + ))}} + {{ $extraVolumeMounts = append $extraVolumeMounts (dict + "name" (printf "schemaregistry-%s-cert" $service.tls.cert) + "mountPath" (printf "/mnt/cert/schemaregistry/%s" $service.tls.cert) + "readOnly" true + )}} + {{ end }} +{{ end }} + +{{ $adminAPI := list }} +{{ if (include "admin-internal-tls-enabled" . | fromJson).bool }} + {{ $service := .Values.listeners.admin }} + {{ $cert := get .Values.tls.certs $service.tls.cert }} + {{- $secretName := (printf "%s-%s-cert" (include "redpanda.fullname" .) $service.tls.cert) }} + {{- if $cert.secretRef }} + {{- $secretName = $cert.secretRef.name }} + {{- end }} + {{ if $cert.caEnabled }} + {{ $extraVolumes = append $extraVolumes (dict + "name" (printf "adminapi-%s-cert" $service.tls.cert) + "secret" (dict + "defaultMode" 0420 + "secretName" ( $secretName ) + ))}} + {{ $extraVolumeMounts = append $extraVolumeMounts (dict + "name" (printf "adminapi-%s-cert" $service.tls.cert) + "mountPath" (printf "/mnt/cert/adminapi/%s" $service.tls.cert) + "readOnly" true + )}} + {{ end }} +{{ end }} + +{{ $enterprise := dict }} +{{ if ( include "enterprise-secret" .) }} + {{ $enterprise = dict + "licenseSecretRef" ( dict + "name" ( include "enterprise-secret-name" . ) + "key" ( include "enterprise-secret-key" . ) + ) + }} +{{ end }} + +{{ $extraEnv := concat $kafkaTLS $schemaRegistryTLS $adminAPI .Values.console.extraEnv }} +{{ $extraVolumes = concat $extraVolumes .Values.console.extraVolumes }} +{{ $extraVolumeMounts = concat $extraVolumeMounts .Values.console.extraVolumeMounts }} +{{ $consoleValues := dict + "Values" (dict + "extraVolumes" $extraVolumes + "extraVolumeMounts" $extraVolumeMounts + "extraEnv" $extraEnv + "secret" $secretConfig + "enterprise" $enterprise + "image" $.Values.console.image + "autoscaling" .Values.console.autoscaling + "replicaCount" .Values.console.replicaCount + "strategy" .Values.console.strategy + "podAnnotations" .Values.console.podAnnotations + "podLabels" .Values.console.podLabels + "imagePullSecrets" .Values.console.imagePullSecrets + "podSecurityContext" .Values.console.podSecurityContext + "secretMounts" .Values.console.secretMounts + "initContainers" .Values.console.initContainers + "extraArgs" .Values.console.extraArgs + "securityContext" .Values.console.securityContext + "livenessProbe" .Values.console.livenessProbe + "readinessProbe" .Values.console.readinessProbe + "resources" .Values.console.resources + "extraContainers" .Values.console.extraContainers + "nodeSelector" .Values.console.nodeSelector + "affinity" .Values.console.affinity + "topologySpreadConstraints" .Values.console.topologySpreadConstraints + "priorityClassName" .Values.console.priorityClassName + "tolerations" .Values.console.tolerations +)}} + +{{ if not (empty $command) }} + {{ $consoleValues := merge $consoleValues (dict "Values" (dict "deployment" (dict "command" $command))) }} +{{ end }} +{{ $consoleValues := merge $consoleValues (dict "Values" (dict "deployment" (dict "create" (not .Values.console.deployment.create)))) }} + +{{ if and .Values.console.enabled (not .Values.console.configmap.create) }} +{{ $consoleValues := merge $consoleValues (dict "Values" (dict "podAnnotations" (dict "checksum-redpanda-chart/config" ( $configmap | toYaml | sha256sum )))) }} +{{ end }} + +{{ $deploymentValues := merge $consoleValues .Subcharts.console }} +{{ $wrappedDeploymentValues := (dict "Chart" .Subcharts.console.Chart "Release" .Release "Values" (dict "AsMap" $deploymentValues.Values)) }} + +--- +{{- include "_shims.render-manifest" (list "console.Deployment" $wrappedDeploymentValues) -}} +{{ end }} diff --git a/charts/redpanda/redpanda/5.9.5/templates/poddisruptionbudget.yaml b/charts/redpanda/redpanda/5.9.5/templates/poddisruptionbudget.yaml new file mode 100644 index 000000000..28688dd27 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/poddisruptionbudget.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "redpanda.PodDisruptionBudget" .) -}} diff --git a/charts/redpanda/redpanda/5.9.5/templates/post-install-upgrade-job.yaml b/charts/redpanda/redpanda/5.9.5/templates/post-install-upgrade-job.yaml new file mode 100644 index 000000000..106872e05 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/post-install-upgrade-job.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "redpanda.PostInstallUpgradeJob" .) -}} diff --git a/charts/redpanda/redpanda/5.9.5/templates/post-upgrade.yaml b/charts/redpanda/redpanda/5.9.5/templates/post-upgrade.yaml new file mode 100644 index 000000000..e4775a7d0 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/post-upgrade.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "redpanda.PostUpgrade" .) -}} diff --git a/charts/redpanda/redpanda/5.9.5/templates/post_upgrade_job.yaml b/charts/redpanda/redpanda/5.9.5/templates/post_upgrade_job.yaml new file mode 100644 index 000000000..6a95bb94e --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/post_upgrade_job.yaml @@ -0,0 +1,87 @@ +{{- /* Generated from "post_upgrade_job.go" */ -}} + +{{- define "redpanda.PostUpgrade" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.post_upgrade_job.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $labels := (default (dict ) $values.post_upgrade_job.labels) -}} +{{- $annotations := (default (dict ) $values.post_upgrade_job.annotations) -}} +{{- $annotations = (merge (dict ) (dict "helm.sh/hook" "post-upgrade" "helm.sh/hook-delete-policy" "before-hook-creation" "helm.sh/hook-weight" "-10" ) $annotations) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "batch/v1" "kind" "Job" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-post-upgrade" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r")) "namespace" $dot.Release.Namespace "labels" (merge (dict ) (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") $labels) "annotations" $annotations )) "spec" (mustMergeOverwrite (dict "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) ) (dict "backoffLimit" $values.post_upgrade_job.backoffLimit "template" (get (fromJson (include "redpanda.StrategicMergePatch" (dict "a" (list $values.post_upgrade_job.podTemplate (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $dot.Release.Name "labels" (merge (dict ) (dict "app.kubernetes.io/name" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/instance" $dot.Release.Name "app.kubernetes.io/component" (printf "%s-post-upgrade" (trunc (50 | int) (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r"))) ) $values.commonLabels) )) "spec" (mustMergeOverwrite (dict "containers" (coalesce nil) ) (dict "nodeSelector" $values.nodeSelector "affinity" (merge (dict ) $values.post_upgrade_job.affinity $values.affinity) "tolerations" $values.tolerations "restartPolicy" "Never" "securityContext" (get (fromJson (include "redpanda.PodSecurityContext" (dict "a" (list $dot) ))) "r") "serviceAccountName" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") "imagePullSecrets" (default (coalesce nil) $values.imagePullSecrets) "containers" (list (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "post-upgrade" "image" (printf "%s:%s" $values.image.repository (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")) "command" (list "/bin/bash" "-c") "args" (list (get (fromJson (include "redpanda.PostUpgradeJobScript" (dict "a" (list $dot) ))) "r")) "env" (get (fromJson (include "redpanda.rpkEnvVars" (dict "a" (list $dot $values.post_upgrade_job.extraEnv) ))) "r") "envFrom" $values.post_upgrade_job.extraEnvFrom "securityContext" (merge (dict ) (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.post_upgrade_job.securityContext (mustMergeOverwrite (dict ) (dict ))) ))) "r") (get (fromJson (include "redpanda.ContainerSecurityContext" (dict "a" (list $dot) ))) "r")) "resources" $values.post_upgrade_job.resources "volumeMounts" (get (fromJson (include "redpanda.DefaultMounts" (dict "a" (list $dot) ))) "r") ))) "volumes" (get (fromJson (include "redpanda.DefaultVolumes" (dict "a" (list $dot) ))) "r") )) ))) ))) "r") )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.PostUpgradeJobScript" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $script := (list `set -e` ``) -}} +{{- range $key, $value := $values.config.cluster -}} +{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.asintegral" (dict "a" (list $value) ))) "r")) ))) "r") -}} +{{- $isInt64 := $tmp_tuple_1.T2 -}} +{{- $asInt64 := ($tmp_tuple_1.T1 | int64) -}} +{{- $tmp_tuple_2 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list "bool" $value false) ))) "r")) ))) "r") -}} +{{- $ok_2 := $tmp_tuple_2.T2 -}} +{{- $asBool_1 := $tmp_tuple_2.T1 -}} +{{- $tmp_tuple_3 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list "string" $value "") ))) "r")) ))) "r") -}} +{{- $ok_4 := $tmp_tuple_3.T2 -}} +{{- $asStr_3 := $tmp_tuple_3.T1 -}} +{{- $tmp_tuple_4 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list (printf "[]%s" "interface {}") $value (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok_6 := $tmp_tuple_4.T2 -}} +{{- $asSlice_5 := $tmp_tuple_4.T1 -}} +{{- if (and $ok_2 $asBool_1) -}} +{{- $script = (concat (default (list ) $script) (list (printf "rpk cluster config set %s %t" $key $asBool_1))) -}} +{{- else -}}{{- if (and $ok_4 (ne $asStr_3 "")) -}} +{{- $script = (concat (default (list ) $script) (list (printf "rpk cluster config set %s %s" $key $asStr_3))) -}} +{{- else -}}{{- if (and $isInt64 (gt $asInt64 (0 | int64))) -}} +{{- $script = (concat (default (list ) $script) (list (printf "rpk cluster config set %s %d" $key $asInt64))) -}} +{{- else -}}{{- if (and $ok_6 (gt ((get (fromJson (include "_shims.len" (dict "a" (list $asSlice_5) ))) "r") | int) (0 | int))) -}} +{{- $script = (concat (default (list ) $script) (list (printf `rpk cluster config set %s "[ %s ]"` $key (join "," $asSlice_5)))) -}} +{{- else -}}{{- if (not (empty $value)) -}} +{{- $script = (concat (default (list ) $script) (list (printf "rpk cluster config set %s %v" $key $value))) -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $tmp_tuple_5 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $values.config.cluster "default_topic_replications" (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok_7 := $tmp_tuple_5.T2 -}} +{{- if (and (not $ok_7) (ge ($values.statefulset.replicas | int) (3 | int))) -}} +{{- $script = (concat (default (list ) $script) (list "rpk cluster config set default_topic_replications 3")) -}} +{{- end -}} +{{- $tmp_tuple_6 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $values.config.cluster "storage_min_free_bytes" (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok_8 := $tmp_tuple_6.T2 -}} +{{- if (not $ok_8) -}} +{{- $script = (concat (default (list ) $script) (list (printf "rpk cluster config set storage_min_free_bytes %d" ((get (fromJson (include "redpanda.Storage.StorageMinFreeBytes" (dict "a" (list $values.storage) ))) "r") | int64)))) -}} +{{- end -}} +{{- if (get (fromJson (include "redpanda.RedpandaAtLeast_23_2_1" (dict "a" (list $dot) ))) "r") -}} +{{- $service := $values.listeners.admin -}} +{{- $caCert := "" -}} +{{- $scheme := "http" -}} +{{- if (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $service.tls $values.tls) ))) "r") -}} +{{- $scheme = "https" -}} +{{- $caCert = (printf "--cacert %q" (get (fromJson (include "redpanda.InternalTLS.ServerCAPath" (dict "a" (list $service.tls $values.tls) ))) "r")) -}} +{{- end -}} +{{- $url := (printf "%s://%s:%d/v1/debug/restart_service?service=schema-registry" $scheme (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r") (($service.port | int) | int64)) -}} +{{- $script = (concat (default (list ) $script) (list `if [ -d "/etc/secrets/users/" ]; then` ` IFS=":" read -r USER_NAME PASSWORD MECHANISM < <(grep "" $(find /etc/secrets/users/* -print))` ` curl -svm3 --fail --retry "120" --retry-max-time "120" --retry-all-errors --ssl-reqd \` (printf ` %s \` $caCert) ` -X PUT -u ${USER_NAME}:${PASSWORD} \` (printf ` %s || true` $url) `fi`)) -}} +{{- end -}} +{{- $script = (concat (default (list ) $script) (list "")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (join "\n" $script)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.5/templates/rbac.go.tpl b/charts/redpanda/redpanda/5.9.5/templates/rbac.go.tpl new file mode 100644 index 000000000..38fe5363f --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/rbac.go.tpl @@ -0,0 +1,116 @@ +{{- /* Generated from "rbac.go" */ -}} + +{{- define "redpanda.ClusterRoles" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $crs := (coalesce nil) -}} +{{- $cr_1 := (get (fromJson (include "redpanda.SidecarControllersClusterRole" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne $cr_1 (coalesce nil)) -}} +{{- $crs = (concat (default (list ) $crs) (list $cr_1)) -}} +{{- end -}} +{{- if (not $values.rbac.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $crs) | toJson -}} +{{- break -}} +{{- end -}} +{{- $rpkBundleName := (printf "%s-rpk-bundle" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- $crs = (concat (default (list ) $crs) (default (list ) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "rules" (coalesce nil) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRole" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "rules" (list (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "") "resources" (list "nodes") "verbs" (list "get" "list") ))) )) (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "rules" (coalesce nil) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRole" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $rpkBundleName "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "rules" (list (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "") "resources" (list "configmaps" "endpoints" "events" "limitranges" "persistentvolumeclaims" "pods" "pods/log" "replicationcontrollers" "resourcequotas" "serviceaccounts" "services") "verbs" (list "get" "list") ))) ))))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $crs) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ClusterRoleBindings" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $crbs := (coalesce nil) -}} +{{- $crb_2 := (get (fromJson (include "redpanda.SidecarControllersClusterRoleBinding" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne $crb_2 (coalesce nil)) -}} +{{- $crbs = (concat (default (list ) $crbs) (list $crb_2)) -}} +{{- end -}} +{{- if (not $values.rbac.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $crbs) | toJson -}} +{{- break -}} +{{- end -}} +{{- $rpkBundleName := (printf "%s-rpk-bundle" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- $crbs = (concat (default (list ) $crbs) (default (list ) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "roleRef" (dict "apiGroup" "" "kind" "" "name" "" ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRoleBinding" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "roleRef" (mustMergeOverwrite (dict "apiGroup" "" "kind" "" "name" "" ) (dict "apiGroup" "rbac.authorization.k8s.io" "kind" "ClusterRole" "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") )) "subjects" (list (mustMergeOverwrite (dict "kind" "" "name" "" ) (dict "kind" "ServiceAccount" "name" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace ))) )) (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "roleRef" (dict "apiGroup" "" "kind" "" "name" "" ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRoleBinding" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $rpkBundleName "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "roleRef" (mustMergeOverwrite (dict "apiGroup" "" "kind" "" "name" "" ) (dict "apiGroup" "rbac.authorization.k8s.io" "kind" "ClusterRole" "name" $rpkBundleName )) "subjects" (list (mustMergeOverwrite (dict "kind" "" "name" "" ) (dict "kind" "ServiceAccount" "name" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace ))) ))))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $crbs) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SidecarControllersClusterRole" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (or (not $values.statefulset.sideCars.controllers.enabled) (not $values.statefulset.sideCars.controllers.createRBAC)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $sidecarControllerName := (printf "%s-sidecar-controllers" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "rules" (coalesce nil) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRole" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $sidecarControllerName "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "rules" (list (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "") "resources" (list "nodes") "verbs" (list "get" "list" "watch") )) (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "") "resources" (list "persistentvolumes") "verbs" (list "delete" "get" "list" "patch" "update" "watch") ))) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SidecarControllersClusterRoleBinding" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (or (not $values.statefulset.sideCars.controllers.enabled) (not $values.statefulset.sideCars.controllers.createRBAC)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $sidecarControllerName := (printf "%s-sidecar-controllers" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "roleRef" (dict "apiGroup" "" "kind" "" "name" "" ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRoleBinding" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $sidecarControllerName "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "roleRef" (mustMergeOverwrite (dict "apiGroup" "" "kind" "" "name" "" ) (dict "apiGroup" "rbac.authorization.k8s.io" "kind" "ClusterRole" "name" $sidecarControllerName )) "subjects" (list (mustMergeOverwrite (dict "kind" "" "name" "" ) (dict "kind" "ServiceAccount" "name" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace ))) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SidecarControllersRole" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (or (not $values.statefulset.sideCars.controllers.enabled) (not $values.statefulset.sideCars.controllers.createRBAC)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $sidecarControllerName := (printf "%s-sidecar-controllers" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "rules" (coalesce nil) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "Role" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $sidecarControllerName "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "rules" (list (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "apps") "resources" (list "statefulsets/status") "verbs" (list "patch" "update") )) (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "") "resources" (list "secrets" "pods") "verbs" (list "get" "list" "watch") )) (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "apps") "resources" (list "statefulsets") "verbs" (list "get" "patch" "update" "list" "watch") )) (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "") "resources" (list "persistentvolumeclaims") "verbs" (list "delete" "get" "list" "patch" "update" "watch") ))) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SidecarControllersRoleBinding" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (or (not $values.statefulset.sideCars.controllers.enabled) (not $values.statefulset.sideCars.controllers.createRBAC)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $sidecarControllerName := (printf "%s-sidecar-controllers" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "roleRef" (dict "apiGroup" "" "kind" "" "name" "" ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "RoleBinding" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $sidecarControllerName "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "roleRef" (mustMergeOverwrite (dict "apiGroup" "" "kind" "" "name" "" ) (dict "apiGroup" "rbac.authorization.k8s.io" "kind" "Role" "name" $sidecarControllerName )) "subjects" (list (mustMergeOverwrite (dict "kind" "" "name" "" ) (dict "kind" "ServiceAccount" "name" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace ))) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.5/templates/rbac.yaml b/charts/redpanda/redpanda/5.9.5/templates/rbac.yaml new file mode 100644 index 000000000..d746dda30 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/rbac.yaml @@ -0,0 +1,20 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "redpanda.ClusterRoles" .) -}} +{{- include "_shims.render-manifest" (list "redpanda.ClusterRoleBindings" .) -}} +{{- include "_shims.render-manifest" (list "redpanda.SidecarControllersRole" .) -}} +{{- include "_shims.render-manifest" (list "redpanda.SidecarControllersRoleBinding" .) -}} diff --git a/charts/redpanda/redpanda/5.9.5/templates/secrets.yaml b/charts/redpanda/redpanda/5.9.5/templates/secrets.yaml new file mode 100644 index 000000000..7fa8524d2 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/secrets.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "redpanda.Secrets" .) -}} diff --git a/charts/redpanda/redpanda/5.9.5/templates/service.internal.yaml b/charts/redpanda/redpanda/5.9.5/templates/service.internal.yaml new file mode 100644 index 000000000..572550b7a --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/service.internal.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "redpanda.ServiceInternal" .) -}} diff --git a/charts/redpanda/redpanda/5.9.5/templates/service.loadbalancer.yaml b/charts/redpanda/redpanda/5.9.5/templates/service.loadbalancer.yaml new file mode 100644 index 000000000..12a8562a0 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/service.loadbalancer.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "redpanda.LoadBalancerServices" .) -}} diff --git a/charts/redpanda/redpanda/5.9.5/templates/service.nodeport.yaml b/charts/redpanda/redpanda/5.9.5/templates/service.nodeport.yaml new file mode 100644 index 000000000..da82c9e70 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/service.nodeport.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "redpanda.NodePortService" .) -}} diff --git a/charts/redpanda/redpanda/5.9.5/templates/serviceaccount.yaml b/charts/redpanda/redpanda/5.9.5/templates/serviceaccount.yaml new file mode 100644 index 000000000..5e62c0ec6 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/serviceaccount.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "redpanda.ServiceAccount" .) -}} diff --git a/charts/redpanda/redpanda/5.9.5/templates/servicemonitor.yaml b/charts/redpanda/redpanda/5.9.5/templates/servicemonitor.yaml new file mode 100644 index 000000000..cafedbf91 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/servicemonitor.yaml @@ -0,0 +1,17 @@ +{{/* + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + */}} +{{- include "_shims.render-manifest" (list "redpanda.ServiceMonitor" .) -}} diff --git a/charts/redpanda/redpanda/5.9.5/templates/statefulset.yaml b/charts/redpanda/redpanda/5.9.5/templates/statefulset.yaml new file mode 100644 index 000000000..d231e4b77 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/statefulset.yaml @@ -0,0 +1,21 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- include "fail-on-unsupported-helm-version" . -}} +{{- include "fail-on-insecure-sasl-logging" . -}} + +{{- include "_shims.render-manifest" (list "redpanda.StatefulSet" .) -}} diff --git a/charts/redpanda/redpanda/5.9.5/templates/tests/test-api-status.yaml b/charts/redpanda/redpanda/5.9.5/templates/tests/test-api-status.yaml new file mode 100644 index 000000000..330a2c4a4 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/tests/test-api-status.yaml @@ -0,0 +1,52 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.tests.enabled (not (or (include "tls-enabled" . | fromJson).bool (include "sasl-enabled" . | fromJson).bool)) -}} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "redpanda.fullname" . }}-test-api-status" + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + command: + - /usr/bin/timeout + - "120" + - bash + - -c + - | + until rpk cluster info \ + --brokers {{ include "redpanda.fullname" . }}-0.{{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.kafka.port }} + do sleep 2 + done + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.5/templates/tests/test-auditLogging.yaml b/charts/redpanda/redpanda/5.9.5/templates/tests/test-auditLogging.yaml new file mode 100644 index 000000000..fea34776f --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/tests/test-auditLogging.yaml @@ -0,0 +1,86 @@ +{{/* + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/}} +{{/* + This feature is gated by having a license, and it must have sasl enabled, we assume these conditions are met + as part of setting auditLogging being enabled. +*/}} +{{- if and .Values.tests.enabled .Values.auditLogging.enabled (include "redpanda-atleast-23-3-0" . | fromJson).bool }} +{{- $sasl := .Values.auth.sasl }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "redpanda.fullname" . }}-test-audit-logging" + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: { { - toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + command: + - /usr/bin/timeout + - "120" + - bash + - -c + - | + set -xe + old_setting=${-//[^x]/} + audit_topic_name="_redpanda.audit_log" + expected_partitions={{ .Values.auditLogging.partitions }} + + # sasl configurations + set +x + IFS=":" read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) + {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }} + RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- else }} + REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- end }} + export {{ include "rpk-sasl-environment-variables" . }} + if [[ -n "$old_setting" ]]; then set -x; fi + + # now run the to determine if we have the right results + # should describe topic without error + rpk topic describe ${audit_topic_name} + # should get the expected values + result=$(rpk topic list | grep ${audit_topic_name}) + name=$(echo $result | awk '{print $1}') + partitions=$(echo $result | awk '{print $2}') + if [ "${name}" != "${audit_topic_name}" ]; then + echo "expected topic name does not match" + exit 1 + fi + if [ ${partitions} != ${expected_partitions} ]; then + echo "expected partition size did not match" + exit 1 + fi + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + resources: +{{- toYaml .Values.statefulset.resources | nindent 12 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.5/templates/tests/test-connector-via-console.yaml b/charts/redpanda/redpanda/5.9.5/templates/tests/test-connector-via-console.yaml new file mode 100644 index 000000000..67619a829 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/tests/test-connector-via-console.yaml @@ -0,0 +1,166 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.tests.enabled .Values.connectors.enabled .Values.console.enabled }} +{{- $sasl := .Values.auth.sasl }} +{{- $values := .Values }} +{{- $consoleValues := (merge (dict) .Values.console .Subcharts.console.Values) -}} +{{- $consoleDot := dict "Values" (dict "AsMap" $consoleValues) "Release" .Release "Chart" .Subcharts.console.Chart -}} +{{- $connectorsDot := dict "Values" (merge (dict) .Values.connectors .Subcharts.connectors.Values) "Release" .Release "Chart" .Subcharts.connectors.Chart -}} +{{/* brokers */}} +{{- $kafkaBrokers := list }} +{{- range (include "seed-server-list" . | mustFromJson) }} + {{- $kafkaBrokers = append $kafkaBrokers (printf "%s:%s" . ($values.listeners.kafka.port | toString)) }} +{{- end }} +{{- $brokersString := join "," $kafkaBrokers}} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . | trunc 54 }}-test-connectors-via-console + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + test-name: test-connectors-via-console + annotations: + test-name: test-connectors-via-console + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + env: + - name: TLS_ENABLED + value: {{ (include "kafka-internal-tls-enabled" . | fromJson).bool | quote }} + command: + - /bin/bash + - -c + - | + set -xe + + trap connectorsState ERR + + connectorsState () { + echo check connectors expand status + curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" $connectorsDot }}:{{ .Values.connectors.connectors.restPort }}/connectors?expand=status + echo check connectors expand info + curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" $connectorsDot }}:{{ .Values.connectors.connectors.restPort }}/connectors?expand=info + echo check connector configuration + curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" $connectorsDot }}:{{ .Values.connectors.connectors.restPort }}/connectors/$CONNECTOR_NAME + echo check connector topics + curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" $connectorsDot }}:{{ .Values.connectors.connectors.restPort }}/connectors/$CONNECTOR_NAME/topics + } + + {{- if .Values.auth.sasl.enabled }} + set -e + set +x + + echo "SASL enabled: reading credentials from $(find /etc/secrets/users/* -print)" + IFS=":" read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) + {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }} + RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- else }} + REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + RPK_USER="${REDPANDA_SASL_USERNAME}" + RPK_PASS="${REDPANDA_SASL_PASSWORD}" + RPK_SASL_MECHANISM="${REDPANDA_SASL_MECHANISM}" + {{- end }} + export {{ include "rpk-sasl-environment-variables" . }} + + JAAS_CONFIG_SOURCE="\"source.cluster.sasl.jaas.config\": \"org.apache.kafka.common.security.scram.ScramLoginModule required username=\\\\"\"${RPK_USER}\\\\"\" password=\\\\"\"${RPK_PASS}\\\\"\";\"," + JAAS_CONFIG_TARGET="\"target.cluster.sasl.jaas.config\": \"org.apache.kafka.common.security.scram.ScramLoginModule required username=\\\\"\"${RPK_USER}\\\\"\" password=\\\\"\"${RPK_PASS}\\\\"\";\"," + set -x + set +e + {{- end }} + + {{- $testTopic := printf "test-topic-%s" (randNumeric 3) }} + rpk topic create {{ $testTopic }} + rpk topic list + echo "Test message!" | rpk topic produce {{ $testTopic }} + + SECURITY_PROTOCOL=PLAINTEXT + if [[ -n "$RPK_SASL_MECHANISM" && $TLS_ENABLED == "true" ]]; then + SECURITY_PROTOCOL="SASL_SSL" + elif [[ -n "$RPK_SASL_MECHANISM" ]]; then + SECURITY_PROTOCOL="SASL_PLAINTEXT" + elif [[ $TLS_ENABLED == "true" ]]; then + SECURITY_PROTOCOL="SSL" + fi + + CONNECTOR_NAME=mm2-$RANDOM + cat << 'EOF' > /tmp/mm2-conf.json + { + "connectorName": "CONNECTOR_NAME", + "config": { + "connector.class": "org.apache.kafka.connect.mirror.MirrorSourceConnector", + "topics": "{{ $testTopic }}", + "replication.factor": "1", + "tasks.max": "1", + "source.cluster.bootstrap.servers": {{ $brokersString | quote }}, + "target.cluster.bootstrap.servers": {{ $brokersString | quote }}, + "target.cluster.alias": "test-only-redpanda", + "source.cluster.alias": "source", + "key.converter": "org.apache.kafka.connect.converters.ByteArrayConverter", + "value.converter": "org.apache.kafka.connect.converters.ByteArrayConverter", + "source->target.enabled": "true", + "target->source.enabled": "false", + "sync.topic.configs.interval.seconds": "5", + "sync.topics.configs.enabled": "true", + "source.cluster.ssl.truststore.type": "PEM", + "target.cluster.ssl.truststore.type": "PEM", + "source.cluster.ssl.truststore.location": "/opt/kafka/connect-certs/ca/ca.crt", + "target.cluster.ssl.truststore.location": "/opt/kafka/connect-certs/ca/ca.crt", + JAAS_CONFIG_SOURCE + JAAS_CONFIG_TARGET + "source.cluster.security.protocol": "SECURITY_PROTOCOL", + "target.cluster.security.protocol": "SECURITY_PROTOCOL", + "source.cluster.sasl.mechanism": "SASL_MECHANISM", + "target.cluster.sasl.mechanism": "SASL_MECHANISM" + } + } + EOF + + sed -i "s/CONNECTOR_NAME/$CONNECTOR_NAME/g" /tmp/mm2-conf.json + sed -i "s/SASL_MECHANISM/$RPK_SASL_MECHANISM/g" /tmp/mm2-conf.json + sed -i "s/SECURITY_PROTOCOL/$SECURITY_PROTOCOL/g" /tmp/mm2-conf.json + set +x + sed -i "s/JAAS_CONFIG_SOURCE/$JAAS_CONFIG_SOURCE/g" /tmp/mm2-conf.json + sed -i "s/JAAS_CONFIG_TARGET/$JAAS_CONFIG_TARGET/g" /tmp/mm2-conf.json + set -x + + URL=http://{{ get ((include "console.Fullname" (dict "a" (list $consoleDot))) | fromJson) "r" }}:{{ get (fromJson (include "console.ContainerPort" (dict "a" (list $consoleDot) ))) "r" }}/api/kafka-connect/clusters/connectors/connectors + {{/* outputting to /dev/null because the output contains the user password */}} + echo "Creating mm2 connector" + curl {{ template "curl-options" . }} -H 'Content-Type: application/json' "${URL}" -d @/tmp/mm2-conf.json + + rpk topic consume source.{{ $testTopic }} -n 1 + + echo "Destroying mm2 connector" + curl {{ template "curl-options" . }} -X DELETE "${URL}/${CONNECTOR_NAME}" + + rpk topic list + rpk topic delete {{ $testTopic }} source.{{ $testTopic }} mm2-offset-syncs.test-only-redpanda.internal + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.5/templates/tests/test-console.yaml b/charts/redpanda/redpanda/5.9.5/templates/tests/test-console.yaml new file mode 100644 index 000000000..aeef1117a --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/tests/test-console.yaml @@ -0,0 +1,49 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.tests.enabled .Values.console.enabled -}} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "redpanda.fullname" . }}-test-console" + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + command: + - /usr/bin/timeout + - "120" + - bash + - -c + - | + curl {{ template "curl-options" . }} http://{{ include "redpanda.fullname" . }}-console.{{ .Release.Namespace }}.svc:{{ (get (fromJson (include "console.ContainerPort" (dict "a" (list (dict "Values" (dict "AsMap" .Values.console)) )))) "r" ) }}/api/cluster + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.5/templates/tests/test-internal-external-tls-secrets.yaml b/charts/redpanda/redpanda/5.9.5/templates/tests/test-internal-external-tls-secrets.yaml new file mode 100644 index 000000000..53d75bb1b --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/tests/test-internal-external-tls-secrets.yaml @@ -0,0 +1,122 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.tests.enabled (include "tls-enabled" . | fromJson).bool ( eq .Values.external.type "NodePort" ) }} + {{- $values := .Values }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . }}-test-internal-externals-cert-secrets + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + command: + - bash + - -c + - | + set -x + + retry() { + local retries="$1" + local command="$2" + + # Run the command, and save the exit code + bash -c $command + local exit_code=$? + + # If the exit code is non-zero (i.e. command failed), and we have not + # reached the maximum number of retries, run the command again + if [[ $exit_code -ne 0 && $retries -gt 0 ]]; then + retry $(($retries - 1)) "$command" + else + # Return the exit code from the command + return $exit_code + fi + } + + {{- range $name, $cert := $values.tls.certs }} + {{- if $cert.secretRef }} + echo testing cert: {{ $name | quote }} + + {{- if eq $cert.secretRef.name "internal-tls-secret" }} + echo "---> testing internal tls" + retry 5 'openssl s_client -verify_return_error -prexit + {{- if $cert.caEnabled }} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt + {{- end }} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key + -connect {{ include "admin-api-urls" $ }}' + {{- end }} + + {{- if eq $cert.secretRef.name "external-tls-secret" }} + echo "---> testing external tls" + + {{- if eq $values.listeners.kafka.external.default.tls.cert $name }} + echo "-----> testing external tls: kafka api" + {{- $port := ( first $values.listeners.kafka.external.default.advertisedPorts ) }} + retry 5 'openssl s_client -verify_return_error -prexit + {{- if $cert.caEnabled }} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt + {{- end }} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key + -connect {{ $values.external.domain }}:{{ $port }}' + {{- end }} + + {{- if and (eq $values.listeners.schemaRegistry.external.default.tls.cert $name) (include "redpanda-22-2-x-without-sasl" $ | fromJson).bool }} + echo "-----> testing external tls: schema registry" + {{- $port := ( first $values.listeners.schemaRegistry.external.default.advertisedPorts ) }} + retry 5 'openssl s_client -verify_return_error -prexit + {{- if $cert.caEnabled }} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt + {{- end }} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key + -connect {{ $values.external.domain }}:{{ $port }}' + {{- end }} + + {{- if and (eq $values.listeners.http.external.default.tls.cert $name) (include "redpanda-22-2-x-without-sasl" $ | fromJson).bool }} + echo "-----> testing external tls: http api" + {{- $port := ( first $values.listeners.http.external.default.advertisedPorts ) }} + retry 5 'openssl s_client -verify_return_error -prexit + {{- if $cert.caEnabled }} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt + {{- end }} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key + -connect {{ $values.external.domain }}:{{ $port }}' + {{- end }} + + {{- end }} + echo "----" + + {{- end }} + {{- end }} + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.5/templates/tests/test-kafka-internal-tls-status.yaml b/charts/redpanda/redpanda/5.9.5/templates/tests/test-kafka-internal-tls-status.yaml new file mode 100644 index 000000000..dcfc02cbd --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/tests/test-kafka-internal-tls-status.yaml @@ -0,0 +1,62 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.tests.enabled (include "kafka-internal-tls-enabled" . | fromJson).bool (not (include "sasl-enabled" . | fromJson).bool) -}} + {{- $service := .Values.listeners.kafka -}} + {{- $cert := get .Values.tls.certs $service.tls.cert -}} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . }}-test-kafka-internal-tls-status + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + command: + - /usr/bin/timeout + - "120" + - bash + - -c + - | + until rpk cluster info \ + --brokers {{ include "redpanda.fullname" .}}-0.{{ include "redpanda.internal.domain" . }}:{{ $service.port }} \ + --tls-enabled \ + {{- if $cert.caEnabled }} + --tls-truststore /etc/tls/certs/{{ $service.tls.cert }}/ca.crt + {{- else }} + {{- /* This is a required field so we use the default in the redpanda debian container */}} + --tls-truststore /etc/ssl/certs/ca-certificates.crt + {{- end }} + do sleep 2 + done + resources: {{ toYaml .Values.statefulset.resources | nindent 12 }} + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.5/templates/tests/test-kafka-nodelete.yaml b/charts/redpanda/redpanda/5.9.5/templates/tests/test-kafka-nodelete.yaml new file mode 100644 index 000000000..9b5fe4237 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/tests/test-kafka-nodelete.yaml @@ -0,0 +1,100 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.tests.enabled (dig "kafka_nodelete_topics" "[]" $.Values.config.cluster) }} +{{- $noDeleteTopics := .Values.config.cluster.kafka_nodelete_topics }} +{{- $sasl := .Values.auth.sasl }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . }}-test-kafka-nodelete + namespace: {{ .Release.Namespace | quote }} + labels: +{{- with include "full.labels" . }} + {{- . | nindent 4 }} +{{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} +{{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + env: + - name: REDPANDA_BROKERS + value: "{{ include "redpanda.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain | trimSuffix "." }}:{{ .Values.listeners.kafka.port }}" + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + command: + - /usr/bin/timeout + - "120" + - bash + - -c + - | + set -e +{{- $cloudStorageFlags := "" }} +{{- if (include "storage-tiered-config" .|fromJson).cloud_storage_enabled }} + {{- $cloudStorageFlags = "-c retention.bytes=80 -c segment.bytes=40 -c redpanda.remote.read=true -c redpanda.remote.write=true"}} +{{- end }} +{{- if .Values.auth.sasl.enabled }} + old_setting=${-//[^x]/} + set +x + IFS=":" read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) + {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }} + RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- else }} + REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- end }} + export {{ include "rpk-sasl-environment-variables" . }} + if [[ -n "$old_setting" ]]; then set -x; fi +{{- end }} + + exists=$(rpk topic list | grep my_sample_topic | awk '{print $1}') + if [[ "$exists" != "my_sample_topic" ]]; then + until rpk topic create my_sample_topic {{ $cloudStorageFlags }} + do sleep 2 + done + fi + + {{- range $i := until 100 }} + echo "Pandas are awesome!" | rpk topic produce my_sample_topic + {{- end }} + sleep 2 + rpk topic consume my_sample_topic -n 1 | grep "Pandas are awesome!" + + # now check if we can delete the topic (we should not) + rpk topic delete my_sample_topic + + {{- if has "my_sample_topic" $noDeleteTopics }} + result=$(rpk topic list | grep my_sample_topic | awk '{print $1}') + if [[ "$result" != "my_sample_topic" ]]; then + echo "topic should not have been deleted" + exit 1 + fi + {{- end }} + + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + resources: {{ toYaml .Values.statefulset.resources | nindent 12 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.5/templates/tests/test-kafka-produce-consume.yaml b/charts/redpanda/redpanda/5.9.5/templates/tests/test-kafka-produce-consume.yaml new file mode 100644 index 000000000..d8f0ee751 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/tests/test-kafka-produce-consume.yaml @@ -0,0 +1,83 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if .Values.tests.enabled }} +{{- $sasl := .Values.auth.sasl }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . }}-test-kafka-produce-consume + namespace: {{ .Release.Namespace | quote }} + labels: +{{- with include "full.labels" . }} + {{- . | nindent 4 }} +{{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} +{{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + env: + - name: REDPANDA_BROKERS + value: "{{ include "redpanda.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain | trimSuffix "." }}:{{ .Values.listeners.kafka.port }}" + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + command: + - /usr/bin/timeout + - "120" + - bash + - -c + - | + set -e +{{- $cloudStorageFlags := "" }} +{{- if (include "storage-tiered-config" .|fromJson).cloud_storage_enabled }} + {{- $cloudStorageFlags = "-c retention.bytes=80 -c segment.bytes=40 -c redpanda.remote.read=true -c redpanda.remote.write=true"}} +{{- end }} +{{- if .Values.auth.sasl.enabled }} + old_setting=${-//[^x]/} + set +x + IFS=":" read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) + {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }} + RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- else }} + REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- end }} + export {{ include "rpk-sasl-environment-variables" . }} + if [[ -n "$old_setting" ]]; then set -x; fi +{{- end }} + until rpk topic create produce.consume.test.$POD_NAME {{ $cloudStorageFlags }} + do sleep 2 + done + {{- range $i := until 100 }} + echo "Pandas are awesome!" | rpk topic produce produce.consume.test.$POD_NAME + {{- end }} + sleep 2 + rpk topic consume produce.consume.test.$POD_NAME -n 1 | grep "Pandas are awesome!" + rpk topic delete produce.consume.test.$POD_NAME + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + resources: {{ toYaml .Values.statefulset.resources | nindent 12 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.5/templates/tests/test-kafka-sasl-status.yaml b/charts/redpanda/redpanda/5.9.5/templates/tests/test-kafka-sasl-status.yaml new file mode 100644 index 000000000..0519c44bb --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/tests/test-kafka-sasl-status.yaml @@ -0,0 +1,79 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.tests.enabled (include "sasl-enabled" . | fromJson).bool }} +{{- $sasl := .Values.auth.sasl }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "redpanda.fullname" . }}-test-kafka-sasl-status" + namespace: {{ .Release.Namespace | quote }} + labels: +{{- with include "full.labels" . }} + {{- . | nindent 4 }} +{{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + command: + - /usr/bin/timeout + - "120" + - bash + - -c + - | + set -xe + +{{- if .Values.auth.sasl.enabled }} + old_setting=${-//[^x]/} + set +x + IFS=":" read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) + {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }} + RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- else }} + REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- end }} + export {{ include "rpk-sasl-environment-variables" . }} + if [[ -n "$old_setting" ]]; then set -x; fi +{{- end }} + + until rpk acl user delete myuser + do sleep 2 + done + sleep 3 + + {{ include "rpk-cluster-info" $ }} + {{ include "rpk-acl-user-create" $ }} + {{ include "rpk-acl-create" $ }} + sleep 3 + {{ include "rpk-topic-create" $ }} + {{ include "rpk-topic-describe" $ }} + {{ include "rpk-topic-delete" $ }} + rpk acl user delete myuser + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + resources: +{{- toYaml .Values.statefulset.resources | nindent 12 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.5/templates/tests/test-license-with-console.yaml b/charts/redpanda/redpanda/5.9.5/templates/tests/test-license-with-console.yaml new file mode 100644 index 000000000..1edf7a350 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/tests/test-license-with-console.yaml @@ -0,0 +1,61 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.tests.enabled (include "is-licensed" . | fromJson).bool .Values.console.enabled }} +{{- $consolePort := (get (fromJson (include "console.ContainerPort" (dict "a" (list (dict "Values" (dict "AsMap" .Values.console)) )))) "r" ) }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "redpanda.fullname" . }}-test-license-with-console" + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: + runAsUser: 65535 + runAsGroup: 65535 + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: mintel/docker-alpine-bash-curl-jq:latest + command: [ "/bin/bash", "-c" ] + args: + - | + echo "testing that we do NOT have an open source license" + set -xe + + max_iteration=10 + curl -vm3 --fail --retry "120" --retry-max-time "120" http://{{ include "redpanda.fullname" . }}-console.{{ .Release.Namespace }}.svc:{{$consolePort}}/api/cluster/overview | jq . + type=$(curl -svm3 --fail --retry "120" --retry-max-time "120" http://{{ include "redpanda.fullname" . }}-console.{{ .Release.Namespace }}.svc:{{$consolePort}}/api/cluster/overview | jq -r .console.license.type) + while [[ $max_iteration -gt 0 && ("$type" == "open_source" || "$type" == "") ]]; do + max_iteration=$(( max_iteration - 1 )) + type=$(curl -svm3 --fail --retry "120" --retry-max-time "120" http://{{ include "redpanda.fullname" . }}-console.{{ .Release.Namespace }}.svc:{{$consolePort}}/api/cluster/overview | jq -r .console.license.type) + done + if [[ "$type" == "open_source" || "$type" == "" ]]; then + curl -svm3 --fail --retry "120" --retry-max-time "120" http://{{ include "redpanda.fullname" . }}-console.{{ .Release.Namespace }}.svc:{{$consolePort}}/api/cluster/overview | jq . + exit 1 + fi + set +x + echo "license test passed." +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.5/templates/tests/test-lifecycle-scripts.yaml b/charts/redpanda/redpanda/5.9.5/templates/tests/test-lifecycle-scripts.yaml new file mode 100644 index 000000000..5c72e1d9f --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/tests/test-lifecycle-scripts.yaml @@ -0,0 +1,66 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if .Values.tests.enabled }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "redpanda.fullname" . }}-test-lifecycle" + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + helm.sh/hook: test + helm.sh/hook-delete-policy: before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + env: + - name: SERVICE_NAME + value: {{ include "redpanda.fullname" . }}-0 + command: + - /bin/timeout + - "{{ mul .Values.statefulset.terminationGracePeriodSeconds 2 }}" + - bash + - -xec + - | + /bin/timeout -v {{ div .Values.statefulset.terminationGracePeriodSeconds 2 }} bash -x /var/lifecycle/preStop.sh + ls -l /tmp/preStop* + test -f /tmp/preStopHookStarted + test -f /tmp/preStopHookFinished + + /bin/timeout -v {{ div .Values.statefulset.terminationGracePeriodSeconds 2 }} bash -x /var/lifecycle/postStart.sh + ls -l /tmp/postStart* + test -f /tmp/postStartHookStarted + test -f /tmp/postStartHookFinished + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + - name: lifecycle-scripts + mountPath: /var/lifecycle + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} + - name: lifecycle-scripts + secret: + secretName: {{ (include "redpanda.fullname" . | trunc 50 ) }}-sts-lifecycle + defaultMode: 0o775 + {{- end }} \ No newline at end of file diff --git a/charts/redpanda/redpanda/5.9.5/templates/tests/test-loadbalancer-tls.yaml b/charts/redpanda/redpanda/5.9.5/templates/tests/test-loadbalancer-tls.yaml new file mode 100644 index 000000000..4db3523d2 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/tests/test-loadbalancer-tls.yaml @@ -0,0 +1,173 @@ +{{/* + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + */}} +{{- if and .Values.tests.enabled .Values.tls.enabled ( eq .Values.external.type "LoadBalancer" ) -}} + {{- $values := .Values }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . }}-test-loadbalancer-tls + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + serviceAccountName: test-loadbalancer-tls-redpanda + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: mintel/docker-alpine-bash-curl-jq:latest + command: + - bash + - -c + - | + set -x + export APISERVER=https://kubernetes.default.svc + export SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount + export NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace) + export TOKEN=$(cat ${SERVICEACCOUNT}/token) + export CACERT=${SERVICEACCOUNT}/ca.crt + + ip_list="" + + replicas={{ .Values.statefulset.replicas }} + if [ "${replicas}" -lt "1" ]; then + echo "replicas cannot be less than 1" + exit 1 + fi + + range=$(expr $replicas - 1) + ordinal_list=$(seq 0 $range) + + set -e + + for i in $ordinal_list + do + POD_DESC=$(curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" \ + -X GET ${APISERVER}/api/v1/namespaces/{{ .Release.Namespace }}/services/lb-{{ template "redpanda.fullname" . }}-$i) + ip=$(echo $POD_DESC | jq -r .status.loadBalancer.ingress[0].ip ) + ip_list="$ip $ip_list" + done + + echo test will be run against $ip_list + echo testing LoadBalancer connectivity + + {{- range $name, $cert := $values.tls.certs }} + {{- if $cert.secretRef }} + {{- if eq $cert.secretRef.name "external-tls-secret" }} + echo "---> testing external tls" + + {{- if eq $values.listeners.kafka.external.default.tls.cert $name }} + echo "-----> testing external tls: kafka api" + {{- $port := ( first $values.listeners.kafka.external.default.advertisedPorts ) }} + + for ip in $ip_list + do + openssl s_client -verify_return_error -prexit \ + {{- if $cert.caEnabled -}} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt \ + {{- end -}} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key -connect $ip:{{ $port }} + done + {{- end }} + + {{- if (include "redpanda-22-2-x-without-sasl" $ | fromJson).bool }} + {{- if eq $values.listeners.schemaRegistry.external.default.tls.cert $name }} + echo "-----> testing external tls: schema registry" + {{- $port := ( first $values.listeners.schemaRegistry.external.default.advertisedPorts ) }} + for ip in $ip_list + do + openssl s_client -verify_return_error -prexit \ + {{- if $cert.caEnabled -}} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt \ + {{- end -}} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key -connect $ip:{{ $port }} + done + {{- end }} + + {{- if eq $values.listeners.http.external.default.tls.cert $name }} + echo "-----> testing external tls: http api" + {{- $port := ( first $values.listeners.http.external.default.advertisedPorts ) }} + for ip in $ip_list + do + openssl s_client -verify_return_error -prexit \ + {{- if $cert.caEnabled -}} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt \ + {{- end -}} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key -connect $ip:{{ $port }} + done + {{- end }} + {{- end }} + + {{- end }} + {{- end }} + {{- end }} + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: test-loadbalancer-tls-redpanda + annotations: + helm.sh/hook-weight: "-100" + helm.sh/hook: test + helm.sh/hook-delete-policy: before-hook-creation +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: test-loadbalancer-tls-redpanda + annotations: + helm.sh/hook-weight: "-100" + helm.sh/hook: test + helm.sh/hook-delete-policy: before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: test-loadbalancer-tls-redpanda +subjects: + - kind: ServiceAccount + name: test-loadbalancer-tls-redpanda + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: test-loadbalancer-tls-redpanda + annotations: + helm.sh/hook-weight: "-100" + helm.sh/hook: test + helm.sh/hook-delete-policy: before-hook-creation +rules: + - apiGroups: + - "" + resources: + - pods + - services + verbs: + - get + +{{- end -}} diff --git a/charts/redpanda/redpanda/5.9.5/templates/tests/test-nodeport-tls.yaml b/charts/redpanda/redpanda/5.9.5/templates/tests/test-nodeport-tls.yaml new file mode 100644 index 000000000..4310eaf3a --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/tests/test-nodeport-tls.yaml @@ -0,0 +1,173 @@ +{{/* + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + */}} +{{- if and .Values.tests.enabled .Values.tls.enabled ( eq .Values.external.type "NodePort" ) -}} + {{- $values := .Values }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . }}-test-nodeport-tls + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + helm.sh/hook: test + helm.sh/hook-delete-policy: before-hook-creation +spec: + serviceAccountName: test-nodeport-tls-redpanda-no-a-test + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: mintel/docker-alpine-bash-curl-jq:latest + command: + - bash + - -c + - | + set -x + export APISERVER=https://kubernetes.default.svc + export SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount + export NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace) + export TOKEN=$(cat ${SERVICEACCOUNT}/token) + export CACERT=${SERVICEACCOUNT}/ca.crt + + ip_list="" + + replicas={{ .Values.statefulset.replicas }} + if [ "${replicas}" -lt "1" ]; then + echo "replicas cannot be less than 1" + exit 1 + fi + + range=$(expr $replicas - 1) + ordinal_list=$(seq 0 $range) + + set -e + + for i in $ordinal_list + do + POD_DESC=$(curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" \ + -X GET ${APISERVER}/api/v1/namespaces/{{ .Release.Namespace }}/pods/{{ template "redpanda.fullname" . }}-$i) + ip=$(echo $POD_DESC | jq -r .status.hostIP ) + ip_list="$ip $ip_list" + done + + echo test will be run against $ip_list + echo testing NodePort connectivity + {{- range $name, $cert := $values.tls.certs }} + {{- if $cert.secretRef }} + {{- if eq $cert.secretRef.name "external-tls-secret" }} + echo "---> testing external tls" + + {{- if eq $values.listeners.kafka.external.default.tls.cert $name }} + echo "-----> testing external tls: kafka api" + {{- $port := ( first $values.listeners.kafka.external.default.advertisedPorts ) }} + for ip in $ip_list + do + openssl s_client -verify_return_error -prexit \ + {{- if $cert.caEnabled }} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt \ + {{- end }} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key \ + -connect ${ip}:{{ $port }} + done + {{- end }} + + {{- if (include "redpanda-22-2-x-without-sasl" $ | fromJson).bool }} + {{- if eq $values.listeners.schemaRegistry.external.default.tls.cert $name }} + echo "-----> testing external tls: schema registry" + {{- $port := ( first $values.listeners.schemaRegistry.external.default.advertisedPorts ) }} + for ip in $ip_list + do + openssl s_client -verify_return_error -prexit \ + {{- if $cert.caEnabled }} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt \ + {{- end }} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key \ + -connect ${ip}:{{ $port }} + done + {{- end }} + + {{- if eq $values.listeners.http.external.default.tls.cert $name }} + echo "-----> testing external tls: http api" + {{- $port := ( first $values.listeners.http.external.default.advertisedPorts ) }} + for ip in $ip_list + do + openssl s_client -verify_return_error -prexit \ + {{- if $cert.caEnabled }} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt \ + {{- end }} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key \ + -connect ${ip}:{{ $port }} + done + {{- end }} + {{- end }} + + {{- end }} + {{- end }} + {{- end }} + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: test-nodeport-tls-redpanda-no-a-test + annotations: + helm.sh/hook: test + helm.sh/hook-delete-policy: before-hook-creation + helm.sh/hook-weight: "-100" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: test-nodeport-tls-redpanda-no-a-test + annotations: + helm.sh/hook: test + helm.sh/hook-delete-policy: before-hook-creation + helm.sh/hook-weight: "-100" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: test-nodeport-tls-redpanda-no-a-test +subjects: + - kind: ServiceAccount + name: test-nodeport-tls-redpanda-no-a-test + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: test-nodeport-tls-redpanda-no-a-test + annotations: + helm.sh/hook: test + helm.sh/hook-delete-policy: before-hook-creation + helm.sh/hook-weight: "-100" +rules: + - apiGroups: + - "" + resources: + - pods + - services + verbs: + - get +{{- end -}} diff --git a/charts/redpanda/redpanda/5.9.5/templates/tests/test-pandaproxy-internal-tls-status.yaml b/charts/redpanda/redpanda/5.9.5/templates/tests/test-pandaproxy-internal-tls-status.yaml new file mode 100644 index 000000000..4cb6aaa0f --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/tests/test-pandaproxy-internal-tls-status.yaml @@ -0,0 +1,81 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.tests.enabled (include "http-internal-tls-enabled" . | fromJson).bool .Values.listeners.http.enabled (include "redpanda-22-2-x-without-sasl" . | fromJson).bool -}} + {{- $service := .Values.listeners.http -}} + {{- $cert := get .Values.tls.certs $service.tls.cert -}} + {{- $sasl := .Values.auth.sasl }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . }}-test-pandaproxy-internal-tls-status + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + command: [ "/bin/bash", "-c" ] + args: + - | + {{- if .Values.auth.sasl.enabled }} + old_setting=${-//[^x]/} + set +x + IFS=":" read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) + {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }} + RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- else }} + REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- end }} + export {{ include "rpk-sasl-environment-variables" . }} + RPK_USER="${RPK_USER:-${REDPANDA_SASL_USERNAME}}" + RPK_PASS="${RPK_PASS:-${REDPANDA_SASL_PASSWORD}}" + if [[ -n "$old_setting" ]]; then set -x; fi + {{- end }} + + curl -svm3 --fail --retry "120" --retry-max-time "120" --retry-all-errors --ssl-reqd \ + {{- if or (include "sasl-enabled" .|fromJson).bool .Values.listeners.http.authenticationMethod }} + -u ${RPK_USER}:${RPK_PASS} \ + {{- end }} + {{- if $cert.caEnabled }} + --cacert /etc/tls/certs/{{ $service.tls.cert }}/ca.crt \ + {{- end }} + https://{{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.http.port }}/brokers + + curl -svm3 --fail --retry "120" --retry-max-time "120" --retry-all-errors --ssl-reqd \ + {{- if or (include "sasl-enabled" .|fromJson).bool .Values.listeners.http.authenticationMethod }} + -u ${RPK_USER}:${RPK_PASS} \ + {{- end }} + {{- if $cert.caEnabled }} + --cacert /etc/tls/certs/{{ $service.tls.cert }}/ca.crt \ + {{- end }} + https://{{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.http.port }}/topics + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + resources: {{ toYaml .Values.statefulset.resources | nindent 12 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end -}} diff --git a/charts/redpanda/redpanda/5.9.5/templates/tests/test-pandaproxy-status.yaml b/charts/redpanda/redpanda/5.9.5/templates/tests/test-pandaproxy-status.yaml new file mode 100644 index 000000000..4f5ee6bb7 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/tests/test-pandaproxy-status.yaml @@ -0,0 +1,72 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.tests.enabled (not (include "http-internal-tls-enabled" . | fromJson).bool) .Values.listeners.http.enabled (include "redpanda-22-2-x-without-sasl" . | fromJson).bool -}} + {{- $sasl := .Values.auth.sasl }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "redpanda.fullname" . }}-test-pandaproxy-status" + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + command: [ "/bin/bash", "-c" ] + args: + - | + {{- if .Values.auth.sasl.enabled }} + old_setting=${-//[^x]/} + set +x + IFS=: read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) + {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }} + RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- else }} + REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- end }} + export {{ include "rpk-sasl-environment-variables" . }} + RPK_USER="${RPK_USER:-${REDPANDA_SASL_USERNAME}}" + RPK_PASS="${RPK_PASS:-${REDPANDA_SASL_PASSWORD}}" + if [[ -n "$old_setting" ]]; then set -x; fi + {{- end }} + + curl {{ template "curl-options" . }} \ + {{- if or (include "sasl-enabled" .|fromJson).bool .Values.listeners.http.authenticationMethod }} + -u ${RPK_USER}:${RPK_PASS} \ + {{- end }} + http://{{ include "redpanda.servicename" . }}:{{ .Values.listeners.http.port }}/brokers + + curl {{ template "curl-options" . }} \ + {{- if or (include "sasl-enabled" .|fromJson).bool .Values.listeners.http.authenticationMethod }} + -u ${RPK_USER}:${RPK_PASS} \ + {{- end }} + http://{{ include "redpanda.servicename" . }}:{{ .Values.listeners.http.port }}/topics + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.5/templates/tests/test-prometheus-targets.yaml b/charts/redpanda/redpanda/5.9.5/templates/tests/test-prometheus-targets.yaml new file mode 100644 index 000000000..81f83a34e --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/tests/test-prometheus-targets.yaml @@ -0,0 +1,84 @@ +{{/* + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + */}} + +{{- if and .Values.tests.enabled .Values.monitoring.enabled }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "redpanda.fullname" . }}-test-prometheus-targets" + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: registry.gitlab.com/gitlab-ci-utils/curl-jq:latest + command: [ "/bin/bash", "-c" ] + args: + - | + set -xe + + HEALTHY=$( curl {{ template "curl-options" . }} http://prometheus-operated.prometheus.svc.cluster.local:9090/-/healthy) + if [ $HEALTHY != 200 ]; then + echo "prometheus is not healthy, exiting" + exit 1 + fi + + echo "prometheus is healthy, checking if ready..." + + READY=$( curl {{ template "curl-options" . }} http://prometheus-operated.prometheus.svc.cluster.local:9090/-/ready) + if [ $READY != 200 ]; then + echo "prometheus is not ready, exiting" + exit 1 + fi + + echo "prometheus is ready, requesting target information..." + + + curl_prometheus() { + + # Run the command, and save the exit code + # from: https://prometheus.io/docs/prometheus/latest/querying/api/ + local RESULT=$( curl {{ template "curl-options" . }} http://prometheus-operated.prometheus.svc.cluster.local:9090/api/v1/targets?scrapePool=serviceMonitor/{{ .Release.Namespace }}/{{ include "redpanda.fullname" . }}/0 | jq '.data.activeTargets[].health | select(. == "up")' | wc -l ) + + echo $RESULT + } + for d in $(seq 1 30); do + RESULT=$(curl_prometheus) + if [ $RESULT == {{ .Values.statefulset.replicas }} ]; then + break + fi + sleep 15 + done + + set +x + if [ $RESULT != {{ .Values.statefulset.replicas }} ]; then + curl --fail http://prometheus-operated.prometheus.svc.cluster.local:9090/api/v1/targets?scrapePool=serviceMonitor/{{ .Release.Namespace }}/{{ include "redpanda.fullname" . }}/0 | jq . + echo "the number of targets unexpected; got ${RESULT} targets 'up', but was expecting {{ .Values.statefulset.replicas }}" + exit 1 + fi +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.5/templates/tests/test-rack-awareness.yaml b/charts/redpanda/redpanda/5.9.5/templates/tests/test-rack-awareness.yaml new file mode 100644 index 000000000..82a31937f --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/tests/test-rack-awareness.yaml @@ -0,0 +1,61 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if .Values.tests.enabled }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . }}-test-rack-awareness + namespace: {{ .Release.Namespace | quote }} +{{- with include "full.labels" . }} + labels: {{- . | nindent 4 }} +{{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} +{{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} +{{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + command: + - /bin/bash + - -c + - | + set -e +{{- if and .Values.rackAwareness.enabled (include "redpanda-atleast-22-3-0" . | fromJson).bool }} + curl {{ template "curl-options" . }} \ + {{- if (include "tls-enabled" . | fromJson).bool }} + {{- if (dig "default" "caEnabled" false .Values.tls.certs) }} + --cacert "/etc/tls/certs/default/ca.crt" \ + {{- end }} + https://{{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.admin.port }}/v1/node_config | grep '"rack":"rack[1-4]"' + {{- else }} + http://{{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.admin.port }}/v1/node_config | grep '"rack":"rack[1-4]"' + {{- end }} +{{- end }} + + rpk redpanda admin config print --host {{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.admin.port }} | grep '"enable_rack_awareness": {{ .Values.rackAwareness.enabled }}' + + rpk cluster config get enable_rack_awareness + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} \ No newline at end of file diff --git a/charts/redpanda/redpanda/5.9.5/templates/tests/test-rpk-debug-bundle.yaml b/charts/redpanda/redpanda/5.9.5/templates/tests/test-rpk-debug-bundle.yaml new file mode 100644 index 000000000..3230f0881 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/tests/test-rpk-debug-bundle.yaml @@ -0,0 +1,104 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* + +This test currently fails because of a bug where when multiple containers exist +The api returns an error. We should be requesting logs from each container. + + +{{- if and .Values.tests.enabled .Values.rbac.enabled (include "redpanda-atleast-23-1-1" .|fromJson).bool -}} + {{- $sasl := .Values.auth.sasl }} + {{- $useSaslSecret := and $sasl.enabled (not (empty $sasl.secretRef )) }} + + +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . }}-test-rpk-debug-bundle + namespace: {{ .Release.Namespace | quote }} + labels: +{{- with include "full.labels" . }} + {{- . | nindent 4 }} +{{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + statefulset.kubernetes.io/pod-name: {{ include "redpanda.fullname" . }}-0 + topologyKey: kubernetes.io/hostname + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + initContainers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository}}:{{ template "redpanda.tag" . }} + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + - name: shared-data + mountPath: /usr/share/redpanda/test + - name: datadir + mountPath: /var/lib/redpanda/data + command: + - /bin/bash + - -c + - | + set -e + {{- if .Values.auth.sasl.enabled }} + old_setting=${-//[^x]/} + set +x + IFS=: read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) + {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }} + RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- else }} + REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- end }} + export {{ include "rpk-sasl-environment-variables" . }} + if [[ -n "$old_setting" ]]; then set -x; fi + {{- end }} + rpk debug bundle -o /usr/share/redpanda/test/debug-test.zip -n {{ .Release.Namespace }} + containers: + - name: {{ template "redpanda.name" . }}-tester + image: busybox:latest + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + - name: shared-data + mountPath: /test + command: + - /bin/ash + - -c + - | + set -e + unzip /test/debug-test.zip -d /tmp/bundle + + test -f /tmp/bundle/logs/{{ .Release.Namespace }}-0.txt + test -f /tmp/bundle/logs/{{ .Release.Namespace }}-1.txt + test -f /tmp/bundle/logs/{{ .Release.Namespace }}-2.txt + + test -d /tmp/bundle/controller + + test -f /tmp/bundle/k8s/pods.json + test -f /tmp/bundle/k8s/configmaps.json + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end -}} +*/}} \ No newline at end of file diff --git a/charts/redpanda/redpanda/5.9.5/templates/tests/test-sasl-updated.yaml b/charts/redpanda/redpanda/5.9.5/templates/tests/test-sasl-updated.yaml new file mode 100644 index 000000000..5f61be552 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/templates/tests/test-sasl-updated.yaml @@ -0,0 +1,71 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.tests.enabled (include "sasl-enabled" . | fromJson).bool (eq .Values.auth.sasl.secretRef "some-users") -}} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "redpanda.fullname" . }}-test-update-sasl-users" + namespace: {{ .Release.Namespace | quote }} + labels: +{{- with include "full.labels" . }} + {{- . | nindent 4 }} +{{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + command: + - /usr/bin/timeout + - "120" + - bash + - -c + - | + set -e + IFS=: read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) + {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }} + RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- else }} + REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- end }} + export {{ include "rpk-sasl-environment-variables" . }} + + set -x + + # check that the users list did update + ready_result_exit_code=1 + while [[ ${ready_result_exit_code} -ne 0 ]]; do + ready_result=$(rpk acl user list | grep anotheranotherme 2>&1) && ready_result_exit_code=$? + sleep 2 + done + + # check that sasl is not broken + {{ include "rpk-cluster-info" $ }} + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + resources: +{{- toYaml .Values.statefulset.resources | nindent 12 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.5/values.schema.json b/charts/redpanda/redpanda/5.9.5/values.schema.json new file mode 100644 index 000000000..28a6708ae --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/values.schema.json @@ -0,0 +1,5854 @@ +{ + "$id": "https://github.com/redpanda-data/helm-charts/charts/redpanda/values", + "$schema": "https://json-schema.org/draft/2020-12/schema", + "description": "DO NOT EDIT!. This file was generated by ./cmd/genschema/genschema.go", + "properties": { + "affinity": { + "properties": { + "nodeAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "preference": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchFields": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "properties": { + "nodeSelectorTerms": { + "oneOf": [ + { + "items": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchFields": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "podAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "podAffinityTerm": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "podAntiAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "podAffinityTerm": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "auditLogging": { + "properties": { + "clientMaxBufferSize": { + "type": "integer" + }, + "enabled": { + "type": "boolean" + }, + "enabledEventTypes": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "excludedPrincipals": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "excludedTopics": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "listener": { + "type": "string" + }, + "partitions": { + "type": "integer" + }, + "queueDrainIntervalMs": { + "type": "integer" + }, + "queueMaxBufferSizePerShard": { + "type": "integer" + }, + "replicationFactor": { + "oneOf": [ + { + "type": "integer" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "auth": { + "properties": { + "sasl": { + "properties": { + "bootstrapUser": { + "properties": { + "mechanism": { + "pattern": "^(SCRAM-SHA-512|SCRAM-SHA-256)$", + "type": "string" + }, + "password": { + "type": "string" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "mechanism": { + "type": "string" + }, + "secretRef": { + "type": "string" + }, + "users": { + "oneOf": [ + { + "items": { + "properties": { + "mechanism": { + "pattern": "^(SCRAM-SHA-512|SCRAM-SHA-256)$", + "type": "string" + }, + "name": { + "type": "string" + }, + "password": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "required": [ + "enabled" + ], + "type": "object" + } + }, + "required": [ + "sasl" + ], + "type": "object" + }, + "clusterDomain": { + "type": "string" + }, + "commonLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "config": { + "properties": { + "cluster": { + "type": "object" + }, + "node": { + "type": "object" + }, + "pandaproxy_client": { + "properties": { + "consumer_heartbeat_interval_ms": { + "type": "integer" + }, + "consumer_rebalance_timeout_ms": { + "type": "integer" + }, + "consumer_request_max_bytes": { + "type": "integer" + }, + "consumer_request_timeout_ms": { + "type": "integer" + }, + "consumer_session_timeout_ms": { + "type": "integer" + }, + "produce_batch_delay_ms": { + "type": "integer" + }, + "produce_batch_record_count": { + "type": "integer" + }, + "produce_batch_size_bytes": { + "type": "integer" + }, + "retries": { + "type": "integer" + }, + "retry_base_backoff_ms": { + "type": "integer" + } + }, + "type": "object" + }, + "rpk": { + "type": "object" + }, + "schema_registry_client": { + "properties": { + "consumer_heartbeat_interval_ms": { + "type": "integer" + }, + "consumer_rebalance_timeout_ms": { + "type": "integer" + }, + "consumer_request_max_bytes": { + "type": "integer" + }, + "consumer_request_timeout_ms": { + "type": "integer" + }, + "consumer_session_timeout_ms": { + "type": "integer" + }, + "produce_batch_delay_ms": { + "type": "integer" + }, + "produce_batch_record_count": { + "type": "integer" + }, + "produce_batch_size_bytes": { + "type": "integer" + }, + "retries": { + "type": "integer" + }, + "retry_base_backoff_ms": { + "type": "integer" + } + }, + "type": "object" + }, + "tunable": { + "additionalProperties": true, + "properties": { + "group_initial_rebalance_delay": { + "type": "integer" + }, + "log_retention_ms": { + "type": "integer" + } + }, + "type": "object" + } + }, + "required": [ + "cluster", + "node", + "tunable" + ], + "type": "object" + }, + "connectors": { + "properties": { + "connectors": { + "properties": { + "fullnameOverwrite": { + "type": "string" + }, + "restPort": { + "type": "integer" + } + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + } + }, + "type": "object" + }, + "console": { + "properties": { + "console": { + "properties": { + "config": { + "type": "object" + } + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + } + }, + "type": "object" + }, + "enterprise": { + "properties": { + "license": { + "type": "string" + }, + "licenseSecretRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "external": { + "properties": { + "addresses": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "domain": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "externalDns": { + "properties": { + "enabled": { + "type": "boolean" + } + }, + "required": [ + "enabled" + ], + "type": "object" + }, + "prefixTemplate": { + "type": "string" + }, + "service": { + "properties": { + "enabled": { + "type": "boolean" + } + }, + "required": [ + "enabled" + ], + "type": "object" + }, + "sourceRanges": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "type": { + "pattern": "^(LoadBalancer|NodePort)$", + "type": "string" + } + }, + "required": [ + "enabled" + ], + "type": "object" + }, + "force": { + "type": "boolean" + }, + "fullnameOverride": { + "type": "string" + }, + "image": { + "description": "Values used to define the container image to be used for Redpanda", + "properties": { + "pullPolicy": { + "description": "The Kubernetes Pod image pull policy.", + "pattern": "^(Always|Never|IfNotPresent)$", + "type": "string" + }, + "repository": { + "default": "docker.redpanda.com/redpandadata/redpanda", + "description": "container image repository", + "type": "string" + }, + "tag": { + "default": "Chart.appVersion", + "description": "The container image tag. Use the Redpanda release version. Must be a valid semver prefixed with a 'v'.", + "pattern": "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$|^$", + "type": "string" + } + }, + "required": [ + "repository", + "pullPolicy" + ], + "type": "object" + }, + "imagePullSecrets": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "license_key": { + "deprecated": true, + "pattern": "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?\\.(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$|^$", + "type": "string" + }, + "license_secret_ref": { + "deprecated": true, + "properties": { + "secret_key": { + "type": "string" + }, + "secret_name": { + "type": "string" + } + }, + "type": "object" + }, + "listeners": { + "properties": { + "admin": { + "properties": { + "appProtocol": { + "type": "string" + }, + "external": { + "minProperties": 1, + "patternProperties": { + "^[A-Za-z_][A-Za-z0-9_]*$": { + "properties": { + "advertisedPorts": { + "items": { + "type": "integer" + }, + "minItems": 1, + "type": "array" + }, + "enabled": { + "type": "boolean" + }, + "nodePort": { + "type": "integer" + }, + "port": { + "type": "integer" + }, + "tls": { + "properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + }, + "trustStore": { + "maxProperties": 1, + "minProperties": 1, + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "port" + ], + "type": "object" + } + }, + "type": "object" + }, + "port": { + "type": "integer" + }, + "tls": { + "properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + }, + "trustStore": { + "maxProperties": 1, + "minProperties": 1, + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "cert", + "requireClientAuth" + ], + "type": "object" + } + }, + "required": [ + "port", + "tls" + ], + "type": "object" + }, + "http": { + "properties": { + "authenticationMethod": { + "oneOf": [ + { + "enum": [ + "none", + "http_basic" + ], + "type": "string" + }, + { + "type": "null" + } + ] + }, + "enabled": { + "type": "boolean" + }, + "external": { + "minProperties": 1, + "patternProperties": { + "^[A-Za-z_][A-Za-z0-9_]*$": { + "properties": { + "advertisedPorts": { + "items": { + "type": "integer" + }, + "minItems": 1, + "type": "array" + }, + "authenticationMethod": { + "oneOf": [ + { + "enum": [ + "none", + "http_basic" + ], + "type": "string" + }, + { + "type": "null" + } + ] + }, + "enabled": { + "type": "boolean" + }, + "nodePort": { + "type": "integer" + }, + "port": { + "type": "integer" + }, + "prefixTemplate": { + "type": "string" + }, + "tls": { + "properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + }, + "trustStore": { + "maxProperties": 1, + "minProperties": 1, + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "port" + ], + "type": "object" + } + }, + "type": "object" + }, + "kafkaEndpoint": { + "pattern": "^[A-Za-z_-][A-Za-z0-9_-]*$", + "type": "string" + }, + "port": { + "type": "integer" + }, + "tls": { + "properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + }, + "trustStore": { + "maxProperties": 1, + "minProperties": 1, + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "cert", + "requireClientAuth" + ], + "type": "object" + } + }, + "required": [ + "enabled", + "tls", + "kafkaEndpoint", + "port" + ], + "type": "object" + }, + "kafka": { + "properties": { + "authenticationMethod": { + "oneOf": [ + { + "enum": [ + "sasl", + "none", + "mtls_identity" + ], + "type": "string" + }, + { + "type": "null" + } + ] + }, + "external": { + "minProperties": 1, + "patternProperties": { + "^[A-Za-z_][A-Za-z0-9_]*$": { + "properties": { + "advertisedPorts": { + "items": { + "type": "integer" + }, + "minItems": 1, + "type": "array" + }, + "authenticationMethod": { + "oneOf": [ + { + "enum": [ + "sasl", + "none", + "mtls_identity" + ], + "type": "string" + }, + { + "type": "null" + } + ] + }, + "enabled": { + "type": "boolean" + }, + "nodePort": { + "type": "integer" + }, + "port": { + "type": "integer" + }, + "prefixTemplate": { + "type": "string" + }, + "tls": { + "properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + }, + "trustStore": { + "maxProperties": 1, + "minProperties": 1, + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "port" + ], + "type": "object" + } + }, + "type": "object" + }, + "port": { + "type": "integer" + }, + "tls": { + "properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + }, + "trustStore": { + "maxProperties": 1, + "minProperties": 1, + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "cert", + "requireClientAuth" + ], + "type": "object" + } + }, + "required": [ + "tls", + "port" + ], + "type": "object" + }, + "rpc": { + "properties": { + "port": { + "type": "integer" + }, + "tls": { + "properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + }, + "trustStore": { + "maxProperties": 1, + "minProperties": 1, + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "cert", + "requireClientAuth" + ], + "type": "object" + } + }, + "required": [ + "port", + "tls" + ], + "type": "object" + }, + "schemaRegistry": { + "properties": { + "authenticationMethod": { + "oneOf": [ + { + "enum": [ + "none", + "http_basic" + ], + "type": "string" + }, + { + "type": "null" + } + ] + }, + "enabled": { + "type": "boolean" + }, + "external": { + "minProperties": 1, + "patternProperties": { + "^[A-Za-z_][A-Za-z0-9_]*$": { + "properties": { + "advertisedPorts": { + "items": { + "type": "integer" + }, + "minItems": 1, + "type": "array" + }, + "authenticationMethod": { + "oneOf": [ + { + "enum": [ + "none", + "http_basic" + ], + "type": "string" + }, + { + "type": "null" + } + ] + }, + "enabled": { + "type": "boolean" + }, + "nodePort": { + "type": "integer" + }, + "port": { + "type": "integer" + }, + "tls": { + "properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + }, + "trustStore": { + "maxProperties": 1, + "minProperties": 1, + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "kafkaEndpoint": { + "pattern": "^[A-Za-z_-][A-Za-z0-9_-]*$", + "type": "string" + }, + "port": { + "type": "integer" + }, + "tls": { + "properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + }, + "trustStore": { + "maxProperties": 1, + "minProperties": 1, + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "cert", + "requireClientAuth" + ], + "type": "object" + } + }, + "required": [ + "enabled", + "kafkaEndpoint", + "port", + "tls" + ], + "type": "object" + } + }, + "required": [ + "admin", + "http", + "kafka", + "schemaRegistry", + "rpc" + ], + "type": "object" + }, + "logging": { + "properties": { + "logLevel": { + "pattern": "^(error|warn|info|debug|trace)$", + "type": "string" + }, + "usageStats": { + "properties": { + "clusterId": { + "type": "string" + }, + "enabled": { + "type": "boolean" + } + }, + "required": [ + "enabled" + ], + "type": "object" + } + }, + "required": [ + "logLevel", + "usageStats" + ], + "type": "object" + }, + "monitoring": { + "properties": { + "enableHttp2": { + "type": "boolean" + }, + "enabled": { + "type": "boolean" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "scrapeInterval": { + "type": "string" + }, + "tlsConfig": { + "properties": { + "ca": { + "properties": { + "configMap": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secret": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "caFile": { + "type": "string" + }, + "cert": { + "properties": { + "configMap": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secret": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "certFile": { + "type": "string" + }, + "insecureSkipVerify": { + "type": "boolean" + }, + "keyFile": { + "type": "string" + }, + "keySecret": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "serverName": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "enabled", + "scrapeInterval" + ], + "type": "object" + }, + "nameOverride": { + "type": "string" + }, + "nodeSelector": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "post_install_job": { + "properties": { + "affinity": { + "properties": { + "nodeAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "preference": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchFields": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "properties": { + "nodeSelectorTerms": { + "oneOf": [ + { + "items": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchFields": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "podAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "podAffinityTerm": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "podAntiAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "podAffinityTerm": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "podTemplate": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "spec": { + "properties": { + "containers": { + "oneOf": [ + { + "items": { + "properties": { + "env": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + }, + "valueFrom": { + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "fieldRef": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldPath": { + "type": "string" + } + }, + "type": "object" + }, + "resourceFieldRef": { + "properties": { + "containerName": { + "type": "string" + }, + "divisor": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "resource": { + "type": "string" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "name": { + "enum": [ + "redpanda", + "post-install", + "post-upgrade" + ], + "type": "string" + }, + "securityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "capabilities": { + "properties": { + "add": { + "items": { + "type": "string" + }, + "type": "array" + }, + "drop": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "privileged": { + "type": "boolean" + }, + "procMount": { + "type": "string" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "name", + "env" + ], + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "securityContext": { + "properties": { + "fsGroup": { + "type": "integer" + }, + "fsGroupChangePolicy": { + "enum": [ + "OnRootMismatch", + "Always" + ], + "type": "string" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "supplementalGroups": { + "oneOf": [ + { + "items": { + "type": "integer" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "sysctls": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "containers" + ], + "type": "object" + } + }, + "required": [ + "labels", + "annotations", + "spec" + ], + "type": "object" + }, + "resources": { + "properties": { + "claims": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "limits": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + }, + "requests": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + } + }, + "type": "object" + }, + "securityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "capabilities": { + "properties": { + "add": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "drop": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "privileged": { + "type": "boolean" + }, + "procMount": { + "type": "string" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "post_upgrade_job": { + "properties": { + "affinity": { + "properties": { + "nodeAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "preference": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchFields": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "properties": { + "nodeSelectorTerms": { + "oneOf": [ + { + "items": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchFields": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "podAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "podAffinityTerm": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "podAntiAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "podAffinityTerm": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "oneOf": [ + { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + } + }, + "type": "object" + }, + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "backoffLimit": { + "type": "integer" + }, + "enabled": { + "type": "boolean" + }, + "extraEnv": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + }, + "valueFrom": { + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "fieldRef": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldPath": { + "type": "string" + } + }, + "type": "object" + }, + "resourceFieldRef": { + "properties": { + "containerName": { + "type": "string" + }, + "divisor": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "resource": { + "type": "string" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "extraEnvFrom": { + "oneOf": [ + { + "items": { + "properties": { + "configMapRef": { + "properties": { + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "prefix": { + "type": "string" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "podTemplate": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "spec": { + "properties": { + "containers": { + "oneOf": [ + { + "items": { + "properties": { + "env": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + }, + "valueFrom": { + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "fieldRef": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldPath": { + "type": "string" + } + }, + "type": "object" + }, + "resourceFieldRef": { + "properties": { + "containerName": { + "type": "string" + }, + "divisor": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "resource": { + "type": "string" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "name": { + "enum": [ + "redpanda", + "post-install", + "post-upgrade" + ], + "type": "string" + }, + "securityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "capabilities": { + "properties": { + "add": { + "items": { + "type": "string" + }, + "type": "array" + }, + "drop": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "privileged": { + "type": "boolean" + }, + "procMount": { + "type": "string" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "name", + "env" + ], + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "securityContext": { + "properties": { + "fsGroup": { + "type": "integer" + }, + "fsGroupChangePolicy": { + "enum": [ + "OnRootMismatch", + "Always" + ], + "type": "string" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "supplementalGroups": { + "oneOf": [ + { + "items": { + "type": "integer" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "sysctls": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "containers" + ], + "type": "object" + } + }, + "required": [ + "labels", + "annotations", + "spec" + ], + "type": "object" + }, + "resources": { + "properties": { + "claims": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "limits": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + }, + "requests": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + } + }, + "type": "object" + }, + "securityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "capabilities": { + "properties": { + "add": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "drop": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "privileged": { + "type": "boolean" + }, + "procMount": { + "type": "string" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "rackAwareness": { + "properties": { + "enabled": { + "type": "boolean" + }, + "nodeAnnotation": { + "type": "string" + } + }, + "required": [ + "enabled", + "nodeAnnotation" + ], + "type": "object" + }, + "rbac": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + } + }, + "required": [ + "enabled", + "annotations" + ], + "type": "object" + }, + "resources": { + "properties": { + "cpu": { + "properties": { + "cores": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "overprovisioned": { + "type": "boolean" + } + }, + "required": [ + "cores" + ], + "type": "object" + }, + "memory": { + "properties": { + "container": { + "properties": { + "max": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "min": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + } + }, + "required": [ + "max" + ], + "type": "object" + }, + "enable_memory_locking": { + "type": "boolean" + }, + "redpanda": { + "properties": { + "memory": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "reserveMemory": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + } + }, + "type": "object" + } + }, + "required": [ + "container" + ], + "type": "object" + } + }, + "required": [ + "cpu", + "memory" + ], + "type": "object" + }, + "service": { + "properties": { + "internal": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "serviceAccount": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "create": { + "type": "boolean" + }, + "name": { + "type": "string" + } + }, + "required": [ + "create", + "name", + "annotations" + ], + "type": "object" + }, + "statefulset": { + "properties": { + "additionalRedpandaCmdFlags": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "additionalSelectorLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "budget": { + "properties": { + "maxUnavailable": { + "type": "integer" + } + }, + "required": [ + "maxUnavailable" + ], + "type": "object" + }, + "extraVolumeMounts": { + "type": "string" + }, + "extraVolumes": { + "type": "string" + }, + "initContainerImage": { + "properties": { + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + }, + "type": "object" + }, + "initContainers": { + "properties": { + "configurator": { + "properties": { + "extraVolumeMounts": { + "type": "string" + }, + "resources": { + "type": "object" + } + }, + "type": "object" + }, + "extraInitContainers": { + "type": "string" + }, + "fsValidator": { + "properties": { + "enabled": { + "type": "boolean" + }, + "expectedFS": { + "type": "string" + }, + "extraVolumeMounts": { + "type": "string" + }, + "resources": { + "type": "object" + } + }, + "type": "object" + }, + "setDataDirOwnership": { + "properties": { + "enabled": { + "type": "boolean" + }, + "extraVolumeMounts": { + "type": "string" + }, + "resources": { + "type": "object" + } + }, + "type": "object" + }, + "setTieredStorageCacheDirOwnership": { + "properties": { + "extraVolumeMounts": { + "type": "string" + }, + "resources": { + "type": "object" + } + }, + "type": "object" + }, + "tuning": { + "properties": { + "extraVolumeMounts": { + "type": "string" + }, + "resources": { + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "livenessProbe": { + "properties": { + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + } + }, + "required": [ + "initialDelaySeconds", + "failureThreshold", + "periodSeconds" + ], + "type": "object" + }, + "nodeAffinity": { + "type": "object" + }, + "nodeSelector": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "podAffinity": { + "type": "object" + }, + "podAntiAffinity": { + "properties": { + "custom": { + "type": "object" + }, + "topologyKey": { + "type": "string" + }, + "type": { + "pattern": "^(hard|soft|custom)$", + "type": "string" + }, + "weight": { + "type": "integer" + } + }, + "required": [ + "topologyKey", + "type", + "weight" + ], + "type": "object" + }, + "podSecurityContext": { + "deprecated": true, + "properties": { + "allowPriviledgeEscalation": { + "type": "boolean" + }, + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "fsGroup": { + "type": "integer" + }, + "fsGroupChangePolicy": { + "enum": [ + "OnRootMismatch", + "Always" + ], + "type": "string" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + } + }, + "type": "object" + }, + "podTemplate": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "spec": { + "properties": { + "containers": { + "oneOf": [ + { + "items": { + "properties": { + "env": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + }, + "valueFrom": { + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "fieldRef": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldPath": { + "type": "string" + } + }, + "type": "object" + }, + "resourceFieldRef": { + "properties": { + "containerName": { + "type": "string" + }, + "divisor": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "resource": { + "type": "string" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "name": { + "enum": [ + "redpanda", + "post-install", + "post-upgrade" + ], + "type": "string" + }, + "securityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "capabilities": { + "properties": { + "add": { + "items": { + "type": "string" + }, + "type": "array" + }, + "drop": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "privileged": { + "type": "boolean" + }, + "procMount": { + "type": "string" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "name", + "env" + ], + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "securityContext": { + "properties": { + "fsGroup": { + "type": "integer" + }, + "fsGroupChangePolicy": { + "enum": [ + "OnRootMismatch", + "Always" + ], + "type": "string" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "supplementalGroups": { + "oneOf": [ + { + "items": { + "type": "integer" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "sysctls": { + "oneOf": [ + { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "containers" + ], + "type": "object" + } + }, + "required": [ + "labels", + "annotations", + "spec" + ], + "type": "object" + }, + "priorityClassName": { + "type": "string" + }, + "readinessProbe": { + "properties": { + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "required": [ + "initialDelaySeconds", + "failureThreshold", + "periodSeconds" + ], + "type": "object" + }, + "replicas": { + "type": "integer" + }, + "securityContext": { + "deprecated": true, + "properties": { + "allowPriviledgeEscalation": { + "type": "boolean" + }, + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "fsGroup": { + "type": "integer" + }, + "fsGroupChangePolicy": { + "enum": [ + "OnRootMismatch", + "Always" + ], + "type": "string" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + } + }, + "type": "object" + }, + "sideCars": { + "properties": { + "configWatcher": { + "properties": { + "enabled": { + "type": "boolean" + }, + "extraVolumeMounts": { + "type": "string" + }, + "resources": { + "type": "object" + }, + "securityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "capabilities": { + "properties": { + "add": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "drop": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "privileged": { + "type": "boolean" + }, + "procMount": { + "type": "string" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "controllers": { + "properties": { + "createRBAC": { + "type": "boolean" + }, + "enabled": { + "type": "boolean" + }, + "healthProbeAddress": { + "type": "string" + }, + "image": { + "properties": { + "repository": { + "default": "docker.redpanda.com/redpandadata/redpanda-operator", + "type": "string" + }, + "tag": { + "default": "Chart.appVersion", + "pattern": "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$|^$", + "type": "string" + } + }, + "required": [ + "tag", + "repository" + ], + "type": "object" + }, + "metricsAddress": { + "type": "string" + }, + "resources": true, + "run": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "securityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "capabilities": { + "properties": { + "add": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "drop": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "privileged": { + "type": "boolean" + }, + "procMount": { + "type": "string" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "startupProbe": { + "properties": { + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + } + }, + "required": [ + "initialDelaySeconds", + "failureThreshold", + "periodSeconds" + ], + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "tolerations": { + "oneOf": [ + { + "items": { + "properties": { + "effect": { + "type": "string" + }, + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "tolerationSeconds": { + "type": "integer" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "topologySpreadConstraints": { + "oneOf": [ + { + "items": { + "properties": { + "maxSkew": { + "type": "integer" + }, + "topologyKey": { + "type": "string" + }, + "whenUnsatisfiable": { + "pattern": "^(ScheduleAnyway|DoNotSchedule)$", + "type": "string" + } + }, + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "updateStrategy": { + "properties": { + "type": { + "pattern": "^(RollingUpdate|OnDelete)$", + "type": "string" + } + }, + "required": [ + "type" + ], + "type": "object" + } + }, + "required": [ + "additionalSelectorLabels", + "replicas", + "updateStrategy", + "podTemplate", + "budget", + "startupProbe", + "livenessProbe", + "readinessProbe", + "podAffinity", + "podAntiAffinity", + "nodeSelector", + "priorityClassName", + "topologySpreadConstraints", + "tolerations", + "securityContext", + "sideCars" + ], + "type": "object" + }, + "storage": { + "properties": { + "hostPath": { + "type": "string" + }, + "persistentVolume": { + "deprecated": true, + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "nameOverwrite": { + "type": "string" + }, + "size": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "storageClass": { + "type": "string" + } + }, + "required": [ + "annotations", + "enabled", + "labels", + "size", + "storageClass" + ], + "type": "object" + }, + "tiered": { + "properties": { + "config": { + "properties": { + "cloud_storage_access_key": { + "type": "string" + }, + "cloud_storage_api_endpoint": { + "type": "string" + }, + "cloud_storage_api_endpoint_port": { + "type": "integer" + }, + "cloud_storage_azure_adls_endpoint": { + "type": "string" + }, + "cloud_storage_azure_adls_port": { + "type": "integer" + }, + "cloud_storage_bucket": { + "type": "string" + }, + "cloud_storage_cache_check_interval": { + "type": "integer" + }, + "cloud_storage_cache_directory": { + "type": "string" + }, + "cloud_storage_cache_size": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "cloud_storage_credentials_source": { + "pattern": "^(config_file|aws_instance_metadata|sts|gcp_instance_metadata)$", + "type": "string" + }, + "cloud_storage_disable_tls": { + "type": "boolean" + }, + "cloud_storage_enable_remote_read": { + "type": "boolean" + }, + "cloud_storage_enable_remote_write": { + "type": "boolean" + }, + "cloud_storage_enabled": { + "type": "boolean" + }, + "cloud_storage_initial_backoff_ms": { + "type": "integer" + }, + "cloud_storage_manifest_upload_timeout_ms": { + "type": "integer" + }, + "cloud_storage_max_connection_idle_time_ms": { + "type": "integer" + }, + "cloud_storage_max_connections": { + "type": "integer" + }, + "cloud_storage_reconciliation_interval_ms": { + "type": "integer" + }, + "cloud_storage_region": { + "type": "string" + }, + "cloud_storage_secret_key": { + "type": "string" + }, + "cloud_storage_segment_max_upload_interval_sec": { + "type": "integer" + }, + "cloud_storage_segment_upload_timeout_ms": { + "type": "integer" + }, + "cloud_storage_trust_file": { + "type": "string" + }, + "cloud_storage_upload_ctrl_d_coeff": { + "type": "integer" + }, + "cloud_storage_upload_ctrl_max_shares": { + "type": "integer" + }, + "cloud_storage_upload_ctrl_min_shares": { + "type": "integer" + }, + "cloud_storage_upload_ctrl_p_coeff": { + "type": "integer" + }, + "cloud_storage_upload_ctrl_update_interval_ms": { + "type": "integer" + } + }, + "required": [ + "cloud_storage_enabled" + ], + "type": "object" + }, + "credentialsSecretRef": { + "properties": { + "accessKey": { + "properties": { + "configurationKey": { + "type": "string" + }, + "key": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "configurationKey": { + "deprecated": true, + "type": "string" + }, + "key": { + "deprecated": true, + "type": "string" + }, + "name": { + "deprecated": true, + "type": "string" + }, + "secretKey": { + "properties": { + "configurationKey": { + "type": "string" + }, + "key": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "hostPath": { + "type": "string" + }, + "mountType": { + "pattern": "^(none|hostPath|emptyDir|persistentVolume)$", + "type": "string" + }, + "persistentVolume": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "nameOverwrite": { + "type": "string" + }, + "size": { + "type": "string" + }, + "storageClass": { + "type": "string" + } + }, + "required": [ + "annotations", + "labels", + "storageClass" + ], + "type": "object" + } + }, + "required": [ + "mountType" + ], + "type": "object" + }, + "tieredConfig": { + "deprecated": true, + "properties": { + "cloud_storage_access_key": { + "type": "string" + }, + "cloud_storage_api_endpoint": { + "type": "string" + }, + "cloud_storage_api_endpoint_port": { + "type": "integer" + }, + "cloud_storage_azure_adls_endpoint": { + "type": "string" + }, + "cloud_storage_azure_adls_port": { + "type": "integer" + }, + "cloud_storage_bucket": { + "type": "string" + }, + "cloud_storage_cache_check_interval": { + "type": "integer" + }, + "cloud_storage_cache_directory": { + "type": "string" + }, + "cloud_storage_cache_size": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "cloud_storage_credentials_source": { + "pattern": "^(config_file|aws_instance_metadata|sts|gcp_instance_metadata)$", + "type": "string" + }, + "cloud_storage_disable_tls": { + "type": "boolean" + }, + "cloud_storage_enable_remote_read": { + "type": "boolean" + }, + "cloud_storage_enable_remote_write": { + "type": "boolean" + }, + "cloud_storage_enabled": { + "type": "boolean" + }, + "cloud_storage_initial_backoff_ms": { + "type": "integer" + }, + "cloud_storage_manifest_upload_timeout_ms": { + "type": "integer" + }, + "cloud_storage_max_connection_idle_time_ms": { + "type": "integer" + }, + "cloud_storage_max_connections": { + "type": "integer" + }, + "cloud_storage_reconciliation_interval_ms": { + "type": "integer" + }, + "cloud_storage_region": { + "type": "string" + }, + "cloud_storage_secret_key": { + "type": "string" + }, + "cloud_storage_segment_max_upload_interval_sec": { + "type": "integer" + }, + "cloud_storage_segment_upload_timeout_ms": { + "type": "integer" + }, + "cloud_storage_trust_file": { + "type": "string" + }, + "cloud_storage_upload_ctrl_d_coeff": { + "type": "integer" + }, + "cloud_storage_upload_ctrl_max_shares": { + "type": "integer" + }, + "cloud_storage_upload_ctrl_min_shares": { + "type": "integer" + }, + "cloud_storage_upload_ctrl_p_coeff": { + "type": "integer" + }, + "cloud_storage_upload_ctrl_update_interval_ms": { + "type": "integer" + } + }, + "type": "object" + }, + "tieredStorageHostPath": { + "deprecated": true, + "type": "string" + }, + "tieredStoragePersistentVolume": { + "deprecated": true, + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "storageClass": { + "type": "string" + } + }, + "required": [ + "annotations", + "enabled", + "labels", + "storageClass" + ], + "type": "object" + } + }, + "required": [ + "hostPath", + "tiered", + "persistentVolume" + ], + "type": "object" + }, + "tests": { + "properties": { + "enabled": { + "type": "boolean" + } + }, + "type": "object" + }, + "tls": { + "properties": { + "certs": { + "minProperties": 1, + "patternProperties": { + "^[A-Za-z_][A-Za-z0-9_]*$": { + "properties": { + "applyInternalDNSNames": { + "type": "boolean" + }, + "caEnabled": { + "type": "boolean" + }, + "clientSecretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "duration": { + "pattern": ".*[smh]$", + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "issuerRef": { + "properties": { + "group": { + "type": "string" + }, + "kind": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "caEnabled" + ], + "type": "object" + } + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + } + }, + "required": [ + "enabled", + "certs" + ], + "type": "object" + }, + "tolerations": { + "oneOf": [ + { + "items": { + "properties": { + "effect": { + "type": "string" + }, + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "tolerationSeconds": { + "type": "integer" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "tuning": { + "properties": { + "ballast_file_path": { + "type": "string" + }, + "ballast_file_size": { + "type": "string" + }, + "tune_aio_events": { + "type": "boolean" + }, + "tune_ballast_file": { + "type": "boolean" + }, + "tune_clocksource": { + "type": "boolean" + }, + "well_known_io": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "affinity", + "image" + ], + "type": "object" +} diff --git a/charts/redpanda/redpanda/5.9.5/values.yaml b/charts/redpanda/redpanda/5.9.5/values.yaml new file mode 100644 index 000000000..7a30a2387 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.5/values.yaml @@ -0,0 +1,1174 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# This file contains values for variables referenced from yaml files in the templates directory. +# +# For further information on Helm templating see the documentation at: +# https://helm.sh/docs/chart_template_guide/values_files/ + +# +# >>> This chart requires Helm version 3.6.0 or greater <<< +# + +# Common settings +# +# -- Override `redpanda.name` template. +nameOverride: "" +# -- Override `redpanda.fullname` template. +fullnameOverride: "" +# -- Default Kubernetes cluster domain. +clusterDomain: cluster.local +# -- Additional labels to add to all Kubernetes objects. +# For example, `my.k8s.service: redpanda`. +commonLabels: {} +# -- Node selection constraints for scheduling Pods, can override this for StatefulSets. +# For details, +# see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector). +nodeSelector: {} +# -- Affinity constraints for scheduling Pods, can override this for StatefulSets and Jobs. +# For details, +# see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity). +affinity: {} +# -- Taints to be tolerated by Pods, can override this for StatefulSets. +# For details, +# see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/). +tolerations: [] + +# -- Redpanda Docker image settings. +image: + # -- Docker repository from which to pull the Redpanda Docker image. + repository: docker.redpanda.com/redpandadata/redpanda + # -- The Redpanda version. + # See DockerHub for: + # [All stable versions](https://hub.docker.com/r/redpandadata/redpanda/tags) + # and [all unstable versions](https://hub.docker.com/r/redpandadata/redpanda-unstable/tags). + # @default -- `Chart.appVersion`. + tag: "" + # -- The imagePullPolicy. + # If `image.tag` is 'latest', the default is `Always`. + pullPolicy: IfNotPresent + +# -- Redpanda Service settings. +# service: +# -- set service.name to override the default service name +# name: redpanda +# -- internal Service +# internal: +# -- add annotations to the internal Service +# annotations: {} +# +# -- eg. for a bare metal install using external-dns +# annotations: +# "external-dns.alpha.kubernetes.io/hostname": redpanda.domain.dom +# "external-dns.alpha.kubernetes.io/endpoints-type": HostIP + +# -- Pull secrets may be used to provide credentials to image repositories +# See the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/). +imagePullSecrets: [] + +# -- DEPRECATED Enterprise license key (optional). +# For details, +# see the [License documentation](https://docs.redpanda.com/docs/get-started/licenses/?platform=kubernetes#redpanda-enterprise-edition). +license_key: "" +# -- DEPRECATED Secret name and secret key where the license key is stored. +license_secret_ref: {} + # secret_name: my-secret + # secret_key: key-where-license-is-stored + +# -- Audit logging for a redpanda cluster, must have enabled sasl and have one kafka listener supporting sasl authentication +# for audit logging to work. Note this feature is only available for redpanda versions >= v23.3.0. +auditLogging: + # -- Enable or disable audit logging, for production clusters we suggest you enable, + # however, this will only work if you also enable sasl and a listener with sasl enabled. + enabled: false + # -- Kafka listener name, note that it must have `authenticationMethod` set to `sasl`. + # For external listeners, use the external listener name, such as `default`. + listener: internal + # -- Integer value defining the number of partitions used by a newly created audit topic. + partitions: 12 + # -- Event types that should be captured by audit logs, default is [`admin`, `authenticate`, `management`]. + enabledEventTypes: + # -- List of topics to exclude from auditing, default is null. + excludedTopics: + # -- List of principals to exclude from auditing, default is null. + excludedPrincipals: + # -- Defines the number of bytes (in bytes) allocated by the internal audit client for audit messages. + clientMaxBufferSize: 16777216 + # -- In ms, frequency in which per shard audit logs are batched to client for write to audit log. + queueDrainIntervalMs: 500 + # -- Defines the maximum amount of memory used (in bytes) by the audit buffer in each shard. + queueMaxBufferSizePerShard: 1048576 + # -- Defines the replication factor for a newly created audit log topic. This configuration applies + # only to the audit log topic and may be different from the cluster or other topic configurations. + # This cannot be altered for existing audit log topics. Setting this value is optional. If a value is not provided, + # Redpanda will use the `internal_topic_replication_factor cluster` config value. Default is `null` + replicationFactor: + +# -- Enterprise (optional) +# For details, +# see the [License documentation](https://docs.redpanda.com/docs/get-started/licenses/?platform=kubernetes#redpanda-enterprise-edition). +enterprise: + # -- license (optional). + license: "" + # -- Secret name and key where the license key is stored. + licenseSecretRef: {} + # name: my-secret + # key: key-where-license-is-stored + +# -- Rack Awareness settings. +# For details, +# see the [Rack Awareness documentation](https://docs.redpanda.com/docs/manage/kubernetes/kubernetes-rack-awareness/). +rackAwareness: + # -- When running in multiple racks or availability zones, use a Kubernetes Node + # annotation value as the Redpanda rack value. + # Enabling this requires running with a service account with "get" Node permissions. + # To have the Helm chart configure these permissions, + # set `serviceAccount.create=true` and `rbac.enabled=true`. + enabled: false + # -- The common well-known annotation to use as the rack ID. + # Override this only if you use a custom Node annotation. + nodeAnnotation: topology.kubernetes.io/zone + +# +# -- Redpanda Console settings. +# For a reference of configuration settings, +# see the [Redpanda Console documentation](https://docs.redpanda.com/docs/reference/console/config/). +console: + enabled: true + configmap: + create: false + secret: + create: false + deployment: + create: false + config: {} + +# +# -- Redpanda Managed Connectors settings +# For a reference of configuration settings, +# see the [Redpanda Connectors documentation](https://docs.redpanda.com/docs/deploy/deployment-option/cloud/managed-connectors/). +connectors: + enabled: false + deployment: + create: false + test: + create: false + +# -- Authentication settings. +# For details, +# see the [SASL documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/sasl-kubernetes/). +auth: + sasl: + # -- Enable SASL authentication. + # If you enable SASL authentication, you must provide a Secret in `auth.sasl.secretRef`. + enabled: false + # -- The authentication mechanism to use for the superuser. Options are `SCRAM-SHA-256` and `SCRAM-SHA-512`. + mechanism: SCRAM-SHA-512 + # -- A Secret that contains your superuser credentials. + # For details, + # see the [SASL documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/sasl-kubernetes/#use-secrets). + secretRef: "redpanda-users" + # -- Optional list of superusers. + # These superusers will be created in the Secret whose name is defined in `auth.sasl.secretRef`. + # If this list is empty, + # the Secret in `auth.sasl.secretRef` must already exist in the cluster before you deploy the chart. + # Uncomment the sample list if you wish to try adding sample sasl users or override to use your own. + users: [] + # - name: admin + # password: change-me + # mechanism: SCRAM-SHA-512 + # -- Details about how to create the bootstrap user for the cluster. + # The secretKeyRef is optionally specified. If it is specified, the + # chart will use a password written to that secret when creating the + # "kubernetes-controller" bootstrap user. If it is unspecified, then + # the secret will be generated and stored in the secret + # "releasename"-bootstrap-user, with the key "password". + bootstrapUser: + # -- The authentication mechanism to use for the bootstrap user. Options are `SCRAM-SHA-256` and `SCRAM-SHA-512`. + mechanism: SCRAM-SHA-256 + # secretKeyRef: + # name: my-password + # key: my-key + +# -- TLS settings. +# For details, see the [TLS documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/kubernetes-tls/). +tls: + # -- Enable TLS globally for all listeners. + # Each listener must include a Certificate name in its `.tls` object. + # To allow you to enable TLS for individual listeners, + # Certificates in `auth.tls.certs` are always loaded, even if `tls.enabled` is `false`. + # See `listeners..tls.enabled`. + enabled: true + # -- List all Certificates here, + # then you can reference a specific Certificate's name + # in each listener's `listeners..tls.cert` setting. + certs: + # -- This key is the Certificate name. + # To apply the Certificate to a specific listener, + # reference the Certificate's name in `listeners..tls.cert`. + default: + # -- To use a custom pre-installed Issuer, + # add its name and kind to the `issuerRef` object. + # issuerRef: + # name: redpanda-default-root-issuer + # kind: Issuer # Can be Issuer or ClusterIssuer + # -- To use a secret with custom tls files, + # secretRef: + # name: my-tls-secret + # -- Indicates whether or not the Secret holding this certificate + # includes a `ca.crt` key. When `true`, chart managed clients, such as + # rpk, will use `ca.crt` for certificate verification and listeners with + # `require_client_auth` and no explicit `truststore` will use `ca.crt` as + # their `truststore_file` for verification of client certificates. When + # `false`, chart managed clients will use `tls.crt` for certificate + # verification and listeners with `require_client_auth` and no explicit + # `truststore` will use the container's CA certificates. + caEnabled: true + # duration: 43800h + # if you wish to have Kubernetes internal dns names (IE the headless service of the redpanda StatefulSet) included in `dnsNames` of the certificate even, when supplying an issuer. + # applyInternalDNSNames: false + # -- Example external tls configuration + # uncomment and set the right key to the listeners that require them + # also enable the tls setting for those listeners. + external: + # -- To use a custom pre-installed Issuer, + # add its name and kind to the `issuerRef` object. + # issuerRef: + # name: redpanda-default-root-issuer + # kind: Issuer # Can be Issuer or ClusterIssuer + # -- To use a secret with custom tls files, + # secretRef: + # name: my-tls-secret + # -- Indicates whether or not the Secret holding this certificate + # includes a `ca.crt` key. When `true`, chart managed clients, such as + # rpk, will use `ca.crt` for certificate verification and listeners with + # `require_client_auth` and no explicit `truststore` will use `ca.crt` as + # their `truststore_file` for verification of client certificates. When + # `false`, chart managed clients will use `tls.crt` for certificate + # verification and listeners with `require_client_auth` and no explicit + # `truststore` will use the container's CA certificates. + caEnabled: true + # duration: 43800h + # if you wish to for apply internal dns names to the certificate even when supplying an issuer + # applyInternalDNSNames: false + +# -- External access settings. +# For details, +# see the [Networking and Connectivity documentation](https://docs.redpanda.com/docs/manage/kubernetes/networking/networking-and-connectivity/). +external: + # -- Service allows you to manage the creation of an external kubernetes service object + service: + # -- Enabled if set to false will not create the external service type + # You can still set your cluster with external access but not create the supporting service (NodePort/LoadBalander). + # Set this to false if you rather manage your own service. + enabled: true + # -- Enable external access for each Service. + # You can toggle external access for each listener in + # `listeners..external..enabled`. + enabled: true + # -- External access type. Only `NodePort` and `LoadBalancer` are supported. + # If undefined, then advertised listeners will be configured in Redpanda, + # but the helm chart will not create a Service. + # You must create a Service manually. + # Warning: If you use LoadBalancers, you will likely experience higher latency and increased packet loss. + # NodePort is recommended in cases where latency is a priority. + type: NodePort + # Optional source range for external access. Only applicable when external.type is LoadBalancer + # sourceRanges: [] + # -- Optional domain advertised to external clients + # If specified, then it will be appended to the `external.addresses` values as each broker's advertised address + # domain: local + # Optional list of addresses that the Redpanda brokers advertise. + # Provide one entry for each broker in order of StatefulSet replicas. + # The number of brokers is defined in statefulset.replicas. + # The values can be IP addresses or DNS names. + # If external.domain is set, the domain is appended to these values. + # There is an option to define a single external address for all brokers and leverage + # prefixTemplate as it will be calculated during initContainer execution. + # addresses: + # - redpanda-0 + # - redpanda-1 + # - redpanda-2 + # + # annotations: + # For example: + # cloud.google.com/load-balancer-type: "Internal" + # service.beta.kubernetes.io/aws-load-balancer-type: nlb + # If you enable externalDns, each LoadBalancer service instance + # will be annotated with external-dns hostname + # matching external.addresses + external.domain + # externalDns: + # enabled: true + # prefixTemplate: "" + +# -- Log-level settings. +logging: + # -- Log level + # Valid values (from least to most verbose) are: `warn`, `info`, `debug`, and `trace`. + logLevel: info + # -- Send usage statistics back to Redpanda Data. + # For details, + # see the [stats reporting documentation](https://docs.redpanda.com/docs/cluster-administration/monitoring/#stats-reporting). + usageStats: + # Enable the `rpk.enable_usage_stats` property. + enabled: true + # Your cluster ID (optional) + # clusterId: your-helm-cluster + +# -- Monitoring. +# This will create a ServiceMonitor that can be used by Prometheus-Operator or VictoriaMetrics-Operator to scrape the metrics. +monitoring: + enabled: false + scrapeInterval: 30s + labels: {} + # Enables http2 for scraping metrics for prometheus. Used when Istio's mTLS is enabled and using tlsConfig. + # enableHttp2: true + # tlsConfig: + # caFile: /etc/prom-certs/root-cert.pem + # certFile: /etc/prom-certs/cert-chain.pem + # insecureSkipVerify: true + # keyFile: /etc/prom-certs/key.pem + +# -- Pod resource management. +# This section simplifies resource allocation +# by providing a single location where resources are defined. +# Helm sets these resource values within the `statefulset.yaml` and `configmap.yaml` templates. +# +# The default values are for a development environment. +# Production-level values and other considerations are documented, +# where those values are different from the default. +# For details, +# see the [Pod resources documentation](https://docs.redpanda.com/docs/manage/kubernetes/manage-resources/). +resources: + # + # -- CPU resources. + # For details, + # see the [Pod resources documentation](https://docs.redpanda.com/docs/manage/kubernetes/manage-resources/#configure-cpu-resources). + cpu: + # -- Redpanda makes use of a thread per core model. + # For details, see this [blog](https://redpanda.com/blog/tpc-buffers). + # For this reason, Redpanda should only be given full cores. + # + # Note: You can increase cores, but decreasing cores is not currently supported. + # See the [GitHub issue](https://github.com/redpanda-data/redpanda/issues/350). + # + # This setting is equivalent to `--smp`, `resources.requests.cpu`, and `resources.limits.cpu`. + # For production, use `4` or greater. + # + # To maximize efficiency, use the `static` CPU manager policy by specifying an even integer for + # CPU resource requests and limits. This policy gives the Pods running Redpanda brokers + # access to exclusive CPUs on the node. See + # https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#static-policy. + cores: 1 + # + # -- Overprovisioned means Redpanda won't assume it has all of the provisioned CPU. + # This should be true unless the container has CPU affinity. + # Equivalent to: `--idle-poll-time-us 0 --thread-affinity 0 --poll-aio 0` + # + # If the value of full cores in `resources.cpu.cores` is less than `1`, this + # setting is set to `true`. + # overprovisioned: false + # + # -- Memory resources + # For details, + # see the [Pod resources documentation](https://docs.redpanda.com/docs/manage/kubernetes/manage-resources/#configure-memory-resources). + memory: + # -- Enables memory locking. + # For production, set to `true`. + # enable_memory_locking: false + # + # It is recommended to have at least 2Gi of memory per core for the Redpanda binary. + # This memory is taken from the total memory given to each container. + # The Helm chart allocates 80% of the container's memory to Redpanda, leaving the rest for + # the Seastar subsystem (reserveMemory) and other container processes. + # So at least 2.5Gi per core is recommended in order to ensure Redpanda has a full 2Gi. + # + # These values affect `--memory` and `--reserve-memory` flags passed to Redpanda and the memory + # requests/limits in the StatefulSet. + # Valid suffixes: k, M, G, T, P, Ki, Mi, Gi, Ti, Pi + # To create `Guaranteed` Pod QoS for Redpanda brokers, provide both container max and min values for the container. + # For details, see + # https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed + # * Every container in the Pod must have a memory limit and a memory request. + # * For every container in the Pod, the memory limit must equal the memory request. + # + container: + # Minimum memory count for each Redpanda broker. + # If omitted, the `min` value is equal to the `max` value (requested resources defaults to limits). + # This setting is equivalent to `resources.requests.memory`. + # For production, use 10Gi or greater. + # min: 2.5Gi + # + # -- Maximum memory count for each Redpanda broker. + # Equivalent to `resources.limits.memory`. + # For production, use `10Gi` or greater. + max: 2.5Gi + # + # This optional `redpanda` object allows you to specify the memory size for both the Redpanda + # process and the underlying reserved memory used by Seastar. + # This section is omitted by default, and memory sizes are calculated automatically + # based on container memory. + # Uncommenting this section and setting memory and reserveMemory values will disable + # automatic calculation. + # + # If you are setting the following values manually, keep in mind the following guidelines. + # Getting this wrong may lead to performance issues, instability, and loss of data: + # The amount of memory to allocate to a container is determined by the sum of three values: + # 1. Redpanda (at least 2Gi per core, ~80% of the container's total memory) + # 2. Seastar subsystem (200Mi * 0.2% of the container's total memory, 200Mi < x < 1Gi) + # 3. Other container processes (whatever small amount remains) + # redpanda: + # Memory for the Redpanda process. + # This must be lower than the container's memory (resources.memory.container.min if provided, otherwise + # resources.memory.container.max). + # Equivalent to --memory. + # For production, use 8Gi or greater. + # memory: 2Gi + # + # Memory reserved for the Seastar subsystem. + # Any value above 1Gi will provide diminishing performance benefits. + # Equivalent to --reserve-memory. + # For production, use 1Gi. + # reserveMemory: 200Mi + +# -- Persistence settings. +# For details, see the [storage documentation](https://docs.redpanda.com/docs/manage/kubernetes/configure-storage/). +storage: + # -- Absolute path on the host to store Redpanda's data. + # If unspecified, then an `emptyDir` volume is used. + # If specified but `persistentVolume.enabled` is true, `storage.hostPath` has no effect. + hostPath: "" + # -- If `persistentVolume.enabled` is true, a PersistentVolumeClaim is created and + # used to store Redpanda's data. Otherwise, `storage.hostPath` is used. + persistentVolume: + enabled: true + size: 20Gi + # -- To disable dynamic provisioning, set to `-`. + # If undefined or empty (default), then no storageClassName spec is set, + # and the default dynamic provisioner is chosen (gp2 on AWS, standard on + # GKE, AWS & OpenStack). + storageClass: "" + # -- Additional labels to apply to the created PersistentVolumeClaims. + labels: {} + # -- Additional annotations to apply to the created PersistentVolumeClaims. + annotations: {} + # -- Option to change volume claim template name for tiered storage persistent volume + # if tiered.mountType is set to `persistentVolume` + nameOverwrite: "" + # + # Settings for the Tiered Storage cache. + # For details, + # see the [Tiered Storage documentation](https://docs.redpanda.com/docs/manage/kubernetes/tiered-storage/#caching). + + tiered: + # mountType can be one of: + # - none: does not mount a volume. Tiered storage will use the data directory. + # - hostPath: will allow you to chose a path on the Node the pod is running on + # - emptyDir: will mount a fresh empty directory every time the pod starts + # - persistentVolume: creates and mounts a PersistentVolumeClaim + mountType: emptyDir + + # For the maximum size of the disk cache, see `tieredConfig.cloud_storage_cache_size`. + # + # -- Absolute path on the host to store Redpanda's Tiered Storage cache. + hostPath: "" + # PersistentVolumeClaim to be created for the Tiered Storage cache and + # used to store data retrieved from cloud storage, such as S3). + persistentVolume: + # -- To disable dynamic provisioning, set to "-". + # If undefined or empty (default), then no storageClassName spec is set, + # and the default dynamic provisioner is chosen (gp2 on AWS, standard on + # GKE, AWS & OpenStack). + storageClass: "" + # -- Additional labels to apply to the created PersistentVolumeClaims. + labels: {} + # -- Additional annotations to apply to the created PersistentVolumeClaims. + annotations: {} + + # credentialsSecretRef can be used to set `cloud_storage_secret_key` and/or `cloud_storage_access_key` from + # referenced Kubernetes Secret + credentialsSecretRef: + accessKey: + # https://docs.redpanda.com/current/reference/object-storage-properties/#cloud_storage_access_key + configurationKey: cloud_storage_access_key + # name: + # key: + secretKey: + # https://docs.redpanda.com/current/reference/object-storage-properties/#cloud_storage_secret_key + # or + # https://docs.redpanda.com/current/reference/object-storage-properties/#cloud_storage_azure_shared_key + configurationKey: cloud_storage_secret_key + # name: + # key + # -- DEPRECATED `configurationKey`, `name` and `key`. Please use `accessKey` and `secretKey` + # configurationKey: cloud_storage_secret_key + # name: + # key: + # + # -- Tiered Storage settings + # Requires `enterprise.licenseKey` or `enterprised.licenseSecretRef` + # For details, see the [Tiered Storage documentation](https://docs.redpanda.com/docs/manage/kubernetes/tiered-storage/). + # For a list of properties, see [Object Storage Properties](https://docs.redpanda.com/current/reference/properties/object-storage-properties/). + config: + # -- Global flag that enables Tiered Storage if a license key is provided. + # See the [property reference documentation](https://docs.redpanda.com/docs/reference/object-storage-properties/#cloud_storage_enabled). + cloud_storage_enabled: false + # -- Cluster level default remote write configuration for new topics. + # See the [property reference documentation](https://docs.redpanda.com/docs/reference/object-storage-properties/#cloud_storage_enable_remote_write). + cloud_storage_enable_remote_write: true + # -- Cluster level default remote read configuration for new topics. + # See the [property reference documentation](https://docs.redpanda.com/docs/reference/object-storage-properties/#cloud_storage_enable_remote_read). + cloud_storage_enable_remote_read: true + # -- Maximum size of the disk cache used by Tiered Storage. + # Default is 20 GiB. + # See the [property reference documentation](https://docs.redpanda.com/docs/reference/object-storage-properties/#cloud_storage_cache_size). + cloud_storage_cache_size: 5368709120 + +post_install_job: + enabled: true + # Resource requests and limits for the post-install batch job + # resources: + # requests: + # cpu: 1 + # memory: 512Mi + # limits: + # cpu: 2 + # memory: 1024Mi + # labels: {} + # annotations: {} + affinity: {} + + podTemplate: + # -- Additional labels to apply to the Pods of this Job. + labels: {} + # -- Additional annotations to apply to the Pods of this Job. + annotations: {} + # -- A subset of Kubernetes' PodSpec type that will be merged into the + # final PodSpec. See [Merge Semantics](#merging-semantics) for details. + spec: + securityContext: {} + containers: + - name: post-install + securityContext: {} + env: [] + +post_upgrade_job: + enabled: true + # Resource requests and limits for the post-upgrade batch job + # resources: + # requests: + # cpu: 1 + # memory: 512Mi + # limits: + # cpu: 2 + # memory: 1024Mi + # labels: {} + # annotations: {} + # Additional environment variables for the Post Upgrade Job + # extraEnv: + # - name: AWS_SECRET_ACCESS_KEY + # valueFrom: + # secretKeyRef: + # name: my-secret + # key: redpanda-aws-secret-access-key + # Additional environment variables for the Post Upgrade Job mapped from Secret or ConfigMap + # extraEnvFrom: + # - secretRef: + # name: redpanda-aws-secrets + # DEPRECATED. Please use podTemplate.securityContext + # You can set the security context as nessesary for the post-upgrade job as follows + # securityContext: + # allowPrivilegeEscalation: false + # runAsNonRoot: true + affinity: {} + # When helm upgrade is performed the post-upgrade job is scheduled before Statefulset successfully finish + # its rollout. User can extend Job default backoff limit of `6`. + # backoffLimit: + + podTemplate: + # -- Additional labels to apply to the Pods of this Job. + labels: {} + # -- Additional annotations to apply to the Pods of this Job. + annotations: {} + # -- A subset of Kubernetes' PodSpec type that will be merged into the + # final PodSpec. See [Merge Semantics](#merging-semantics) for details. + spec: + securityContext: {} + containers: + - name: post-upgrade + securityContext: {} + env: [] + +statefulset: + # -- Number of Redpanda brokers (Redpanda Data recommends setting this to the number of worker nodes in the cluster) + replicas: 3 + updateStrategy: + type: RollingUpdate + budget: + maxUnavailable: 1 + # -- DEPRECATED Please use statefulset.podTemplate.annotations. + # Annotations are used only for `Statefulset.spec.template.metadata.annotations`. The StatefulSet does not have + # any dedicated annotation. + annotations: {} + # -- Additional labels to be added to statefulset label selector. + # For example, `my.k8s.service: redpanda`. + additionalSelectorLabels: {} + podTemplate: + # -- Additional labels to apply to the Pods of the StatefulSet. + labels: {} + # -- Additional annotations to apply to the Pods of the StatefulSet. + annotations: {} + # -- A subset of Kubernetes' PodSpec type that will be merged into the + # final PodSpec. See [Merge Semantics](#merging-semantics) for details. + spec: + securityContext: {} + containers: + - name: redpanda + securityContext: {} + env: [] + # -- Adjust the period for your probes to meet your needs. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes). + startupProbe: + initialDelaySeconds: 1 + failureThreshold: 120 + periodSeconds: 10 + livenessProbe: + initialDelaySeconds: 10 + failureThreshold: 3 + periodSeconds: 10 + readinessProbe: + initialDelaySeconds: 1 + failureThreshold: 3 + periodSeconds: 10 + successThreshold: 1 + # + # StatefulSet resources: + # Resources are set through the top-level resources section above. + # It is recommended to set resource values in that section rather than here, as this will guarantee + # memory is allocated across containers, Redpanda, and the Seastar subsystem correctly. + # This automatic memory allocation is in place because Repanda and the Seastar subsystem require flags + # at startup that set the amount of memory available to each process. + # Kubernetes (mainly statefulset), Redpanda, and Seastar memory values are tightly coupled. + # Adding a resource section here will be ignored. + # + # -- Inter-Pod Affinity rules for scheduling Pods of this StatefulSet. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity). + podAffinity: {} + # -- Anti-affinity rules for scheduling Pods of this StatefulSet. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity). + # You may either edit the default settings for anti-affinity rules, + # or specify new anti-affinity rules to use instead of the defaults. + podAntiAffinity: + # -- The topologyKey to be used. + # Can be used to spread across different nodes, AZs, regions etc. + topologyKey: kubernetes.io/hostname + # -- Valid anti-affinity types are `soft`, `hard`, or `custom`. + # Use `custom` if you want to supply your own anti-affinity rules in the `podAntiAffinity.custom` object. + type: hard + # -- Weight for `soft` anti-affinity rules. + # Does not apply to other anti-affinity types. + weight: 100 + # -- Change `podAntiAffinity.type` to `custom` and provide your own podAntiAffinity rules here. + custom: {} + # -- Node selection constraints for scheduling Pods of this StatefulSet. + # These constraints override the global `nodeSelector` value. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector). + nodeSelector: {} + # -- PriorityClassName given to Pods of this StatefulSet. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass). + priorityClassName: "" + # -- Taints to be tolerated by Pods of this StatefulSet. + # These tolerations override the global tolerations value. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/). + tolerations: [] + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/). + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + # -- DEPRECATED: Prefer to use podTemplate.spec.securityContext or podTemplate.spec.containers[0].securityContext. + securityContext: + fsGroup: 101 + runAsUser: 101 + fsGroupChangePolicy: OnRootMismatch + sideCars: + configWatcher: + enabled: true + # -- To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see + # https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed + # * Every container in the Pod must have a memory limit and a memory request. + # * For every container in the Pod, the memory limit must equal the memory request. + # * Every container in the Pod must have a CPU limit and a CPU request. + # * For every container in the Pod, the CPU limit must equal the CPU request. + # + # To maximize efficiency, use the `static` CPU manager policy by specifying an even integer for + # CPU resource requests and limits. This policy gives the Pods running Redpanda brokers + # access to exclusive CPUs on the node. For details, see + # https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#static-policy + resources: {} + securityContext: {} + extraVolumeMounts: |- + # Configure extra controllers to run as sidecars inside the Pods running Redpanda brokers. + # Available controllers: + # - Decommission Controller: The Decommission Controller ensures smooth scaling down operations. + # This controller is responsible for monitoring changes in the number of StatefulSet replicas and orchestrating + # the decommissioning of brokers when necessary. It also sets the reclaim policy for the decommissioned + # broker's PersistentVolume to `Retain` and deletes the corresponding PersistentVolumeClaim. + # - Node-PVC Controller: The Node-PVC Controller handles the PVCs of deleted brokers. + # By setting the PV Retain policy to retain, it facilitates the rescheduling of brokers to new, healthy nodes when + # an existing node is removed. + controllers: + image: + tag: v2.1.10-23.2.18 + repository: docker.redpanda.com/redpandadata/redpanda-operator + # You must also enable RBAC, `rbac.enabled=true`, to deploy this sidecar + enabled: false + # -- To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see + # https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed + # + # * Every container in the Pod must have a CPU limit and a CPU request. + # * For every container in the Pod, the CPU limit must equal the CPU request. + # * Every container in the Pod must have a CPU limit and a CPU request. + # * For every container in the Pod, the CPU limit must equal the CPU request. + # + # To maximize efficiency, use the `static` CPU manager policy by specifying an even integer for + # CPU resource requests and limits. This policy gives the Pods running Redpanda brokers + # access to exclusive CPUs on the node. For details, see + # https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#static-policy + resources: {} + securityContext: {} + healthProbeAddress: ":8085" + metricsAddress: ":9082" + run: + - all + createRBAC: true + initContainers: + fsValidator: + enabled: false + expectedFS: xfs + # -- To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see + # https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed + # * Every container in the Pod must have a CPU limit and a CPU request. + # * For every container in the Pod, the CPU limit must equal the CPU request. + resources: {} + extraVolumeMounts: |- + tuning: + # -- To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see + # https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed + # * Every container in the Pod must have a CPU limit and a CPU request. + # * For every container in the Pod, the CPU limit must equal the CPU request. + resources: {} + extraVolumeMounts: |- + setDataDirOwnership: + # -- In environments where root is not allowed, you cannot change the ownership of files and directories. + # Enable `setDataDirOwnership` when using default minikube cluster configuration. + enabled: false + # -- To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see + # https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed + # * Every container in the Pod must have a CPU limit and a CPU request. + # * For every container in the Pod, the CPU limit must equal the CPU request. + resources: {} + extraVolumeMounts: |- + setTieredStorageCacheDirOwnership: + # -- To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see + # https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed + # * Every container in the Pod must have a CPU limit and a CPU request. + # * For every container in the Pod, the CPU limit must equal the CPU request. + resources: {} + extraVolumeMounts: |- + configurator: + # -- To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see + # https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed + # * Every container in the Pod must have a CPU limit and a CPU request. + # * For every container in the Pod, the CPU limit must equal the CPU request. + resources: {} + extraVolumeMounts: |- + ## Additional init containers + extraInitContainers: |- +# - name: "test-init-container" +# image: "mintel/docker-alpine-bash-curl-jq:latest" +# command: [ "/bin/bash", "-c" ] +# args: +# - | +# set -xe +# echo "Hello World!" + initContainerImage: + repository: busybox + tag: latest + # -- Additional flags to pass to redpanda, + additionalRedpandaCmdFlags: [] +# - --unsafe-bypass-fsync + # -- Termination grace period in seconds is time required to execute preStop hook + # which puts particular Redpanda Pod (process/container) into maintenance mode. + # Before settle down on particular value please put Redpanda under load and perform + # rolling upgrade or rolling restart. That value needs to accommodate two processes: + # * preStop hook needs to put Redpanda into maintenance mode + # * after preStop hook Redpanda needs to handle gracefully SIGTERM signal + # + # Both processes are executed sequentially where preStop hook has hard deadline in the + # middle of terminationGracePeriodSeconds. + # + # REF: + # https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution + # https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination + terminationGracePeriodSeconds: 90 + ## Additional Volumes that you mount + extraVolumes: |- + ## Additional Volume mounts for redpanda container + extraVolumeMounts: |- + +# -- Service account management. +serviceAccount: + # -- Specifies whether a service account should be created. + create: false + # -- Annotations to add to the service account. + annotations: {} + # -- The name of the service account to use. + # If not set and `serviceAccount.create` is `true`, + # a name is generated using the `redpanda.fullname` template. + name: "" + +# -- Role Based Access Control. +rbac: + # -- Enable for features that need extra privileges. + # If you use the Redpanda Operator, + # you must deploy it with the `--set rbac.createRPKBundleCRs=true` flag + # to give it the required ClusterRoles. + enabled: false + # -- Annotations to add to the `rbac` resources. + annotations: {} + +# -- Redpanda tuning settings. +# Each is set to their default values in Redpanda. +tuning: + # -- Increase the maximum number of outstanding asynchronous IO operations if the + # current value is below a certain threshold. This allows Redpanda to make as many + # simultaneous IO requests as possible, increasing throughput. + # + # When this option is enabled, Helm creates a privileged container. If your security profile does not allow this, you can disable this container by setting `tune_aio_events` to `false`. + # For more details, see the [tuning documentation](https://docs.redpanda.com/docs/deploy/deployment-option/self-hosted/kubernetes/kubernetes-tune-workers/). + tune_aio_events: true + # + # Syncs NTP + # tune_clocksource: false + # + # Creates a "ballast" file so that, if a Redpanda node runs out of space, + # you can delete the ballast file to allow the node to resume operations and then + # delete a topic or records to reduce the space used by Redpanda. + # tune_ballast_file: false + # + # The path where the ballast file will be created. + # ballast_file_path: "/var/lib/redpanda/data/ballast" + # + # The ballast file size. + # ballast_file_size: "1GiB" + # + # (Optional) The vendor, VM type and storage device type that redpanda will run on, in + # the format ::. This hints to rpk which configuration values it + # should use for the redpanda IO scheduler. + # Some valid values are "gcp:c2-standard-16:nvme", "aws:i3.xlarge:default" + # well_known_io: "" + # + # The following tuning parameters must be false in container environments and will be ignored: + # tune_network + # tune_disk_scheduler + # tune_disk_nomerges + # tune_disk_irq + # tune_fstrim + # tune_cpu + # tune_swappiness + # tune_transparent_hugepages + # tune_coredump + + +# -- Listener settings. +# +# Override global settings configured above for individual +# listeners. +# For details, +# see the [listeners documentation](https://docs.redpanda.com/docs/manage/kubernetes/networking/configure-listeners/). +listeners: + # -- Admin API listener (only one). + admin: + # -- The port for both internal and external connections to the Admin API. + port: 9644 + # -- Optional instrumentation hint - https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol + # appProtocol: + # -- Optional external access settings. + external: + # -- Name of the external listener. + default: + port: 9645 + # Override the global `external.enabled` for only this listener. + # enabled: true + # -- The port advertised to this listener's external clients. + # List one port if you want to use the same port for each broker (would be the case when using NodePort service). + # Otherwise, list the port you want to use for each broker in order of StatefulSet replicas. + # If undefined, `listeners.admin.port` is used. + tls: + # enabled: true + cert: external + advertisedPorts: + - 31644 + # -- Optional TLS section (required if global TLS is enabled) + tls: + # Optional flag to override the global TLS enabled flag. + # enabled: true + # -- Name of the Certificate used for TLS (must match a Certificate name that is registered in tls.certs). + cert: default + # -- If true, the truststore file for this listener is included in the ConfigMap. + requireClientAuth: false + # -- Kafka API listeners. + kafka: + # -- The port for internal client connections. + port: 9093 + # default is "sasl" + authenticationMethod: + tls: + # Optional flag to override the global TLS enabled flag. + # enabled: true + cert: default + requireClientAuth: false + external: + default: + # enabled: true + # -- The port used for external client connections. + port: 9094 + # prefixTemplate: "" + # -- If undefined, `listeners.kafka.external.default.port` is used. + advertisedPorts: + - 31092 + tls: + # enabled: true + cert: external + # default is "sasl" + authenticationMethod: + # -- RPC listener (this is never externally accessible). + rpc: + port: 33145 + tls: + # Optional flag to override the global TLS enabled flag. + # enabled: true + cert: default + requireClientAuth: false + # -- Schema registry listeners. + schemaRegistry: + enabled: true + port: 8081 + kafkaEndpoint: default + # default is "http_basic" + authenticationMethod: + tls: + # Optional flag to override the global TLS enabled flag. + # enabled: true + cert: default + requireClientAuth: false + external: + default: + # enabled: true + port: 8084 + advertisedPorts: + - 30081 + tls: + # enabled: true + cert: external + requireClientAuth: false + # default is "http_basic" + authenticationMethod: + # -- HTTP API listeners (aka PandaProxy). + http: + enabled: true + port: 8082 + kafkaEndpoint: default + # default is "http_basic" + authenticationMethod: + tls: + # Optional flag to override the global TLS enabled flag. + # enabled: true + cert: default + requireClientAuth: false + external: + default: + # enabled: true + port: 8083 + # prefixTemplate: "" + advertisedPorts: + - 30082 + tls: + # enabled: true + cert: external + requireClientAuth: false + # default is "http_basic" + authenticationMethod: + +# Expert Config +# Here be dragons! +# +# -- This section contains various settings supported by Redpanda that may not work +# correctly in a Kubernetes cluster. Changing these settings comes with some risk. +# +# Use these settings to customize various Redpanda configurations that are not covered in other sections. +# These values have no impact on the configuration or behavior of the Kubernetes objects deployed by Helm, +# and therefore should not be modified for the purpose of configuring those objects. +# Instead, these settings get passed directly to the Redpanda binary at startup. +# For descriptions of these properties, +# see the [configuration documentation](https://docs.redpanda.com/docs/cluster-administration/configuration/). +config: + rpk: {} + # additional_start_flags: # List of flags to pass to rpk, e.g., ` "--idle-poll-time-us=0"` + # -- [Cluster Configuration Properties](https://docs.redpanda.com/current/reference/properties/cluster-properties/) + cluster: {} + + # -- Tunable cluster properties. + # Deprecated: all settings here may be specified via `config.cluster`. + tunable: + # -- See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#log_segment_size_min). + log_segment_size_min: 16777216 # 16 mb + # -- See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#log_segment_size_max). + log_segment_size_max: 268435456 # 256 mb + # -- See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#compacted_log_segment_size). + compacted_log_segment_size: 67108864 # 64 mb + # -- See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#max_compacted_log_segment_size). + max_compacted_log_segment_size: 536870912 # 512 mb + # -- See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#kafka_connection_rate_limit). + kafka_connection_rate_limit: 1000 + + # -- [Broker (node) Configuration Properties](https://docs.redpanda.com/docs/reference/broker-properties/). + node: + # -- Crash loop limit + # A limit on the number of consecutive times a broker can crash within one hour before its crash-tracking logic is reset. + # This limit prevents a broker from getting stuck in an infinite cycle of crashes. + # User can disable this crash loop limit check by the following action: + # + # * One hour elapses since the last crash + # * The node configuration file, redpanda.yaml, is updated via config.cluster or config.node or config.tunable objects + # * The startup_log file in the node’s data_directory is manually deleted + # + # Default to 5 + # REF: https://docs.redpanda.com/current/reference/broker-properties/#crash_loop_limit + crash_loop_limit: 5 + + # Reference schema registry client https://docs.redpanda.com/current/reference/node-configuration-sample/ + schema_registry_client: {} + # # Number of times to retry a request to a broker + # # Default: 5 + # retries: 5 + # + # # Delay (in milliseconds) for initial retry backoff + # # Default: 100ms + # retry_base_backoff_ms: 100 + # + # # Number of records to batch before sending to broker + # # Default: 1000 + # produce_batch_record_count: 1000 + # + # # Number of bytes to batch before sending to broker + # # Defautl 1MiB + # produce_batch_size_bytes: 1048576 + # + # # Delay (in milliseconds) to wait before sending batch + # # Default: 100ms + # produce_batch_delay_ms: 100 + # + # # Interval (in milliseconds) for consumer request timeout + # # Default: 100ms + # consumer_request_timeout_ms: 100 + # + # # Max bytes to fetch per request + # # Default: 1MiB + # consumer_request_max_bytes: 1048576 + # + # # Timeout (in milliseconds) for consumer session + # # Default: 10s + # consumer_session_timeout_ms: 10000 + # + # # Timeout (in milliseconds) for consumer rebalance + # # Default: 2s + # consumer_rebalance_timeout_ms: 2000 + # + # # Interval (in milliseconds) for consumer heartbeats + # # Default: 500ms + # consumer_heartbeat_interval_ms: 500 + + # Reference panda proxy client https://docs.redpanda.com/current/reference/node-configuration-sample/ + pandaproxy_client: {} + # # Number of times to retry a request to a broker + # # Default: 5 + # retries: 5 + # + # # Delay (in milliseconds) for initial retry backoff + # # Default: 100ms + # retry_base_backoff_ms: 100 + # + # # Number of records to batch before sending to broker + # # Default: 1000 + # produce_batch_record_count: 1000 + # + # # Number of bytes to batch before sending to broker + # # Defautl 1MiB + # produce_batch_size_bytes: 1048576 + # + # # Delay (in milliseconds) to wait before sending batch + # # Default: 100ms + # produce_batch_delay_ms: 100 + # + # # Interval (in milliseconds) for consumer request timeout + # # Default: 100ms + # consumer_request_timeout_ms: 100 + # + # # Max bytes to fetch per request + # # Default: 1MiB + # consumer_request_max_bytes: 1048576 + # + # # Timeout (in milliseconds) for consumer session + # # Default: 10s + # consumer_session_timeout_ms: 10000 + # + # # Timeout (in milliseconds) for consumer rebalance + # # Default: 2s + # consumer_rebalance_timeout_ms: 2000 + # + # # Interval (in milliseconds) for consumer heartbeats + # # Default: 500ms + # consumer_heartbeat_interval_ms: 500 + + # Invalid properties + # Any of these properties will be ignored. These otherwise valid properties are not allowed + # to be used in this section since they impact deploying Redpanda in Kubernetes. + # Make use of the above sections to modify these values instead (see comments below). + # admin: "127.0.0.1:9644" # Address and port of admin server: use listeners.admin + # admin_api_tls: validate_many # TLS configuration for admin HTTP server: use listeners.admin.tls + # advertised_kafka_api: None # Address of Kafka API published to the clients + # advertised_pandaproxy_api: None # Rest API address and port to publish to client + # advertised_rpc_api: None # Address of RPC endpoint published to other cluster members + # enable_admin_api: true # Enable the admin API + # enable_sasl: false # Enable SASL authentication for Kafka connections + # kafka_api: "127.0.0.1:9092" # Address and port of an interface to listen for Kafka API requests + # kafka_api_tls: None # TLS configuration for Kafka API endpoint + # pandaproxy_api: "0.0.0.0:8082" # Rest API listen address and port + # pandaproxy_api_tls: validate_many # TLS configuration for Pandaproxy api + # rpc_server: "127.0.0.1:33145" # IP address and port for RPC server + # rpc_server_tls: validate # TLS configuration for RPC server + # superusers: None # List of superuser usernames + +tests: + enabled: true diff --git a/charts/speedscale/speedscale-operator/2.2.476/.helmignore b/charts/speedscale/speedscale-operator/2.2.476/.helmignore new file mode 100644 index 000000000..0e8a0eb36 --- /dev/null +++ b/charts/speedscale/speedscale-operator/2.2.476/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/speedscale/speedscale-operator/2.2.476/Chart.yaml b/charts/speedscale/speedscale-operator/2.2.476/Chart.yaml new file mode 100644 index 000000000..6decc8761 --- /dev/null +++ b/charts/speedscale/speedscale-operator/2.2.476/Chart.yaml @@ -0,0 +1,27 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Speedscale Operator + catalog.cattle.io/kube-version: '>= 1.17.0-0' + catalog.cattle.io/release-name: speedscale-operator +apiVersion: v1 +appVersion: 2.2.476 +description: Stress test your APIs with real world scenarios. Collect and replay + traffic without scripting. +home: https://speedscale.com +icon: file://assets/icons/speedscale-operator.png +keywords: +- speedscale +- test +- testing +- regression +- reliability +- load +- replay +- network +- traffic +kubeVersion: '>= 1.17.0-0' +maintainers: +- email: support@speedscale.com + name: Speedscale Support +name: speedscale-operator +version: 2.2.476 diff --git a/charts/speedscale/speedscale-operator/2.2.476/LICENSE b/charts/speedscale/speedscale-operator/2.2.476/LICENSE new file mode 100644 index 000000000..b78723d62 --- /dev/null +++ b/charts/speedscale/speedscale-operator/2.2.476/LICENSE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright 2021 Speedscale + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/charts/speedscale/speedscale-operator/2.2.476/README.md b/charts/speedscale/speedscale-operator/2.2.476/README.md new file mode 100644 index 000000000..6ca25eed9 --- /dev/null +++ b/charts/speedscale/speedscale-operator/2.2.476/README.md @@ -0,0 +1,111 @@ +![GitHub Tag](https://img.shields.io/github/v/tag/speedscale/operator-helm) + + +# Speedscale Operator + +The [Speedscale](https://www.speedscale.com) Operator is a [Kubernetes operator](https://kubernetes.io/docs/concepts/extend-kubernetes/operator/) +that watches for deployments to be applied to the cluster and takes action based on annotations. The operator +can inject a proxy to capture traffic into or out of applications, or setup an isolation test environment around +a deployment for testing. The operator itself is a deployment that will be always present on the cluster once +the helm chart is installed. + +## Prerequisites + +- Kubernetes 1.20+ +- Helm 3+ +- Appropriate [network and firewall configuration](https://docs.speedscale.com/reference/networking) for Speedscale cloud and webhook traffic + +## Get Repo Info + +```bash +helm repo add speedscale https://speedscale.github.io/operator-helm/ +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Install Chart + +An API key is required. Sign up for a [free Speedscale trial](https://speedscale.com/free-trial/) if you do not have one. + +```bash +helm install speedscale-operator speedscale/speedscale-operator \ + -n speedscale \ + --create-namespace \ + --set apiKey= \ + --set clusterName= +``` + +_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._ + +### Pre-install job failure + +We use pre-install job to check provided API key and provision some of the required resources. + +If the job failed during the installation, you'll see the following error during install: + +``` +Error: INSTALLATION FAILED: failed pre-install: job failed: BackoffLimitExceeded +``` + +You can inspect the logs using this command: + +```bash +kubectl -n speedscale logs job/speedscale-operator-pre-install +``` + +After fixing the error, uninstall the helm release, delete the failed job +and try installing again: + +```bash +helm -n speedscale uninstall speedscale-operator +kubectl -n speedscale delete job speedscale-operator-pre-install +``` + +## Uninstall Chart + +```bash +helm -n speedscale uninstall speedscale-operator +``` + +This removes all the Kubernetes components associated with the chart and deletes the release. + +_See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall/) for command documentation._ + +CRDs created by this chart are not removed by default and should be manually cleaned up: + +```bash +kubectl delete crd trafficreplays.speedscale.com +``` + +## Upgrading Chart + +```bash +helm repo update +helm -n speedscale upgrade speedscale-operator speedscale/speedscale-operator +``` + +Resources capturing traffic will need to be rolled to pick up the latest +Speedscale sidecar. Use the rollout restart command for each namespace and +resource type: + +```bash +kubectl -n rollout restart deployment +``` + +With Helm v3, CRDs created by this chart are not updated by default +and should be manually updated. +Consult also the [Helm Documentation on CRDs](https://helm.sh/docs/chart_best_practices/custom_resource_definitions). + +_See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._ + +### Upgrading an existing Release to a new version + +A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an +incompatible breaking change needing manual actions. + + +## Help + +Speedscale docs information available at [docs.speedscale.com](https://docs.speedscale.com) or join us +on the [Speedscale community Slack](https://join.slack.com/t/speedscalecommunity/shared_invite/zt-x5rcrzn4-XHG1QqcHNXIM~4yozRrz8A)! diff --git a/charts/speedscale/speedscale-operator/2.2.476/app-readme.md b/charts/speedscale/speedscale-operator/2.2.476/app-readme.md new file mode 100644 index 000000000..6ca25eed9 --- /dev/null +++ b/charts/speedscale/speedscale-operator/2.2.476/app-readme.md @@ -0,0 +1,111 @@ +![GitHub Tag](https://img.shields.io/github/v/tag/speedscale/operator-helm) + + +# Speedscale Operator + +The [Speedscale](https://www.speedscale.com) Operator is a [Kubernetes operator](https://kubernetes.io/docs/concepts/extend-kubernetes/operator/) +that watches for deployments to be applied to the cluster and takes action based on annotations. The operator +can inject a proxy to capture traffic into or out of applications, or setup an isolation test environment around +a deployment for testing. The operator itself is a deployment that will be always present on the cluster once +the helm chart is installed. + +## Prerequisites + +- Kubernetes 1.20+ +- Helm 3+ +- Appropriate [network and firewall configuration](https://docs.speedscale.com/reference/networking) for Speedscale cloud and webhook traffic + +## Get Repo Info + +```bash +helm repo add speedscale https://speedscale.github.io/operator-helm/ +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Install Chart + +An API key is required. Sign up for a [free Speedscale trial](https://speedscale.com/free-trial/) if you do not have one. + +```bash +helm install speedscale-operator speedscale/speedscale-operator \ + -n speedscale \ + --create-namespace \ + --set apiKey= \ + --set clusterName= +``` + +_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._ + +### Pre-install job failure + +We use pre-install job to check provided API key and provision some of the required resources. + +If the job failed during the installation, you'll see the following error during install: + +``` +Error: INSTALLATION FAILED: failed pre-install: job failed: BackoffLimitExceeded +``` + +You can inspect the logs using this command: + +```bash +kubectl -n speedscale logs job/speedscale-operator-pre-install +``` + +After fixing the error, uninstall the helm release, delete the failed job +and try installing again: + +```bash +helm -n speedscale uninstall speedscale-operator +kubectl -n speedscale delete job speedscale-operator-pre-install +``` + +## Uninstall Chart + +```bash +helm -n speedscale uninstall speedscale-operator +``` + +This removes all the Kubernetes components associated with the chart and deletes the release. + +_See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall/) for command documentation._ + +CRDs created by this chart are not removed by default and should be manually cleaned up: + +```bash +kubectl delete crd trafficreplays.speedscale.com +``` + +## Upgrading Chart + +```bash +helm repo update +helm -n speedscale upgrade speedscale-operator speedscale/speedscale-operator +``` + +Resources capturing traffic will need to be rolled to pick up the latest +Speedscale sidecar. Use the rollout restart command for each namespace and +resource type: + +```bash +kubectl -n rollout restart deployment +``` + +With Helm v3, CRDs created by this chart are not updated by default +and should be manually updated. +Consult also the [Helm Documentation on CRDs](https://helm.sh/docs/chart_best_practices/custom_resource_definitions). + +_See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._ + +### Upgrading an existing Release to a new version + +A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an +incompatible breaking change needing manual actions. + + +## Help + +Speedscale docs information available at [docs.speedscale.com](https://docs.speedscale.com) or join us +on the [Speedscale community Slack](https://join.slack.com/t/speedscalecommunity/shared_invite/zt-x5rcrzn4-XHG1QqcHNXIM~4yozRrz8A)! diff --git a/charts/speedscale/speedscale-operator/2.2.476/questions.yaml b/charts/speedscale/speedscale-operator/2.2.476/questions.yaml new file mode 100644 index 000000000..29aee3895 --- /dev/null +++ b/charts/speedscale/speedscale-operator/2.2.476/questions.yaml @@ -0,0 +1,9 @@ +questions: +- variable: apiKey + default: "fffffffffffffffffffffffffffffffffffffffffffff" + description: "An API key is required to connect to the Speedscale cloud." + required: true + type: string + label: API Key + group: Authentication + diff --git a/charts/speedscale/speedscale-operator/2.2.476/templates/NOTES.txt b/charts/speedscale/speedscale-operator/2.2.476/templates/NOTES.txt new file mode 100644 index 000000000..cabb59b17 --- /dev/null +++ b/charts/speedscale/speedscale-operator/2.2.476/templates/NOTES.txt @@ -0,0 +1,12 @@ +Thank you for installing the Speedscale Operator! + +Next you'll need to add the Speedscale Proxy Sidecar to your deployments. +See https://docs.speedscale.com/setup/sidecar/install/ + +If upgrading use the rollout restart command for each namespace and resource +type to ensure Speedscale sidecars are updated: + + kubectl -n rollout restart deployment + +Once your deployment is running the sidecar your service will show up on +https://app.speedscale.com/. diff --git a/charts/speedscale/speedscale-operator/2.2.476/templates/admission.yaml b/charts/speedscale/speedscale-operator/2.2.476/templates/admission.yaml new file mode 100644 index 000000000..301748a61 --- /dev/null +++ b/charts/speedscale/speedscale-operator/2.2.476/templates/admission.yaml @@ -0,0 +1,209 @@ +{{- $cacrt := "" -}} +{{- $crt := "" -}} +{{- $key := "" -}} +{{- $s := (lookup "v1" "Secret" .Release.Namespace "speedscale-webhook-certs") -}} +{{- if $s -}} +{{- $cacrt = index $s.data "ca.crt" | default (index $s.data "tls.crt") | b64dec -}} +{{- $crt = index $s.data "tls.crt" | b64dec -}} +{{- $key = index $s.data "tls.key" | b64dec -}} +{{ else }} +{{- $altNames := list ( printf "speedscale-operator.%s" .Release.Namespace ) ( printf "speedscale-operator.%s.svc" .Release.Namespace ) -}} +{{- $ca := genCA "speedscale-operator" 3650 -}} +{{- $cert := genSignedCert "speedscale-operator" nil $altNames 3650 $ca -}} +{{- $cacrt = $ca.Cert -}} +{{- $crt = $cert.Cert -}} +{{- $key = $cert.Key -}} +{{- end -}} +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + creationTimestamp: null + name: speedscale-operator + annotations: + argocd.argoproj.io/hook: PreSync + {{- if .Values.globalAnnotations }} +{{ toYaml .Values.globalAnnotations | indent 4}} + {{- end }} +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + caBundle: {{ $cacrt | b64enc }} + service: + name: speedscale-operator + namespace: {{ .Release.Namespace }} + path: /mutate + failurePolicy: Ignore + name: sidecar.speedscale.com + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: "NotIn" + values: + - kube-system + - kube-node-lease + {{- if .Values.namespaceSelector }} + - key: kubernetes.io/metadata.name + operator: "In" + values: + {{- range .Values.namespaceSelector }} + - {{ . | quote }} + {{- end }} + {{- end }} + reinvocationPolicy: IfNeeded + rules: + - apiGroups: + - apps + - batch + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - deployments + - statefulsets + - daemonsets + - jobs + - replicasets + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - pods + - apiGroups: + - argoproj.io + apiVersions: + - "*" + operations: + - CREATE + - UPDATE + - DELETE + resources: + - rollouts + sideEffects: None + timeoutSeconds: 10 +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + creationTimestamp: null + name: speedscale-operator-replay + annotations: + argocd.argoproj.io/hook: PreSync + {{- if .Values.globalAnnotations }} +{{ toYaml .Values.globalAnnotations | indent 4}} + {{- end }} +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + caBundle: {{ $cacrt | b64enc }} + service: + name: speedscale-operator + namespace: {{ .Release.Namespace }} + path: /mutate-speedscale-com-v1-trafficreplay + failurePolicy: Fail + name: replay.speedscale.com + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: "NotIn" + values: + - kube-system + - kube-node-lease + {{- if .Values.namespaceSelector }} + - key: kubernetes.io/metadata.name + operator: "In" + values: + {{- range .Values.namespaceSelector }} + - {{ . | quote }} + {{- end }} + {{- end }} + rules: + - apiGroups: + - speedscale.com + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - trafficreplays + sideEffects: None + timeoutSeconds: 10 +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + creationTimestamp: null + name: speedscale-operator-replay + annotations: + argocd.argoproj.io/hook: PreSync + {{- if .Values.globalAnnotations }} +{{ toYaml .Values.globalAnnotations | indent 4}} + {{- end }} +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + caBundle: {{ $cacrt | b64enc }} + service: + name: speedscale-operator + namespace: {{ .Release.Namespace }} + path: /validate-speedscale-com-v1-trafficreplay + failurePolicy: Fail + name: replay.speedscale.com + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: "NotIn" + values: + - kube-system + - kube-node-lease + {{- if .Values.namespaceSelector }} + - key: kubernetes.io/metadata.name + operator: "In" + values: + {{- range .Values.namespaceSelector }} + - {{ . | quote }} + {{- end }} + {{- end }} + rules: + - apiGroups: + - speedscale.com + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - trafficreplays + sideEffects: None + timeoutSeconds: 10 +--- +apiVersion: v1 +kind: Secret +metadata: + annotations: + helm.sh/hook: pre-install + helm.sh/hook-delete-policy: before-hook-creation + {{- if .Values.globalAnnotations }} +{{ toYaml .Values.globalAnnotations | indent 4}} + {{- end }} + creationTimestamp: null + name: speedscale-webhook-certs + namespace: {{ .Release.Namespace }} +type: kubernetes.io/tls +data: + ca.crt: {{ $cacrt | b64enc }} + tls.crt: {{ $crt | b64enc }} + tls.key: {{ $key | b64enc }} diff --git a/charts/speedscale/speedscale-operator/2.2.476/templates/configmap.yaml b/charts/speedscale/speedscale-operator/2.2.476/templates/configmap.yaml new file mode 100644 index 000000000..04dfda91a --- /dev/null +++ b/charts/speedscale/speedscale-operator/2.2.476/templates/configmap.yaml @@ -0,0 +1,43 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: speedscale-operator + namespace: {{ .Release.Namespace }} + annotations: + argocd.argoproj.io/hook: PreSync + {{- if .Values.globalAnnotations }} +{{ toYaml .Values.globalAnnotations | indent 4}} + {{- end }} +data: + CLUSTER_NAME: {{ .Values.clusterName }} + IMAGE_PULL_POLICY: {{ .Values.image.pullPolicy }} + IMAGE_PULL_SECRETS: "" + IMAGE_REGISTRY: {{ .Values.image.registry }} + IMAGE_TAG: {{ .Values.image.tag }} + INSTANCE_ID: '{{- $cm := (lookup "v1" "ConfigMap" .Release.Namespace "speedscale-operator") -}}{{ if $cm }}{{ $cm.data.INSTANCE_ID }}{{ else }}{{ ( printf "%s-%s" .Values.clusterName uuidv4 ) }}{{ end }}' + LOG_LEVEL: {{ .Values.logLevel }} + SPEEDSCALE_DLP_CONFIG: {{ .Values.dlp.config }} + SPEEDSCALE_FILTER_RULE: {{ .Values.filterRule }} + TELEMETRY_INTERVAL: 1s + WITH_DLP: {{ .Values.dlp.enabled | quote }} + WITH_INSPECTOR: {{ .Values.dashboardAccess | quote }} + API_KEY_SECRET_NAME: {{ .Values.apiKeySecret | quote }} + DEPLOY_DEMO: {{ .Values.deployDemo | quote }} + GLOBAL_ANNOTATIONS: {{ .Values.globalAnnotations | toJson | quote }} + GLOBAL_LABELS: {{ .Values.globalLabels | toJson | quote }} + {{- if .Values.http_proxy }} + HTTP_PROXY: {{ .Values.http_proxy }} + {{- end }} + {{- if .Values.https_proxy }} + HTTPS_PROXY: {{ .Values.https_proxy }} + {{- end }} + {{- if .Values.no_proxy }} + NO_PROXY: {{ .Values.no_proxy }} + {{- end }} + PRIVILEGED_SIDECARS: {{ .Values.privilegedSidecars | quote }} + DISABLE_SMARTDNS: {{ .Values.disableSidecarSmartReverseDNS | quote }} + SIDECAR_CONFIG: {{ .Values.sidecar | toJson | quote }} + FORWARDER_CONFIG: {{ .Values.forwarder | toJson | quote }} + TEST_PREP_TIMEOUT: {{ .Values.operator.test_prep_timeout }} + CONTROL_PLANE_TIMEOUT: {{ .Values.operator.control_plane_timeout }} diff --git a/charts/speedscale/speedscale-operator/2.2.476/templates/crds/trafficreplays.yaml b/charts/speedscale/speedscale-operator/2.2.476/templates/crds/trafficreplays.yaml new file mode 100644 index 000000000..aea331547 --- /dev/null +++ b/charts/speedscale/speedscale-operator/2.2.476/templates/crds/trafficreplays.yaml @@ -0,0 +1,525 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + creationTimestamp: null + name: trafficreplays.speedscale.com +spec: + group: speedscale.com + names: + kind: TrafficReplay + listKind: TrafficReplayList + plural: trafficreplays + shortNames: + - replay + singular: trafficreplay + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.active + name: Active + type: boolean + - jsonPath: .spec.mode + name: Mode + type: string + - jsonPath: .status.conditions[-1:].message + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: TrafficReplay is the Schema for the trafficreplays API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: TrafficReplaySpec defines the desired state of TrafficReplay + properties: + buildTag: + description: |- + BuildTag links a unique tag, build hash, etc. to the generated + traffic replay report. That way you can connect the report results to the + version of the code that was tested. + type: string + cleanup: + description: |- + Cleanup is the name of cleanup mode used for this TrafficReplay. Set to + "none" to leave resources in the state they were during the replay. The + default mode "inventory" will revert the environment to the state it was + before the replay. + enum: + - inventory + - all + - none + type: string + collectLogs: + description: |- + CollectLogs enables or disables log collection from target + workload. Defaults to true. + DEPRECATED: use TestReport.ActualConfig.Cluster.CollectLogs + type: boolean + configChecksum: + description: |- + ConfigChecksum, managed my the operator, is the SHA1 checksum of the + configuration. + type: string + customURL: + description: |- + CustomURL specifies a custom URL to send *ALL* traffic to. Use + Workload.CustomURI to send traffic to a specific URL for only that + workload. + type: string + generatorLowData: + description: |- + GeneratorLowData forces the generator into a high + efficiency/low data output mode. This is ideal for high volume + performance tests. Defaults to false. + DEPRECATED + type: boolean + mode: + description: Mode is the name of replay mode used for this TrafficReplay. + enum: + - full-replay + - responder-only + - generator-only + type: string + needsReport: + description: Indicates whether a responder-only replay needs a report. + type: boolean + proxyMode: + description: |- + ProxyMode defines proxy operational mode used with injected sidecar. + DEPRECATED + type: string + responderLowData: + description: |- + ResponderLowData forces the responder into a high + efficiency/low data output mode. This is ideal for high volume + performance tests. Defaults to false. + DEPRECATED + type: boolean + secretRefs: + description: |- + SecretRefs hold the references to the secrets which contain + various secrets like (e.g. short-lived JWTs to be used by the generator + for authorization with HTTP calls). + items: + description: |- + LocalObjectReference contains enough information to locate the referenced + Kubernetes resource object. + properties: + name: + description: Name of the referent. + type: string + required: + - name + type: object + type: array + sidecar: + description: |- + Sidecar defines sidecar specific configuration. + DEPRECATED: use Workloads + properties: + inject: + description: 'DEPRECATED: do not use' + type: boolean + patch: + description: Patch is .yaml file patch for the Workload + format: byte + type: string + tls: + properties: + in: + description: In provides configuration for sidecar inbound + TLS. + properties: + private: + description: Private is the filename of the TLS inbound + private key. + type: string + public: + description: Public is the filename of the TLS inbound + public key. + type: string + secret: + description: Secret is a secret with the TLS keys to use + for inbound traffic. + type: string + type: object + mutual: + description: Mutual provides configuration for sidecar mutual + TLS. + properties: + private: + description: Private is the filename of the mutual TLS + private key. + type: string + public: + description: Public is the filename of the mutual TLS + public key. + type: string + secret: + description: Secret is a secret with the mutual TLS keys. + type: string + type: object + out: + description: |- + Out enables or disables TLS out on the + sidecar during replay. + type: boolean + type: object + type: object + snapshotID: + description: |- + SnapshotID is the id of the traffic snapshot for this + TrafficReplay. + type: string + testConfigID: + description: |- + TestConfigID is the id of the replay configuration to be used + by the generator and responder for the TrafficReplay. + type: string + timeout: + description: |- + Timeout is the time to wait for replay test to finish. Defaults + to value of the `TIMEOUT` setting of the operator. + type: string + ttlAfterReady: + description: |- + TTLAfterReady provides a TTL (time to live) mechanism to limit + the lifetime of TrafficReplay object that have finished the execution and + reached its final state (either complete or failed). + type: string + workloadRef: + description: |- + WorkloadRef is the reference to the target workload (SUT) for + TrafficReplay. The operations will be performed in the namespace of the + target object. + DEPRECATED: use Workloads + properties: + apiVersion: + description: API version of the referenced object. + type: string + kind: + description: Kind of the referenced object. Defaults to "Deployment". + type: string + name: + description: |- + Name of the referenced object. Required when defining for a test unless a + custom URI is provided. Always required when defining mocks. + type: string + namespace: + description: Namespace of the referenced object. Defaults to the + TrafficReplay namespace. + type: string + required: + - name + type: object + workloads: + description: |- + Workloads define target workloads (SUT) for a TrafficReplay. Many + workloads may be provided, or none. Workloads may be modified and + restarted during replay to configure communication with a responder. + items: + description: |- + Workload represents a Kubernetes workload to be targeted during replay and + associated settings. + properties: + customURI: + description: |- + CustomURI will be target of the traffic instead of directly targeting + workload. This is required if a Ref is not specified. + type: string + inTrafficKey: + description: 'DEPRECATED: use Tests' + type: string + inTrafficKeys: + description: 'DEPRECATED: use Tests' + items: + type: string + type: array + mocks: + description: |- + Mocks are strings used to identify slices of outbound snapshot traffic to + mock for this workload and maps directly to a snapshot's `OutTraffic` + field. Snapshot egress traffic can be split across multiple slices where + each slice contains part of the traffic. A workload may specify multiple + keys and multiple workloads may specify the same key. + + + Only the traffic slices defined here will be mocked. A workload with no + keys defined will not mock any traffic. Pass '*' to mock all traffic. + + + Mock strings may only match part of the snapshot's `OutTraffic` key if the + string matches exactly one key. For example, the test string + `foo.example.com` would match the `OutTraffic` key of + my-service:foo.example.com:8080, as long as no other keys would match + `foo.example.com`. Multiple mocks must be specified for multiple keys + unless using '*'. + items: + type: string + type: array + outTrafficKeys: + description: 'DEPRECATED: use Mocks' + items: + type: string + type: array + ref: + description: |- + Ref is a reference to a cluster workload, like a deployment or a + statefulset. This is required unless a CustomURI is specified. + properties: + apiVersion: + description: API version of the referenced object. + type: string + kind: + description: Kind of the referenced object. Defaults to + "Deployment". + type: string + name: + description: |- + Name of the referenced object. Required when defining for a test unless a + custom URI is provided. Always required when defining mocks. + type: string + namespace: + description: Namespace of the referenced object. Defaults + to the TrafficReplay namespace. + type: string + required: + - name + type: object + routing: + description: Routing configures how workloads route egress traffic + to responders + enum: + - hostalias + - nat + type: string + sidecar: + description: |- + TODO: this is not implemented, come back and replace deprecated Sidecar with workload specific settings + Sidecar defines sidecar specific configuration. + properties: + inject: + description: 'DEPRECATED: do not use' + type: boolean + patch: + description: Patch is .yaml file patch for the Workload + format: byte + type: string + tls: + properties: + in: + description: In provides configuration for sidecar inbound + TLS. + properties: + private: + description: Private is the filename of the TLS + inbound private key. + type: string + public: + description: Public is the filename of the TLS inbound + public key. + type: string + secret: + description: Secret is a secret with the TLS keys + to use for inbound traffic. + type: string + type: object + mutual: + description: Mutual provides configuration for sidecar + mutual TLS. + properties: + private: + description: Private is the filename of the mutual + TLS private key. + type: string + public: + description: Public is the filename of the mutual + TLS public key. + type: string + secret: + description: Secret is a secret with the mutual + TLS keys. + type: string + type: object + out: + description: |- + Out enables or disables TLS out on the + sidecar during replay. + type: boolean + type: object + type: object + tests: + description: |- + Tests are strings used to identify slices of inbound snapshot traffic this + workload is targeting and maps directly to a snapshot's `InTraffic` field. + Snapshot ingress traffic can be split across multiple slices where each + slice contains part of the traffic. A key must only be specified once + across all workloads, but a workload may specify multiple keys. Pass '*' + to match all keys. + + + Test strings may only match part of the snapshot's `InTraffic` key if the + string matches exactly one key. For example, the test string + `foo.example.com` would match the `InTraffic` key of + my-service:foo.example.com:8080, as long as no other keys would match + `foo.example.com` + + + This field is optional in the spec to provide support for single-workload + and legacy replays, but must be specified for multi-workload replays in + order to provide deterministic replay configuration. + items: + type: string + type: array + type: object + type: array + required: + - snapshotID + - testConfigID + type: object + status: + default: + observedGeneration: -1 + description: TrafficReplayStatus defines the observed state of TrafficReplay + properties: + active: + description: Active indicates whether this traffic replay is currently + underway or not. + type: boolean + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + finishedTime: + description: Information when the traffic replay has finished. + format: date-time + type: string + initializedTime: + description: Information when the test environment was successfully + prepared. + format: date-time + type: string + lastHeartbeatTime: + description: 'DEPRECATED: will not be set' + format: date-time + type: string + observedGeneration: + description: ObservedGeneration is the last observed generation. + format: int64 + type: integer + reconcileFailures: + description: |- + ReconcileFailures is the number of times the traffic replay controller + experienced an error during the reconciliation process. The traffic + replay will be deleted if too many errors occur. + format: int64 + type: integer + reportID: + description: The id of the traffic replay report created. + type: string + reportURL: + description: The url to the traffic replay report. + type: string + startedTime: + description: Information when the traffic replay has started. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/charts/speedscale/speedscale-operator/2.2.476/templates/deployments.yaml b/charts/speedscale/speedscale-operator/2.2.476/templates/deployments.yaml new file mode 100644 index 000000000..e5f329257 --- /dev/null +++ b/charts/speedscale/speedscale-operator/2.2.476/templates/deployments.yaml @@ -0,0 +1,132 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + operator.speedscale.com/ignore: "true" + {{- if .Values.globalAnnotations }} +{{ toYaml .Values.globalAnnotations | indent 4}} + {{- end }} + labels: + app: speedscale-operator + controlplane.speedscale.com/component: operator + {{- if .Values.globalLabels }} +{{ toYaml .Values.globalLabels | indent 4}} + {{- end }} + name: speedscale-operator + namespace: {{ .Release.Namespace }} +spec: + replicas: 1 + selector: + matchLabels: + app: speedscale-operator + controlplane.speedscale.com/component: operator + strategy: + type: Recreate + template: + metadata: + annotations: + {{- if .Values.globalAnnotations }} +{{ toYaml .Values.globalAnnotations | indent 8}} + {{- end }} + labels: + app: speedscale-operator + controlplane.speedscale.com/component: operator + {{- if .Values.globalLabels }} +{{ toYaml .Values.globalLabels | indent 8}} + {{- end }} + spec: + containers: + - command: + - /operator + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + envFrom: + - configMapRef: + name: speedscale-operator + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#container-v1-core + # When a key exists in multiple sources, the value associated with the last source will take precedence. + # Values defined by an Env with a duplicate key will take precedence. + - configMapRef: + name: speedscale-operator-override + optional: true + - secretRef: + name: '{{ ne .Values.apiKeySecret "" | ternary .Values.apiKeySecret "speedscale-apikey" }}' + optional: false + image: '{{ .Values.image.registry }}/operator:{{ .Values.image.tag }}' + imagePullPolicy: {{ .Values.image.pullPolicy }} + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: health-check + scheme: HTTP + initialDelaySeconds: 30 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 + name: operator + ports: + - containerPort: 443 + name: webhook-server + - containerPort: 8081 + name: health-check + readinessProbe: + failureThreshold: 10 + httpGet: + path: /readyz + port: health-check + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + resources: {{- toYaml .Values.operator.resources | nindent 10 }} + securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: false + # Run as root to bind 443 https://github.com/kubernetes/kubernetes/issues/56374 + runAsUser: 0 + volumeMounts: + - mountPath: /tmp + name: tmp + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: webhook-certs + readOnly: true + - mountPath: /etc/ssl/speedscale + name: speedscale-tls-out + readOnly: true + hostNetwork: {{ .Values.hostNetwork }} + securityContext: + runAsNonRoot: true + serviceAccountName: speedscale-operator + terminationGracePeriodSeconds: 10 + volumes: + - emptyDir: {} + name: tmp + - name: webhook-certs + secret: + secretName: speedscale-webhook-certs + - name: speedscale-tls-out + secret: + secretName: speedscale-certs + {{- if .Values.affinity }} + affinity: {{ toYaml .Values.affinity | nindent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: {{ toYaml .Values.tolerations | nindent 8 }} + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }} + {{- end }} diff --git a/charts/speedscale/speedscale-operator/2.2.476/templates/hooks.yaml b/charts/speedscale/speedscale-operator/2.2.476/templates/hooks.yaml new file mode 100644 index 000000000..3e8231f19 --- /dev/null +++ b/charts/speedscale/speedscale-operator/2.2.476/templates/hooks.yaml @@ -0,0 +1,73 @@ +--- +apiVersion: batch/v1 +kind: Job +metadata: + annotations: + helm.sh/hook: pre-install + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + helm.sh/hook-weight: "4" + {{- if .Values.globalAnnotations }} +{{ toYaml .Values.globalAnnotations | indent 4}} + {{- end }} + creationTimestamp: null + name: speedscale-operator-pre-install + namespace: {{ .Release.Namespace }} + labels: + {{- if .Values.globalLabels }} +{{ toYaml .Values.globalLabels | indent 4}} + {{- end }} +spec: + backoffLimit: 0 + ttlSecondsAfterFinished: 30 + template: + metadata: + annotations: + {{- if .Values.globalAnnotations }} +{{ toYaml .Values.globalAnnotations | indent 8}} + {{- end }} + creationTimestamp: null + labels: + {{- if .Values.globalLabels }} +{{ toYaml .Values.globalLabels | indent 8}} + {{- end }} + spec: + containers: + - args: + - |- + # ensure valid settings before the chart reports a successfull install + {{- if .Values.http_proxy }} + HTTP_PROXY={{ .Values.http_proxy | quote }} \ + {{- end }} + {{- if .Values.https_proxy }} + HTTPS_PROXY={{ .Values.https_proxy | quote }} \ + {{- end }} + {{- if .Values.no_proxy }} + NO_PROXY={{ .Values.no_proxy | quote }} \ + {{- end }} + speedctl init --overwrite --no-rcfile-update \ + --api-key $SPEEDSCALE_API_KEY \ + --app-url $SPEEDSCALE_APP_URL + + # in case we're in istio + curl -X POST http://127.0.0.1:15000/quitquitquit || true + command: + - sh + - -c + envFrom: + - secretRef: + name: '{{ ne .Values.apiKeySecret "" | ternary .Values.apiKeySecret "speedscale-apikey" }}' + optional: false + image: '{{ .Values.image.registry }}/speedscale-cli:{{ .Values.image.tag }}' + imagePullPolicy: {{ .Values.image.pullPolicy }} + name: speedscale-cli + resources: {} + restartPolicy: Never + {{- if .Values.affinity }} + affinity: {{ toYaml .Values.affinity | nindent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: {{ toYaml .Values.tolerations | nindent 8 }} + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }} + {{- end }} diff --git a/charts/speedscale/speedscale-operator/2.2.476/templates/rbac.yaml b/charts/speedscale/speedscale-operator/2.2.476/templates/rbac.yaml new file mode 100644 index 000000000..e1ea42d99 --- /dev/null +++ b/charts/speedscale/speedscale-operator/2.2.476/templates/rbac.yaml @@ -0,0 +1,244 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: speedscale-operator + {{- if .Values.globalAnnotations }} + annotations: {{ toYaml .Values.globalAnnotations | nindent 4 }} + {{- end }} +rules: +- apiGroups: + - apps + resources: + - deployments + - statefulsets + - daemonsets + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +- apiGroups: + - apps + resources: + - replicasets + verbs: + - delete + - deletecollection + - get + - list + - patch + - update + - watch +- apiGroups: + - batch + resources: + - jobs + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - list +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + - clusterroles + verbs: + - get + - list +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - configmaps + - secrets + - pods + - services + - serviceaccounts + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - pods/log + verbs: + - get + - list +- apiGroups: + - "" + resources: + - events + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - watch +- apiGroups: + - metrics.k8s.io + resources: + - pods + verbs: + - get + - list + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + - roles + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +- apiGroups: + - networking.istio.io + resources: + - envoyfilters + - sidecars + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +- apiGroups: + - security.istio.io + resources: + - peerauthentications + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +- apiGroups: + - speedscale.com + resources: + - trafficreplays + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +- apiGroups: + - speedscale.com + resources: + - trafficreplays/status + verbs: + - get + - update + - patch +- apiGroups: + - argoproj.io + resources: + - rollouts + verbs: + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: speedscale-operator + {{- if .Values.globalAnnotations }} + annotations: {{ toYaml .Values.globalAnnotations | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: speedscale-operator +subjects: +- kind: ServiceAccount + name: speedscale-operator + namespace: {{ .Release.Namespace }} +--- +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + creationTimestamp: null + labels: + app: speedscale-operator + controlplane.speedscale.com/component: operator + name: speedscale-operator + namespace: {{ .Release.Namespace }} + {{- if .Values.globalAnnotations }} + annotations: {{ toYaml .Values.globalAnnotations | nindent 4 }} + {{- end }} diff --git a/charts/speedscale/speedscale-operator/2.2.476/templates/secrets.yaml b/charts/speedscale/speedscale-operator/2.2.476/templates/secrets.yaml new file mode 100644 index 000000000..1fb6999e4 --- /dev/null +++ b/charts/speedscale/speedscale-operator/2.2.476/templates/secrets.yaml @@ -0,0 +1,18 @@ +--- +{{ if .Values.apiKey }} +apiVersion: v1 +kind: Secret +metadata: + name: speedscale-apikey + namespace: {{ .Release.Namespace }} + annotations: + helm.sh/hook: pre-install + helm.sh/hook-weight: "3" + {{- if .Values.globalAnnotations }} +{{ toYaml .Values.globalAnnotations | indent 4}} + {{- end }} +type: Opaque +data: + SPEEDSCALE_API_KEY: {{ .Values.apiKey | b64enc }} + SPEEDSCALE_APP_URL: {{ .Values.appUrl | b64enc }} +{{ end }} diff --git a/charts/speedscale/speedscale-operator/2.2.476/templates/services.yaml b/charts/speedscale/speedscale-operator/2.2.476/templates/services.yaml new file mode 100644 index 000000000..f9da2c25c --- /dev/null +++ b/charts/speedscale/speedscale-operator/2.2.476/templates/services.yaml @@ -0,0 +1,22 @@ +--- +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app: speedscale-operator + controlplane.speedscale.com/component: operator + name: speedscale-operator + namespace: {{ .Release.Namespace }} + {{- if .Values.globalAnnotations }} + annotations: {{ toYaml .Values.globalAnnotations | nindent 4 }} + {{- end }} +spec: + ports: + - port: 443 + protocol: TCP + selector: + app: speedscale-operator + controlplane.speedscale.com/component: operator +status: + loadBalancer: {} diff --git a/charts/speedscale/speedscale-operator/2.2.476/templates/tls.yaml b/charts/speedscale/speedscale-operator/2.2.476/templates/tls.yaml new file mode 100644 index 000000000..4a2456288 --- /dev/null +++ b/charts/speedscale/speedscale-operator/2.2.476/templates/tls.yaml @@ -0,0 +1,183 @@ +{{- $crt := "" -}} +{{- $key := "" -}} +{{- $s := (lookup "v1" "Secret" .Release.Namespace "speedscale-certs") -}} +{{- if $s -}} +{{- $crt = index $s.data "tls.crt" | b64dec -}} +{{- $key = index $s.data "tls.key" | b64dec -}} +{{ else }} +{{- $cert := genCA "Speedscale" 3650 -}} +{{- $crt = $cert.Cert -}} +{{- $key = $cert.Key -}} +{{- end -}} +--- +apiVersion: batch/v1 +kind: Job +metadata: + annotations: + helm.sh/hook: pre-install + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + helm.sh/hook-weight: "5" + {{- if .Values.globalAnnotations }} +{{ toYaml .Values.globalAnnotations | indent 4}} + {{- end }} + creationTimestamp: null + name: speedscale-operator-create-jks + namespace: {{ .Release.Namespace }} + labels: + {{- if .Values.globalLabels }} +{{ toYaml .Values.globalLabels | indent 4}} + {{- end }} +spec: + backoffLimit: 0 + ttlSecondsAfterFinished: 30 + template: + metadata: + annotations: + {{- if .Values.globalAnnotations }} +{{ toYaml .Values.globalAnnotations | indent 8}} + {{- end }} + creationTimestamp: null + labels: + {{- if .Values.globalAnnotations }} +{{ toYaml .Values.globalAnnotations | indent 8}} + {{- end }} + spec: + containers: + - args: + - |- + keytool -keystore /usr/lib/jvm/jre/lib/security/cacerts -importcert -noprompt -trustcacerts -storepass changeit -alias speedscale -file /etc/ssl/speedscale/tls.crt + kubectl -n ${POD_NAMESPACE} delete secret speedscale-jks || true + kubectl -n ${POD_NAMESPACE} create secret generic speedscale-jks --from-file=cacerts.jks=/usr/lib/jvm/jre/lib/security/cacerts + + # in case we're in istio + curl -X POST http://127.0.0.1:15000/quitquitquit || true + command: + - sh + - -c + volumeMounts: + - mountPath: /etc/ssl/speedscale + name: speedscale-tls-out + readOnly: true + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + envFrom: + - secretRef: + name: '{{ ne .Values.apiKeySecret "" | ternary .Values.apiKeySecret "speedscale-apikey" }}' + optional: false + image: '{{ .Values.image.registry }}/amazoncorretto' + imagePullPolicy: {{ .Values.image.pullPolicy }} + name: create-jks + resources: {} + restartPolicy: Never + serviceAccountName: speedscale-operator-provisioning + volumes: + - name: speedscale-tls-out + secret: + secretName: speedscale-certs + {{- if .Values.affinity }} + affinity: {{ toYaml .Values.affinity | nindent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: {{ toYaml .Values.tolerations | nindent 8 }} + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }} + {{- end }} +--- +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: + helm.sh/hook: pre-install + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + helm.sh/hook-weight: "1" + {{- if .Values.globalAnnotations }} +{{ toYaml .Values.globalAnnotations | indent 4}} + {{- end }} + creationTimestamp: null + labels: + app: speedscale-operator + controlplane.speedscale.com/component: operator + name: speedscale-operator-provisioning + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + helm.sh/hook: pre-install + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + helm.sh/hook-weight: "2" + creationTimestamp: null + name: speedscale-operator-provisioning +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: + helm.sh/hook: pre-install + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + helm.sh/hook-weight: "3" + {{- if .Values.globalAnnotations }} +{{ toYaml .Values.globalAnnotations | indent 4}} + {{- end }} + creationTimestamp: null + name: speedscale-operator-provisioning +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: speedscale-operator-provisioning +subjects: +- kind: ServiceAccount + name: speedscale-operator-provisioning + namespace: {{ .Release.Namespace }} +--- +apiVersion: v1 +kind: Secret +metadata: + annotations: + helm.sh/hook: pre-install + helm.sh/hook-delete-policy: before-hook-creation + {{- if .Values.globalAnnotations }} +{{ toYaml .Values.globalAnnotations | indent 4}} + {{- end }} + creationTimestamp: null + name: speedscale-certs + namespace: {{ .Release.Namespace }} +type: kubernetes.io/tls +data: + tls.crt: {{ $crt | b64enc }} + tls.key: {{ $key | b64enc }} diff --git a/charts/speedscale/speedscale-operator/2.2.476/values.yaml b/charts/speedscale/speedscale-operator/2.2.476/values.yaml new file mode 100644 index 000000000..13c76b82b --- /dev/null +++ b/charts/speedscale/speedscale-operator/2.2.476/values.yaml @@ -0,0 +1,138 @@ +# An API key is required to connect to the Speedscale cloud. +# If you need a key email support@speedscale.com. +apiKey: "" + +# A secret name can be referenced instead of the api key itself. +# The secret must be of the format: +# +# type: Opaque +# data: +# SPEEDSCALE_API_KEY: +# SPEEDSCALE_APP_URL: +apiKeySecret: "" + +# Speedscale domain to use. +appUrl: "app.speedscale.com" + +# The name of your cluster. +clusterName: "my-cluster" + +# Speedscale components image settings. +image: + registry: gcr.io/speedscale + tag: v2.2.476 + pullPolicy: Always + +# Log level for Speedscale components. +logLevel: "info" + +# Namespaces to be watched by Speedscale Operator as a list of names. +namespaceSelector: [] + +# Instructs operator to deploy resources necessary to interact with your cluster from the Speedscale dashboard. +dashboardAccess: true + +# Filter Rule to apply to the Speedscale Forwarder +filterRule: "standard" + +# Data Loss Prevention settings. +dlp: + # Instructs operator to enable data loss prevention features + enabled: false + + # Configuration for data loss prevention + config: "standard" + +# If the operator pod/webhooks need to be on the host network. +# This is only needed if the control plane cannot connect directly to a pod +# for eg. if Calico is used as EKS's default networking +# https://docs.tigera.io/calico/3.25/getting-started/kubernetes/managed-public-cloud/eks#install-eks-with-calico-networking +hostNetwork: false + +# A set of annotations to be applied to all Speedscale related deployments, +# services, jobs, pods, etc. +# +# Example: +# annotation.first: value +# annotation.second: value +globalAnnotations: {} + +# A set of labels to be applied to all Speedscale related deployments, +# services, jobs, pods, etc. +# +# Example: +# label1: value +# label2: value +globalLabels: {} + +# A full affinity object as detailed: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity +affinity: {} + +# The list of tolerations as detailed: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ +tolerations: [] + +# A nodeselector object as detailed: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/ +nodeSelector: {} + +# Deploy a demo app at startup. Set this to an empty string to not deploy. +# Valid values: ["java", ""] +deployDemo: "java" + +# Proxy connection settings if required by your network. These translate to standard proxy environment +# variables HTTP_PROXY, HTTPS_PROXY, and NO_PROXY +http_proxy: "" +https_proxy: "" +no_proxy: "" + +# control if sidecar init containers should run with privileged set +privilegedSidecars: false + +# control if the sidecar should enable/disable use of the smart dns lookup feature (requires NET_ADMIN) +disableSidecarSmartReverseDNS: false + +# Operator settings. These limits are recommended unless you have a cluster +# with a very large number of workloads (for eg. 10k+ deployments, replicasets, etc.). +operator: + resources: + limits: + cpu: 500m + memory: 512Mi + requests: + cpu: 100m + memory: 128Mi + # how long to wait for the SUT to become ready + test_prep_timeout: 10m + # timeout for deploying & upgrading control plane components + control_plane_timeout: 5m + + +# Default sidecar settings. Example: +# sidecar: +# resources: +# limits: +# cpu: 500m +# memory: 512Mi +# ephemeral-storage: 100Mi +# requests: +# cpu: 10m +# memory: 32Mi +# ephemeral-storage: 100Mi +# ignore_src_hosts: example.com, example.org +# ignore_src_ips: 8.8.8.8, 1.1.1.1 +# ignore_dst_hosts: example.com, example.org +# ignore_dst_ips: 8.8.8.8, 1.1.1.1 +# insert_init_first: false +# tls_out: false +# reinitialize_iptables: false +sidecar: {} + +# Forwarder settings +# forwarder: +# resources: +# limits: +# cpu: 500m +# memory: 500M +# requests: +# cpu: 300m +# memory: 250M +forwarder: {} diff --git a/charts/traefik/traefik/32.0.0/.helmignore b/charts/traefik/traefik/32.0.0/.helmignore new file mode 100644 index 000000000..9c42ddd90 --- /dev/null +++ b/charts/traefik/traefik/32.0.0/.helmignore @@ -0,0 +1,2 @@ +tests/ +crds/kustomization.yaml diff --git a/charts/traefik/traefik/32.0.0/Changelog.md b/charts/traefik/traefik/32.0.0/Changelog.md new file mode 100644 index 000000000..3841d4cc9 --- /dev/null +++ b/charts/traefik/traefik/32.0.0/Changelog.md @@ -0,0 +1,10261 @@ +# Change Log + +## 32.0.0 ![AppVersion: v3.1.4](https://img.shields.io/static/v1?label=AppVersion&message=v3.1.4&color=success&logo=) ![Kubernetes: >=1.22.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.22.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2024-09-27 + +* chore(release): :rocket: publish 32.0.0 +* fix: replace `CLF` with `common` in `values.yaml` +* feat(Traefik Hub): add APIPlans and APIBundles CRDs + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 51dec67..f36a9dd 100644 +index d5173dc..f36a9dd 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -345,7 +345,7 @@ logs: + # -- To enable access logs + enabled: false + # -- Set [access log format](https://doc.traefik.io/traefik/observability/access-logs/#format) +- format: # @schema enum:["CLF", "json", null]; type:[string, null]; default: "CLF" ++ format: # @schema enum:["common", "json", null]; type:[string, null]; default: "common" + # filePath: "/var/log/traefik/access.log + # -- Set [bufferingSize](https://doc.traefik.io/traefik/observability/access-logs/#bufferingsize) + bufferingSize: # @schema type:[integer, null] +@@ -911,35 +911,34 @@ hub: + # -- Certificate of the WebHook admission server. Default: "hub-agent-cert". + secretName: "" + +- ratelimit: +- redis: +- # -- Enable Redis Cluster. Default: true. +- cluster: # @schema type:[boolean, null] +- # -- Database used to store information. Default: "0". +- database: # @schema type:[string, null] +- # -- Endpoints of the Redis instances to connect to. Default: "". +- endpoints: "" +- # -- The username to use when connecting to Redis endpoints. Default: "". ++ redis: ++ # -- Enable Redis Cluster. Default: true. ++ cluster: # @schema type:[boolean, null] ++ # -- Database used to store information. Default: "0". ++ database: # @schema type:[string, null] ++ # -- Endpoints of the Redis instances to connect to. Default: "". ++ endpoints: "" ++ # -- The username to use when connecting to Redis endpoints. Default: "". ++ username: "" ++ # -- The password to use when connecting to Redis endpoints. Default: "". ++ password: "" ++ sentinel: ++ # -- Name of the set of main nodes to use for main selection. Required when using Sentinel. Default: "". ++ masterset: "" ++ # -- Username to use for sentinel authentication (can be different from endpoint username). Default: "". + username: "" +- # -- The password to use when connecting to Redis endpoints. Default: "". ++ # -- Password to use for sentinel authentication (can be different from endpoint password). Default: "". + password: "" +- sentinel: +- # -- Name of the set of main nodes to use for main selection. Required when using Sentinel. Default: "". +- masterset: "" +- # -- Username to use for sentinel authentication (can be different from endpoint username). Default: "". +- username: "" +- # -- Password to use for sentinel authentication (can be different from endpoint password). Default: "". +- password: "" +- # -- Timeout applied on connection with redis. Default: "0s". +- timeout: "" +- tls: +- # -- Path to the certificate authority used for the secured connection. +- ca: "" +- # -- Path to the public certificate used for the secure connection. +- cert: "" +- # -- Path to the private key used for the secure connection. +- key: "" +- # -- When insecureSkipVerify is set to true, the TLS connection accepts any certificate presented by the server. Default: false. +- insecureSkipVerify: false ++ # -- Timeout applied on connection with redis. Default: "0s". ++ timeout: "" ++ tls: ++ # -- Path to the certificate authority used for the secured connection. ++ ca: "" ++ # -- Path to the public certificate used for the secure connection. ++ cert: "" ++ # -- Path to the private key used for the secure connection. ++ key: "" ++ # -- When insecureSkipVerify is set to true, the TLS connection accepts any certificate presented by the server. Default: false. ++ insecureSkipVerify: false + # Enable export of errors logs to the platform. Default: true. + sendlogs: # @schema type:[boolean, null] +``` + +## 32.0.0-rc1 ![AppVersion: v3.1.4](https://img.shields.io/static/v1?label=AppVersion&message=v3.1.4&color=success&logo=) ![Kubernetes: >=1.22.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.22.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2024-09-20 + +* feat(Traefik Hub): add APIPlans and APIBundles CRDs +* chore(release): 🚀 publish 32.0.0-rc1 + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index d5173dc..51dec67 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -911,35 +911,34 @@ hub: + # -- Certificate of the WebHook admission server. Default: "hub-agent-cert". + secretName: "" + +- ratelimit: +- redis: +- # -- Enable Redis Cluster. Default: true. +- cluster: # @schema type:[boolean, null] +- # -- Database used to store information. Default: "0". +- database: # @schema type:[string, null] +- # -- Endpoints of the Redis instances to connect to. Default: "". +- endpoints: "" +- # -- The username to use when connecting to Redis endpoints. Default: "". ++ redis: ++ # -- Enable Redis Cluster. Default: true. ++ cluster: # @schema type:[boolean, null] ++ # -- Database used to store information. Default: "0". ++ database: # @schema type:[string, null] ++ # -- Endpoints of the Redis instances to connect to. Default: "". ++ endpoints: "" ++ # -- The username to use when connecting to Redis endpoints. Default: "". ++ username: "" ++ # -- The password to use when connecting to Redis endpoints. Default: "". ++ password: "" ++ sentinel: ++ # -- Name of the set of main nodes to use for main selection. Required when using Sentinel. Default: "". ++ masterset: "" ++ # -- Username to use for sentinel authentication (can be different from endpoint username). Default: "". + username: "" +- # -- The password to use when connecting to Redis endpoints. Default: "". ++ # -- Password to use for sentinel authentication (can be different from endpoint password). Default: "". + password: "" +- sentinel: +- # -- Name of the set of main nodes to use for main selection. Required when using Sentinel. Default: "". +- masterset: "" +- # -- Username to use for sentinel authentication (can be different from endpoint username). Default: "". +- username: "" +- # -- Password to use for sentinel authentication (can be different from endpoint password). Default: "". +- password: "" +- # -- Timeout applied on connection with redis. Default: "0s". +- timeout: "" +- tls: +- # -- Path to the certificate authority used for the secured connection. +- ca: "" +- # -- Path to the public certificate used for the secure connection. +- cert: "" +- # -- Path to the private key used for the secure connection. +- key: "" +- # -- When insecureSkipVerify is set to true, the TLS connection accepts any certificate presented by the server. Default: false. +- insecureSkipVerify: false ++ # -- Timeout applied on connection with redis. Default: "0s". ++ timeout: "" ++ tls: ++ # -- Path to the certificate authority used for the secured connection. ++ ca: "" ++ # -- Path to the public certificate used for the secure connection. ++ cert: "" ++ # -- Path to the private key used for the secure connection. ++ key: "" ++ # -- When insecureSkipVerify is set to true, the TLS connection accepts any certificate presented by the server. Default: false. ++ insecureSkipVerify: false + # Enable export of errors logs to the platform. Default: true. + sendlogs: # @schema type:[boolean, null] +``` + +## 31.1.1 ![AppVersion: v3.1.4](https://img.shields.io/static/v1?label=AppVersion&message=v3.1.4&color=success&logo=) ![Kubernetes: >=1.22.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.22.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2024-09-20 + +* fix: 🐛 updateStrategy behavior +* feat(deps): update traefik docker tag to v3.1.4 +* chore(release): 🚀 publish v31.1.1 + +## 31.1.0 ![AppVersion: v3.1.3](https://img.shields.io/static/v1?label=AppVersion&message=v3.1.3&color=success&logo=) ![Kubernetes: >=1.22.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.22.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2024-09-18 + +* fix: 🐛 update CRD to v3.1 +* feat: ✨ input validation using schema +* feat: ✨ add AllowACMEByPass and improve schema/doc on ports values +* feat: add new webhooks and removes unnecessary ones +* feat(deps): update traefik docker tag to v3.1.3 +* chore(release): 🚀 publish v31.1.0 + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 2232d9e..1b9d0fd 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -2,13 +2,13 @@ + # This is a YAML-formatted file. + # Declare variables to be passed into templates + +-image: ++image: # @schema additionalProperties: false + # -- Traefik image host registry + registry: docker.io + # -- Traefik image repository + repository: traefik + # -- defaults to appVersion +- tag: ++ tag: # @schema type:[string, null] + # -- Traefik image pull policy + pullPolicy: IfNotPresent + +@@ -23,27 +23,27 @@ deployment: + # -- Number of pods of the deployment (only applies when kind == Deployment) + replicas: 1 + # -- Number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10) +- # revisionHistoryLimit: 1 ++ revisionHistoryLimit: # @schema type:[integer, null];minimum:0 + # -- Amount of time (in seconds) before Kubernetes will send the SIGKILL signal if Traefik does not shut down + terminationGracePeriodSeconds: 60 + # -- The minimum number of seconds Traefik needs to be up and running before the DaemonSet/Deployment controller considers it available + minReadySeconds: 0 +- ## Override the liveness/readiness port. This is useful to integrate traefik ++ ## -- Override the liveness/readiness port. This is useful to integrate traefik + ## with an external Load Balancer that performs healthchecks. + ## Default: ports.traefik.port +- # healthchecksPort: 9000 +- ## Override the liveness/readiness host. Useful for getting ping to respond on non-default entryPoint. ++ healthchecksPort: # @schema type:[integer, null];minimum:0 ++ ## -- Override the liveness/readiness host. Useful for getting ping to respond on non-default entryPoint. + ## Default: ports.traefik.hostIP if set, otherwise Pod IP +- # healthchecksHost: localhost +- ## Override the liveness/readiness scheme. Useful for getting ping to ++ healthchecksHost: "" ++ ## -- Override the liveness/readiness scheme. Useful for getting ping to + ## respond on websecure entryPoint. +- # healthchecksScheme: HTTPS +- ## Override the readiness path. ++ healthchecksScheme: # @schema enum:[HTTP, HTTPS, null]; type:[string, null]; default: HTTP ++ ## -- Override the readiness path. + ## Default: /ping +- # readinessPath: /ping +- # Override the liveness path. ++ readinessPath: "" ++ # -- Override the liveness path. + # Default: /ping +- # livenessPath: /ping ++ livenessPath: "" + # -- Additional deployment annotations (e.g. for jaeger-operator sidecar injection) + annotations: {} + # -- Additional deployment labels (e.g. for filtering deployment by custom labels) +@@ -80,7 +80,7 @@ deployment: + # -- Use process namespace sharing + shareProcessNamespace: false + # -- Custom pod DNS policy. Apply if `hostNetwork: true` +- # dnsPolicy: ClusterFirstWithHostNet ++ dnsPolicy: "" + # -- Custom pod [DNS config](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#poddnsconfig-v1-core) + dnsConfig: {} + # -- Custom [host aliases](https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/) +@@ -99,24 +99,24 @@ deployment: + # host: localhost + # scheme: HTTP + # -- Set a runtimeClassName on pod +- runtimeClassName: ++ runtimeClassName: "" + + # -- [Pod Disruption Budget](https://kubernetes.io/docs/reference/kubernetes-api/policy-resources/pod-disruption-budget-v1/) +-podDisruptionBudget: +- enabled: +- maxUnavailable: +- minAvailable: ++podDisruptionBudget: # @schema additionalProperties: false ++ enabled: false ++ maxUnavailable: # @schema type:[string, integer, null];minimum:0 ++ minAvailable: # @schema type:[string, integer, null];minimum:0 + + # -- Create a default IngressClass for Traefik +-ingressClass: ++ingressClass: # @schema additionalProperties: false + enabled: true + isDefaultClass: true +- # name: my-custom-class ++ name: "" + +-core: ++core: # @schema additionalProperties: false + # -- Can be used to use globally v2 router syntax + # See https://doc.traefik.io/traefik/v3.0/migration/v2-to-v3/#new-v3-syntax-notable-changes +- defaultRuleSyntax: ++ defaultRuleSyntax: "" + + # Traefik experimental features + experimental: +@@ -133,11 +133,11 @@ gateway: + # -- When providers.kubernetesGateway.enabled, deploy a default gateway + enabled: true + # -- Set a custom name to gateway +- name: ++ name: "" + # -- By default, Gateway is created in the same `Namespace` than Traefik. +- namespace: ++ namespace: "" + # -- Additional gateway annotations (e.g. for cert-manager.io/issuer) +- annotations: ++ annotations: {} + # -- Define listeners + listeners: + web: +@@ -145,11 +145,11 @@ gateway: + # The port must match a port declared in ports section. + port: 8000 + # -- Optional hostname. See [Hostname](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Hostname) +- hostname: ++ hostname: "" + # Specify expected protocol on this listener. See [ProtocolType](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.ProtocolType) + protocol: HTTP + # -- Routes are restricted to namespace of the gateway [by default](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.FromNamespaces +- namespacePolicy: ++ namespacePolicy: # @schema type:[string, null] + # websecure listener is disabled by default because certificateRefs needs to be added, + # or you may specify TLS protocol with Passthrough mode and add "--providers.kubernetesGateway.experimentalChannel=true" in additionalArguments section. + # websecure: +@@ -167,13 +167,13 @@ gateway: + # # -- TLS behavior for the TLS session initiated by the client. See [TLSModeType](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.TLSModeType). + # mode: + +-gatewayClass: ++gatewayClass: # @schema additionalProperties: false + # -- When providers.kubernetesGateway.enabled and gateway.enabled, deploy a default gatewayClass + enabled: true + # -- Set a custom name to GatewayClass +- name: ++ name: "" + # -- Additional gatewayClass labels (e.g. for filtering gateway objects by custom labels) +- labels: ++ labels: {} + + ingressRoute: + dashboard: +@@ -218,14 +218,14 @@ ingressRoute: + # -- TLS options (e.g. secret containing certificate) + tls: {} + +-updateStrategy: ++updateStrategy: # @schema additionalProperties: false + # -- Customize updateStrategy: RollingUpdate or OnDelete + type: RollingUpdate + rollingUpdate: +- maxUnavailable: 0 +- maxSurge: 1 ++ maxUnavailable: 0 # @schema type:[integer, string, null] ++ maxSurge: 1 # @schema type:[integer, string, null] + +-readinessProbe: ++readinessProbe: # @schema additionalProperties: false + # -- The number of consecutive failures allowed before considering the probe as failed. + failureThreshold: 1 + # -- The number of seconds to wait before starting the first probe. +@@ -236,7 +236,7 @@ readinessProbe: + successThreshold: 1 + # -- The number of seconds to wait for a probe response before considering it as failed. + timeoutSeconds: 2 +-livenessProbe: ++livenessProbe: # @schema additionalProperties: false + # -- The number of consecutive failures allowed before considering the probe as failed. + failureThreshold: 3 + # -- The number of seconds to wait before starting the first probe. +@@ -249,9 +249,9 @@ livenessProbe: + timeoutSeconds: 2 + + # -- Define [Startup Probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes) +-startupProbe: ++startupProbe: {} + +-providers: ++providers: # @schema additionalProperties: false + kubernetesCRD: + # -- Load Kubernetes IngressRoute provider + enabled: true +@@ -262,12 +262,12 @@ providers: + # -- Allows to return 503 when there is no endpoints available + allowEmptyServices: true + # -- When the parameter is set, only resources containing an annotation with the same value are processed. Otherwise, resources missing the annotation, having an empty value, or the value traefik are processed. It will also set required annotation on Dashboard and Healthcheck IngressRoute when enabled. +- ingressClass: ++ ingressClass: "" + # labelSelector: environment=production,method=traefik + # -- Array of namespaces to watch. If left empty, Traefik watches all namespaces. + namespaces: [] + # -- Defines whether to use Native Kubernetes load-balancing mode by default. +- nativeLBByDefault: ++ nativeLBByDefault: false + + kubernetesIngress: + # -- Load Kubernetes Ingress provider +@@ -277,7 +277,7 @@ providers: + # -- Allows to return 503 when there is no endpoints available + allowEmptyServices: true + # -- When ingressClass is set, only Ingresses containing an annotation with the same value are processed. Otherwise, Ingresses missing the annotation, having an empty value, or the value traefik are processed. +- ingressClass: ++ ingressClass: # @schema type:[string, null] + # labelSelector: environment=production,method=traefik + # -- Array of namespaces to watch. If left empty, Traefik watches all namespaces. + namespaces: [] +@@ -288,7 +288,7 @@ providers: + # By default this Traefik service + # pathOverride: "" + # -- Defines whether to use Native Kubernetes load-balancing mode by default. +- nativeLBByDefault: ++ nativeLBByDefault: false + + kubernetesGateway: + # -- Enable Traefik Gateway provider for Gateway API +@@ -299,7 +299,7 @@ providers: + # -- Array of namespaces to watch. If left empty, Traefik watches all namespaces. + namespaces: [] + # -- A label selector can be defined to filter on specific GatewayClass objects only. +- labelselector: ++ labelselector: "" + + file: + # -- Create a file provider +@@ -307,7 +307,7 @@ providers: + # -- Allows Traefik to automatically watch for file changes + watch: true + # -- File content (YAML format, go template supported) (see https://doc.traefik.io/traefik/providers/file/) +- content: ++ content: "" + + # -- Add volumes to the traefik pod. The volume name will be passed to tpl. + # This can be used to mount a cert pair or a configmap that holds a config.toml file. +@@ -333,90 +333,88 @@ additionalVolumeMounts: [] + logs: + general: + # -- Set [logs format](https://doc.traefik.io/traefik/observability/logs/#format) +- # @default common +- format: ++ format: # @schema enum:["common", "json", null]; type:[string, null]; default: "common" + # By default, the level is set to INFO. + # -- Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO. +- level: INFO +- # +- # filePath: "/var/log/traefik/traefik.log +- # noColor: true ++ level: "INFO" # @schema enum:[INFO,WARN,ERROR,FATAL,PANIC,DEBUG]; default: "INFO" ++ # -- To write the logs into a log file, use the filePath option. ++ filePath: "" ++ # -- When set to true and format is common, it disables the colorized output. ++ noColor: false + access: + # -- To enable access logs + enabled: false + # -- Set [access log format](https://doc.traefik.io/traefik/observability/access-logs/#format) +- format: ++ format: # @schema enum:["CLF", "json", null]; type:[string, null]; default: "CLF" + # filePath: "/var/log/traefik/access.log + # -- Set [bufferingSize](https://doc.traefik.io/traefik/observability/access-logs/#bufferingsize) +- bufferingSize: ++ bufferingSize: # @schema type:[integer, null] + # -- Set [filtering](https://docs.traefik.io/observability/access-logs/#filtering) + filters: {} +- # statuscodes: "200,300-302" +- # retryattempts: true +- # minduration: 10ms ++ statuscodes: "" ++ retryattempts: false ++ minduration: "" + # -- Enables accessLogs for internal resources. Default: false. +- addInternals: ++ addInternals: false + fields: + general: +- # -- Available modes: keep, drop, redact. +- defaultmode: keep ++ # -- Set default mode for fields.names ++ defaultmode: keep # @schema enum:[keep, drop, redact]; default: keep + # -- Names of the fields to limit. + names: {} +- ## Examples: +- # ClientUsername: drop + # -- [Limit logged fields or headers](https://doc.traefik.io/traefik/observability/access-logs/#limiting-the-fieldsincluding-headers) + headers: +- # -- Available modes: keep, drop, redact. +- defaultmode: drop ++ # -- Set default mode for fields.headers ++ defaultmode: drop # @schema enum:[keep, drop, redact]; default: drop + names: {} + + metrics: + ## -- Enable metrics for internal resources. Default: false +- addInternals: ++ addInternals: false + + ## -- Prometheus is enabled by default. + ## -- It can be disabled by setting "prometheus: null" + prometheus: + # -- Entry point used to expose metrics. + entryPoint: metrics +- ## Enable metrics on entry points. Default=true +- # addEntryPointsLabels: false +- ## Enable metrics on routers. Default=false +- # addRoutersLabels: true +- ## Enable metrics on services. Default=true +- # addServicesLabels: false ++ ## Enable metrics on entry points. Default: true ++ addEntryPointsLabels: # @schema type:[boolean, null] ++ ## Enable metrics on routers. Default: false ++ addRoutersLabels: # @schema type:[boolean, null] ++ ## Enable metrics on services. Default: true ++ addServicesLabels: # @schema type:[boolean, null] + ## Buckets for latency metrics. Default="0.1,0.3,1.2,5.0" +- # buckets: "0.5,1.0,2.5" ++ buckets: "" + ## When manualRouting is true, it disables the default internal router in + ## order to allow creating a custom router for prometheus@internal service. +- # manualRouting: true ++ manualRouting: false + service: + # -- Create a dedicated metrics service to use with ServiceMonitor +- enabled: +- labels: +- annotations: ++ enabled: false ++ labels: {} ++ annotations: {} + # -- When set to true, it won't check if Prometheus Operator CRDs are deployed +- disableAPICheck: ++ disableAPICheck: # @schema type:[boolean, null] + serviceMonitor: + # -- Enable optional CR for Prometheus Operator. See EXAMPLES.md for more details. + enabled: false +- metricRelabelings: +- relabelings: +- jobLabel: +- interval: +- honorLabels: +- scrapeTimeout: +- honorTimestamps: +- enableHttp2: +- followRedirects: +- additionalLabels: +- namespace: +- namespaceSelector: ++ metricRelabelings: [] ++ relabelings: [] ++ jobLabel: "" ++ interval: "" ++ honorLabels: false ++ scrapeTimeout: "" ++ honorTimestamps: false ++ enableHttp2: false ++ followRedirects: false ++ additionalLabels: {} ++ namespace: "" ++ namespaceSelector: {} + prometheusRule: + # -- Enable optional CR for Prometheus Operator. See EXAMPLES.md for more details. + enabled: false +- additionalLabels: +- namespace: ++ additionalLabels: {} ++ namespace: "" + + # datadog: + # ## Address instructs exporter to send metrics to datadog-agent at this address. +@@ -469,55 +467,55 @@ metrics: + # -- Set to true in order to enable the OpenTelemetry metrics + enabled: false + # -- Enable metrics on entry points. Default: true +- addEntryPointsLabels: ++ addEntryPointsLabels: # @schema type:[boolean, null] + # -- Enable metrics on routers. Default: false +- addRoutersLabels: ++ addRoutersLabels: # @schema type:[boolean, null] + # -- Enable metrics on services. Default: true +- addServicesLabels: ++ addServicesLabels: # @schema type:[boolean, null] + # -- Explicit boundaries for Histogram data points. Default: [.005, .01, .025, .05, .1, .25, .5, 1, 2.5, 5, 10] +- explicitBoundaries: ++ explicitBoundaries: [] + # -- Interval at which metrics are sent to the OpenTelemetry Collector. Default: 10s +- pushInterval: ++ pushInterval: "" + http: + # -- Set to true in order to send metrics to the OpenTelemetry Collector using HTTP. + enabled: false + # -- Format: ://:. Default: http://localhost:4318/v1/metrics +- endpoint: ++ endpoint: "" + # -- Additional headers sent with metrics by the reporter to the OpenTelemetry Collector. +- headers: ++ headers: {} + ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector. + tls: + # -- The path to the certificate authority, it defaults to the system bundle. +- ca: ++ ca: "" + # -- The path to the public certificate. When using this option, setting the key option is required. +- cert: ++ cert: "" + # -- The path to the private key. When using this option, setting the cert option is required. +- key: ++ key: "" + # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. +- insecureSkipVerify: ++ insecureSkipVerify: # @schema type:[boolean, null] + grpc: + # -- Set to true in order to send metrics to the OpenTelemetry Collector using gRPC + enabled: false + # -- Format: ://:. Default: http://localhost:4318/v1/metrics +- endpoint: ++ endpoint: "" + # -- Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol. +- insecure: ++ insecure: false + ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector. + tls: + # -- The path to the certificate authority, it defaults to the system bundle. +- ca: ++ ca: "" + # -- The path to the public certificate. When using this option, setting the key option is required. +- cert: ++ cert: "" + # -- The path to the private key. When using this option, setting the cert option is required. +- key: ++ key: "" + # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. +- insecureSkipVerify: ++ insecureSkipVerify: false + + ## Tracing + # -- https://doc.traefik.io/traefik/observability/tracing/overview/ +-tracing: ++tracing: # @schema additionalProperties: false + # -- Enables tracing for internal resources. Default: false. +- addInternals: ++ addInternals: false + otlp: + # -- See https://doc.traefik.io/traefik/v3.0/observability/tracing/opentelemetry/ + enabled: false +@@ -525,36 +523,36 @@ tracing: + # -- Set to true in order to send metrics to the OpenTelemetry Collector using HTTP. + enabled: false + # -- Format: ://:. Default: http://localhost:4318/v1/metrics +- endpoint: ++ endpoint: "" + # -- Additional headers sent with metrics by the reporter to the OpenTelemetry Collector. +- headers: ++ headers: {} + ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector. + tls: + # -- The path to the certificate authority, it defaults to the system bundle. +- ca: ++ ca: "" + # -- The path to the public certificate. When using this option, setting the key option is required. +- cert: ++ cert: "" + # -- The path to the private key. When using this option, setting the cert option is required. +- key: ++ key: "" + # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. +- insecureSkipVerify: ++ insecureSkipVerify: false + grpc: + # -- Set to true in order to send metrics to the OpenTelemetry Collector using gRPC + enabled: false + # -- Format: ://:. Default: http://localhost:4318/v1/metrics +- endpoint: ++ endpoint: "" + # -- Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol. +- insecure: ++ insecure: false + ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector. + tls: + # -- The path to the certificate authority, it defaults to the system bundle. +- ca: ++ ca: "" + # -- The path to the public certificate. When using this option, setting the key option is required. +- cert: ++ cert: "" + # -- The path to the private key. When using this option, setting the cert option is required. +- key: ++ key: "" + # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. +- insecureSkipVerify: ++ insecureSkipVerify: false + + # -- Global command arguments to be passed to all traefik's pods + globalArguments: +@@ -587,13 +585,12 @@ ports: + traefik: + port: 9000 + # -- Use hostPort if set. +- # hostPort: 9000 +- # ++ hostPort: # @schema type:[integer, null]; minimum:0 + # -- Use hostIP if set. If not set, Kubernetes will default to 0.0.0.0, which + # means it's listening on all your interfaces and all your IPs. You may want + # to set this value if you need traefik to listen on specific interface + # only. +- # hostIP: 192.168.100.10 ++ hostIP: # @schema type:[string, null] + + # Defines whether the port is exposed if service.type is LoadBalancer or + # NodePort. +@@ -617,112 +614,93 @@ ports: + default: true + exposedPort: 80 + ## -- Different target traefik port on the cluster, useful for IP type LB +- # targetPort: 80 ++ targetPort: # @schema type:[integer, null]; minimum:0 + # The port protocol (TCP/UDP) + protocol: TCP +- # -- Use nodeport if set. This is useful if you have configured Traefik in a +- # LoadBalancer. +- # nodePort: 32080 ++ # -- See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport) ++ nodePort: # @schema type:[integer, null]; minimum:0 + # Port Redirections + # Added in 2.2, you can make permanent redirects via entrypoints. + # https://docs.traefik.io/routing/entrypoints/#redirection +- # redirectTo: +- # port: websecure +- # (Optional) +- # priority: 10 +- # permanent: true +- # +- # -- Trust forwarded headers information (X-Forwarded-*). +- # forwardedHeaders: +- # trustedIPs: [] +- # insecure: false +- # +- # -- Enable the Proxy Protocol header parsing for the entry point +- # proxyProtocol: +- # trustedIPs: [] +- # insecure: false +- # ++ redirectTo: {} ++ forwardedHeaders: ++ # -- Trust forwarded headers information (X-Forwarded-*). ++ trustedIPs: [] ++ insecure: false ++ proxyProtocol: ++ # -- Enable the Proxy Protocol header parsing for the entry point ++ trustedIPs: [] ++ insecure: false + # -- Set transport settings for the entrypoint; see also + # https://doc.traefik.io/traefik/routing/entrypoints/#transport + transport: + respondingTimeouts: +- readTimeout: +- writeTimeout: +- idleTimeout: ++ readTimeout: # @schema type:[string, integer, null] ++ writeTimeout: # @schema type:[string, integer, null] ++ idleTimeout: # @schema type:[string, integer, null] + lifeCycle: +- requestAcceptGraceTimeout: +- graceTimeOut: +- keepAliveMaxRequests: +- keepAliveMaxTime: ++ requestAcceptGraceTimeout: # @schema type:[string, integer, null] ++ graceTimeOut: # @schema type:[string, integer, null] ++ keepAliveMaxRequests: # @schema type:[integer, null]; minimum:0 ++ keepAliveMaxTime: # @schema type:[string, integer, null] + websecure: + ## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicitly set an entrypoint it will only use this entrypoint. + # asDefault: true + port: 8443 +- # hostPort: 8443 +- # containerPort: 8443 ++ hostPort: # @schema type:[integer, null]; minimum:0 ++ containerPort: # @schema type:[integer, null]; minimum:0 + expose: + default: true + exposedPort: 443 + ## -- Different target traefik port on the cluster, useful for IP type LB +- # targetPort: 80 ++ targetPort: # @schema type:[integer, null]; minimum:0 + ## -- The port protocol (TCP/UDP) + protocol: TCP +- # nodePort: 32443 +- ## -- Specify an application protocol. This may be used as a hint for a Layer 7 load balancer. +- # appProtocol: https +- # +- ## -- Enable HTTP/3 on the entrypoint +- ## Enabling it will also enable http3 experimental feature +- ## https://doc.traefik.io/traefik/routing/entrypoints/#http3 +- ## There are known limitations when trying to listen on same ports for +- ## TCP & UDP (Http3). There is a workaround in this chart using dual Service. +- ## https://github.com/kubernetes/kubernetes/issues/47249#issuecomment-587960741 ++ # -- See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport) ++ nodePort: # @schema type:[integer, null]; minimum:0 ++ # -- See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol) ++ appProtocol: # @schema type:[string, null] ++ # -- See [upstream documentation](https://doc.traefik.io/traefik/routing/entrypoints/#allowacmebypass) ++ allowACMEByPass: false + http3: ++ ## -- Enable HTTP/3 on the entrypoint ++ ## Enabling it will also enable http3 experimental feature ++ ## https://doc.traefik.io/traefik/routing/entrypoints/#http3 ++ ## There are known limitations when trying to listen on same ports for ++ ## TCP & UDP (Http3). There is a workaround in this chart using dual Service. ++ ## https://github.com/kubernetes/kubernetes/issues/47249#issuecomment-587960741 + enabled: false +- # advertisedPort: 4443 +- # +- # -- Trust forwarded headers information (X-Forwarded-*). +- # forwardedHeaders: +- # trustedIPs: [] +- # insecure: false +- # +- # -- Enable the Proxy Protocol header parsing for the entry point +- # proxyProtocol: +- # trustedIPs: [] +- # insecure: false +- # +- # -- Set transport settings for the entrypoint; see also +- # https://doc.traefik.io/traefik/routing/entrypoints/#transport ++ advertisedPort: # @schema type:[integer, null]; minimum:0 ++ forwardedHeaders: ++ # -- Trust forwarded headers information (X-Forwarded-*). ++ trustedIPs: [] ++ insecure: false ++ proxyProtocol: ++ # -- Enable the Proxy Protocol header parsing for the entry point ++ trustedIPs: [] ++ insecure: false ++ # -- See [upstream documentation](https://doc.traefik.io/traefik/routing/entrypoints/#transport) + transport: + respondingTimeouts: +- readTimeout: +- writeTimeout: +- idleTimeout: ++ readTimeout: # @schema type:[string, integer, null] ++ writeTimeout: # @schema type:[string, integer, null] ++ idleTimeout: # @schema type:[string, integer, null] + lifeCycle: +- requestAcceptGraceTimeout: +- graceTimeOut: +- keepAliveMaxRequests: +- keepAliveMaxTime: +- # +- ## Set TLS at the entrypoint +- ## https://doc.traefik.io/traefik/routing/entrypoints/#tls ++ requestAcceptGraceTimeout: # @schema type:[string, integer, null] ++ graceTimeOut: # @schema type:[string, integer, null] ++ keepAliveMaxRequests: # @schema type:[integer, null]; minimum:0 ++ keepAliveMaxTime: # @schema type:[string, integer, null] ++ # -- See [upstream documentation](https://doc.traefik.io/traefik/routing/entrypoints/#tls) + tls: + enabled: true +- # this is the name of a TLSOption definition + options: "" + certResolver: "" + domains: [] +- # - main: example.com +- # sans: +- # - foo.example.com +- # - bar.example.com +- # + # -- One can apply Middlewares on an entrypoint + # https://doc.traefik.io/traefik/middlewares/overview/ + # https://doc.traefik.io/traefik/routing/entrypoints/#middlewares + # -- /!\ It introduces here a link between your static configuration and your dynamic configuration /!\ + # It follows the provider naming convention: https://doc.traefik.io/traefik/providers/overview/#provider-namespace +- # middlewares: + # - namespace-name1@kubernetescrd + # - namespace-name2@kubernetescrd + middlewares: [] +@@ -730,10 +708,6 @@ ports: + # -- When using hostNetwork, use another port to avoid conflict with node exporter: + # https://github.com/prometheus/prometheus/wiki/Default-port-allocations + port: 9100 +- # hostPort: 9100 +- # Defines whether the port is exposed if service.type is LoadBalancer or +- # NodePort. +- # + # -- You may not want to expose the metrics port on production deployments. + # If you want to access it from outside your cluster, + # use `kubectl port-forward` or create a secure ingress +@@ -810,15 +784,15 @@ persistence: + # It can be used to store TLS certificates, see `storage` in certResolvers + enabled: false + name: data +- # existingClaim: "" ++ existingClaim: "" + accessMode: ReadWriteOnce + size: 128Mi +- # storageClass: "" +- # volumeName: "" ++ storageClass: "" ++ volumeName: "" + path: /data + annotations: {} + # -- Only mount a subpath of the Volume into the pod +- # subPath: "" ++ subPath: "" + + # -- Certificates resolvers configuration. + # Ref: https://doc.traefik.io/traefik/https/acme/#certificate-resolvers +@@ -832,7 +806,7 @@ certResolvers: {} + hostNetwork: false + + # -- Whether Role Based Access Control objects like roles and rolebindings should be created +-rbac: ++rbac: # @schema additionalProperties: false + enabled: true + # When set to true: + # 1. Use `Role` and `RoleBinding` instead of `ClusterRole` and `ClusterRoleBinding`. +@@ -843,7 +817,7 @@ rbac: + namespaced: false + # Enable user-facing roles + # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles +- # aggregateTo: [ "admin" ] ++ aggregateTo: [] + # List of Kubernetes secrets that are accessible for Traefik. If empty, then access is granted to every secret. + secretResourceNames: [] + +@@ -852,7 +826,7 @@ podSecurityPolicy: + enabled: false + + # -- The service account the pods will use to interact with the Kubernetes API +-serviceAccount: ++serviceAccount: # @schema additionalProperties: false + # If set, an existing service account is used + # If not set, a service account is created automatically using the fullname template + name: "" +@@ -918,54 +892,54 @@ extraObjects: [] + + # -- This field override the default Release Namespace for Helm. + # It will not affect optional CRDs such as `ServiceMonitor` and `PrometheusRules` +-namespaceOverride: ++namespaceOverride: "" + + ## -- This field override the default app.kubernetes.io/instance label for all Objects. +-instanceLabelOverride: ++instanceLabelOverride: "" + + # Traefik Hub configuration. See https://doc.traefik.io/traefik-hub/ + hub: + # -- Name of `Secret` with key 'token' set to a valid license token. + # It enables API Gateway. +- token: ++ token: "" + apimanagement: + # -- Set to true in order to enable API Management. Requires a valid license token. +- enabled: ++ enabled: false + admission: + # -- WebHook admission server listen address. Default: "0.0.0.0:9943". +- listenAddr: ++ listenAddr: "" + # -- Certificate of the WebHook admission server. Default: "hub-agent-cert". +- secretName: ++ secretName: "" + + ratelimit: + redis: + # -- Enable Redis Cluster. Default: true. +- cluster: ++ cluster: # @schema type:[boolean, null] + # -- Database used to store information. Default: "0". +- database: ++ database: # @schema type:[string, null] + # -- Endpoints of the Redis instances to connect to. Default: "". +- endpoints: ++ endpoints: "" + # -- The username to use when connecting to Redis endpoints. Default: "". +- username: ++ username: "" + # -- The password to use when connecting to Redis endpoints. Default: "". +- password: ++ password: "" + sentinel: + # -- Name of the set of main nodes to use for main selection. Required when using Sentinel. Default: "". +- masterset: ++ masterset: "" + # -- Username to use for sentinel authentication (can be different from endpoint username). Default: "". +- username: ++ username: "" + # -- Password to use for sentinel authentication (can be different from endpoint password). Default: "". +- password: ++ password: "" + # -- Timeout applied on connection with redis. Default: "0s". +- timeout: ++ timeout: "" + tls: + # -- Path to the certificate authority used for the secured connection. +- ca: ++ ca: "" + # -- Path to the public certificate used for the secure connection. +- cert: ++ cert: "" + # -- Path to the private key used for the secure connection. +- key: ++ key: "" + # -- When insecureSkipVerify is set to true, the TLS connection accepts any certificate presented by the server. Default: false. +- insecureSkipVerify: ++ insecureSkipVerify: false + # Enable export of errors logs to the platform. Default: true. +- sendlogs: ++ sendlogs: # @schema type:[boolean, null] +``` + +## 31.0.0 ![AppVersion: v3.1.2](https://img.shields.io/static/v1?label=AppVersion&message=v3.1.2&color=success&logo=) ![Kubernetes: >=1.22.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.22.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2024-09-03 + +* fix(Traefik Hub): update CRDs to v1.5.0 +* fix(HTTP3): split udp and tcp Service when service.single is false +* fix!: 🐛 set allowEmptyServices to true by default +* feat(Traefik Hub): update CRDs to v1.7.0 +* chore(release): 🚀 publish v31.0.0 + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 78eeacf..2232d9e 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -260,7 +260,7 @@ providers: + # -- Allows to reference ExternalName services in IngressRoute + allowExternalNameServices: false + # -- Allows to return 503 when there is no endpoints available +- allowEmptyServices: false ++ allowEmptyServices: true + # -- When the parameter is set, only resources containing an annotation with the same value are processed. Otherwise, resources missing the annotation, having an empty value, or the value traefik are processed. It will also set required annotation on Dashboard and Healthcheck IngressRoute when enabled. + ingressClass: + # labelSelector: environment=production,method=traefik +@@ -275,7 +275,7 @@ providers: + # -- Allows to reference ExternalName services in Ingress + allowExternalNameServices: false + # -- Allows to return 503 when there is no endpoints available +- allowEmptyServices: false ++ allowEmptyServices: true + # -- When ingressClass is set, only Ingresses containing an annotation with the same value are processed. Otherwise, Ingresses missing the annotation, having an empty value, or the value traefik are processed. + ingressClass: + # labelSelector: environment=production,method=traefik +``` + +## 30.1.0 ![AppVersion: v3.1.2](https://img.shields.io/static/v1?label=AppVersion&message=v3.1.2&color=success&logo=) ![Kubernetes: >=1.22.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.22.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2024-08-14 + +* fix: disable default HTTPS listener for gateway +* fix(Gateway API): wildcard support in hostname +* fix(Gateway API): use Standard channel by default +* feat: ✨ rework namespaced RBAC with `disableClusterScopeResources` +* chore(release): 🚀 publish v30.1.0 +* chore(deps): update traefik docker tag to v3.1.2 +* chore(deps): update traefik docker tag to v3.1.1 + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 83b6d98..78eeacf 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -150,20 +150,22 @@ gateway: + protocol: HTTP + # -- Routes are restricted to namespace of the gateway [by default](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.FromNamespaces + namespacePolicy: +- websecure: +- # -- Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. +- # The port must match a port declared in ports section. +- port: 8443 +- # -- Optional hostname. See [Hostname](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Hostname) +- hostname: +- # Specify expected protocol on this listener See [ProtocolType](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.ProtocolType) +- protocol: HTTPS +- # -- Routes are restricted to namespace of the gateway [by default](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.FromNamespaces) +- namespacePolicy: +- # -- Add certificates for TLS or HTTPS protocols. See [GatewayTLSConfig](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io%2fv1.GatewayTLSConfig) +- certificateRefs: +- # -- TLS behavior for the TLS session initiated by the client. See [TLSModeType](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.TLSModeType). +- mode: ++ # websecure listener is disabled by default because certificateRefs needs to be added, ++ # or you may specify TLS protocol with Passthrough mode and add "--providers.kubernetesGateway.experimentalChannel=true" in additionalArguments section. ++ # websecure: ++ # # -- Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. ++ # # The port must match a port declared in ports section. ++ # port: 8443 ++ # # -- Optional hostname. See [Hostname](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Hostname) ++ # hostname: ++ # # Specify expected protocol on this listener See [ProtocolType](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.ProtocolType) ++ # protocol: HTTPS ++ # # -- Routes are restricted to namespace of the gateway [by default](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.FromNamespaces) ++ # namespacePolicy: ++ # # -- Add certificates for TLS or HTTPS protocols. See [GatewayTLSConfig](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io%2fv1.GatewayTLSConfig) ++ # certificateRefs: ++ # # -- TLS behavior for the TLS session initiated by the client. See [TLSModeType](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.TLSModeType). ++ # mode: + + gatewayClass: + # -- When providers.kubernetesGateway.enabled and gateway.enabled, deploy a default gatewayClass +@@ -279,10 +281,6 @@ providers: + # labelSelector: environment=production,method=traefik + # -- Array of namespaces to watch. If left empty, Traefik watches all namespaces. + namespaces: [] +- # - "default" +- # Disable cluster IngressClass Lookup - Requires Traefik V3. +- # When combined with rbac.namespaced: true, ClusterRole will not be created and ingresses must use kubernetes.io/ingress.class annotation instead of spec.ingressClassName. +- disableIngressClassLookup: false + # IP used for Kubernetes Ingress endpoints + publishedService: + enabled: false +@@ -836,9 +834,12 @@ hostNetwork: false + # -- Whether Role Based Access Control objects like roles and rolebindings should be created + rbac: + enabled: true +- # If set to false, installs ClusterRole and ClusterRoleBinding so Traefik can be used across namespaces. +- # If set to true, installs Role and RoleBinding instead of ClusterRole/ClusterRoleBinding. Providers will only watch target namespace. +- # When combined with providers.kubernetesIngress.disableIngressClassLookup: true and Traefik V3, ClusterRole to watch IngressClass is also disabled. ++ # When set to true: ++ # 1. Use `Role` and `RoleBinding` instead of `ClusterRole` and `ClusterRoleBinding`. ++ # 2. Set `disableIngressClassLookup` on Kubernetes Ingress providers with Traefik Proxy v3 until v3.1.1 ++ # 3. Set `disableClusterScopeResources` on Kubernetes Ingress and CRD providers with Traefik Proxy v3.1.2+ ++ # **NOTE**: `IngressClass`, `NodePortLB` and **Gateway** provider cannot be used with namespaced RBAC. ++ # See [upstream documentation](https://doc.traefik.io/traefik/providers/kubernetes-ingress/#disableclusterscoperesources) for more details. + namespaced: false + # Enable user-facing roles + # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles +``` + +## 30.0.2 ![AppVersion: v3.1.0](https://img.shields.io/static/v1?label=AppVersion&message=v3.1.0&color=success&logo=) ![Kubernetes: >=1.22.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.22.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2024-07-30 + +* fix(Traefik Hub): missing RBACs for Traefik Hub +* chore(release): 🚀 publish v30.0.2 + +## 30.0.1 ![AppVersion: v3.1.0](https://img.shields.io/static/v1?label=AppVersion&message=v3.1.0&color=success&logo=) ![Kubernetes: >=1.22.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.22.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2024-07-29 + +* fix(Traefik Hub): support new RBACs for upcoming traefik hub release +* fix(Traefik Hub): RBACs missing with API Gateway +* feat: :release: v30.0.1 + +## 30.0.0 ![AppVersion: v3.1.0](https://img.shields.io/static/v1?label=AppVersion&message=v3.1.0&color=success&logo=) ![Kubernetes: >=1.22.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.22.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2024-07-24 + +* fix: 🐛 ingressroute default name +* fix: namespaced RBACs hub api gateway +* fix: can't set gateway name +* fix(Gateway API): provide expected roles when using namespaced RBAC +* fix(Gateway API)!: revamp Gateway implementation +* feat: ✨ display release name and image full path in installation notes +* feat: use single ingressRoute template +* feat: handle log filePath and noColor +* chore(release): 🚀 publish v30.0.0 +* chore(deps): update traefik docker tag to v3.1.0 + +**Upgrade Notes** + +There is a breaking upgrade on how to configure Gateway with _values_. +This release supports Traefik Proxy v3.0 **and** v3.1. + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index c8bfd5b..83b6d98 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -134,14 +134,36 @@ gateway: + enabled: true + # -- Set a custom name to gateway + name: +- # -- Routes are restricted to namespace of the gateway [by default](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.FromNamespaces) +- namespacePolicy: +- # -- See [GatewayTLSConfig](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io%2fv1.GatewayTLSConfig) +- certificateRefs: + # -- By default, Gateway is created in the same `Namespace` than Traefik. + namespace: + # -- Additional gateway annotations (e.g. for cert-manager.io/issuer) + annotations: ++ # -- Define listeners ++ listeners: ++ web: ++ # -- Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. ++ # The port must match a port declared in ports section. ++ port: 8000 ++ # -- Optional hostname. See [Hostname](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Hostname) ++ hostname: ++ # Specify expected protocol on this listener. See [ProtocolType](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.ProtocolType) ++ protocol: HTTP ++ # -- Routes are restricted to namespace of the gateway [by default](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.FromNamespaces ++ namespacePolicy: ++ websecure: ++ # -- Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. ++ # The port must match a port declared in ports section. ++ port: 8443 ++ # -- Optional hostname. See [Hostname](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Hostname) ++ hostname: ++ # Specify expected protocol on this listener See [ProtocolType](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.ProtocolType) ++ protocol: HTTPS ++ # -- Routes are restricted to namespace of the gateway [by default](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.FromNamespaces) ++ namespacePolicy: ++ # -- Add certificates for TLS or HTTPS protocols. See [GatewayTLSConfig](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io%2fv1.GatewayTLSConfig) ++ certificateRefs: ++ # -- TLS behavior for the TLS session initiated by the client. See [TLSModeType](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.TLSModeType). ++ mode: + + gatewayClass: + # -- When providers.kubernetesGateway.enabled and gateway.enabled, deploy a default gatewayClass +@@ -161,6 +183,10 @@ ingressRoute: + labels: {} + # -- The router match rule used for the dashboard ingressRoute + matchRule: PathPrefix(`/dashboard`) || PathPrefix(`/api`) ++ # -- The internal service used for the dashboard ingressRoute ++ services: ++ - name: api@internal ++ kind: TraefikService + # -- Specify the allowed entrypoints to use for the dashboard ingress route, (e.g. traefik, web, websecure). + # By default, it's using traefik entrypoint, which is not exposed. + # /!\ Do not expose your dashboard without any protection over the internet /!\ +@@ -178,6 +204,10 @@ ingressRoute: + labels: {} + # -- The router match rule used for the healthcheck ingressRoute + matchRule: PathPrefix(`/ping`) ++ # -- The internal service used for the healthcheck ingressRoute ++ services: ++ - name: ping@internal ++ kind: TraefikService + # -- Specify the allowed entrypoints to use for the healthcheck ingress route, (e.g. traefik, web, websecure). + # By default, it's using traefik entrypoint, which is not exposed. + entryPoints: ["traefik"] +@@ -307,9 +337,12 @@ logs: + # -- Set [logs format](https://doc.traefik.io/traefik/observability/logs/#format) + # @default common + format: +- # By default, the level is set to ERROR. ++ # By default, the level is set to INFO. + # -- Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO. + level: INFO ++ # ++ # filePath: "/var/log/traefik/traefik.log ++ # noColor: true + access: + # -- To enable access logs + enabled: false +``` + + +## 29.0.1 ![AppVersion: v3.0.4](https://img.shields.io/static/v1?label=AppVersion&message=v3.0.4&color=success&logo=) ![Kubernetes: >=1.22.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.22.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2024-07-09 + +* fix: semverCompare failing on some legitimate tags +* fix: RBACs for hub and disabled namespaced RBACs +* chore(release): 🚀 publish v29.0.1 +* chore(deps): update jnorwood/helm-docs docker tag to v1.14.0 + +## 29.0.0 ![AppVersion: v3.0.4](https://img.shields.io/static/v1?label=AppVersion&message=v3.0.4&color=success&logo=) ![Kubernetes: >=1.22.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.22.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Upgrade Notes** + +This is a major breaking upgrade. [Migration guide](https://doc.traefik.io/traefik/v3.1/migration/v3/#v30-to-v31) from v3.0 to v3.1rc has been applied on this chart. + +This release supports both Traefik Proxy v3.0.x and v3.1rc. + +It comes with those breaking changes: + +- Far better support on Gateway API v1.1: Gateway, GatewayClass, CRDs & RBAC (#1107) +- Many changes on CRDs & RBAC (#1072 & #1108) +- Refactor on Prometheus Operator support. Values has changed (#1114) +- Dashboard `IngressRoute` is now disabled by default (#1111) + +CRDs needs to be upgraded: `kubectl apply --server-side --force-conflicts -k https://github.com/traefik/traefik-helm-chart/traefik/crds/` + +**Release date:** 2024-07-05 + +* fix: 🐛 improve error message on additional service without ports +* fix: allow multiples values in the `secretResourceNames` slice +* fix(rbac)!: nodes API permissions for Traefik v3.1+ +* fix(dashboard): Only set ingressClass annotation when kubernetesCRD provider is listening for it +* fix!: prometheus operator settings +* feat: ✨ update CRDs & RBAC for Traefik Proxy +* feat: ✨ migrate to endpointslices rbac +* feat: allow to set hostAliases for traefik pod +* feat(providers): add nativeLBByDefault support +* feat(providers)!: improve kubernetesGateway and Gateway API support +* feat(dashboard)!: dashboard `IngressRoute` should be disabled by default +* docs: fix typos and broken link +* chore: update CRDs to v1.5.0 +* chore: update CRDs to v1.4.0 +* chore(release): publish v29.0.0 +* chore(deps): update traefik docker tag to v3.0.4 +* chore(deps): update traefik docker tag to v3.0.3 + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index e440dcf..c8bfd5b 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -8,7 +8,7 @@ image: + # -- Traefik image repository + repository: traefik + # -- defaults to appVersion +- tag: "" ++ tag: + # -- Traefik image pull policy + pullPolicy: IfNotPresent + +@@ -81,19 +81,12 @@ deployment: + shareProcessNamespace: false + # -- Custom pod DNS policy. Apply if `hostNetwork: true` + # dnsPolicy: ClusterFirstWithHostNet ++ # -- Custom pod [DNS config](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#poddnsconfig-v1-core) + dnsConfig: {} +- # nameservers: +- # - 192.0.2.1 # this is an example +- # searches: +- # - ns1.svc.cluster-domain.example +- # - my.dns.search.suffix +- # options: +- # - name: ndots +- # value: "2" +- # - name: edns0 +- # -- Additional imagePullSecrets ++ # -- Custom [host aliases](https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/) ++ hostAliases: [] ++ # -- Pull secret for fetching traefik container image + imagePullSecrets: [] +- # - name: myRegistryKeySecretName + # -- Pod lifecycle actions + lifecycle: {} + # preStop: +@@ -135,24 +128,33 @@ experimental: + kubernetesGateway: + # -- Enable traefik experimental GatewayClass CRD + enabled: false +- ## Routes are restricted to namespace of the gateway by default. +- ## https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.FromNamespaces +- # namespacePolicy: All +- # certificate: +- # group: "core" +- # kind: "Secret" +- # name: "mysecret" +- # -- By default, Gateway would be created to the Namespace you are deploying Traefik to. +- # You may create that Gateway in another namespace, setting its name below: +- # namespace: default +- # Additional gateway annotations (e.g. for cert-manager.io/issuer) +- # annotations: +- # cert-manager.io/issuer: letsencrypt ++ ++gateway: ++ # -- When providers.kubernetesGateway.enabled, deploy a default gateway ++ enabled: true ++ # -- Set a custom name to gateway ++ name: ++ # -- Routes are restricted to namespace of the gateway [by default](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.FromNamespaces) ++ namespacePolicy: ++ # -- See [GatewayTLSConfig](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io%2fv1.GatewayTLSConfig) ++ certificateRefs: ++ # -- By default, Gateway is created in the same `Namespace` than Traefik. ++ namespace: ++ # -- Additional gateway annotations (e.g. for cert-manager.io/issuer) ++ annotations: ++ ++gatewayClass: ++ # -- When providers.kubernetesGateway.enabled and gateway.enabled, deploy a default gatewayClass ++ enabled: true ++ # -- Set a custom name to GatewayClass ++ name: ++ # -- Additional gatewayClass labels (e.g. for filtering gateway objects by custom labels) ++ labels: + + ingressRoute: + dashboard: + # -- Create an IngressRoute for the dashboard +- enabled: true ++ enabled: false + # -- Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class) + annotations: {} + # -- Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels) +@@ -227,11 +229,13 @@ providers: + allowExternalNameServices: false + # -- Allows to return 503 when there is no endpoints available + allowEmptyServices: false +- # ingressClass: traefik-internal ++ # -- When the parameter is set, only resources containing an annotation with the same value are processed. Otherwise, resources missing the annotation, having an empty value, or the value traefik are processed. It will also set required annotation on Dashboard and Healthcheck IngressRoute when enabled. ++ ingressClass: + # labelSelector: environment=production,method=traefik + # -- Array of namespaces to watch. If left empty, Traefik watches all namespaces. + namespaces: [] +- # - "default" ++ # -- Defines whether to use Native Kubernetes load-balancing mode by default. ++ nativeLBByDefault: + + kubernetesIngress: + # -- Load Kubernetes Ingress provider +@@ -240,7 +244,8 @@ providers: + allowExternalNameServices: false + # -- Allows to return 503 when there is no endpoints available + allowEmptyServices: false +- # ingressClass: traefik-internal ++ # -- When ingressClass is set, only Ingresses containing an annotation with the same value are processed. Otherwise, Ingresses missing the annotation, having an empty value, or the value traefik are processed. ++ ingressClass: + # labelSelector: environment=production,method=traefik + # -- Array of namespaces to watch. If left empty, Traefik watches all namespaces. + namespaces: [] +@@ -254,6 +259,19 @@ providers: + # Published Kubernetes Service to copy status from. Format: namespace/servicename + # By default this Traefik service + # pathOverride: "" ++ # -- Defines whether to use Native Kubernetes load-balancing mode by default. ++ nativeLBByDefault: ++ ++ kubernetesGateway: ++ # -- Enable Traefik Gateway provider for Gateway API ++ enabled: false ++ # -- Toggles support for the Experimental Channel resources (Gateway API release channels documentation). ++ # This option currently enables support for TCPRoute and TLSRoute. ++ experimentalChannel: false ++ # -- Array of namespaces to watch. If left empty, Traefik watches all namespaces. ++ namespaces: [] ++ # -- A label selector can be defined to filter on specific GatewayClass objects only. ++ labelselector: + + file: + # -- Create a file provider +@@ -341,6 +359,34 @@ metrics: + ## When manualRouting is true, it disables the default internal router in + ## order to allow creating a custom router for prometheus@internal service. + # manualRouting: true ++ service: ++ # -- Create a dedicated metrics service to use with ServiceMonitor ++ enabled: ++ labels: ++ annotations: ++ # -- When set to true, it won't check if Prometheus Operator CRDs are deployed ++ disableAPICheck: ++ serviceMonitor: ++ # -- Enable optional CR for Prometheus Operator. See EXAMPLES.md for more details. ++ enabled: false ++ metricRelabelings: ++ relabelings: ++ jobLabel: ++ interval: ++ honorLabels: ++ scrapeTimeout: ++ honorTimestamps: ++ enableHttp2: ++ followRedirects: ++ additionalLabels: ++ namespace: ++ namespaceSelector: ++ prometheusRule: ++ # -- Enable optional CR for Prometheus Operator. See EXAMPLES.md for more details. ++ enabled: false ++ additionalLabels: ++ namespace: ++ + # datadog: + # ## Address instructs exporter to send metrics to datadog-agent at this address. + # address: "127.0.0.1:8125" +@@ -436,55 +482,6 @@ metrics: + # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. + insecureSkipVerify: + +- ## -- enable optional CRDs for Prometheus Operator +- ## +- ## Create a dedicated metrics service for use with ServiceMonitor +- # service: +- # enabled: false +- # labels: {} +- # annotations: {} +- ## When set to true, it won't check if Prometheus Operator CRDs are deployed +- # disableAPICheck: false +- # serviceMonitor: +- # metricRelabelings: [] +- # - sourceLabels: [__name__] +- # separator: ; +- # regex: ^fluentd_output_status_buffer_(oldest|newest)_.+ +- # replacement: $1 +- # action: drop +- # relabelings: [] +- # - sourceLabels: [__meta_kubernetes_pod_node_name] +- # separator: ; +- # regex: ^(.*)$ +- # targetLabel: nodename +- # replacement: $1 +- # action: replace +- # jobLabel: traefik +- # interval: 30s +- # honorLabels: true +- # # (Optional) +- # # scrapeTimeout: 5s +- # # honorTimestamps: true +- # # enableHttp2: true +- # # followRedirects: true +- # # additionalLabels: +- # # foo: bar +- # # namespace: "another-namespace" +- # # namespaceSelector: {} +- # prometheusRule: +- # additionalLabels: {} +- # namespace: "another-namespace" +- # rules: +- # - alert: TraefikDown +- # expr: up{job="traefik"} == 0 +- # for: 5m +- # labels: +- # context: traefik +- # severity: warning +- # annotations: +- # summary: "Traefik Down" +- # description: "{{ $labels.pod }} on {{ $labels.nodename }} is down" +- + ## Tracing + # -- https://doc.traefik.io/traefik/observability/tracing/overview/ + tracing: +``` + +## 28.3.0 ![AppVersion: v3.0.2](https://img.shields.io/static/v1?label=AppVersion&message=v3.0.2&color=success&logo=) ![Kubernetes: >=1.22.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.22.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2024-06-14 + +* fix: 🐛 namespaced rbac when kubernetesIngress provider is disabled +* fix: 🐛 add divisor: '1' to GOMAXPROCS and GOMEMLIMIT +* fix(security): 🐛 🔒️ mount service account token on pod level +* fix(Traefik Hub): remove obsolete CRD +* fix(Traefik Hub): remove namespace in mutating webhook +* feat: allow setting permanent on redirectTo +* chore(release): publish v28.3.0 +* chore(deps): update traefik docker tag to v3.0.2 + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index c558c78..e440dcf 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -602,6 +602,7 @@ ports: + # port: websecure + # (Optional) + # priority: 10 ++ # permanent: true + # + # -- Trust forwarded headers information (X-Forwarded-*). + # forwardedHeaders: +``` + +## 28.2.0 ![AppVersion: v3.0.1](https://img.shields.io/static/v1?label=AppVersion&message=v3.0.1&color=success&logo=) ![Kubernetes: >=1.22.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.22.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2024-05-28 + +* fix(IngressClass): provides annotation on IngressRoutes when it's enabled +* feat: ✨ simplify values and provide more examples +* feat: add deletecollection right on secrets +* chore(release): 🚀 publish v28.2.0 +* chore(deps): update traefik docker tag to v3.0.1 + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 2fd9282..c558c78 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -1,4 +1,7 @@ + # Default values for Traefik ++# This is a YAML-formatted file. ++# Declare variables to be passed into templates ++ + image: + # -- Traefik image host registry + registry: docker.io +@@ -12,9 +15,6 @@ image: + # -- Add additional label to all resources + commonLabels: {} + +-# +-# Configure the deployment +-# + deployment: + # -- Enable deployment + enabled: true +@@ -74,10 +74,6 @@ deployment: + # - name: volume-permissions + # image: busybox:latest + # command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"] +- # securityContext: +- # runAsNonRoot: true +- # runAsGroup: 65532 +- # runAsUser: 65532 + # volumeMounts: + # - name: data + # mountPath: /data +@@ -112,13 +108,11 @@ deployment: + # -- Set a runtimeClassName on pod + runtimeClassName: + +-# -- Pod disruption budget ++# -- [Pod Disruption Budget](https://kubernetes.io/docs/reference/kubernetes-api/policy-resources/pod-disruption-budget-v1/) + podDisruptionBudget: +- enabled: false +- # maxUnavailable: 1 +- # maxUnavailable: 33% +- # minAvailable: 0 +- # minAvailable: 25% ++ enabled: ++ maxUnavailable: ++ minAvailable: + + # -- Create a default IngressClass for Traefik + ingressClass: +@@ -155,7 +149,6 @@ experimental: + # annotations: + # cert-manager.io/issuer: letsencrypt + +-## Create an IngressRoute for the dashboard + ingressRoute: + dashboard: + # -- Create an IngressRoute for the dashboard +@@ -221,15 +214,7 @@ livenessProbe: + # -- The number of seconds to wait for a probe response before considering it as failed. + timeoutSeconds: 2 + +-# -- Define Startup Probe for container: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes +-# eg. +-# `startupProbe: +-# exec: +-# command: +-# - mycommand +-# - foo +-# initialDelaySeconds: 5 +-# periodSeconds: 5` ++# -- Define [Startup Probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes) + startupProbe: + + providers: +@@ -276,18 +261,8 @@ providers: + # -- Allows Traefik to automatically watch for file changes + watch: true + # -- File content (YAML format, go template supported) (see https://doc.traefik.io/traefik/providers/file/) +- content: "" +- # http: +- # routers: +- # router0: +- # entryPoints: +- # - web +- # middlewares: +- # - my-basic-auth +- # service: service-foo +- # rule: Path(`/foo`) ++ content: + +-# + # -- Add volumes to the traefik pod. The volume name will be passed to tpl. + # This can be used to mount a cert pair or a configmap that holds a config.toml file. + # After the volume has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg: +@@ -311,26 +286,21 @@ additionalVolumeMounts: [] + + logs: + general: +- # -- By default, the logs use a text format (common), but you can +- # also ask for the json format in the format option +- # format: json ++ # -- Set [logs format](https://doc.traefik.io/traefik/observability/logs/#format) ++ # @default common ++ format: + # By default, the level is set to ERROR. + # -- Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO. + level: INFO + access: + # -- To enable access logs + enabled: false +- ## By default, logs are written using the Common Log Format (CLF) on stdout. +- ## To write logs in JSON, use json in the format option. +- ## If the given format is unsupported, the default (CLF) is used instead. +- # format: json ++ # -- Set [access log format](https://doc.traefik.io/traefik/observability/access-logs/#format) ++ format: + # filePath: "/var/log/traefik/access.log +- ## To write the logs in an asynchronous fashion, specify a bufferingSize option. +- ## This option represents the number of log lines Traefik will keep in memory before writing +- ## them to the selected output. In some cases, this option can greatly help performances. +- # bufferingSize: 100 +- ## Filtering +- # -- https://docs.traefik.io/observability/access-logs/#filtering ++ # -- Set [bufferingSize](https://doc.traefik.io/traefik/observability/access-logs/#bufferingsize) ++ bufferingSize: ++ # -- Set [filtering](https://docs.traefik.io/observability/access-logs/#filtering) + filters: {} + # statuscodes: "200,300-302" + # retryattempts: true +@@ -345,15 +315,11 @@ logs: + names: {} + ## Examples: + # ClientUsername: drop ++ # -- [Limit logged fields or headers](https://doc.traefik.io/traefik/observability/access-logs/#limiting-the-fieldsincluding-headers) + headers: + # -- Available modes: keep, drop, redact. + defaultmode: drop +- # -- Names of the headers to limit. + names: {} +- ## Examples: +- # User-Agent: redact +- # Authorization: drop +- # Content-Type: keep + + metrics: + ## -- Enable metrics for internal resources. Default: false +@@ -567,16 +533,15 @@ globalArguments: + - "--global.checknewversion" + - "--global.sendanonymoususage" + +-# +-# Configure Traefik static configuration + # -- Additional arguments to be passed at Traefik's binary +-# All available options available on https://docs.traefik.io/reference/static-configuration/cli/ +-## Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"` ++# See [CLI Reference](https://docs.traefik.io/reference/static-configuration/cli/) ++# Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"` + additionalArguments: [] + # - "--providers.kubernetesingress.ingressclass=traefik-internal" + # - "--log.level=DEBUG" + + # -- Environment variables to be passed to Traefik's binary ++# @default -- See _values.yaml_ + env: + - name: POD_NAME + valueFrom: +@@ -586,25 +551,9 @@ env: + valueFrom: + fieldRef: + fieldPath: metadata.namespace +-# - name: SOME_VAR +-# value: some-var-value +-# - name: SOME_VAR_FROM_CONFIG_MAP +-# valueFrom: +-# configMapRef: +-# name: configmap-name +-# key: config-key +-# - name: SOME_SECRET +-# valueFrom: +-# secretKeyRef: +-# name: secret-name +-# key: secret-key + + # -- Environment variables to be passed to Traefik's binary from configMaps or secrets + envFrom: [] +-# - configMapRef: +-# name: config-map-name +-# - secretRef: +-# name: secret-name + + ports: + traefik: +@@ -766,28 +715,12 @@ ports: + # -- The port protocol (TCP/UDP) + protocol: TCP + +-# -- TLS Options are created as TLSOption CRDs +-# https://doc.traefik.io/traefik/https/tls/#tls-options ++# -- TLS Options are created as [TLSOption CRDs](https://doc.traefik.io/traefik/https/tls/#tls-options) + # When using `labelSelector`, you'll need to set labels on tlsOption accordingly. +-# Example: +-# tlsOptions: +-# default: +-# labels: {} +-# sniStrict: true +-# custom-options: +-# labels: {} +-# curvePreferences: +-# - CurveP521 +-# - CurveP384 ++# See EXAMPLE.md for details. + tlsOptions: {} + +-# -- TLS Store are created as TLSStore CRDs. This is useful if you want to set a default certificate +-# https://doc.traefik.io/traefik/https/tls/#default-certificate +-# Example: +-# tlsStore: +-# default: +-# defaultCertificate: +-# secretName: tls-cert ++# -- TLS Store are created as [TLSStore CRDs](https://doc.traefik.io/traefik/https/tls/#default-certificate). This is useful if you want to set a default certificate. See EXAMPLE.md for details. + tlsStore: {} + + service: +@@ -839,29 +772,8 @@ service: + + autoscaling: + # -- Create HorizontalPodAutoscaler object. ++ # See EXAMPLES.md for more details. + enabled: false +-# minReplicas: 1 +-# maxReplicas: 10 +-# metrics: +-# - type: Resource +-# resource: +-# name: cpu +-# target: +-# type: Utilization +-# averageUtilization: 60 +-# - type: Resource +-# resource: +-# name: memory +-# target: +-# type: Utilization +-# averageUtilization: 60 +-# behavior: +-# scaleDown: +-# stabilizationWindowSeconds: 300 +-# policies: +-# - type: Pods +-# value: 1 +-# periodSeconds: 60 + + persistence: + # -- Enable persistence using Persistent Volume Claims +@@ -879,27 +791,10 @@ persistence: + # -- Only mount a subpath of the Volume into the pod + # subPath: "" + +-# -- Certificates resolvers configuration ++# -- Certificates resolvers configuration. ++# Ref: https://doc.traefik.io/traefik/https/acme/#certificate-resolvers ++# See EXAMPLES.md for more details. + certResolvers: {} +-# letsencrypt: +-# # for challenge options cf. https://doc.traefik.io/traefik/https/acme/ +-# email: email@example.com +-# dnsChallenge: +-# # also add the provider's required configuration under env +-# # or expand then from secrets/configmaps with envfrom +-# # cf. https://doc.traefik.io/traefik/https/acme/#providers +-# provider: digitalocean +-# # add futher options for the dns challenge as needed +-# # cf. https://doc.traefik.io/traefik/https/acme/#dnschallenge +-# delayBeforeCheck: 30 +-# resolvers: +-# - 1.1.1.1 +-# - 8.8.8.8 +-# tlsChallenge: true +-# httpChallenge: +-# entryPoint: "web" +-# # It has to match the path with a persistent volume +-# storage: /data/acme.json + + # -- If hostNetwork is true, runs traefik in the host network namespace + # To prevent unschedulabel pods due to port collisions, if hostNetwork=true +@@ -933,14 +828,8 @@ serviceAccount: + # -- Additional serviceAccount annotations (e.g. for oidc authentication) + serviceAccountAnnotations: {} + +-# -- The resources parameter defines CPU and memory requirements and limits for Traefik's containers. ++# -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for `traefik` container. + resources: {} +-# requests: +-# cpu: "100m" +-# memory: "50Mi" +-# limits: +-# cpu: "300m" +-# memory: "150Mi" + + # -- This example pod anti-affinity forces the scheduler to put traefik pods + # -- on nodes where no other traefik pods are scheduled. +@@ -970,30 +859,22 @@ topologySpreadConstraints: [] + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + +-# -- Pods can have priority. +-# -- Priority indicates the importance of a Pod relative to other Pods. ++# -- [Pod Priority and Preemption](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) + priorityClassName: "" + +-# -- Set the container security context +-# -- To run the container with ports below 1024 this will need to be adjusted to run as root ++# -- [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) ++# @default -- See _values.yaml_ + securityContext: ++ allowPrivilegeEscalation: false + capabilities: + drop: [ALL] + readOnlyRootFilesystem: true +- allowPrivilegeEscalation: false + ++# -- [Pod Security Context](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context) ++# @default -- See _values.yaml_ + podSecurityContext: +- # /!\ When setting fsGroup, Kubernetes will recursively change ownership and +- # permissions for the contents of each volume to match the fsGroup. This can +- # be an issue when storing sensitive content like TLS Certificates /!\ +- # fsGroup: 65532 +- # -- Specifies the policy for changing ownership and permissions of volume contents to match the fsGroup. +- fsGroupChangePolicy: "OnRootMismatch" +- # -- The ID of the group for all containers in the pod to run as. + runAsGroup: 65532 +- # -- Specifies whether the containers should run as a non-root user. + runAsNonRoot: true +- # -- The ID of the user for all containers in the pod to run as. + runAsUser: 65532 + + # +@@ -1003,16 +884,16 @@ podSecurityContext: + # See #595 for more details and traefik/tests/values/extra.yaml for example. + extraObjects: [] + +-# This will override the default Release Namespace for Helm. ++# -- This field override the default Release Namespace for Helm. + # It will not affect optional CRDs such as `ServiceMonitor` and `PrometheusRules` +-# namespaceOverride: traefik +-# +-## -- This will override the default app.kubernetes.io/instance label for all Objects. +-# instanceLabelOverride: traefik ++namespaceOverride: ++ ++## -- This field override the default app.kubernetes.io/instance label for all Objects. ++instanceLabelOverride: + +-# -- Traefik Hub configuration. See https://doc.traefik.io/traefik-hub/ ++# Traefik Hub configuration. See https://doc.traefik.io/traefik-hub/ + hub: +- # Name of Secret with key 'token' set to a valid license token. ++ # -- Name of `Secret` with key 'token' set to a valid license token. + # It enables API Gateway. + token: + apimanagement: +``` + +## 28.1.0 ![AppVersion: v3.0.0](https://img.shields.io/static/v1?label=AppVersion&message=v3.0.0&color=success&logo=) ![Kubernetes: >=1.22.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.22.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +* fix(Traefik Hub): do not deploy mutating webhook when enabling only API Gateway +* feat(Traefik Hub): use Traefik Proxy otlp config +* chore: 🔧 update Traefik Hub CRD to v1.3.3 + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 70297f6..2fd9282 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -1010,3 +1010,49 @@ + ## -- This will override the default app.kubernetes.io/instance label for all Objects. + # instanceLabelOverride: traefik + ++# -- Traefik Hub configuration. See https://doc.traefik.io/traefik-hub/ ++hub: ++ # Name of Secret with key 'token' set to a valid license token. ++ # It enables API Gateway. ++ token: ++ apimanagement: ++ # -- Set to true in order to enable API Management. Requires a valid license token. ++ enabled: ++ admission: ++ # -- WebHook admission server listen address. Default: "0.0.0.0:9943". ++ listenAddr: ++ # -- Certificate of the WebHook admission server. Default: "hub-agent-cert". ++ secretName: ++ ++ ratelimit: ++ redis: ++ # -- Enable Redis Cluster. Default: true. ++ cluster: ++ # -- Database used to store information. Default: "0". ++ database: ++ # -- Endpoints of the Redis instances to connect to. Default: "". ++ endpoints: ++ # -- The username to use when connecting to Redis endpoints. Default: "". ++ username: ++ # -- The password to use when connecting to Redis endpoints. Default: "". ++ password: ++ sentinel: ++ # -- Name of the set of main nodes to use for main selection. Required when using Sentinel. Default: "". ++ masterset: ++ # -- Username to use for sentinel authentication (can be different from endpoint username). Default: "". ++ username: ++ # -- Password to use for sentinel authentication (can be different from endpoint password). Default: "". ++ password: ++ # -- Timeout applied on connection with redis. Default: "0s". ++ timeout: ++ tls: ++ # -- Path to the certificate authority used for the secured connection. ++ ca: ++ # -- Path to the public certificate used for the secure connection. ++ cert: ++ # -- Path to the private key used for the secure connection. ++ key: ++ # -- When insecureSkipVerify is set to true, the TLS connection accepts any certificate presented by the server. Default: false. ++ insecureSkipVerify: ++ # Enable export of errors logs to the platform. Default: true. ++ sendlogs: +``` + +## 28.1.0-beta.3 ![AppVersion: v3.0.0](https://img.shields.io/static/v1?label=AppVersion&message=v3.0.0&color=success&logo=) ![Kubernetes: >=1.22.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.22.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2024-05-03 + +* chore: 🔧 update Traefik Hub CRD to v1.3.2 +* chore(release): 🚀 publish v28.1.0-beta.3 + +## 28.1.0-beta.2 ![AppVersion: v3.0.0](https://img.shields.io/static/v1?label=AppVersion&message=v3.0.0&color=success&logo=) ![Kubernetes: >=1.22.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.22.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2024-05-02 + +* fix: 🐛 refine Traefik Hub support +* chore(release): 🚀 publish v28.1.0-beta.2 + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index ce0a7a3..70297f6 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -1015,13 +1015,15 @@ hub: + # Name of Secret with key 'token' set to a valid license token. + # It enables API Gateway. + token: +- admission: +- # -- WebHook admission server listen address. Default: "0.0.0.0:9943". +- listenAddr: +- # -- Certificate of the WebHook admission server. Default: "hub-agent-cert". +- secretName: +- # -- Set to true in order to enable API Management. Requires a valid license token. + apimanagement: ++ # -- Set to true in order to enable API Management. Requires a valid license token. ++ enabled: ++ admission: ++ # -- WebHook admission server listen address. Default: "0.0.0.0:9943". ++ listenAddr: ++ # -- Certificate of the WebHook admission server. Default: "hub-agent-cert". ++ secretName: ++ + metrics: + opentelemetry: + # -- Set to true to enable OpenTelemetry metrics exporter of Traefik Hub. +``` + +## 28.1.0-beta.1 ![AppVersion: v3.0.0](https://img.shields.io/static/v1?label=AppVersion&message=v3.0.0&color=success&logo=) ![Kubernetes: >=1.22.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.22.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2024-04-30 + +* feat: :rocket: add initial support for Traefik Hub Api Gateway +* chore(release): 🚀 publish v28.1.0-beta.1 + +## 28.0.0 ![AppVersion: v3.0.0](https://img.shields.io/static/v1?label=AppVersion&message=v3.0.0&color=success&logo=) ![Kubernetes: >=1.22.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.22.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2024-04-30 + +* style: 🎨 consistent capitalization on `--entryPoints` CLI flag +* fix: 🐛 only expose http3 port on service when TCP variant is exposed +* fix: 🐛 logs filters on status codes +* feat: ✨ add support of `experimental-v3.0` unstable version +* feat: ability to override liveness and readiness probe paths +* feat(ports): add transport options +* chore(release): publish v28.0.0 + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index c0d72d8..2bff10d 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -38,6 +38,12 @@ deployment: + ## Override the liveness/readiness scheme. Useful for getting ping to + ## respond on websecure entryPoint. + # healthchecksScheme: HTTPS ++ ## Override the readiness path. ++ ## Default: /ping ++ # readinessPath: /ping ++ # Override the liveness path. ++ # Default: /ping ++ # livenessPath: /ping + # -- Additional deployment annotations (e.g. for jaeger-operator sidecar injection) + annotations: {} + # -- Additional deployment labels (e.g. for filtering deployment by custom labels) +@@ -648,15 +654,28 @@ ports: + # (Optional) + # priority: 10 + # +- # Trust forwarded headers information (X-Forwarded-*). ++ # -- Trust forwarded headers information (X-Forwarded-*). + # forwardedHeaders: + # trustedIPs: [] + # insecure: false + # +- # Enable the Proxy Protocol header parsing for the entry point ++ # -- Enable the Proxy Protocol header parsing for the entry point + # proxyProtocol: + # trustedIPs: [] + # insecure: false ++ # ++ # -- Set transport settings for the entrypoint; see also ++ # https://doc.traefik.io/traefik/routing/entrypoints/#transport ++ transport: ++ respondingTimeouts: ++ readTimeout: ++ writeTimeout: ++ idleTimeout: ++ lifeCycle: ++ requestAcceptGraceTimeout: ++ graceTimeOut: ++ keepAliveMaxRequests: ++ keepAliveMaxTime: + websecure: + ## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicitly set an entrypoint it will only use this entrypoint. + # asDefault: true +@@ -684,16 +703,29 @@ ports: + enabled: false + # advertisedPort: 4443 + # +- ## -- Trust forwarded headers information (X-Forwarded-*). ++ # -- Trust forwarded headers information (X-Forwarded-*). + # forwardedHeaders: + # trustedIPs: [] + # insecure: false + # +- ## -- Enable the Proxy Protocol header parsing for the entry point ++ # -- Enable the Proxy Protocol header parsing for the entry point + # proxyProtocol: + # trustedIPs: [] + # insecure: false + # ++ # -- Set transport settings for the entrypoint; see also ++ # https://doc.traefik.io/traefik/routing/entrypoints/#transport ++ transport: ++ respondingTimeouts: ++ readTimeout: ++ writeTimeout: ++ idleTimeout: ++ lifeCycle: ++ requestAcceptGraceTimeout: ++ graceTimeOut: ++ keepAliveMaxRequests: ++ keepAliveMaxTime: ++ # + ## Set TLS at the entrypoint + ## https://doc.traefik.io/traefik/routing/entrypoints/#tls + tls: +``` + +## 28.0.0-rc1 ![AppVersion: v3.0.0-rc5](https://img.shields.io/static/v1?label=AppVersion&message=v3.0.0-rc5&color=success&logo=) ![Kubernetes: >=1.16.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.16.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2024-04-17 + +**Upgrade Notes** + +This is a major breaking upgrade. [Migration guide](https://doc.traefik.io/traefik/v3.0/migration/v2-to-v3/) have been applied on the chart. + +It needs a Kubernetes v1.22 or higher. +All CRDs using _API Group_ `traefik.containo.us` are not supported anymore in Traefik Proxy v3 + +CRDs needs to be upgraded: `kubectl apply --server-side --force-conflicts -k https://github.com/traefik/traefik-helm-chart/traefik/crds/` + +After upgrade, CRDs with _API Group_ `traefik.containo.us` can be removed: + +```shell +kubectl delete crds \ + ingressroutes.traefik.containo.us \ + ingressroutetcps.traefik.containo.us \ + ingressrouteudps.traefik.containo.us \ + middlewares.traefik.containo.us \ + middlewaretcps.traefik.containo.us \ + serverstransports.traefik.containo.us \ + tlsoptions.traefik.containo.us \ + tlsstores.traefik.containo.us \ + traefikservices.traefik.containo.us +``` + +**Changes** + +* feat(podtemplate): set GOMEMLIMIT, GOMAXPROCS when limits are defined +* feat: ✨ fail gracefully when required port number is not set +* feat!: :boom: initial support of Traefik Proxy v3 +* docs: 📚️ improve EXAMPLES on acme resolver +* chore(release): 🚀 publish v28 rc1 + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index cd9fb6e..c0d72d8 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -120,12 +120,13 @@ ingressClass: + isDefaultClass: true + # name: my-custom-class + ++core: ++ # -- Can be used to use globally v2 router syntax ++ # See https://doc.traefik.io/traefik/v3.0/migration/v2-to-v3/#new-v3-syntax-notable-changes ++ defaultRuleSyntax: ++ + # Traefik experimental features + experimental: +- # This value is no longer used, set the image.tag to a semver higher than 3.0, e.g. "v3.0.0-beta3" +- # v3: +- # -- Enable traefik version 3 +- + # -- Enable traefik experimental plugins + plugins: {} + # demo: +@@ -309,7 +310,7 @@ logs: + # format: json + # By default, the level is set to ERROR. + # -- Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO. +- level: ERROR ++ level: INFO + access: + # -- To enable access logs + enabled: false +@@ -328,6 +329,8 @@ logs: + # statuscodes: "200,300-302" + # retryattempts: true + # minduration: 10ms ++ # -- Enables accessLogs for internal resources. Default: false. ++ addInternals: + fields: + general: + # -- Available modes: keep, drop, redact. +@@ -347,6 +350,9 @@ logs: + # Content-Type: keep + + metrics: ++ ## -- Enable metrics for internal resources. Default: false ++ addInternals: ++ + ## -- Prometheus is enabled by default. + ## -- It can be disabled by setting "prometheus: null" + prometheus: +@@ -376,31 +382,6 @@ metrics: + # # addRoutersLabels: true + # ## Enable metrics on services. Default=true + # # addServicesLabels: false +- # influxdb: +- # ## Address instructs exporter to send metrics to influxdb at this address. +- # address: localhost:8089 +- # ## InfluxDB's address protocol (udp or http). Default="udp" +- # protocol: udp +- # ## InfluxDB database used when protocol is http. Default="" +- # # database: "" +- # ## InfluxDB retention policy used when protocol is http. Default="" +- # # retentionPolicy: "" +- # ## InfluxDB username (only with http). Default="" +- # # username: "" +- # ## InfluxDB password (only with http). Default="" +- # # password: "" +- # ## The interval used by the exporter to push metrics to influxdb. Default=10s +- # # pushInterval: 30s +- # ## Additional labels (influxdb tags) on all metrics. +- # # additionalLabels: +- # # env: production +- # # foo: bar +- # ## Enable metrics on entry points. Default=true +- # # addEntryPointsLabels: false +- # ## Enable metrics on routers. Default=false +- # # addRoutersLabels: true +- # ## Enable metrics on services. Default=true +- # # addServicesLabels: false + # influxdb2: + # ## Address instructs exporter to send metrics to influxdb v2 at this address. + # address: localhost:8086 +@@ -435,43 +416,53 @@ metrics: + # # addRoutersLabels: true + # ## Enable metrics on services. Default=true + # # addServicesLabels: false +- # openTelemetry: +- # ## Address of the OpenTelemetry Collector to send metrics to. +- # address: "localhost:4318" +- # ## Enable metrics on entry points. +- # addEntryPointsLabels: true +- # ## Enable metrics on routers. +- # addRoutersLabels: true +- # ## Enable metrics on services. +- # addServicesLabels: true +- # ## Explicit boundaries for Histogram data points. +- # explicitBoundaries: +- # - "0.1" +- # - "0.3" +- # - "1.2" +- # - "5.0" +- # ## Additional headers sent with metrics by the reporter to the OpenTelemetry Collector. +- # headers: +- # foo: bar +- # test: test +- # ## Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol. +- # insecure: true +- # ## Interval at which metrics are sent to the OpenTelemetry Collector. +- # pushInterval: 10s +- # ## Allows to override the default URL path used for sending metrics. This option has no effect when using gRPC transport. +- # path: /foo/v1/traces +- # ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector. +- # tls: +- # ## The path to the certificate authority, it defaults to the system bundle. +- # ca: path/to/ca.crt +- # ## The path to the public certificate. When using this option, setting the key option is required. +- # cert: path/to/foo.cert +- # ## The path to the private key. When using this option, setting the cert option is required. +- # key: path/to/key.key +- # ## If set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. +- # insecureSkipVerify: true +- # ## This instructs the reporter to send metrics to the OpenTelemetry Collector using gRPC. +- # grpc: true ++ otlp: ++ # -- Set to true in order to enable the OpenTelemetry metrics ++ enabled: false ++ # -- Enable metrics on entry points. Default: true ++ addEntryPointsLabels: ++ # -- Enable metrics on routers. Default: false ++ addRoutersLabels: ++ # -- Enable metrics on services. Default: true ++ addServicesLabels: ++ # -- Explicit boundaries for Histogram data points. Default: [.005, .01, .025, .05, .1, .25, .5, 1, 2.5, 5, 10] ++ explicitBoundaries: ++ # -- Interval at which metrics are sent to the OpenTelemetry Collector. Default: 10s ++ pushInterval: ++ http: ++ # -- Set to true in order to send metrics to the OpenTelemetry Collector using HTTP. ++ enabled: false ++ # -- Format: ://:. Default: http://localhost:4318/v1/metrics ++ endpoint: ++ # -- Additional headers sent with metrics by the reporter to the OpenTelemetry Collector. ++ headers: ++ ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector. ++ tls: ++ # -- The path to the certificate authority, it defaults to the system bundle. ++ ca: ++ # -- The path to the public certificate. When using this option, setting the key option is required. ++ cert: ++ # -- The path to the private key. When using this option, setting the cert option is required. ++ key: ++ # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. ++ insecureSkipVerify: ++ grpc: ++ # -- Set to true in order to send metrics to the OpenTelemetry Collector using gRPC ++ enabled: false ++ # -- Format: ://:. Default: http://localhost:4318/v1/metrics ++ endpoint: ++ # -- Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol. ++ insecure: ++ ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector. ++ tls: ++ # -- The path to the certificate authority, it defaults to the system bundle. ++ ca: ++ # -- The path to the public certificate. When using this option, setting the key option is required. ++ cert: ++ # -- The path to the private key. When using this option, setting the cert option is required. ++ key: ++ # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. ++ insecureSkipVerify: + + ## -- enable optional CRDs for Prometheus Operator + ## +@@ -524,51 +515,46 @@ metrics: + + ## Tracing + # -- https://doc.traefik.io/traefik/observability/tracing/overview/ +-tracing: {} +-# openTelemetry: # traefik v3+ only +-# grpc: true +-# insecure: true +-# address: localhost:4317 +-# instana: +-# localAgentHost: 127.0.0.1 +-# localAgentPort: 42699 +-# logLevel: info +-# enableAutoProfile: true +-# datadog: +-# localAgentHostPort: 127.0.0.1:8126 +-# debug: false +-# globalTag: "" +-# prioritySampling: false +-# jaeger: +-# samplingServerURL: http://localhost:5778/sampling +-# samplingType: const +-# samplingParam: 1.0 +-# localAgentHostPort: 127.0.0.1:6831 +-# gen128Bit: false +-# propagation: jaeger +-# traceContextHeaderName: uber-trace-id +-# disableAttemptReconnecting: true +-# collector: +-# endpoint: "" +-# user: "" +-# password: "" +-# zipkin: +-# httpEndpoint: http://localhost:9411/api/v2/spans +-# sameSpan: false +-# id128Bit: true +-# sampleRate: 1.0 +-# haystack: +-# localAgentHost: 127.0.0.1 +-# localAgentPort: 35000 +-# globalTag: "" +-# traceIDHeaderName: "" +-# parentIDHeaderName: "" +-# spanIDHeaderName: "" +-# baggagePrefixHeaderName: "" +-# elastic: +-# serverURL: http://localhost:8200 +-# secretToken: "" +-# serviceEnvironment: "" ++tracing: ++ # -- Enables tracing for internal resources. Default: false. ++ addInternals: ++ otlp: ++ # -- See https://doc.traefik.io/traefik/v3.0/observability/tracing/opentelemetry/ ++ enabled: false ++ http: ++ # -- Set to true in order to send metrics to the OpenTelemetry Collector using HTTP. ++ enabled: false ++ # -- Format: ://:. Default: http://localhost:4318/v1/metrics ++ endpoint: ++ # -- Additional headers sent with metrics by the reporter to the OpenTelemetry Collector. ++ headers: ++ ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector. ++ tls: ++ # -- The path to the certificate authority, it defaults to the system bundle. ++ ca: ++ # -- The path to the public certificate. When using this option, setting the key option is required. ++ cert: ++ # -- The path to the private key. When using this option, setting the cert option is required. ++ key: ++ # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. ++ insecureSkipVerify: ++ grpc: ++ # -- Set to true in order to send metrics to the OpenTelemetry Collector using gRPC ++ enabled: false ++ # -- Format: ://:. Default: http://localhost:4318/v1/metrics ++ endpoint: ++ # -- Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol. ++ insecure: ++ ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector. ++ tls: ++ # -- The path to the certificate authority, it defaults to the system bundle. ++ ca: ++ # -- The path to the public certificate. When using this option, setting the key option is required. ++ cert: ++ # -- The path to the private key. When using this option, setting the cert option is required. ++ key: ++ # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. ++ insecureSkipVerify: + + # -- Global command arguments to be passed to all traefik's pods + globalArguments: +@@ -756,7 +742,6 @@ ports: + # default: + # labels: {} + # sniStrict: true +-# preferServerCipherSuites: true + # custom-options: + # labels: {} + # curvePreferences: +``` + +## 27.0.0 ![AppVersion: v2.11.0](https://img.shields.io/static/v1?label=AppVersion&message=v2.11.0&color=success&logo=) ![Kubernetes: >=1.16.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.16.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2024-04-02 + +**Upgrade notes** + +Custom services and port exposure have been redesigned, requiring the following changes: +- if you were overriding port exposure behavior using the `expose` or `exposeInternal` flags, you should replace them with a service name to boolean mapping, i.e. replace this: + +```yaml +ports: + web: + expose: false + exposeInternal: true +``` + +with this: + +```yaml +ports: + web: + expose: + default: false + internal: true +``` + +- if you were previously using the `service.internal` value, you should migrate the values to the `service.additionalServices.internal` value instead; this should yield the same results, but make sure to carefully check for any changes! + +**Changes** + +* fix: remove null annotations on dashboard `IngressRoute` +* fix(rbac): do not create clusterrole for namespace deployment on Traefik v3 +* feat: restrict access to secrets +* feat!: :boom: refactor custom services and port exposure +* chore(release): 🚀 publish v27.0.0 + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index dbd078f..363871d 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -250,6 +250,9 @@ providers: + # -- Array of namespaces to watch. If left empty, Traefik watches all namespaces. + namespaces: [] + # - "default" ++ # Disable cluster IngressClass Lookup - Requires Traefik V3. ++ # When combined with rbac.namespaced: true, ClusterRole will not be created and ingresses must use kubernetes.io/ingress.class annotation instead of spec.ingressClassName. ++ disableIngressClassLookup: false + # IP used for Kubernetes Ingress endpoints + publishedService: + enabled: false +@@ -626,22 +629,20 @@ ports: + # -- You SHOULD NOT expose the traefik port on production deployments. + # If you want to access it from outside your cluster, + # use `kubectl port-forward` or create a secure ingress +- expose: false ++ expose: ++ default: false + # -- The exposed port for this service + exposedPort: 9000 + # -- The port protocol (TCP/UDP) + protocol: TCP +- # -- Defines whether the port is exposed on the internal service; +- # note that ports exposed on the default service are exposed on the internal +- # service by default as well. +- exposeInternal: false + web: + ## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicitly set an entrypoint it will only use this entrypoint. + # asDefault: true + port: 8000 + # hostPort: 8000 + # containerPort: 8000 +- expose: true ++ expose: ++ default: true + exposedPort: 80 + ## -- Different target traefik port on the cluster, useful for IP type LB + # targetPort: 80 +@@ -650,10 +651,6 @@ ports: + # -- Use nodeport if set. This is useful if you have configured Traefik in a + # LoadBalancer. + # nodePort: 32080 +- # -- Defines whether the port is exposed on the internal service; +- # note that ports exposed on the default service are exposed on the internal +- # service by default as well. +- exposeInternal: false + # Port Redirections + # Added in 2.2, you can make permanent redirects via entrypoints. + # https://docs.traefik.io/routing/entrypoints/#redirection +@@ -677,17 +674,14 @@ ports: + port: 8443 + # hostPort: 8443 + # containerPort: 8443 +- expose: true ++ expose: ++ default: true + exposedPort: 443 + ## -- Different target traefik port on the cluster, useful for IP type LB + # targetPort: 80 + ## -- The port protocol (TCP/UDP) + protocol: TCP + # nodePort: 32443 +- # -- Defines whether the port is exposed on the internal service; +- # note that ports exposed on the default service are exposed on the internal +- # service by default as well. +- exposeInternal: false + ## -- Specify an application protocol. This may be used as a hint for a Layer 7 load balancer. + # appProtocol: https + # +@@ -744,15 +738,12 @@ ports: + # -- You may not want to expose the metrics port on production deployments. + # If you want to access it from outside your cluster, + # use `kubectl port-forward` or create a secure ingress +- expose: false ++ expose: ++ default: false + # -- The exposed port for this service + exposedPort: 9100 + # -- The port protocol (TCP/UDP) + protocol: TCP +- # -- Defines whether the port is exposed on the internal service; +- # note that ports exposed on the default service are exposed on the internal +- # service by default as well. +- exposeInternal: false + + # -- TLS Options are created as TLSOption CRDs + # https://doc.traefik.io/traefik/https/tls/#tls-options +@@ -814,6 +805,7 @@ service: + # - IPv4 + # - IPv6 + ## ++ additionalServices: {} + ## -- An additional and optional internal Service. + ## Same parameters as external Service + # internal: +@@ -899,11 +891,14 @@ hostNetwork: false + rbac: + enabled: true + # If set to false, installs ClusterRole and ClusterRoleBinding so Traefik can be used across namespaces. +- # If set to true, installs Role and RoleBinding. Providers will only watch target namespace. ++ # If set to true, installs Role and RoleBinding instead of ClusterRole/ClusterRoleBinding. Providers will only watch target namespace. ++ # When combined with providers.kubernetesIngress.disableIngressClassLookup: true and Traefik V3, ClusterRole to watch IngressClass is also disabled. + namespaced: false + # Enable user-facing roles + # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles + # aggregateTo: [ "admin" ] ++ # List of Kubernetes secrets that are accessible for Traefik. If empty, then access is granted to every secret. ++ secretResourceNames: [] + + # -- Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding + podSecurityPolicy: +``` + +## 26.1.0 ![AppVersion: v2.11.0](https://img.shields.io/static/v1?label=AppVersion&message=v2.11.0&color=success&logo=) ![Kubernetes: >=1.16.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.16.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2024-02-19 + +* fix: 🐛 set runtimeClassName at pod level +* fix: 🐛 missing quote on experimental plugin args +* fix: update traefik v3 serverstransporttcps CRD +* feat: set runtimeClassName on pod spec +* feat: create v1 Gateway and GatewayClass Version for Traefik v3 +* feat: allow exposure of ports on internal service only +* doc: fix invalid suggestion on TLSOption (#996) +* chore: 🔧 update maintainers +* chore: 🔧 promote jnoordsij to Traefik Helm Chart maintainer +* chore(release): 🚀 publish v26.1.0 +* chore(deps): update traefik docker tag to v2.11.0 +* chore(deps): update traefik docker tag to v2.10.7 +* chore(crds): update definitions for traefik v2.11 + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index f9dac91..dbd078f 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -100,6 +100,8 @@ deployment: + # port: 9000 + # host: localhost + # scheme: HTTP ++ # -- Set a runtimeClassName on pod ++ runtimeClassName: + + # -- Pod disruption budget + podDisruptionBudget: +@@ -629,6 +631,10 @@ ports: + exposedPort: 9000 + # -- The port protocol (TCP/UDP) + protocol: TCP ++ # -- Defines whether the port is exposed on the internal service; ++ # note that ports exposed on the default service are exposed on the internal ++ # service by default as well. ++ exposeInternal: false + web: + ## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicitly set an entrypoint it will only use this entrypoint. + # asDefault: true +@@ -644,6 +650,10 @@ ports: + # -- Use nodeport if set. This is useful if you have configured Traefik in a + # LoadBalancer. + # nodePort: 32080 ++ # -- Defines whether the port is exposed on the internal service; ++ # note that ports exposed on the default service are exposed on the internal ++ # service by default as well. ++ exposeInternal: false + # Port Redirections + # Added in 2.2, you can make permanent redirects via entrypoints. + # https://docs.traefik.io/routing/entrypoints/#redirection +@@ -674,6 +684,10 @@ ports: + ## -- The port protocol (TCP/UDP) + protocol: TCP + # nodePort: 32443 ++ # -- Defines whether the port is exposed on the internal service; ++ # note that ports exposed on the default service are exposed on the internal ++ # service by default as well. ++ exposeInternal: false + ## -- Specify an application protocol. This may be used as a hint for a Layer 7 load balancer. + # appProtocol: https + # +@@ -735,6 +749,10 @@ ports: + exposedPort: 9100 + # -- The port protocol (TCP/UDP) + protocol: TCP ++ # -- Defines whether the port is exposed on the internal service; ++ # note that ports exposed on the default service are exposed on the internal ++ # service by default as well. ++ exposeInternal: false + + # -- TLS Options are created as TLSOption CRDs + # https://doc.traefik.io/traefik/https/tls/#tls-options +@@ -745,7 +763,7 @@ ports: + # labels: {} + # sniStrict: true + # preferServerCipherSuites: true +-# customOptions: ++# custom-options: + # labels: {} + # curvePreferences: + # - CurveP521 +@@ -796,7 +814,7 @@ service: + # - IPv4 + # - IPv6 + ## +- ## -- An additionnal and optional internal Service. ++ ## -- An additional and optional internal Service. + ## Same parameters as external Service + # internal: + # type: ClusterIP +``` + +## 26.0.0 ![AppVersion: v2.10.6](https://img.shields.io/static/v1?label=AppVersion&message=v2.10.6&color=success&logo=) ![Kubernetes: >=1.16.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.16.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2023-12-05 + +* fix: 🐛 improve confusing suggested value on openTelemetry.grpc +* fix: 🐛 declare http3 udp port, with or without hostport +* feat: 💥 deployment.podannotations support interpolation with tpl +* feat: allow update of namespace policy for websecure listener +* feat: allow defining startupProbe +* feat: add file provider +* feat: :boom: unify plugin import between traefik and this chart +* chore(release): 🚀 publish v26 +* chore(deps): update traefik docker tag to v2.10.6 +* Release namespace for Prometheus Operator resources + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 71e377e..f9dac91 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -40,6 +40,7 @@ deployment: + # -- Additional deployment labels (e.g. for filtering deployment by custom labels) + labels: {} + # -- Additional pod annotations (e.g. for mesh injection or prometheus scraping) ++ # It supports templating. One can set it with values like traefik/name: '{{ template "traefik.name" . }}' + podAnnotations: {} + # -- Additional Pod labels (e.g. for filtering Pod by custom labels) + podLabels: {} +@@ -119,10 +120,12 @@ experimental: + # This value is no longer used, set the image.tag to a semver higher than 3.0, e.g. "v3.0.0-beta3" + # v3: + # -- Enable traefik version 3 +- # enabled: false +- plugins: +- # -- Enable traefik experimental plugins +- enabled: false ++ ++ # -- Enable traefik experimental plugins ++ plugins: {} ++ # demo: ++ # moduleName: github.com/traefik/plugindemo ++ # version: v0.2.1 + kubernetesGateway: + # -- Enable traefik experimental GatewayClass CRD + enabled: false +@@ -206,6 +209,17 @@ livenessProbe: + # -- The number of seconds to wait for a probe response before considering it as failed. + timeoutSeconds: 2 + ++# -- Define Startup Probe for container: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes ++# eg. ++# `startupProbe: ++# exec: ++# command: ++# - mycommand ++# - foo ++# initialDelaySeconds: 5 ++# periodSeconds: 5` ++startupProbe: ++ + providers: + kubernetesCRD: + # -- Load Kubernetes IngressRoute provider +@@ -241,6 +255,23 @@ providers: + # By default this Traefik service + # pathOverride: "" + ++ file: ++ # -- Create a file provider ++ enabled: false ++ # -- Allows Traefik to automatically watch for file changes ++ watch: true ++ # -- File content (YAML format, go template supported) (see https://doc.traefik.io/traefik/providers/file/) ++ content: "" ++ # http: ++ # routers: ++ # router0: ++ # entryPoints: ++ # - web ++ # middlewares: ++ # - my-basic-auth ++ # service: service-foo ++ # rule: Path(`/foo`) ++ + # + # -- Add volumes to the traefik pod. The volume name will be passed to tpl. + # This can be used to mount a cert pair or a configmap that holds a config.toml file. +@@ -487,7 +518,7 @@ metrics: + # -- https://doc.traefik.io/traefik/observability/tracing/overview/ + tracing: {} + # openTelemetry: # traefik v3+ only +-# grpc: {} ++# grpc: true + # insecure: true + # address: localhost:4317 + # instana: +``` + +## 25.0.0 ![AppVersion: v2.10.5](https://img.shields.io/static/v1?label=AppVersion&message=v2.10.5&color=success&logo=) ![Kubernetes: >=1.16.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.16.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2023-10-23 + +* revert: "fix: 🐛 remove old CRDs using traefik.containo.us" +* fix: 🐛 remove old CRDs using traefik.containo.us +* fix: disable ClusterRole and ClusterRoleBinding when not needed +* fix: detect correctly v3 version when using sha in `image.tag` +* fix: allow updateStrategy.rollingUpdate.maxUnavailable to be passed in as an int or string +* fix: add missing separator in crds +* fix: add Prometheus scraping annotations only if serviceMonitor not created +* feat: ✨ add healthcheck ingressRoute +* feat: :boom: support http redirections and http challenges with cert-manager +* feat: :boom: rework and allow update of namespace policy for Gateway +* docs: Fix typo in the default values file +* chore: remove label whitespace at TLSOption +* chore(release): publish v25.0.0 +* chore(deps): update traefik docker tag to v2.10.5 +* chore(deps): update docker.io/helmunittest/helm-unittest docker tag to v3.12.3 +* chore(ci): 🔧 👷 add e2e test when releasing + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index aeec85c..71e377e 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -45,60 +45,60 @@ deployment: + podLabels: {} + # -- Additional containers (e.g. for metric offloading sidecars) + additionalContainers: [] +- # https://docs.datadoghq.com/developers/dogstatsd/unix_socket/?tab=host +- # - name: socat-proxy +- # image: alpine/socat:1.0.5 +- # args: ["-s", "-u", "udp-recv:8125", "unix-sendto:/socket/socket"] +- # volumeMounts: +- # - name: dsdsocket +- # mountPath: /socket ++ # https://docs.datadoghq.com/developers/dogstatsd/unix_socket/?tab=host ++ # - name: socat-proxy ++ # image: alpine/socat:1.0.5 ++ # args: ["-s", "-u", "udp-recv:8125", "unix-sendto:/socket/socket"] ++ # volumeMounts: ++ # - name: dsdsocket ++ # mountPath: /socket + # -- Additional volumes available for use with initContainers and additionalContainers + additionalVolumes: [] +- # - name: dsdsocket +- # hostPath: +- # path: /var/run/statsd-exporter ++ # - name: dsdsocket ++ # hostPath: ++ # path: /var/run/statsd-exporter + # -- Additional initContainers (e.g. for setting file permission as shown below) + initContainers: [] +- # The "volume-permissions" init container is required if you run into permission issues. +- # Related issue: https://github.com/traefik/traefik-helm-chart/issues/396 +- # - name: volume-permissions +- # image: busybox:latest +- # command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"] +- # securityContext: +- # runAsNonRoot: true +- # runAsGroup: 65532 +- # runAsUser: 65532 +- # volumeMounts: +- # - name: data +- # mountPath: /data ++ # The "volume-permissions" init container is required if you run into permission issues. ++ # Related issue: https://github.com/traefik/traefik-helm-chart/issues/396 ++ # - name: volume-permissions ++ # image: busybox:latest ++ # command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"] ++ # securityContext: ++ # runAsNonRoot: true ++ # runAsGroup: 65532 ++ # runAsUser: 65532 ++ # volumeMounts: ++ # - name: data ++ # mountPath: /data + # -- Use process namespace sharing + shareProcessNamespace: false + # -- Custom pod DNS policy. Apply if `hostNetwork: true` + # dnsPolicy: ClusterFirstWithHostNet + dnsConfig: {} +- # nameservers: +- # - 192.0.2.1 # this is an example +- # searches: +- # - ns1.svc.cluster-domain.example +- # - my.dns.search.suffix +- # options: +- # - name: ndots +- # value: "2" +- # - name: edns0 ++ # nameservers: ++ # - 192.0.2.1 # this is an example ++ # searches: ++ # - ns1.svc.cluster-domain.example ++ # - my.dns.search.suffix ++ # options: ++ # - name: ndots ++ # value: "2" ++ # - name: edns0 + # -- Additional imagePullSecrets + imagePullSecrets: [] +- # - name: myRegistryKeySecretName ++ # - name: myRegistryKeySecretName + # -- Pod lifecycle actions + lifecycle: {} +- # preStop: +- # exec: +- # command: ["/bin/sh", "-c", "sleep 40"] +- # postStart: +- # httpGet: +- # path: /ping +- # port: 9000 +- # host: localhost +- # scheme: HTTP ++ # preStop: ++ # exec: ++ # command: ["/bin/sh", "-c", "sleep 40"] ++ # postStart: ++ # httpGet: ++ # path: /ping ++ # port: 9000 ++ # host: localhost ++ # scheme: HTTP + + # -- Pod disruption budget + podDisruptionBudget: +@@ -116,9 +116,9 @@ ingressClass: + + # Traefik experimental features + experimental: +- #This value is no longer used, set the image.tag to a semver higher than 3.0, e.g. "v3.0.0-beta3" +- #v3: +- # -- Enable traefik version 3 ++ # This value is no longer used, set the image.tag to a semver higher than 3.0, e.g. "v3.0.0-beta3" ++ # v3: ++ # -- Enable traefik version 3 + # enabled: false + plugins: + # -- Enable traefik experimental plugins +@@ -126,9 +126,9 @@ experimental: + kubernetesGateway: + # -- Enable traefik experimental GatewayClass CRD + enabled: false +- gateway: +- # -- Enable traefik regular kubernetes gateway +- enabled: true ++ ## Routes are restricted to namespace of the gateway by default. ++ ## https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.FromNamespaces ++ # namespacePolicy: All + # certificate: + # group: "core" + # kind: "Secret" +@@ -159,6 +159,22 @@ ingressRoute: + middlewares: [] + # -- TLS options (e.g. secret containing certificate) + tls: {} ++ healthcheck: ++ # -- Create an IngressRoute for the healthcheck probe ++ enabled: false ++ # -- Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class) ++ annotations: {} ++ # -- Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels) ++ labels: {} ++ # -- The router match rule used for the healthcheck ingressRoute ++ matchRule: PathPrefix(`/ping`) ++ # -- Specify the allowed entrypoints to use for the healthcheck ingress route, (e.g. traefik, web, websecure). ++ # By default, it's using traefik entrypoint, which is not exposed. ++ entryPoints: ["traefik"] ++ # -- Additional ingressRoute middlewares (e.g. for authentication) ++ middlewares: [] ++ # -- TLS options (e.g. secret containing certificate) ++ tls: {} + + updateStrategy: + # -- Customize updateStrategy: RollingUpdate or OnDelete +@@ -204,10 +220,10 @@ providers: + # labelSelector: environment=production,method=traefik + # -- Array of namespaces to watch. If left empty, Traefik watches all namespaces. + namespaces: [] +- # - "default" ++ # - "default" + + kubernetesIngress: +- # -- Load Kubernetes IngressRoute provider ++ # -- Load Kubernetes Ingress provider + enabled: true + # -- Allows to reference ExternalName services in Ingress + allowExternalNameServices: false +@@ -217,7 +233,7 @@ providers: + # labelSelector: environment=production,method=traefik + # -- Array of namespaces to watch. If left empty, Traefik watches all namespaces. + namespaces: [] +- # - "default" ++ # - "default" + # IP used for Kubernetes Ingress endpoints + publishedService: + enabled: false +@@ -243,9 +259,9 @@ volumes: [] + + # -- Additional volumeMounts to add to the Traefik container + additionalVolumeMounts: [] +- # -- For instance when using a logshipper for access logs +- # - name: traefik-logs +- # mountPath: /var/log/traefik ++# -- For instance when using a logshipper for access logs ++# - name: traefik-logs ++# mountPath: /var/log/traefik + + logs: + general: +@@ -270,26 +286,26 @@ logs: + ## Filtering + # -- https://docs.traefik.io/observability/access-logs/#filtering + filters: {} +- # statuscodes: "200,300-302" +- # retryattempts: true +- # minduration: 10ms ++ # statuscodes: "200,300-302" ++ # retryattempts: true ++ # minduration: 10ms + fields: + general: + # -- Available modes: keep, drop, redact. + defaultmode: keep + # -- Names of the fields to limit. + names: {} +- ## Examples: +- # ClientUsername: drop ++ ## Examples: ++ # ClientUsername: drop + headers: + # -- Available modes: keep, drop, redact. + defaultmode: drop + # -- Names of the headers to limit. + names: {} +- ## Examples: +- # User-Agent: redact +- # Authorization: drop +- # Content-Type: keep ++ ## Examples: ++ # User-Agent: redact ++ # Authorization: drop ++ # Content-Type: keep + + metrics: + ## -- Prometheus is enabled by default. +@@ -308,118 +324,118 @@ metrics: + ## When manualRouting is true, it disables the default internal router in + ## order to allow creating a custom router for prometheus@internal service. + # manualRouting: true +-# datadog: +-# ## Address instructs exporter to send metrics to datadog-agent at this address. +-# address: "127.0.0.1:8125" +-# ## The interval used by the exporter to push metrics to datadog-agent. Default=10s +-# # pushInterval: 30s +-# ## The prefix to use for metrics collection. Default="traefik" +-# # prefix: traefik +-# ## Enable metrics on entry points. Default=true +-# # addEntryPointsLabels: false +-# ## Enable metrics on routers. Default=false +-# # addRoutersLabels: true +-# ## Enable metrics on services. Default=true +-# # addServicesLabels: false +-# influxdb: +-# ## Address instructs exporter to send metrics to influxdb at this address. +-# address: localhost:8089 +-# ## InfluxDB's address protocol (udp or http). Default="udp" +-# protocol: udp +-# ## InfluxDB database used when protocol is http. Default="" +-# # database: "" +-# ## InfluxDB retention policy used when protocol is http. Default="" +-# # retentionPolicy: "" +-# ## InfluxDB username (only with http). Default="" +-# # username: "" +-# ## InfluxDB password (only with http). Default="" +-# # password: "" +-# ## The interval used by the exporter to push metrics to influxdb. Default=10s +-# # pushInterval: 30s +-# ## Additional labels (influxdb tags) on all metrics. +-# # additionalLabels: +-# # env: production +-# # foo: bar +-# ## Enable metrics on entry points. Default=true +-# # addEntryPointsLabels: false +-# ## Enable metrics on routers. Default=false +-# # addRoutersLabels: true +-# ## Enable metrics on services. Default=true +-# # addServicesLabels: false +-# influxdb2: +-# ## Address instructs exporter to send metrics to influxdb v2 at this address. +-# address: localhost:8086 +-# ## Token with which to connect to InfluxDB v2. +-# token: xxx +-# ## Organisation where metrics will be stored. +-# org: "" +-# ## Bucket where metrics will be stored. +-# bucket: "" +-# ## The interval used by the exporter to push metrics to influxdb. Default=10s +-# # pushInterval: 30s +-# ## Additional labels (influxdb tags) on all metrics. +-# # additionalLabels: +-# # env: production +-# # foo: bar +-# ## Enable metrics on entry points. Default=true +-# # addEntryPointsLabels: false +-# ## Enable metrics on routers. Default=false +-# # addRoutersLabels: true +-# ## Enable metrics on services. Default=true +-# # addServicesLabels: false +-# statsd: +-# ## Address instructs exporter to send metrics to statsd at this address. +-# address: localhost:8125 +-# ## The interval used by the exporter to push metrics to influxdb. Default=10s +-# # pushInterval: 30s +-# ## The prefix to use for metrics collection. Default="traefik" +-# # prefix: traefik +-# ## Enable metrics on entry points. Default=true +-# # addEntryPointsLabels: false +-# ## Enable metrics on routers. Default=false +-# # addRoutersLabels: true +-# ## Enable metrics on services. Default=true +-# # addServicesLabels: false +-# openTelemetry: +-# ## Address of the OpenTelemetry Collector to send metrics to. +-# address: "localhost:4318" +-# ## Enable metrics on entry points. +-# addEntryPointsLabels: true +-# ## Enable metrics on routers. +-# addRoutersLabels: true +-# ## Enable metrics on services. +-# addServicesLabels: true +-# ## Explicit boundaries for Histogram data points. +-# explicitBoundaries: +-# - "0.1" +-# - "0.3" +-# - "1.2" +-# - "5.0" +-# ## Additional headers sent with metrics by the reporter to the OpenTelemetry Collector. +-# headers: +-# foo: bar +-# test: test +-# ## Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol. +-# insecure: true +-# ## Interval at which metrics are sent to the OpenTelemetry Collector. +-# pushInterval: 10s +-# ## Allows to override the default URL path used for sending metrics. This option has no effect when using gRPC transport. +-# path: /foo/v1/traces +-# ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector. +-# tls: +-# ## The path to the certificate authority, it defaults to the system bundle. +-# ca: path/to/ca.crt +-# ## The path to the public certificate. When using this option, setting the key option is required. +-# cert: path/to/foo.cert +-# ## The path to the private key. When using this option, setting the cert option is required. +-# key: path/to/key.key +-# ## If set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. +-# insecureSkipVerify: true +-# ## This instructs the reporter to send metrics to the OpenTelemetry Collector using gRPC. +-# grpc: true +- +-## -- enable optional CRDs for Prometheus Operator +-## ++ # datadog: ++ # ## Address instructs exporter to send metrics to datadog-agent at this address. ++ # address: "127.0.0.1:8125" ++ # ## The interval used by the exporter to push metrics to datadog-agent. Default=10s ++ # # pushInterval: 30s ++ # ## The prefix to use for metrics collection. Default="traefik" ++ # # prefix: traefik ++ # ## Enable metrics on entry points. Default=true ++ # # addEntryPointsLabels: false ++ # ## Enable metrics on routers. Default=false ++ # # addRoutersLabels: true ++ # ## Enable metrics on services. Default=true ++ # # addServicesLabels: false ++ # influxdb: ++ # ## Address instructs exporter to send metrics to influxdb at this address. ++ # address: localhost:8089 ++ # ## InfluxDB's address protocol (udp or http). Default="udp" ++ # protocol: udp ++ # ## InfluxDB database used when protocol is http. Default="" ++ # # database: "" ++ # ## InfluxDB retention policy used when protocol is http. Default="" ++ # # retentionPolicy: "" ++ # ## InfluxDB username (only with http). Default="" ++ # # username: "" ++ # ## InfluxDB password (only with http). Default="" ++ # # password: "" ++ # ## The interval used by the exporter to push metrics to influxdb. Default=10s ++ # # pushInterval: 30s ++ # ## Additional labels (influxdb tags) on all metrics. ++ # # additionalLabels: ++ # # env: production ++ # # foo: bar ++ # ## Enable metrics on entry points. Default=true ++ # # addEntryPointsLabels: false ++ # ## Enable metrics on routers. Default=false ++ # # addRoutersLabels: true ++ # ## Enable metrics on services. Default=true ++ # # addServicesLabels: false ++ # influxdb2: ++ # ## Address instructs exporter to send metrics to influxdb v2 at this address. ++ # address: localhost:8086 ++ # ## Token with which to connect to InfluxDB v2. ++ # token: xxx ++ # ## Organisation where metrics will be stored. ++ # org: "" ++ # ## Bucket where metrics will be stored. ++ # bucket: "" ++ # ## The interval used by the exporter to push metrics to influxdb. Default=10s ++ # # pushInterval: 30s ++ # ## Additional labels (influxdb tags) on all metrics. ++ # # additionalLabels: ++ # # env: production ++ # # foo: bar ++ # ## Enable metrics on entry points. Default=true ++ # # addEntryPointsLabels: false ++ # ## Enable metrics on routers. Default=false ++ # # addRoutersLabels: true ++ # ## Enable metrics on services. Default=true ++ # # addServicesLabels: false ++ # statsd: ++ # ## Address instructs exporter to send metrics to statsd at this address. ++ # address: localhost:8125 ++ # ## The interval used by the exporter to push metrics to influxdb. Default=10s ++ # # pushInterval: 30s ++ # ## The prefix to use for metrics collection. Default="traefik" ++ # # prefix: traefik ++ # ## Enable metrics on entry points. Default=true ++ # # addEntryPointsLabels: false ++ # ## Enable metrics on routers. Default=false ++ # # addRoutersLabels: true ++ # ## Enable metrics on services. Default=true ++ # # addServicesLabels: false ++ # openTelemetry: ++ # ## Address of the OpenTelemetry Collector to send metrics to. ++ # address: "localhost:4318" ++ # ## Enable metrics on entry points. ++ # addEntryPointsLabels: true ++ # ## Enable metrics on routers. ++ # addRoutersLabels: true ++ # ## Enable metrics on services. ++ # addServicesLabels: true ++ # ## Explicit boundaries for Histogram data points. ++ # explicitBoundaries: ++ # - "0.1" ++ # - "0.3" ++ # - "1.2" ++ # - "5.0" ++ # ## Additional headers sent with metrics by the reporter to the OpenTelemetry Collector. ++ # headers: ++ # foo: bar ++ # test: test ++ # ## Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol. ++ # insecure: true ++ # ## Interval at which metrics are sent to the OpenTelemetry Collector. ++ # pushInterval: 10s ++ # ## Allows to override the default URL path used for sending metrics. This option has no effect when using gRPC transport. ++ # path: /foo/v1/traces ++ # ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector. ++ # tls: ++ # ## The path to the certificate authority, it defaults to the system bundle. ++ # ca: path/to/ca.crt ++ # ## The path to the public certificate. When using this option, setting the key option is required. ++ # cert: path/to/foo.cert ++ # ## The path to the private key. When using this option, setting the cert option is required. ++ # key: path/to/key.key ++ # ## If set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. ++ # insecureSkipVerify: true ++ # ## This instructs the reporter to send metrics to the OpenTelemetry Collector using gRPC. ++ # grpc: true ++ ++ ## -- enable optional CRDs for Prometheus Operator ++ ## + ## Create a dedicated metrics service for use with ServiceMonitor + # service: + # enabled: false +@@ -470,55 +486,55 @@ metrics: + ## Tracing + # -- https://doc.traefik.io/traefik/observability/tracing/overview/ + tracing: {} +- # openTelemetry: # traefik v3+ only +- # grpc: {} +- # insecure: true +- # address: localhost:4317 +- # instana: +- # localAgentHost: 127.0.0.1 +- # localAgentPort: 42699 +- # logLevel: info +- # enableAutoProfile: true +- # datadog: +- # localAgentHostPort: 127.0.0.1:8126 +- # debug: false +- # globalTag: "" +- # prioritySampling: false +- # jaeger: +- # samplingServerURL: http://localhost:5778/sampling +- # samplingType: const +- # samplingParam: 1.0 +- # localAgentHostPort: 127.0.0.1:6831 +- # gen128Bit: false +- # propagation: jaeger +- # traceContextHeaderName: uber-trace-id +- # disableAttemptReconnecting: true +- # collector: +- # endpoint: "" +- # user: "" +- # password: "" +- # zipkin: +- # httpEndpoint: http://localhost:9411/api/v2/spans +- # sameSpan: false +- # id128Bit: true +- # sampleRate: 1.0 +- # haystack: +- # localAgentHost: 127.0.0.1 +- # localAgentPort: 35000 +- # globalTag: "" +- # traceIDHeaderName: "" +- # parentIDHeaderName: "" +- # spanIDHeaderName: "" +- # baggagePrefixHeaderName: "" +- # elastic: +- # serverURL: http://localhost:8200 +- # secretToken: "" +- # serviceEnvironment: "" ++# openTelemetry: # traefik v3+ only ++# grpc: {} ++# insecure: true ++# address: localhost:4317 ++# instana: ++# localAgentHost: 127.0.0.1 ++# localAgentPort: 42699 ++# logLevel: info ++# enableAutoProfile: true ++# datadog: ++# localAgentHostPort: 127.0.0.1:8126 ++# debug: false ++# globalTag: "" ++# prioritySampling: false ++# jaeger: ++# samplingServerURL: http://localhost:5778/sampling ++# samplingType: const ++# samplingParam: 1.0 ++# localAgentHostPort: 127.0.0.1:6831 ++# gen128Bit: false ++# propagation: jaeger ++# traceContextHeaderName: uber-trace-id ++# disableAttemptReconnecting: true ++# collector: ++# endpoint: "" ++# user: "" ++# password: "" ++# zipkin: ++# httpEndpoint: http://localhost:9411/api/v2/spans ++# sameSpan: false ++# id128Bit: true ++# sampleRate: 1.0 ++# haystack: ++# localAgentHost: 127.0.0.1 ++# localAgentPort: 35000 ++# globalTag: "" ++# traceIDHeaderName: "" ++# parentIDHeaderName: "" ++# spanIDHeaderName: "" ++# baggagePrefixHeaderName: "" ++# elastic: ++# serverURL: http://localhost:8200 ++# secretToken: "" ++# serviceEnvironment: "" + + # -- Global command arguments to be passed to all traefik's pods + globalArguments: +- - "--global.checknewversion" +- - "--global.sendanonymoususage" ++- "--global.checknewversion" ++- "--global.sendanonymoususage" + + # + # Configure Traefik static configuration +@@ -531,14 +547,14 @@ additionalArguments: [] + + # -- Environment variables to be passed to Traefik's binary + env: +- - name: POD_NAME +- valueFrom: +- fieldRef: +- fieldPath: metadata.name +- - name: POD_NAMESPACE +- valueFrom: +- fieldRef: +- fieldPath: metadata.namespace ++- name: POD_NAME ++ valueFrom: ++ fieldRef: ++ fieldPath: metadata.name ++- name: POD_NAMESPACE ++ valueFrom: ++ fieldRef: ++ fieldPath: metadata.namespace + # - name: SOME_VAR + # value: some-var-value + # - name: SOME_VAR_FROM_CONFIG_MAP +@@ -600,7 +616,10 @@ ports: + # Port Redirections + # Added in 2.2, you can make permanent redirects via entrypoints. + # https://docs.traefik.io/routing/entrypoints/#redirection +- # redirectTo: websecure ++ # redirectTo: ++ # port: websecure ++ # (Optional) ++ # priority: 10 + # + # Trust forwarded headers information (X-Forwarded-*). + # forwardedHeaders: +@@ -638,14 +657,14 @@ ports: + # advertisedPort: 4443 + # + ## -- Trust forwarded headers information (X-Forwarded-*). +- #forwardedHeaders: +- # trustedIPs: [] +- # insecure: false ++ # forwardedHeaders: ++ # trustedIPs: [] ++ # insecure: false + # + ## -- Enable the Proxy Protocol header parsing for the entry point +- #proxyProtocol: +- # trustedIPs: [] +- # insecure: false ++ # proxyProtocol: ++ # trustedIPs: [] ++ # insecure: false + # + ## Set TLS at the entrypoint + ## https://doc.traefik.io/traefik/routing/entrypoints/#tls +@@ -728,16 +747,16 @@ service: + # -- Additional entries here will be added to the service spec. + # -- Cannot contain type, selector or ports entries. + spec: {} +- # externalTrafficPolicy: Cluster +- # loadBalancerIP: "1.2.3.4" +- # clusterIP: "2.3.4.5" ++ # externalTrafficPolicy: Cluster ++ # loadBalancerIP: "1.2.3.4" ++ # clusterIP: "2.3.4.5" + loadBalancerSourceRanges: [] +- # - 192.168.0.1/32 +- # - 172.16.0.0/16 ++ # - 192.168.0.1/32 ++ # - 172.16.0.0/16 + ## -- Class of the load balancer implementation + # loadBalancerClass: service.k8s.aws/nlb + externalIPs: [] +- # - 1.2.3.4 ++ # - 1.2.3.4 + ## One of SingleStack, PreferDualStack, or RequireDualStack. + # ipFamilyPolicy: SingleStack + ## List of IP families (e.g. IPv4 and/or IPv6). +@@ -789,7 +808,7 @@ persistence: + # It can be used to store TLS certificates, see `storage` in certResolvers + enabled: false + name: data +-# existingClaim: "" ++ # existingClaim: "" + accessMode: ReadWriteOnce + size: 128Mi + # storageClass: "" +@@ -852,12 +871,12 @@ serviceAccountAnnotations: {} + + # -- The resources parameter defines CPU and memory requirements and limits for Traefik's containers. + resources: {} +- # requests: +- # cpu: "100m" +- # memory: "50Mi" +- # limits: +- # cpu: "300m" +- # memory: "150Mi" ++# requests: ++# cpu: "100m" ++# memory: "50Mi" ++# limits: ++# cpu: "300m" ++# memory: "150Mi" + + # -- This example pod anti-affinity forces the scheduler to put traefik pods + # -- on nodes where no other traefik pods are scheduled. +``` + +## 24.0.0 ![AppVersion: v2.10.4](https://img.shields.io/static/v1?label=AppVersion&message=v2.10.4&color=success&logo=) ![Kubernetes: >=1.16.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.16.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2023-08-10 + +* fix: 💥 BREAKING CHANGE on healthchecks and traefik port +* fix: tracing.opentelemetry.tls is optional for all values +* fix: http3 support broken when advertisedPort set +* feat: multi namespace RBAC manifests +* chore(tests): 🔧 fix typo on tracing test +* chore(release): 🚀 publish v24.0.0 +* chore(deps): update docker.io/helmunittest/helm-unittest docker tag to v3.12.2 + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 947ba56..aeec85c 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -28,6 +28,13 @@ deployment: + terminationGracePeriodSeconds: 60 + # -- The minimum number of seconds Traefik needs to be up and running before the DaemonSet/Deployment controller considers it available + minReadySeconds: 0 ++ ## Override the liveness/readiness port. This is useful to integrate traefik ++ ## with an external Load Balancer that performs healthchecks. ++ ## Default: ports.traefik.port ++ # healthchecksPort: 9000 ++ ## Override the liveness/readiness scheme. Useful for getting ping to ++ ## respond on websecure entryPoint. ++ # healthchecksScheme: HTTPS + # -- Additional deployment annotations (e.g. for jaeger-operator sidecar injection) + annotations: {} + # -- Additional deployment labels (e.g. for filtering deployment by custom labels) +@@ -112,7 +119,7 @@ experimental: + #This value is no longer used, set the image.tag to a semver higher than 3.0, e.g. "v3.0.0-beta3" + #v3: + # -- Enable traefik version 3 +- # enabled: false ++ # enabled: false + plugins: + # -- Enable traefik experimental plugins + enabled: false +@@ -564,15 +571,6 @@ ports: + # only. + # hostIP: 192.168.100.10 + +- # Override the liveness/readiness port. This is useful to integrate traefik +- # with an external Load Balancer that performs healthchecks. +- # Default: ports.traefik.port +- # healthchecksPort: 9000 +- +- # Override the liveness/readiness scheme. Useful for getting ping to +- # respond on websecure entryPoint. +- # healthchecksScheme: HTTPS +- + # Defines whether the port is exposed if service.type is LoadBalancer or + # NodePort. + # +@@ -877,7 +875,7 @@ affinity: {} + nodeSelector: {} + # -- Tolerations allow the scheduler to schedule pods with matching taints. + tolerations: [] +-# -- You can use topology spread constraints to control ++# -- You can use topology spread constraints to control + # how Pods are spread across your cluster among failure-domains. + topologySpreadConstraints: [] + # This example topologySpreadConstraints forces the scheduler to put traefik pods +``` + +## 23.2.0 ![AppVersion: v2.10.4](https://img.shields.io/static/v1?label=AppVersion&message=v2.10.4&color=success&logo=) ![Kubernetes: >=1.16.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.16.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2023-07-27 + +* ⬆️ Upgrade traefik Docker tag to v2.10.3 +* release: :rocket: publish v23.2.0 +* fix: 🐛 update traefik.containo.us CRDs to v2.10 +* fix: 🐛 traefik or metrics port can be disabled +* fix: ingressclass name should be customizable (#864) +* feat: ✨ add support for traefik v3.0.0-beta3 and openTelemetry +* feat: disable allowPrivilegeEscalation +* feat: add pod_name as default in values.yaml +* chore(tests): 🔧 use more accurate asserts on refactor'd isNull test +* chore(deps): update traefik docker tag to v2.10.4 +* chore(deps): update docker.io/helmunittest/helm-unittest docker tag to v3.11.3 + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 345bbd8..947ba56 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -105,12 +105,14 @@ podDisruptionBudget: + ingressClass: + enabled: true + isDefaultClass: true ++ # name: my-custom-class + + # Traefik experimental features + experimental: +- v3: ++ #This value is no longer used, set the image.tag to a semver higher than 3.0, e.g. "v3.0.0-beta3" ++ #v3: + # -- Enable traefik version 3 +- enabled: false ++ # enabled: false + plugins: + # -- Enable traefik experimental plugins + enabled: false +@@ -461,6 +463,10 @@ metrics: + ## Tracing + # -- https://doc.traefik.io/traefik/observability/tracing/overview/ + tracing: {} ++ # openTelemetry: # traefik v3+ only ++ # grpc: {} ++ # insecure: true ++ # address: localhost:4317 + # instana: + # localAgentHost: 127.0.0.1 + # localAgentPort: 42699 +@@ -517,7 +523,15 @@ additionalArguments: [] + # - "--log.level=DEBUG" + + # -- Environment variables to be passed to Traefik's binary +-env: [] ++env: ++ - name: POD_NAME ++ valueFrom: ++ fieldRef: ++ fieldPath: metadata.name ++ - name: POD_NAMESPACE ++ valueFrom: ++ fieldRef: ++ fieldPath: metadata.namespace + # - name: SOME_VAR + # value: some-var-value + # - name: SOME_VAR_FROM_CONFIG_MAP +@@ -563,7 +577,7 @@ ports: + # NodePort. + # + # -- You SHOULD NOT expose the traefik port on production deployments. +- # If you want to access it from outside of your cluster, ++ # If you want to access it from outside your cluster, + # use `kubectl port-forward` or create a secure ingress + expose: false + # -- The exposed port for this service +@@ -571,7 +585,7 @@ ports: + # -- The port protocol (TCP/UDP) + protocol: TCP + web: +- ## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicity set an entrypoint it will only use this entrypoint. ++ ## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicitly set an entrypoint it will only use this entrypoint. + # asDefault: true + port: 8000 + # hostPort: 8000 +@@ -600,7 +614,7 @@ ports: + # trustedIPs: [] + # insecure: false + websecure: +- ## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicity set an entrypoint it will only use this entrypoint. ++ ## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicitly set an entrypoint it will only use this entrypoint. + # asDefault: true + port: 8443 + # hostPort: 8443 +@@ -666,7 +680,7 @@ ports: + # NodePort. + # + # -- You may not want to expose the metrics port on production deployments. +- # If you want to access it from outside of your cluster, ++ # If you want to access it from outside your cluster, + # use `kubectl port-forward` or create a secure ingress + expose: false + # -- The exposed port for this service +@@ -880,14 +894,15 @@ topologySpreadConstraints: [] + priorityClassName: "" + + # -- Set the container security context +-# -- To run the container with ports below 1024 this will need to be adjust to run as root ++# -- To run the container with ports below 1024 this will need to be adjusted to run as root + securityContext: + capabilities: + drop: [ALL] + readOnlyRootFilesystem: true ++ allowPrivilegeEscalation: false + + podSecurityContext: +- # /!\ When setting fsGroup, Kubernetes will recursively changes ownership and ++ # /!\ When setting fsGroup, Kubernetes will recursively change ownership and + # permissions for the contents of each volume to match the fsGroup. This can + # be an issue when storing sensitive content like TLS Certificates /!\ + # fsGroup: 65532 +``` + +## 23.1.0 ![AppVersion: v2.10.1](https://img.shields.io/static/v1?label=AppVersion&message=v2.10.1&color=success&logo=) ![Kubernetes: >=1.16.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.16.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2023-06-06 + +* release: 🚀 publish v23.1.0 +* fix: 🐛 use k8s version for hpa api version +* fix: 🐛 http3 support on traefik v3 +* fix: use `targetPort` instead of `port` on ServiceMonitor +* feat: ➖ remove Traefik Hub v1 integration +* feat: ✨ add a warning when labelSelector don't match +* feat: common labels for all resources +* feat: allow specifying service loadBalancerClass +* feat: add optional `appProtocol` field on Service ports +* doc: added values README via helm-docs cli + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 71273cc..345bbd8 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -1,70 +1,56 @@ + # Default values for Traefik + image: ++ # -- Traefik image host registry + registry: docker.io ++ # -- Traefik image repository + repository: traefik +- # defaults to appVersion ++ # -- defaults to appVersion + tag: "" ++ # -- Traefik image pull policy + pullPolicy: IfNotPresent + +-# +-# Configure integration with Traefik Hub +-# +-hub: +- ## Enabling Hub will: +- # * enable Traefik Hub integration on Traefik +- # * add `traefikhub-tunl` endpoint +- # * enable Prometheus metrics with addRoutersLabels +- # * enable allowExternalNameServices on KubernetesIngress provider +- # * enable allowCrossNamespace on KubernetesCRD provider +- # * add an internal (ClusterIP) Service, dedicated for Traefik Hub +- enabled: false +- ## Default port can be changed +- # tunnelPort: 9901 +- ## TLS is optional. Insecure is mutually exclusive with any other options +- # tls: +- # insecure: false +- # ca: "/path/to/ca.pem" +- # cert: "/path/to/cert.pem" +- # key: "/path/to/key.pem" ++# -- Add additional label to all resources ++commonLabels: {} + + # + # Configure the deployment + # + deployment: ++ # -- Enable deployment + enabled: true +- # Can be either Deployment or DaemonSet ++ # -- Deployment or DaemonSet + kind: Deployment +- # Number of pods of the deployment (only applies when kind == Deployment) ++ # -- Number of pods of the deployment (only applies when kind == Deployment) + replicas: 1 +- # Number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10) ++ # -- Number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10) + # revisionHistoryLimit: 1 +- # Amount of time (in seconds) before Kubernetes will send the SIGKILL signal if Traefik does not shut down ++ # -- Amount of time (in seconds) before Kubernetes will send the SIGKILL signal if Traefik does not shut down + terminationGracePeriodSeconds: 60 +- # The minimum number of seconds Traefik needs to be up and running before the DaemonSet/Deployment controller considers it available ++ # -- The minimum number of seconds Traefik needs to be up and running before the DaemonSet/Deployment controller considers it available + minReadySeconds: 0 +- # Additional deployment annotations (e.g. for jaeger-operator sidecar injection) ++ # -- Additional deployment annotations (e.g. for jaeger-operator sidecar injection) + annotations: {} +- # Additional deployment labels (e.g. for filtering deployment by custom labels) ++ # -- Additional deployment labels (e.g. for filtering deployment by custom labels) + labels: {} +- # Additional pod annotations (e.g. for mesh injection or prometheus scraping) ++ # -- Additional pod annotations (e.g. for mesh injection or prometheus scraping) + podAnnotations: {} +- # Additional Pod labels (e.g. for filtering Pod by custom labels) ++ # -- Additional Pod labels (e.g. for filtering Pod by custom labels) + podLabels: {} +- # Additional containers (e.g. for metric offloading sidecars) ++ # -- Additional containers (e.g. for metric offloading sidecars) + additionalContainers: [] + # https://docs.datadoghq.com/developers/dogstatsd/unix_socket/?tab=host + # - name: socat-proxy +- # image: alpine/socat:1.0.5 +- # args: ["-s", "-u", "udp-recv:8125", "unix-sendto:/socket/socket"] +- # volumeMounts: +- # - name: dsdsocket +- # mountPath: /socket +- # Additional volumes available for use with initContainers and additionalContainers ++ # image: alpine/socat:1.0.5 ++ # args: ["-s", "-u", "udp-recv:8125", "unix-sendto:/socket/socket"] ++ # volumeMounts: ++ # - name: dsdsocket ++ # mountPath: /socket ++ # -- Additional volumes available for use with initContainers and additionalContainers + additionalVolumes: [] + # - name: dsdsocket + # hostPath: + # path: /var/run/statsd-exporter +- # Additional initContainers (e.g. for setting file permission as shown below) ++ # -- Additional initContainers (e.g. for setting file permission as shown below) + initContainers: [] + # The "volume-permissions" init container is required if you run into permission issues. + # Related issue: https://github.com/traefik/traefik-helm-chart/issues/396 +@@ -78,9 +64,9 @@ deployment: + # volumeMounts: + # - name: data + # mountPath: /data +- # Use process namespace sharing ++ # -- Use process namespace sharing + shareProcessNamespace: false +- # Custom pod DNS policy. Apply if `hostNetwork: true` ++ # -- Custom pod DNS policy. Apply if `hostNetwork: true` + # dnsPolicy: ClusterFirstWithHostNet + dnsConfig: {} + # nameservers: +@@ -92,10 +78,10 @@ deployment: + # - name: ndots + # value: "2" + # - name: edns0 +- # Additional imagePullSecrets ++ # -- Additional imagePullSecrets + imagePullSecrets: [] + # - name: myRegistryKeySecretName +- # Pod lifecycle actions ++ # -- Pod lifecycle actions + lifecycle: {} + # preStop: + # exec: +@@ -107,7 +93,7 @@ deployment: + # host: localhost + # scheme: HTTP + +-# Pod disruption budget ++# -- Pod disruption budget + podDisruptionBudget: + enabled: false + # maxUnavailable: 1 +@@ -115,93 +101,112 @@ podDisruptionBudget: + # minAvailable: 0 + # minAvailable: 25% + +-# Create a default IngressClass for Traefik ++# -- Create a default IngressClass for Traefik + ingressClass: + enabled: true + isDefaultClass: true + +-# Enable experimental features ++# Traefik experimental features + experimental: + v3: ++ # -- Enable traefik version 3 + enabled: false + plugins: ++ # -- Enable traefik experimental plugins + enabled: false + kubernetesGateway: ++ # -- Enable traefik experimental GatewayClass CRD + enabled: false + gateway: ++ # -- Enable traefik regular kubernetes gateway + enabled: true + # certificate: + # group: "core" + # kind: "Secret" + # name: "mysecret" +- # By default, Gateway would be created to the Namespace you are deploying Traefik to. ++ # -- By default, Gateway would be created to the Namespace you are deploying Traefik to. + # You may create that Gateway in another namespace, setting its name below: + # namespace: default + # Additional gateway annotations (e.g. for cert-manager.io/issuer) + # annotations: + # cert-manager.io/issuer: letsencrypt + +-# Create an IngressRoute for the dashboard ++## Create an IngressRoute for the dashboard + ingressRoute: + dashboard: ++ # -- Create an IngressRoute for the dashboard + enabled: true +- # Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class) ++ # -- Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class) + annotations: {} +- # Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels) ++ # -- Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels) + labels: {} +- # The router match rule used for the dashboard ingressRoute ++ # -- The router match rule used for the dashboard ingressRoute + matchRule: PathPrefix(`/dashboard`) || PathPrefix(`/api`) +- # Specify the allowed entrypoints to use for the dashboard ingress route, (e.g. traefik, web, websecure). ++ # -- Specify the allowed entrypoints to use for the dashboard ingress route, (e.g. traefik, web, websecure). + # By default, it's using traefik entrypoint, which is not exposed. + # /!\ Do not expose your dashboard without any protection over the internet /!\ + entryPoints: ["traefik"] +- # Additional ingressRoute middlewares (e.g. for authentication) ++ # -- Additional ingressRoute middlewares (e.g. for authentication) + middlewares: [] +- # TLS options (e.g. secret containing certificate) ++ # -- TLS options (e.g. secret containing certificate) + tls: {} + +-# Customize updateStrategy of traefik pods + updateStrategy: ++ # -- Customize updateStrategy: RollingUpdate or OnDelete + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 + +-# Customize liveness and readiness probe values. + readinessProbe: ++ # -- The number of consecutive failures allowed before considering the probe as failed. + failureThreshold: 1 ++ # -- The number of seconds to wait before starting the first probe. + initialDelaySeconds: 2 ++ # -- The number of seconds to wait between consecutive probes. + periodSeconds: 10 ++ # -- The minimum consecutive successes required to consider the probe successful. + successThreshold: 1 ++ # -- The number of seconds to wait for a probe response before considering it as failed. + timeoutSeconds: 2 +- + livenessProbe: ++ # -- The number of consecutive failures allowed before considering the probe as failed. + failureThreshold: 3 ++ # -- The number of seconds to wait before starting the first probe. + initialDelaySeconds: 2 ++ # -- The number of seconds to wait between consecutive probes. + periodSeconds: 10 ++ # -- The minimum consecutive successes required to consider the probe successful. + successThreshold: 1 ++ # -- The number of seconds to wait for a probe response before considering it as failed. + timeoutSeconds: 2 + +-# +-# Configure providers +-# + providers: + kubernetesCRD: ++ # -- Load Kubernetes IngressRoute provider + enabled: true ++ # -- Allows IngressRoute to reference resources in namespace other than theirs + allowCrossNamespace: false ++ # -- Allows to reference ExternalName services in IngressRoute + allowExternalNameServices: false ++ # -- Allows to return 503 when there is no endpoints available + allowEmptyServices: false + # ingressClass: traefik-internal + # labelSelector: environment=production,method=traefik ++ # -- Array of namespaces to watch. If left empty, Traefik watches all namespaces. + namespaces: [] + # - "default" + + kubernetesIngress: ++ # -- Load Kubernetes IngressRoute provider + enabled: true ++ # -- Allows to reference ExternalName services in Ingress + allowExternalNameServices: false ++ # -- Allows to return 503 when there is no endpoints available + allowEmptyServices: false + # ingressClass: traefik-internal + # labelSelector: environment=production,method=traefik ++ # -- Array of namespaces to watch. If left empty, Traefik watches all namespaces. + namespaces: [] + # - "default" + # IP used for Kubernetes Ingress endpoints +@@ -212,13 +217,13 @@ providers: + # pathOverride: "" + + # +-# Add volumes to the traefik pod. The volume name will be passed to tpl. ++# -- Add volumes to the traefik pod. The volume name will be passed to tpl. + # This can be used to mount a cert pair or a configmap that holds a config.toml file. + # After the volume has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg: +-# additionalArguments: ++# `additionalArguments: + # - "--providers.file.filename=/config/dynamic.toml" + # - "--ping" +-# - "--ping.entrypoint=web" ++# - "--ping.entrypoint=web"` + volumes: [] + # - name: public-cert + # mountPath: "/certs" +@@ -227,25 +232,22 @@ volumes: [] + # mountPath: "/config" + # type: configMap + +-# Additional volumeMounts to add to the Traefik container ++# -- Additional volumeMounts to add to the Traefik container + additionalVolumeMounts: [] +- # For instance when using a logshipper for access logs ++ # -- For instance when using a logshipper for access logs + # - name: traefik-logs + # mountPath: /var/log/traefik + +-## Logs +-## https://docs.traefik.io/observability/logs/ + logs: +- ## Traefik logs concern everything that happens to Traefik itself (startup, configuration, events, shutdown, and so on). + general: +- # By default, the logs use a text format (common), but you can ++ # -- By default, the logs use a text format (common), but you can + # also ask for the json format in the format option + # format: json + # By default, the level is set to ERROR. +- # Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO. ++ # -- Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO. + level: ERROR + access: +- # To enable access logs ++ # -- To enable access logs + enabled: false + ## By default, logs are written using the Common Log Format (CLF) on stdout. + ## To write logs in JSON, use json in the format option. +@@ -256,21 +258,24 @@ logs: + ## This option represents the number of log lines Traefik will keep in memory before writing + ## them to the selected output. In some cases, this option can greatly help performances. + # bufferingSize: 100 +- ## Filtering https://docs.traefik.io/observability/access-logs/#filtering ++ ## Filtering ++ # -- https://docs.traefik.io/observability/access-logs/#filtering + filters: {} + # statuscodes: "200,300-302" + # retryattempts: true + # minduration: 10ms +- ## Fields +- ## https://docs.traefik.io/observability/access-logs/#limiting-the-fieldsincluding-headers + fields: + general: ++ # -- Available modes: keep, drop, redact. + defaultmode: keep ++ # -- Names of the fields to limit. + names: {} + ## Examples: + # ClientUsername: drop + headers: ++ # -- Available modes: keep, drop, redact. + defaultmode: drop ++ # -- Names of the headers to limit. + names: {} + ## Examples: + # User-Agent: redact +@@ -278,10 +283,10 @@ logs: + # Content-Type: keep + + metrics: +- ## Prometheus is enabled by default. +- ## It can be disabled by setting "prometheus: null" ++ ## -- Prometheus is enabled by default. ++ ## -- It can be disabled by setting "prometheus: null" + prometheus: +- ## Entry point used to expose metrics. ++ # -- Entry point used to expose metrics. + entryPoint: metrics + ## Enable metrics on entry points. Default=true + # addEntryPointsLabels: false +@@ -404,11 +409,9 @@ metrics: + # ## This instructs the reporter to send metrics to the OpenTelemetry Collector using gRPC. + # grpc: true + +-## +-## enable optional CRDs for Prometheus Operator ++## -- enable optional CRDs for Prometheus Operator + ## + ## Create a dedicated metrics service for use with ServiceMonitor +- ## When hub.enabled is set to true, it's not needed: it will use hub service. + # service: + # enabled: false + # labels: {} +@@ -455,6 +458,8 @@ metrics: + # summary: "Traefik Down" + # description: "{{ $labels.pod }} on {{ $labels.nodename }} is down" + ++## Tracing ++# -- https://doc.traefik.io/traefik/observability/tracing/overview/ + tracing: {} + # instana: + # localAgentHost: 127.0.0.1 +@@ -497,20 +502,21 @@ tracing: {} + # secretToken: "" + # serviceEnvironment: "" + ++# -- Global command arguments to be passed to all traefik's pods + globalArguments: + - "--global.checknewversion" + - "--global.sendanonymoususage" + + # + # Configure Traefik static configuration +-# Additional arguments to be passed at Traefik's binary ++# -- Additional arguments to be passed at Traefik's binary + # All available options available on https://docs.traefik.io/reference/static-configuration/cli/ + ## Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"` + additionalArguments: [] + # - "--providers.kubernetesingress.ingressclass=traefik-internal" + # - "--log.level=DEBUG" + +-# Environment variables to be passed to Traefik's binary ++# -- Environment variables to be passed to Traefik's binary + env: [] + # - name: SOME_VAR + # value: some-var-value +@@ -525,22 +531,20 @@ env: [] + # name: secret-name + # key: secret-key + ++# -- Environment variables to be passed to Traefik's binary from configMaps or secrets + envFrom: [] + # - configMapRef: + # name: config-map-name + # - secretRef: + # name: secret-name + +-# Configure ports + ports: +- # The name of this one can't be changed as it is used for the readiness and +- # liveness probes, but you can adjust its config to your liking + traefik: + port: 9000 +- # Use hostPort if set. ++ # -- Use hostPort if set. + # hostPort: 9000 + # +- # Use hostIP if set. If not set, Kubernetes will default to 0.0.0.0, which ++ # -- Use hostIP if set. If not set, Kubernetes will default to 0.0.0.0, which + # means it's listening on all your interfaces and all your IPs. You may want + # to set this value if you need traefik to listen on specific interface + # only. +@@ -558,27 +562,27 @@ ports: + # Defines whether the port is exposed if service.type is LoadBalancer or + # NodePort. + # +- # You SHOULD NOT expose the traefik port on production deployments. ++ # -- You SHOULD NOT expose the traefik port on production deployments. + # If you want to access it from outside of your cluster, + # use `kubectl port-forward` or create a secure ingress + expose: false +- # The exposed port for this service ++ # -- The exposed port for this service + exposedPort: 9000 +- # The port protocol (TCP/UDP) ++ # -- The port protocol (TCP/UDP) + protocol: TCP + web: +- ## Enable this entrypoint as a default entrypoint. When a service doesn't explicity set an entrypoint it will only use this entrypoint. ++ ## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicity set an entrypoint it will only use this entrypoint. + # asDefault: true + port: 8000 + # hostPort: 8000 + # containerPort: 8000 + expose: true + exposedPort: 80 +- ## Different target traefik port on the cluster, useful for IP type LB ++ ## -- Different target traefik port on the cluster, useful for IP type LB + # targetPort: 80 + # The port protocol (TCP/UDP) + protocol: TCP +- # Use nodeport if set. This is useful if you have configured Traefik in a ++ # -- Use nodeport if set. This is useful if you have configured Traefik in a + # LoadBalancer. + # nodePort: 32080 + # Port Redirections +@@ -596,20 +600,22 @@ ports: + # trustedIPs: [] + # insecure: false + websecure: +- ## Enable this entrypoint as a default entrypoint. When a service doesn't explicity set an entrypoint it will only use this entrypoint. ++ ## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicity set an entrypoint it will only use this entrypoint. + # asDefault: true + port: 8443 + # hostPort: 8443 + # containerPort: 8443 + expose: true + exposedPort: 443 +- ## Different target traefik port on the cluster, useful for IP type LB ++ ## -- Different target traefik port on the cluster, useful for IP type LB + # targetPort: 80 +- ## The port protocol (TCP/UDP) ++ ## -- The port protocol (TCP/UDP) + protocol: TCP + # nodePort: 32443 ++ ## -- Specify an application protocol. This may be used as a hint for a Layer 7 load balancer. ++ # appProtocol: https + # +- ## Enable HTTP/3 on the entrypoint ++ ## -- Enable HTTP/3 on the entrypoint + ## Enabling it will also enable http3 experimental feature + ## https://doc.traefik.io/traefik/routing/entrypoints/#http3 + ## There are known limitations when trying to listen on same ports for +@@ -619,12 +625,12 @@ ports: + enabled: false + # advertisedPort: 4443 + # +- ## Trust forwarded headers information (X-Forwarded-*). ++ ## -- Trust forwarded headers information (X-Forwarded-*). + #forwardedHeaders: + # trustedIPs: [] + # insecure: false + # +- ## Enable the Proxy Protocol header parsing for the entry point ++ ## -- Enable the Proxy Protocol header parsing for the entry point + #proxyProtocol: + # trustedIPs: [] + # insecure: false +@@ -642,33 +648,33 @@ ports: + # - foo.example.com + # - bar.example.com + # +- # One can apply Middlewares on an entrypoint ++ # -- One can apply Middlewares on an entrypoint + # https://doc.traefik.io/traefik/middlewares/overview/ + # https://doc.traefik.io/traefik/routing/entrypoints/#middlewares +- # /!\ It introduces here a link between your static configuration and your dynamic configuration /!\ ++ # -- /!\ It introduces here a link between your static configuration and your dynamic configuration /!\ + # It follows the provider naming convention: https://doc.traefik.io/traefik/providers/overview/#provider-namespace + # middlewares: + # - namespace-name1@kubernetescrd + # - namespace-name2@kubernetescrd + middlewares: [] + metrics: +- # When using hostNetwork, use another port to avoid conflict with node exporter: ++ # -- When using hostNetwork, use another port to avoid conflict with node exporter: + # https://github.com/prometheus/prometheus/wiki/Default-port-allocations + port: 9100 + # hostPort: 9100 + # Defines whether the port is exposed if service.type is LoadBalancer or + # NodePort. + # +- # You may not want to expose the metrics port on production deployments. ++ # -- You may not want to expose the metrics port on production deployments. + # If you want to access it from outside of your cluster, + # use `kubectl port-forward` or create a secure ingress + expose: false +- # The exposed port for this service ++ # -- The exposed port for this service + exposedPort: 9100 +- # The port protocol (TCP/UDP) ++ # -- The port protocol (TCP/UDP) + protocol: TCP + +-# TLS Options are created as TLSOption CRDs ++# -- TLS Options are created as TLSOption CRDs + # https://doc.traefik.io/traefik/https/tls/#tls-options + # When using `labelSelector`, you'll need to set labels on tlsOption accordingly. + # Example: +@@ -684,7 +690,7 @@ ports: + # - CurveP384 + tlsOptions: {} + +-# TLS Store are created as TLSStore CRDs. This is useful if you want to set a default certificate ++# -- TLS Store are created as TLSStore CRDs. This is useful if you want to set a default certificate + # https://doc.traefik.io/traefik/https/tls/#default-certificate + # Example: + # tlsStore: +@@ -693,24 +699,22 @@ tlsOptions: {} + # secretName: tls-cert + tlsStore: {} + +-# Options for the main traefik service, where the entrypoints traffic comes +-# from. + service: + enabled: true +- ## Single service is using `MixedProtocolLBService` feature gate. +- ## When set to false, it will create two Service, one for TCP and one for UDP. ++ ## -- Single service is using `MixedProtocolLBService` feature gate. ++ ## -- When set to false, it will create two Service, one for TCP and one for UDP. + single: true + type: LoadBalancer +- # Additional annotations applied to both TCP and UDP services (e.g. for cloud provider specific config) ++ # -- Additional annotations applied to both TCP and UDP services (e.g. for cloud provider specific config) + annotations: {} +- # Additional annotations for TCP service only ++ # -- Additional annotations for TCP service only + annotationsTCP: {} +- # Additional annotations for UDP service only ++ # -- Additional annotations for UDP service only + annotationsUDP: {} +- # Additional service labels (e.g. for filtering Service by custom labels) ++ # -- Additional service labels (e.g. for filtering Service by custom labels) + labels: {} +- # Additional entries here will be added to the service spec. +- # Cannot contain type, selector or ports entries. ++ # -- Additional entries here will be added to the service spec. ++ # -- Cannot contain type, selector or ports entries. + spec: {} + # externalTrafficPolicy: Cluster + # loadBalancerIP: "1.2.3.4" +@@ -718,6 +722,8 @@ service: + loadBalancerSourceRanges: [] + # - 192.168.0.1/32 + # - 172.16.0.0/16 ++ ## -- Class of the load balancer implementation ++ # loadBalancerClass: service.k8s.aws/nlb + externalIPs: [] + # - 1.2.3.4 + ## One of SingleStack, PreferDualStack, or RequireDualStack. +@@ -728,7 +734,7 @@ service: + # - IPv4 + # - IPv6 + ## +- ## An additionnal and optional internal Service. ++ ## -- An additionnal and optional internal Service. + ## Same parameters as external Service + # internal: + # type: ClusterIP +@@ -739,9 +745,8 @@ service: + # # externalIPs: [] + # # ipFamilies: [ "IPv4","IPv6" ] + +-## Create HorizontalPodAutoscaler object. +-## + autoscaling: ++ # -- Create HorizontalPodAutoscaler object. + enabled: false + # minReplicas: 1 + # maxReplicas: 10 +@@ -766,10 +771,10 @@ autoscaling: + # value: 1 + # periodSeconds: 60 + +-# Enable persistence using Persistent Volume Claims +-# ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ +-# It can be used to store TLS certificates, see `storage` in certResolvers + persistence: ++ # -- Enable persistence using Persistent Volume Claims ++ # ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ ++ # It can be used to store TLS certificates, see `storage` in certResolvers + enabled: false + name: data + # existingClaim: "" +@@ -779,8 +784,10 @@ persistence: + # volumeName: "" + path: /data + annotations: {} +- # subPath: "" # only mount a subpath of the Volume into the pod ++ # -- Only mount a subpath of the Volume into the pod ++ # subPath: "" + ++# -- Certificates resolvers configuration + certResolvers: {} + # letsencrypt: + # # for challenge options cf. https://doc.traefik.io/traefik/https/acme/ +@@ -802,13 +809,13 @@ certResolvers: {} + # # It has to match the path with a persistent volume + # storage: /data/acme.json + +-# If hostNetwork is true, runs traefik in the host network namespace ++# -- If hostNetwork is true, runs traefik in the host network namespace + # To prevent unschedulabel pods due to port collisions, if hostNetwork=true + # and replicas>1, a pod anti-affinity is recommended and will be set if the + # affinity is left as default. + hostNetwork: false + +-# Whether Role Based Access Control objects like roles and rolebindings should be created ++# -- Whether Role Based Access Control objects like roles and rolebindings should be created + rbac: + enabled: true + # If set to false, installs ClusterRole and ClusterRoleBinding so Traefik can be used across namespaces. +@@ -818,19 +825,20 @@ rbac: + # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles + # aggregateTo: [ "admin" ] + +-# Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding ++# -- Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding + podSecurityPolicy: + enabled: false + +-# The service account the pods will use to interact with the Kubernetes API ++# -- The service account the pods will use to interact with the Kubernetes API + serviceAccount: + # If set, an existing service account is used + # If not set, a service account is created automatically using the fullname template + name: "" + +-# Additional serviceAccount annotations (e.g. for oidc authentication) ++# -- Additional serviceAccount annotations (e.g. for oidc authentication) + serviceAccountAnnotations: {} + ++# -- The resources parameter defines CPU and memory requirements and limits for Traefik's containers. + resources: {} + # requests: + # cpu: "100m" +@@ -839,8 +847,8 @@ resources: {} + # cpu: "300m" + # memory: "150Mi" + +-# This example pod anti-affinity forces the scheduler to put traefik pods +-# on nodes where no other traefik pods are scheduled. ++# -- This example pod anti-affinity forces the scheduler to put traefik pods ++# -- on nodes where no other traefik pods are scheduled. + # It should be used when hostNetwork: true to prevent port conflicts + affinity: {} + # podAntiAffinity: +@@ -851,11 +859,15 @@ affinity: {} + # app.kubernetes.io/instance: '{{ .Release.Name }}-{{ .Release.Namespace }}' + # topologyKey: kubernetes.io/hostname + ++# -- nodeSelector is the simplest recommended form of node selection constraint. + nodeSelector: {} ++# -- Tolerations allow the scheduler to schedule pods with matching taints. + tolerations: [] ++# -- You can use topology spread constraints to control ++# how Pods are spread across your cluster among failure-domains. + topologySpreadConstraints: [] +-# # This example topologySpreadConstraints forces the scheduler to put traefik pods +-# # on nodes where no other traefik pods are scheduled. ++# This example topologySpreadConstraints forces the scheduler to put traefik pods ++# on nodes where no other traefik pods are scheduled. + # - labelSelector: + # matchLabels: + # app: '{{ template "traefik.name" . }}' +@@ -863,29 +875,33 @@ topologySpreadConstraints: [] + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + +-# Pods can have priority. +-# Priority indicates the importance of a Pod relative to other Pods. ++# -- Pods can have priority. ++# -- Priority indicates the importance of a Pod relative to other Pods. + priorityClassName: "" + +-# Set the container security context +-# To run the container with ports below 1024 this will need to be adjust to run as root ++# -- Set the container security context ++# -- To run the container with ports below 1024 this will need to be adjust to run as root + securityContext: + capabilities: + drop: [ALL] + readOnlyRootFilesystem: true + + podSecurityContext: +-# # /!\ When setting fsGroup, Kubernetes will recursively changes ownership and +-# # permissions for the contents of each volume to match the fsGroup. This can +-# # be an issue when storing sensitive content like TLS Certificates /!\ +-# fsGroup: 65532 ++ # /!\ When setting fsGroup, Kubernetes will recursively changes ownership and ++ # permissions for the contents of each volume to match the fsGroup. This can ++ # be an issue when storing sensitive content like TLS Certificates /!\ ++ # fsGroup: 65532 ++ # -- Specifies the policy for changing ownership and permissions of volume contents to match the fsGroup. + fsGroupChangePolicy: "OnRootMismatch" ++ # -- The ID of the group for all containers in the pod to run as. + runAsGroup: 65532 ++ # -- Specifies whether the containers should run as a non-root user. + runAsNonRoot: true ++ # -- The ID of the user for all containers in the pod to run as. + runAsUser: 65532 + + # +-# Extra objects to deploy (value evaluated as a template) ++# -- Extra objects to deploy (value evaluated as a template) + # + # In some cases, it can avoid the need for additional, extended or adhoc deployments. + # See #595 for more details and traefik/tests/values/extra.yaml for example. +@@ -895,5 +911,5 @@ extraObjects: [] + # It will not affect optional CRDs such as `ServiceMonitor` and `PrometheusRules` + # namespaceOverride: traefik + # +-## This will override the default app.kubernetes.io/instance label for all Objects. ++## -- This will override the default app.kubernetes.io/instance label for all Objects. + # instanceLabelOverride: traefik +``` + +## 23.0.1 ![AppVersion: v2.10.1](https://img.shields.io/static/v1?label=AppVersion&message=v2.10.1&color=success&logo=) ![Kubernetes: >=1.16.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.16.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2023-04-28 + +* fix: ⬆️ Upgrade traefik Docker tag to v2.10.1 + + +## 23.0.0 ![AppVersion: v2.10.0](https://img.shields.io/static/v1?label=AppVersion&message=v2.10.0&color=success&logo=) ![Kubernetes: >=1.16.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.16.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2023-04-26 + +* BREAKING CHANGE: Traefik 2.10 comes with CRDs update on API Group + + +## 22.3.0 ![AppVersion: v2.10.0](https://img.shields.io/static/v1?label=AppVersion&message=v2.10.0&color=success&logo=) ![Kubernetes: >=1.16.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.16.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2023-04-25 + +* ⬆️ Upgrade traefik Docker tag to v2.10.0 +* fix: 🐛 update rbac for both traefik.io and containo.us apigroups (#836) +* breaking: 💥 update CRDs needed for Traefik v2.10 + + +## 22.2.0 ![AppVersion: v2.9.10](https://img.shields.io/static/v1?label=AppVersion&message=v2.9.10&color=success&logo=) ![Kubernetes: >=1.16.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.16.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2023-04-24 + +* test: 👷 Update unit tests tooling +* fix: 🐛 annotations leaking between aliased subcharts +* fix: indentation on `TLSOption` +* feat: override container port +* feat: allow to set dnsConfig on pod template +* chore: 🔧 new release +* added targetPort support + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 9ece303..71273cc 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -82,6 +82,16 @@ deployment: + shareProcessNamespace: false + # Custom pod DNS policy. Apply if `hostNetwork: true` + # dnsPolicy: ClusterFirstWithHostNet ++ dnsConfig: {} ++ # nameservers: ++ # - 192.0.2.1 # this is an example ++ # searches: ++ # - ns1.svc.cluster-domain.example ++ # - my.dns.search.suffix ++ # options: ++ # - name: ndots ++ # value: "2" ++ # - name: edns0 + # Additional imagePullSecrets + imagePullSecrets: [] + # - name: myRegistryKeySecretName +@@ -561,8 +571,11 @@ ports: + # asDefault: true + port: 8000 + # hostPort: 8000 ++ # containerPort: 8000 + expose: true + exposedPort: 80 ++ ## Different target traefik port on the cluster, useful for IP type LB ++ # targetPort: 80 + # The port protocol (TCP/UDP) + protocol: TCP + # Use nodeport if set. This is useful if you have configured Traefik in a +@@ -587,8 +600,11 @@ ports: + # asDefault: true + port: 8443 + # hostPort: 8443 ++ # containerPort: 8443 + expose: true + exposedPort: 443 ++ ## Different target traefik port on the cluster, useful for IP type LB ++ # targetPort: 80 + ## The port protocol (TCP/UDP) + protocol: TCP + # nodePort: 32443 +``` + +## 22.1.0 ![AppVersion: v2.9.10](https://img.shields.io/static/v1?label=AppVersion&message=v2.9.10&color=success&logo=) ![Kubernetes: >=1.16.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.16.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2023-04-07 + +* ⬆️ Upgrade traefik Docker tag to v2.9.10 +* feat: add additional labels to tlsoption + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 4762b77..9ece303 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -654,12 +654,15 @@ ports: + + # TLS Options are created as TLSOption CRDs + # https://doc.traefik.io/traefik/https/tls/#tls-options ++# When using `labelSelector`, you'll need to set labels on tlsOption accordingly. + # Example: + # tlsOptions: + # default: ++# labels: {} + # sniStrict: true + # preferServerCipherSuites: true +-# foobar: ++# customOptions: ++# labels: {} + # curvePreferences: + # - CurveP521 + # - CurveP384 +``` + +## 22.0.0 ![AppVersion: v2.9.9](https://img.shields.io/static/v1?label=AppVersion&message=v2.9.9&color=success&logo=) ![Kubernetes: >=1.16.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.16.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2023-03-29 + +* BREAKING CHANGE: `image.repository` introduction may break during the upgrade. See PR #802. + + +## 21.2.1 ![AppVersion: v2.9.9](https://img.shields.io/static/v1?label=AppVersion&message=v2.9.9&color=success&logo=) ![Kubernetes: >=1.16.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.16.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2023-03-28 + +* 🎨 Introduce `image.registry` and add explicit default (it may impact custom `image.repository`) +* ⬆️ Upgrade traefik Docker tag to v2.9.9 +* :memo: Clarify the need of an initContainer when enabling persistence for TLS Certificates + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index cadc7a6..4762b77 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -1,5 +1,6 @@ + # Default values for Traefik + image: ++ registry: docker.io + repository: traefik + # defaults to appVersion + tag: "" +@@ -66,10 +67,14 @@ deployment: + # Additional initContainers (e.g. for setting file permission as shown below) + initContainers: [] + # The "volume-permissions" init container is required if you run into permission issues. +- # Related issue: https://github.com/traefik/traefik/issues/6825 ++ # Related issue: https://github.com/traefik/traefik-helm-chart/issues/396 + # - name: volume-permissions +- # image: busybox:1.35 +- # command: ["sh", "-c", "touch /data/acme.json && chmod -Rv 600 /data/* && chown 65532:65532 /data/acme.json"] ++ # image: busybox:latest ++ # command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"] ++ # securityContext: ++ # runAsNonRoot: true ++ # runAsGroup: 65532 ++ # runAsUser: 65532 + # volumeMounts: + # - name: data + # mountPath: /data +@@ -849,13 +854,17 @@ securityContext: + capabilities: + drop: [ALL] + readOnlyRootFilesystem: true ++ ++podSecurityContext: ++# # /!\ When setting fsGroup, Kubernetes will recursively changes ownership and ++# # permissions for the contents of each volume to match the fsGroup. This can ++# # be an issue when storing sensitive content like TLS Certificates /!\ ++# fsGroup: 65532 ++ fsGroupChangePolicy: "OnRootMismatch" + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + +-podSecurityContext: +- fsGroup: 65532 +- + # + # Extra objects to deploy (value evaluated as a template) + # +``` + +## 21.2.0 ![AppVersion: v2.9.8](https://img.shields.io/static/v1?label=AppVersion&message=v2.9.8&color=success&logo=) ![Kubernetes: >=1.16.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.16.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2023-03-08 + +* 🚨 Fail when enabling PSP on Kubernetes v1.25+ (#801) +* ⬆️ Upgrade traefik Docker tag to v2.9.8 +* Separate UDP hostPort for HTTP/3 +* :sparkles: release 21.2.0 (#805) + + +## 21.1.0 ![AppVersion: v2.9.7](https://img.shields.io/static/v1?label=AppVersion&message=v2.9.7&color=success&logo=) ![Kubernetes: >=1.16.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.16.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2023-02-15 + +* ⬆️ Upgrade traefik Docker tag to v2.9.7 +* ✨ release 21.1.0 +* fix: traefik image name for renovate +* feat: Add volumeName to PersistentVolumeClaim (#792) +* Allow setting TLS options on dashboard IngressRoute + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 780b04b..cadc7a6 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -142,6 +142,8 @@ ingressRoute: + entryPoints: ["traefik"] + # Additional ingressRoute middlewares (e.g. for authentication) + middlewares: [] ++ # TLS options (e.g. secret containing certificate) ++ tls: {} + + # Customize updateStrategy of traefik pods + updateStrategy: +@@ -750,6 +752,7 @@ persistence: + accessMode: ReadWriteOnce + size: 128Mi + # storageClass: "" ++ # volumeName: "" + path: /data + annotations: {} + # subPath: "" # only mount a subpath of the Volume into the pod +``` + +## 21.0.0 ![AppVersion: v2.9.6](https://img.shields.io/static/v1?label=AppVersion&message=v2.9.6&color=success&logo=) ![Kubernetes: >=1.16.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.16.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2023-02-10 + +* 🙈 Add a setting disable API check on Prometheus Operator (#769) +* 📝 Improve documentation on entrypoint options +* 💥 New release with BREAKING changes (#786) +* ✨ Chart.yaml - add kubeVersion: ">=1.16.0-0" +* fix: allowExternalNameServices for kubernetes ingress when hub enabled (#772) +* fix(service-metrics): invert prometheus svc & fullname length checking +* Configure Renovate (#783) +* :necktie: Improve labels settings behavior on metrics providers (#774) +* :bug: Disabling dashboard ingressroute should delete it (#785) +* :boom: Rename image.name => image.repository (#784) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 42a27f9..780b04b 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -1,6 +1,6 @@ + # Default values for Traefik + image: +- name: traefik ++ repository: traefik + # defaults to appVersion + tag: "" + pullPolicy: IfNotPresent +@@ -396,6 +396,8 @@ metrics: + # enabled: false + # labels: {} + # annotations: {} ++ ## When set to true, it won't check if Prometheus Operator CRDs are deployed ++ # disableAPICheck: false + # serviceMonitor: + # metricRelabelings: [] + # - sourceLabels: [__name__] +@@ -580,7 +582,7 @@ ports: + # hostPort: 8443 + expose: true + exposedPort: 443 +- # The port protocol (TCP/UDP) ++ ## The port protocol (TCP/UDP) + protocol: TCP + # nodePort: 32443 + # +@@ -594,6 +596,16 @@ ports: + enabled: false + # advertisedPort: 4443 + # ++ ## Trust forwarded headers information (X-Forwarded-*). ++ #forwardedHeaders: ++ # trustedIPs: [] ++ # insecure: false ++ # ++ ## Enable the Proxy Protocol header parsing for the entry point ++ #proxyProtocol: ++ # trustedIPs: [] ++ # insecure: false ++ # + ## Set TLS at the entrypoint + ## https://doc.traefik.io/traefik/routing/entrypoints/#tls + tls: +@@ -607,16 +619,6 @@ ports: + # - foo.example.com + # - bar.example.com + # +- # Trust forwarded headers information (X-Forwarded-*). +- # forwardedHeaders: +- # trustedIPs: [] +- # insecure: false +- # +- # Enable the Proxy Protocol header parsing for the entry point +- # proxyProtocol: +- # trustedIPs: [] +- # insecure: false +- # + # One can apply Middlewares on an entrypoint + # https://doc.traefik.io/traefik/middlewares/overview/ + # https://doc.traefik.io/traefik/routing/entrypoints/#middlewares +``` + +## 20.8.0 ![AppVersion: v2.9.6](https://img.shields.io/static/v1?label=AppVersion&message=v2.9.6&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-12-09 + +* ✨ update chart to version 20.8.0 +* ✨ add support for default entrypoints +* ✨ add support for OpenTelemetry and Traefik v3 + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index b77539d..42a27f9 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -107,6 +107,8 @@ ingressClass: + + # Enable experimental features + experimental: ++ v3: ++ enabled: false + plugins: + enabled: false + kubernetesGateway: +@@ -347,7 +349,43 @@ metrics: + # # addRoutersLabels: true + # ## Enable metrics on services. Default=true + # # addServicesLabels: false +- ++# openTelemetry: ++# ## Address of the OpenTelemetry Collector to send metrics to. ++# address: "localhost:4318" ++# ## Enable metrics on entry points. ++# addEntryPointsLabels: true ++# ## Enable metrics on routers. ++# addRoutersLabels: true ++# ## Enable metrics on services. ++# addServicesLabels: true ++# ## Explicit boundaries for Histogram data points. ++# explicitBoundaries: ++# - "0.1" ++# - "0.3" ++# - "1.2" ++# - "5.0" ++# ## Additional headers sent with metrics by the reporter to the OpenTelemetry Collector. ++# headers: ++# foo: bar ++# test: test ++# ## Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol. ++# insecure: true ++# ## Interval at which metrics are sent to the OpenTelemetry Collector. ++# pushInterval: 10s ++# ## Allows to override the default URL path used for sending metrics. This option has no effect when using gRPC transport. ++# path: /foo/v1/traces ++# ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector. ++# tls: ++# ## The path to the certificate authority, it defaults to the system bundle. ++# ca: path/to/ca.crt ++# ## The path to the public certificate. When using this option, setting the key option is required. ++# cert: path/to/foo.cert ++# ## The path to the private key. When using this option, setting the cert option is required. ++# key: path/to/key.key ++# ## If set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. ++# insecureSkipVerify: true ++# ## This instructs the reporter to send metrics to the OpenTelemetry Collector using gRPC. ++# grpc: true + + ## + ## enable optional CRDs for Prometheus Operator +@@ -510,6 +548,8 @@ ports: + # The port protocol (TCP/UDP) + protocol: TCP + web: ++ ## Enable this entrypoint as a default entrypoint. When a service doesn't explicity set an entrypoint it will only use this entrypoint. ++ # asDefault: true + port: 8000 + # hostPort: 8000 + expose: true +@@ -534,6 +574,8 @@ ports: + # trustedIPs: [] + # insecure: false + websecure: ++ ## Enable this entrypoint as a default entrypoint. When a service doesn't explicity set an entrypoint it will only use this entrypoint. ++ # asDefault: true + port: 8443 + # hostPort: 8443 + expose: true +``` + +## 20.7.0 ![AppVersion: v2.9.6](https://img.shields.io/static/v1?label=AppVersion&message=v2.9.6&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-12-08 + +* 🐛 Don't fail when prometheus is disabled (#756) +* ⬆️ Update default Traefik release to v2.9.6 (#758) +* ✨ support for Gateway annotations +* add keywords [networking], for artifacthub category quering +* :bug: Fix typo on bufferingSize for access logs (#753) +* :adhesive_bandage: Add quotes for artifacthub changelog parsing (#748) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 4f2fb2a..b77539d 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -120,6 +120,9 @@ experimental: + # By default, Gateway would be created to the Namespace you are deploying Traefik to. + # You may create that Gateway in another namespace, setting its name below: + # namespace: default ++ # Additional gateway annotations (e.g. for cert-manager.io/issuer) ++ # annotations: ++ # cert-manager.io/issuer: letsencrypt + + # Create an IngressRoute for the dashboard + ingressRoute: +@@ -219,7 +222,8 @@ logs: + # By default, the logs use a text format (common), but you can + # also ask for the json format in the format option + # format: json +- # By default, the level is set to ERROR. Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO. ++ # By default, the level is set to ERROR. ++ # Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO. + level: ERROR + access: + # To enable access logs +``` + +## 20.6.0 ![AppVersion: v2.9.5](https://img.shields.io/static/v1?label=AppVersion&message=v2.9.5&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-11-30 + +* 🔍️ Add filePath support on access logs (#747) +* :memo: Improve documentation on using PVC with TLS certificates +* :bug: Add missing scheme in help on Traefik Hub integration (#746) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 15f1682..4f2fb2a 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -211,10 +211,10 @@ additionalVolumeMounts: [] + # - name: traefik-logs + # mountPath: /var/log/traefik + +-# Logs +-# https://docs.traefik.io/observability/logs/ ++## Logs ++## https://docs.traefik.io/observability/logs/ + logs: +- # Traefik logs concern everything that happens to Traefik itself (startup, configuration, events, shutdown, and so on). ++ ## Traefik logs concern everything that happens to Traefik itself (startup, configuration, events, shutdown, and so on). + general: + # By default, the logs use a text format (common), but you can + # also ask for the json format in the format option +@@ -224,31 +224,32 @@ logs: + access: + # To enable access logs + enabled: false +- # By default, logs are written using the Common Log Format (CLF). +- # To write logs in JSON, use json in the format option. +- # If the given format is unsupported, the default (CLF) is used instead. ++ ## By default, logs are written using the Common Log Format (CLF) on stdout. ++ ## To write logs in JSON, use json in the format option. ++ ## If the given format is unsupported, the default (CLF) is used instead. + # format: json +- # To write the logs in an asynchronous fashion, specify a bufferingSize option. +- # This option represents the number of log lines Traefik will keep in memory before writing +- # them to the selected output. In some cases, this option can greatly help performances. ++ # filePath: "/var/log/traefik/access.log ++ ## To write the logs in an asynchronous fashion, specify a bufferingSize option. ++ ## This option represents the number of log lines Traefik will keep in memory before writing ++ ## them to the selected output. In some cases, this option can greatly help performances. + # bufferingSize: 100 +- # Filtering https://docs.traefik.io/observability/access-logs/#filtering ++ ## Filtering https://docs.traefik.io/observability/access-logs/#filtering + filters: {} + # statuscodes: "200,300-302" + # retryattempts: true + # minduration: 10ms +- # Fields +- # https://docs.traefik.io/observability/access-logs/#limiting-the-fieldsincluding-headers ++ ## Fields ++ ## https://docs.traefik.io/observability/access-logs/#limiting-the-fieldsincluding-headers + fields: + general: + defaultmode: keep + names: {} +- # Examples: ++ ## Examples: + # ClientUsername: drop + headers: + defaultmode: drop + names: {} +- # Examples: ++ ## Examples: + # User-Agent: redact + # Authorization: drop + # Content-Type: keep +@@ -693,10 +694,7 @@ autoscaling: + + # Enable persistence using Persistent Volume Claims + # ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ +-# After the pvc has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg: +-# additionalArguments: +-# - "--certificatesresolvers.le.acme.storage=/data/acme.json" +-# It will persist TLS certificates. ++# It can be used to store TLS certificates, see `storage` in certResolvers + persistence: + enabled: false + name: data +@@ -726,7 +724,7 @@ certResolvers: {} + # tlsChallenge: true + # httpChallenge: + # entryPoint: "web" +-# # match the path to persistence ++# # It has to match the path with a persistent volume + # storage: /data/acme.json + + # If hostNetwork is true, runs traefik in the host network namespace +``` + +## 20.5.3 ![AppVersion: v2.9.5](https://img.shields.io/static/v1?label=AppVersion&message=v2.9.5&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-11-25 + +* 🐛 Fix template issue with obsolete helm version + add helm version requirement (#743) + + +## 20.5.2 ![AppVersion: v2.9.5](https://img.shields.io/static/v1?label=AppVersion&message=v2.9.5&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-11-24 + +* ⬆️Update Traefik to v2.9.5 (#740) + + +## 20.5.1 ![AppVersion: v2.9.4](https://img.shields.io/static/v1?label=AppVersion&message=v2.9.4&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-11-23 + +* 🐛 Fix namespaceSelector on ServiceMonitor (#737) + + +## 20.5.0 ![AppVersion: v2.9.4](https://img.shields.io/static/v1?label=AppVersion&message=v2.9.4&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-11-23 + +* 🚀 Add complete support on metrics options (#735) +* 🐛 make tests use fixed version + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index e49d02d..15f1682 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -12,7 +12,7 @@ hub: + ## Enabling Hub will: + # * enable Traefik Hub integration on Traefik + # * add `traefikhub-tunl` endpoint +- # * enable addRoutersLabels on prometheus metrics ++ # * enable Prometheus metrics with addRoutersLabels + # * enable allowExternalNameServices on KubernetesIngress provider + # * enable allowCrossNamespace on KubernetesCRD provider + # * add an internal (ClusterIP) Service, dedicated for Traefik Hub +@@ -254,16 +254,96 @@ logs: + # Content-Type: keep + + metrics: +- # datadog: +- # address: 127.0.0.1:8125 +- # influxdb: +- # address: localhost:8089 +- # protocol: udp ++ ## Prometheus is enabled by default. ++ ## It can be disabled by setting "prometheus: null" + prometheus: ++ ## Entry point used to expose metrics. + entryPoint: metrics +- # addRoutersLabels: true +- # statsd: +- # address: localhost:8125 ++ ## Enable metrics on entry points. Default=true ++ # addEntryPointsLabels: false ++ ## Enable metrics on routers. Default=false ++ # addRoutersLabels: true ++ ## Enable metrics on services. Default=true ++ # addServicesLabels: false ++ ## Buckets for latency metrics. Default="0.1,0.3,1.2,5.0" ++ # buckets: "0.5,1.0,2.5" ++ ## When manualRouting is true, it disables the default internal router in ++ ## order to allow creating a custom router for prometheus@internal service. ++ # manualRouting: true ++# datadog: ++# ## Address instructs exporter to send metrics to datadog-agent at this address. ++# address: "127.0.0.1:8125" ++# ## The interval used by the exporter to push metrics to datadog-agent. Default=10s ++# # pushInterval: 30s ++# ## The prefix to use for metrics collection. Default="traefik" ++# # prefix: traefik ++# ## Enable metrics on entry points. Default=true ++# # addEntryPointsLabels: false ++# ## Enable metrics on routers. Default=false ++# # addRoutersLabels: true ++# ## Enable metrics on services. Default=true ++# # addServicesLabels: false ++# influxdb: ++# ## Address instructs exporter to send metrics to influxdb at this address. ++# address: localhost:8089 ++# ## InfluxDB's address protocol (udp or http). Default="udp" ++# protocol: udp ++# ## InfluxDB database used when protocol is http. Default="" ++# # database: "" ++# ## InfluxDB retention policy used when protocol is http. Default="" ++# # retentionPolicy: "" ++# ## InfluxDB username (only with http). Default="" ++# # username: "" ++# ## InfluxDB password (only with http). Default="" ++# # password: "" ++# ## The interval used by the exporter to push metrics to influxdb. Default=10s ++# # pushInterval: 30s ++# ## Additional labels (influxdb tags) on all metrics. ++# # additionalLabels: ++# # env: production ++# # foo: bar ++# ## Enable metrics on entry points. Default=true ++# # addEntryPointsLabels: false ++# ## Enable metrics on routers. Default=false ++# # addRoutersLabels: true ++# ## Enable metrics on services. Default=true ++# # addServicesLabels: false ++# influxdb2: ++# ## Address instructs exporter to send metrics to influxdb v2 at this address. ++# address: localhost:8086 ++# ## Token with which to connect to InfluxDB v2. ++# token: xxx ++# ## Organisation where metrics will be stored. ++# org: "" ++# ## Bucket where metrics will be stored. ++# bucket: "" ++# ## The interval used by the exporter to push metrics to influxdb. Default=10s ++# # pushInterval: 30s ++# ## Additional labels (influxdb tags) on all metrics. ++# # additionalLabels: ++# # env: production ++# # foo: bar ++# ## Enable metrics on entry points. Default=true ++# # addEntryPointsLabels: false ++# ## Enable metrics on routers. Default=false ++# # addRoutersLabels: true ++# ## Enable metrics on services. Default=true ++# # addServicesLabels: false ++# statsd: ++# ## Address instructs exporter to send metrics to statsd at this address. ++# address: localhost:8125 ++# ## The interval used by the exporter to push metrics to influxdb. Default=10s ++# # pushInterval: 30s ++# ## The prefix to use for metrics collection. Default="traefik" ++# # prefix: traefik ++# ## Enable metrics on entry points. Default=true ++# # addEntryPointsLabels: false ++# ## Enable metrics on routers. Default=false ++# # addRoutersLabels: true ++# ## Enable metrics on services. Default=true ++# # addServicesLabels: false ++ ++ + ## + ## enable optional CRDs for Prometheus Operator + ## +``` + +## 20.4.1 ![AppVersion: v2.9.4](https://img.shields.io/static/v1?label=AppVersion&message=v2.9.4&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-11-21 + +* 🐛 fix namespace references to support namespaceOverride + + +## 20.4.0 ![AppVersion: v2.9.4](https://img.shields.io/static/v1?label=AppVersion&message=v2.9.4&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-11-21 + +* Add (optional) dedicated metrics service (#727) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index ca15f6a..e49d02d 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -267,6 +267,12 @@ metrics: + ## + ## enable optional CRDs for Prometheus Operator + ## ++ ## Create a dedicated metrics service for use with ServiceMonitor ++ ## When hub.enabled is set to true, it's not needed: it will use hub service. ++ # service: ++ # enabled: false ++ # labels: {} ++ # annotations: {} + # serviceMonitor: + # metricRelabelings: [] + # - sourceLabels: [__name__] +``` + +## 20.3.1 ![AppVersion: v2.9.4](https://img.shields.io/static/v1?label=AppVersion&message=v2.9.4&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-11-21 + +* 🐛 Fix namespace override which was missing on `ServiceAccount` (#731) + + +## 20.3.0 ![AppVersion: v2.9.4](https://img.shields.io/static/v1?label=AppVersion&message=v2.9.4&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-11-17 + +* Add overwrite option for instance label value (#725) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index c7f84a7..ca15f6a 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -731,3 +731,6 @@ extraObjects: [] + # This will override the default Release Namespace for Helm. + # It will not affect optional CRDs such as `ServiceMonitor` and `PrometheusRules` + # namespaceOverride: traefik ++# ++## This will override the default app.kubernetes.io/instance label for all Objects. ++# instanceLabelOverride: traefik +``` + +## 20.2.1 ![AppVersion: v2.9.4](https://img.shields.io/static/v1?label=AppVersion&message=v2.9.4&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-11-17 + +* 🙈 do not namespace ingress class (#723) +* ✨ copy LICENSE and README.md on release + + +## 20.2.0 ![AppVersion: v2.9.4](https://img.shields.io/static/v1?label=AppVersion&message=v2.9.4&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-11-15 + +* ✨ add support for namespace overrides (#718) +* Document recent changes in the README (#717) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 97a1b71..c7f84a7 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -725,5 +725,9 @@ podSecurityContext: + # Extra objects to deploy (value evaluated as a template) + # + # In some cases, it can avoid the need for additional, extended or adhoc deployments. +-# See #595 for more details and traefik/tests/extra.yaml for example. ++# See #595 for more details and traefik/tests/values/extra.yaml for example. + extraObjects: [] ++ ++# This will override the default Release Namespace for Helm. ++# It will not affect optional CRDs such as `ServiceMonitor` and `PrometheusRules` ++# namespaceOverride: traefik +``` + +## 20.1.1 ![AppVersion: v2.9.4](https://img.shields.io/static/v1?label=AppVersion&message=v2.9.4&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-11-10 + +* fix: use consistent appVersion with Traefik Proxy + + +## 20.1.0 ![AppVersion: 2.9.4](https://img.shields.io/static/v1?label=AppVersion&message=2.9.4&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-11-09 + +* 🔧 Adds more settings for dashboard ingressRoute (#710) +* 🐛 fix chart releases + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 2ec3736..97a1b71 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -129,10 +129,14 @@ ingressRoute: + annotations: {} + # Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels) + labels: {} ++ # The router match rule used for the dashboard ingressRoute ++ matchRule: PathPrefix(`/dashboard`) || PathPrefix(`/api`) + # Specify the allowed entrypoints to use for the dashboard ingress route, (e.g. traefik, web, websecure). + # By default, it's using traefik entrypoint, which is not exposed. + # /!\ Do not expose your dashboard without any protection over the internet /!\ + entryPoints: ["traefik"] ++ # Additional ingressRoute middlewares (e.g. for authentication) ++ middlewares: [] + + # Customize updateStrategy of traefik pods + updateStrategy: +``` + +## 20.0.0 ![AppVersion: 2.9.4](https://img.shields.io/static/v1?label=AppVersion&message=2.9.4&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-11-08 + +* 🐛 remove old deployment workflow +* ✨ migrate to centralised helm repository +* Allow updateStrategy to be configurable + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 413aa88..2ec3736 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -134,9 +134,12 @@ ingressRoute: + # /!\ Do not expose your dashboard without any protection over the internet /!\ + entryPoints: ["traefik"] + +-rollingUpdate: +- maxUnavailable: 0 +- maxSurge: 1 ++# Customize updateStrategy of traefik pods ++updateStrategy: ++ type: RollingUpdate ++ rollingUpdate: ++ maxUnavailable: 0 ++ maxSurge: 1 + + # Customize liveness and readiness probe values. + readinessProbe: +``` + +## 19.0.4 ![AppVersion: 2.9.4](https://img.shields.io/static/v1?label=AppVersion&message=2.9.4&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-11-08 + +* 🔧 Adds more settings & rename (wrong) scrapeInterval to (valid) interval on ServiceMonitor (#703) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index b24c1cb..413aa88 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -261,10 +261,6 @@ metrics: + ## enable optional CRDs for Prometheus Operator + ## + # serviceMonitor: +- # additionalLabels: +- # foo: bar +- # namespace: "another-namespace" +- # namespaceSelector: {} + # metricRelabelings: [] + # - sourceLabels: [__name__] + # separator: ; +@@ -279,9 +275,17 @@ metrics: + # replacement: $1 + # action: replace + # jobLabel: traefik +- # scrapeInterval: 30s +- # scrapeTimeout: 5s ++ # interval: 30s + # honorLabels: true ++ # # (Optional) ++ # # scrapeTimeout: 5s ++ # # honorTimestamps: true ++ # # enableHttp2: true ++ # # followRedirects: true ++ # # additionalLabels: ++ # # foo: bar ++ # # namespace: "another-namespace" ++ # # namespaceSelector: {} + # prometheusRule: + # additionalLabels: {} + # namespace: "another-namespace" +``` + +## 19.0.3 ![AppVersion: 2.9.4](https://img.shields.io/static/v1?label=AppVersion&message=2.9.4&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-11-03 + +* 🎨 Don't require exposed Ports when enabling Hub (#700) + + +## 19.0.2 ![AppVersion: 2.9.4](https://img.shields.io/static/v1?label=AppVersion&message=2.9.4&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-11-03 + +* :speech_balloon: Support volume secrets with '.' in name (#695) + + +## 19.0.1 ![AppVersion: 2.9.4](https://img.shields.io/static/v1?label=AppVersion&message=2.9.4&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-11-03 + +* 🐛 Fix IngressClass install on EKS (#699) + + +## 19.0.0 ![AppVersion: 2.9.4](https://img.shields.io/static/v1?label=AppVersion&message=2.9.4&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-11-02 + +* ✨ Provides Default IngressClass for Traefik by default (#693) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 69190f1..b24c1cb 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -100,11 +100,10 @@ podDisruptionBudget: + # minAvailable: 0 + # minAvailable: 25% + +-# Use ingressClass. Ignored if Traefik version < 2.3 / kubernetes < 1.18.x ++# Create a default IngressClass for Traefik + ingressClass: +- # true is not unit-testable yet, pending https://github.com/rancher/helm-unittest/pull/12 +- enabled: false +- isDefaultClass: false ++ enabled: true ++ isDefaultClass: true + + # Enable experimental features + experimental: +``` + +## 18.3.0 ![AppVersion: 2.9.4](https://img.shields.io/static/v1?label=AppVersion&message=2.9.4&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-31 + +* ⬆️ Update Traefik appVersion to 2.9.4 (#696) + + +## 18.2.0 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-31 + +* 🚩 Add an optional "internal" service (#683) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 8033a87..69190f1 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -416,7 +416,7 @@ ports: + # The port protocol (TCP/UDP) + protocol: TCP + # Use nodeport if set. This is useful if you have configured Traefik in a +- # LoadBalancer ++ # LoadBalancer. + # nodePort: 32080 + # Port Redirections + # Added in 2.2, you can make permanent redirects via entrypoints. +@@ -549,13 +549,24 @@ service: + # - 172.16.0.0/16 + externalIPs: [] + # - 1.2.3.4 +- # One of SingleStack, PreferDualStack, or RequireDualStack. ++ ## One of SingleStack, PreferDualStack, or RequireDualStack. + # ipFamilyPolicy: SingleStack +- # List of IP families (e.g. IPv4 and/or IPv6). +- # ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services ++ ## List of IP families (e.g. IPv4 and/or IPv6). ++ ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + # ipFamilies: + # - IPv4 + # - IPv6 ++ ## ++ ## An additionnal and optional internal Service. ++ ## Same parameters as external Service ++ # internal: ++ # type: ClusterIP ++ # # labels: {} ++ # # annotations: {} ++ # # spec: {} ++ # # loadBalancerSourceRanges: [] ++ # # externalIPs: [] ++ # # ipFamilies: [ "IPv4","IPv6" ] + + ## Create HorizontalPodAutoscaler object. + ## +``` + +## 18.1.0 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-27 + +* 🚀 Add native support for Traefik Hub (#676) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index acce704..8033a87 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -5,6 +5,27 @@ image: + tag: "" + pullPolicy: IfNotPresent + ++# ++# Configure integration with Traefik Hub ++# ++hub: ++ ## Enabling Hub will: ++ # * enable Traefik Hub integration on Traefik ++ # * add `traefikhub-tunl` endpoint ++ # * enable addRoutersLabels on prometheus metrics ++ # * enable allowExternalNameServices on KubernetesIngress provider ++ # * enable allowCrossNamespace on KubernetesCRD provider ++ # * add an internal (ClusterIP) Service, dedicated for Traefik Hub ++ enabled: false ++ ## Default port can be changed ++ # tunnelPort: 9901 ++ ## TLS is optional. Insecure is mutually exclusive with any other options ++ # tls: ++ # insecure: false ++ # ca: "/path/to/ca.pem" ++ # cert: "/path/to/cert.pem" ++ # key: "/path/to/key.pem" ++ + # + # Configure the deployment + # +@@ -505,6 +526,8 @@ tlsStore: {} + # from. + service: + enabled: true ++ ## Single service is using `MixedProtocolLBService` feature gate. ++ ## When set to false, it will create two Service, one for TCP and one for UDP. + single: true + type: LoadBalancer + # Additional annotations applied to both TCP and UDP services (e.g. for cloud provider specific config) +``` + +## 18.0.0 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-26 + +* Refactor http3 and merge TCP with UDP ports into a single service (#656) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 807bd09..acce704 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -87,8 +87,6 @@ ingressClass: + + # Enable experimental features + experimental: +- http3: +- enabled: false + plugins: + enabled: false + kubernetesGateway: +@@ -421,12 +419,19 @@ ports: + # The port protocol (TCP/UDP) + protocol: TCP + # nodePort: 32443 +- # Enable HTTP/3. +- # Requires enabling experimental http3 feature and tls. +- # Note that you cannot have a UDP entrypoint with the same port. +- # http3: true +- # Set TLS at the entrypoint +- # https://doc.traefik.io/traefik/routing/entrypoints/#tls ++ # ++ ## Enable HTTP/3 on the entrypoint ++ ## Enabling it will also enable http3 experimental feature ++ ## https://doc.traefik.io/traefik/routing/entrypoints/#http3 ++ ## There are known limitations when trying to listen on same ports for ++ ## TCP & UDP (Http3). There is a workaround in this chart using dual Service. ++ ## https://github.com/kubernetes/kubernetes/issues/47249#issuecomment-587960741 ++ http3: ++ enabled: false ++ # advertisedPort: 4443 ++ # ++ ## Set TLS at the entrypoint ++ ## https://doc.traefik.io/traefik/routing/entrypoints/#tls + tls: + enabled: true + # this is the name of a TLSOption definition +@@ -500,6 +505,7 @@ tlsStore: {} + # from. + service: + enabled: true ++ single: true + type: LoadBalancer + # Additional annotations applied to both TCP and UDP services (e.g. for cloud provider specific config) + annotations: {} +``` + +## 17.0.5 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-21 + +* 📝 Add annotations changelog for artifacthub.io & update Maintainers + + +## 17.0.4 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-21 + +* :art: Add helper function for label selector + + +## 17.0.3 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-20 + +* 🐛 fix changing label selectors + + +## 17.0.2 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-20 + +* fix: setting ports.web.proxyProtocol.insecure=true + + +## 17.0.1 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-20 + +* :bug: Unify all labels selector with traefik chart labels (#681) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 6a90bc6..807bd09 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -639,7 +639,7 @@ affinity: {} + # - labelSelector: + # matchLabels: + # app.kubernetes.io/name: '{{ template "traefik.name" . }}' +-# app.kubernetes.io/instance: '{{ .Release.Name }}' ++# app.kubernetes.io/instance: '{{ .Release.Name }}-{{ .Release.Namespace }}' + # topologyKey: kubernetes.io/hostname + + nodeSelector: {} +``` + +## 17.0.0 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-20 + +* :bug: Fix `ClusterRole`, `ClusterRoleBinding` names and `app.kubernetes.io/instance` label (#662) + + +## 16.2.0 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-20 + +* Add forwardedHeaders and proxyProtocol config (#673) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 9b5afc4..6a90bc6 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -403,6 +403,16 @@ ports: + # Added in 2.2, you can make permanent redirects via entrypoints. + # https://docs.traefik.io/routing/entrypoints/#redirection + # redirectTo: websecure ++ # ++ # Trust forwarded headers information (X-Forwarded-*). ++ # forwardedHeaders: ++ # trustedIPs: [] ++ # insecure: false ++ # ++ # Enable the Proxy Protocol header parsing for the entry point ++ # proxyProtocol: ++ # trustedIPs: [] ++ # insecure: false + websecure: + port: 8443 + # hostPort: 8443 +@@ -428,6 +438,16 @@ ports: + # - foo.example.com + # - bar.example.com + # ++ # Trust forwarded headers information (X-Forwarded-*). ++ # forwardedHeaders: ++ # trustedIPs: [] ++ # insecure: false ++ # ++ # Enable the Proxy Protocol header parsing for the entry point ++ # proxyProtocol: ++ # trustedIPs: [] ++ # insecure: false ++ # + # One can apply Middlewares on an entrypoint + # https://doc.traefik.io/traefik/middlewares/overview/ + # https://doc.traefik.io/traefik/routing/entrypoints/#middlewares +``` + +## 16.1.0 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-19 + +* ✨ add optional ServiceMonitor & PrometheusRules CRDs (#425) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 7e335b5..9b5afc4 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -237,8 +237,46 @@ metrics: + prometheus: + entryPoint: metrics + # addRoutersLabels: true +- # statsd: +- # address: localhost:8125 ++ # statsd: ++ # address: localhost:8125 ++## ++## enable optional CRDs for Prometheus Operator ++## ++ # serviceMonitor: ++ # additionalLabels: ++ # foo: bar ++ # namespace: "another-namespace" ++ # namespaceSelector: {} ++ # metricRelabelings: [] ++ # - sourceLabels: [__name__] ++ # separator: ; ++ # regex: ^fluentd_output_status_buffer_(oldest|newest)_.+ ++ # replacement: $1 ++ # action: drop ++ # relabelings: [] ++ # - sourceLabels: [__meta_kubernetes_pod_node_name] ++ # separator: ; ++ # regex: ^(.*)$ ++ # targetLabel: nodename ++ # replacement: $1 ++ # action: replace ++ # jobLabel: traefik ++ # scrapeInterval: 30s ++ # scrapeTimeout: 5s ++ # honorLabels: true ++ # prometheusRule: ++ # additionalLabels: {} ++ # namespace: "another-namespace" ++ # rules: ++ # - alert: TraefikDown ++ # expr: up{job="traefik"} == 0 ++ # for: 5m ++ # labels: ++ # context: traefik ++ # severity: warning ++ # annotations: ++ # summary: "Traefik Down" ++ # description: "{{ $labels.pod }} on {{ $labels.nodename }} is down" + + tracing: {} + # instana: +``` + +## 16.0.0 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-19 + +* :fire: Remove `Pilot` and `fallbackApiVersion` (#665) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 03fdaed..7e335b5 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -84,15 +84,6 @@ ingressClass: + # true is not unit-testable yet, pending https://github.com/rancher/helm-unittest/pull/12 + enabled: false + isDefaultClass: false +- # Use to force a networking.k8s.io API Version for certain CI/CD applications. E.g. "v1beta1" +- fallbackApiVersion: "" +- +-# Activate Pilot integration +-pilot: +- enabled: false +- token: "" +- # Toggle Pilot Dashboard +- # dashboard: false + + # Enable experimental features + experimental: +``` + +## 15.3.1 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-18 + +* :art: Improve `IngressRoute` structure (#674) + + +## 15.3.0 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-18 + +* 📌 Add capacity to enable User-facing role + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 76aac93..03fdaed 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -553,10 +553,12 @@ hostNetwork: false + # Whether Role Based Access Control objects like roles and rolebindings should be created + rbac: + enabled: true +- + # If set to false, installs ClusterRole and ClusterRoleBinding so Traefik can be used across namespaces. + # If set to true, installs Role and RoleBinding. Providers will only watch target namespace. + namespaced: false ++ # Enable user-facing roles ++ # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles ++ # aggregateTo: [ "admin" ] + + # Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding + podSecurityPolicy: +``` + +## 15.2.2 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-17 + +* Fix provider namespace changes + + +## 15.2.1 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-17 + +* 🐛 fix provider namespace changes + + +## 15.2.0 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-17 + +* :bug: Allow to watch on specific namespaces without using rbac.namespaced (#666) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 781ac15..76aac93 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -555,7 +555,7 @@ rbac: + enabled: true + + # If set to false, installs ClusterRole and ClusterRoleBinding so Traefik can be used across namespaces. +- # If set to true, installs namespace-specific Role and RoleBinding and requires provider configuration be set to that same namespace ++ # If set to true, installs Role and RoleBinding. Providers will only watch target namespace. + namespaced: false + + # Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding +``` + +## 15.1.1 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-17 + +* :goal_net: Fail gracefully when http3 is not enabled correctly (#667) + + +## 15.1.0 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-14 + +* :sparkles: add optional topologySpreadConstraints (#663) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index fc2c371..781ac15 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -593,6 +593,15 @@ affinity: {} + + nodeSelector: {} + tolerations: [] ++topologySpreadConstraints: [] ++# # This example topologySpreadConstraints forces the scheduler to put traefik pods ++# # on nodes where no other traefik pods are scheduled. ++# - labelSelector: ++# matchLabels: ++# app: '{{ template "traefik.name" . }}' ++# maxSkew: 1 ++# topologyKey: kubernetes.io/hostname ++# whenUnsatisfiable: DoNotSchedule + + # Pods can have priority. + # Priority indicates the importance of a Pod relative to other Pods. +``` + +## 15.0.0 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-13 + +* :rocket: Enable TLS by default on `websecure` port (#657) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 400a29a..fc2c371 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -389,7 +389,7 @@ ports: + # Set TLS at the entrypoint + # https://doc.traefik.io/traefik/routing/entrypoints/#tls + tls: +- enabled: false ++ enabled: true + # this is the name of a TLSOption definition + options: "" + certResolver: "" +``` + +## 14.0.2 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-13 + +* :memo: Add Changelog (#661) + + +## 14.0.1 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-11 + +* :memo: Update workaround for permissions 660 on acme.json + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index a4e4ff2..400a29a 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -45,10 +45,10 @@ deployment: + # Additional initContainers (e.g. for setting file permission as shown below) + initContainers: [] + # The "volume-permissions" init container is required if you run into permission issues. +- # Related issue: https://github.com/traefik/traefik/issues/6972 ++ # Related issue: https://github.com/traefik/traefik/issues/6825 + # - name: volume-permissions +- # image: busybox:1.31.1 +- # command: ["sh", "-c", "chmod -Rv 600 /data/*"] ++ # image: busybox:1.35 ++ # command: ["sh", "-c", "touch /data/acme.json && chmod -Rv 600 /data/* && chown 65532:65532 /data/acme.json"] + # volumeMounts: + # - name: data + # mountPath: /data +``` + +## 14.0.0 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-11 + +* Limit rbac to only required resources for Ingress and CRD providers + + +## 13.0.1 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-11 + +* Add helper function for common labels + + +## 13.0.0 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-11 + +* Moved list object to individual objects + + +## 12.0.7 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-10 + +* :lipstick: Affinity templating and example (#557) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 4431c36..a4e4ff2 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -578,19 +578,19 @@ resources: {} + # limits: + # cpu: "300m" + # memory: "150Mi" ++ ++# This example pod anti-affinity forces the scheduler to put traefik pods ++# on nodes where no other traefik pods are scheduled. ++# It should be used when hostNetwork: true to prevent port conflicts + affinity: {} +-# # This example pod anti-affinity forces the scheduler to put traefik pods +-# # on nodes where no other traefik pods are scheduled. +-# # It should be used when hostNetwork: true to prevent port conflicts +-# podAntiAffinity: +-# requiredDuringSchedulingIgnoredDuringExecution: +-# - labelSelector: +-# matchExpressions: +-# - key: app.kubernetes.io/name +-# operator: In +-# values: +-# - {{ template "traefik.name" . }} +-# topologyKey: kubernetes.io/hostname ++# podAntiAffinity: ++# requiredDuringSchedulingIgnoredDuringExecution: ++# - labelSelector: ++# matchLabels: ++# app.kubernetes.io/name: '{{ template "traefik.name" . }}' ++# app.kubernetes.io/instance: '{{ .Release.Name }}' ++# topologyKey: kubernetes.io/hostname ++ + nodeSelector: {} + tolerations: [] + +``` + +## 12.0.6 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-10 + +* :bug: Ignore kustomization file used for CRDs update (#653) + + +## 12.0.5 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-10 + +* :memo: Establish Traefik & CRD update process + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 3526729..4431c36 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -342,6 +342,7 @@ ports: + + # Override the liveness/readiness port. This is useful to integrate traefik + # with an external Load Balancer that performs healthchecks. ++ # Default: ports.traefik.port + # healthchecksPort: 9000 + + # Override the liveness/readiness scheme. Useful for getting ping to +``` + +## 12.0.4 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-10 + +* Allows ingressClass to be used without semver-compatible image tag + + +## 12.0.3 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-10 + +* :bug: Should check hostNetwork when hostPort != containerPort + + +## 12.0.2 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-07 + +* :goal_net: Fail gracefully when hostNetwork is enabled and hostPort != containerPort + + +## 12.0.1 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-07 + +* :bug: Fix a typo on `behavior` for HPA v2 + + +## 12.0.0 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-06 + +* Update default HPA API Version to `v2` and add support for behavior (#518) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 2bd51f8..3526729 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -488,11 +488,22 @@ autoscaling: + # - type: Resource + # resource: + # name: cpu +-# targetAverageUtilization: 60 ++# target: ++# type: Utilization ++# averageUtilization: 60 + # - type: Resource + # resource: + # name: memory +-# targetAverageUtilization: 60 ++# target: ++# type: Utilization ++# averageUtilization: 60 ++# behavior: ++# scaleDown: ++# stabilizationWindowSeconds: 300 ++# policies: ++# - type: Pods ++# value: 1 ++# periodSeconds: 60 + + # Enable persistence using Persistent Volume Claims + # ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ +``` + +## 11.1.1 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-05 + +* 🔊 add failure message when using maxUnavailable 0 and hostNetwork + + +## 11.1.0 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-04 + +* Update Traefik to v2.9.1 + + +## 11.0.0 ![AppVersion: 2.8.7](https://img.shields.io/static/v1?label=AppVersion&message=2.8.7&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-04 + +* tweak default values to avoid downtime when updating + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 844cadc..2bd51f8 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -126,20 +126,20 @@ ingressRoute: + entryPoints: ["traefik"] + + rollingUpdate: +- maxUnavailable: 1 ++ maxUnavailable: 0 + maxSurge: 1 + + # Customize liveness and readiness probe values. + readinessProbe: + failureThreshold: 1 +- initialDelaySeconds: 10 ++ initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + + livenessProbe: + failureThreshold: 3 +- initialDelaySeconds: 10 ++ initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 +``` + +## 10.33.0 ![AppVersion: 2.8.7](https://img.shields.io/static/v1?label=AppVersion&message=2.8.7&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-04 + +* :rocket: Add `extraObjects` value that allows creating adhoc resources + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index c926bd9..844cadc 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -598,3 +598,10 @@ securityContext: + + podSecurityContext: + fsGroup: 65532 ++ ++# ++# Extra objects to deploy (value evaluated as a template) ++# ++# In some cases, it can avoid the need for additional, extended or adhoc deployments. ++# See #595 for more details and traefik/tests/extra.yaml for example. ++extraObjects: [] +``` + +## 10.32.0 ![AppVersion: 2.8.7](https://img.shields.io/static/v1?label=AppVersion&message=2.8.7&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-03 + +* Add support setting middleware on entrypoint + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 3957448..c926bd9 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -397,6 +397,16 @@ ports: + # sans: + # - foo.example.com + # - bar.example.com ++ # ++ # One can apply Middlewares on an entrypoint ++ # https://doc.traefik.io/traefik/middlewares/overview/ ++ # https://doc.traefik.io/traefik/routing/entrypoints/#middlewares ++ # /!\ It introduces here a link between your static configuration and your dynamic configuration /!\ ++ # It follows the provider naming convention: https://doc.traefik.io/traefik/providers/overview/#provider-namespace ++ # middlewares: ++ # - namespace-name1@kubernetescrd ++ # - namespace-name2@kubernetescrd ++ middlewares: [] + metrics: + # When using hostNetwork, use another port to avoid conflict with node exporter: + # https://github.com/prometheus/prometheus/wiki/Default-port-allocations +``` + +## 10.31.0 ![AppVersion: 2.8.7](https://img.shields.io/static/v1?label=AppVersion&message=2.8.7&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-03 + +* Support setting dashboard entryPoints for ingressRoute resource + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index c9feb76..3957448 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -120,6 +120,10 @@ ingressRoute: + annotations: {} + # Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels) + labels: {} ++ # Specify the allowed entrypoints to use for the dashboard ingress route, (e.g. traefik, web, websecure). ++ # By default, it's using traefik entrypoint, which is not exposed. ++ # /!\ Do not expose your dashboard without any protection over the internet /!\ ++ entryPoints: ["traefik"] + + rollingUpdate: + maxUnavailable: 1 +``` + +## 10.30.2 ![AppVersion: 2.8.7](https://img.shields.io/static/v1?label=AppVersion&message=2.8.7&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-10-03 + +* :test_tube: Fail gracefully when asked to provide a service without ports + + +## 10.30.1 ![AppVersion: 2.8.7](https://img.shields.io/static/v1?label=AppVersion&message=2.8.7&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-09-30 + +* :arrow_up: Upgrade helm, ct & unittest (#638) + + +## 10.30.0 ![AppVersion: 2.8.7](https://img.shields.io/static/v1?label=AppVersion&message=2.8.7&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-09-30 + +* Add support HTTPS scheme for healthcheks + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index fed4a8a..c9feb76 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -340,6 +340,10 @@ ports: + # with an external Load Balancer that performs healthchecks. + # healthchecksPort: 9000 + ++ # Override the liveness/readiness scheme. Useful for getting ping to ++ # respond on websecure entryPoint. ++ # healthchecksScheme: HTTPS ++ + # Defines whether the port is exposed if service.type is LoadBalancer or + # NodePort. + # +``` + +## 10.29.0 ![AppVersion: 2.8.7](https://img.shields.io/static/v1?label=AppVersion&message=2.8.7&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-09-29 + +* Add missing tracing options + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index d1708cc..fed4a8a 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -247,12 +247,45 @@ metrics: + + tracing: {} + # instana: +- # enabled: true ++ # localAgentHost: 127.0.0.1 ++ # localAgentPort: 42699 ++ # logLevel: info ++ # enableAutoProfile: true + # datadog: + # localAgentHostPort: 127.0.0.1:8126 + # debug: false + # globalTag: "" + # prioritySampling: false ++ # jaeger: ++ # samplingServerURL: http://localhost:5778/sampling ++ # samplingType: const ++ # samplingParam: 1.0 ++ # localAgentHostPort: 127.0.0.1:6831 ++ # gen128Bit: false ++ # propagation: jaeger ++ # traceContextHeaderName: uber-trace-id ++ # disableAttemptReconnecting: true ++ # collector: ++ # endpoint: "" ++ # user: "" ++ # password: "" ++ # zipkin: ++ # httpEndpoint: http://localhost:9411/api/v2/spans ++ # sameSpan: false ++ # id128Bit: true ++ # sampleRate: 1.0 ++ # haystack: ++ # localAgentHost: 127.0.0.1 ++ # localAgentPort: 35000 ++ # globalTag: "" ++ # traceIDHeaderName: "" ++ # parentIDHeaderName: "" ++ # spanIDHeaderName: "" ++ # baggagePrefixHeaderName: "" ++ # elastic: ++ # serverURL: http://localhost:8200 ++ # secretToken: "" ++ # serviceEnvironment: "" + + globalArguments: + - "--global.checknewversion" +``` + +## 10.28.0 ![AppVersion: 2.8.7](https://img.shields.io/static/v1?label=AppVersion&message=2.8.7&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-09-29 + +* feat: add lifecycle for prestop and poststart + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 19a133c..d1708cc 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -59,6 +59,17 @@ deployment: + # Additional imagePullSecrets + imagePullSecrets: [] + # - name: myRegistryKeySecretName ++ # Pod lifecycle actions ++ lifecycle: {} ++ # preStop: ++ # exec: ++ # command: ["/bin/sh", "-c", "sleep 40"] ++ # postStart: ++ # httpGet: ++ # path: /ping ++ # port: 9000 ++ # host: localhost ++ # scheme: HTTP + + # Pod disruption budget + podDisruptionBudget: +``` + +## 10.27.0 ![AppVersion: 2.8.7](https://img.shields.io/static/v1?label=AppVersion&message=2.8.7&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-09-29 + +* feat: add create gateway option + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index d9c745e..19a133c 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -91,6 +91,8 @@ experimental: + enabled: false + kubernetesGateway: + enabled: false ++ gateway: ++ enabled: true + # certificate: + # group: "core" + # kind: "Secret" +``` + +## 10.26.1 ![AppVersion: 2.8.7](https://img.shields.io/static/v1?label=AppVersion&message=2.8.7&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-09-28 + +* 🐛 fix rbac templating (#636) + + +## 10.26.0 ![AppVersion: 2.8.7](https://img.shields.io/static/v1?label=AppVersion&message=2.8.7&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-09-28 + +* :bug: Fix ingressClass support when rbac.namespaced=true (#499) + + +## 10.25.1 ![AppVersion: 2.8.7](https://img.shields.io/static/v1?label=AppVersion&message=2.8.7&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-09-28 + +* Add ingressclasses to traefik role + + +## 10.25.0 ![AppVersion: 2.8.7](https://img.shields.io/static/v1?label=AppVersion&message=2.8.7&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-09-27 + +* Add TLSStore resource to chart + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index d4011c3..d9c745e 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -373,6 +373,15 @@ ports: + # - CurveP384 + tlsOptions: {} + ++# TLS Store are created as TLSStore CRDs. This is useful if you want to set a default certificate ++# https://doc.traefik.io/traefik/https/tls/#default-certificate ++# Example: ++# tlsStore: ++# default: ++# defaultCertificate: ++# secretName: tls-cert ++tlsStore: {} ++ + # Options for the main traefik service, where the entrypoints traffic comes + # from. + service: +``` + +## 10.24.5 ![AppVersion: 2.8.7](https://img.shields.io/static/v1?label=AppVersion&message=2.8.7&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-09-27 + +* Suggest an alternative port for metrics + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 81f2e85..d4011c3 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -344,6 +344,8 @@ ports: + # - foo.example.com + # - bar.example.com + metrics: ++ # When using hostNetwork, use another port to avoid conflict with node exporter: ++ # https://github.com/prometheus/prometheus/wiki/Default-port-allocations + port: 9100 + # hostPort: 9100 + # Defines whether the port is exposed if service.type is LoadBalancer or +``` + +## 10.24.4 ![AppVersion: 2.8.7](https://img.shields.io/static/v1?label=AppVersion&message=2.8.7&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-09-26 + +* Update Traefik to v2.8.7 + + +## 10.24.3 ![AppVersion: 2.8.5](https://img.shields.io/static/v1?label=AppVersion&message=2.8.5&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-09-14 + +* Update Traefik version to v2.8.5 + + +## 10.24.2 ![AppVersion: 2.8.4](https://img.shields.io/static/v1?label=AppVersion&message=2.8.4&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-09-05 + +* Update Traefik version to v2.8.4 + + +## 10.24.1 ![AppVersion: 2.8.0](https://img.shields.io/static/v1?label=AppVersion&message=2.8.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-08-29 + +* Update PodDisruptionBudget apiVersion to policy/v1 + + +## 10.24.0 ![AppVersion: 2.8.0](https://img.shields.io/static/v1?label=AppVersion&message=2.8.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-06-30 + +* Update Traefik version to v2.8.0 + + +## 10.23.0 ![AppVersion: 2.7.1](https://img.shields.io/static/v1?label=AppVersion&message=2.7.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-06-27 + +* Support environment variable usage for Datadog + + +## 10.22.0 ![AppVersion: 2.7.1](https://img.shields.io/static/v1?label=AppVersion&message=2.7.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-06-22 + +* Allow setting revisionHistoryLimit for Deployment and DaemonSet + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index d5785ab..81f2e85 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -14,6 +14,8 @@ deployment: + kind: Deployment + # Number of pods of the deployment (only applies when kind == Deployment) + replicas: 1 ++ # Number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10) ++ # revisionHistoryLimit: 1 + # Amount of time (in seconds) before Kubernetes will send the SIGKILL signal if Traefik does not shut down + terminationGracePeriodSeconds: 60 + # The minimum number of seconds Traefik needs to be up and running before the DaemonSet/Deployment controller considers it available +``` + +## 10.21.1 ![AppVersion: 2.7.1](https://img.shields.io/static/v1?label=AppVersion&message=2.7.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-06-15 + +* Update Traefik version to 2.7.1 + + +## 10.21.0 ![AppVersion: 2.7.0](https://img.shields.io/static/v1?label=AppVersion&message=2.7.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-06-15 + +* Support allowEmptyServices config for KubernetesCRD + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index e141e29..d5785ab 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -133,6 +133,7 @@ providers: + enabled: true + allowCrossNamespace: false + allowExternalNameServices: false ++ allowEmptyServices: false + # ingressClass: traefik-internal + # labelSelector: environment=production,method=traefik + namespaces: [] +``` + +## 10.20.1 ![AppVersion: 2.7.0](https://img.shields.io/static/v1?label=AppVersion&message=2.7.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-06-01 + +* Add Acme certificate resolver configuration + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index a16b107..e141e29 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -433,6 +433,27 @@ persistence: + annotations: {} + # subPath: "" # only mount a subpath of the Volume into the pod + ++certResolvers: {} ++# letsencrypt: ++# # for challenge options cf. https://doc.traefik.io/traefik/https/acme/ ++# email: email@example.com ++# dnsChallenge: ++# # also add the provider's required configuration under env ++# # or expand then from secrets/configmaps with envfrom ++# # cf. https://doc.traefik.io/traefik/https/acme/#providers ++# provider: digitalocean ++# # add futher options for the dns challenge as needed ++# # cf. https://doc.traefik.io/traefik/https/acme/#dnschallenge ++# delayBeforeCheck: 30 ++# resolvers: ++# - 1.1.1.1 ++# - 8.8.8.8 ++# tlsChallenge: true ++# httpChallenge: ++# entryPoint: "web" ++# # match the path to persistence ++# storage: /data/acme.json ++ + # If hostNetwork is true, runs traefik in the host network namespace + # To prevent unschedulabel pods due to port collisions, if hostNetwork=true + # and replicas>1, a pod anti-affinity is recommended and will be set if the +``` + +## 10.20.0 ![AppVersion: 2.7.0](https://img.shields.io/static/v1?label=AppVersion&message=2.7.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-05-25 + +* Update Traefik Proxy to v2.7.0 + + +## 10.19.5 ![AppVersion: 2.6.6](https://img.shields.io/static/v1?label=AppVersion&message=2.6.6&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-05-04 + +* Upgrade Traefik to 2.6.6 + + +## 10.19.4 ![AppVersion: 2.6.3](https://img.shields.io/static/v1?label=AppVersion&message=2.6.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-03-31 + +* Update Traefik dependency version to 2.6.3 + + +## 10.19.3 ![AppVersion: 2.6.2](https://img.shields.io/static/v1?label=AppVersion&message=2.6.2&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-03-30 + +* Update CRDs to match the ones defined in the reference documentation + + +## 10.19.2 ![AppVersion: 2.6.2](https://img.shields.io/static/v1?label=AppVersion&message=2.6.2&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-03-30 + +* Revert Traefik version to 2.6.2 + + +## 10.19.1 ![AppVersion: 2.6.3](https://img.shields.io/static/v1?label=AppVersion&message=2.6.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-03-30 + +* Update Traefik version to 2.6.3 + + +## 10.19.0 ![AppVersion: 2.6.2](https://img.shields.io/static/v1?label=AppVersion&message=2.6.2&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-03-28 + +* Support ingressClass option for KubernetesIngress provider + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 02ab704..a16b107 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -142,6 +142,7 @@ providers: + enabled: true + allowExternalNameServices: false + allowEmptyServices: false ++ # ingressClass: traefik-internal + # labelSelector: environment=production,method=traefik + namespaces: [] + # - "default" +``` + +## 10.18.0 ![AppVersion: 2.6.2](https://img.shields.io/static/v1?label=AppVersion&message=2.6.2&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-03-28 + +* Support liveness and readyness probes customization + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 15f1103..02ab704 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -110,6 +110,20 @@ rollingUpdate: + maxUnavailable: 1 + maxSurge: 1 + ++# Customize liveness and readiness probe values. ++readinessProbe: ++ failureThreshold: 1 ++ initialDelaySeconds: 10 ++ periodSeconds: 10 ++ successThreshold: 1 ++ timeoutSeconds: 2 ++ ++livenessProbe: ++ failureThreshold: 3 ++ initialDelaySeconds: 10 ++ periodSeconds: 10 ++ successThreshold: 1 ++ timeoutSeconds: 2 + + # + # Configure providers +``` + +## 10.17.0 ![AppVersion: 2.6.2](https://img.shields.io/static/v1?label=AppVersion&message=2.6.2&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-03-28 + +* Support Datadog tracing + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 4dccd1a..15f1103 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -217,6 +217,11 @@ metrics: + tracing: {} + # instana: + # enabled: true ++ # datadog: ++ # localAgentHostPort: 127.0.0.1:8126 ++ # debug: false ++ # globalTag: "" ++ # prioritySampling: false + + globalArguments: + - "--global.checknewversion" +``` + +## 10.16.1 ![AppVersion: 2.6.2](https://img.shields.io/static/v1?label=AppVersion&message=2.6.2&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-03-28 + +* Update Traefik version to 2.6.2 + + +## 10.16.0 ![AppVersion: 2.6.1](https://img.shields.io/static/v1?label=AppVersion&message=2.6.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-03-28 + +* Support allowEmptyServices for KubernetesIngress provider + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 1f9dbbe..4dccd1a 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -127,6 +127,7 @@ providers: + kubernetesIngress: + enabled: true + allowExternalNameServices: false ++ allowEmptyServices: false + # labelSelector: environment=production,method=traefik + namespaces: [] + # - "default" +``` + +## 10.15.0 ![AppVersion: 2.6.1](https://img.shields.io/static/v1?label=AppVersion&message=2.6.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-03-08 + +* Add metrics.prometheus.addRoutersLabels option + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index cd4d49b..1f9dbbe 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -209,6 +209,7 @@ metrics: + # protocol: udp + prometheus: + entryPoint: metrics ++ # addRoutersLabels: true + # statsd: + # address: localhost:8125 + +``` + +## 10.14.2 ![AppVersion: 2.6.1](https://img.shields.io/static/v1?label=AppVersion&message=2.6.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-02-18 + +* Update Traefik to v2.6.1 + + +## 10.14.1 ![AppVersion: 2.6.0](https://img.shields.io/static/v1?label=AppVersion&message=2.6.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-02-09 + +* Add missing inFlightConn TCP middleware CRD + + +## 10.14.0 ![AppVersion: 2.6.0](https://img.shields.io/static/v1?label=AppVersion&message=2.6.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-02-03 + +* Add experimental HTTP/3 support + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index d49122f..cd4d49b 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -83,6 +83,8 @@ pilot: + + # Enable experimental features + experimental: ++ http3: ++ enabled: false + plugins: + enabled: false + kubernetesGateway: +@@ -300,6 +302,10 @@ ports: + # The port protocol (TCP/UDP) + protocol: TCP + # nodePort: 32443 ++ # Enable HTTP/3. ++ # Requires enabling experimental http3 feature and tls. ++ # Note that you cannot have a UDP entrypoint with the same port. ++ # http3: true + # Set TLS at the entrypoint + # https://doc.traefik.io/traefik/routing/entrypoints/#tls + tls: +``` + +## 10.13.0 ![AppVersion: 2.6.0](https://img.shields.io/static/v1?label=AppVersion&message=2.6.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-02-01 + +* Add support for ipFamilies + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 32fce6f..d49122f 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -366,6 +366,11 @@ service: + # - 1.2.3.4 + # One of SingleStack, PreferDualStack, or RequireDualStack. + # ipFamilyPolicy: SingleStack ++ # List of IP families (e.g. IPv4 and/or IPv6). ++ # ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services ++ # ipFamilies: ++ # - IPv4 ++ # - IPv6 + + ## Create HorizontalPodAutoscaler object. + ## +``` + +## 10.12.0 ![AppVersion: 2.6.0](https://img.shields.io/static/v1?label=AppVersion&message=2.6.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-02-01 + +* Add shareProcessNamespace option to podtemplate + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index ab25456..32fce6f 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -50,6 +50,8 @@ deployment: + # volumeMounts: + # - name: data + # mountPath: /data ++ # Use process namespace sharing ++ shareProcessNamespace: false + # Custom pod DNS policy. Apply if `hostNetwork: true` + # dnsPolicy: ClusterFirstWithHostNet + # Additional imagePullSecrets +``` + +## 10.11.1 ![AppVersion: 2.6.0](https://img.shields.io/static/v1?label=AppVersion&message=2.6.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-01-31 + +* Fix anti-affinity example + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 8c72905..ab25456 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -438,13 +438,13 @@ affinity: {} + # # It should be used when hostNetwork: true to prevent port conflicts + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: +-# - labelSelector: +-# matchExpressions: +-# - key: app +-# operator: In +-# values: +-# - {{ template "traefik.name" . }} +-# topologyKey: failure-domain.beta.kubernetes.io/zone ++# - labelSelector: ++# matchExpressions: ++# - key: app.kubernetes.io/name ++# operator: In ++# values: ++# - {{ template "traefik.name" . }} ++# topologyKey: kubernetes.io/hostname + nodeSelector: {} + tolerations: [] + +``` + +## 10.11.0 ![AppVersion: 2.6.0](https://img.shields.io/static/v1?label=AppVersion&message=2.6.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-01-31 + +* Add setting to enable Instana tracing + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 7fe4a2c..8c72905 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -208,6 +208,10 @@ metrics: + # statsd: + # address: localhost:8125 + ++tracing: {} ++ # instana: ++ # enabled: true ++ + globalArguments: + - "--global.checknewversion" + - "--global.sendanonymoususage" +``` + +## 10.10.0 ![AppVersion: 2.6.0](https://img.shields.io/static/v1?label=AppVersion&message=2.6.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2022-01-31 + +* Update Traefik to v2.6 + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 8ae4bd8..7fe4a2c 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -85,9 +85,8 @@ experimental: + enabled: false + kubernetesGateway: + enabled: false +- appLabelSelector: "traefik" +- certificates: [] +- # - group: "core" ++ # certificate: ++ # group: "core" + # kind: "Secret" + # name: "mysecret" + # By default, Gateway would be created to the Namespace you are deploying Traefik to. +``` + +## 10.9.1 ![AppVersion: 2.5.6](https://img.shields.io/static/v1?label=AppVersion&message=2.5.6&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-12-24 + +* Bump traefik version to 2.5.6 + + +## 10.9.0 ![AppVersion: 2.5.4](https://img.shields.io/static/v1?label=AppVersion&message=2.5.4&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-12-20 + +* feat: add allowExternalNameServices to KubernetesIngress provider + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 79df205..8ae4bd8 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -123,6 +123,7 @@ providers: + + kubernetesIngress: + enabled: true ++ allowExternalNameServices: false + # labelSelector: environment=production,method=traefik + namespaces: [] + # - "default" +``` + +## 10.8.0 ![AppVersion: 2.5.4](https://img.shields.io/static/v1?label=AppVersion&message=2.5.4&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-12-20 + +* Add support to specify minReadySeconds on Deployment/DaemonSet + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 7e9186b..79df205 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -16,6 +16,8 @@ deployment: + replicas: 1 + # Amount of time (in seconds) before Kubernetes will send the SIGKILL signal if Traefik does not shut down + terminationGracePeriodSeconds: 60 ++ # The minimum number of seconds Traefik needs to be up and running before the DaemonSet/Deployment controller considers it available ++ minReadySeconds: 0 + # Additional deployment annotations (e.g. for jaeger-operator sidecar injection) + annotations: {} + # Additional deployment labels (e.g. for filtering deployment by custom labels) +``` + +## 10.7.1 ![AppVersion: 2.5.4](https://img.shields.io/static/v1?label=AppVersion&message=2.5.4&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-12-06 + +* Fix pod disruption when using percentages + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index e0655c8..7e9186b 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -52,13 +52,15 @@ deployment: + # dnsPolicy: ClusterFirstWithHostNet + # Additional imagePullSecrets + imagePullSecrets: [] +- # - name: myRegistryKeySecretName ++ # - name: myRegistryKeySecretName + + # Pod disruption budget + podDisruptionBudget: + enabled: false + # maxUnavailable: 1 ++ # maxUnavailable: 33% + # minAvailable: 0 ++ # minAvailable: 25% + + # Use ingressClass. Ignored if Traefik version < 2.3 / kubernetes < 1.18.x + ingressClass: +``` + +## 10.7.0 ![AppVersion: 2.5.4](https://img.shields.io/static/v1?label=AppVersion&message=2.5.4&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-12-06 + +* Add support for ipFamilyPolicy + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 3ec7105..e0655c8 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -343,8 +343,8 @@ service: + annotationsUDP: {} + # Additional service labels (e.g. for filtering Service by custom labels) + labels: {} +- # Additional entries here will be added to the service spec. Cannot contains +- # type, selector or ports entries. ++ # Additional entries here will be added to the service spec. ++ # Cannot contain type, selector or ports entries. + spec: {} + # externalTrafficPolicy: Cluster + # loadBalancerIP: "1.2.3.4" +@@ -354,6 +354,8 @@ service: + # - 172.16.0.0/16 + externalIPs: [] + # - 1.2.3.4 ++ # One of SingleStack, PreferDualStack, or RequireDualStack. ++ # ipFamilyPolicy: SingleStack + + ## Create HorizontalPodAutoscaler object. + ## +``` + +## 10.6.2 ![AppVersion: 2.5.4](https://img.shields.io/static/v1?label=AppVersion&message=2.5.4&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-11-15 + +* Bump Traefik version to 2.5.4 + + +## 10.6.1 ![AppVersion: 2.5.3](https://img.shields.io/static/v1?label=AppVersion&message=2.5.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-11-05 + +* Add missing Gateway API resources to ClusterRole + + +## 10.6.0 ![AppVersion: 2.5.3](https://img.shields.io/static/v1?label=AppVersion&message=2.5.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-10-13 + +* feat: allow termination grace period to be configurable + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index f06ebc6..3ec7105 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -14,6 +14,8 @@ deployment: + kind: Deployment + # Number of pods of the deployment (only applies when kind == Deployment) + replicas: 1 ++ # Amount of time (in seconds) before Kubernetes will send the SIGKILL signal if Traefik does not shut down ++ terminationGracePeriodSeconds: 60 + # Additional deployment annotations (e.g. for jaeger-operator sidecar injection) + annotations: {} + # Additional deployment labels (e.g. for filtering deployment by custom labels) +``` + +## 10.5.0 ![AppVersion: 2.5.3](https://img.shields.io/static/v1?label=AppVersion&message=2.5.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-10-13 + +* feat: add allowExternalNameServices to Kubernetes CRD provider + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 3bcb350..f06ebc6 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -109,6 +109,7 @@ providers: + kubernetesCRD: + enabled: true + allowCrossNamespace: false ++ allowExternalNameServices: false + # ingressClass: traefik-internal + # labelSelector: environment=production,method=traefik + namespaces: [] +``` + +## 10.4.2 ![AppVersion: 2.5.3](https://img.shields.io/static/v1?label=AppVersion&message=2.5.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-10-13 + +* fix(crd): add permissionsPolicy to headers middleware + + +## 10.4.1 ![AppVersion: 2.5.3](https://img.shields.io/static/v1?label=AppVersion&message=2.5.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-10-13 + +* fix(crd): add peerCertURI option to ServersTransport + + +## 10.4.0 ![AppVersion: 2.5.3](https://img.shields.io/static/v1?label=AppVersion&message=2.5.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-10-12 + +* Add Kubernetes CRD labelSelector and ingressClass options + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index f54f5fe..3bcb350 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -109,8 +109,11 @@ providers: + kubernetesCRD: + enabled: true + allowCrossNamespace: false ++ # ingressClass: traefik-internal ++ # labelSelector: environment=production,method=traefik + namespaces: [] + # - "default" ++ + kubernetesIngress: + enabled: true + # labelSelector: environment=production,method=traefik +``` + +## 10.3.6 ![AppVersion: 2.5.3](https://img.shields.io/static/v1?label=AppVersion&message=2.5.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-09-24 + +* Fix missing RequireAnyClientCert value to TLSOption CRD + + +## 10.3.5 ![AppVersion: 2.5.3](https://img.shields.io/static/v1?label=AppVersion&message=2.5.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-09-23 + +* Bump Traefik version to 2.5.3 + + +## 10.3.4 ![AppVersion: 2.5.1](https://img.shields.io/static/v1?label=AppVersion&message=2.5.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-09-17 + +* Add allowCrossNamespace option on kubernetesCRD provider + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 7e3a579..f54f5fe 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -108,6 +108,7 @@ rollingUpdate: + providers: + kubernetesCRD: + enabled: true ++ allowCrossNamespace: false + namespaces: [] + # - "default" + kubernetesIngress: +``` + +## 10.3.3 ![AppVersion: 2.5.1](https://img.shields.io/static/v1?label=AppVersion&message=2.5.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-09-17 + +* fix(crd): missing alpnProtocols in TLSOption + + +## 10.3.2 ![AppVersion: 2.5.1](https://img.shields.io/static/v1?label=AppVersion&message=2.5.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-08-23 + +* Releasing 2.5.1 + + +## 10.3.1 ![AppVersion: 2.5.0](https://img.shields.io/static/v1?label=AppVersion&message=2.5.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-08-20 + +* Fix Ingress RBAC for namespaced scoped deployment + + +## 10.3.0 ![AppVersion: 2.5.0](https://img.shields.io/static/v1?label=AppVersion&message=2.5.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-08-18 + +* Releasing Traefik 2.5.0 + + +## 10.2.0 ![AppVersion: 2.4.13](https://img.shields.io/static/v1?label=AppVersion&message=2.4.13&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-08-18 + +* Allow setting TCP and UDP service annotations separately + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 72a01ea..7e3a579 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -328,8 +328,12 @@ tlsOptions: {} + service: + enabled: true + type: LoadBalancer +- # Additional annotations (e.g. for cloud provider specific config) ++ # Additional annotations applied to both TCP and UDP services (e.g. for cloud provider specific config) + annotations: {} ++ # Additional annotations for TCP service only ++ annotationsTCP: {} ++ # Additional annotations for UDP service only ++ annotationsUDP: {} + # Additional service labels (e.g. for filtering Service by custom labels) + labels: {} + # Additional entries here will be added to the service spec. Cannot contains +``` + +## 10.1.6 ![AppVersion: 2.4.13](https://img.shields.io/static/v1?label=AppVersion&message=2.4.13&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-08-17 + +* fix: missing service labels + + +## 10.1.5 ![AppVersion: 2.4.13](https://img.shields.io/static/v1?label=AppVersion&message=2.4.13&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-08-17 + +* fix(pvc-annotaions): see traefik/traefik-helm-chart#471 + + +## 10.1.4 ![AppVersion: 2.4.13](https://img.shields.io/static/v1?label=AppVersion&message=2.4.13&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-08-17 + +* fix(ingressclass): fallbackApiVersion default shouldn't be `nil` + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 04d336c..72a01ea 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -64,7 +64,7 @@ ingressClass: + enabled: false + isDefaultClass: false + # Use to force a networking.k8s.io API Version for certain CI/CD applications. E.g. "v1beta1" +- fallbackApiVersion: ++ fallbackApiVersion: "" + + # Activate Pilot integration + pilot: +``` + +## 10.1.3 ![AppVersion: 2.4.13](https://img.shields.io/static/v1?label=AppVersion&message=2.4.13&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-08-16 + +* Move Prometheus annotations to Pods + + +## 10.1.2 ![AppVersion: 2.4.13](https://img.shields.io/static/v1?label=AppVersion&message=2.4.13&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-08-10 + +* Version bumped 2.4.13 + + +## 10.1.1 ![AppVersion: 2.4.9](https://img.shields.io/static/v1?label=AppVersion&message=2.4.9&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-07-20 + +* Fixing Prometheus.io/port annotation + + +## 10.1.0 ![AppVersion: 2.4.9](https://img.shields.io/static/v1?label=AppVersion&message=2.4.9&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-07-20 + +* Add metrics framework, and prom annotations + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index f6e370a..04d336c 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -186,6 +186,17 @@ logs: + # Authorization: drop + # Content-Type: keep + ++metrics: ++ # datadog: ++ # address: 127.0.0.1:8125 ++ # influxdb: ++ # address: localhost:8089 ++ # protocol: udp ++ prometheus: ++ entryPoint: metrics ++ # statsd: ++ # address: localhost:8125 ++ + globalArguments: + - "--global.checknewversion" + - "--global.sendanonymoususage" +@@ -284,6 +295,20 @@ ports: + # sans: + # - foo.example.com + # - bar.example.com ++ metrics: ++ port: 9100 ++ # hostPort: 9100 ++ # Defines whether the port is exposed if service.type is LoadBalancer or ++ # NodePort. ++ # ++ # You may not want to expose the metrics port on production deployments. ++ # If you want to access it from outside of your cluster, ++ # use `kubectl port-forward` or create a secure ingress ++ expose: false ++ # The exposed port for this service ++ exposedPort: 9100 ++ # The port protocol (TCP/UDP) ++ protocol: TCP + + # TLS Options are created as TLSOption CRDs + # https://doc.traefik.io/traefik/https/tls/#tls-options +``` + +## 10.0.2 ![AppVersion: 2.4.9](https://img.shields.io/static/v1?label=AppVersion&message=2.4.9&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-07-14 + +* feat(gateway): introduces param / pick Namespace installing Gateway + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 9bf90ea..f6e370a 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -84,6 +84,9 @@ experimental: + # - group: "core" + # kind: "Secret" + # name: "mysecret" ++ # By default, Gateway would be created to the Namespace you are deploying Traefik to. ++ # You may create that Gateway in another namespace, setting its name below: ++ # namespace: default + + # Create an IngressRoute for the dashboard + ingressRoute: +``` + +## 10.0.1 ![AppVersion: 2.4.9](https://img.shields.io/static/v1?label=AppVersion&message=2.4.9&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-07-14 + +* Add RBAC for middlewaretcps + + +## 10.0.0 ![AppVersion: 2.4.9](https://img.shields.io/static/v1?label=AppVersion&message=2.4.9&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-07-07 + +* Update CRD versions + + +## 9.20.1 ![AppVersion: 2.4.8](https://img.shields.io/static/v1?label=AppVersion&message=2.4.8&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-07-05 + +* Revert CRD templating + + +## 9.20.0 ![AppVersion: 2.4.8](https://img.shields.io/static/v1?label=AppVersion&message=2.4.8&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-07-05 + +* Add support for apiextensions v1 CRDs + + +## 9.19.2 ![AppVersion: 2.4.8](https://img.shields.io/static/v1?label=AppVersion&message=2.4.8&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-06-16 + +* Add name-metadata for service "List" object + + +## 9.19.1 ![AppVersion: 2.4.8](https://img.shields.io/static/v1?label=AppVersion&message=2.4.8&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-05-13 + +* fix simple typo + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index b30afac..9bf90ea 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -363,7 +363,7 @@ rbac: + # If set to true, installs namespace-specific Role and RoleBinding and requires provider configuration be set to that same namespace + namespaced: false + +-# Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBindin or ClusterRoleBinding ++# Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding + podSecurityPolicy: + enabled: false + +``` + +## 9.19.0 ![AppVersion: 2.4.8](https://img.shields.io/static/v1?label=AppVersion&message=2.4.8&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-04-29 + +* Fix IngressClass api version + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 0aa2d6b..b30afac 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -63,6 +63,8 @@ ingressClass: + # true is not unit-testable yet, pending https://github.com/rancher/helm-unittest/pull/12 + enabled: false + isDefaultClass: false ++ # Use to force a networking.k8s.io API Version for certain CI/CD applications. E.g. "v1beta1" ++ fallbackApiVersion: + + # Activate Pilot integration + pilot: +``` + +## 9.18.3 ![AppVersion: 2.4.8](https://img.shields.io/static/v1?label=AppVersion&message=2.4.8&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-04-26 + +* Fix: ignore provider namespace args on disabled + + +## 9.18.2 ![AppVersion: 2.4.8](https://img.shields.io/static/v1?label=AppVersion&message=2.4.8&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-04-02 + +* Fix pilot dashboard deactivation + + +## 9.18.1 ![AppVersion: 2.4.8](https://img.shields.io/static/v1?label=AppVersion&message=2.4.8&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-03-29 + +* Do not disable Traefik Pilot in the dashboard by default + + +## 9.18.0 ![AppVersion: 2.4.8](https://img.shields.io/static/v1?label=AppVersion&message=2.4.8&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-03-24 + +* Add an option to toggle the pilot dashboard + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 017f771..0aa2d6b 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -68,6 +68,8 @@ ingressClass: + pilot: + enabled: false + token: "" ++ # Toggle Pilot Dashboard ++ # dashboard: false + + # Enable experimental features + experimental: +``` + +## 9.17.6 ![AppVersion: 2.4.8](https://img.shields.io/static/v1?label=AppVersion&message=2.4.8&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-03-24 + +* Bump Traefik to 2.4.8 + + +## 9.17.5 ![AppVersion: 2.4.7](https://img.shields.io/static/v1?label=AppVersion&message=2.4.7&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-03-17 + +* feat(labelSelector): option matching Ingresses based on labelSelectors + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 868a985..017f771 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -105,6 +105,7 @@ providers: + # - "default" + kubernetesIngress: + enabled: true ++ # labelSelector: environment=production,method=traefik + namespaces: [] + # - "default" + # IP used for Kubernetes Ingress endpoints +``` + +## 9.17.4 ![AppVersion: 2.4.7](https://img.shields.io/static/v1?label=AppVersion&message=2.4.7&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-03-17 + +* Add helm resource-policy annotation on PVC + + +## 9.17.3 ![AppVersion: 2.4.7](https://img.shields.io/static/v1?label=AppVersion&message=2.4.7&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-03-17 + +* Throw error with explicit latest tag + + +## 9.17.2 ![AppVersion: 2.4.7](https://img.shields.io/static/v1?label=AppVersion&message=2.4.7&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-03-10 + +* fix(keywords): removed by mistake + + +## 9.17.1 ![AppVersion: 2.4.7](https://img.shields.io/static/v1?label=AppVersion&message=2.4.7&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-03-10 + +* feat(healthchecksPort): Support for overriding the liveness/readiness probes port + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 56abb93..868a985 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -120,6 +120,8 @@ providers: + # After the volume has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg: + # additionalArguments: + # - "--providers.file.filename=/config/dynamic.toml" ++# - "--ping" ++# - "--ping.entrypoint=web" + volumes: [] + # - name: public-cert + # mountPath: "/certs" +@@ -225,6 +227,10 @@ ports: + # only. + # hostIP: 192.168.100.10 + ++ # Override the liveness/readiness port. This is useful to integrate traefik ++ # with an external Load Balancer that performs healthchecks. ++ # healthchecksPort: 9000 ++ + # Defines whether the port is exposed if service.type is LoadBalancer or + # NodePort. + # +``` + +## 9.16.2 ![AppVersion: 2.4.7](https://img.shields.io/static/v1?label=AppVersion&message=2.4.7&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-03-09 + +* Bump Traefik to 2.4.7 + + +## 9.16.1 ![AppVersion: 2.4.6](https://img.shields.io/static/v1?label=AppVersion&message=2.4.6&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-03-09 + +* Adding custom labels to deployment + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index ba24be7..56abb93 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -16,6 +16,8 @@ deployment: + replicas: 1 + # Additional deployment annotations (e.g. for jaeger-operator sidecar injection) + annotations: {} ++ # Additional deployment labels (e.g. for filtering deployment by custom labels) ++ labels: {} + # Additional pod annotations (e.g. for mesh injection or prometheus scraping) + podAnnotations: {} + # Additional Pod labels (e.g. for filtering Pod by custom labels) +``` + +## 9.15.2 ![AppVersion: 2.4.6](https://img.shields.io/static/v1?label=AppVersion&message=2.4.6&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-03-02 + +* Upgrade Traefik to 2.4.6 + + +## 9.15.1 ![AppVersion: 2.4.5](https://img.shields.io/static/v1?label=AppVersion&message=2.4.5&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-03-02 + +* Configurable PVC name + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 1e0e5a9..ba24be7 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -327,6 +327,7 @@ autoscaling: + # It will persist TLS certificates. + persistence: + enabled: false ++ name: data + # existingClaim: "" + accessMode: ReadWriteOnce + size: 128Mi +``` + +## 9.14.4 ![AppVersion: 2.4.5](https://img.shields.io/static/v1?label=AppVersion&message=2.4.5&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-03-02 + +* fix typo + + +## 9.14.3 ![AppVersion: 2.4.5](https://img.shields.io/static/v1?label=AppVersion&message=2.4.5&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-02-19 + +* Bump Traefik to 2.4.5 + + +## 9.14.2 ![AppVersion: 2.4.2](https://img.shields.io/static/v1?label=AppVersion&message=2.4.2&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-02-03 + +* docs: indent nit for dsdsocket example + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 56485ad..1e0e5a9 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -33,7 +33,7 @@ deployment: + additionalVolumes: [] + # - name: dsdsocket + # hostPath: +- # path: /var/run/statsd-exporter ++ # path: /var/run/statsd-exporter + # Additional initContainers (e.g. for setting file permission as shown below) + initContainers: [] + # The "volume-permissions" init container is required if you run into permission issues. +``` + +## 9.14.1 ![AppVersion: 2.4.2](https://img.shields.io/static/v1?label=AppVersion&message=2.4.2&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-02-03 + +* Update Traefik to 2.4.2 + + +## 9.14.0 ![AppVersion: 2.4.0](https://img.shields.io/static/v1?label=AppVersion&message=2.4.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-02-01 + +* Enable Kubernetes Gateway provider with an experimental flag + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 50cab94..56485ad 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -71,6 +71,13 @@ pilot: + experimental: + plugins: + enabled: false ++ kubernetesGateway: ++ enabled: false ++ appLabelSelector: "traefik" ++ certificates: [] ++ # - group: "core" ++ # kind: "Secret" ++ # name: "mysecret" + + # Create an IngressRoute for the dashboard + ingressRoute: +``` + +## 9.13.0 ![AppVersion: 2.4.0](https://img.shields.io/static/v1?label=AppVersion&message=2.4.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2021-01-22 + +* Update Traefik to 2.4 and add resources + + +## 9.12.3 ![AppVersion: 2.3.6](https://img.shields.io/static/v1?label=AppVersion&message=2.3.6&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-12-31 + +* Revert API Upgrade + + +## 9.12.2 ![AppVersion: 2.3.6](https://img.shields.io/static/v1?label=AppVersion&message=2.3.6&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-12-31 + +* Bump Traefik to 2.3.6 + + +## 9.12.1 ![AppVersion: 2.3.3](https://img.shields.io/static/v1?label=AppVersion&message=2.3.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-12-30 + +* Resolve #303, change CRD version from v1beta1 to v1 + + +## 9.12.0 ![AppVersion: 2.3.3](https://img.shields.io/static/v1?label=AppVersion&message=2.3.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-12-30 + +* Implement support for DaemonSet + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 60a721d..50cab94 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -10,7 +10,9 @@ image: + # + deployment: + enabled: true +- # Number of pods of the deployment ++ # Can be either Deployment or DaemonSet ++ kind: Deployment ++ # Number of pods of the deployment (only applies when kind == Deployment) + replicas: 1 + # Additional deployment annotations (e.g. for jaeger-operator sidecar injection) + annotations: {} +``` + +## 9.11.0 ![AppVersion: 2.3.3](https://img.shields.io/static/v1?label=AppVersion&message=2.3.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-11-20 + +* add podLabels - custom labels + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index a187df7..60a721d 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -16,6 +16,8 @@ deployment: + annotations: {} + # Additional pod annotations (e.g. for mesh injection or prometheus scraping) + podAnnotations: {} ++ # Additional Pod labels (e.g. for filtering Pod by custom labels) ++ podLabels: {} + # Additional containers (e.g. for metric offloading sidecars) + additionalContainers: [] + # https://docs.datadoghq.com/developers/dogstatsd/unix_socket/?tab=host +``` + +## 9.10.2 ![AppVersion: 2.3.3](https://img.shields.io/static/v1?label=AppVersion&message=2.3.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-11-20 + +* Bump Traefik to 2.3.3 + + +## 9.10.1 ![AppVersion: 2.3.1](https://img.shields.io/static/v1?label=AppVersion&message=2.3.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-11-04 + +* Specify IngressClass resource when checking for cluster capability + + +## 9.10.0 ![AppVersion: 2.3.1](https://img.shields.io/static/v1?label=AppVersion&message=2.3.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-11-03 + +* Add list of watched provider namespaces + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index e6b85ca..a187df7 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -88,8 +88,12 @@ rollingUpdate: + providers: + kubernetesCRD: + enabled: true ++ namespaces: [] ++ # - "default" + kubernetesIngress: + enabled: true ++ namespaces: [] ++ # - "default" + # IP used for Kubernetes Ingress endpoints + publishedService: + enabled: false +``` + +## 9.9.0 ![AppVersion: 2.3.1](https://img.shields.io/static/v1?label=AppVersion&message=2.3.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-11-03 + +* Add additionalVolumeMounts for traefik container + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 37dd151..e6b85ca 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -111,6 +111,12 @@ volumes: [] + # mountPath: "/config" + # type: configMap + ++# Additional volumeMounts to add to the Traefik container ++additionalVolumeMounts: [] ++ # For instance when using a logshipper for access logs ++ # - name: traefik-logs ++ # mountPath: /var/log/traefik ++ + # Logs + # https://docs.traefik.io/observability/logs/ + logs: +``` + +## 9.8.4 ![AppVersion: 2.3.1](https://img.shields.io/static/v1?label=AppVersion&message=2.3.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-11-03 + +* fix: multiple ImagePullSecrets + + +## 9.8.3 ![AppVersion: 2.3.1](https://img.shields.io/static/v1?label=AppVersion&message=2.3.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-10-30 + +* Add imagePullSecrets + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 87f60c0..37dd151 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -42,6 +42,9 @@ deployment: + # mountPath: /data + # Custom pod DNS policy. Apply if `hostNetwork: true` + # dnsPolicy: ClusterFirstWithHostNet ++ # Additional imagePullSecrets ++ imagePullSecrets: [] ++ # - name: myRegistryKeySecretName + + # Pod disruption budget + podDisruptionBudget: +``` + +## 9.8.2 ![AppVersion: 2.3.1](https://img.shields.io/static/v1?label=AppVersion&message=2.3.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-10-28 + +* Add chart repo to source + + +## 9.8.1 ![AppVersion: 2.3.1](https://img.shields.io/static/v1?label=AppVersion&message=2.3.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-10-23 + +* fix semver compare + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 4ca1f8f..87f60c0 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -1,7 +1,8 @@ + # Default values for Traefik + image: + name: traefik +- tag: 2.3.1 ++ # defaults to appVersion ++ tag: "" + pullPolicy: IfNotPresent + + # +``` + +## 9.8.0 ![AppVersion: 2.3.1](https://img.shields.io/static/v1?label=AppVersion&message=2.3.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-10-20 + +* feat: Enable entrypoint tls config + TLSOption + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index eee3622..4ca1f8f 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -231,6 +231,31 @@ ports: + # The port protocol (TCP/UDP) + protocol: TCP + # nodePort: 32443 ++ # Set TLS at the entrypoint ++ # https://doc.traefik.io/traefik/routing/entrypoints/#tls ++ tls: ++ enabled: false ++ # this is the name of a TLSOption definition ++ options: "" ++ certResolver: "" ++ domains: [] ++ # - main: example.com ++ # sans: ++ # - foo.example.com ++ # - bar.example.com ++ ++# TLS Options are created as TLSOption CRDs ++# https://doc.traefik.io/traefik/https/tls/#tls-options ++# Example: ++# tlsOptions: ++# default: ++# sniStrict: true ++# preferServerCipherSuites: true ++# foobar: ++# curvePreferences: ++# - CurveP521 ++# - CurveP384 ++tlsOptions: {} + + # Options for the main traefik service, where the entrypoints traffic comes + # from. +``` + +## 9.7.0 ![AppVersion: 2.3.1](https://img.shields.io/static/v1?label=AppVersion&message=2.3.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-10-15 + +* Add a configuration option for an emptyDir as plugin storage + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index b7153a1..eee3622 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -54,10 +54,16 @@ ingressClass: + enabled: false + isDefaultClass: false + ++# Activate Pilot integration + pilot: + enabled: false + token: "" + ++# Enable experimental features ++experimental: ++ plugins: ++ enabled: false ++ + # Create an IngressRoute for the dashboard + ingressRoute: + dashboard: +``` + +## 9.6.0 ![AppVersion: 2.3.1](https://img.shields.io/static/v1?label=AppVersion&message=2.3.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-10-15 + +* Add additional volumes for init and additional containers + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 9bac45e..b7153a1 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -17,6 +17,18 @@ deployment: + podAnnotations: {} + # Additional containers (e.g. for metric offloading sidecars) + additionalContainers: [] ++ # https://docs.datadoghq.com/developers/dogstatsd/unix_socket/?tab=host ++ # - name: socat-proxy ++ # image: alpine/socat:1.0.5 ++ # args: ["-s", "-u", "udp-recv:8125", "unix-sendto:/socket/socket"] ++ # volumeMounts: ++ # - name: dsdsocket ++ # mountPath: /socket ++ # Additional volumes available for use with initContainers and additionalContainers ++ additionalVolumes: [] ++ # - name: dsdsocket ++ # hostPath: ++ # path: /var/run/statsd-exporter + # Additional initContainers (e.g. for setting file permission as shown below) + initContainers: [] + # The "volume-permissions" init container is required if you run into permission issues. +``` + +## 9.5.2 ![AppVersion: 2.3.1](https://img.shields.io/static/v1?label=AppVersion&message=2.3.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-10-15 + +* Replace extensions with policy because of deprecation + + +## 9.5.1 ![AppVersion: 2.3.1](https://img.shields.io/static/v1?label=AppVersion&message=2.3.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-10-14 + +* Template custom volume name + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 5a8d8ea..9bac45e 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -76,7 +76,7 @@ providers: + # pathOverride: "" + + # +-# Add volumes to the traefik pod. ++# Add volumes to the traefik pod. The volume name will be passed to tpl. + # This can be used to mount a cert pair or a configmap that holds a config.toml file. + # After the volume has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg: + # additionalArguments: +@@ -85,7 +85,7 @@ volumes: [] + # - name: public-cert + # mountPath: "/certs" + # type: secret +-# - name: configs ++# - name: '{{ printf "%s-configs" .Release.Name }}' + # mountPath: "/config" + # type: configMap + +``` + +## 9.5.0 ![AppVersion: 2.3.1](https://img.shields.io/static/v1?label=AppVersion&message=2.3.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-10-02 + +* Create PodSecurityPolicy and RBAC when needed. + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 8c4d866..5a8d8ea 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -281,6 +281,10 @@ rbac: + # If set to true, installs namespace-specific Role and RoleBinding and requires provider configuration be set to that same namespace + namespaced: false + ++# Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBindin or ClusterRoleBinding ++podSecurityPolicy: ++ enabled: false ++ + # The service account the pods will use to interact with the Kubernetes API + serviceAccount: + # If set, an existing service account is used +``` + +## 9.4.3 ![AppVersion: 2.3.1](https://img.shields.io/static/v1?label=AppVersion&message=2.3.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-10-02 + +* Update traefik to v2.3.1 + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 3df75a4..8c4d866 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -1,7 +1,7 @@ + # Default values for Traefik + image: + name: traefik +- tag: 2.3.0 ++ tag: 2.3.1 + pullPolicy: IfNotPresent + + # +``` + +## 9.4.2 ![AppVersion: 2.3.0](https://img.shields.io/static/v1?label=AppVersion&message=2.3.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-10-02 + +* Add Artifact Hub repository metadata file + + +## 9.4.1 ![AppVersion: 2.3.0](https://img.shields.io/static/v1?label=AppVersion&message=2.3.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-10-01 + +* Fix broken chart icon url + + +## 9.4.0 ![AppVersion: 2.3.0](https://img.shields.io/static/v1?label=AppVersion&message=2.3.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-10-01 + +* Allow to specify custom labels on Service + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index a6175ff..3df75a4 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -221,6 +221,8 @@ service: + type: LoadBalancer + # Additional annotations (e.g. for cloud provider specific config) + annotations: {} ++ # Additional service labels (e.g. for filtering Service by custom labels) ++ labels: {} + # Additional entries here will be added to the service spec. Cannot contains + # type, selector or ports entries. + spec: {} +``` + +## 9.3.0 ![AppVersion: 2.3.0](https://img.shields.io/static/v1?label=AppVersion&message=2.3.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-09-24 + +* Release Traefik 2.3 + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index fba955d..a6175ff 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -1,7 +1,7 @@ + # Default values for Traefik + image: + name: traefik +- tag: 2.2.8 ++ tag: 2.3.0 + pullPolicy: IfNotPresent + + # +@@ -36,6 +36,16 @@ podDisruptionBudget: + # maxUnavailable: 1 + # minAvailable: 0 + ++# Use ingressClass. Ignored if Traefik version < 2.3 / kubernetes < 1.18.x ++ingressClass: ++ # true is not unit-testable yet, pending https://github.com/rancher/helm-unittest/pull/12 ++ enabled: false ++ isDefaultClass: false ++ ++pilot: ++ enabled: false ++ token: "" ++ + # Create an IngressRoute for the dashboard + ingressRoute: + dashboard: +``` + +## 9.2.1 ![AppVersion: 2.2.8](https://img.shields.io/static/v1?label=AppVersion&message=2.2.8&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-09-18 + +* Add new helm url + + +## 9.2.0 ![AppVersion: 2.2.8](https://img.shields.io/static/v1?label=AppVersion&message=2.2.8&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-09-16 + +* chore: move to new organization. + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 9f52c39..fba955d 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -20,7 +20,7 @@ deployment: + # Additional initContainers (e.g. for setting file permission as shown below) + initContainers: [] + # The "volume-permissions" init container is required if you run into permission issues. +- # Related issue: https://github.com/containous/traefik/issues/6972 ++ # Related issue: https://github.com/traefik/traefik/issues/6972 + # - name: volume-permissions + # image: busybox:1.31.1 + # command: ["sh", "-c", "chmod -Rv 600 /data/*"] +``` + +## 9.1.1 ![AppVersion: 2.2.8](https://img.shields.io/static/v1?label=AppVersion&message=2.2.8&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-09-04 + +* Update reference to using kubectl proxy to kubectl port-forward + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 7b74a39..9f52c39 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -175,7 +175,7 @@ ports: + # + # You SHOULD NOT expose the traefik port on production deployments. + # If you want to access it from outside of your cluster, +- # use `kubectl proxy` or create a secure ingress ++ # use `kubectl port-forward` or create a secure ingress + expose: false + # The exposed port for this service + exposedPort: 9000 +``` + +## 9.1.0 ![AppVersion: 2.2.8](https://img.shields.io/static/v1?label=AppVersion&message=2.2.8&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-08-24 + +* PublishedService option + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index e161a14..7b74a39 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -58,6 +58,12 @@ providers: + enabled: true + kubernetesIngress: + enabled: true ++ # IP used for Kubernetes Ingress endpoints ++ publishedService: ++ enabled: false ++ # Published Kubernetes Service to copy status from. Format: namespace/servicename ++ # By default this Traefik service ++ # pathOverride: "" + + # + # Add volumes to the traefik pod. +``` + +## 9.0.0 ![AppVersion: 2.2.8](https://img.shields.io/static/v1?label=AppVersion&message=2.2.8&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-08-21 + +* feat: Move Chart apiVersion: v2 + + +## 8.13.3 ![AppVersion: 2.2.8](https://img.shields.io/static/v1?label=AppVersion&message=2.2.8&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-08-21 + +* bug: Check for port config + + +## 8.13.2 ![AppVersion: 2.2.8](https://img.shields.io/static/v1?label=AppVersion&message=2.2.8&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-08-19 + +* Fix log level configuration + + +## 8.13.1 ![AppVersion: 2.2.8](https://img.shields.io/static/v1?label=AppVersion&message=2.2.8&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-08-18 + +* Dont redirect to websecure by default + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 67276f7..e161a14 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -188,7 +188,7 @@ ports: + # Port Redirections + # Added in 2.2, you can make permanent redirects via entrypoints. + # https://docs.traefik.io/routing/entrypoints/#redirection +- redirectTo: websecure ++ # redirectTo: websecure + websecure: + port: 8443 + # hostPort: 8443 +``` + +## 8.13.0 ![AppVersion: 2.2.8](https://img.shields.io/static/v1?label=AppVersion&message=2.2.8&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-08-18 + +* Add logging, and http redirect config + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 6f79580..67276f7 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -73,6 +73,48 @@ volumes: [] + # mountPath: "/config" + # type: configMap + ++# Logs ++# https://docs.traefik.io/observability/logs/ ++logs: ++ # Traefik logs concern everything that happens to Traefik itself (startup, configuration, events, shutdown, and so on). ++ general: ++ # By default, the logs use a text format (common), but you can ++ # also ask for the json format in the format option ++ # format: json ++ # By default, the level is set to ERROR. Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO. ++ level: ERROR ++ access: ++ # To enable access logs ++ enabled: false ++ # By default, logs are written using the Common Log Format (CLF). ++ # To write logs in JSON, use json in the format option. ++ # If the given format is unsupported, the default (CLF) is used instead. ++ # format: json ++ # To write the logs in an asynchronous fashion, specify a bufferingSize option. ++ # This option represents the number of log lines Traefik will keep in memory before writing ++ # them to the selected output. In some cases, this option can greatly help performances. ++ # bufferingSize: 100 ++ # Filtering https://docs.traefik.io/observability/access-logs/#filtering ++ filters: {} ++ # statuscodes: "200,300-302" ++ # retryattempts: true ++ # minduration: 10ms ++ # Fields ++ # https://docs.traefik.io/observability/access-logs/#limiting-the-fieldsincluding-headers ++ fields: ++ general: ++ defaultmode: keep ++ names: {} ++ # Examples: ++ # ClientUsername: drop ++ headers: ++ defaultmode: drop ++ names: {} ++ # Examples: ++ # User-Agent: redact ++ # Authorization: drop ++ # Content-Type: keep ++ + globalArguments: + - "--global.checknewversion" + - "--global.sendanonymoususage" +@@ -143,6 +185,10 @@ ports: + # Use nodeport if set. This is useful if you have configured Traefik in a + # LoadBalancer + # nodePort: 32080 ++ # Port Redirections ++ # Added in 2.2, you can make permanent redirects via entrypoints. ++ # https://docs.traefik.io/routing/entrypoints/#redirection ++ redirectTo: websecure + websecure: + port: 8443 + # hostPort: 8443 +``` + +## 8.12.0 ![AppVersion: 2.2.8](https://img.shields.io/static/v1?label=AppVersion&message=2.2.8&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-08-14 + +* Add image pull policy + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 10b3949..6f79580 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -2,6 +2,7 @@ + image: + name: traefik + tag: 2.2.8 ++ pullPolicy: IfNotPresent + + # + # Configure the deployment +``` + +## 8.11.0 ![AppVersion: 2.2.8](https://img.shields.io/static/v1?label=AppVersion&message=2.2.8&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-08-12 + +* Add dns policy option + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 80ddaaa..10b3949 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -26,6 +26,8 @@ deployment: + # volumeMounts: + # - name: data + # mountPath: /data ++ # Custom pod DNS policy. Apply if `hostNetwork: true` ++ # dnsPolicy: ClusterFirstWithHostNet + + # Pod disruption budget + podDisruptionBudget: +``` + +## 8.10.0 ![AppVersion: 2.2.8](https://img.shields.io/static/v1?label=AppVersion&message=2.2.8&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-08-11 + +* Add hostIp to port configuration + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 936ab92..80ddaaa 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -112,6 +112,12 @@ ports: + port: 9000 + # Use hostPort if set. + # hostPort: 9000 ++ # ++ # Use hostIP if set. If not set, Kubernetes will default to 0.0.0.0, which ++ # means it's listening on all your interfaces and all your IPs. You may want ++ # to set this value if you need traefik to listen on specific interface ++ # only. ++ # hostIP: 192.168.100.10 + + # Defines whether the port is exposed if service.type is LoadBalancer or + # NodePort. +``` + +## 8.9.2 ![AppVersion: 2.2.8](https://img.shields.io/static/v1?label=AppVersion&message=2.2.8&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-08-10 + +* Bump Traefik to 2.2.8 + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 42ee893..936ab92 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -1,7 +1,7 @@ + # Default values for Traefik + image: + name: traefik +- tag: 2.2.5 ++ tag: 2.2.8 + + # + # Configure the deployment +``` + +## 8.9.1 ![AppVersion: 2.2.5](https://img.shields.io/static/v1?label=AppVersion&message=2.2.5&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-07-15 + +* Upgrade traefik version + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index a7fb668..42ee893 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -1,7 +1,7 @@ + # Default values for Traefik + image: + name: traefik +- tag: 2.2.1 ++ tag: 2.2.5 + + # + # Configure the deployment +``` + +## 8.9.0 ![AppVersion: 2.2.1](https://img.shields.io/static/v1?label=AppVersion&message=2.2.1&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-07-08 + +* run init container to set proper permissions on volume + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 62e3a77..a7fb668 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -16,6 +16,16 @@ deployment: + podAnnotations: {} + # Additional containers (e.g. for metric offloading sidecars) + additionalContainers: [] ++ # Additional initContainers (e.g. for setting file permission as shown below) ++ initContainers: [] ++ # The "volume-permissions" init container is required if you run into permission issues. ++ # Related issue: https://github.com/containous/traefik/issues/6972 ++ # - name: volume-permissions ++ # image: busybox:1.31.1 ++ # command: ["sh", "-c", "chmod -Rv 600 /data/*"] ++ # volumeMounts: ++ # - name: data ++ # mountPath: /data + + # Pod disruption budget + podDisruptionBudget: +``` + +## 8.8.1 ![AppVersion: 2.2.1](https://img.shields.io/static/v1?label=AppVersion&message=2.2.1&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-07-02 + +* Additional container fix + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 85df29c..62e3a77 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -15,7 +15,7 @@ deployment: + # Additional pod annotations (e.g. for mesh injection or prometheus scraping) + podAnnotations: {} + # Additional containers (e.g. for metric offloading sidecars) +- additionalContainers: {} ++ additionalContainers: [] + + # Pod disruption budget + podDisruptionBudget: +``` + +## 8.8.0 ![AppVersion: 2.2.1](https://img.shields.io/static/v1?label=AppVersion&message=2.2.1&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-07-01 + +* added additionalContainers option to chart + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 6a9dfd8..85df29c 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -14,6 +14,8 @@ deployment: + annotations: {} + # Additional pod annotations (e.g. for mesh injection or prometheus scraping) + podAnnotations: {} ++ # Additional containers (e.g. for metric offloading sidecars) ++ additionalContainers: {} + + # Pod disruption budget + podDisruptionBudget: +``` + +## 8.7.2 ![AppVersion: 2.2.1](https://img.shields.io/static/v1?label=AppVersion&message=2.2.1&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-06-30 + +* Update image + + +## 8.7.1 ![AppVersion: 2.2.1](https://img.shields.io/static/v1?label=AppVersion&message=2.2.1&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-06-26 + +* Update values.yaml + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 05f9eab..6a9dfd8 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -196,7 +196,7 @@ rbac: + # If set to true, installs namespace-specific Role and RoleBinding and requires provider configuration be set to that same namespace + namespaced: false + +-# The service account the pods will use to interact with the Kubernates API ++# The service account the pods will use to interact with the Kubernetes API + serviceAccount: + # If set, an existing service account is used + # If not set, a service account is created automatically using the fullname template +``` + +## 8.7.0 ![AppVersion: 2.2.1](https://img.shields.io/static/v1?label=AppVersion&message=2.2.1&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-06-23 + +* Add option to disable providers + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 102ae00..05f9eab 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -34,6 +34,16 @@ rollingUpdate: + maxUnavailable: 1 + maxSurge: 1 + ++ ++# ++# Configure providers ++# ++providers: ++ kubernetesCRD: ++ enabled: true ++ kubernetesIngress: ++ enabled: true ++ + # + # Add volumes to the traefik pod. + # This can be used to mount a cert pair or a configmap that holds a config.toml file. +``` + +## 8.6.1 ![AppVersion: 2.2.1](https://img.shields.io/static/v1?label=AppVersion&message=2.2.1&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-06-18 + +* Fix read-only /tmp + + +## 8.6.0 ![AppVersion: 2.2.1](https://img.shields.io/static/v1?label=AppVersion&message=2.2.1&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-06-17 + +* Add existing PVC support(#158) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index b2f4fc3..102ae00 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -164,6 +164,7 @@ autoscaling: + # It will persist TLS certificates. + persistence: + enabled: false ++# existingClaim: "" + accessMode: ReadWriteOnce + size: 128Mi + # storageClass: "" +``` + +## 8.5.0 ![AppVersion: 2.2.1](https://img.shields.io/static/v1?label=AppVersion&message=2.2.1&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-06-16 + +* UDP support + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 9a9b668..b2f4fc3 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -100,11 +100,15 @@ ports: + expose: false + # The exposed port for this service + exposedPort: 9000 ++ # The port protocol (TCP/UDP) ++ protocol: TCP + web: + port: 8000 + # hostPort: 8000 + expose: true + exposedPort: 80 ++ # The port protocol (TCP/UDP) ++ protocol: TCP + # Use nodeport if set. This is useful if you have configured Traefik in a + # LoadBalancer + # nodePort: 32080 +@@ -113,6 +117,8 @@ ports: + # hostPort: 8443 + expose: true + exposedPort: 443 ++ # The port protocol (TCP/UDP) ++ protocol: TCP + # nodePort: 32443 + + # Options for the main traefik service, where the entrypoints traffic comes +``` + +## 8.4.1 ![AppVersion: 2.2.1](https://img.shields.io/static/v1?label=AppVersion&message=2.2.1&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-06-10 + +* Fix PDB with minAvailable set + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index e812b98..9a9b668 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -18,7 +18,7 @@ deployment: + # Pod disruption budget + podDisruptionBudget: + enabled: false +- maxUnavailable: 1 ++ # maxUnavailable: 1 + # minAvailable: 0 + + # Create an IngressRoute for the dashboard +``` + +## 8.4.0 ![AppVersion: 2.2.1](https://img.shields.io/static/v1?label=AppVersion&message=2.2.1&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-06-09 + +* Add pod disruption budget (#192) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 5f44e5c..e812b98 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -15,6 +15,12 @@ deployment: + # Additional pod annotations (e.g. for mesh injection or prometheus scraping) + podAnnotations: {} + ++# Pod disruption budget ++podDisruptionBudget: ++ enabled: false ++ maxUnavailable: 1 ++ # minAvailable: 0 ++ + # Create an IngressRoute for the dashboard + ingressRoute: + dashboard: +``` + +## 8.3.0 ![AppVersion: 2.2.1](https://img.shields.io/static/v1?label=AppVersion&message=2.2.1&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-06-08 + +* Add option to disable RBAC and ServiceAccount + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 96bba18..5f44e5c 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -165,6 +165,20 @@ persistence: + # affinity is left as default. + hostNetwork: false + ++# Whether Role Based Access Control objects like roles and rolebindings should be created ++rbac: ++ enabled: true ++ ++ # If set to false, installs ClusterRole and ClusterRoleBinding so Traefik can be used across namespaces. ++ # If set to true, installs namespace-specific Role and RoleBinding and requires provider configuration be set to that same namespace ++ namespaced: false ++ ++# The service account the pods will use to interact with the Kubernates API ++serviceAccount: ++ # If set, an existing service account is used ++ # If not set, a service account is created automatically using the fullname template ++ name: "" ++ + # Additional serviceAccount annotations (e.g. for oidc authentication) + serviceAccountAnnotations: {} + +``` + +## 8.2.1 ![AppVersion: 2.2.1](https://img.shields.io/static/v1?label=AppVersion&message=2.2.1&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-05-25 + +* Remove suggested providers.kubernetesingress value + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index e35bdf9..96bba18 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -50,9 +50,9 @@ globalArguments: + # Configure Traefik static configuration + # Additional arguments to be passed at Traefik's binary + # All available options available on https://docs.traefik.io/reference/static-configuration/cli/ +-## Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress,--log.level=DEBUG}"` ++## Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"` + additionalArguments: [] +-# - "--providers.kubernetesingress" ++# - "--providers.kubernetesingress.ingressclass=traefik-internal" + # - "--log.level=DEBUG" + + # Environment variables to be passed to Traefik's binary +``` + +## 8.2.0 ![AppVersion: 2.2.1](https://img.shields.io/static/v1?label=AppVersion&message=2.2.1&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-05-18 + +* Add kubernetes ingress by default + + +## 8.1.5 ![AppVersion: 2.2.1](https://img.shields.io/static/v1?label=AppVersion&message=2.2.1&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-05-18 + +* Fix example log params in values.yml + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index abe2334..e35bdf9 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -50,10 +50,10 @@ globalArguments: + # Configure Traefik static configuration + # Additional arguments to be passed at Traefik's binary + # All available options available on https://docs.traefik.io/reference/static-configuration/cli/ +-## Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress,--logs.level=DEBUG}"` ++## Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress,--log.level=DEBUG}"` + additionalArguments: [] + # - "--providers.kubernetesingress" +-# - "--logs.level=DEBUG" ++# - "--log.level=DEBUG" + + # Environment variables to be passed to Traefik's binary + env: [] +``` + +## 8.1.4 ![AppVersion: 2.2.1](https://img.shields.io/static/v1?label=AppVersion&message=2.2.1&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-04-30 + +* Update Traefik to v2.2.1 + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 57cc7e1..abe2334 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -1,7 +1,7 @@ + # Default values for Traefik + image: + name: traefik +- tag: 2.2.0 ++ tag: 2.2.1 + + # + # Configure the deployment +``` + +## 8.1.3 ![AppVersion: 2.2.0](https://img.shields.io/static/v1?label=AppVersion&message=2.2.0&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-04-29 + +* Clarify additionnal arguments log + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index d639f72..57cc7e1 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -50,9 +50,10 @@ globalArguments: + # Configure Traefik static configuration + # Additional arguments to be passed at Traefik's binary + # All available options available on https://docs.traefik.io/reference/static-configuration/cli/ +-## Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress,--global.checknewversion=true}"` ++## Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress,--logs.level=DEBUG}"` + additionalArguments: [] + # - "--providers.kubernetesingress" ++# - "--logs.level=DEBUG" + + # Environment variables to be passed to Traefik's binary + env: [] +``` + +## 8.1.2 ![AppVersion: 2.2.0](https://img.shields.io/static/v1?label=AppVersion&message=2.2.0&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-04-23 + +* Remove invalid flags. (#161) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 0e7aaef..d639f72 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -34,8 +34,6 @@ rollingUpdate: + # After the volume has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg: + # additionalArguments: + # - "--providers.file.filename=/config/dynamic.toml" +-# - "--tls.certificates.certFile=/certs/tls.crt" +-# - "--tls.certificates.keyFile=/certs/tls.key" + volumes: [] + # - name: public-cert + # mountPath: "/certs" +``` + +## 8.1.1 ![AppVersion: 2.2.0](https://img.shields.io/static/v1?label=AppVersion&message=2.2.0&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-04-23 + +* clarify project philosophy and guidelines + + +## 8.1.0 ![AppVersion: 2.2.0](https://img.shields.io/static/v1?label=AppVersion&message=2.2.0&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-04-22 + +* Add priorityClassName & securityContext + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index d55a40a..0e7aaef 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -191,3 +191,20 @@ affinity: {} + # topologyKey: failure-domain.beta.kubernetes.io/zone + nodeSelector: {} + tolerations: [] ++ ++# Pods can have priority. ++# Priority indicates the importance of a Pod relative to other Pods. ++priorityClassName: "" ++ ++# Set the container security context ++# To run the container with ports below 1024 this will need to be adjust to run as root ++securityContext: ++ capabilities: ++ drop: [ALL] ++ readOnlyRootFilesystem: true ++ runAsGroup: 65532 ++ runAsNonRoot: true ++ runAsUser: 65532 ++ ++podSecurityContext: ++ fsGroup: 65532 +``` + +## 8.0.4 ![AppVersion: 2.2.0](https://img.shields.io/static/v1?label=AppVersion&message=2.2.0&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-04-20 + +* Possibility to bind environment variables via envFrom + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 7f8092e..d55a40a 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -71,6 +71,12 @@ env: [] + # name: secret-name + # key: secret-key + ++envFrom: [] ++# - configMapRef: ++# name: config-map-name ++# - secretRef: ++# name: secret-name ++ + # Configure ports + ports: + # The name of this one can't be changed as it is used for the readiness and +``` + +## 8.0.3 ![AppVersion: 2.2.0](https://img.shields.io/static/v1?label=AppVersion&message=2.2.0&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-04-15 + +* Add support for data volume subPath. (#147) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 152339b..7f8092e 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -152,6 +152,7 @@ persistence: + # storageClass: "" + path: /data + annotations: {} ++ # subPath: "" # only mount a subpath of the Volume into the pod + + # If hostNetwork is true, runs traefik in the host network namespace + # To prevent unschedulabel pods due to port collisions, if hostNetwork=true +``` + +## 8.0.2 ![AppVersion: 2.2.0](https://img.shields.io/static/v1?label=AppVersion&message=2.2.0&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-04-10 + +* Ability to add custom labels to dashboard's IngressRoute + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 5d294b7..152339b 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -21,6 +21,8 @@ ingressRoute: + enabled: true + # Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class) + annotations: {} ++ # Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels) ++ labels: {} + + rollingUpdate: + maxUnavailable: 1 +``` + +## 8.0.1 ![AppVersion: 2.2.0](https://img.shields.io/static/v1?label=AppVersion&message=2.2.0&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-04-10 + +* rbac does not need "pods" per documentation + + +## 8.0.0 ![AppVersion: 2.2.0](https://img.shields.io/static/v1?label=AppVersion&message=2.2.0&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-04-07 + +* follow helm best practices + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index e61a9fd..5d294b7 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -10,7 +10,7 @@ deployment: + enabled: true + # Number of pods of the deployment + replicas: 1 +- # Addtional deployment annotations (e.g. for jaeger-operator sidecar injection) ++ # Additional deployment annotations (e.g. for jaeger-operator sidecar injection) + annotations: {} + # Additional pod annotations (e.g. for mesh injection or prometheus scraping) + podAnnotations: {} +@@ -19,7 +19,7 @@ deployment: + ingressRoute: + dashboard: + enabled: true +- # Addtional ingressRoute annotations (e.g. for kubernetes.io/ingress.class) ++ # Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class) + annotations: {} + + rollingUpdate: +``` + +## 7.2.1 ![AppVersion: 2.2.0](https://img.shields.io/static/v1?label=AppVersion&message=2.2.0&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-04-07 + +* add annotations to ingressRoute + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 15d1c25..e61a9fd 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -19,6 +19,8 @@ deployment: + ingressRoute: + dashboard: + enabled: true ++ # Addtional ingressRoute annotations (e.g. for kubernetes.io/ingress.class) ++ annotations: {} + + rollingUpdate: + maxUnavailable: 1 +``` + +## 7.2.0 ![AppVersion: 2.2.0](https://img.shields.io/static/v1?label=AppVersion&message=2.2.0&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-04-03 + +* Add support for helm 2 + + +## 7.1.0 ![AppVersion: 2.2.0](https://img.shields.io/static/v1?label=AppVersion&message=2.2.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-31 + +* Add support for externalIPs + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 6d6d13f..15d1c25 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -116,6 +116,8 @@ service: + loadBalancerSourceRanges: [] + # - 192.168.0.1/32 + # - 172.16.0.0/16 ++ externalIPs: [] ++ # - 1.2.3.4 + + ## Create HorizontalPodAutoscaler object. + ## +``` + +## 7.0.0 ![AppVersion: 2.2.0](https://img.shields.io/static/v1?label=AppVersion&message=2.2.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-27 + +* Remove secretsEnv value key + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 1ac720d..6d6d13f 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -52,18 +52,20 @@ globalArguments: + additionalArguments: [] + # - "--providers.kubernetesingress" + +-# Secret to be set as environment variables to be passed to Traefik's binary +-secretEnv: [] +- # - name: SOME_VAR +- # secretName: my-secret-name +- # secretKey: my-secret-key +- + # Environment variables to be passed to Traefik's binary + env: [] +- # - name: SOME_VAR +- # value: some-var-value +- # - name: SOME_OTHER_VAR +- # value: some-other-var-value ++# - name: SOME_VAR ++# value: some-var-value ++# - name: SOME_VAR_FROM_CONFIG_MAP ++# valueFrom: ++# configMapRef: ++# name: configmap-name ++# key: config-key ++# - name: SOME_SECRET ++# valueFrom: ++# secretKeyRef: ++# name: secret-name ++# key: secret-key + + # Configure ports + ports: +``` + +## 6.4.0 ![AppVersion: 2.2.0](https://img.shields.io/static/v1?label=AppVersion&message=2.2.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-27 + +* Add ability to set serviceAccount annotations + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 85abe42..1ac720d 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -151,6 +151,9 @@ persistence: + # affinity is left as default. + hostNetwork: false + ++# Additional serviceAccount annotations (e.g. for oidc authentication) ++serviceAccountAnnotations: {} ++ + resources: {} + # requests: + # cpu: "100m" +``` + +## 6.3.0 ![AppVersion: 2.2.0](https://img.shields.io/static/v1?label=AppVersion&message=2.2.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-27 + +* hpa + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 2f5d132..85abe42 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -115,6 +115,22 @@ service: + # - 192.168.0.1/32 + # - 172.16.0.0/16 + ++## Create HorizontalPodAutoscaler object. ++## ++autoscaling: ++ enabled: false ++# minReplicas: 1 ++# maxReplicas: 10 ++# metrics: ++# - type: Resource ++# resource: ++# name: cpu ++# targetAverageUtilization: 60 ++# - type: Resource ++# resource: ++# name: memory ++# targetAverageUtilization: 60 ++ + # Enable persistence using Persistent Volume Claims + # ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + # After the pvc has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg: +``` + +## 6.2.0 ![AppVersion: 2.2.0](https://img.shields.io/static/v1?label=AppVersion&message=2.2.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-26 + +* Update to v2.2 (#96) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index ebd2fde..2f5d132 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -1,7 +1,7 @@ + # Default values for Traefik + image: + name: traefik +- tag: 2.1.8 ++ tag: 2.2.0 + + # + # Configure the deployment +``` + +## 6.1.2 ![AppVersion: 2.1.8](https://img.shields.io/static/v1?label=AppVersion&message=2.1.8&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-20 + +* Upgrade traefik version + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 65c7665..ebd2fde 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -1,7 +1,7 @@ + # Default values for Traefik + image: + name: traefik +- tag: 2.1.4 ++ tag: 2.1.8 + + # + # Configure the deployment +``` + +## 6.1.1 ![AppVersion: 2.1.4](https://img.shields.io/static/v1?label=AppVersion&message=2.1.4&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-20 + +* Upgrade traefik version + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 89c7ac1..65c7665 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -1,7 +1,7 @@ + # Default values for Traefik + image: + name: traefik +- tag: 2.1.3 ++ tag: 2.1.4 + + # + # Configure the deployment +``` + +## 6.1.0 ![AppVersion: 2.1.3](https://img.shields.io/static/v1?label=AppVersion&message=2.1.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-20 + +* Add ability to add annotations to deployment + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 8d66111..89c7ac1 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -10,6 +10,8 @@ deployment: + enabled: true + # Number of pods of the deployment + replicas: 1 ++ # Addtional deployment annotations (e.g. for jaeger-operator sidecar injection) ++ annotations: {} + # Additional pod annotations (e.g. for mesh injection or prometheus scraping) + podAnnotations: {} + +``` + +## 6.0.2 ![AppVersion: 2.1.3](https://img.shields.io/static/v1?label=AppVersion&message=2.1.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-16 + +* Correct storage class key name + + +## 6.0.1 ![AppVersion: 2.1.3](https://img.shields.io/static/v1?label=AppVersion&message=2.1.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-16 + +* Change default values of arrays from objects to actual arrays + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 490b2b6..8d66111 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -51,13 +51,13 @@ additionalArguments: [] + # - "--providers.kubernetesingress" + + # Secret to be set as environment variables to be passed to Traefik's binary +-secretEnv: {} ++secretEnv: [] + # - name: SOME_VAR + # secretName: my-secret-name + # secretKey: my-secret-key + + # Environment variables to be passed to Traefik's binary +-env: {} ++env: [] + # - name: SOME_VAR + # value: some-var-value + # - name: SOME_OTHER_VAR +@@ -109,7 +109,7 @@ service: + # externalTrafficPolicy: Cluster + # loadBalancerIP: "1.2.3.4" + # clusterIP: "2.3.4.5" +- loadBalancerSourceRanges: {} ++ loadBalancerSourceRanges: [] + # - 192.168.0.1/32 + # - 172.16.0.0/16 + +``` + +## 6.0.0 ![AppVersion: 2.1.3](https://img.shields.io/static/v1?label=AppVersion&message=2.1.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-15 + +* Cleanup + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 7aebefe..490b2b6 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -18,15 +18,10 @@ ingressRoute: + dashboard: + enabled: true + +-additional: +- checkNewVersion: true +- sendAnonymousUsage: true +- + rollingUpdate: + maxUnavailable: 1 + maxSurge: 1 + +- + # + # Add volumes to the traefik pod. + # This can be used to mount a cert pair or a configmap that holds a config.toml file. +@@ -43,9 +38,14 @@ volumes: [] + # mountPath: "/config" + # type: configMap + ++globalArguments: ++ - "--global.checknewversion" ++ - "--global.sendanonymoususage" ++ + # +-# Configure Traefik entry points ++# Configure Traefik static configuration + # Additional arguments to be passed at Traefik's binary ++# All available options available on https://docs.traefik.io/reference/static-configuration/cli/ + ## Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress,--global.checknewversion=true}"` + additionalArguments: [] + # - "--providers.kubernetesingress" +@@ -63,7 +63,7 @@ env: {} + # - name: SOME_OTHER_VAR + # value: some-other-var-value + +-# ++# Configure ports + ports: + # The name of this one can't be changed as it is used for the readiness and + # liveness probes, but you can adjust its config to your liking +@@ -94,7 +94,7 @@ ports: + # hostPort: 8443 + expose: true + exposedPort: 443 +- # nodePort: 32443 ++ # nodePort: 32443 + + # Options for the main traefik service, where the entrypoints traffic comes + # from. +@@ -113,9 +113,6 @@ service: + # - 192.168.0.1/32 + # - 172.16.0.0/16 + +-logs: +- loglevel: WARN +- + # Enable persistence using Persistent Volume Claims + # ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + # After the pvc has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg: +``` + +## 5.6.0 ![AppVersion: 2.1.3](https://img.shields.io/static/v1?label=AppVersion&message=2.1.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-12 + +* Add field enabled for resources + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 38bb263..7aebefe 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -7,11 +7,17 @@ image: + # Configure the deployment + # + deployment: ++ enabled: true + # Number of pods of the deployment + replicas: 1 + # Additional pod annotations (e.g. for mesh injection or prometheus scraping) + podAnnotations: {} + ++# Create an IngressRoute for the dashboard ++ingressRoute: ++ dashboard: ++ enabled: true ++ + additional: + checkNewVersion: true + sendAnonymousUsage: true +@@ -93,6 +99,7 @@ ports: + # Options for the main traefik service, where the entrypoints traffic comes + # from. + service: ++ enabled: true + type: LoadBalancer + # Additional annotations (e.g. for cloud provider specific config) + annotations: {} +``` + +## 5.5.0 ![AppVersion: 2.1.3](https://img.shields.io/static/v1?label=AppVersion&message=2.1.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-12 + +* expose hostnetwork option + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index ecb2833..38bb263 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -123,6 +123,12 @@ persistence: + path: /data + annotations: {} + ++# If hostNetwork is true, runs traefik in the host network namespace ++# To prevent unschedulabel pods due to port collisions, if hostNetwork=true ++# and replicas>1, a pod anti-affinity is recommended and will be set if the ++# affinity is left as default. ++hostNetwork: false ++ + resources: {} + # requests: + # cpu: "100m" +@@ -131,5 +137,17 @@ resources: {} + # cpu: "300m" + # memory: "150Mi" + affinity: {} ++# # This example pod anti-affinity forces the scheduler to put traefik pods ++# # on nodes where no other traefik pods are scheduled. ++# # It should be used when hostNetwork: true to prevent port conflicts ++# podAntiAffinity: ++# requiredDuringSchedulingIgnoredDuringExecution: ++# - labelSelector: ++# matchExpressions: ++# - key: app ++# operator: In ++# values: ++# - {{ template "traefik.name" . }} ++# topologyKey: failure-domain.beta.kubernetes.io/zone + nodeSelector: {} + tolerations: [] +``` + +## 5.4.0 ![AppVersion: 2.1.3](https://img.shields.io/static/v1?label=AppVersion&message=2.1.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-12 + +* Add support for hostport + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index ec1d619..ecb2833 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -63,6 +63,9 @@ ports: + # liveness probes, but you can adjust its config to your liking + traefik: + port: 9000 ++ # Use hostPort if set. ++ # hostPort: 9000 ++ + # Defines whether the port is exposed if service.type is LoadBalancer or + # NodePort. + # +@@ -74,6 +77,7 @@ ports: + exposedPort: 9000 + web: + port: 8000 ++ # hostPort: 8000 + expose: true + exposedPort: 80 + # Use nodeport if set. This is useful if you have configured Traefik in a +@@ -81,6 +85,7 @@ ports: + # nodePort: 32080 + websecure: + port: 8443 ++ # hostPort: 8443 + expose: true + exposedPort: 443 + # nodePort: 32443 +``` + +## 5.3.3 ![AppVersion: 2.1.3](https://img.shields.io/static/v1?label=AppVersion&message=2.1.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-12 + +* Fix replica check + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 7f31548..ec1d619 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -40,7 +40,7 @@ volumes: [] + # + # Configure Traefik entry points + # Additional arguments to be passed at Traefik's binary +-## Use curly braces to pass values: `helm install --set="{--providers.kubernetesingress,--global.checknewversion=true}" ." ++## Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress,--global.checknewversion=true}"` + additionalArguments: [] + # - "--providers.kubernetesingress" + +``` + +## 5.3.2 ![AppVersion: 2.1.3](https://img.shields.io/static/v1?label=AppVersion&message=2.1.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-11 + +* Fixed typo in README + + +## 5.3.1 ![AppVersion: 2.1.3](https://img.shields.io/static/v1?label=AppVersion&message=2.1.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-11 + +* Production ready + + +## 5.3.0 ![AppVersion: 2.1.3](https://img.shields.io/static/v1?label=AppVersion&message=2.1.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-11 + +* Not authorise acme if replica > 1 + + +## 5.2.1 ![AppVersion: 2.1.3](https://img.shields.io/static/v1?label=AppVersion&message=2.1.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-11 + +* Fix volume mount + + +## 5.2.0 ![AppVersion: 2.1.3](https://img.shields.io/static/v1?label=AppVersion&message=2.1.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-11 + +* Add secret as env var + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index ccea845..7f31548 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -44,12 +44,18 @@ volumes: [] + additionalArguments: [] + # - "--providers.kubernetesingress" + ++# Secret to be set as environment variables to be passed to Traefik's binary ++secretEnv: {} ++ # - name: SOME_VAR ++ # secretName: my-secret-name ++ # secretKey: my-secret-key ++ + # Environment variables to be passed to Traefik's binary + env: {} +-# - name: SOME_VAR +-# value: some-var-value +-# - name: SOME_OTHER_VAR +-# value: some-other-var-value ++ # - name: SOME_VAR ++ # value: some-var-value ++ # - name: SOME_OTHER_VAR ++ # value: some-other-var-value + + # + ports: +``` + +## 5.1.0 ![AppVersion: 2.1.3](https://img.shields.io/static/v1?label=AppVersion&message=2.1.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-10 + +* Enhance security by add loadBalancerSourceRanges to lockdown ip address. + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 78bbee0..ccea845 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -91,6 +91,9 @@ service: + # externalTrafficPolicy: Cluster + # loadBalancerIP: "1.2.3.4" + # clusterIP: "2.3.4.5" ++ loadBalancerSourceRanges: {} ++ # - 192.168.0.1/32 ++ # - 172.16.0.0/16 + + logs: + loglevel: WARN +``` + +## 5.0.0 ![AppVersion: 2.1.3](https://img.shields.io/static/v1?label=AppVersion&message=2.1.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-10 + +* Expose dashboard by default but only on traefik entrypoint + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index a442fca..78bbee0 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -92,15 +92,6 @@ service: + # loadBalancerIP: "1.2.3.4" + # clusterIP: "2.3.4.5" + +-dashboard: +- # Enable the dashboard on Traefik +- enable: true +- +- # Expose the dashboard and api through an ingress route at /dashboard +- # and /api This is not secure and SHOULD NOT be enabled on production +- # deployments +- ingressRoute: false +- + logs: + loglevel: WARN + +``` + +## 4.1.3 ![AppVersion: 2.1.3](https://img.shields.io/static/v1?label=AppVersion&message=2.1.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-10 + +* Add annotations for PVC (#98) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 8b2f4db..a442fca 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -116,6 +116,7 @@ persistence: + size: 128Mi + # storageClass: "" + path: /data ++ annotations: {} + + resources: {} + # requests: +``` + +## 4.1.2 ![AppVersion: 2.1.3](https://img.shields.io/static/v1?label=AppVersion&message=2.1.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-10 + +* Added persistent volume support. (#86) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 2a2554f..8b2f4db 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -103,7 +103,20 @@ dashboard: + + logs: + loglevel: WARN +-# ++ ++# Enable persistence using Persistent Volume Claims ++# ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ ++# After the pvc has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg: ++# additionalArguments: ++# - "--certificatesresolvers.le.acme.storage=/data/acme.json" ++# It will persist TLS certificates. ++persistence: ++ enabled: false ++ accessMode: ReadWriteOnce ++ size: 128Mi ++ # storageClass: "" ++ path: /data ++ + resources: {} + # requests: + # cpu: "100m" +``` + +## 4.1.1 ![AppVersion: 2.1.3](https://img.shields.io/static/v1?label=AppVersion&message=2.1.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-10 + +* Add values to mount secrets or configmaps as volumes to the traefik pod (#84) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 5401832..2a2554f 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -20,6 +20,23 @@ rollingUpdate: + maxUnavailable: 1 + maxSurge: 1 + ++ ++# ++# Add volumes to the traefik pod. ++# This can be used to mount a cert pair or a configmap that holds a config.toml file. ++# After the volume has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg: ++# additionalArguments: ++# - "--providers.file.filename=/config/dynamic.toml" ++# - "--tls.certificates.certFile=/certs/tls.crt" ++# - "--tls.certificates.keyFile=/certs/tls.key" ++volumes: [] ++# - name: public-cert ++# mountPath: "/certs" ++# type: secret ++# - name: configs ++# mountPath: "/config" ++# type: configMap ++ + # + # Configure Traefik entry points + # Additional arguments to be passed at Traefik's binary +``` + +## 4.1.0 ![AppVersion: 2.1.3](https://img.shields.io/static/v1?label=AppVersion&message=2.1.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-10 + +* Add podAnnotations to the deployment (#83) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 5eab74b..5401832 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -9,6 +9,8 @@ image: + deployment: + # Number of pods of the deployment + replicas: 1 ++ # Additional pod annotations (e.g. for mesh injection or prometheus scraping) ++ podAnnotations: {} + + additional: + checkNewVersion: true +``` + +## 4.0.0 ![AppVersion: 2.1.3](https://img.shields.io/static/v1?label=AppVersion&message=2.1.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-03-06 + +* Migrate to helm v3 (#94) + + +## 3.5.0 ![AppVersion: 2.1.3](https://img.shields.io/static/v1?label=AppVersion&message=2.1.3&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-02-18 + +* Publish helm chart (#81) + + +## 3.4.0 ![AppVersion: 2.1.3](https://img.shields.io/static/v1?label=AppVersion&message=2.1.3&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-02-13 + +* fix: tests. +* feat: bump traefik to v2.1.3 +* Enable configuration of global checknewversion and sendanonymoususage (#80) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index bcc42f8..5eab74b 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -1,7 +1,7 @@ + # Default values for Traefik + image: + name: traefik +- tag: 2.1.1 ++ tag: 2.1.3 + + # + # Configure the deployment +@@ -10,6 +10,10 @@ deployment: + # Number of pods of the deployment + replicas: 1 + ++additional: ++ checkNewVersion: true ++ sendAnonymousUsage: true ++ + rollingUpdate: + maxUnavailable: 1 + maxSurge: 1 +``` + +## 3.3.3 ![AppVersion: 2.1.1](https://img.shields.io/static/v1?label=AppVersion&message=2.1.1&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-02-05 + +* fix: deployment environment variables. +* fix: chart version. + + +## 3.3.2 ![AppVersion: 2.1.1](https://img.shields.io/static/v1?label=AppVersion&message=2.1.1&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-02-03 + +* ix: deployment environment variables. + + +## 3.3.1 ![AppVersion: 2.1.1](https://img.shields.io/static/v1?label=AppVersion&message=2.1.1&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-01-27 + +* fix: deployment environment variables. + + +## 3.3.0 ![AppVersion: 2.1.1](https://img.shields.io/static/v1?label=AppVersion&message=2.1.1&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-01-24 + +* Enable configuration of environment variables in traefik deployment (#71) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 4462359..bcc42f8 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -21,6 +21,13 @@ rollingUpdate: + additionalArguments: [] + # - "--providers.kubernetesingress" + ++# Environment variables to be passed to Traefik's binary ++env: {} ++# - name: SOME_VAR ++# value: some-var-value ++# - name: SOME_OTHER_VAR ++# value: some-other-var-value ++ + # + ports: + # The name of this one can't be changed as it is used for the readiness and +``` + +## 3.2.1 ![AppVersion: 2.1.1](https://img.shields.io/static/v1?label=AppVersion&message=2.1.1&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-01-22 + +* Add Unit Tests for the chart (#60) + + +## 3.2.0 ![AppVersion: 2.1.1](https://img.shields.io/static/v1?label=AppVersion&message=2.1.1&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-01-22 + +* Make NodePort configurable (#67) + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index b1fe42a..4462359 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -40,10 +40,14 @@ ports: + port: 8000 + expose: true + exposedPort: 80 ++ # Use nodeport if set. This is useful if you have configured Traefik in a ++ # LoadBalancer ++ # nodePort: 32080 + websecure: + port: 8443 + expose: true + exposedPort: 443 ++ # nodePort: 32443 + + # Options for the main traefik service, where the entrypoints traffic comes + # from. +``` + +## 3.1.0 ![AppVersion: 2.1.1](https://img.shields.io/static/v1?label=AppVersion&message=2.1.1&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2020-01-20 + +* Switch Chart linting to ct (#59) + +### Default value changes + +```diff +# Default values for Traefik +image: + name: traefik + tag: 2.1.1 + +# +# Configure the deployment +# +deployment: + # Number of pods of the deployment + replicas: 1 + +rollingUpdate: + maxUnavailable: 1 + maxSurge: 1 + +# +# Configure Traefik entry points +# Additional arguments to be passed at Traefik's binary +## Use curly braces to pass values: `helm install --set="{--providers.kubernetesingress,--global.checknewversion=true}" ." +additionalArguments: [] +# - "--providers.kubernetesingress" + +# +ports: + # The name of this one can't be changed as it is used for the readiness and + # liveness probes, but you can adjust its config to your liking + traefik: + port: 9000 + # Defines whether the port is exposed if service.type is LoadBalancer or + # NodePort. + # + # You SHOULD NOT expose the traefik port on production deployments. + # If you want to access it from outside of your cluster, + # use `kubectl proxy` or create a secure ingress + expose: false + # The exposed port for this service + exposedPort: 9000 + web: + port: 8000 + expose: true + exposedPort: 80 + websecure: + port: 8443 + expose: true + exposedPort: 443 + +# Options for the main traefik service, where the entrypoints traffic comes +# from. +service: + type: LoadBalancer + # Additional annotations (e.g. for cloud provider specific config) + annotations: {} + # Additional entries here will be added to the service spec. Cannot contains + # type, selector or ports entries. + spec: {} + # externalTrafficPolicy: Cluster + # loadBalancerIP: "1.2.3.4" + # clusterIP: "2.3.4.5" + +dashboard: + # Enable the dashboard on Traefik + enable: true + + # Expose the dashboard and api through an ingress route at /dashboard + # and /api This is not secure and SHOULD NOT be enabled on production + # deployments + ingressRoute: false + +logs: + loglevel: WARN +# +resources: {} + # requests: + # cpu: "100m" + # memory: "50Mi" + # limits: + # cpu: "300m" + # memory: "150Mi" +affinity: {} +nodeSelector: {} +tolerations: [] +``` + +--- +Autogenerated from Helm Chart and git history using [helm-changelog](https://github.com/mogensen/helm-changelog) diff --git a/charts/traefik/traefik/32.0.0/Chart.yaml b/charts/traefik/traefik/32.0.0/Chart.yaml new file mode 100644 index 000000000..6988b7b52 --- /dev/null +++ b/charts/traefik/traefik/32.0.0/Chart.yaml @@ -0,0 +1,33 @@ +annotations: + artifacthub.io/changes: | + - "chore(release): :rocket: publish 32.0.0" + - "fix: replace `CLF` with `common` in `values.yaml`" + - "feat(Traefik Hub): add APIPlans and APIBundles CRDs" + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Traefik Proxy + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: traefik +apiVersion: v2 +appVersion: v3.1.4 +description: A Traefik based Kubernetes ingress controller +home: https://traefik.io/ +icon: file://assets/icons/traefik.png +keywords: +- traefik +- ingress +- networking +kubeVersion: '>=1.22.0-0' +maintainers: +- email: michel.loiseleur@traefik.io + name: mloiseleur +- email: charlie.haley@traefik.io + name: charlie-haley +- email: remi.buisson@traefik.io + name: darkweaver87 +- name: jnoordsij +name: traefik +sources: +- https://github.com/traefik/traefik +- https://github.com/traefik/traefik-helm-chart +type: application +version: 32.0.0 diff --git a/charts/traefik/traefik/32.0.0/EXAMPLES.md b/charts/traefik/traefik/32.0.0/EXAMPLES.md new file mode 100644 index 000000000..9fb939d96 --- /dev/null +++ b/charts/traefik/traefik/32.0.0/EXAMPLES.md @@ -0,0 +1,1007 @@ +# Install as a DaemonSet + +Default install is using a `Deployment` but it's possible to use `DaemonSet` + +```yaml +deployment: + kind: DaemonSet +``` + +# Configure traefik Pod parameters + +## Extending /etc/hosts records + +In some specific cases, you'll need to add extra records to the `/etc/hosts` file for the Traefik containers. +You can configure it using [hostAliases](https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/): + +```yaml +deployment: + hostAliases: + - ip: "127.0.0.1" # this is an example + hostnames: + - "foo.local" + - "bar.local" +``` +## Extending DNS config + +In order to configure additional DNS servers for your traefik pod, you can use `dnsConfig` option: + +```yaml +deployment: + dnsConfig: + nameservers: + - 192.0.2.1 # this is an example + searches: + - ns1.svc.cluster-domain.example + - my.dns.search.suffix + options: + - name: ndots + value: "2" + - name: edns0 +``` + +# Install in a dedicated namespace, with limited RBAC + +Default install is using Cluster-wide RBAC but it can be restricted to target namespace. + +```yaml +rbac: + namespaced: true +``` + +# Install with auto-scaling + +When enabling [HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) +to adjust replicas count according to CPU Usage, you'll need to set resources and nullify replicas. + +```yaml +deployment: + replicas: null +resources: + requests: + cpu: "100m" + memory: "50Mi" + limits: + cpu: "300m" + memory: "150Mi" +autoscaling: + enabled: true + maxReplicas: 2 + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: 80 +``` + +# Access Traefik dashboard without exposing it + +This Chart does not expose the Traefik local dashboard by default. It's explained in upstream [documentation](https://doc.traefik.io/traefik/operations/api/) why: + +> Enabling the API in production is not recommended, because it will expose all configuration elements, including sensitive data. + +It says also: + +> In production, it should be at least secured by authentication and authorizations. + +Thus, there are multiple ways to expose the dashboard. For instance, after enabling the creation of dashboard `IngressRoute` in the values: + +```yaml +ingressRoute: + dashboard: + enabled: true +``` + +The traefik admin port can be forwarded locally: + +```bash +kubectl port-forward $(kubectl get pods --selector "app.kubernetes.io/name=traefik" --output=name) 9000:9000 +``` + +This command makes the dashboard accessible on the url: http://127.0.0.1:9000/dashboard/ + +# Publish and protect Traefik Dashboard with basic Auth + +To expose the dashboard in a secure way as [recommended](https://doc.traefik.io/traefik/operations/dashboard/#dashboard-router-rule) +in the documentation, it may be useful to override the router rule to specify +a domain to match, or accept requests on the root path (/) in order to redirect +them to /dashboard/. + +```yaml +# Create an IngressRoute for the dashboard +ingressRoute: + dashboard: + enabled: true + # Custom match rule with host domain + matchRule: Host(`traefik-dashboard.example.com`) + entryPoints: ["websecure"] + # Add custom middlewares : authentication and redirection + middlewares: + - name: traefik-dashboard-auth + +# Create the custom middlewares used by the IngressRoute dashboard (can also be created in another way). +# /!\ Yes, you need to replace "changeme" password with a better one. /!\ +extraObjects: + - apiVersion: v1 + kind: Secret + metadata: + name: traefik-dashboard-auth-secret + type: kubernetes.io/basic-auth + stringData: + username: admin + password: changeme + + - apiVersion: traefik.io/v1alpha1 + kind: Middleware + metadata: + name: traefik-dashboard-auth + spec: + basicAuth: + secret: traefik-dashboard-auth-secret +``` + +# Publish and protect Traefik Dashboard with an Ingress + +To expose the dashboard without IngressRoute, it's more complicated and less +secure. You'll need to create an internal Service exposing Traefik API with +special _traefik_ entrypoint. This internal Service can be created from an other tool, with the `extraObjects` section or using [custom services](#add-custom-internal-services). + +You'll need to double check: +1. Service selector with your setup. +2. Middleware annotation on the ingress, _default_ should be replaced with traefik's namespace + +```yaml +ingressRoute: + dashboard: + enabled: false +additionalArguments: +- "--api.insecure=true" +# Create the service, middleware and Ingress used to expose the dashboard (can also be created in another way). +# /!\ Yes, you need to replace "changeme" password with a better one. /!\ +extraObjects: + - apiVersion: v1 + kind: Service + metadata: + name: traefik-api + spec: + type: ClusterIP + selector: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: traefik-default + ports: + - port: 8080 + name: traefik + targetPort: 9000 + protocol: TCP + + - apiVersion: v1 + kind: Secret + metadata: + name: traefik-dashboard-auth-secret + type: kubernetes.io/basic-auth + stringData: + username: admin + password: changeme + + - apiVersion: traefik.io/v1alpha1 + kind: Middleware + metadata: + name: traefik-dashboard-auth + spec: + basicAuth: + secret: traefik-dashboard-auth-secret + + - apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: traefik-dashboard + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: websecure + traefik.ingress.kubernetes.io/router.middlewares: default-traefik-dashboard-auth@kubernetescrd + spec: + rules: + - host: traefik-dashboard.example.com + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: traefik-api + port: + name: traefik +``` + + +# Install on AWS + +It can use [native AWS support](https://kubernetes.io/docs/concepts/services-networking/service/#aws-nlb-support) on Kubernetes + +```yaml +service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-type: nlb +``` + +Or if [AWS LB controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/guide/service/annotations/#legacy-cloud-provider) is installed : +```yaml +service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-type: nlb-ip +``` + +# Install on GCP + +A [regional IP with a Service](https://cloud.google.com/kubernetes-engine/docs/tutorials/configuring-domain-name-static-ip#use_a_service) can be used +```yaml +service: + spec: + loadBalancerIP: "1.2.3.4" +``` + +Or a [global IP on Ingress](https://cloud.google.com/kubernetes-engine/docs/tutorials/configuring-domain-name-static-ip#use_an_ingress) +```yaml +service: + type: NodePort +extraObjects: + - apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: traefik + annotations: + kubernetes.io/ingress.global-static-ip-name: "myGlobalIpName" + spec: + defaultBackend: + service: + name: traefik + port: + number: 80 +``` + +Or a [global IP on a Gateway](https://cloud.google.com/kubernetes-engine/docs/how-to/deploying-gateways) with continuous HTTPS encryption. + +```yaml +ports: + websecure: + appProtocol: HTTPS # Hint for Google L7 load balancer +service: + type: ClusterIP +extraObjects: +- apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + metadata: + name: traefik + annotations: + networking.gke.io/certmap: "myCertificateMap" + spec: + gatewayClassName: gke-l7-global-external-managed + addresses: + - type: NamedAddress + value: "myGlobalIPName" + listeners: + - name: https + protocol: HTTPS + port: 443 +- apiVersion: gateway.networking.k8s.io/v1beta1 + kind: HTTPRoute + metadata: + name: traefik + spec: + parentRefs: + - kind: Gateway + name: traefik + rules: + - backendRefs: + - name: traefik + port: 443 +- apiVersion: networking.gke.io/v1 + kind: HealthCheckPolicy + metadata: + name: traefik + spec: + default: + config: + type: HTTP + httpHealthCheck: + port: 9000 + requestPath: /ping + targetRef: + group: "" + kind: Service + name: traefik +``` + +# Install on Azure + +A [static IP on a resource group](https://learn.microsoft.com/en-us/azure/aks/static-ip) can be used: + +```yaml +service: + spec: + loadBalancerIP: "1.2.3.4" + annotations: + service.beta.kubernetes.io/azure-load-balancer-resource-group: myResourceGroup +``` + +Here is a more complete example, using also native Let's encrypt feature of Traefik Proxy with Azure DNS: + +```yaml +persistence: + enabled: true + size: 128Mi +certResolvers: + letsencrypt: + email: "{{ letsencrypt_email }}" + #caServer: https://acme-v02.api.letsencrypt.org/directory # Production server + caServer: https://acme-staging-v02.api.letsencrypt.org/directory # Staging server + dnsChallenge: + provider: azuredns + storage: /data/acme.json +env: + - name: AZURE_CLIENT_ID + value: "{{ azure_dns_challenge_application_id }}" + - name: AZURE_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: azuredns-secret + key: client-secret + - name: AZURE_SUBSCRIPTION_ID + value: "{{ azure_subscription_id }}" + - name: AZURE_TENANT_ID + value: "{{ azure_tenant_id }}" + - name: AZURE_RESOURCE_GROUP + value: "{{ azure_resource_group }}" +deployment: + initContainers: + - name: volume-permissions + image: busybox:latest + command: ["sh", "-c", "ls -la /; touch /data/acme.json; chmod -v 600 /data/acme.json"] + volumeMounts: + - mountPath: /data + name: data +podSecurityContext: + fsGroup: 65532 + fsGroupChangePolicy: "OnRootMismatch" +service: + spec: + type: LoadBalancer + annotations: + service.beta.kubernetes.io/azure-load-balancer-resource-group: "{{ azure_node_resource_group }}" + service.beta.kubernetes.io/azure-pip-name: "{{ azure_resource_group }}" + service.beta.kubernetes.io/azure-dns-label-name: "{{ azure_resource_group }}" + service.beta.kubernetes.io/azure-allowed-ip-ranges: "{{ ip_range | join(',') }}" +extraObjects: + - apiVersion: v1 + kind: Secret + metadata: + name: azuredns-secret + namespace: traefik + type: Opaque + stringData: + client-secret: "{{ azure_dns_challenge_application_secret }}" +``` + +# Use an IngressClass + +Default install comes with an `IngressClass` resource that can be enabled on providers. + +Here's how one can enable it on CRD & Ingress Kubernetes provider: + +```yaml +ingressClass: + name: traefik +providers: + kubernetesCRD: + ingressClass: traefik + kubernetesIngress: + ingressClass: traefik +``` + +# Use HTTP3 + +By default, it will use a Load balancers with mixed protocols on `websecure` +entrypoint. They are available since v1.20 and in beta as of Kubernetes v1.24. +Availability may depend on your Kubernetes provider. + +When using TCP and UDP with a single service, you may encounter [this issue](https://github.com/kubernetes/kubernetes/issues/47249#issuecomment-587960741) from Kubernetes. +If you want to avoid this issue, you can set `ports.websecure.http3.advertisedPort` +to an other value than 443 + +```yaml +ports: + websecure: + http3: + enabled: true +``` + +You can also create two `Service`, one for TCP and one for UDP: + +```yaml +ports: + websecure: + http3: + enabled: true +service: + single: false +``` + +# Use PROXY protocol on Digital Ocean + +PROXY protocol is a protocol for sending client connection information, such as origin IP addresses and port numbers, to the final backend server, rather than discarding it at the load balancer. + +```yaml +.DOTrustedIPs: &DOTrustedIPs + - 127.0.0.1/32 + - 10.120.0.0/16 + +service: + enabled: true + type: LoadBalancer + annotations: + # This will tell DigitalOcean to enable the proxy protocol. + service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true" + spec: + # This is the default and should stay as cluster to keep the DO health checks working. + externalTrafficPolicy: Cluster + +ports: + web: + forwardedHeaders: + trustedIPs: *DOTrustedIPs + proxyProtocol: + trustedIPs: *DOTrustedIPs + websecure: + forwardedHeaders: + trustedIPs: *DOTrustedIPs + proxyProtocol: + trustedIPs: *DOTrustedIPs +``` + +# Enable plugin storage + +This chart follows common security practices: it runs as non root with a readonly root filesystem. +When enabling a plugin which needs storage, you have to add it to the deployment. + +Here is a simple example with crowdsec. You may want to replace with your plugin or see complete exemple on crowdsec [here](https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/blob/main/examples/kubernetes/README.md). + +```yaml +deployment: + additionalVolumes: + - name: plugins +additionalVolumeMounts: +- name: plugins + mountPath: /plugins-storage +additionalArguments: +- "--experimental.plugins.bouncer.moduleName=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin" +- "--experimental.plugins.bouncer.version=v1.1.9" +``` + +# Use Traefik native Let's Encrypt integration, without cert-manager + +In Traefik Proxy, ACME certificates are stored in a JSON file. + +This file needs to have 0600 permissions, meaning, only the owner of the file has full read and write access to it. +By default, Kubernetes recursively changes ownership and permissions for the content of each volume. + +=> An initContainer can be used to avoid an issue on this sensitive file. +See [#396](https://github.com/traefik/traefik-helm-chart/issues/396) for more details. + +Once the provider is ready, it can be used in an `IngressRoute`: + +```yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: [...] +spec: + entryPoints: [...] + routes: [...] + tls: + certResolver: letsencrypt +``` + +:information_source: Change `apiVersion` to `traefik.containo.us/v1alpha1` for charts prior to v28.0.0 + +See [the list of supported providers](https://doc.traefik.io/traefik/https/acme/#providers) for others. + +## Example with CloudFlare + +This example needs a CloudFlare token in a Kubernetes `Secret` and a working `StorageClass`. + +**Step 1**: Create `Secret` with CloudFlare token: + +```yaml +--- +apiVersion: v1 +kind: Secret +metadata: + name: cloudflare +type: Opaque +stringData: + token: {{ SET_A_VALID_TOKEN_HERE }} +``` + +**Step 2**: + +```yaml +persistence: + enabled: true + storageClass: xxx +certResolvers: + letsencrypt: + dnsChallenge: + provider: cloudflare + storage: /data/acme.json +env: + - name: CF_DNS_API_TOKEN + valueFrom: + secretKeyRef: + name: cloudflare + key: token +deployment: + initContainers: + - name: volume-permissions + image: busybox:latest + command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"] + volumeMounts: + - mountPath: /data + name: data +podSecurityContext: + fsGroup: 65532 + fsGroupChangePolicy: "OnRootMismatch" +``` + +# Provide default certificate with cert-manager and CloudFlare DNS + +Setup: + +* cert-manager installed in `cert-manager` namespace +* A cloudflare account on a DNS Zone + +**Step 1**: Create `Secret` and `Issuer` needed by `cert-manager` with your API Token. +See [cert-manager documentation](https://cert-manager.io/docs/configuration/acme/dns01/cloudflare/) +for creating this token with needed rights: + +```yaml +--- +apiVersion: v1 +kind: Secret +metadata: + name: cloudflare + namespace: traefik +type: Opaque +stringData: + api-token: XXX +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: cloudflare + namespace: traefik +spec: + acme: + server: https://acme-v02.api.letsencrypt.org/directory + email: email@example.com + privateKeySecretRef: + name: cloudflare-key + solvers: + - dns01: + cloudflare: + apiTokenSecretRef: + name: cloudflare + key: api-token +``` + +**Step 2**: Create `Certificate` in traefik namespace + +```yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: wildcard-example-com + namespace: traefik +spec: + secretName: wildcard-example-com-tls + dnsNames: + - "example.com" + - "*.example.com" + issuerRef: + name: cloudflare + kind: Issuer +``` + +**Step 3**: Check that it's ready + +```bash +kubectl get certificate -n traefik +``` + +If needed, logs of cert-manager pod can give you more information + +**Step 4**: Use it on the TLS Store in **values.yaml** file for this Helm Chart + +```yaml +tlsStore: + default: + defaultCertificate: + secretName: wildcard-example-com-tls +``` + +**Step 5**: Enjoy. All your `IngressRoute` use this certificate by default now. + +They should use websecure entrypoint like this: + +```yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: example-com-tls +spec: + entryPoints: + - websecure + routes: + - match: Host(`test.example.com`) + kind: Rule + services: + - name: XXXX + port: 80 +``` + +# Add custom (internal) services + +In some cases you might want to have more than one Traefik service within your cluster, +e.g. a default (external) one and a service that is only exposed internally to pods within your cluster. + +The `service.additionalServices` allows you to add an arbitrary amount of services, +provided as a name to service details mapping; for example you can use the following values: + +```yaml +service: + additionalServices: + internal: + type: ClusterIP + labels: + traefik-service-label: internal +``` + +Ports can then be exposed on this service by using the port name to boolean mapping `expose` on the respective port; +e.g. to expose the `traefik` API port on your internal service so pods within your cluster can use it, you can do: + +```yaml +ports: + traefik: + expose: + # Sensitive data should not be exposed on the internet + # => Keep this disabled ! + default: false + internal: true +``` + +This will then provide an additional Service manifest, looking like this: + +```yaml +--- +# Source: traefik/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: traefik-internal + namespace: traefik +[...] +spec: + type: ClusterIP + selector: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: traefik-traefik + ports: + - port: 9000 + name: "traefik" + targetPort: traefik + protocol: TCP +``` + +# Use this Chart as a dependency of your own chart + + +First, let's create a default Helm Chart, with Traefik as a dependency. +```bash +helm create foo +cd foo +echo " +dependencies: + - name: traefik + version: "24.0.0" + repository: "https://traefik.github.io/charts" +" >> Chart.yaml +``` + +Second, let's tune some values like enabling HPA: + +```bash +cat <<-EOF >> values.yaml +traefik: + autoscaling: + enabled: true + maxReplicas: 3 +EOF +``` + +Third, one can see if it works as expected: +```bash +helm dependency update +helm dependency build +helm template . | grep -A 14 -B 3 Horizontal +``` + +It should produce this output: + +```yaml +--- +# Source: foo/charts/traefik/templates/hpa.yaml +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: release-name-traefik + namespace: flux-system + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: release-name-flux-system + helm.sh/chart: traefik-24.0.0 + app.kubernetes.io/managed-by: Helm +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: release-name-traefik + maxReplicas: 3 +``` + +# Configure TLS + +The [TLS options](https://doc.traefik.io/traefik/https/tls/#tls-options) allow one to configure some parameters of the TLS connection. + +```yaml +tlsOptions: + default: + labels: {} + sniStrict: true + custom-options: + labels: {} + curvePreferences: + - CurveP521 + - CurveP384 +``` + +# Use latest build of Traefik v3 from master + +An experimental build of Traefik Proxy is available on a specific repository. + +It can be used with those _values_: + +```yaml +image: + repository: traefik/traefik + tag: experimental-v3.0 +``` + +# Use Prometheus Operator + +An optional support of this operator is included in this Chart. See documentation of this operator for more details. + +It can be used with those _values_: + +```yaml +metrics: + prometheus: + service: + enabled: true + disableAPICheck: false + serviceMonitor: + enabled: true + metricRelabelings: + - sourceLabels: [__name__] + separator: ; + regex: ^fluentd_output_status_buffer_(oldest|newest)_.+ + replacement: $1 + action: drop + relabelings: + - sourceLabels: [__meta_kubernetes_pod_node_name] + separator: ; + regex: ^(.*)$ + targetLabel: nodename + replacement: $1 + action: replace + jobLabel: traefik + interval: 30s + honorLabels: true + prometheusRule: + enabled: true + rules: + - alert: TraefikDown + expr: up{job="traefik"} == 0 + for: 5m + labels: + context: traefik + severity: warning + annotations: + summary: "Traefik Down" + description: "{{ $labels.pod }} on {{ $labels.nodename }} is down" +``` + +# Use kubernetes Gateway API + +One can use the new stable kubernetes gateway API provider setting the following _values_: + +```yaml +providers: + kubernetesGateway: + enabled: true +``` + +
+ +With those values, a whoami service can be exposed with a HTTPRoute + +```yaml +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: whoami +spec: + replicas: 2 + selector: + matchLabels: + app: whoami + template: + metadata: + labels: + app: whoami + spec: + containers: + - name: whoami + image: traefik/whoami + +--- +apiVersion: v1 +kind: Service +metadata: + name: whoami +spec: + selector: + app: whoami + ports: + - protocol: TCP + port: 80 + +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: whoami +spec: + parentRefs: + - name: traefik-gateway + hostnames: + - whoami.docker.localhost + rules: + - matches: + - path: + type: Exact + value: / + + backendRefs: + - name: whoami + port: 80 + weight: 1 +``` + +Once it's applied, whoami should be accessible on http://whoami.docker.localhost/ + +
+ +# Use Kubernetes Gateway API with cert-manager + +One can use the new stable kubernetes gateway API provider with automatic TLS certificates delivery (with cert-manager) setting the following _values_: + +```yaml +providers: + kubernetesGateway: + enabled: true +gateway: + enabled: true + annotations: + cert-manager.io/issuer: selfsigned-issuer + listeners: + websecure: + hostname: whoami.docker.localhost + port: 8443 + protocol: HTTPS + certificateRefs: + - name: whoami-tls +``` + +Install cert-manager: + +```bash +helm repo add jetstack https://charts.jetstack.io --force-update +helm upgrade --install \ +cert-manager jetstack/cert-manager \ +--namespace cert-manager \ +--create-namespace \ +--version v1.15.1 \ +--set crds.enabled=true \ +--set "extraArgs={--enable-gateway-api}" +``` + +
+ +With those values, a whoami service can be exposed with HTTPRoute on both HTTP and HTTPS + +```yaml +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: whoami +spec: + replicas: 2 + selector: + matchLabels: + app: whoami + template: + metadata: + labels: + app: whoami + spec: + containers: + - name: whoami + image: traefik/whoami + +--- +apiVersion: v1 +kind: Service +metadata: + name: whoami +spec: + selector: + app: whoami + ports: + - protocol: TCP + port: 80 + +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: whoami +spec: + parentRefs: + - name: traefik-gateway + hostnames: + - whoami.docker.localhost + rules: + - matches: + - path: + type: Exact + value: / + + backendRefs: + - name: whoami + port: 80 + weight: 1 + +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: selfsigned-issuer +spec: + selfSigned: {} +``` + +Once it's applied, whoami should be accessible on https://whoami.docker.localhost/ + +
diff --git a/charts/traefik/traefik/32.0.0/Guidelines.md b/charts/traefik/traefik/32.0.0/Guidelines.md new file mode 100644 index 000000000..3b72a40cd --- /dev/null +++ b/charts/traefik/traefik/32.0.0/Guidelines.md @@ -0,0 +1,34 @@ +# Traefik Helm Chart Guidelines + +This document outlines the guidelines for developing, managing and extending the Traefik helm chart. + +This Helm Chart is documented using field description from comments with [helm-docs](https://github.com/norwoodj/helm-docs). + +It comes with a JSON schema generated from values with [helm schema](https://github.com/losisin/helm-values-schema-json) plugin. + +## Feature Example + +```yaml +logs: + general: + # -- Set [logs format](https://doc.traefik.io/traefik/observability/logs/#format) + format: # @schema enum:["common", "json", null]; type:[string, null]; default: "common" +``` + +Documention is on the first comment, starting with `# --` +Specific instructions for schema, when needed, are done with the inline comment starting with `# @schema`. + +## Whitespace + +Extra whitespace is to be avoided in templating. Conditionals should chomp whitespace: + +```yaml +{{- if .Values }} +{{- end }} +``` + +There should be an empty commented line between each primary key in the values.yaml file to separate features from each other. + +## Values YAML Design + +The values.yaml file is designed to be user-friendly. It does not have to resemble the templated configuration if it is not conducive. Similarly, value names to not have to correspond to fields in the template if it is not conducive. diff --git a/charts/traefik/traefik/32.0.0/LICENSE b/charts/traefik/traefik/32.0.0/LICENSE new file mode 100644 index 000000000..907ff8321 --- /dev/null +++ b/charts/traefik/traefik/32.0.0/LICENSE @@ -0,0 +1,202 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright 2020 Containous + Copyright 2020 Traefik Labs + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/charts/traefik/traefik/32.0.0/README.md b/charts/traefik/traefik/32.0.0/README.md new file mode 100644 index 000000000..cd963c199 --- /dev/null +++ b/charts/traefik/traefik/32.0.0/README.md @@ -0,0 +1,158 @@ +# Traefik + +[Traefik](https://traefik.io/) is a modern HTTP reverse proxy and load balancer made to deploy +microservices with ease. + +## Introduction + +Starting with v28.x, this chart now bootstraps Traefik Proxy version 3 as a Kubernetes ingress controller, +using Custom Resources `IngressRoute`: . + +It's possible to use this chart with Traefik Proxy v2 using v27.x +This chart support policy is aligned with [upstream support policy](https://doc.traefik.io/traefik/deprecation/releases/) of Traefik Proxy. + +See [Migration guide from v2 to v3](https://doc.traefik.io/traefik/v3.0/migration/v2-to-v3/) and upgrading section of this chart on CRDs. + +### Philosophy + +The Traefik HelmChart is focused on Traefik deployment configuration. + +To keep this HelmChart as generic as possible we tend +to avoid integrating any third party solutions nor any specific use cases. + +Accordingly, the encouraged approach to fulfill your needs: + +1. Override the default Traefik configuration values ([yaml file or cli](https://helm.sh/docs/chart_template_guide/values_files/)) +2. Append your own configurations (`kubectl apply -f myconf.yaml`) + +[Examples](https://github.com/traefik/traefik-helm-chart/blob/master/EXAMPLES.md) of common usage are provided. + +If needed, one may use [extraObjects](./traefik/tests/values/extra.yaml) or extend this HelmChart [as a Subchart](https://helm.sh/docs/chart_template_guide/subcharts_and_globals/). + +## Installing + +### Prerequisites + +1. [x] Helm **v3 > 3.9.0** [installed](https://helm.sh/docs/using_helm/#installing-helm): `helm version` +2. [x] Traefik's chart repository: `helm repo add traefik https://traefik.github.io/charts` + +### Kubernetes Version Support + +Due to changes in CRD version support, the following versions of the chart are usable and supported on the following Kubernetes versions: + +| | Kubernetes v1.15 and below | Kubernetes v1.16-v1.21 | Kubernetes v1.22 and above | +|-------------------------|-----------------------------|------------------------|----------------------------| +| Chart v9.20.2 and below | [x] | [x] | | +| Chart v10.0.0 and above | | [x] | [x] | +| Chart v22.0.0 and above | | | [x] | + +### CRDs Support of Traefik Proxy + +Due to changes in API Group of Traefik CRDs from `containo.us` to `traefik.io`, this Chart install CRDs needed by default Traefik Proxy version, following this table: + +| | `containo.us` | `traefik.io` | +|-------------------------|-----------------------------|------------------------| +| Chart v22.0.0 and below | [x] | | +| Chart v23.0.0 and above | [x] | [x] | +| Chart v28.0.0 and above | | [x] | + +### Deploying Traefik + +```bash +helm install traefik traefik/traefik +``` + +or: + +```bash +helm install traefik oci://ghcr.io/traefik/helm/traefik +``` + +You can customize the install with a `values` file. There are some [EXAMPLES](./EXAMPLES.md) provided. +Complete documentation on all available parameters is in the [default file](./traefik/values.yaml). + +```bash +helm install -f myvalues.yaml traefik traefik/traefik +``` + +🛂 **Warning**: Helm v2 support was removed in the chart version 10.0.0. + +## Upgrading + +One can check what has changed in the [Changelog](./traefik/Changelog.md). + +:information_source: With Helm v3, CRDs created by this chart can not be updated, cf. the [Helm Documentation on CRDs](https://helm.sh/docs/chart_best_practices/custom_resource_definitions). + +:warning: Please read carefully release notes of this chart before upgrading CRDs. + +```bash +# Update repository +helm repo update +# See current Chart & Traefik version +helm search repo traefik/traefik +# Update CRDs (Traefik Proxy v3 CRDs) +kubectl apply --server-side --force-conflicts -k https://github.com/traefik/traefik-helm-chart/traefik/crds/ +# Upgrade Traefik +helm upgrade traefik traefik/traefik +``` + +New major version indicates that there is an incompatible breaking change. + +#### Upgrade up to 27.X + +When upgrading on Traefik Proxy v2 version, one need to stay at Traefik Helm Chart v27.x. The command to upgrade to the latest Traefik Proxy v2 CRD is: + +```bash +kubectl apply --server-side --force-conflicts -k https://github.com/traefik/traefik-helm-chart/traefik/crds/?ref=v27 +``` + +### Upgrading after 18.X+ + +It's detailed in [release notes](https://github.com/traefik/traefik-helm-chart/releases). + +### Upgrading from 17.x to 18.x + +Since v18.x, this chart by default merges TCP and UDP ports into a single (LoadBalancer) `Service`. +Load balancers with mixed protocols are available since v1.20 and in +[beta as of Kubernetes v1.24](https://kubernetes.io/docs/concepts/services-networking/service/#load-balancers-with-mixed-protocol-types). +Availability may depend on your Kubernetes provider. + +To retain the old default behavior, set `service.single` to `false` in your values. + +When using TCP and UDP with a single service, you may encounter +[this issue](https://github.com/kubernetes/kubernetes/issues/47249#issuecomment-587960741) +from Kubernetes. + +On HTTP/3, if you want to avoid this issue, you can set +`ports.websecure.http3.advertisedPort` to an other value than `443` + +If you were previously using HTTP/3, you should update your values as follows: + - Replace the old value (`true`) of `ports.websecure.http3` with a key `enabled: true` + - Remove `experimental.http3.enabled=true` entry + +### Upgrading from 16.x to 17.x + +Since v17.x, this chart provides unified labels following +[Kubernetes recommendation](https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/). + +This version needs to change an immutable field, which is not supported by +Kubernetes and Helm, see [this issue](https://github.com/helm/helm/issues/7350) +for more details. +So you will have to delete your `Service`, `Deployment` or `DaemonSet` in +order to be able to upgrade. + +You may also upgrade by deploying another Traefik to a different namespace and +removing after your first Traefik. + +Alternatively, since version 20.3.0 of this chart, you may set `instanceLabelOverride` to the previous value of that label. +This will override the new `Release.Name-Release.Namespace` pattern to avoid any (longer) downtime. + +## Contributing + +If you want to contribute to this chart, please read the [Contributing Guide](./CONTRIBUTING.md). + +Thanks to all the people who have already contributed! + + + + diff --git a/charts/traefik/traefik/32.0.0/VALUES.md b/charts/traefik/traefik/32.0.0/VALUES.md new file mode 100644 index 000000000..867dbdfa7 --- /dev/null +++ b/charts/traefik/traefik/32.0.0/VALUES.md @@ -0,0 +1,316 @@ +# traefik + +![Version: 32.0.0](https://img.shields.io/badge/Version-32.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v3.1.4](https://img.shields.io/badge/AppVersion-v3.1.4-informational?style=flat-square) + +A Traefik based Kubernetes ingress controller + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| mloiseleur | | | +| charlie-haley | | | +| darkweaver87 | | | +| jnoordsij | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=1.22.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalArguments | list | `[]` | Additional arguments to be passed at Traefik's binary See [CLI Reference](https://docs.traefik.io/reference/static-configuration/cli/) Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"` | +| additionalVolumeMounts | list | `[]` | Additional volumeMounts to add to the Traefik container | +| affinity | object | `{}` | on nodes where no other traefik pods are scheduled. It should be used when hostNetwork: true to prevent port conflicts | +| autoscaling.enabled | bool | `false` | Create HorizontalPodAutoscaler object. See EXAMPLES.md for more details. | +| certResolvers | object | `{}` | Certificates resolvers configuration. Ref: https://doc.traefik.io/traefik/https/acme/#certificate-resolvers See EXAMPLES.md for more details. | +| commonLabels | object | `{}` | Add additional label to all resources | +| core.defaultRuleSyntax | string | `""` | Can be used to use globally v2 router syntax See https://doc.traefik.io/traefik/v3.0/migration/v2-to-v3/#new-v3-syntax-notable-changes | +| deployment.additionalContainers | list | `[]` | Additional containers (e.g. for metric offloading sidecars) | +| deployment.additionalVolumes | list | `[]` | Additional volumes available for use with initContainers and additionalContainers | +| deployment.annotations | object | `{}` | Additional deployment annotations (e.g. for jaeger-operator sidecar injection) | +| deployment.dnsConfig | object | `{}` | Custom pod [DNS config](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#poddnsconfig-v1-core) | +| deployment.dnsPolicy | string | `""` | Custom pod DNS policy. Apply if `hostNetwork: true` | +| deployment.enabled | bool | `true` | Enable deployment | +| deployment.healthchecksHost | string | `""` | | +| deployment.healthchecksPort | string | `nil` | | +| deployment.healthchecksScheme | string | `nil` | | +| deployment.hostAliases | list | `[]` | Custom [host aliases](https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/) | +| deployment.imagePullSecrets | list | `[]` | Pull secret for fetching traefik container image | +| deployment.initContainers | list | `[]` | Additional initContainers (e.g. for setting file permission as shown below) | +| deployment.kind | string | `"Deployment"` | Deployment or DaemonSet | +| deployment.labels | object | `{}` | Additional deployment labels (e.g. for filtering deployment by custom labels) | +| deployment.lifecycle | object | `{}` | Pod lifecycle actions | +| deployment.livenessPath | string | `""` | Override the liveness path. Default: /ping | +| deployment.minReadySeconds | int | `0` | The minimum number of seconds Traefik needs to be up and running before the DaemonSet/Deployment controller considers it available | +| deployment.podAnnotations | object | `{}` | Additional pod annotations (e.g. for mesh injection or prometheus scraping) It supports templating. One can set it with values like traefik/name: '{{ template "traefik.name" . }}' | +| deployment.podLabels | object | `{}` | Additional Pod labels (e.g. for filtering Pod by custom labels) | +| deployment.readinessPath | string | `""` | | +| deployment.replicas | int | `1` | Number of pods of the deployment (only applies when kind == Deployment) | +| deployment.revisionHistoryLimit | string | `nil` | Number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10) | +| deployment.runtimeClassName | string | `""` | Set a runtimeClassName on pod | +| deployment.shareProcessNamespace | bool | `false` | Use process namespace sharing | +| deployment.terminationGracePeriodSeconds | int | `60` | Amount of time (in seconds) before Kubernetes will send the SIGKILL signal if Traefik does not shut down | +| env | list | See _values.yaml_ | Environment variables to be passed to Traefik's binary | +| envFrom | list | `[]` | Environment variables to be passed to Traefik's binary from configMaps or secrets | +| experimental.kubernetesGateway.enabled | bool | `false` | Enable traefik experimental GatewayClass CRD | +| experimental.plugins | object | `{}` | Enable traefik experimental plugins | +| extraObjects | list | `[]` | Extra objects to deploy (value evaluated as a template) In some cases, it can avoid the need for additional, extended or adhoc deployments. See #595 for more details and traefik/tests/values/extra.yaml for example. | +| gateway.annotations | object | `{}` | Additional gateway annotations (e.g. for cert-manager.io/issuer) | +| gateway.enabled | bool | `true` | When providers.kubernetesGateway.enabled, deploy a default gateway | +| gateway.listeners | object | `{"web":{"hostname":"","namespacePolicy":null,"port":8000,"protocol":"HTTP"}}` | Define listeners | +| gateway.listeners.web.hostname | string | `""` | Optional hostname. See [Hostname](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Hostname) | +| gateway.listeners.web.namespacePolicy | string | `nil` | Routes are restricted to namespace of the gateway [by default](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.FromNamespaces | +| gateway.listeners.web.port | int | `8000` | Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. The port must match a port declared in ports section. | +| gateway.name | string | `""` | Set a custom name to gateway | +| gateway.namespace | string | `""` | By default, Gateway is created in the same `Namespace` than Traefik. | +| gatewayClass.enabled | bool | `true` | When providers.kubernetesGateway.enabled and gateway.enabled, deploy a default gatewayClass | +| gatewayClass.labels | object | `{}` | Additional gatewayClass labels (e.g. for filtering gateway objects by custom labels) | +| gatewayClass.name | string | `""` | Set a custom name to GatewayClass | +| globalArguments | list | `["--global.checknewversion","--global.sendanonymoususage"]` | Global command arguments to be passed to all traefik's pods | +| hostNetwork | bool | `false` | If hostNetwork is true, runs traefik in the host network namespace To prevent unschedulabel pods due to port collisions, if hostNetwork=true and replicas>1, a pod anti-affinity is recommended and will be set if the affinity is left as default. | +| hub.apimanagement.admission.listenAddr | string | `""` | WebHook admission server listen address. Default: "0.0.0.0:9943". | +| hub.apimanagement.admission.secretName | string | `""` | Certificate of the WebHook admission server. Default: "hub-agent-cert". | +| hub.apimanagement.enabled | bool | `false` | Set to true in order to enable API Management. Requires a valid license token. | +| hub.redis.cluster | string | `nil` | Enable Redis Cluster. Default: true. | +| hub.redis.database | string | `nil` | Database used to store information. Default: "0". | +| hub.redis.endpoints | string | `""` | Endpoints of the Redis instances to connect to. Default: "". | +| hub.redis.password | string | `""` | The password to use when connecting to Redis endpoints. Default: "". | +| hub.redis.sentinel.masterset | string | `""` | Name of the set of main nodes to use for main selection. Required when using Sentinel. Default: "". | +| hub.redis.sentinel.password | string | `""` | Password to use for sentinel authentication (can be different from endpoint password). Default: "". | +| hub.redis.sentinel.username | string | `""` | Username to use for sentinel authentication (can be different from endpoint username). Default: "". | +| hub.redis.timeout | string | `""` | Timeout applied on connection with redis. Default: "0s". | +| hub.redis.tls.ca | string | `""` | Path to the certificate authority used for the secured connection. | +| hub.redis.tls.cert | string | `""` | Path to the public certificate used for the secure connection. | +| hub.redis.tls.insecureSkipVerify | bool | `false` | When insecureSkipVerify is set to true, the TLS connection accepts any certificate presented by the server. Default: false. | +| hub.redis.tls.key | string | `""` | Path to the private key used for the secure connection. | +| hub.redis.username | string | `""` | The username to use when connecting to Redis endpoints. Default: "". | +| hub.sendlogs | string | `nil` | | +| hub.token | string | `""` | Name of `Secret` with key 'token' set to a valid license token. It enables API Gateway. | +| image.pullPolicy | string | `"IfNotPresent"` | Traefik image pull policy | +| image.registry | string | `"docker.io"` | Traefik image host registry | +| image.repository | string | `"traefik"` | Traefik image repository | +| image.tag | string | `nil` | defaults to appVersion | +| ingressClass | object | `{"enabled":true,"isDefaultClass":true,"name":""}` | Create a default IngressClass for Traefik | +| ingressRoute.dashboard.annotations | object | `{}` | Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class) | +| ingressRoute.dashboard.enabled | bool | `false` | Create an IngressRoute for the dashboard | +| ingressRoute.dashboard.entryPoints | list | `["traefik"]` | Specify the allowed entrypoints to use for the dashboard ingress route, (e.g. traefik, web, websecure). By default, it's using traefik entrypoint, which is not exposed. /!\ Do not expose your dashboard without any protection over the internet /!\ | +| ingressRoute.dashboard.labels | object | `{}` | Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels) | +| ingressRoute.dashboard.matchRule | string | `"PathPrefix(`/dashboard`) || PathPrefix(`/api`)"` | The router match rule used for the dashboard ingressRoute | +| ingressRoute.dashboard.middlewares | list | `[]` | Additional ingressRoute middlewares (e.g. for authentication) | +| ingressRoute.dashboard.services | list | `[{"kind":"TraefikService","name":"api@internal"}]` | The internal service used for the dashboard ingressRoute | +| ingressRoute.dashboard.tls | object | `{}` | TLS options (e.g. secret containing certificate) | +| ingressRoute.healthcheck.annotations | object | `{}` | Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class) | +| ingressRoute.healthcheck.enabled | bool | `false` | Create an IngressRoute for the healthcheck probe | +| ingressRoute.healthcheck.entryPoints | list | `["traefik"]` | Specify the allowed entrypoints to use for the healthcheck ingress route, (e.g. traefik, web, websecure). By default, it's using traefik entrypoint, which is not exposed. | +| ingressRoute.healthcheck.labels | object | `{}` | Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels) | +| ingressRoute.healthcheck.matchRule | string | `"PathPrefix(`/ping`)"` | The router match rule used for the healthcheck ingressRoute | +| ingressRoute.healthcheck.middlewares | list | `[]` | Additional ingressRoute middlewares (e.g. for authentication) | +| ingressRoute.healthcheck.services | list | `[{"kind":"TraefikService","name":"ping@internal"}]` | The internal service used for the healthcheck ingressRoute | +| ingressRoute.healthcheck.tls | object | `{}` | TLS options (e.g. secret containing certificate) | +| instanceLabelOverride | string | `""` | | +| livenessProbe.failureThreshold | int | `3` | The number of consecutive failures allowed before considering the probe as failed. | +| livenessProbe.initialDelaySeconds | int | `2` | The number of seconds to wait before starting the first probe. | +| livenessProbe.periodSeconds | int | `10` | The number of seconds to wait between consecutive probes. | +| livenessProbe.successThreshold | int | `1` | The minimum consecutive successes required to consider the probe successful. | +| livenessProbe.timeoutSeconds | int | `2` | The number of seconds to wait for a probe response before considering it as failed. | +| logs.access.addInternals | bool | `false` | Enables accessLogs for internal resources. Default: false. | +| logs.access.bufferingSize | string | `nil` | Set [bufferingSize](https://doc.traefik.io/traefik/observability/access-logs/#bufferingsize) | +| logs.access.enabled | bool | `false` | To enable access logs | +| logs.access.fields.general.defaultmode | string | `"keep"` | Set default mode for fields.names | +| logs.access.fields.general.names | object | `{}` | Names of the fields to limit. | +| logs.access.fields.headers | object | `{"defaultmode":"drop","names":{}}` | [Limit logged fields or headers](https://doc.traefik.io/traefik/observability/access-logs/#limiting-the-fieldsincluding-headers) | +| logs.access.fields.headers.defaultmode | string | `"drop"` | Set default mode for fields.headers | +| logs.access.filters | object | `{}` | Set [filtering](https://docs.traefik.io/observability/access-logs/#filtering) | +| logs.access.format | string | `nil` | Set [access log format](https://doc.traefik.io/traefik/observability/access-logs/#format) | +| logs.access.minduration | string | `""` | | +| logs.access.retryattempts | bool | `false` | | +| logs.access.statuscodes | string | `""` | | +| logs.general.filePath | string | `""` | To write the logs into a log file, use the filePath option. | +| logs.general.format | string | `nil` | Set [logs format](https://doc.traefik.io/traefik/observability/logs/#format) | +| logs.general.level | string | `"INFO"` | Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO. | +| logs.general.noColor | bool | `false` | When set to true and format is common, it disables the colorized output. | +| metrics.addInternals | bool | `false` | | +| metrics.otlp.addEntryPointsLabels | string | `nil` | Enable metrics on entry points. Default: true | +| metrics.otlp.addRoutersLabels | string | `nil` | Enable metrics on routers. Default: false | +| metrics.otlp.addServicesLabels | string | `nil` | Enable metrics on services. Default: true | +| metrics.otlp.enabled | bool | `false` | Set to true in order to enable the OpenTelemetry metrics | +| metrics.otlp.explicitBoundaries | list | `[]` | Explicit boundaries for Histogram data points. Default: [.005, .01, .025, .05, .1, .25, .5, 1, 2.5, 5, 10] | +| metrics.otlp.grpc.enabled | bool | `false` | Set to true in order to send metrics to the OpenTelemetry Collector using gRPC | +| metrics.otlp.grpc.endpoint | string | `""` | Format: ://:. Default: http://localhost:4318/v1/metrics | +| metrics.otlp.grpc.insecure | bool | `false` | Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol. | +| metrics.otlp.grpc.tls.ca | string | `""` | The path to the certificate authority, it defaults to the system bundle. | +| metrics.otlp.grpc.tls.cert | string | `""` | The path to the public certificate. When using this option, setting the key option is required. | +| metrics.otlp.grpc.tls.insecureSkipVerify | bool | `false` | When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. | +| metrics.otlp.grpc.tls.key | string | `""` | The path to the private key. When using this option, setting the cert option is required. | +| metrics.otlp.http.enabled | bool | `false` | Set to true in order to send metrics to the OpenTelemetry Collector using HTTP. | +| metrics.otlp.http.endpoint | string | `""` | Format: ://:. Default: http://localhost:4318/v1/metrics | +| metrics.otlp.http.headers | object | `{}` | Additional headers sent with metrics by the reporter to the OpenTelemetry Collector. | +| metrics.otlp.http.tls.ca | string | `""` | The path to the certificate authority, it defaults to the system bundle. | +| metrics.otlp.http.tls.cert | string | `""` | The path to the public certificate. When using this option, setting the key option is required. | +| metrics.otlp.http.tls.insecureSkipVerify | string | `nil` | When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. | +| metrics.otlp.http.tls.key | string | `""` | The path to the private key. When using this option, setting the cert option is required. | +| metrics.otlp.pushInterval | string | `""` | Interval at which metrics are sent to the OpenTelemetry Collector. Default: 10s | +| metrics.prometheus.addEntryPointsLabels | string | `nil` | | +| metrics.prometheus.addRoutersLabels | string | `nil` | | +| metrics.prometheus.addServicesLabels | string | `nil` | | +| metrics.prometheus.buckets | string | `""` | | +| metrics.prometheus.disableAPICheck | string | `nil` | When set to true, it won't check if Prometheus Operator CRDs are deployed | +| metrics.prometheus.entryPoint | string | `"metrics"` | Entry point used to expose metrics. | +| metrics.prometheus.manualRouting | bool | `false` | | +| metrics.prometheus.prometheusRule.additionalLabels | object | `{}` | | +| metrics.prometheus.prometheusRule.enabled | bool | `false` | Enable optional CR for Prometheus Operator. See EXAMPLES.md for more details. | +| metrics.prometheus.prometheusRule.namespace | string | `""` | | +| metrics.prometheus.service.annotations | object | `{}` | | +| metrics.prometheus.service.enabled | bool | `false` | Create a dedicated metrics service to use with ServiceMonitor | +| metrics.prometheus.service.labels | object | `{}` | | +| metrics.prometheus.serviceMonitor.additionalLabels | object | `{}` | | +| metrics.prometheus.serviceMonitor.enableHttp2 | bool | `false` | | +| metrics.prometheus.serviceMonitor.enabled | bool | `false` | Enable optional CR for Prometheus Operator. See EXAMPLES.md for more details. | +| metrics.prometheus.serviceMonitor.followRedirects | bool | `false` | | +| metrics.prometheus.serviceMonitor.honorLabels | bool | `false` | | +| metrics.prometheus.serviceMonitor.honorTimestamps | bool | `false` | | +| metrics.prometheus.serviceMonitor.interval | string | `""` | | +| metrics.prometheus.serviceMonitor.jobLabel | string | `""` | | +| metrics.prometheus.serviceMonitor.metricRelabelings | list | `[]` | | +| metrics.prometheus.serviceMonitor.namespace | string | `""` | | +| metrics.prometheus.serviceMonitor.namespaceSelector | object | `{}` | | +| metrics.prometheus.serviceMonitor.relabelings | list | `[]` | | +| metrics.prometheus.serviceMonitor.scrapeTimeout | string | `""` | | +| namespaceOverride | string | `""` | This field override the default Release Namespace for Helm. It will not affect optional CRDs such as `ServiceMonitor` and `PrometheusRules` | +| nodeSelector | object | `{}` | nodeSelector is the simplest recommended form of node selection constraint. | +| persistence.accessMode | string | `"ReadWriteOnce"` | | +| persistence.annotations | object | `{}` | | +| persistence.enabled | bool | `false` | Enable persistence using Persistent Volume Claims ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ It can be used to store TLS certificates, see `storage` in certResolvers | +| persistence.existingClaim | string | `""` | | +| persistence.name | string | `"data"` | | +| persistence.path | string | `"/data"` | | +| persistence.size | string | `"128Mi"` | | +| persistence.storageClass | string | `""` | | +| persistence.subPath | string | `""` | Only mount a subpath of the Volume into the pod | +| persistence.volumeName | string | `""` | | +| podDisruptionBudget | object | `{"enabled":false,"maxUnavailable":null,"minAvailable":null}` | [Pod Disruption Budget](https://kubernetes.io/docs/reference/kubernetes-api/policy-resources/pod-disruption-budget-v1/) | +| podSecurityContext | object | See _values.yaml_ | [Pod Security Context](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context) | +| podSecurityPolicy | object | `{"enabled":false}` | Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding | +| ports.metrics.expose | object | `{"default":false}` | You may not want to expose the metrics port on production deployments. If you want to access it from outside your cluster, use `kubectl port-forward` or create a secure ingress | +| ports.metrics.exposedPort | int | `9100` | The exposed port for this service | +| ports.metrics.port | int | `9100` | When using hostNetwork, use another port to avoid conflict with node exporter: https://github.com/prometheus/prometheus/wiki/Default-port-allocations | +| ports.metrics.protocol | string | `"TCP"` | The port protocol (TCP/UDP) | +| ports.traefik.expose | object | `{"default":false}` | You SHOULD NOT expose the traefik port on production deployments. If you want to access it from outside your cluster, use `kubectl port-forward` or create a secure ingress | +| ports.traefik.exposedPort | int | `9000` | The exposed port for this service | +| ports.traefik.hostIP | string | `nil` | Use hostIP if set. If not set, Kubernetes will default to 0.0.0.0, which means it's listening on all your interfaces and all your IPs. You may want to set this value if you need traefik to listen on specific interface only. | +| ports.traefik.hostPort | string | `nil` | Use hostPort if set. | +| ports.traefik.port | int | `9000` | | +| ports.traefik.protocol | string | `"TCP"` | The port protocol (TCP/UDP) | +| ports.web.expose.default | bool | `true` | | +| ports.web.exposedPort | int | `80` | | +| ports.web.forwardedHeaders.insecure | bool | `false` | | +| ports.web.forwardedHeaders.trustedIPs | list | `[]` | Trust forwarded headers information (X-Forwarded-*). | +| ports.web.nodePort | string | `nil` | See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport) | +| ports.web.port | int | `8000` | | +| ports.web.protocol | string | `"TCP"` | | +| ports.web.proxyProtocol.insecure | bool | `false` | | +| ports.web.proxyProtocol.trustedIPs | list | `[]` | Enable the Proxy Protocol header parsing for the entry point | +| ports.web.redirectTo | object | `{}` | | +| ports.web.targetPort | string | `nil` | | +| ports.web.transport | object | `{"keepAliveMaxRequests":null,"keepAliveMaxTime":null,"lifeCycle":{"graceTimeOut":null,"requestAcceptGraceTimeout":null},"respondingTimeouts":{"idleTimeout":null,"readTimeout":null,"writeTimeout":null}}` | Set transport settings for the entrypoint; see also https://doc.traefik.io/traefik/routing/entrypoints/#transport | +| ports.websecure.allowACMEByPass | bool | `false` | See [upstream documentation](https://doc.traefik.io/traefik/routing/entrypoints/#allowacmebypass) | +| ports.websecure.appProtocol | string | `nil` | See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol) | +| ports.websecure.containerPort | string | `nil` | | +| ports.websecure.expose.default | bool | `true` | | +| ports.websecure.exposedPort | int | `443` | | +| ports.websecure.forwardedHeaders.insecure | bool | `false` | | +| ports.websecure.forwardedHeaders.trustedIPs | list | `[]` | Trust forwarded headers information (X-Forwarded-*). | +| ports.websecure.hostPort | string | `nil` | | +| ports.websecure.http3.advertisedPort | string | `nil` | | +| ports.websecure.http3.enabled | bool | `false` | | +| ports.websecure.middlewares | list | `[]` | /!\ It introduces here a link between your static configuration and your dynamic configuration /!\ It follows the provider naming convention: https://doc.traefik.io/traefik/providers/overview/#provider-namespace - namespace-name1@kubernetescrd - namespace-name2@kubernetescrd | +| ports.websecure.nodePort | string | `nil` | See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport) | +| ports.websecure.port | int | `8443` | | +| ports.websecure.protocol | string | `"TCP"` | | +| ports.websecure.proxyProtocol.insecure | bool | `false` | | +| ports.websecure.proxyProtocol.trustedIPs | list | `[]` | Enable the Proxy Protocol header parsing for the entry point | +| ports.websecure.targetPort | string | `nil` | | +| ports.websecure.tls | object | `{"certResolver":"","domains":[],"enabled":true,"options":""}` | See [upstream documentation](https://doc.traefik.io/traefik/routing/entrypoints/#tls) | +| ports.websecure.transport | object | `{"keepAliveMaxRequests":null,"keepAliveMaxTime":null,"lifeCycle":{"graceTimeOut":null,"requestAcceptGraceTimeout":null},"respondingTimeouts":{"idleTimeout":null,"readTimeout":null,"writeTimeout":null}}` | See [upstream documentation](https://doc.traefik.io/traefik/routing/entrypoints/#transport) | +| priorityClassName | string | `""` | [Pod Priority and Preemption](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) | +| providers.file.content | string | `""` | File content (YAML format, go template supported) (see https://doc.traefik.io/traefik/providers/file/) | +| providers.file.enabled | bool | `false` | Create a file provider | +| providers.file.watch | bool | `true` | Allows Traefik to automatically watch for file changes | +| providers.kubernetesCRD.allowCrossNamespace | bool | `false` | Allows IngressRoute to reference resources in namespace other than theirs | +| providers.kubernetesCRD.allowEmptyServices | bool | `true` | Allows to return 503 when there is no endpoints available | +| providers.kubernetesCRD.allowExternalNameServices | bool | `false` | Allows to reference ExternalName services in IngressRoute | +| providers.kubernetesCRD.enabled | bool | `true` | Load Kubernetes IngressRoute provider | +| providers.kubernetesCRD.ingressClass | string | `""` | When the parameter is set, only resources containing an annotation with the same value are processed. Otherwise, resources missing the annotation, having an empty value, or the value traefik are processed. It will also set required annotation on Dashboard and Healthcheck IngressRoute when enabled. | +| providers.kubernetesCRD.namespaces | list | `[]` | Array of namespaces to watch. If left empty, Traefik watches all namespaces. | +| providers.kubernetesCRD.nativeLBByDefault | bool | `false` | Defines whether to use Native Kubernetes load-balancing mode by default. | +| providers.kubernetesGateway.enabled | bool | `false` | Enable Traefik Gateway provider for Gateway API | +| providers.kubernetesGateway.experimentalChannel | bool | `false` | Toggles support for the Experimental Channel resources (Gateway API release channels documentation). This option currently enables support for TCPRoute and TLSRoute. | +| providers.kubernetesGateway.labelselector | string | `""` | A label selector can be defined to filter on specific GatewayClass objects only. | +| providers.kubernetesGateway.namespaces | list | `[]` | Array of namespaces to watch. If left empty, Traefik watches all namespaces. | +| providers.kubernetesIngress.allowEmptyServices | bool | `true` | Allows to return 503 when there is no endpoints available | +| providers.kubernetesIngress.allowExternalNameServices | bool | `false` | Allows to reference ExternalName services in Ingress | +| providers.kubernetesIngress.enabled | bool | `true` | Load Kubernetes Ingress provider | +| providers.kubernetesIngress.ingressClass | string | `nil` | When ingressClass is set, only Ingresses containing an annotation with the same value are processed. Otherwise, Ingresses missing the annotation, having an empty value, or the value traefik are processed. | +| providers.kubernetesIngress.namespaces | list | `[]` | Array of namespaces to watch. If left empty, Traefik watches all namespaces. | +| providers.kubernetesIngress.nativeLBByDefault | bool | `false` | Defines whether to use Native Kubernetes load-balancing mode by default. | +| providers.kubernetesIngress.publishedService.enabled | bool | `false` | | +| rbac | object | `{"aggregateTo":[],"enabled":true,"namespaced":false,"secretResourceNames":[]}` | Whether Role Based Access Control objects like roles and rolebindings should be created | +| readinessProbe.failureThreshold | int | `1` | The number of consecutive failures allowed before considering the probe as failed. | +| readinessProbe.initialDelaySeconds | int | `2` | The number of seconds to wait before starting the first probe. | +| readinessProbe.periodSeconds | int | `10` | The number of seconds to wait between consecutive probes. | +| readinessProbe.successThreshold | int | `1` | The minimum consecutive successes required to consider the probe successful. | +| readinessProbe.timeoutSeconds | int | `2` | The number of seconds to wait for a probe response before considering it as failed. | +| resources | object | `{}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for `traefik` container. | +| securityContext | object | See _values.yaml_ | [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | +| service.additionalServices | object | `{}` | | +| service.annotations | object | `{}` | Additional annotations applied to both TCP and UDP services (e.g. for cloud provider specific config) | +| service.annotationsTCP | object | `{}` | Additional annotations for TCP service only | +| service.annotationsUDP | object | `{}` | Additional annotations for UDP service only | +| service.enabled | bool | `true` | | +| service.externalIPs | list | `[]` | | +| service.labels | object | `{}` | Additional service labels (e.g. for filtering Service by custom labels) | +| service.loadBalancerSourceRanges | list | `[]` | | +| service.single | bool | `true` | | +| service.spec | object | `{}` | Cannot contain type, selector or ports entries. | +| service.type | string | `"LoadBalancer"` | | +| serviceAccount | object | `{"name":""}` | The service account the pods will use to interact with the Kubernetes API | +| serviceAccountAnnotations | object | `{}` | Additional serviceAccount annotations (e.g. for oidc authentication) | +| startupProbe | object | `{}` | Define [Startup Probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes) | +| tlsOptions | object | `{}` | TLS Options are created as [TLSOption CRDs](https://doc.traefik.io/traefik/https/tls/#tls-options) When using `labelSelector`, you'll need to set labels on tlsOption accordingly. See EXAMPLE.md for details. | +| tlsStore | object | `{}` | TLS Store are created as [TLSStore CRDs](https://doc.traefik.io/traefik/https/tls/#default-certificate). This is useful if you want to set a default certificate. See EXAMPLE.md for details. | +| tolerations | list | `[]` | Tolerations allow the scheduler to schedule pods with matching taints. | +| topologySpreadConstraints | list | `[]` | You can use topology spread constraints to control how Pods are spread across your cluster among failure-domains. | +| tracing | object | `{"addInternals":false,"otlp":{"enabled":false,"grpc":{"enabled":false,"endpoint":"","insecure":false,"tls":{"ca":"","cert":"","insecureSkipVerify":false,"key":""}},"http":{"enabled":false,"endpoint":"","headers":{},"tls":{"ca":"","cert":"","insecureSkipVerify":false,"key":""}}}}` | https://doc.traefik.io/traefik/observability/tracing/overview/ | +| tracing.addInternals | bool | `false` | Enables tracing for internal resources. Default: false. | +| tracing.otlp.enabled | bool | `false` | See https://doc.traefik.io/traefik/v3.0/observability/tracing/opentelemetry/ | +| tracing.otlp.grpc.enabled | bool | `false` | Set to true in order to send metrics to the OpenTelemetry Collector using gRPC | +| tracing.otlp.grpc.endpoint | string | `""` | Format: ://:. Default: http://localhost:4318/v1/metrics | +| tracing.otlp.grpc.insecure | bool | `false` | Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol. | +| tracing.otlp.grpc.tls.ca | string | `""` | The path to the certificate authority, it defaults to the system bundle. | +| tracing.otlp.grpc.tls.cert | string | `""` | The path to the public certificate. When using this option, setting the key option is required. | +| tracing.otlp.grpc.tls.insecureSkipVerify | bool | `false` | When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. | +| tracing.otlp.grpc.tls.key | string | `""` | The path to the private key. When using this option, setting the cert option is required. | +| tracing.otlp.http.enabled | bool | `false` | Set to true in order to send metrics to the OpenTelemetry Collector using HTTP. | +| tracing.otlp.http.endpoint | string | `""` | Format: ://:. Default: http://localhost:4318/v1/metrics | +| tracing.otlp.http.headers | object | `{}` | Additional headers sent with metrics by the reporter to the OpenTelemetry Collector. | +| tracing.otlp.http.tls.ca | string | `""` | The path to the certificate authority, it defaults to the system bundle. | +| tracing.otlp.http.tls.cert | string | `""` | The path to the public certificate. When using this option, setting the key option is required. | +| tracing.otlp.http.tls.insecureSkipVerify | bool | `false` | When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. | +| tracing.otlp.http.tls.key | string | `""` | The path to the private key. When using this option, setting the cert option is required. | +| updateStrategy.rollingUpdate.maxSurge | int | `1` | | +| updateStrategy.rollingUpdate.maxUnavailable | int | `0` | | +| updateStrategy.type | string | `"RollingUpdate"` | Customize updateStrategy of Deployment or DaemonSet | +| volumes | list | `[]` | Add volumes to the traefik pod. The volume name will be passed to tpl. This can be used to mount a cert pair or a configmap that holds a config.toml file. After the volume has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg: `additionalArguments: - "--providers.file.filename=/config/dynamic.toml" - "--ping" - "--ping.entrypoint=web"` | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2) diff --git a/charts/traefik/traefik/32.0.0/app-readme.md b/charts/traefik/traefik/32.0.0/app-readme.md new file mode 100644 index 000000000..7289af5d0 --- /dev/null +++ b/charts/traefik/traefik/32.0.0/app-readme.md @@ -0,0 +1,5 @@ +# Traefik Proxy + +[Traefik](https://traefik.io/) is a modern HTTP reverse proxy and load balancer made to deploy microservices with ease. + +This chart bootstraps Traefik version 2 as a Kubernetes ingress controller. diff --git a/charts/traefik/traefik/32.0.0/crds/gateway-standard-install-v1.1.0.yaml b/charts/traefik/traefik/32.0.0/crds/gateway-standard-install-v1.1.0.yaml new file mode 100644 index 000000000..fcb65e66f --- /dev/null +++ b/charts/traefik/traefik/32.0.0/crds/gateway-standard-install-v1.1.0.yaml @@ -0,0 +1,13478 @@ +# Copyright 2024 The Kubernetes Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# +# Gateway API Standard channel install +# +--- +# +# config/crd/standard/gateway.networking.k8s.io_gatewayclasses.yaml +# +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997 + gateway.networking.k8s.io/bundle-version: v1.1.0 + gateway.networking.k8s.io/channel: standard + creationTimestamp: null + name: gatewayclasses.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: GatewayClass + listKind: GatewayClassList + plural: gatewayclasses + shortNames: + - gc + singular: gatewayclass + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.controllerName + name: Controller + type: string + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.description + name: Description + priority: 1 + type: string + name: v1 + schema: + openAPIV3Schema: + description: |- + GatewayClass describes a class of Gateways available to the user for creating + Gateway resources. + + + It is recommended that this resource be used as a template for Gateways. This + means that a Gateway is based on the state of the GatewayClass at the time it + was created and changes to the GatewayClass or associated parameters are not + propagated down to existing Gateways. This recommendation is intended to + limit the blast radius of changes to GatewayClass or associated parameters. + If implementations choose to propagate GatewayClass changes to existing + Gateways, that MUST be clearly documented by the implementation. + + + Whenever one or more Gateways are using a GatewayClass, implementations SHOULD + add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the + associated GatewayClass. This ensures that a GatewayClass associated with a + Gateway is not deleted while in use. + + + GatewayClass is a Cluster level resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClass. + properties: + controllerName: + description: |- + ControllerName is the name of the controller that is managing Gateways of + this class. The value of this field MUST be a domain prefixed path. + + + Example: "example.net/gateway-controller". + + + This field is not mutable and cannot be empty. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + x-kubernetes-validations: + - message: Value is immutable + rule: self == oldSelf + description: + description: Description helps describe a GatewayClass with more details. + maxLength: 64 + type: string + parametersRef: + description: |- + ParametersRef is a reference to a resource that contains the configuration + parameters corresponding to the GatewayClass. This is optional if the + controller does not require any additional configuration. + + + ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, + or an implementation-specific custom resource. The resource can be + cluster-scoped or namespace-scoped. + + + If the referent cannot be found, the GatewayClass's "InvalidParameters" + status condition will be true. + + + A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified, + the merging behavior is implementation specific. + It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. + + + Support: Implementation-specific + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. + This field is required when referring to a Namespace-scoped resource and + MUST be unset when referring to a Cluster-scoped resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + required: + - controllerName + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Waiting + status: Unknown + type: Accepted + description: |- + Status defines the current state of GatewayClass. + + + Implementations MUST populate status on all GatewayClass resources which + specify their controller name. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: |- + Conditions is the current status from the controller for + this GatewayClass. + + + Controllers should prefer to publish conditions using values + of GatewayClassConditionType for the type of each Condition. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.controllerName + name: Controller + type: string + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.description + name: Description + priority: 1 + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: |- + GatewayClass describes a class of Gateways available to the user for creating + Gateway resources. + + + It is recommended that this resource be used as a template for Gateways. This + means that a Gateway is based on the state of the GatewayClass at the time it + was created and changes to the GatewayClass or associated parameters are not + propagated down to existing Gateways. This recommendation is intended to + limit the blast radius of changes to GatewayClass or associated parameters. + If implementations choose to propagate GatewayClass changes to existing + Gateways, that MUST be clearly documented by the implementation. + + + Whenever one or more Gateways are using a GatewayClass, implementations SHOULD + add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the + associated GatewayClass. This ensures that a GatewayClass associated with a + Gateway is not deleted while in use. + + + GatewayClass is a Cluster level resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClass. + properties: + controllerName: + description: |- + ControllerName is the name of the controller that is managing Gateways of + this class. The value of this field MUST be a domain prefixed path. + + + Example: "example.net/gateway-controller". + + + This field is not mutable and cannot be empty. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + x-kubernetes-validations: + - message: Value is immutable + rule: self == oldSelf + description: + description: Description helps describe a GatewayClass with more details. + maxLength: 64 + type: string + parametersRef: + description: |- + ParametersRef is a reference to a resource that contains the configuration + parameters corresponding to the GatewayClass. This is optional if the + controller does not require any additional configuration. + + + ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, + or an implementation-specific custom resource. The resource can be + cluster-scoped or namespace-scoped. + + + If the referent cannot be found, the GatewayClass's "InvalidParameters" + status condition will be true. + + + A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified, + the merging behavior is implementation specific. + It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. + + + Support: Implementation-specific + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. + This field is required when referring to a Namespace-scoped resource and + MUST be unset when referring to a Cluster-scoped resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + required: + - controllerName + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Waiting + status: Unknown + type: Accepted + description: |- + Status defines the current state of GatewayClass. + + + Implementations MUST populate status on all GatewayClass resources which + specify their controller name. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: |- + Conditions is the current status from the controller for + this GatewayClass. + + + Controllers should prefer to publish conditions using values + of GatewayClassConditionType for the type of each Condition. + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# +# config/crd/standard/gateway.networking.k8s.io_gateways.yaml +# +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997 + gateway.networking.k8s.io/bundle-version: v1.1.0 + gateway.networking.k8s.io/channel: standard + creationTimestamp: null + name: gateways.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: Gateway + listKind: GatewayList + plural: gateways + shortNames: + - gtw + singular: gateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.gatewayClassName + name: Class + type: string + - jsonPath: .status.addresses[*].value + name: Address + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + Gateway represents an instance of a service-traffic handling infrastructure + by binding Listeners to a set of IP addresses. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of Gateway. + properties: + addresses: + description: |+ + Addresses requested for this Gateway. This is optional and behavior can + depend on the implementation. If a value is set in the spec and the + requested address is invalid or unavailable, the implementation MUST + indicate this in the associated entry in GatewayStatus.Addresses. + + + The Addresses field represents a request for the address(es) on the + "outside of the Gateway", that traffic bound for this Gateway will use. + This could be the IP address or hostname of an external load balancer or + other networking infrastructure, or some other address that traffic will + be sent to. + + + If no Addresses are specified, the implementation MAY schedule the + Gateway in an implementation-specific manner, assigning an appropriate + set of Addresses. + + + The implementation MUST bind all Listeners to every GatewayAddress that + it assigns to the Gateway and add a corresponding entry in + GatewayStatus.Addresses. + + + Support: Extended + + + items: + description: GatewayAddress describes an address that can be bound + to a Gateway. + oneOf: + - properties: + type: + enum: + - IPAddress + value: + anyOf: + - format: ipv4 + - format: ipv6 + - properties: + type: + not: + enum: + - IPAddress + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: |- + Value of the address. The validity of the values will depend + on the type and support by the controller. + + + Examples: `1.2.3.4`, `128::1`, `my-ip-address`. + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + x-kubernetes-validations: + - message: Hostname value must only contain valid characters (matching + ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$) + rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""): + true' + maxItems: 16 + type: array + x-kubernetes-validations: + - message: IPAddress values must be unique + rule: 'self.all(a1, a1.type == ''IPAddress'' ? self.exists_one(a2, + a2.type == a1.type && a2.value == a1.value) : true )' + - message: Hostname values must be unique + rule: 'self.all(a1, a1.type == ''Hostname'' ? self.exists_one(a2, + a2.type == a1.type && a2.value == a1.value) : true )' + gatewayClassName: + description: |- + GatewayClassName used for this Gateway. This is the name of a + GatewayClass resource. + maxLength: 253 + minLength: 1 + type: string + listeners: + description: |- + Listeners associated with this Gateway. Listeners define + logical endpoints that are bound on this Gateway's addresses. + At least one Listener MUST be specified. + + + Each Listener in a set of Listeners (for example, in a single Gateway) + MUST be _distinct_, in that a traffic flow MUST be able to be assigned to + exactly one listener. (This section uses "set of Listeners" rather than + "Listeners in a single Gateway" because implementations MAY merge configuration + from multiple Gateways onto a single data plane, and these rules _also_ + apply in that case). + + + Practically, this means that each listener in a set MUST have a unique + combination of Port, Protocol, and, if supported by the protocol, Hostname. + + + Some combinations of port, protocol, and TLS settings are considered + Core support and MUST be supported by implementations based on their + targeted conformance profile: + + + HTTP Profile + + + 1. HTTPRoute, Port: 80, Protocol: HTTP + 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided + + + TLS Profile + + + 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough + + + "Distinct" Listeners have the following property: + + + The implementation can match inbound requests to a single distinct + Listener. When multiple Listeners share values for fields (for + example, two Listeners with the same Port value), the implementation + can match requests to only one of the Listeners using other + Listener fields. + + + For example, the following Listener scenarios are distinct: + + + 1. Multiple Listeners with the same Port that all use the "HTTP" + Protocol that all have unique Hostname values. + 2. Multiple Listeners with the same Port that use either the "HTTPS" or + "TLS" Protocol that all have unique Hostname values. + 3. A mixture of "TCP" and "UDP" Protocol Listeners, where no Listener + with the same Protocol has the same Port value. + + + Some fields in the Listener struct have possible values that affect + whether the Listener is distinct. Hostname is particularly relevant + for HTTP or HTTPS protocols. + + + When using the Hostname value to select between same-Port, same-Protocol + Listeners, the Hostname value must be different on each Listener for the + Listener to be distinct. + + + When the Listeners are distinct based on Hostname, inbound request + hostnames MUST match from the most specific to least specific Hostname + values to choose the correct Listener and its associated set of Routes. + + + Exact matches must be processed before wildcard matches, and wildcard + matches must be processed before fallback (empty Hostname value) + matches. For example, `"foo.example.com"` takes precedence over + `"*.example.com"`, and `"*.example.com"` takes precedence over `""`. + + + Additionally, if there are multiple wildcard entries, more specific + wildcard entries must be processed before less specific wildcard entries. + For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`. + The precise definition here is that the higher the number of dots in the + hostname to the right of the wildcard character, the higher the precedence. + + + The wildcard character will match any number of characters _and dots_ to + the left, however, so `"*.example.com"` will match both + `"foo.bar.example.com"` _and_ `"bar.example.com"`. + + + If a set of Listeners contains Listeners that are not distinct, then those + Listeners are Conflicted, and the implementation MUST set the "Conflicted" + condition in the Listener Status to "True". + + + Implementations MAY choose to accept a Gateway with some Conflicted + Listeners only if they only accept the partial Listener set that contains + no Conflicted Listeners. To put this another way, implementations may + accept a partial Listener set only if they throw out *all* the conflicting + Listeners. No picking one of the conflicting listeners as the winner. + This also means that the Gateway must have at least one non-conflicting + Listener in this case, otherwise it violates the requirement that at + least one Listener must be present. + + + The implementation MUST set a "ListenersNotValid" condition on the + Gateway Status when the Gateway contains Conflicted Listeners whether or + not they accept the Gateway. That Condition SHOULD clearly + indicate in the Message which Listeners are conflicted, and which are + Accepted. Additionally, the Listener status for those listeners SHOULD + indicate which Listeners are conflicted and not Accepted. + + + A Gateway's Listeners are considered "compatible" if: + + + 1. They are distinct. + 2. The implementation can serve them in compliance with the Addresses + requirement that all Listeners are available on all assigned + addresses. + + + Compatible combinations in Extended support are expected to vary across + implementations. A combination that is compatible for one implementation + may not be compatible for another. + + + For example, an implementation that cannot serve both TCP and UDP listeners + on the same address, or cannot mix HTTPS and generic TLS listens on the same port + would not consider those cases compatible, even though they are distinct. + + + Note that requests SHOULD match at most one Listener. For example, if + Listeners are defined for "foo.example.com" and "*.example.com", a + request to "foo.example.com" SHOULD only be routed using routes attached + to the "foo.example.com" Listener (and not the "*.example.com" Listener). + This concept is known as "Listener Isolation". Implementations that do + not support Listener Isolation MUST clearly document this. + + + Implementations MAY merge separate Gateways onto a single set of + Addresses if all Listeners across all Gateways are compatible. + + + Support: Core + items: + description: |- + Listener embodies the concept of a logical endpoint where a Gateway accepts + network connections. + properties: + allowedRoutes: + default: + namespaces: + from: Same + description: |- + AllowedRoutes defines the types of routes that MAY be attached to a + Listener and the trusted namespaces where those Route resources MAY be + present. + + + Although a client request may match multiple route rules, only one rule + may ultimately receive the request. Matching precedence MUST be + determined in order of the following criteria: + + + * The most specific match as defined by the Route type. + * The oldest Route based on creation timestamp. For example, a Route with + a creation timestamp of "2020-09-08 01:02:03" is given precedence over + a Route with a creation timestamp of "2020-09-08 01:02:04". + * If everything else is equivalent, the Route appearing first in + alphabetical order (namespace/name) should be given precedence. For + example, foo/bar is given precedence over foo/baz. + + + All valid rules within a Route attached to this Listener should be + implemented. Invalid Route rules can be ignored (sometimes that will mean + the full Route). If a Route rule transitions from valid to invalid, + support for that Route rule should be dropped to ensure consistency. For + example, even if a filter specified by a Route rule is invalid, the rest + of the rules within that Route should still be supported. + + + Support: Core + properties: + kinds: + description: |- + Kinds specifies the groups and kinds of Routes that are allowed to bind + to this Gateway Listener. When unspecified or empty, the kinds of Routes + selected are determined using the Listener protocol. + + + A RouteGroupKind MUST correspond to kinds of Routes that are compatible + with the application protocol specified in the Listener's Protocol field. + If an implementation does not support or recognize this resource type, it + MUST set the "ResolvedRefs" condition to False for this Listener with the + "InvalidRouteKinds" reason. + + + Support: Core + items: + description: RouteGroupKind indicates the group and kind + of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + namespaces: + default: + from: Same + description: |- + Namespaces indicates namespaces from which Routes may be attached to this + Listener. This is restricted to the namespace of this Gateway by default. + + + Support: Core + properties: + from: + default: Same + description: |- + From indicates where Routes will be selected for this Gateway. Possible + values are: + + + * All: Routes in all namespaces may be used by this Gateway. + * Selector: Routes in namespaces selected by the selector may be used by + this Gateway. + * Same: Only Routes in the same namespace may be used by this Gateway. + + + Support: Core + enum: + - All + - Selector + - Same + type: string + selector: + description: |- + Selector must be specified when From is set to "Selector". In that case, + only Routes in Namespaces matching this Selector will be selected by this + Gateway. This field is ignored for other values of "From". + + + Support: Core + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: object + hostname: + description: |- + Hostname specifies the virtual hostname to match for protocol types that + define this concept. When unspecified, all hostnames are matched. This + field is ignored for protocols that don't require hostname based + matching. + + + Implementations MUST apply Hostname matching appropriately for each of + the following protocols: + + + * TLS: The Listener Hostname MUST match the SNI. + * HTTP: The Listener Hostname MUST match the Host header of the request. + * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP + protocol layers as described above. If an implementation does not + ensure that both the SNI and Host header match the Listener hostname, + it MUST clearly document that. + + + For HTTPRoute and TLSRoute resources, there is an interaction with the + `spec.hostnames` array. When both listener and route specify hostnames, + there MUST be an intersection between the values for a Route to be + accepted. For more information, refer to the Route specific Hostnames + documentation. + + + Hostnames that are prefixed with a wildcard label (`*.`) are interpreted + as a suffix match. That means that a match for `*.example.com` would match + both `test.example.com`, and `foo.test.example.com`, but not `example.com`. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + name: + description: |- + Name is the name of the Listener. This name MUST be unique within a + Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + port: + description: |- + Port is the network port. Multiple listeners may use the + same port, subject to the Listener compatibility rules. + + + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: |- + Protocol specifies the network protocol this listener expects to receive. + + + Support: Core + maxLength: 255 + minLength: 1 + pattern: ^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ + type: string + tls: + description: |- + TLS is the TLS configuration for the Listener. This field is required if + the Protocol field is "HTTPS" or "TLS". It is invalid to set this field + if the Protocol field is "HTTP", "TCP", or "UDP". + + + The association of SNIs to Certificate defined in GatewayTLSConfig is + defined based on the Hostname field for this listener. + + + The GatewayClass MUST use the longest matching SNI out of all + available certificates for any TLS handshake. + + + Support: Core + properties: + certificateRefs: + description: |- + CertificateRefs contains a series of references to Kubernetes objects that + contains TLS certificates and private keys. These certificates are used to + establish a TLS handshake for requests that match the hostname of the + associated listener. + + + A single CertificateRef to a Kubernetes Secret has "Core" support. + Implementations MAY choose to support attaching multiple certificates to + a Listener, but this behavior is implementation-specific. + + + References to a resource in different namespace are invalid UNLESS there + is a ReferenceGrant in the target namespace that allows the certificate + to be attached. If a ReferenceGrant does not allow this reference, the + "ResolvedRefs" condition MUST be set to False for this listener with the + "RefNotPermitted" reason. + + + This field is required to have at least one element when the mode is set + to "Terminate" (default) and is optional otherwise. + + + CertificateRefs can reference to standard Kubernetes resources, i.e. + Secret, or implementation-specific custom resources. + + + Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls + + + Support: Implementation-specific (More than one reference or other resource types) + items: + description: |- + SecretObjectReference identifies an API object including its namespace, + defaulting to Secret. + + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + + + References to objects with invalid Group and Kind are not valid, and must + be rejected by the implementation, with appropriate Conditions set + on the containing object. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. When unspecified, the local + namespace is inferred. + + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 64 + type: array + mode: + default: Terminate + description: |- + Mode defines the TLS behavior for the TLS session initiated by the client. + There are two possible modes: + + + - Terminate: The TLS session between the downstream client and the + Gateway is terminated at the Gateway. This mode requires certificates + to be specified in some way, such as populating the certificateRefs + field. + - Passthrough: The TLS session is NOT terminated by the Gateway. This + implies that the Gateway can't decipher the TLS stream except for + the ClientHello message of the TLS protocol. The certificateRefs field + is ignored in this mode. + + + Support: Core + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: + description: |- + AnnotationValue is the value of an annotation in Gateway API. This is used + for validation of maps such as TLS options. This roughly matches Kubernetes + annotation validation, although the length validation in that case is based + on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: |- + Options are a list of key/value pairs to enable extended TLS + configuration for each implementation. For example, configuring the + minimum TLS version or supported cipher suites. + + + A set of common keys MAY be defined by the API in the future. To avoid + any ambiguity, implementation-specific definitions MUST use + domain-prefixed names, such as `example.com/my-custom-option`. + Un-prefixed names are reserved for key names defined by Gateway API. + + + Support: Implementation-specific + maxProperties: 16 + type: object + type: object + x-kubernetes-validations: + - message: certificateRefs or options must be specified when + mode is Terminate + rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs) + > 0 || size(self.options) > 0 : true' + required: + - name + - port + - protocol + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: tls must not be specified for protocols ['HTTP', 'TCP', + 'UDP'] + rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ? + !has(l.tls) : true)' + - message: tls mode must be Terminate for protocol HTTPS + rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode + == '''' || l.tls.mode == ''Terminate'') : true)' + - message: hostname must not be specified for protocols ['TCP', 'UDP'] + rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) + || l.hostname == '''') : true)' + - message: Listener name must be unique within the Gateway + rule: self.all(l1, self.exists_one(l2, l1.name == l2.name)) + - message: Combination of port, protocol and hostname must be unique + for each listener + rule: 'self.all(l1, self.exists_one(l2, l1.port == l2.port && l1.protocol + == l2.protocol && (has(l1.hostname) && has(l2.hostname) ? l1.hostname + == l2.hostname : !has(l1.hostname) && !has(l2.hostname))))' + required: + - gatewayClassName + - listeners + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: Status defines the current state of Gateway. + properties: + addresses: + description: |+ + Addresses lists the network addresses that have been bound to the + Gateway. + + + This list may differ from the addresses provided in the spec under some + conditions: + + + * no addresses are specified, all addresses are dynamically assigned + * a combination of specified and dynamic addresses are assigned + * a specified address was unusable (e.g. already in use) + + + items: + description: GatewayStatusAddress describes a network address that + is bound to a Gateway. + oneOf: + - properties: + type: + enum: + - IPAddress + value: + anyOf: + - format: ipv4 + - format: ipv6 + - properties: + type: + not: + enum: + - IPAddress + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: |- + Value of the address. The validity of the values will depend + on the type and support by the controller. + + + Examples: `1.2.3.4`, `128::1`, `my-ip-address`. + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + x-kubernetes-validations: + - message: Hostname value must only contain valid characters (matching + ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$) + rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""): + true' + maxItems: 16 + type: array + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: |- + Conditions describe the current conditions of the Gateway. + + + Implementations should prefer to express Gateway conditions + using the `GatewayConditionType` and `GatewayConditionReason` + constants so that operators and tools can converge on a common + vocabulary to describe Gateway state. + + + Known condition types are: + + + * "Accepted" + * "Programmed" + * "Ready" + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: Listeners provide status for each unique listener port + defined in the Spec. + items: + description: ListenerStatus is the status associated with a Listener. + properties: + attachedRoutes: + description: |- + AttachedRoutes represents the total number of Routes that have been + successfully attached to this Listener. + + + Successful attachment of a Route to a Listener is based solely on the + combination of the AllowedRoutes field on the corresponding Listener + and the Route's ParentRefs field. A Route is successfully attached to + a Listener when it is selected by the Listener's AllowedRoutes field + AND the Route has a valid ParentRef selecting the whole Gateway + resource or a specific Listener as a parent resource (more detail on + attachment semantics can be found in the documentation on the various + Route kinds ParentRefs fields). Listener or Route status does not impact + successful attachment, i.e. the AttachedRoutes field count MUST be set + for Listeners with condition Accepted: false and MUST count successfully + attached Routes that may themselves have Accepted: false conditions. + + + Uses for this field include troubleshooting Route attachment and + measuring blast radius/impact of changes to a Listener. + format: int32 + type: integer + conditions: + description: Conditions describe the current condition of this + listener. + items: + description: "Condition contains details for one aspect of + the current state of this API Resource.\n---\nThis struct + is intended for direct use as an array at the field path + .status.conditions. For example,\n\n\n\ttype FooStatus + struct{\n\t // Represents the observations of a foo's + current state.\n\t // Known .status.conditions.type are: + \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // + +listType=map\n\t // +listMapKey=type\n\t Conditions + []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" + patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + name: + description: Name is the name of the Listener that this status + corresponds to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + supportedKinds: + description: |- + SupportedKinds is the list indicating the Kinds supported by this + listener. This MUST represent the kinds an implementation supports for + that Listener configuration. + + + If kinds are specified in Spec that are not supported, they MUST NOT + appear in this list and an implementation MUST set the "ResolvedRefs" + condition to "False" with the "InvalidRouteKinds" reason. If both valid + and invalid Route kinds are specified, the implementation MUST + reference the valid Route kinds that have been specified. + items: + description: RouteGroupKind indicates the group and kind of + a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + required: + - attachedRoutes + - conditions + - name + - supportedKinds + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.gatewayClassName + name: Class + type: string + - jsonPath: .status.addresses[*].value + name: Address + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: |- + Gateway represents an instance of a service-traffic handling infrastructure + by binding Listeners to a set of IP addresses. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of Gateway. + properties: + addresses: + description: |+ + Addresses requested for this Gateway. This is optional and behavior can + depend on the implementation. If a value is set in the spec and the + requested address is invalid or unavailable, the implementation MUST + indicate this in the associated entry in GatewayStatus.Addresses. + + + The Addresses field represents a request for the address(es) on the + "outside of the Gateway", that traffic bound for this Gateway will use. + This could be the IP address or hostname of an external load balancer or + other networking infrastructure, or some other address that traffic will + be sent to. + + + If no Addresses are specified, the implementation MAY schedule the + Gateway in an implementation-specific manner, assigning an appropriate + set of Addresses. + + + The implementation MUST bind all Listeners to every GatewayAddress that + it assigns to the Gateway and add a corresponding entry in + GatewayStatus.Addresses. + + + Support: Extended + + + items: + description: GatewayAddress describes an address that can be bound + to a Gateway. + oneOf: + - properties: + type: + enum: + - IPAddress + value: + anyOf: + - format: ipv4 + - format: ipv6 + - properties: + type: + not: + enum: + - IPAddress + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: |- + Value of the address. The validity of the values will depend + on the type and support by the controller. + + + Examples: `1.2.3.4`, `128::1`, `my-ip-address`. + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + x-kubernetes-validations: + - message: Hostname value must only contain valid characters (matching + ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$) + rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""): + true' + maxItems: 16 + type: array + x-kubernetes-validations: + - message: IPAddress values must be unique + rule: 'self.all(a1, a1.type == ''IPAddress'' ? self.exists_one(a2, + a2.type == a1.type && a2.value == a1.value) : true )' + - message: Hostname values must be unique + rule: 'self.all(a1, a1.type == ''Hostname'' ? self.exists_one(a2, + a2.type == a1.type && a2.value == a1.value) : true )' + gatewayClassName: + description: |- + GatewayClassName used for this Gateway. This is the name of a + GatewayClass resource. + maxLength: 253 + minLength: 1 + type: string + listeners: + description: |- + Listeners associated with this Gateway. Listeners define + logical endpoints that are bound on this Gateway's addresses. + At least one Listener MUST be specified. + + + Each Listener in a set of Listeners (for example, in a single Gateway) + MUST be _distinct_, in that a traffic flow MUST be able to be assigned to + exactly one listener. (This section uses "set of Listeners" rather than + "Listeners in a single Gateway" because implementations MAY merge configuration + from multiple Gateways onto a single data plane, and these rules _also_ + apply in that case). + + + Practically, this means that each listener in a set MUST have a unique + combination of Port, Protocol, and, if supported by the protocol, Hostname. + + + Some combinations of port, protocol, and TLS settings are considered + Core support and MUST be supported by implementations based on their + targeted conformance profile: + + + HTTP Profile + + + 1. HTTPRoute, Port: 80, Protocol: HTTP + 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided + + + TLS Profile + + + 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough + + + "Distinct" Listeners have the following property: + + + The implementation can match inbound requests to a single distinct + Listener. When multiple Listeners share values for fields (for + example, two Listeners with the same Port value), the implementation + can match requests to only one of the Listeners using other + Listener fields. + + + For example, the following Listener scenarios are distinct: + + + 1. Multiple Listeners with the same Port that all use the "HTTP" + Protocol that all have unique Hostname values. + 2. Multiple Listeners with the same Port that use either the "HTTPS" or + "TLS" Protocol that all have unique Hostname values. + 3. A mixture of "TCP" and "UDP" Protocol Listeners, where no Listener + with the same Protocol has the same Port value. + + + Some fields in the Listener struct have possible values that affect + whether the Listener is distinct. Hostname is particularly relevant + for HTTP or HTTPS protocols. + + + When using the Hostname value to select between same-Port, same-Protocol + Listeners, the Hostname value must be different on each Listener for the + Listener to be distinct. + + + When the Listeners are distinct based on Hostname, inbound request + hostnames MUST match from the most specific to least specific Hostname + values to choose the correct Listener and its associated set of Routes. + + + Exact matches must be processed before wildcard matches, and wildcard + matches must be processed before fallback (empty Hostname value) + matches. For example, `"foo.example.com"` takes precedence over + `"*.example.com"`, and `"*.example.com"` takes precedence over `""`. + + + Additionally, if there are multiple wildcard entries, more specific + wildcard entries must be processed before less specific wildcard entries. + For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`. + The precise definition here is that the higher the number of dots in the + hostname to the right of the wildcard character, the higher the precedence. + + + The wildcard character will match any number of characters _and dots_ to + the left, however, so `"*.example.com"` will match both + `"foo.bar.example.com"` _and_ `"bar.example.com"`. + + + If a set of Listeners contains Listeners that are not distinct, then those + Listeners are Conflicted, and the implementation MUST set the "Conflicted" + condition in the Listener Status to "True". + + + Implementations MAY choose to accept a Gateway with some Conflicted + Listeners only if they only accept the partial Listener set that contains + no Conflicted Listeners. To put this another way, implementations may + accept a partial Listener set only if they throw out *all* the conflicting + Listeners. No picking one of the conflicting listeners as the winner. + This also means that the Gateway must have at least one non-conflicting + Listener in this case, otherwise it violates the requirement that at + least one Listener must be present. + + + The implementation MUST set a "ListenersNotValid" condition on the + Gateway Status when the Gateway contains Conflicted Listeners whether or + not they accept the Gateway. That Condition SHOULD clearly + indicate in the Message which Listeners are conflicted, and which are + Accepted. Additionally, the Listener status for those listeners SHOULD + indicate which Listeners are conflicted and not Accepted. + + + A Gateway's Listeners are considered "compatible" if: + + + 1. They are distinct. + 2. The implementation can serve them in compliance with the Addresses + requirement that all Listeners are available on all assigned + addresses. + + + Compatible combinations in Extended support are expected to vary across + implementations. A combination that is compatible for one implementation + may not be compatible for another. + + + For example, an implementation that cannot serve both TCP and UDP listeners + on the same address, or cannot mix HTTPS and generic TLS listens on the same port + would not consider those cases compatible, even though they are distinct. + + + Note that requests SHOULD match at most one Listener. For example, if + Listeners are defined for "foo.example.com" and "*.example.com", a + request to "foo.example.com" SHOULD only be routed using routes attached + to the "foo.example.com" Listener (and not the "*.example.com" Listener). + This concept is known as "Listener Isolation". Implementations that do + not support Listener Isolation MUST clearly document this. + + + Implementations MAY merge separate Gateways onto a single set of + Addresses if all Listeners across all Gateways are compatible. + + + Support: Core + items: + description: |- + Listener embodies the concept of a logical endpoint where a Gateway accepts + network connections. + properties: + allowedRoutes: + default: + namespaces: + from: Same + description: |- + AllowedRoutes defines the types of routes that MAY be attached to a + Listener and the trusted namespaces where those Route resources MAY be + present. + + + Although a client request may match multiple route rules, only one rule + may ultimately receive the request. Matching precedence MUST be + determined in order of the following criteria: + + + * The most specific match as defined by the Route type. + * The oldest Route based on creation timestamp. For example, a Route with + a creation timestamp of "2020-09-08 01:02:03" is given precedence over + a Route with a creation timestamp of "2020-09-08 01:02:04". + * If everything else is equivalent, the Route appearing first in + alphabetical order (namespace/name) should be given precedence. For + example, foo/bar is given precedence over foo/baz. + + + All valid rules within a Route attached to this Listener should be + implemented. Invalid Route rules can be ignored (sometimes that will mean + the full Route). If a Route rule transitions from valid to invalid, + support for that Route rule should be dropped to ensure consistency. For + example, even if a filter specified by a Route rule is invalid, the rest + of the rules within that Route should still be supported. + + + Support: Core + properties: + kinds: + description: |- + Kinds specifies the groups and kinds of Routes that are allowed to bind + to this Gateway Listener. When unspecified or empty, the kinds of Routes + selected are determined using the Listener protocol. + + + A RouteGroupKind MUST correspond to kinds of Routes that are compatible + with the application protocol specified in the Listener's Protocol field. + If an implementation does not support or recognize this resource type, it + MUST set the "ResolvedRefs" condition to False for this Listener with the + "InvalidRouteKinds" reason. + + + Support: Core + items: + description: RouteGroupKind indicates the group and kind + of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + namespaces: + default: + from: Same + description: |- + Namespaces indicates namespaces from which Routes may be attached to this + Listener. This is restricted to the namespace of this Gateway by default. + + + Support: Core + properties: + from: + default: Same + description: |- + From indicates where Routes will be selected for this Gateway. Possible + values are: + + + * All: Routes in all namespaces may be used by this Gateway. + * Selector: Routes in namespaces selected by the selector may be used by + this Gateway. + * Same: Only Routes in the same namespace may be used by this Gateway. + + + Support: Core + enum: + - All + - Selector + - Same + type: string + selector: + description: |- + Selector must be specified when From is set to "Selector". In that case, + only Routes in Namespaces matching this Selector will be selected by this + Gateway. This field is ignored for other values of "From". + + + Support: Core + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: object + hostname: + description: |- + Hostname specifies the virtual hostname to match for protocol types that + define this concept. When unspecified, all hostnames are matched. This + field is ignored for protocols that don't require hostname based + matching. + + + Implementations MUST apply Hostname matching appropriately for each of + the following protocols: + + + * TLS: The Listener Hostname MUST match the SNI. + * HTTP: The Listener Hostname MUST match the Host header of the request. + * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP + protocol layers as described above. If an implementation does not + ensure that both the SNI and Host header match the Listener hostname, + it MUST clearly document that. + + + For HTTPRoute and TLSRoute resources, there is an interaction with the + `spec.hostnames` array. When both listener and route specify hostnames, + there MUST be an intersection between the values for a Route to be + accepted. For more information, refer to the Route specific Hostnames + documentation. + + + Hostnames that are prefixed with a wildcard label (`*.`) are interpreted + as a suffix match. That means that a match for `*.example.com` would match + both `test.example.com`, and `foo.test.example.com`, but not `example.com`. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + name: + description: |- + Name is the name of the Listener. This name MUST be unique within a + Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + port: + description: |- + Port is the network port. Multiple listeners may use the + same port, subject to the Listener compatibility rules. + + + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: |- + Protocol specifies the network protocol this listener expects to receive. + + + Support: Core + maxLength: 255 + minLength: 1 + pattern: ^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ + type: string + tls: + description: |- + TLS is the TLS configuration for the Listener. This field is required if + the Protocol field is "HTTPS" or "TLS". It is invalid to set this field + if the Protocol field is "HTTP", "TCP", or "UDP". + + + The association of SNIs to Certificate defined in GatewayTLSConfig is + defined based on the Hostname field for this listener. + + + The GatewayClass MUST use the longest matching SNI out of all + available certificates for any TLS handshake. + + + Support: Core + properties: + certificateRefs: + description: |- + CertificateRefs contains a series of references to Kubernetes objects that + contains TLS certificates and private keys. These certificates are used to + establish a TLS handshake for requests that match the hostname of the + associated listener. + + + A single CertificateRef to a Kubernetes Secret has "Core" support. + Implementations MAY choose to support attaching multiple certificates to + a Listener, but this behavior is implementation-specific. + + + References to a resource in different namespace are invalid UNLESS there + is a ReferenceGrant in the target namespace that allows the certificate + to be attached. If a ReferenceGrant does not allow this reference, the + "ResolvedRefs" condition MUST be set to False for this listener with the + "RefNotPermitted" reason. + + + This field is required to have at least one element when the mode is set + to "Terminate" (default) and is optional otherwise. + + + CertificateRefs can reference to standard Kubernetes resources, i.e. + Secret, or implementation-specific custom resources. + + + Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls + + + Support: Implementation-specific (More than one reference or other resource types) + items: + description: |- + SecretObjectReference identifies an API object including its namespace, + defaulting to Secret. + + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + + + References to objects with invalid Group and Kind are not valid, and must + be rejected by the implementation, with appropriate Conditions set + on the containing object. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. When unspecified, the local + namespace is inferred. + + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 64 + type: array + mode: + default: Terminate + description: |- + Mode defines the TLS behavior for the TLS session initiated by the client. + There are two possible modes: + + + - Terminate: The TLS session between the downstream client and the + Gateway is terminated at the Gateway. This mode requires certificates + to be specified in some way, such as populating the certificateRefs + field. + - Passthrough: The TLS session is NOT terminated by the Gateway. This + implies that the Gateway can't decipher the TLS stream except for + the ClientHello message of the TLS protocol. The certificateRefs field + is ignored in this mode. + + + Support: Core + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: + description: |- + AnnotationValue is the value of an annotation in Gateway API. This is used + for validation of maps such as TLS options. This roughly matches Kubernetes + annotation validation, although the length validation in that case is based + on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: |- + Options are a list of key/value pairs to enable extended TLS + configuration for each implementation. For example, configuring the + minimum TLS version or supported cipher suites. + + + A set of common keys MAY be defined by the API in the future. To avoid + any ambiguity, implementation-specific definitions MUST use + domain-prefixed names, such as `example.com/my-custom-option`. + Un-prefixed names are reserved for key names defined by Gateway API. + + + Support: Implementation-specific + maxProperties: 16 + type: object + type: object + x-kubernetes-validations: + - message: certificateRefs or options must be specified when + mode is Terminate + rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs) + > 0 || size(self.options) > 0 : true' + required: + - name + - port + - protocol + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: tls must not be specified for protocols ['HTTP', 'TCP', + 'UDP'] + rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ? + !has(l.tls) : true)' + - message: tls mode must be Terminate for protocol HTTPS + rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode + == '''' || l.tls.mode == ''Terminate'') : true)' + - message: hostname must not be specified for protocols ['TCP', 'UDP'] + rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) + || l.hostname == '''') : true)' + - message: Listener name must be unique within the Gateway + rule: self.all(l1, self.exists_one(l2, l1.name == l2.name)) + - message: Combination of port, protocol and hostname must be unique + for each listener + rule: 'self.all(l1, self.exists_one(l2, l1.port == l2.port && l1.protocol + == l2.protocol && (has(l1.hostname) && has(l2.hostname) ? l1.hostname + == l2.hostname : !has(l1.hostname) && !has(l2.hostname))))' + required: + - gatewayClassName + - listeners + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: Status defines the current state of Gateway. + properties: + addresses: + description: |+ + Addresses lists the network addresses that have been bound to the + Gateway. + + + This list may differ from the addresses provided in the spec under some + conditions: + + + * no addresses are specified, all addresses are dynamically assigned + * a combination of specified and dynamic addresses are assigned + * a specified address was unusable (e.g. already in use) + + + items: + description: GatewayStatusAddress describes a network address that + is bound to a Gateway. + oneOf: + - properties: + type: + enum: + - IPAddress + value: + anyOf: + - format: ipv4 + - format: ipv6 + - properties: + type: + not: + enum: + - IPAddress + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: |- + Value of the address. The validity of the values will depend + on the type and support by the controller. + + + Examples: `1.2.3.4`, `128::1`, `my-ip-address`. + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + x-kubernetes-validations: + - message: Hostname value must only contain valid characters (matching + ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$) + rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""): + true' + maxItems: 16 + type: array + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: |- + Conditions describe the current conditions of the Gateway. + + + Implementations should prefer to express Gateway conditions + using the `GatewayConditionType` and `GatewayConditionReason` + constants so that operators and tools can converge on a common + vocabulary to describe Gateway state. + + + Known condition types are: + + + * "Accepted" + * "Programmed" + * "Ready" + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: Listeners provide status for each unique listener port + defined in the Spec. + items: + description: ListenerStatus is the status associated with a Listener. + properties: + attachedRoutes: + description: |- + AttachedRoutes represents the total number of Routes that have been + successfully attached to this Listener. + + + Successful attachment of a Route to a Listener is based solely on the + combination of the AllowedRoutes field on the corresponding Listener + and the Route's ParentRefs field. A Route is successfully attached to + a Listener when it is selected by the Listener's AllowedRoutes field + AND the Route has a valid ParentRef selecting the whole Gateway + resource or a specific Listener as a parent resource (more detail on + attachment semantics can be found in the documentation on the various + Route kinds ParentRefs fields). Listener or Route status does not impact + successful attachment, i.e. the AttachedRoutes field count MUST be set + for Listeners with condition Accepted: false and MUST count successfully + attached Routes that may themselves have Accepted: false conditions. + + + Uses for this field include troubleshooting Route attachment and + measuring blast radius/impact of changes to a Listener. + format: int32 + type: integer + conditions: + description: Conditions describe the current condition of this + listener. + items: + description: "Condition contains details for one aspect of + the current state of this API Resource.\n---\nThis struct + is intended for direct use as an array at the field path + .status.conditions. For example,\n\n\n\ttype FooStatus + struct{\n\t // Represents the observations of a foo's + current state.\n\t // Known .status.conditions.type are: + \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // + +listType=map\n\t // +listMapKey=type\n\t Conditions + []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" + patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + name: + description: Name is the name of the Listener that this status + corresponds to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + supportedKinds: + description: |- + SupportedKinds is the list indicating the Kinds supported by this + listener. This MUST represent the kinds an implementation supports for + that Listener configuration. + + + If kinds are specified in Spec that are not supported, they MUST NOT + appear in this list and an implementation MUST set the "ResolvedRefs" + condition to "False" with the "InvalidRouteKinds" reason. If both valid + and invalid Route kinds are specified, the implementation MUST + reference the valid Route kinds that have been specified. + items: + description: RouteGroupKind indicates the group and kind of + a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + required: + - attachedRoutes + - conditions + - name + - supportedKinds + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# +# config/crd/standard/gateway.networking.k8s.io_grpcroutes.yaml +# +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997 + gateway.networking.k8s.io/bundle-version: v1.1.0 + gateway.networking.k8s.io/channel: standard + creationTimestamp: null + name: grpcroutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: GRPCRoute + listKind: GRPCRouteList + plural: grpcroutes + singular: grpcroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + GRPCRoute provides a way to route gRPC requests. This includes the capability + to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header. + Filters can be used to specify additional processing steps. Backends specify + where matching requests will be routed. + + + GRPCRoute falls under extended support within the Gateway API. Within the + following specification, the word "MUST" indicates that an implementation + supporting GRPCRoute must conform to the indicated requirement, but an + implementation not supporting this route type need not follow the requirement + unless explicitly indicated. + + + Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST + accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via + ALPN. If the implementation does not support this, then it MUST set the + "Accepted" condition to "False" for the affected listener with a reason of + "UnsupportedProtocol". Implementations MAY also accept HTTP/2 connections + with an upgrade from HTTP/1. + + + Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST + support HTTP/2 over cleartext TCP (h2c, + https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial + upgrade from HTTP/1.1, i.e. with prior knowledge + (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation + does not support this, then it MUST set the "Accepted" condition to "False" + for the affected listener with a reason of "UnsupportedProtocol". + Implementations MAY also accept HTTP/2 connections with an upgrade from + HTTP/1, i.e. without prior knowledge. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GRPCRoute. + properties: + hostnames: + description: |- + Hostnames defines a set of hostnames to match against the GRPC + Host header to select a GRPCRoute to process the request. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label MUST appear by itself as the first label. + + + If a hostname is specified by both the Listener and GRPCRoute, there + MUST be at least one intersecting hostname for the GRPCRoute to be + attached to the Listener. For example: + + + * A Listener with `test.example.com` as the hostname matches GRPCRoutes + that have either not specified any hostnames, or have specified at + least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches GRPCRoutes + that have either not specified any hostnames or have specified at least + one hostname that matches the Listener hostname. For example, + `test.example.com` and `*.example.com` would both match. On the other + hand, `example.com` and `test.example.net` would not match. + + + Hostnames that are prefixed with a wildcard label (`*.`) are interpreted + as a suffix match. That means that a match for `*.example.com` would match + both `test.example.com`, and `foo.test.example.com`, but not `example.com`. + + + If both the Listener and GRPCRoute have specified hostnames, any + GRPCRoute hostnames that do not match the Listener hostname MUST be + ignored. For example, if a Listener specified `*.example.com`, and the + GRPCRoute specified `test.example.com` and `test.example.net`, + `test.example.net` MUST NOT be considered for a match. + + + If both the Listener and GRPCRoute have specified hostnames, and none + match with the criteria above, then the GRPCRoute MUST NOT be accepted by + the implementation. The implementation MUST raise an 'Accepted' Condition + with a status of `False` in the corresponding RouteParentStatus. + + + If a Route (A) of type HTTPRoute or GRPCRoute is attached to a + Listener and that listener already has another Route (B) of the other + type attached and the intersection of the hostnames of A and B is + non-empty, then the implementation MUST accept exactly one of these two + routes, determined by the following criteria, in order: + + + * The oldest Route based on creation timestamp. + * The Route appearing first in alphabetical order by + "{namespace}/{name}". + + + The rejected Route MUST raise an 'Accepted' condition with a status of + 'False' in the corresponding RouteParentStatus. + + + Support: Core + items: + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: |+ + ParentRefs references the resources (usually Gateways) that a Route wants + to be attached to. Note that the referenced parent resource needs to + allow this for the attachment to be complete. For Gateways, that means + the Gateway needs to allow attachment from Routes of this kind and + namespace. For Services, that means the Service must either be in the same + namespace for a "producer" route, or the mesh implementation must support + and allow "consumer" routes for the referenced Service. ReferenceGrant is + not applicable for governing ParentRefs to Services - it is not possible to + create a "producer" route for a Service in a different namespace from the + Route. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + + This API may be extended in the future to support additional kinds of parent + resources. + + + ParentRefs must be _distinct_. This means either that: + + + * They select different objects. If this is the case, then parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. + + + Some examples: + + + * If one ParentRef sets `sectionName`, all ParentRefs referencing the + same object must also set `sectionName`. + * If one ParentRef sets `port`, all ParentRefs referencing the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all ParentRefs + referencing the same object must also set `sectionName` and `port`. + + + It is possible to separately reference multiple distinct objects that may + be collapsed by an implementation. For example, some implementations may + choose to merge compatible Gateway Listeners together. If that is the + case, the list of routes attached to those resources should also be + merged. + + + Note that for ParentRefs that cross namespace boundaries, there are specific + rules. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example, + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable other kinds of cross-namespace reference. + + + + + + + + + items: + description: |- + ParentReference identifies an API object (usually a Gateway) that can be considered + a parent of this resource (usually a route). There are two kinds of parent resources + with "Core" support: + + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + + This API may be extended in the future to support additional kinds of parent + resources. + + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-validations: + - message: sectionName must be specified when parentRefs includes + 2 or more references to the same parent + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ + == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) ? ((!has(p1.sectionName) + || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName + == '''')) : true))' + - message: sectionName must be unique when parentRefs includes 2 or + more references to the same parent + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ + == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) + || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)))) + rules: + description: Rules are a list of GRPC matchers, filters and actions. + items: + description: |- + GRPCRouteRule defines the semantics for matching a gRPC request based on + conditions (matches), processing it (filters), and forwarding the request to + an API object (backendRefs). + properties: + backendRefs: + description: |- + BackendRefs defines the backend(s) where matching requests should be + sent. + + + Failure behavior here depends on how many BackendRefs are specified and + how many are invalid. + + + If *all* entries in BackendRefs are invalid, and there are also no filters + specified in this route rule, *all* traffic which matches this rule MUST + receive an `UNAVAILABLE` status. + + + See the GRPCBackendRef definition for the rules about what makes a single + GRPCBackendRef invalid. + + + When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for + requests that would have otherwise been routed to an invalid backend. If + multiple backends are specified, and some are invalid, the proportion of + requests that would otherwise have been routed to an invalid backend + MUST receive an `UNAVAILABLE` status. + + + For example, if two backends are specified with equal weights, and one is + invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status. + Implementations may choose how that 50 percent is determined. + + + Support: Core for Kubernetes Service + + + Support: Implementation-specific for any other resource + + + Support for weight: Core + items: + description: |- + GRPCBackendRef defines how a GRPCRoute forwards a gRPC request. + + + Note that when a namespace different than the local namespace is specified, a + ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + + + + When the BackendRef points to a Kubernetes Service, implementations SHOULD + honor the appProtocol field if it is set for the target Service Port. + + + Implementations supporting appProtocol SHOULD recognize the Kubernetes + Standard Application Protocols defined in KEP-3726. + + + If a Service appProtocol isn't specified, an implementation MAY infer the + backend protocol through its own means. Implementations MAY infer the + protocol from the Route type referring to the backend Service. + + + If a Route is not able to send traffic to the backend using the specified + protocol then the backend is considered invalid. Implementations MUST set the + "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + + + + properties: + filters: + description: |- + Filters defined at this level MUST be executed if and only if the + request is being forwarded to the backend defined here. + + + Support: Implementation-specific (For broader support of filters, use the + Filters field in GRPCRouteRule.) + items: + description: |- + GRPCRouteFilter defines processing steps that must be completed during the + request or response lifecycle. GRPCRouteFilters are meant as an extension + point to express processing that may be done in Gateway implementations. Some + examples include request or response modification, implementing + authentication strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: |- + ExtensionRef is an optional, implementation-specific extension to the + "filter" behavior. For example, resource "myroutefilter" in group + "networking.example.net"). ExtensionRef MUST NOT be used for core and + extended filters. + + + Support: Implementation-specific + + + This filter can be used multiple times within the same rule. + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For + example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: |- + RequestHeaderModifier defines a schema for a filter that modifies request + headers. + + + Support: Core + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + add: + - name: "my-header" + value: "bar,baz" + + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + + Config: + remove: ["my-header1", "my-header3"] + + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + set: + - name: "my-header" + value: "bar" + + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: |- + RequestMirror defines a schema for a filter that mirrors requests. + Requests are sent to the specified destination, but responses from + that destination are ignored. + + + This filter can be used multiple times within the same rule. Note that + not all implementations will be able to support mirroring to multiple + backends. + + + Support: Extended + properties: + backendRef: + description: |- + BackendRef references a resource where mirrored requests are sent. + + + Mirrored requests must be sent only to a single destination endpoint + within this BackendRef, irrespective of how many endpoints are present + within this BackendRef. + + + If the referent cannot be found, this BackendRef is invalid and must be + dropped from the Gateway. The controller must ensure the "ResolvedRefs" + condition on the Route status is set to `status: False` and not configure + this backend in the underlying implementation. + + + If there is a cross-namespace reference to an *existing* object + that is not allowed by a ReferenceGrant, the controller must ensure the + "ResolvedRefs" condition on the Route is set to `status: False`, + with the "RefNotPermitted" reason and not configure this backend in the + underlying implementation. + + + In either error case, the Message of the `ResolvedRefs` Condition + should be used to provide more detail about the problem. + + + Support: Extended for Kubernetes Service + + + Support: Implementation-specific for any other resource + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + + Support: Core (Services with a type other than ExternalName) + + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind + == ''Service'') ? has(self.port) : true' + required: + - backendRef + type: object + responseHeaderModifier: + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies response + headers. + + + Support: Extended + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + add: + - name: "my-header" + value: "bar,baz" + + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + + Config: + remove: ["my-header1", "my-header3"] + + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + set: + - name: "my-header" + value: "bar" + + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: |+ + Type identifies the type of filter to apply. As with other API fields, + types are classified into three conformance levels: + + + - Core: Filter types and their corresponding configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". All + implementations supporting GRPCRoute MUST support core filters. + + + - Extended: Filter types and their corresponding configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. + + + - Implementation-specific: Filters that are defined and supported by specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` MUST be set to + "ExtensionRef" for custom filters. + + + Implementers are encouraged to define custom implementation types to + extend the core API with implementation-specific behavior. + + + If a reference to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have been processed by + that filter MUST receive a HTTP error response. + + + enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: filter.requestHeaderModifier must be nil + if the filter.type is not RequestHeaderModifier + rule: '!(has(self.requestHeaderModifier) && self.type + != ''RequestHeaderModifier'')' + - message: filter.requestHeaderModifier must be specified + for RequestHeaderModifier filter.type + rule: '!(!has(self.requestHeaderModifier) && self.type + == ''RequestHeaderModifier'')' + - message: filter.responseHeaderModifier must be nil + if the filter.type is not ResponseHeaderModifier + rule: '!(has(self.responseHeaderModifier) && self.type + != ''ResponseHeaderModifier'')' + - message: filter.responseHeaderModifier must be specified + for ResponseHeaderModifier filter.type + rule: '!(!has(self.responseHeaderModifier) && self.type + == ''ResponseHeaderModifier'')' + - message: filter.requestMirror must be nil if the filter.type + is not RequestMirror + rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' + - message: filter.requestMirror must be specified for + RequestMirror filter.type + rule: '!(!has(self.requestMirror) && self.type == + ''RequestMirror'')' + - message: filter.extensionRef must be nil if the filter.type + is not ExtensionRef + rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' + - message: filter.extensionRef must be specified for + ExtensionRef filter.type + rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' + maxItems: 16 + type: array + x-kubernetes-validations: + - message: RequestHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'RequestHeaderModifier').size() + <= 1 + - message: ResponseHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() + <= 1 + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + + Support: Core (Services with a type other than ExternalName) + + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: |- + Weight specifies the proportion of requests forwarded to the referenced + backend. This is computed as weight/(sum of all weights in this + BackendRefs list). For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision an + implementation supports. Weight is not a percentage and the sum of + weights does not need to equal 100. + + + If only one backend is specified and it has a weight greater than 0, 100% + of the traffic is forwarded to that backend. If weight is set to 0, no + traffic should be forwarded for this entry. If unspecified, weight + defaults to 1. + + + Support for this field varies based on the context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + maxItems: 16 + type: array + filters: + description: |- + Filters define the filters that are applied to requests that match + this rule. + + + The effects of ordering of multiple behaviors are currently unspecified. + This can change in the future based on feedback during the alpha stage. + + + Conformance-levels at this level are defined based on the type of filter: + + + - ALL core filters MUST be supported by all implementations that support + GRPCRoute. + - Implementers are encouraged to support extended filters. + - Implementation-specific custom filters have no API guarantees across + implementations. + + + Specifying the same filter multiple times is not supported unless explicitly + indicated in the filter. + + + If an implementation can not support a combination of filters, it must clearly + document that limitation. In cases where incompatible or unsupported + filters are specified and cause the `Accepted` condition to be set to status + `False`, implementations may use the `IncompatibleFilters` reason to specify + this configuration error. + + + Support: Core + items: + description: |- + GRPCRouteFilter defines processing steps that must be completed during the + request or response lifecycle. GRPCRouteFilters are meant as an extension + point to express processing that may be done in Gateway implementations. Some + examples include request or response modification, implementing + authentication strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: |- + ExtensionRef is an optional, implementation-specific extension to the + "filter" behavior. For example, resource "myroutefilter" in group + "networking.example.net"). ExtensionRef MUST NOT be used for core and + extended filters. + + + Support: Implementation-specific + + + This filter can be used multiple times within the same rule. + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: |- + RequestHeaderModifier defines a schema for a filter that modifies request + headers. + + + Support: Core + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + add: + - name: "my-header" + value: "bar,baz" + + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + + Config: + remove: ["my-header1", "my-header3"] + + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + set: + - name: "my-header" + value: "bar" + + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: |- + RequestMirror defines a schema for a filter that mirrors requests. + Requests are sent to the specified destination, but responses from + that destination are ignored. + + + This filter can be used multiple times within the same rule. Note that + not all implementations will be able to support mirroring to multiple + backends. + + + Support: Extended + properties: + backendRef: + description: |- + BackendRef references a resource where mirrored requests are sent. + + + Mirrored requests must be sent only to a single destination endpoint + within this BackendRef, irrespective of how many endpoints are present + within this BackendRef. + + + If the referent cannot be found, this BackendRef is invalid and must be + dropped from the Gateway. The controller must ensure the "ResolvedRefs" + condition on the Route status is set to `status: False` and not configure + this backend in the underlying implementation. + + + If there is a cross-namespace reference to an *existing* object + that is not allowed by a ReferenceGrant, the controller must ensure the + "ResolvedRefs" condition on the Route is set to `status: False`, + with the "RefNotPermitted" reason and not configure this backend in the + underlying implementation. + + + In either error case, the Message of the `ResolvedRefs` Condition + should be used to provide more detail about the problem. + + + Support: Extended for Kubernetes Service + + + Support: Implementation-specific for any other resource + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + + Support: Core (Services with a type other than ExternalName) + + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + required: + - backendRef + type: object + responseHeaderModifier: + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies response + headers. + + + Support: Extended + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + add: + - name: "my-header" + value: "bar,baz" + + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + + Config: + remove: ["my-header1", "my-header3"] + + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + set: + - name: "my-header" + value: "bar" + + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: |+ + Type identifies the type of filter to apply. As with other API fields, + types are classified into three conformance levels: + + + - Core: Filter types and their corresponding configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". All + implementations supporting GRPCRoute MUST support core filters. + + + - Extended: Filter types and their corresponding configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. + + + - Implementation-specific: Filters that are defined and supported by specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` MUST be set to + "ExtensionRef" for custom filters. + + + Implementers are encouraged to define custom implementation types to + extend the core API with implementation-specific behavior. + + + If a reference to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have been processed by + that filter MUST receive a HTTP error response. + + + enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: filter.requestHeaderModifier must be nil if the + filter.type is not RequestHeaderModifier + rule: '!(has(self.requestHeaderModifier) && self.type != + ''RequestHeaderModifier'')' + - message: filter.requestHeaderModifier must be specified + for RequestHeaderModifier filter.type + rule: '!(!has(self.requestHeaderModifier) && self.type == + ''RequestHeaderModifier'')' + - message: filter.responseHeaderModifier must be nil if the + filter.type is not ResponseHeaderModifier + rule: '!(has(self.responseHeaderModifier) && self.type != + ''ResponseHeaderModifier'')' + - message: filter.responseHeaderModifier must be specified + for ResponseHeaderModifier filter.type + rule: '!(!has(self.responseHeaderModifier) && self.type + == ''ResponseHeaderModifier'')' + - message: filter.requestMirror must be nil if the filter.type + is not RequestMirror + rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' + - message: filter.requestMirror must be specified for RequestMirror + filter.type + rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')' + - message: filter.extensionRef must be nil if the filter.type + is not ExtensionRef + rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' + - message: filter.extensionRef must be specified for ExtensionRef + filter.type + rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' + maxItems: 16 + type: array + x-kubernetes-validations: + - message: RequestHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'RequestHeaderModifier').size() + <= 1 + - message: ResponseHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() + <= 1 + matches: + description: |- + Matches define conditions used for matching the rule against incoming + gRPC requests. Each match is independent, i.e. this rule will be matched + if **any** one of the matches is satisfied. + + + For example, take the following matches configuration: + + + ``` + matches: + - method: + service: foo.bar + headers: + values: + version: 2 + - method: + service: foo.bar.v2 + ``` + + + For a request to match against this rule, it MUST satisfy + EITHER of the two conditions: + + + - service of foo.bar AND contains the header `version: 2` + - service of foo.bar.v2 + + + See the documentation for GRPCRouteMatch on how to specify multiple + match conditions to be ANDed together. + + + If no matches are specified, the implementation MUST match every gRPC request. + + + Proxy or Load Balancer routing configuration generated from GRPCRoutes + MUST prioritize rules based on the following criteria, continuing on + ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes. + Precedence MUST be given to the rule with the largest number of: + + + * Characters in a matching non-wildcard hostname. + * Characters in a matching hostname. + * Characters in a matching service. + * Characters in a matching method. + * Header matches. + + + If ties still exist across multiple Routes, matching precedence MUST be + determined in order of the following criteria, continuing on ties: + + + * The oldest Route based on creation timestamp. + * The Route appearing first in alphabetical order by + "{namespace}/{name}". + + + If ties still exist within the Route that has been given precedence, + matching precedence MUST be granted to the first matching rule meeting + the above criteria. + items: + description: |- + GRPCRouteMatch defines the predicate used to match requests to a given + action. Multiple match types are ANDed together, i.e. the match will + evaluate to true only if all conditions are satisfied. + + + For example, the match below will match a gRPC request only if its service + is `foo` AND it contains the `version: v1` header: + + + ``` + matches: + - method: + type: Exact + service: "foo" + headers: + - name: "version" + value "v1" + + + ``` + properties: + headers: + description: |- + Headers specifies gRPC request header matchers. Multiple match values are + ANDed together, meaning, a request MUST match all the specified headers + to select the route. + items: + description: |- + GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request + headers. + properties: + name: + description: |- + Name is the name of the gRPC Header to be matched. + + + If multiple entries specify equivalent header names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: Type specifies how to match against + the value of the header. + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of the gRPC Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: |- + Method specifies a gRPC request service/method matcher. If this field is + not specified, all services and methods will match. + properties: + method: + description: |- + Value of the method to match against. If left empty or omitted, will + match all services. + + + At least one of Service and Method MUST be a non-empty string. + maxLength: 1024 + type: string + service: + description: |- + Value of the service to match against. If left empty or omitted, will + match any service. + + + At least one of Service and Method MUST be a non-empty string. + maxLength: 1024 + type: string + type: + default: Exact + description: |- + Type specifies how to match against the service and/or method. + Support: Core (Exact with service and method specified) + + + Support: Implementation-specific (Exact with method specified but no service specified) + + + Support: Implementation-specific (RegularExpression) + enum: + - Exact + - RegularExpression + type: string + type: object + x-kubernetes-validations: + - message: One or both of 'service' or 'method' must be + specified + rule: 'has(self.type) ? has(self.service) || has(self.method) + : true' + - message: service must only contain valid characters + (matching ^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$) + rule: '(!has(self.type) || self.type == ''Exact'') && + has(self.service) ? self.service.matches(r"""^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$"""): + true' + - message: method must only contain valid characters (matching + ^[A-Za-z_][A-Za-z_0-9]*$) + rule: '(!has(self.type) || self.type == ''Exact'') && + has(self.method) ? self.method.matches(r"""^[A-Za-z_][A-Za-z_0-9]*$"""): + true' + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of GRPCRoute. + properties: + parents: + description: |- + Parents is a list of parent resources (usually Gateways) that are + associated with the route, and the status of the route with respect to + each parent. When this route attaches to a parent, the controller that + manages the parent must add an entry to this list when the controller + first sees the route and should update the entry as appropriate when the + route or gateway is modified. + + + Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this API + can only populate Route status for the Gateways/parent resources they are + responsible for. + + + A maximum of 32 Gateways will be represented in this list. An empty list + means the route has not been attached to any Gateway. + items: + description: |- + RouteParentStatus describes the status of a route with respect to an + associated Parent. + properties: + conditions: + description: |- + Conditions describes the status of the route with respect to the Gateway. + Note that the route's availability is also subject to the Gateway's own + status conditions and listener status. + + + If the Route's ParentRef specifies an existing Gateway that supports + Routes of this kind AND that Gateway's controller has sufficient access, + then that Gateway's controller MUST set the "Accepted" condition on the + Route, to indicate whether the route has been accepted or rejected by the + Gateway, and why. + + + A Route MUST be considered "Accepted" if at least one of the Route's + rules is implemented by the Gateway. + + + There are a number of cases where the "Accepted" condition may not be set + due to lack of controller visibility, that includes when: + + + * The Route refers to a non-existent parent. + * The Route is of a type that the controller does not support. + * The Route is in a namespace the controller does not have access to. + items: + description: "Condition contains details for one aspect of + the current state of this API Resource.\n---\nThis struct + is intended for direct use as an array at the field path + .status.conditions. For example,\n\n\n\ttype FooStatus + struct{\n\t // Represents the observations of a foo's + current state.\n\t // Known .status.conditions.type are: + \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // + +listType=map\n\t // +listMapKey=type\n\t Conditions + []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" + patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. + + + Example: "example.net/gateway-controller". + + + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: |- + ParentRef corresponds with a ParentRef in the spec that this + RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + type: object + served: true + storage: true + subresources: + status: {} + - deprecated: true + deprecationWarning: The v1alpha2 version of GRPCRoute has been deprecated and + will be removed in a future release of the API. Please upgrade to v1. + name: v1alpha2 + schema: + openAPIV3Schema: + description: |- + GRPCRoute provides a way to route gRPC requests. This includes the capability + to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header. + Filters can be used to specify additional processing steps. Backends specify + where matching requests will be routed. + + + GRPCRoute falls under extended support within the Gateway API. Within the + following specification, the word "MUST" indicates that an implementation + supporting GRPCRoute must conform to the indicated requirement, but an + implementation not supporting this route type need not follow the requirement + unless explicitly indicated. + + + Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST + accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via + ALPN. If the implementation does not support this, then it MUST set the + "Accepted" condition to "False" for the affected listener with a reason of + "UnsupportedProtocol". Implementations MAY also accept HTTP/2 connections + with an upgrade from HTTP/1. + + + Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST + support HTTP/2 over cleartext TCP (h2c, + https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial + upgrade from HTTP/1.1, i.e. with prior knowledge + (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation + does not support this, then it MUST set the "Accepted" condition to "False" + for the affected listener with a reason of "UnsupportedProtocol". + Implementations MAY also accept HTTP/2 connections with an upgrade from + HTTP/1, i.e. without prior knowledge. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GRPCRoute. + properties: + hostnames: + description: |- + Hostnames defines a set of hostnames to match against the GRPC + Host header to select a GRPCRoute to process the request. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label MUST appear by itself as the first label. + + + If a hostname is specified by both the Listener and GRPCRoute, there + MUST be at least one intersecting hostname for the GRPCRoute to be + attached to the Listener. For example: + + + * A Listener with `test.example.com` as the hostname matches GRPCRoutes + that have either not specified any hostnames, or have specified at + least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches GRPCRoutes + that have either not specified any hostnames or have specified at least + one hostname that matches the Listener hostname. For example, + `test.example.com` and `*.example.com` would both match. On the other + hand, `example.com` and `test.example.net` would not match. + + + Hostnames that are prefixed with a wildcard label (`*.`) are interpreted + as a suffix match. That means that a match for `*.example.com` would match + both `test.example.com`, and `foo.test.example.com`, but not `example.com`. + + + If both the Listener and GRPCRoute have specified hostnames, any + GRPCRoute hostnames that do not match the Listener hostname MUST be + ignored. For example, if a Listener specified `*.example.com`, and the + GRPCRoute specified `test.example.com` and `test.example.net`, + `test.example.net` MUST NOT be considered for a match. + + + If both the Listener and GRPCRoute have specified hostnames, and none + match with the criteria above, then the GRPCRoute MUST NOT be accepted by + the implementation. The implementation MUST raise an 'Accepted' Condition + with a status of `False` in the corresponding RouteParentStatus. + + + If a Route (A) of type HTTPRoute or GRPCRoute is attached to a + Listener and that listener already has another Route (B) of the other + type attached and the intersection of the hostnames of A and B is + non-empty, then the implementation MUST accept exactly one of these two + routes, determined by the following criteria, in order: + + + * The oldest Route based on creation timestamp. + * The Route appearing first in alphabetical order by + "{namespace}/{name}". + + + The rejected Route MUST raise an 'Accepted' condition with a status of + 'False' in the corresponding RouteParentStatus. + + + Support: Core + items: + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: |+ + ParentRefs references the resources (usually Gateways) that a Route wants + to be attached to. Note that the referenced parent resource needs to + allow this for the attachment to be complete. For Gateways, that means + the Gateway needs to allow attachment from Routes of this kind and + namespace. For Services, that means the Service must either be in the same + namespace for a "producer" route, or the mesh implementation must support + and allow "consumer" routes for the referenced Service. ReferenceGrant is + not applicable for governing ParentRefs to Services - it is not possible to + create a "producer" route for a Service in a different namespace from the + Route. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + + This API may be extended in the future to support additional kinds of parent + resources. + + + ParentRefs must be _distinct_. This means either that: + + + * They select different objects. If this is the case, then parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. + + + Some examples: + + + * If one ParentRef sets `sectionName`, all ParentRefs referencing the + same object must also set `sectionName`. + * If one ParentRef sets `port`, all ParentRefs referencing the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all ParentRefs + referencing the same object must also set `sectionName` and `port`. + + + It is possible to separately reference multiple distinct objects that may + be collapsed by an implementation. For example, some implementations may + choose to merge compatible Gateway Listeners together. If that is the + case, the list of routes attached to those resources should also be + merged. + + + Note that for ParentRefs that cross namespace boundaries, there are specific + rules. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example, + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable other kinds of cross-namespace reference. + + + + + + + + + items: + description: |- + ParentReference identifies an API object (usually a Gateway) that can be considered + a parent of this resource (usually a route). There are two kinds of parent resources + with "Core" support: + + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + + This API may be extended in the future to support additional kinds of parent + resources. + + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-validations: + - message: sectionName must be specified when parentRefs includes + 2 or more references to the same parent + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ + == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) ? ((!has(p1.sectionName) + || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName + == '''')) : true))' + - message: sectionName must be unique when parentRefs includes 2 or + more references to the same parent + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ + == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) + || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)))) + rules: + description: Rules are a list of GRPC matchers, filters and actions. + items: + description: |- + GRPCRouteRule defines the semantics for matching a gRPC request based on + conditions (matches), processing it (filters), and forwarding the request to + an API object (backendRefs). + properties: + backendRefs: + description: |- + BackendRefs defines the backend(s) where matching requests should be + sent. + + + Failure behavior here depends on how many BackendRefs are specified and + how many are invalid. + + + If *all* entries in BackendRefs are invalid, and there are also no filters + specified in this route rule, *all* traffic which matches this rule MUST + receive an `UNAVAILABLE` status. + + + See the GRPCBackendRef definition for the rules about what makes a single + GRPCBackendRef invalid. + + + When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for + requests that would have otherwise been routed to an invalid backend. If + multiple backends are specified, and some are invalid, the proportion of + requests that would otherwise have been routed to an invalid backend + MUST receive an `UNAVAILABLE` status. + + + For example, if two backends are specified with equal weights, and one is + invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status. + Implementations may choose how that 50 percent is determined. + + + Support: Core for Kubernetes Service + + + Support: Implementation-specific for any other resource + + + Support for weight: Core + items: + description: |- + GRPCBackendRef defines how a GRPCRoute forwards a gRPC request. + + + Note that when a namespace different than the local namespace is specified, a + ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + + + + When the BackendRef points to a Kubernetes Service, implementations SHOULD + honor the appProtocol field if it is set for the target Service Port. + + + Implementations supporting appProtocol SHOULD recognize the Kubernetes + Standard Application Protocols defined in KEP-3726. + + + If a Service appProtocol isn't specified, an implementation MAY infer the + backend protocol through its own means. Implementations MAY infer the + protocol from the Route type referring to the backend Service. + + + If a Route is not able to send traffic to the backend using the specified + protocol then the backend is considered invalid. Implementations MUST set the + "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + + + + properties: + filters: + description: |- + Filters defined at this level MUST be executed if and only if the + request is being forwarded to the backend defined here. + + + Support: Implementation-specific (For broader support of filters, use the + Filters field in GRPCRouteRule.) + items: + description: |- + GRPCRouteFilter defines processing steps that must be completed during the + request or response lifecycle. GRPCRouteFilters are meant as an extension + point to express processing that may be done in Gateway implementations. Some + examples include request or response modification, implementing + authentication strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: |- + ExtensionRef is an optional, implementation-specific extension to the + "filter" behavior. For example, resource "myroutefilter" in group + "networking.example.net"). ExtensionRef MUST NOT be used for core and + extended filters. + + + Support: Implementation-specific + + + This filter can be used multiple times within the same rule. + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For + example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: |- + RequestHeaderModifier defines a schema for a filter that modifies request + headers. + + + Support: Core + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + add: + - name: "my-header" + value: "bar,baz" + + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + + Config: + remove: ["my-header1", "my-header3"] + + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + set: + - name: "my-header" + value: "bar" + + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: |- + RequestMirror defines a schema for a filter that mirrors requests. + Requests are sent to the specified destination, but responses from + that destination are ignored. + + + This filter can be used multiple times within the same rule. Note that + not all implementations will be able to support mirroring to multiple + backends. + + + Support: Extended + properties: + backendRef: + description: |- + BackendRef references a resource where mirrored requests are sent. + + + Mirrored requests must be sent only to a single destination endpoint + within this BackendRef, irrespective of how many endpoints are present + within this BackendRef. + + + If the referent cannot be found, this BackendRef is invalid and must be + dropped from the Gateway. The controller must ensure the "ResolvedRefs" + condition on the Route status is set to `status: False` and not configure + this backend in the underlying implementation. + + + If there is a cross-namespace reference to an *existing* object + that is not allowed by a ReferenceGrant, the controller must ensure the + "ResolvedRefs" condition on the Route is set to `status: False`, + with the "RefNotPermitted" reason and not configure this backend in the + underlying implementation. + + + In either error case, the Message of the `ResolvedRefs` Condition + should be used to provide more detail about the problem. + + + Support: Extended for Kubernetes Service + + + Support: Implementation-specific for any other resource + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + + Support: Core (Services with a type other than ExternalName) + + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind + == ''Service'') ? has(self.port) : true' + required: + - backendRef + type: object + responseHeaderModifier: + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies response + headers. + + + Support: Extended + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + add: + - name: "my-header" + value: "bar,baz" + + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + + Config: + remove: ["my-header1", "my-header3"] + + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + set: + - name: "my-header" + value: "bar" + + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: |+ + Type identifies the type of filter to apply. As with other API fields, + types are classified into three conformance levels: + + + - Core: Filter types and their corresponding configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". All + implementations supporting GRPCRoute MUST support core filters. + + + - Extended: Filter types and their corresponding configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. + + + - Implementation-specific: Filters that are defined and supported by specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` MUST be set to + "ExtensionRef" for custom filters. + + + Implementers are encouraged to define custom implementation types to + extend the core API with implementation-specific behavior. + + + If a reference to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have been processed by + that filter MUST receive a HTTP error response. + + + enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: filter.requestHeaderModifier must be nil + if the filter.type is not RequestHeaderModifier + rule: '!(has(self.requestHeaderModifier) && self.type + != ''RequestHeaderModifier'')' + - message: filter.requestHeaderModifier must be specified + for RequestHeaderModifier filter.type + rule: '!(!has(self.requestHeaderModifier) && self.type + == ''RequestHeaderModifier'')' + - message: filter.responseHeaderModifier must be nil + if the filter.type is not ResponseHeaderModifier + rule: '!(has(self.responseHeaderModifier) && self.type + != ''ResponseHeaderModifier'')' + - message: filter.responseHeaderModifier must be specified + for ResponseHeaderModifier filter.type + rule: '!(!has(self.responseHeaderModifier) && self.type + == ''ResponseHeaderModifier'')' + - message: filter.requestMirror must be nil if the filter.type + is not RequestMirror + rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' + - message: filter.requestMirror must be specified for + RequestMirror filter.type + rule: '!(!has(self.requestMirror) && self.type == + ''RequestMirror'')' + - message: filter.extensionRef must be nil if the filter.type + is not ExtensionRef + rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' + - message: filter.extensionRef must be specified for + ExtensionRef filter.type + rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' + maxItems: 16 + type: array + x-kubernetes-validations: + - message: RequestHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'RequestHeaderModifier').size() + <= 1 + - message: ResponseHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() + <= 1 + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + + Support: Core (Services with a type other than ExternalName) + + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: |- + Weight specifies the proportion of requests forwarded to the referenced + backend. This is computed as weight/(sum of all weights in this + BackendRefs list). For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision an + implementation supports. Weight is not a percentage and the sum of + weights does not need to equal 100. + + + If only one backend is specified and it has a weight greater than 0, 100% + of the traffic is forwarded to that backend. If weight is set to 0, no + traffic should be forwarded for this entry. If unspecified, weight + defaults to 1. + + + Support for this field varies based on the context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + maxItems: 16 + type: array + filters: + description: |- + Filters define the filters that are applied to requests that match + this rule. + + + The effects of ordering of multiple behaviors are currently unspecified. + This can change in the future based on feedback during the alpha stage. + + + Conformance-levels at this level are defined based on the type of filter: + + + - ALL core filters MUST be supported by all implementations that support + GRPCRoute. + - Implementers are encouraged to support extended filters. + - Implementation-specific custom filters have no API guarantees across + implementations. + + + Specifying the same filter multiple times is not supported unless explicitly + indicated in the filter. + + + If an implementation can not support a combination of filters, it must clearly + document that limitation. In cases where incompatible or unsupported + filters are specified and cause the `Accepted` condition to be set to status + `False`, implementations may use the `IncompatibleFilters` reason to specify + this configuration error. + + + Support: Core + items: + description: |- + GRPCRouteFilter defines processing steps that must be completed during the + request or response lifecycle. GRPCRouteFilters are meant as an extension + point to express processing that may be done in Gateway implementations. Some + examples include request or response modification, implementing + authentication strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: |- + ExtensionRef is an optional, implementation-specific extension to the + "filter" behavior. For example, resource "myroutefilter" in group + "networking.example.net"). ExtensionRef MUST NOT be used for core and + extended filters. + + + Support: Implementation-specific + + + This filter can be used multiple times within the same rule. + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: |- + RequestHeaderModifier defines a schema for a filter that modifies request + headers. + + + Support: Core + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + add: + - name: "my-header" + value: "bar,baz" + + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + + Config: + remove: ["my-header1", "my-header3"] + + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + set: + - name: "my-header" + value: "bar" + + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: |- + RequestMirror defines a schema for a filter that mirrors requests. + Requests are sent to the specified destination, but responses from + that destination are ignored. + + + This filter can be used multiple times within the same rule. Note that + not all implementations will be able to support mirroring to multiple + backends. + + + Support: Extended + properties: + backendRef: + description: |- + BackendRef references a resource where mirrored requests are sent. + + + Mirrored requests must be sent only to a single destination endpoint + within this BackendRef, irrespective of how many endpoints are present + within this BackendRef. + + + If the referent cannot be found, this BackendRef is invalid and must be + dropped from the Gateway. The controller must ensure the "ResolvedRefs" + condition on the Route status is set to `status: False` and not configure + this backend in the underlying implementation. + + + If there is a cross-namespace reference to an *existing* object + that is not allowed by a ReferenceGrant, the controller must ensure the + "ResolvedRefs" condition on the Route is set to `status: False`, + with the "RefNotPermitted" reason and not configure this backend in the + underlying implementation. + + + In either error case, the Message of the `ResolvedRefs` Condition + should be used to provide more detail about the problem. + + + Support: Extended for Kubernetes Service + + + Support: Implementation-specific for any other resource + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + + Support: Core (Services with a type other than ExternalName) + + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + required: + - backendRef + type: object + responseHeaderModifier: + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies response + headers. + + + Support: Extended + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + add: + - name: "my-header" + value: "bar,baz" + + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + + Config: + remove: ["my-header1", "my-header3"] + + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + set: + - name: "my-header" + value: "bar" + + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: |+ + Type identifies the type of filter to apply. As with other API fields, + types are classified into three conformance levels: + + + - Core: Filter types and their corresponding configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". All + implementations supporting GRPCRoute MUST support core filters. + + + - Extended: Filter types and their corresponding configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. + + + - Implementation-specific: Filters that are defined and supported by specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` MUST be set to + "ExtensionRef" for custom filters. + + + Implementers are encouraged to define custom implementation types to + extend the core API with implementation-specific behavior. + + + If a reference to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have been processed by + that filter MUST receive a HTTP error response. + + + enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: filter.requestHeaderModifier must be nil if the + filter.type is not RequestHeaderModifier + rule: '!(has(self.requestHeaderModifier) && self.type != + ''RequestHeaderModifier'')' + - message: filter.requestHeaderModifier must be specified + for RequestHeaderModifier filter.type + rule: '!(!has(self.requestHeaderModifier) && self.type == + ''RequestHeaderModifier'')' + - message: filter.responseHeaderModifier must be nil if the + filter.type is not ResponseHeaderModifier + rule: '!(has(self.responseHeaderModifier) && self.type != + ''ResponseHeaderModifier'')' + - message: filter.responseHeaderModifier must be specified + for ResponseHeaderModifier filter.type + rule: '!(!has(self.responseHeaderModifier) && self.type + == ''ResponseHeaderModifier'')' + - message: filter.requestMirror must be nil if the filter.type + is not RequestMirror + rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' + - message: filter.requestMirror must be specified for RequestMirror + filter.type + rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')' + - message: filter.extensionRef must be nil if the filter.type + is not ExtensionRef + rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' + - message: filter.extensionRef must be specified for ExtensionRef + filter.type + rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' + maxItems: 16 + type: array + x-kubernetes-validations: + - message: RequestHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'RequestHeaderModifier').size() + <= 1 + - message: ResponseHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() + <= 1 + matches: + description: |- + Matches define conditions used for matching the rule against incoming + gRPC requests. Each match is independent, i.e. this rule will be matched + if **any** one of the matches is satisfied. + + + For example, take the following matches configuration: + + + ``` + matches: + - method: + service: foo.bar + headers: + values: + version: 2 + - method: + service: foo.bar.v2 + ``` + + + For a request to match against this rule, it MUST satisfy + EITHER of the two conditions: + + + - service of foo.bar AND contains the header `version: 2` + - service of foo.bar.v2 + + + See the documentation for GRPCRouteMatch on how to specify multiple + match conditions to be ANDed together. + + + If no matches are specified, the implementation MUST match every gRPC request. + + + Proxy or Load Balancer routing configuration generated from GRPCRoutes + MUST prioritize rules based on the following criteria, continuing on + ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes. + Precedence MUST be given to the rule with the largest number of: + + + * Characters in a matching non-wildcard hostname. + * Characters in a matching hostname. + * Characters in a matching service. + * Characters in a matching method. + * Header matches. + + + If ties still exist across multiple Routes, matching precedence MUST be + determined in order of the following criteria, continuing on ties: + + + * The oldest Route based on creation timestamp. + * The Route appearing first in alphabetical order by + "{namespace}/{name}". + + + If ties still exist within the Route that has been given precedence, + matching precedence MUST be granted to the first matching rule meeting + the above criteria. + items: + description: |- + GRPCRouteMatch defines the predicate used to match requests to a given + action. Multiple match types are ANDed together, i.e. the match will + evaluate to true only if all conditions are satisfied. + + + For example, the match below will match a gRPC request only if its service + is `foo` AND it contains the `version: v1` header: + + + ``` + matches: + - method: + type: Exact + service: "foo" + headers: + - name: "version" + value "v1" + + + ``` + properties: + headers: + description: |- + Headers specifies gRPC request header matchers. Multiple match values are + ANDed together, meaning, a request MUST match all the specified headers + to select the route. + items: + description: |- + GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request + headers. + properties: + name: + description: |- + Name is the name of the gRPC Header to be matched. + + + If multiple entries specify equivalent header names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: Type specifies how to match against + the value of the header. + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of the gRPC Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: |- + Method specifies a gRPC request service/method matcher. If this field is + not specified, all services and methods will match. + properties: + method: + description: |- + Value of the method to match against. If left empty or omitted, will + match all services. + + + At least one of Service and Method MUST be a non-empty string. + maxLength: 1024 + type: string + service: + description: |- + Value of the service to match against. If left empty or omitted, will + match any service. + + + At least one of Service and Method MUST be a non-empty string. + maxLength: 1024 + type: string + type: + default: Exact + description: |- + Type specifies how to match against the service and/or method. + Support: Core (Exact with service and method specified) + + + Support: Implementation-specific (Exact with method specified but no service specified) + + + Support: Implementation-specific (RegularExpression) + enum: + - Exact + - RegularExpression + type: string + type: object + x-kubernetes-validations: + - message: One or both of 'service' or 'method' must be + specified + rule: 'has(self.type) ? has(self.service) || has(self.method) + : true' + - message: service must only contain valid characters + (matching ^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$) + rule: '(!has(self.type) || self.type == ''Exact'') && + has(self.service) ? self.service.matches(r"""^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$"""): + true' + - message: method must only contain valid characters (matching + ^[A-Za-z_][A-Za-z_0-9]*$) + rule: '(!has(self.type) || self.type == ''Exact'') && + has(self.method) ? self.method.matches(r"""^[A-Za-z_][A-Za-z_0-9]*$"""): + true' + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of GRPCRoute. + properties: + parents: + description: |- + Parents is a list of parent resources (usually Gateways) that are + associated with the route, and the status of the route with respect to + each parent. When this route attaches to a parent, the controller that + manages the parent must add an entry to this list when the controller + first sees the route and should update the entry as appropriate when the + route or gateway is modified. + + + Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this API + can only populate Route status for the Gateways/parent resources they are + responsible for. + + + A maximum of 32 Gateways will be represented in this list. An empty list + means the route has not been attached to any Gateway. + items: + description: |- + RouteParentStatus describes the status of a route with respect to an + associated Parent. + properties: + conditions: + description: |- + Conditions describes the status of the route with respect to the Gateway. + Note that the route's availability is also subject to the Gateway's own + status conditions and listener status. + + + If the Route's ParentRef specifies an existing Gateway that supports + Routes of this kind AND that Gateway's controller has sufficient access, + then that Gateway's controller MUST set the "Accepted" condition on the + Route, to indicate whether the route has been accepted or rejected by the + Gateway, and why. + + + A Route MUST be considered "Accepted" if at least one of the Route's + rules is implemented by the Gateway. + + + There are a number of cases where the "Accepted" condition may not be set + due to lack of controller visibility, that includes when: + + + * The Route refers to a non-existent parent. + * The Route is of a type that the controller does not support. + * The Route is in a namespace the controller does not have access to. + items: + description: "Condition contains details for one aspect of + the current state of this API Resource.\n---\nThis struct + is intended for direct use as an array at the field path + .status.conditions. For example,\n\n\n\ttype FooStatus + struct{\n\t // Represents the observations of a foo's + current state.\n\t // Known .status.conditions.type are: + \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // + +listType=map\n\t // +listMapKey=type\n\t Conditions + []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" + patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. + + + Example: "example.net/gateway-controller". + + + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: |- + ParentRef corresponds with a ParentRef in the spec that this + RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + type: object + served: false + storage: false +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# +# config/crd/standard/gateway.networking.k8s.io_httproutes.yaml +# +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997 + gateway.networking.k8s.io/bundle-version: v1.1.0 + gateway.networking.k8s.io/channel: standard + creationTimestamp: null + name: httproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: HTTPRoute + listKind: HTTPRouteList + plural: httproutes + singular: httproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + HTTPRoute provides a way to route HTTP requests. This includes the capability + to match requests by hostname, path, header, or query param. Filters can be + used to specify additional processing steps. Backends specify where matching + requests should be routed. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: |- + Hostnames defines a set of hostnames that should match against the HTTP Host + header to select a HTTPRoute used to process the request. Implementations + MUST ignore any port value specified in the HTTP Host header while + performing a match and (absent of any applicable header modification + configuration) MUST forward this header unmodified to the backend. + + + Valid values for Hostnames are determined by RFC 1123 definition of a + hostname with 2 notable exceptions: + + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + + If a hostname is specified by both the Listener and HTTPRoute, there + must be at least one intersecting hostname for the HTTPRoute to be + attached to the Listener. For example: + + + * A Listener with `test.example.com` as the hostname matches HTTPRoutes + that have either not specified any hostnames, or have specified at + least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches HTTPRoutes + that have either not specified any hostnames or have specified at least + one hostname that matches the Listener hostname. For example, + `*.example.com`, `test.example.com`, and `foo.test.example.com` would + all match. On the other hand, `example.com` and `test.example.net` would + not match. + + + Hostnames that are prefixed with a wildcard label (`*.`) are interpreted + as a suffix match. That means that a match for `*.example.com` would match + both `test.example.com`, and `foo.test.example.com`, but not `example.com`. + + + If both the Listener and HTTPRoute have specified hostnames, any + HTTPRoute hostnames that do not match the Listener hostname MUST be + ignored. For example, if a Listener specified `*.example.com`, and the + HTTPRoute specified `test.example.com` and `test.example.net`, + `test.example.net` must not be considered for a match. + + + If both the Listener and HTTPRoute have specified hostnames, and none + match with the criteria above, then the HTTPRoute is not accepted. The + implementation must raise an 'Accepted' Condition with a status of + `False` in the corresponding RouteParentStatus. + + + In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. + overlapping wildcard matching and exact matching hostnames), precedence must + be given to rules from the HTTPRoute with the largest number of: + + + * Characters in a matching non-wildcard hostname. + * Characters in a matching hostname. + + + If ties exist across multiple Routes, the matching precedence rules for + HTTPRouteMatches takes over. + + + Support: Core + items: + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: |+ + ParentRefs references the resources (usually Gateways) that a Route wants + to be attached to. Note that the referenced parent resource needs to + allow this for the attachment to be complete. For Gateways, that means + the Gateway needs to allow attachment from Routes of this kind and + namespace. For Services, that means the Service must either be in the same + namespace for a "producer" route, or the mesh implementation must support + and allow "consumer" routes for the referenced Service. ReferenceGrant is + not applicable for governing ParentRefs to Services - it is not possible to + create a "producer" route for a Service in a different namespace from the + Route. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + + This API may be extended in the future to support additional kinds of parent + resources. + + + ParentRefs must be _distinct_. This means either that: + + + * They select different objects. If this is the case, then parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. + + + Some examples: + + + * If one ParentRef sets `sectionName`, all ParentRefs referencing the + same object must also set `sectionName`. + * If one ParentRef sets `port`, all ParentRefs referencing the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all ParentRefs + referencing the same object must also set `sectionName` and `port`. + + + It is possible to separately reference multiple distinct objects that may + be collapsed by an implementation. For example, some implementations may + choose to merge compatible Gateway Listeners together. If that is the + case, the list of routes attached to those resources should also be + merged. + + + Note that for ParentRefs that cross namespace boundaries, there are specific + rules. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example, + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable other kinds of cross-namespace reference. + + + + + + + + + items: + description: |- + ParentReference identifies an API object (usually a Gateway) that can be considered + a parent of this resource (usually a route). There are two kinds of parent resources + with "Core" support: + + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + + This API may be extended in the future to support additional kinds of parent + resources. + + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-validations: + - message: sectionName must be specified when parentRefs includes + 2 or more references to the same parent + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ + == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) ? ((!has(p1.sectionName) + || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName + == '''')) : true))' + - message: sectionName must be unique when parentRefs includes 2 or + more references to the same parent + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ + == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) + || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)))) + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: |- + HTTPRouteRule defines semantics for matching an HTTP request based on + conditions (matches), processing it (filters), and forwarding the request to + an API object (backendRefs). + properties: + backendRefs: + description: |- + BackendRefs defines the backend(s) where matching requests should be + sent. + + + Failure behavior here depends on how many BackendRefs are specified and + how many are invalid. + + + If *all* entries in BackendRefs are invalid, and there are also no filters + specified in this route rule, *all* traffic which matches this rule MUST + receive a 500 status code. + + + See the HTTPBackendRef definition for the rules about what makes a single + HTTPBackendRef invalid. + + + When a HTTPBackendRef is invalid, 500 status codes MUST be returned for + requests that would have otherwise been routed to an invalid backend. If + multiple backends are specified, and some are invalid, the proportion of + requests that would otherwise have been routed to an invalid backend + MUST receive a 500 status code. + + + For example, if two backends are specified with equal weights, and one is + invalid, 50 percent of traffic must receive a 500. Implementations may + choose how that 50 percent is determined. + + + Support: Core for Kubernetes Service + + + Support: Extended for Kubernetes ServiceImport + + + Support: Implementation-specific for any other resource + + + Support for weight: Core + items: + description: |- + HTTPBackendRef defines how a HTTPRoute forwards a HTTP request. + + + Note that when a namespace different than the local namespace is specified, a + ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + + + + When the BackendRef points to a Kubernetes Service, implementations SHOULD + honor the appProtocol field if it is set for the target Service Port. + + + Implementations supporting appProtocol SHOULD recognize the Kubernetes + Standard Application Protocols defined in KEP-3726. + + + If a Service appProtocol isn't specified, an implementation MAY infer the + backend protocol through its own means. Implementations MAY infer the + protocol from the Route type referring to the backend Service. + + + If a Route is not able to send traffic to the backend using the specified + protocol then the backend is considered invalid. Implementations MUST set the + "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + + + + properties: + filters: + description: |- + Filters defined at this level should be executed if and only if the + request is being forwarded to the backend defined here. + + + Support: Implementation-specific (For broader support of filters, use the + Filters field in HTTPRouteRule.) + items: + description: |- + HTTPRouteFilter defines processing steps that must be completed during the + request or response lifecycle. HTTPRouteFilters are meant as an extension + point to express processing that may be done in Gateway implementations. Some + examples include request or response modification, implementing + authentication strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: |- + ExtensionRef is an optional, implementation-specific extension to the + "filter" behavior. For example, resource "myroutefilter" in group + "networking.example.net"). ExtensionRef MUST NOT be used for core and + extended filters. + + + This filter can be used multiple times within the same rule. + + + Support: Implementation-specific + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For + example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: |- + RequestHeaderModifier defines a schema for a filter that modifies request + headers. + + + Support: Core + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + add: + - name: "my-header" + value: "bar,baz" + + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + + Config: + remove: ["my-header1", "my-header3"] + + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + set: + - name: "my-header" + value: "bar" + + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: |- + RequestMirror defines a schema for a filter that mirrors requests. + Requests are sent to the specified destination, but responses from + that destination are ignored. + + + This filter can be used multiple times within the same rule. Note that + not all implementations will be able to support mirroring to multiple + backends. + + + Support: Extended + properties: + backendRef: + description: |- + BackendRef references a resource where mirrored requests are sent. + + + Mirrored requests must be sent only to a single destination endpoint + within this BackendRef, irrespective of how many endpoints are present + within this BackendRef. + + + If the referent cannot be found, this BackendRef is invalid and must be + dropped from the Gateway. The controller must ensure the "ResolvedRefs" + condition on the Route status is set to `status: False` and not configure + this backend in the underlying implementation. + + + If there is a cross-namespace reference to an *existing* object + that is not allowed by a ReferenceGrant, the controller must ensure the + "ResolvedRefs" condition on the Route is set to `status: False`, + with the "RefNotPermitted" reason and not configure this backend in the + underlying implementation. + + + In either error case, the Message of the `ResolvedRefs` Condition + should be used to provide more detail about the problem. + + + Support: Extended for Kubernetes Service + + + Support: Implementation-specific for any other resource + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + + Support: Core (Services with a type other than ExternalName) + + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind + == ''Service'') ? has(self.port) : true' + required: + - backendRef + type: object + requestRedirect: + description: |- + RequestRedirect defines a schema for a filter that responds to the + request with an HTTP redirection. + + + Support: Core + properties: + hostname: + description: |- + Hostname is the hostname to be used in the value of the `Location` + header in the response. + When empty, the hostname in the `Host` header of the request is used. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines parameters used to modify the path of the incoming request. + The modified path is then used to construct the `Location` header. When + empty, the request path is used as-is. + + + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". + + + Note that this matches the behavior of the PathPrefix match type. This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. + + + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. + Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. + + + Request Path | Prefix Match | Replace Prefix | Modified Path + -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | /xyz/bar + /foo/bar | /foo | /xyz/ | /xyz/bar + /foo/bar | /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | /xyz/bar + /foo | /foo | /xyz | /xyz + /foo/ | /foo | /xyz | /xyz/ + /foo/bar | /foo | | /bar + /foo/ | /foo | | / + /foo | /foo | | / + /foo/ | /foo | / | / + /foo | /foo | / | / + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. + + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified + when type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? + has(self.replaceFullPath) : true' + - message: type must be 'ReplaceFullPath' when + replaceFullPath is set + rule: 'has(self.replaceFullPath) ? self.type + == ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified + when type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' + ? has(self.replacePrefixMatch) : true' + - message: type must be 'ReplacePrefixMatch' + when replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? self.type + == ''ReplacePrefixMatch'' : true' + port: + description: |- + Port is the port to be used in the value of the `Location` + header in the response. + + + If no port is specified, the redirect port MUST be derived using the + following rules: + + + * If redirect scheme is not-empty, the redirect port MUST be the well-known + port associated with the redirect scheme. Specifically "http" to port 80 + and "https" to port 443. If the redirect scheme does not have a + well-known port, the listener port of the Gateway SHOULD be used. + * If redirect scheme is empty, the redirect port MUST be the Gateway + Listener port. + + + Implementations SHOULD NOT add the port number in the 'Location' + header in the following cases: + + + * A Location header that will use HTTP (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 80. + * A Location header that will use HTTPS (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 443. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: |- + Scheme is the scheme to be used in the value of the `Location` header in + the response. When empty, the scheme of the request is used. + + + Scheme redirects can affect the port of the redirect, for more information, + refer to the documentation for the port field of this filter. + + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + + + Support: Extended + enum: + - http + - https + type: string + statusCode: + default: 302 + description: |- + StatusCode is the HTTP status code to be used in response. + + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + + + Support: Core + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies response + headers. + + + Support: Extended + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + add: + - name: "my-header" + value: "bar,baz" + + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + + Config: + remove: ["my-header1", "my-header3"] + + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + set: + - name: "my-header" + value: "bar" + + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: |- + Type identifies the type of filter to apply. As with other API fields, + types are classified into three conformance levels: + + + - Core: Filter types and their corresponding configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". All + implementations must support core filters. + + + - Extended: Filter types and their corresponding configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. + + + - Implementation-specific: Filters that are defined and supported by + specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` should be set to + "ExtensionRef" for custom filters. + + + Implementers are encouraged to define custom implementation types to + extend the core API with implementation-specific behavior. + + + If a reference to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have been processed by + that filter MUST receive a HTTP error response. + + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: |- + URLRewrite defines a schema for a filter that modifies a request during forwarding. + + + Support: Extended + properties: + hostname: + description: |- + Hostname is the value to be used to replace the Host header value during + forwarding. + + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines a path rewrite. + + + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". + + + Note that this matches the behavior of the PathPrefix match type. This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. + + + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. + Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. + + + Request Path | Prefix Match | Replace Prefix | Modified Path + -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | /xyz/bar + /foo/bar | /foo | /xyz/ | /xyz/bar + /foo/bar | /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | /xyz/bar + /foo | /foo | /xyz | /xyz + /foo/ | /foo | /xyz | /xyz/ + /foo/bar | /foo | | /bar + /foo/ | /foo | | / + /foo | /foo | | / + /foo/ | /foo | / | / + /foo | /foo | / | / + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. + + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified + when type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? + has(self.replaceFullPath) : true' + - message: type must be 'ReplaceFullPath' when + replaceFullPath is set + rule: 'has(self.replaceFullPath) ? self.type + == ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified + when type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' + ? has(self.replacePrefixMatch) : true' + - message: type must be 'ReplacePrefixMatch' + when replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? self.type + == ''ReplacePrefixMatch'' : true' + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: filter.requestHeaderModifier must be nil + if the filter.type is not RequestHeaderModifier + rule: '!(has(self.requestHeaderModifier) && self.type + != ''RequestHeaderModifier'')' + - message: filter.requestHeaderModifier must be specified + for RequestHeaderModifier filter.type + rule: '!(!has(self.requestHeaderModifier) && self.type + == ''RequestHeaderModifier'')' + - message: filter.responseHeaderModifier must be nil + if the filter.type is not ResponseHeaderModifier + rule: '!(has(self.responseHeaderModifier) && self.type + != ''ResponseHeaderModifier'')' + - message: filter.responseHeaderModifier must be specified + for ResponseHeaderModifier filter.type + rule: '!(!has(self.responseHeaderModifier) && self.type + == ''ResponseHeaderModifier'')' + - message: filter.requestMirror must be nil if the filter.type + is not RequestMirror + rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' + - message: filter.requestMirror must be specified for + RequestMirror filter.type + rule: '!(!has(self.requestMirror) && self.type == + ''RequestMirror'')' + - message: filter.requestRedirect must be nil if the + filter.type is not RequestRedirect + rule: '!(has(self.requestRedirect) && self.type != + ''RequestRedirect'')' + - message: filter.requestRedirect must be specified + for RequestRedirect filter.type + rule: '!(!has(self.requestRedirect) && self.type == + ''RequestRedirect'')' + - message: filter.urlRewrite must be nil if the filter.type + is not URLRewrite + rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')' + - message: filter.urlRewrite must be specified for URLRewrite + filter.type + rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')' + - message: filter.extensionRef must be nil if the filter.type + is not ExtensionRef + rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' + - message: filter.extensionRef must be specified for + ExtensionRef filter.type + rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' + maxItems: 16 + type: array + x-kubernetes-validations: + - message: May specify either httpRouteFilterRequestRedirect + or httpRouteFilterRequestRewrite, but not both + rule: '!(self.exists(f, f.type == ''RequestRedirect'') + && self.exists(f, f.type == ''URLRewrite''))' + - message: May specify either httpRouteFilterRequestRedirect + or httpRouteFilterRequestRewrite, but not both + rule: '!(self.exists(f, f.type == ''RequestRedirect'') + && self.exists(f, f.type == ''URLRewrite''))' + - message: RequestHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'RequestHeaderModifier').size() + <= 1 + - message: ResponseHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() + <= 1 + - message: RequestRedirect filter cannot be repeated + rule: self.filter(f, f.type == 'RequestRedirect').size() + <= 1 + - message: URLRewrite filter cannot be repeated + rule: self.filter(f, f.type == 'URLRewrite').size() + <= 1 + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + + Support: Core (Services with a type other than ExternalName) + + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: |- + Weight specifies the proportion of requests forwarded to the referenced + backend. This is computed as weight/(sum of all weights in this + BackendRefs list). For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision an + implementation supports. Weight is not a percentage and the sum of + weights does not need to equal 100. + + + If only one backend is specified and it has a weight greater than 0, 100% + of the traffic is forwarded to that backend. If weight is set to 0, no + traffic should be forwarded for this entry. If unspecified, weight + defaults to 1. + + + Support for this field varies based on the context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + maxItems: 16 + type: array + filters: + description: |- + Filters define the filters that are applied to requests that match + this rule. + + + Wherever possible, implementations SHOULD implement filters in the order + they are specified. + + + Implementations MAY choose to implement this ordering strictly, rejecting + any combination or order of filters that can not be supported. If implementations + choose a strict interpretation of filter ordering, they MUST clearly document + that behavior. + + + To reject an invalid combination or order of filters, implementations SHOULD + consider the Route Rules with this configuration invalid. If all Route Rules + in a Route are invalid, the entire Route would be considered invalid. If only + a portion of Route Rules are invalid, implementations MUST set the + "PartiallyInvalid" condition for the Route. + + + Conformance-levels at this level are defined based on the type of filter: + + + - ALL core filters MUST be supported by all implementations. + - Implementers are encouraged to support extended filters. + - Implementation-specific custom filters have no API guarantees across + implementations. + + + Specifying the same filter multiple times is not supported unless explicitly + indicated in the filter. + + + All filters are expected to be compatible with each other except for the + URLRewrite and RequestRedirect filters, which may not be combined. If an + implementation can not support other combinations of filters, they must clearly + document that limitation. In cases where incompatible or unsupported + filters are specified and cause the `Accepted` condition to be set to status + `False`, implementations may use the `IncompatibleFilters` reason to specify + this configuration error. + + + Support: Core + items: + description: |- + HTTPRouteFilter defines processing steps that must be completed during the + request or response lifecycle. HTTPRouteFilters are meant as an extension + point to express processing that may be done in Gateway implementations. Some + examples include request or response modification, implementing + authentication strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: |- + ExtensionRef is an optional, implementation-specific extension to the + "filter" behavior. For example, resource "myroutefilter" in group + "networking.example.net"). ExtensionRef MUST NOT be used for core and + extended filters. + + + This filter can be used multiple times within the same rule. + + + Support: Implementation-specific + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: |- + RequestHeaderModifier defines a schema for a filter that modifies request + headers. + + + Support: Core + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + add: + - name: "my-header" + value: "bar,baz" + + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + + Config: + remove: ["my-header1", "my-header3"] + + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + set: + - name: "my-header" + value: "bar" + + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: |- + RequestMirror defines a schema for a filter that mirrors requests. + Requests are sent to the specified destination, but responses from + that destination are ignored. + + + This filter can be used multiple times within the same rule. Note that + not all implementations will be able to support mirroring to multiple + backends. + + + Support: Extended + properties: + backendRef: + description: |- + BackendRef references a resource where mirrored requests are sent. + + + Mirrored requests must be sent only to a single destination endpoint + within this BackendRef, irrespective of how many endpoints are present + within this BackendRef. + + + If the referent cannot be found, this BackendRef is invalid and must be + dropped from the Gateway. The controller must ensure the "ResolvedRefs" + condition on the Route status is set to `status: False` and not configure + this backend in the underlying implementation. + + + If there is a cross-namespace reference to an *existing* object + that is not allowed by a ReferenceGrant, the controller must ensure the + "ResolvedRefs" condition on the Route is set to `status: False`, + with the "RefNotPermitted" reason and not configure this backend in the + underlying implementation. + + + In either error case, the Message of the `ResolvedRefs` Condition + should be used to provide more detail about the problem. + + + Support: Extended for Kubernetes Service + + + Support: Implementation-specific for any other resource + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + + Support: Core (Services with a type other than ExternalName) + + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + required: + - backendRef + type: object + requestRedirect: + description: |- + RequestRedirect defines a schema for a filter that responds to the + request with an HTTP redirection. + + + Support: Core + properties: + hostname: + description: |- + Hostname is the hostname to be used in the value of the `Location` + header in the response. + When empty, the hostname in the `Host` header of the request is used. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines parameters used to modify the path of the incoming request. + The modified path is then used to construct the `Location` header. When + empty, the request path is used as-is. + + + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". + + + Note that this matches the behavior of the PathPrefix match type. This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. + + + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. + Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. + + + Request Path | Prefix Match | Replace Prefix | Modified Path + -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | /xyz/bar + /foo/bar | /foo | /xyz/ | /xyz/bar + /foo/bar | /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | /xyz/bar + /foo | /foo | /xyz | /xyz + /foo/ | /foo | /xyz | /xyz/ + /foo/bar | /foo | | /bar + /foo/ | /foo | | / + /foo | /foo | | / + /foo/ | /foo | / | / + /foo | /foo | / | / + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. + + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified when + type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath) + : true' + - message: type must be 'ReplaceFullPath' when replaceFullPath + is set + rule: 'has(self.replaceFullPath) ? self.type == + ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified when + type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch) + : true' + - message: type must be 'ReplacePrefixMatch' when + replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? self.type + == ''ReplacePrefixMatch'' : true' + port: + description: |- + Port is the port to be used in the value of the `Location` + header in the response. + + + If no port is specified, the redirect port MUST be derived using the + following rules: + + + * If redirect scheme is not-empty, the redirect port MUST be the well-known + port associated with the redirect scheme. Specifically "http" to port 80 + and "https" to port 443. If the redirect scheme does not have a + well-known port, the listener port of the Gateway SHOULD be used. + * If redirect scheme is empty, the redirect port MUST be the Gateway + Listener port. + + + Implementations SHOULD NOT add the port number in the 'Location' + header in the following cases: + + + * A Location header that will use HTTP (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 80. + * A Location header that will use HTTPS (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 443. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: |- + Scheme is the scheme to be used in the value of the `Location` header in + the response. When empty, the scheme of the request is used. + + + Scheme redirects can affect the port of the redirect, for more information, + refer to the documentation for the port field of this filter. + + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + + + Support: Extended + enum: + - http + - https + type: string + statusCode: + default: 302 + description: |- + StatusCode is the HTTP status code to be used in response. + + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + + + Support: Core + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies response + headers. + + + Support: Extended + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + add: + - name: "my-header" + value: "bar,baz" + + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + + Config: + remove: ["my-header1", "my-header3"] + + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + set: + - name: "my-header" + value: "bar" + + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: |- + Type identifies the type of filter to apply. As with other API fields, + types are classified into three conformance levels: + + + - Core: Filter types and their corresponding configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". All + implementations must support core filters. + + + - Extended: Filter types and their corresponding configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. + + + - Implementation-specific: Filters that are defined and supported by + specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` should be set to + "ExtensionRef" for custom filters. + + + Implementers are encouraged to define custom implementation types to + extend the core API with implementation-specific behavior. + + + If a reference to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have been processed by + that filter MUST receive a HTTP error response. + + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: |- + URLRewrite defines a schema for a filter that modifies a request during forwarding. + + + Support: Extended + properties: + hostname: + description: |- + Hostname is the value to be used to replace the Host header value during + forwarding. + + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines a path rewrite. + + + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". + + + Note that this matches the behavior of the PathPrefix match type. This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. + + + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. + Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. + + + Request Path | Prefix Match | Replace Prefix | Modified Path + -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | /xyz/bar + /foo/bar | /foo | /xyz/ | /xyz/bar + /foo/bar | /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | /xyz/bar + /foo | /foo | /xyz | /xyz + /foo/ | /foo | /xyz | /xyz/ + /foo/bar | /foo | | /bar + /foo/ | /foo | | / + /foo | /foo | | / + /foo/ | /foo | / | / + /foo | /foo | / | / + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. + + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified when + type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath) + : true' + - message: type must be 'ReplaceFullPath' when replaceFullPath + is set + rule: 'has(self.replaceFullPath) ? self.type == + ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified when + type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch) + : true' + - message: type must be 'ReplacePrefixMatch' when + replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? self.type + == ''ReplacePrefixMatch'' : true' + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: filter.requestHeaderModifier must be nil if the + filter.type is not RequestHeaderModifier + rule: '!(has(self.requestHeaderModifier) && self.type != + ''RequestHeaderModifier'')' + - message: filter.requestHeaderModifier must be specified + for RequestHeaderModifier filter.type + rule: '!(!has(self.requestHeaderModifier) && self.type == + ''RequestHeaderModifier'')' + - message: filter.responseHeaderModifier must be nil if the + filter.type is not ResponseHeaderModifier + rule: '!(has(self.responseHeaderModifier) && self.type != + ''ResponseHeaderModifier'')' + - message: filter.responseHeaderModifier must be specified + for ResponseHeaderModifier filter.type + rule: '!(!has(self.responseHeaderModifier) && self.type + == ''ResponseHeaderModifier'')' + - message: filter.requestMirror must be nil if the filter.type + is not RequestMirror + rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' + - message: filter.requestMirror must be specified for RequestMirror + filter.type + rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')' + - message: filter.requestRedirect must be nil if the filter.type + is not RequestRedirect + rule: '!(has(self.requestRedirect) && self.type != ''RequestRedirect'')' + - message: filter.requestRedirect must be specified for RequestRedirect + filter.type + rule: '!(!has(self.requestRedirect) && self.type == ''RequestRedirect'')' + - message: filter.urlRewrite must be nil if the filter.type + is not URLRewrite + rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')' + - message: filter.urlRewrite must be specified for URLRewrite + filter.type + rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')' + - message: filter.extensionRef must be nil if the filter.type + is not ExtensionRef + rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' + - message: filter.extensionRef must be specified for ExtensionRef + filter.type + rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' + maxItems: 16 + type: array + x-kubernetes-validations: + - message: May specify either httpRouteFilterRequestRedirect + or httpRouteFilterRequestRewrite, but not both + rule: '!(self.exists(f, f.type == ''RequestRedirect'') && + self.exists(f, f.type == ''URLRewrite''))' + - message: RequestHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'RequestHeaderModifier').size() + <= 1 + - message: ResponseHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() + <= 1 + - message: RequestRedirect filter cannot be repeated + rule: self.filter(f, f.type == 'RequestRedirect').size() <= + 1 + - message: URLRewrite filter cannot be repeated + rule: self.filter(f, f.type == 'URLRewrite').size() <= 1 + matches: + default: + - path: + type: PathPrefix + value: / + description: |- + Matches define conditions used for matching the rule against incoming + HTTP requests. Each match is independent, i.e. this rule will be matched + if **any** one of the matches is satisfied. + + + For example, take the following matches configuration: + + + ``` + matches: + - path: + value: "/foo" + headers: + - name: "version" + value: "v2" + - path: + value: "/v2/foo" + ``` + + + For a request to match against this rule, a request must satisfy + EITHER of the two conditions: + + + - path prefixed with `/foo` AND contains the header `version: v2` + - path prefix of `/v2/foo` + + + See the documentation for HTTPRouteMatch on how to specify multiple + match conditions that should be ANDed together. + + + If no matches are specified, the default is a prefix + path match on "/", which has the effect of matching every + HTTP request. + + + Proxy or Load Balancer routing configuration generated from HTTPRoutes + MUST prioritize matches based on the following criteria, continuing on + ties. Across all rules specified on applicable Routes, precedence must be + given to the match having: + + + * "Exact" path match. + * "Prefix" path match with largest number of characters. + * Method match. + * Largest number of header matches. + * Largest number of query param matches. + + + Note: The precedence of RegularExpression path matches are implementation-specific. + + + If ties still exist across multiple Routes, matching precedence MUST be + determined in order of the following criteria, continuing on ties: + + + * The oldest Route based on creation timestamp. + * The Route appearing first in alphabetical order by + "{namespace}/{name}". + + + If ties still exist within an HTTPRoute, matching precedence MUST be granted + to the FIRST matching rule (in list order) with a match meeting the above + criteria. + + + When no rules matching a request have been successfully attached to the + parent a request is coming from, a HTTP 404 status code MUST be returned. + items: + description: "HTTPRouteMatch defines the predicate used to + match requests to a given\naction. Multiple match types + are ANDed together, i.e. the match will\nevaluate to true + only if all conditions are satisfied.\n\n\nFor example, + the match below will match a HTTP request only if its path\nstarts + with `/foo` AND it contains the `version: v1` header:\n\n\n```\nmatch:\n\n\n\tpath:\n\t + \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t + \ value \"v1\"\n\n\n```" + properties: + headers: + description: |- + Headers specifies HTTP request header matchers. Multiple match values are + ANDed together, meaning, a request must match all the specified headers + to select the route. + items: + description: |- + HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request + headers. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + + + When a header is repeated in an HTTP request, it is + implementation-specific behavior as to how this is represented. + Generally, proxies should follow the guidance from the RFC: + https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding + processing a repeated header, with special handling for "Set-Cookie". + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: |- + Type specifies how to match against the value of the header. + + + Support: Core (Exact) + + + Support: Implementation-specific (RegularExpression) + + + Since RegularExpression HeaderMatchType has implementation-specific + conformance, implementations can support POSIX, PCRE or any other dialects + of regular expressions. Please read the implementation's documentation to + determine the supported dialect. + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to + be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: |- + Method specifies HTTP method matcher. + When specified, this route will be matched only if the request has the + specified method. + + + Support: Extended + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: |- + Path specifies a HTTP request path matcher. If this field is not + specified, a default prefix match on the "/" path is provided. + properties: + type: + default: PathPrefix + description: |- + Type specifies how to match against the path Value. + + + Support: Core (Exact, PathPrefix) + + + Support: Implementation-specific (RegularExpression) + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + x-kubernetes-validations: + - message: value must be an absolute path and start with + '/' when type one of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.startsWith(''/'') + : true' + - message: must not contain '//' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''//'') + : true' + - message: must not contain '/./' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/./'') + : true' + - message: must not contain '/../' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/../'') + : true' + - message: must not contain '%2f' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2f'') + : true' + - message: must not contain '%2F' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2F'') + : true' + - message: must not contain '#' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''#'') + : true' + - message: must not end with '/..' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/..'') + : true' + - message: must not end with '/.' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/.'') + : true' + - message: type must be one of ['Exact', 'PathPrefix', + 'RegularExpression'] + rule: self.type in ['Exact','PathPrefix'] || self.type + == 'RegularExpression' + - message: must only contain valid characters (matching + ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$) + for types ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") + : true' + queryParams: + description: |- + QueryParams specifies HTTP query parameter matchers. Multiple match + values are ANDed together, meaning, a request must match all the + specified query parameters to select the route. + + + Support: Extended + items: + description: |- + HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP + query parameters. + properties: + name: + description: |- + Name is the name of the HTTP query param to be matched. This must be an + exact string match. (See + https://tools.ietf.org/html/rfc7230#section-2.7.3). + + + If multiple entries specify equivalent query param names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent query param name MUST be ignored. + + + If a query param is repeated in an HTTP request, the behavior is + purposely left undefined, since different data planes have different + capabilities. However, it is *recommended* that implementations should + match against the first value of the param if the data plane supports it, + as this behavior is expected in other load balancing contexts outside of + the Gateway API. + + + Users SHOULD NOT route traffic based on repeated query params to guard + themselves against potential differences in the implementations. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: |- + Type specifies how to match against the value of the query parameter. + + + Support: Extended (Exact) + + + Support: Implementation-specific (RegularExpression) + + + Since RegularExpression QueryParamMatchType has Implementation-specific + conformance, implementations can support POSIX, PCRE or any other + dialects of regular expressions. Please read the implementation's + documentation to determine the supported dialect. + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param + to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + x-kubernetes-validations: + - message: RequestRedirect filter must not be used together with + backendRefs + rule: '(has(self.backendRefs) && size(self.backendRefs) > 0) ? + (!has(self.filters) || self.filters.all(f, !has(f.requestRedirect))): + true' + - message: When using RequestRedirect filter with path.replacePrefixMatch, + exactly one PathPrefix match must be specified + rule: '(has(self.filters) && self.filters.exists_one(f, has(f.requestRedirect) + && has(f.requestRedirect.path) && f.requestRedirect.path.type + == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch))) + ? ((size(self.matches) != 1 || !has(self.matches[0].path) || + self.matches[0].path.type != ''PathPrefix'') ? false : true) + : true' + - message: When using URLRewrite filter with path.replacePrefixMatch, + exactly one PathPrefix match must be specified + rule: '(has(self.filters) && self.filters.exists_one(f, has(f.urlRewrite) + && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch'' + && has(f.urlRewrite.path.replacePrefixMatch))) ? ((size(self.matches) + != 1 || !has(self.matches[0].path) || self.matches[0].path.type + != ''PathPrefix'') ? false : true) : true' + - message: Within backendRefs, when using RequestRedirect filter + with path.replacePrefixMatch, exactly one PathPrefix match must + be specified + rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b, + (has(b.filters) && b.filters.exists_one(f, has(f.requestRedirect) + && has(f.requestRedirect.path) && f.requestRedirect.path.type + == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch))) + )) ? ((size(self.matches) != 1 || !has(self.matches[0].path) + || self.matches[0].path.type != ''PathPrefix'') ? false : true) + : true' + - message: Within backendRefs, When using URLRewrite filter with + path.replacePrefixMatch, exactly one PathPrefix match must be + specified + rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b, + (has(b.filters) && b.filters.exists_one(f, has(f.urlRewrite) + && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch'' + && has(f.urlRewrite.path.replacePrefixMatch))) )) ? ((size(self.matches) + != 1 || !has(self.matches[0].path) || self.matches[0].path.type + != ''PathPrefix'') ? false : true) : true' + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: |- + Parents is a list of parent resources (usually Gateways) that are + associated with the route, and the status of the route with respect to + each parent. When this route attaches to a parent, the controller that + manages the parent must add an entry to this list when the controller + first sees the route and should update the entry as appropriate when the + route or gateway is modified. + + + Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this API + can only populate Route status for the Gateways/parent resources they are + responsible for. + + + A maximum of 32 Gateways will be represented in this list. An empty list + means the route has not been attached to any Gateway. + items: + description: |- + RouteParentStatus describes the status of a route with respect to an + associated Parent. + properties: + conditions: + description: |- + Conditions describes the status of the route with respect to the Gateway. + Note that the route's availability is also subject to the Gateway's own + status conditions and listener status. + + + If the Route's ParentRef specifies an existing Gateway that supports + Routes of this kind AND that Gateway's controller has sufficient access, + then that Gateway's controller MUST set the "Accepted" condition on the + Route, to indicate whether the route has been accepted or rejected by the + Gateway, and why. + + + A Route MUST be considered "Accepted" if at least one of the Route's + rules is implemented by the Gateway. + + + There are a number of cases where the "Accepted" condition may not be set + due to lack of controller visibility, that includes when: + + + * The Route refers to a non-existent parent. + * The Route is of a type that the controller does not support. + * The Route is in a namespace the controller does not have access to. + items: + description: "Condition contains details for one aspect of + the current state of this API Resource.\n---\nThis struct + is intended for direct use as an array at the field path + .status.conditions. For example,\n\n\n\ttype FooStatus + struct{\n\t // Represents the observations of a foo's + current state.\n\t // Known .status.conditions.type are: + \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // + +listType=map\n\t // +listMapKey=type\n\t Conditions + []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" + patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. + + + Example: "example.net/gateway-controller". + + + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: |- + ParentRef corresponds with a ParentRef in the spec that this + RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: |- + HTTPRoute provides a way to route HTTP requests. This includes the capability + to match requests by hostname, path, header, or query param. Filters can be + used to specify additional processing steps. Backends specify where matching + requests should be routed. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: |- + Hostnames defines a set of hostnames that should match against the HTTP Host + header to select a HTTPRoute used to process the request. Implementations + MUST ignore any port value specified in the HTTP Host header while + performing a match and (absent of any applicable header modification + configuration) MUST forward this header unmodified to the backend. + + + Valid values for Hostnames are determined by RFC 1123 definition of a + hostname with 2 notable exceptions: + + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + + If a hostname is specified by both the Listener and HTTPRoute, there + must be at least one intersecting hostname for the HTTPRoute to be + attached to the Listener. For example: + + + * A Listener with `test.example.com` as the hostname matches HTTPRoutes + that have either not specified any hostnames, or have specified at + least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches HTTPRoutes + that have either not specified any hostnames or have specified at least + one hostname that matches the Listener hostname. For example, + `*.example.com`, `test.example.com`, and `foo.test.example.com` would + all match. On the other hand, `example.com` and `test.example.net` would + not match. + + + Hostnames that are prefixed with a wildcard label (`*.`) are interpreted + as a suffix match. That means that a match for `*.example.com` would match + both `test.example.com`, and `foo.test.example.com`, but not `example.com`. + + + If both the Listener and HTTPRoute have specified hostnames, any + HTTPRoute hostnames that do not match the Listener hostname MUST be + ignored. For example, if a Listener specified `*.example.com`, and the + HTTPRoute specified `test.example.com` and `test.example.net`, + `test.example.net` must not be considered for a match. + + + If both the Listener and HTTPRoute have specified hostnames, and none + match with the criteria above, then the HTTPRoute is not accepted. The + implementation must raise an 'Accepted' Condition with a status of + `False` in the corresponding RouteParentStatus. + + + In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. + overlapping wildcard matching and exact matching hostnames), precedence must + be given to rules from the HTTPRoute with the largest number of: + + + * Characters in a matching non-wildcard hostname. + * Characters in a matching hostname. + + + If ties exist across multiple Routes, the matching precedence rules for + HTTPRouteMatches takes over. + + + Support: Core + items: + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: |+ + ParentRefs references the resources (usually Gateways) that a Route wants + to be attached to. Note that the referenced parent resource needs to + allow this for the attachment to be complete. For Gateways, that means + the Gateway needs to allow attachment from Routes of this kind and + namespace. For Services, that means the Service must either be in the same + namespace for a "producer" route, or the mesh implementation must support + and allow "consumer" routes for the referenced Service. ReferenceGrant is + not applicable for governing ParentRefs to Services - it is not possible to + create a "producer" route for a Service in a different namespace from the + Route. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + + This API may be extended in the future to support additional kinds of parent + resources. + + + ParentRefs must be _distinct_. This means either that: + + + * They select different objects. If this is the case, then parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. + + + Some examples: + + + * If one ParentRef sets `sectionName`, all ParentRefs referencing the + same object must also set `sectionName`. + * If one ParentRef sets `port`, all ParentRefs referencing the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all ParentRefs + referencing the same object must also set `sectionName` and `port`. + + + It is possible to separately reference multiple distinct objects that may + be collapsed by an implementation. For example, some implementations may + choose to merge compatible Gateway Listeners together. If that is the + case, the list of routes attached to those resources should also be + merged. + + + Note that for ParentRefs that cross namespace boundaries, there are specific + rules. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example, + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable other kinds of cross-namespace reference. + + + + + + + + + items: + description: |- + ParentReference identifies an API object (usually a Gateway) that can be considered + a parent of this resource (usually a route). There are two kinds of parent resources + with "Core" support: + + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + + This API may be extended in the future to support additional kinds of parent + resources. + + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-validations: + - message: sectionName must be specified when parentRefs includes + 2 or more references to the same parent + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ + == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) ? ((!has(p1.sectionName) + || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName + == '''')) : true))' + - message: sectionName must be unique when parentRefs includes 2 or + more references to the same parent + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ + == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) + || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)))) + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: |- + HTTPRouteRule defines semantics for matching an HTTP request based on + conditions (matches), processing it (filters), and forwarding the request to + an API object (backendRefs). + properties: + backendRefs: + description: |- + BackendRefs defines the backend(s) where matching requests should be + sent. + + + Failure behavior here depends on how many BackendRefs are specified and + how many are invalid. + + + If *all* entries in BackendRefs are invalid, and there are also no filters + specified in this route rule, *all* traffic which matches this rule MUST + receive a 500 status code. + + + See the HTTPBackendRef definition for the rules about what makes a single + HTTPBackendRef invalid. + + + When a HTTPBackendRef is invalid, 500 status codes MUST be returned for + requests that would have otherwise been routed to an invalid backend. If + multiple backends are specified, and some are invalid, the proportion of + requests that would otherwise have been routed to an invalid backend + MUST receive a 500 status code. + + + For example, if two backends are specified with equal weights, and one is + invalid, 50 percent of traffic must receive a 500. Implementations may + choose how that 50 percent is determined. + + + Support: Core for Kubernetes Service + + + Support: Extended for Kubernetes ServiceImport + + + Support: Implementation-specific for any other resource + + + Support for weight: Core + items: + description: |- + HTTPBackendRef defines how a HTTPRoute forwards a HTTP request. + + + Note that when a namespace different than the local namespace is specified, a + ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + + + + When the BackendRef points to a Kubernetes Service, implementations SHOULD + honor the appProtocol field if it is set for the target Service Port. + + + Implementations supporting appProtocol SHOULD recognize the Kubernetes + Standard Application Protocols defined in KEP-3726. + + + If a Service appProtocol isn't specified, an implementation MAY infer the + backend protocol through its own means. Implementations MAY infer the + protocol from the Route type referring to the backend Service. + + + If a Route is not able to send traffic to the backend using the specified + protocol then the backend is considered invalid. Implementations MUST set the + "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + + + + properties: + filters: + description: |- + Filters defined at this level should be executed if and only if the + request is being forwarded to the backend defined here. + + + Support: Implementation-specific (For broader support of filters, use the + Filters field in HTTPRouteRule.) + items: + description: |- + HTTPRouteFilter defines processing steps that must be completed during the + request or response lifecycle. HTTPRouteFilters are meant as an extension + point to express processing that may be done in Gateway implementations. Some + examples include request or response modification, implementing + authentication strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: |- + ExtensionRef is an optional, implementation-specific extension to the + "filter" behavior. For example, resource "myroutefilter" in group + "networking.example.net"). ExtensionRef MUST NOT be used for core and + extended filters. + + + This filter can be used multiple times within the same rule. + + + Support: Implementation-specific + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For + example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: |- + RequestHeaderModifier defines a schema for a filter that modifies request + headers. + + + Support: Core + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + add: + - name: "my-header" + value: "bar,baz" + + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + + Config: + remove: ["my-header1", "my-header3"] + + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + set: + - name: "my-header" + value: "bar" + + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: |- + RequestMirror defines a schema for a filter that mirrors requests. + Requests are sent to the specified destination, but responses from + that destination are ignored. + + + This filter can be used multiple times within the same rule. Note that + not all implementations will be able to support mirroring to multiple + backends. + + + Support: Extended + properties: + backendRef: + description: |- + BackendRef references a resource where mirrored requests are sent. + + + Mirrored requests must be sent only to a single destination endpoint + within this BackendRef, irrespective of how many endpoints are present + within this BackendRef. + + + If the referent cannot be found, this BackendRef is invalid and must be + dropped from the Gateway. The controller must ensure the "ResolvedRefs" + condition on the Route status is set to `status: False` and not configure + this backend in the underlying implementation. + + + If there is a cross-namespace reference to an *existing* object + that is not allowed by a ReferenceGrant, the controller must ensure the + "ResolvedRefs" condition on the Route is set to `status: False`, + with the "RefNotPermitted" reason and not configure this backend in the + underlying implementation. + + + In either error case, the Message of the `ResolvedRefs` Condition + should be used to provide more detail about the problem. + + + Support: Extended for Kubernetes Service + + + Support: Implementation-specific for any other resource + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + + Support: Core (Services with a type other than ExternalName) + + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind + == ''Service'') ? has(self.port) : true' + required: + - backendRef + type: object + requestRedirect: + description: |- + RequestRedirect defines a schema for a filter that responds to the + request with an HTTP redirection. + + + Support: Core + properties: + hostname: + description: |- + Hostname is the hostname to be used in the value of the `Location` + header in the response. + When empty, the hostname in the `Host` header of the request is used. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines parameters used to modify the path of the incoming request. + The modified path is then used to construct the `Location` header. When + empty, the request path is used as-is. + + + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". + + + Note that this matches the behavior of the PathPrefix match type. This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. + + + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. + Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. + + + Request Path | Prefix Match | Replace Prefix | Modified Path + -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | /xyz/bar + /foo/bar | /foo | /xyz/ | /xyz/bar + /foo/bar | /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | /xyz/bar + /foo | /foo | /xyz | /xyz + /foo/ | /foo | /xyz | /xyz/ + /foo/bar | /foo | | /bar + /foo/ | /foo | | / + /foo | /foo | | / + /foo/ | /foo | / | / + /foo | /foo | / | / + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. + + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified + when type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? + has(self.replaceFullPath) : true' + - message: type must be 'ReplaceFullPath' when + replaceFullPath is set + rule: 'has(self.replaceFullPath) ? self.type + == ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified + when type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' + ? has(self.replacePrefixMatch) : true' + - message: type must be 'ReplacePrefixMatch' + when replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? self.type + == ''ReplacePrefixMatch'' : true' + port: + description: |- + Port is the port to be used in the value of the `Location` + header in the response. + + + If no port is specified, the redirect port MUST be derived using the + following rules: + + + * If redirect scheme is not-empty, the redirect port MUST be the well-known + port associated with the redirect scheme. Specifically "http" to port 80 + and "https" to port 443. If the redirect scheme does not have a + well-known port, the listener port of the Gateway SHOULD be used. + * If redirect scheme is empty, the redirect port MUST be the Gateway + Listener port. + + + Implementations SHOULD NOT add the port number in the 'Location' + header in the following cases: + + + * A Location header that will use HTTP (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 80. + * A Location header that will use HTTPS (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 443. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: |- + Scheme is the scheme to be used in the value of the `Location` header in + the response. When empty, the scheme of the request is used. + + + Scheme redirects can affect the port of the redirect, for more information, + refer to the documentation for the port field of this filter. + + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + + + Support: Extended + enum: + - http + - https + type: string + statusCode: + default: 302 + description: |- + StatusCode is the HTTP status code to be used in response. + + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + + + Support: Core + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies response + headers. + + + Support: Extended + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + add: + - name: "my-header" + value: "bar,baz" + + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + + Config: + remove: ["my-header1", "my-header3"] + + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + set: + - name: "my-header" + value: "bar" + + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: |- + Type identifies the type of filter to apply. As with other API fields, + types are classified into three conformance levels: + + + - Core: Filter types and their corresponding configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". All + implementations must support core filters. + + + - Extended: Filter types and their corresponding configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. + + + - Implementation-specific: Filters that are defined and supported by + specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` should be set to + "ExtensionRef" for custom filters. + + + Implementers are encouraged to define custom implementation types to + extend the core API with implementation-specific behavior. + + + If a reference to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have been processed by + that filter MUST receive a HTTP error response. + + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: |- + URLRewrite defines a schema for a filter that modifies a request during forwarding. + + + Support: Extended + properties: + hostname: + description: |- + Hostname is the value to be used to replace the Host header value during + forwarding. + + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines a path rewrite. + + + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". + + + Note that this matches the behavior of the PathPrefix match type. This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. + + + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. + Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. + + + Request Path | Prefix Match | Replace Prefix | Modified Path + -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | /xyz/bar + /foo/bar | /foo | /xyz/ | /xyz/bar + /foo/bar | /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | /xyz/bar + /foo | /foo | /xyz | /xyz + /foo/ | /foo | /xyz | /xyz/ + /foo/bar | /foo | | /bar + /foo/ | /foo | | / + /foo | /foo | | / + /foo/ | /foo | / | / + /foo | /foo | / | / + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. + + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified + when type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? + has(self.replaceFullPath) : true' + - message: type must be 'ReplaceFullPath' when + replaceFullPath is set + rule: 'has(self.replaceFullPath) ? self.type + == ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified + when type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' + ? has(self.replacePrefixMatch) : true' + - message: type must be 'ReplacePrefixMatch' + when replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? self.type + == ''ReplacePrefixMatch'' : true' + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: filter.requestHeaderModifier must be nil + if the filter.type is not RequestHeaderModifier + rule: '!(has(self.requestHeaderModifier) && self.type + != ''RequestHeaderModifier'')' + - message: filter.requestHeaderModifier must be specified + for RequestHeaderModifier filter.type + rule: '!(!has(self.requestHeaderModifier) && self.type + == ''RequestHeaderModifier'')' + - message: filter.responseHeaderModifier must be nil + if the filter.type is not ResponseHeaderModifier + rule: '!(has(self.responseHeaderModifier) && self.type + != ''ResponseHeaderModifier'')' + - message: filter.responseHeaderModifier must be specified + for ResponseHeaderModifier filter.type + rule: '!(!has(self.responseHeaderModifier) && self.type + == ''ResponseHeaderModifier'')' + - message: filter.requestMirror must be nil if the filter.type + is not RequestMirror + rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' + - message: filter.requestMirror must be specified for + RequestMirror filter.type + rule: '!(!has(self.requestMirror) && self.type == + ''RequestMirror'')' + - message: filter.requestRedirect must be nil if the + filter.type is not RequestRedirect + rule: '!(has(self.requestRedirect) && self.type != + ''RequestRedirect'')' + - message: filter.requestRedirect must be specified + for RequestRedirect filter.type + rule: '!(!has(self.requestRedirect) && self.type == + ''RequestRedirect'')' + - message: filter.urlRewrite must be nil if the filter.type + is not URLRewrite + rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')' + - message: filter.urlRewrite must be specified for URLRewrite + filter.type + rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')' + - message: filter.extensionRef must be nil if the filter.type + is not ExtensionRef + rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' + - message: filter.extensionRef must be specified for + ExtensionRef filter.type + rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' + maxItems: 16 + type: array + x-kubernetes-validations: + - message: May specify either httpRouteFilterRequestRedirect + or httpRouteFilterRequestRewrite, but not both + rule: '!(self.exists(f, f.type == ''RequestRedirect'') + && self.exists(f, f.type == ''URLRewrite''))' + - message: May specify either httpRouteFilterRequestRedirect + or httpRouteFilterRequestRewrite, but not both + rule: '!(self.exists(f, f.type == ''RequestRedirect'') + && self.exists(f, f.type == ''URLRewrite''))' + - message: RequestHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'RequestHeaderModifier').size() + <= 1 + - message: ResponseHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() + <= 1 + - message: RequestRedirect filter cannot be repeated + rule: self.filter(f, f.type == 'RequestRedirect').size() + <= 1 + - message: URLRewrite filter cannot be repeated + rule: self.filter(f, f.type == 'URLRewrite').size() + <= 1 + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + + Support: Core (Services with a type other than ExternalName) + + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: |- + Weight specifies the proportion of requests forwarded to the referenced + backend. This is computed as weight/(sum of all weights in this + BackendRefs list). For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision an + implementation supports. Weight is not a percentage and the sum of + weights does not need to equal 100. + + + If only one backend is specified and it has a weight greater than 0, 100% + of the traffic is forwarded to that backend. If weight is set to 0, no + traffic should be forwarded for this entry. If unspecified, weight + defaults to 1. + + + Support for this field varies based on the context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + maxItems: 16 + type: array + filters: + description: |- + Filters define the filters that are applied to requests that match + this rule. + + + Wherever possible, implementations SHOULD implement filters in the order + they are specified. + + + Implementations MAY choose to implement this ordering strictly, rejecting + any combination or order of filters that can not be supported. If implementations + choose a strict interpretation of filter ordering, they MUST clearly document + that behavior. + + + To reject an invalid combination or order of filters, implementations SHOULD + consider the Route Rules with this configuration invalid. If all Route Rules + in a Route are invalid, the entire Route would be considered invalid. If only + a portion of Route Rules are invalid, implementations MUST set the + "PartiallyInvalid" condition for the Route. + + + Conformance-levels at this level are defined based on the type of filter: + + + - ALL core filters MUST be supported by all implementations. + - Implementers are encouraged to support extended filters. + - Implementation-specific custom filters have no API guarantees across + implementations. + + + Specifying the same filter multiple times is not supported unless explicitly + indicated in the filter. + + + All filters are expected to be compatible with each other except for the + URLRewrite and RequestRedirect filters, which may not be combined. If an + implementation can not support other combinations of filters, they must clearly + document that limitation. In cases where incompatible or unsupported + filters are specified and cause the `Accepted` condition to be set to status + `False`, implementations may use the `IncompatibleFilters` reason to specify + this configuration error. + + + Support: Core + items: + description: |- + HTTPRouteFilter defines processing steps that must be completed during the + request or response lifecycle. HTTPRouteFilters are meant as an extension + point to express processing that may be done in Gateway implementations. Some + examples include request or response modification, implementing + authentication strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: |- + ExtensionRef is an optional, implementation-specific extension to the + "filter" behavior. For example, resource "myroutefilter" in group + "networking.example.net"). ExtensionRef MUST NOT be used for core and + extended filters. + + + This filter can be used multiple times within the same rule. + + + Support: Implementation-specific + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: |- + RequestHeaderModifier defines a schema for a filter that modifies request + headers. + + + Support: Core + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + add: + - name: "my-header" + value: "bar,baz" + + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + + Config: + remove: ["my-header1", "my-header3"] + + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + set: + - name: "my-header" + value: "bar" + + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: |- + RequestMirror defines a schema for a filter that mirrors requests. + Requests are sent to the specified destination, but responses from + that destination are ignored. + + + This filter can be used multiple times within the same rule. Note that + not all implementations will be able to support mirroring to multiple + backends. + + + Support: Extended + properties: + backendRef: + description: |- + BackendRef references a resource where mirrored requests are sent. + + + Mirrored requests must be sent only to a single destination endpoint + within this BackendRef, irrespective of how many endpoints are present + within this BackendRef. + + + If the referent cannot be found, this BackendRef is invalid and must be + dropped from the Gateway. The controller must ensure the "ResolvedRefs" + condition on the Route status is set to `status: False` and not configure + this backend in the underlying implementation. + + + If there is a cross-namespace reference to an *existing* object + that is not allowed by a ReferenceGrant, the controller must ensure the + "ResolvedRefs" condition on the Route is set to `status: False`, + with the "RefNotPermitted" reason and not configure this backend in the + underlying implementation. + + + In either error case, the Message of the `ResolvedRefs` Condition + should be used to provide more detail about the problem. + + + Support: Extended for Kubernetes Service + + + Support: Implementation-specific for any other resource + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + + Support: Core (Services with a type other than ExternalName) + + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + required: + - backendRef + type: object + requestRedirect: + description: |- + RequestRedirect defines a schema for a filter that responds to the + request with an HTTP redirection. + + + Support: Core + properties: + hostname: + description: |- + Hostname is the hostname to be used in the value of the `Location` + header in the response. + When empty, the hostname in the `Host` header of the request is used. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines parameters used to modify the path of the incoming request. + The modified path is then used to construct the `Location` header. When + empty, the request path is used as-is. + + + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". + + + Note that this matches the behavior of the PathPrefix match type. This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. + + + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. + Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. + + + Request Path | Prefix Match | Replace Prefix | Modified Path + -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | /xyz/bar + /foo/bar | /foo | /xyz/ | /xyz/bar + /foo/bar | /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | /xyz/bar + /foo | /foo | /xyz | /xyz + /foo/ | /foo | /xyz | /xyz/ + /foo/bar | /foo | | /bar + /foo/ | /foo | | / + /foo | /foo | | / + /foo/ | /foo | / | / + /foo | /foo | / | / + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. + + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified when + type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath) + : true' + - message: type must be 'ReplaceFullPath' when replaceFullPath + is set + rule: 'has(self.replaceFullPath) ? self.type == + ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified when + type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch) + : true' + - message: type must be 'ReplacePrefixMatch' when + replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? self.type + == ''ReplacePrefixMatch'' : true' + port: + description: |- + Port is the port to be used in the value of the `Location` + header in the response. + + + If no port is specified, the redirect port MUST be derived using the + following rules: + + + * If redirect scheme is not-empty, the redirect port MUST be the well-known + port associated with the redirect scheme. Specifically "http" to port 80 + and "https" to port 443. If the redirect scheme does not have a + well-known port, the listener port of the Gateway SHOULD be used. + * If redirect scheme is empty, the redirect port MUST be the Gateway + Listener port. + + + Implementations SHOULD NOT add the port number in the 'Location' + header in the following cases: + + + * A Location header that will use HTTP (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 80. + * A Location header that will use HTTPS (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 443. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: |- + Scheme is the scheme to be used in the value of the `Location` header in + the response. When empty, the scheme of the request is used. + + + Scheme redirects can affect the port of the redirect, for more information, + refer to the documentation for the port field of this filter. + + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + + + Support: Extended + enum: + - http + - https + type: string + statusCode: + default: 302 + description: |- + StatusCode is the HTTP status code to be used in response. + + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + + + Support: Core + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies response + headers. + + + Support: Extended + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + add: + - name: "my-header" + value: "bar,baz" + + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + + Config: + remove: ["my-header1", "my-header3"] + + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + + Input: + GET /foo HTTP/1.1 + my-header: foo + + + Config: + set: + - name: "my-header" + value: "bar" + + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: |- + Type identifies the type of filter to apply. As with other API fields, + types are classified into three conformance levels: + + + - Core: Filter types and their corresponding configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". All + implementations must support core filters. + + + - Extended: Filter types and their corresponding configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. + + + - Implementation-specific: Filters that are defined and supported by + specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` should be set to + "ExtensionRef" for custom filters. + + + Implementers are encouraged to define custom implementation types to + extend the core API with implementation-specific behavior. + + + If a reference to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have been processed by + that filter MUST receive a HTTP error response. + + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: |- + URLRewrite defines a schema for a filter that modifies a request during forwarding. + + + Support: Extended + properties: + hostname: + description: |- + Hostname is the value to be used to replace the Host header value during + forwarding. + + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines a path rewrite. + + + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". + + + Note that this matches the behavior of the PathPrefix match type. This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. + + + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. + Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. + + + Request Path | Prefix Match | Replace Prefix | Modified Path + -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | /xyz/bar + /foo/bar | /foo | /xyz/ | /xyz/bar + /foo/bar | /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | /xyz/bar + /foo | /foo | /xyz | /xyz + /foo/ | /foo | /xyz | /xyz/ + /foo/bar | /foo | | /bar + /foo/ | /foo | | / + /foo | /foo | | / + /foo/ | /foo | / | / + /foo | /foo | / | / + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. + + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified when + type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath) + : true' + - message: type must be 'ReplaceFullPath' when replaceFullPath + is set + rule: 'has(self.replaceFullPath) ? self.type == + ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified when + type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch) + : true' + - message: type must be 'ReplacePrefixMatch' when + replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? self.type + == ''ReplacePrefixMatch'' : true' + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: filter.requestHeaderModifier must be nil if the + filter.type is not RequestHeaderModifier + rule: '!(has(self.requestHeaderModifier) && self.type != + ''RequestHeaderModifier'')' + - message: filter.requestHeaderModifier must be specified + for RequestHeaderModifier filter.type + rule: '!(!has(self.requestHeaderModifier) && self.type == + ''RequestHeaderModifier'')' + - message: filter.responseHeaderModifier must be nil if the + filter.type is not ResponseHeaderModifier + rule: '!(has(self.responseHeaderModifier) && self.type != + ''ResponseHeaderModifier'')' + - message: filter.responseHeaderModifier must be specified + for ResponseHeaderModifier filter.type + rule: '!(!has(self.responseHeaderModifier) && self.type + == ''ResponseHeaderModifier'')' + - message: filter.requestMirror must be nil if the filter.type + is not RequestMirror + rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' + - message: filter.requestMirror must be specified for RequestMirror + filter.type + rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')' + - message: filter.requestRedirect must be nil if the filter.type + is not RequestRedirect + rule: '!(has(self.requestRedirect) && self.type != ''RequestRedirect'')' + - message: filter.requestRedirect must be specified for RequestRedirect + filter.type + rule: '!(!has(self.requestRedirect) && self.type == ''RequestRedirect'')' + - message: filter.urlRewrite must be nil if the filter.type + is not URLRewrite + rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')' + - message: filter.urlRewrite must be specified for URLRewrite + filter.type + rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')' + - message: filter.extensionRef must be nil if the filter.type + is not ExtensionRef + rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' + - message: filter.extensionRef must be specified for ExtensionRef + filter.type + rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' + maxItems: 16 + type: array + x-kubernetes-validations: + - message: May specify either httpRouteFilterRequestRedirect + or httpRouteFilterRequestRewrite, but not both + rule: '!(self.exists(f, f.type == ''RequestRedirect'') && + self.exists(f, f.type == ''URLRewrite''))' + - message: RequestHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'RequestHeaderModifier').size() + <= 1 + - message: ResponseHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() + <= 1 + - message: RequestRedirect filter cannot be repeated + rule: self.filter(f, f.type == 'RequestRedirect').size() <= + 1 + - message: URLRewrite filter cannot be repeated + rule: self.filter(f, f.type == 'URLRewrite').size() <= 1 + matches: + default: + - path: + type: PathPrefix + value: / + description: |- + Matches define conditions used for matching the rule against incoming + HTTP requests. Each match is independent, i.e. this rule will be matched + if **any** one of the matches is satisfied. + + + For example, take the following matches configuration: + + + ``` + matches: + - path: + value: "/foo" + headers: + - name: "version" + value: "v2" + - path: + value: "/v2/foo" + ``` + + + For a request to match against this rule, a request must satisfy + EITHER of the two conditions: + + + - path prefixed with `/foo` AND contains the header `version: v2` + - path prefix of `/v2/foo` + + + See the documentation for HTTPRouteMatch on how to specify multiple + match conditions that should be ANDed together. + + + If no matches are specified, the default is a prefix + path match on "/", which has the effect of matching every + HTTP request. + + + Proxy or Load Balancer routing configuration generated from HTTPRoutes + MUST prioritize matches based on the following criteria, continuing on + ties. Across all rules specified on applicable Routes, precedence must be + given to the match having: + + + * "Exact" path match. + * "Prefix" path match with largest number of characters. + * Method match. + * Largest number of header matches. + * Largest number of query param matches. + + + Note: The precedence of RegularExpression path matches are implementation-specific. + + + If ties still exist across multiple Routes, matching precedence MUST be + determined in order of the following criteria, continuing on ties: + + + * The oldest Route based on creation timestamp. + * The Route appearing first in alphabetical order by + "{namespace}/{name}". + + + If ties still exist within an HTTPRoute, matching precedence MUST be granted + to the FIRST matching rule (in list order) with a match meeting the above + criteria. + + + When no rules matching a request have been successfully attached to the + parent a request is coming from, a HTTP 404 status code MUST be returned. + items: + description: "HTTPRouteMatch defines the predicate used to + match requests to a given\naction. Multiple match types + are ANDed together, i.e. the match will\nevaluate to true + only if all conditions are satisfied.\n\n\nFor example, + the match below will match a HTTP request only if its path\nstarts + with `/foo` AND it contains the `version: v1` header:\n\n\n```\nmatch:\n\n\n\tpath:\n\t + \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t + \ value \"v1\"\n\n\n```" + properties: + headers: + description: |- + Headers specifies HTTP request header matchers. Multiple match values are + ANDed together, meaning, a request must match all the specified headers + to select the route. + items: + description: |- + HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request + headers. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + + If multiple entries specify equivalent header names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + + + When a header is repeated in an HTTP request, it is + implementation-specific behavior as to how this is represented. + Generally, proxies should follow the guidance from the RFC: + https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding + processing a repeated header, with special handling for "Set-Cookie". + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: |- + Type specifies how to match against the value of the header. + + + Support: Core (Exact) + + + Support: Implementation-specific (RegularExpression) + + + Since RegularExpression HeaderMatchType has implementation-specific + conformance, implementations can support POSIX, PCRE or any other dialects + of regular expressions. Please read the implementation's documentation to + determine the supported dialect. + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to + be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: |- + Method specifies HTTP method matcher. + When specified, this route will be matched only if the request has the + specified method. + + + Support: Extended + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: |- + Path specifies a HTTP request path matcher. If this field is not + specified, a default prefix match on the "/" path is provided. + properties: + type: + default: PathPrefix + description: |- + Type specifies how to match against the path Value. + + + Support: Core (Exact, PathPrefix) + + + Support: Implementation-specific (RegularExpression) + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + x-kubernetes-validations: + - message: value must be an absolute path and start with + '/' when type one of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.startsWith(''/'') + : true' + - message: must not contain '//' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''//'') + : true' + - message: must not contain '/./' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/./'') + : true' + - message: must not contain '/../' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/../'') + : true' + - message: must not contain '%2f' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2f'') + : true' + - message: must not contain '%2F' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2F'') + : true' + - message: must not contain '#' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''#'') + : true' + - message: must not end with '/..' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/..'') + : true' + - message: must not end with '/.' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/.'') + : true' + - message: type must be one of ['Exact', 'PathPrefix', + 'RegularExpression'] + rule: self.type in ['Exact','PathPrefix'] || self.type + == 'RegularExpression' + - message: must only contain valid characters (matching + ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$) + for types ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") + : true' + queryParams: + description: |- + QueryParams specifies HTTP query parameter matchers. Multiple match + values are ANDed together, meaning, a request must match all the + specified query parameters to select the route. + + + Support: Extended + items: + description: |- + HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP + query parameters. + properties: + name: + description: |- + Name is the name of the HTTP query param to be matched. This must be an + exact string match. (See + https://tools.ietf.org/html/rfc7230#section-2.7.3). + + + If multiple entries specify equivalent query param names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent query param name MUST be ignored. + + + If a query param is repeated in an HTTP request, the behavior is + purposely left undefined, since different data planes have different + capabilities. However, it is *recommended* that implementations should + match against the first value of the param if the data plane supports it, + as this behavior is expected in other load balancing contexts outside of + the Gateway API. + + + Users SHOULD NOT route traffic based on repeated query params to guard + themselves against potential differences in the implementations. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: |- + Type specifies how to match against the value of the query parameter. + + + Support: Extended (Exact) + + + Support: Implementation-specific (RegularExpression) + + + Since RegularExpression QueryParamMatchType has Implementation-specific + conformance, implementations can support POSIX, PCRE or any other + dialects of regular expressions. Please read the implementation's + documentation to determine the supported dialect. + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param + to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + x-kubernetes-validations: + - message: RequestRedirect filter must not be used together with + backendRefs + rule: '(has(self.backendRefs) && size(self.backendRefs) > 0) ? + (!has(self.filters) || self.filters.all(f, !has(f.requestRedirect))): + true' + - message: When using RequestRedirect filter with path.replacePrefixMatch, + exactly one PathPrefix match must be specified + rule: '(has(self.filters) && self.filters.exists_one(f, has(f.requestRedirect) + && has(f.requestRedirect.path) && f.requestRedirect.path.type + == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch))) + ? ((size(self.matches) != 1 || !has(self.matches[0].path) || + self.matches[0].path.type != ''PathPrefix'') ? false : true) + : true' + - message: When using URLRewrite filter with path.replacePrefixMatch, + exactly one PathPrefix match must be specified + rule: '(has(self.filters) && self.filters.exists_one(f, has(f.urlRewrite) + && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch'' + && has(f.urlRewrite.path.replacePrefixMatch))) ? ((size(self.matches) + != 1 || !has(self.matches[0].path) || self.matches[0].path.type + != ''PathPrefix'') ? false : true) : true' + - message: Within backendRefs, when using RequestRedirect filter + with path.replacePrefixMatch, exactly one PathPrefix match must + be specified + rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b, + (has(b.filters) && b.filters.exists_one(f, has(f.requestRedirect) + && has(f.requestRedirect.path) && f.requestRedirect.path.type + == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch))) + )) ? ((size(self.matches) != 1 || !has(self.matches[0].path) + || self.matches[0].path.type != ''PathPrefix'') ? false : true) + : true' + - message: Within backendRefs, When using URLRewrite filter with + path.replacePrefixMatch, exactly one PathPrefix match must be + specified + rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b, + (has(b.filters) && b.filters.exists_one(f, has(f.urlRewrite) + && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch'' + && has(f.urlRewrite.path.replacePrefixMatch))) )) ? ((size(self.matches) + != 1 || !has(self.matches[0].path) || self.matches[0].path.type + != ''PathPrefix'') ? false : true) : true' + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: |- + Parents is a list of parent resources (usually Gateways) that are + associated with the route, and the status of the route with respect to + each parent. When this route attaches to a parent, the controller that + manages the parent must add an entry to this list when the controller + first sees the route and should update the entry as appropriate when the + route or gateway is modified. + + + Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this API + can only populate Route status for the Gateways/parent resources they are + responsible for. + + + A maximum of 32 Gateways will be represented in this list. An empty list + means the route has not been attached to any Gateway. + items: + description: |- + RouteParentStatus describes the status of a route with respect to an + associated Parent. + properties: + conditions: + description: |- + Conditions describes the status of the route with respect to the Gateway. + Note that the route's availability is also subject to the Gateway's own + status conditions and listener status. + + + If the Route's ParentRef specifies an existing Gateway that supports + Routes of this kind AND that Gateway's controller has sufficient access, + then that Gateway's controller MUST set the "Accepted" condition on the + Route, to indicate whether the route has been accepted or rejected by the + Gateway, and why. + + + A Route MUST be considered "Accepted" if at least one of the Route's + rules is implemented by the Gateway. + + + There are a number of cases where the "Accepted" condition may not be set + due to lack of controller visibility, that includes when: + + + * The Route refers to a non-existent parent. + * The Route is of a type that the controller does not support. + * The Route is in a namespace the controller does not have access to. + items: + description: "Condition contains details for one aspect of + the current state of this API Resource.\n---\nThis struct + is intended for direct use as an array at the field path + .status.conditions. For example,\n\n\n\ttype FooStatus + struct{\n\t // Represents the observations of a foo's + current state.\n\t // Known .status.conditions.type are: + \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // + +listType=map\n\t // +listMapKey=type\n\t Conditions + []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" + patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. + + + Example: "example.net/gateway-controller". + + + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: |- + ParentRef corresponds with a ParentRef in the spec that this + RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# +# config/crd/standard/gateway.networking.k8s.io_referencegrants.yaml +# +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997 + gateway.networking.k8s.io/bundle-version: v1.1.0 + gateway.networking.k8s.io/channel: standard + creationTimestamp: null + name: referencegrants.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: ReferenceGrant + listKind: ReferenceGrantList + plural: referencegrants + shortNames: + - refgrant + singular: referencegrant + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: The v1alpha2 version of ReferenceGrant has been deprecated + and will be removed in a future release of the API. Please upgrade to v1beta1. + name: v1alpha2 + schema: + openAPIV3Schema: + description: |- + ReferenceGrant identifies kinds of resources in other namespaces that are + trusted to reference the specified kinds of resources in the same namespace + as the policy. + + + Each ReferenceGrant can be used to represent a unique trust relationship. + Additional Reference Grants can be used to add to the set of trusted + sources of inbound references for the namespace they are defined within. + + + A ReferenceGrant is required for all cross-namespace references in Gateway API + (with the exception of cross-namespace Route-Gateway attachment, which is + governed by the AllowedRoutes configuration on the Gateway, and cross-namespace + Service ParentRefs on a "consumer" mesh Route, which defines routing rules + applicable only to workloads in the Route namespace). ReferenceGrants allowing + a reference from a Route to a Service are only applicable to BackendRefs. + + + ReferenceGrant is a form of runtime verification allowing users to assert + which cross-namespace object references are permitted. Implementations that + support ReferenceGrant MUST NOT permit cross-namespace references which have + no grant, and MUST respond to the removal of a grant by revoking the access + that the grant allowed. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferenceGrant. + properties: + from: + description: |- + From describes the trusted namespaces and kinds that can reference the + resources described in "To". Each entry in this list MUST be considered + to be an additional place that references can be valid from, or to put + this another way, entries MUST be combined using OR. + + + Support: Core + items: + description: ReferenceGrantFrom describes trusted namespaces and + kinds. + properties: + group: + description: |- + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. + + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: |- + Kind is the kind of the referent. Although implementations may support + additional resources, the following types are part of the "Core" + support level for this field. + + + When used to permit a SecretObjectReference: + + + * Gateway + + + When used to permit a BackendObjectReference: + + + * GRPCRoute + * HTTPRoute + * TCPRoute + * TLSRoute + * UDPRoute + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: |- + Namespace is the namespace of the referent. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + to: + description: |- + To describes the resources that may be referenced by the resources + described in "From". Each entry in this list MUST be considered to be an + additional place that references can be valid to, or to put this another + way, entries MUST be combined using OR. + + + Support: Core + items: + description: |- + ReferenceGrantTo describes what Kinds are allowed as targets of the + references. + properties: + group: + description: |- + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. + + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: |- + Kind is the kind of the referent. Although implementations may support + additional resources, the following types are part of the "Core" + support level for this field: + + + * Secret when used to permit a SecretObjectReference + * Service when used to permit a BackendObjectReference + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. When unspecified, this policy + refers to all resources of the specified Group and Kind in the local + namespace. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - from + - to + type: object + type: object + served: false + storage: false + subresources: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: |- + ReferenceGrant identifies kinds of resources in other namespaces that are + trusted to reference the specified kinds of resources in the same namespace + as the policy. + + + Each ReferenceGrant can be used to represent a unique trust relationship. + Additional Reference Grants can be used to add to the set of trusted + sources of inbound references for the namespace they are defined within. + + + All cross-namespace references in Gateway API (with the exception of cross-namespace + Gateway-route attachment) require a ReferenceGrant. + + + ReferenceGrant is a form of runtime verification allowing users to assert + which cross-namespace object references are permitted. Implementations that + support ReferenceGrant MUST NOT permit cross-namespace references which have + no grant, and MUST respond to the removal of a grant by revoking the access + that the grant allowed. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferenceGrant. + properties: + from: + description: |- + From describes the trusted namespaces and kinds that can reference the + resources described in "To". Each entry in this list MUST be considered + to be an additional place that references can be valid from, or to put + this another way, entries MUST be combined using OR. + + + Support: Core + items: + description: ReferenceGrantFrom describes trusted namespaces and + kinds. + properties: + group: + description: |- + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. + + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: |- + Kind is the kind of the referent. Although implementations may support + additional resources, the following types are part of the "Core" + support level for this field. + + + When used to permit a SecretObjectReference: + + + * Gateway + + + When used to permit a BackendObjectReference: + + + * GRPCRoute + * HTTPRoute + * TCPRoute + * TLSRoute + * UDPRoute + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: |- + Namespace is the namespace of the referent. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + to: + description: |- + To describes the resources that may be referenced by the resources + described in "From". Each entry in this list MUST be considered to be an + additional place that references can be valid to, or to put this another + way, entries MUST be combined using OR. + + + Support: Core + items: + description: |- + ReferenceGrantTo describes what Kinds are allowed as targets of the + references. + properties: + group: + description: |- + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. + + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: |- + Kind is the kind of the referent. Although implementations may support + additional resources, the following types are part of the "Core" + support level for this field: + + + * Secret when used to permit a SecretObjectReference + * Service when used to permit a BackendObjectReference + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. When unspecified, this policy + refers to all resources of the specified Group and Kind in the local + namespace. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - from + - to + type: object + type: object + served: true + storage: true + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/charts/traefik/traefik/32.0.0/crds/hub.traefik.io_accesscontrolpolicies.yaml b/charts/traefik/traefik/32.0.0/crds/hub.traefik.io_accesscontrolpolicies.yaml new file mode 100644 index 000000000..821f969b6 --- /dev/null +++ b/charts/traefik/traefik/32.0.0/crds/hub.traefik.io_accesscontrolpolicies.yaml @@ -0,0 +1,368 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: accesscontrolpolicies.hub.traefik.io +spec: + group: hub.traefik.io + names: + kind: AccessControlPolicy + listKind: AccessControlPolicyList + plural: accesscontrolpolicies + singular: accesscontrolpolicy + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: AccessControlPolicy defines an access control policy. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: AccessControlPolicySpec configures an access control policy. + properties: + apiKey: + description: AccessControlPolicyAPIKey configure an APIKey control + policy. + properties: + forwardHeaders: + additionalProperties: + type: string + description: ForwardHeaders instructs the middleware to forward + key metadata as header values upon successful authentication. + type: object + keySource: + description: KeySource defines how to extract API keys from requests. + properties: + cookie: + description: Cookie is the name of a cookie. + type: string + header: + description: Header is the name of a header. + type: string + headerAuthScheme: + description: |- + HeaderAuthScheme sets an optional auth scheme when Header is set to "Authorization". + If set, this scheme is removed from the token, and all requests not including it are dropped. + type: string + query: + description: Query is the name of a query parameter. + type: string + type: object + keys: + description: Keys define the set of authorized keys to access + a protected resource. + items: + description: AccessControlPolicyAPIKeyKey defines an API key. + properties: + id: + description: ID is the unique identifier of the key. + type: string + metadata: + additionalProperties: + type: string + description: Metadata holds arbitrary metadata for this + key, can be used by ForwardHeaders. + type: object + value: + description: Value is the SHAKE-256 hash (using 64 bytes) + of the API key. + type: string + required: + - id + - value + type: object + type: array + required: + - keySource + type: object + basicAuth: + description: AccessControlPolicyBasicAuth holds the HTTP basic authentication + configuration. + properties: + forwardUsernameHeader: + type: string + realm: + type: string + stripAuthorizationHeader: + type: boolean + users: + items: + type: string + type: array + type: object + jwt: + description: AccessControlPolicyJWT configures a JWT access control + policy. + properties: + claims: + type: string + forwardHeaders: + additionalProperties: + type: string + type: object + jwksFile: + type: string + jwksUrl: + type: string + publicKey: + type: string + signingSecret: + type: string + signingSecretBase64Encoded: + type: boolean + stripAuthorizationHeader: + type: boolean + tokenQueryKey: + type: string + type: object + oAuthIntro: + description: AccessControlOAuthIntro configures an OAuth 2.0 Token + Introspection access control policy. + properties: + claims: + type: string + clientConfig: + description: AccessControlOAuthIntroClientConfig configures the + OAuth 2.0 client for issuing token introspection requests. + properties: + headers: + additionalProperties: + type: string + description: Headers to set when sending requests to the Authorization + Server. + type: object + maxRetries: + default: 3 + description: MaxRetries defines the number of retries for + introspection requests. + type: integer + timeoutSeconds: + default: 5 + description: TimeoutSeconds configures the maximum amount + of seconds to wait before giving up on requests. + type: integer + tls: + description: TLS configures TLS communication with the Authorization + Server. + properties: + ca: + description: CA sets the CA bundle used to sign the Authorization + Server certificate. + type: string + insecureSkipVerify: + description: |- + InsecureSkipVerify skips the Authorization Server certificate validation. + For testing purposes only, do not use in production. + type: boolean + type: object + tokenTypeHint: + description: |- + TokenTypeHint is a hint to pass to the Authorization Server. + See https://tools.ietf.org/html/rfc7662#section-2.1 for more information. + type: string + url: + description: URL of the Authorization Server. + type: string + required: + - url + type: object + forwardHeaders: + additionalProperties: + type: string + type: object + tokenSource: + description: |- + TokenSource describes how to extract tokens from HTTP requests. + If multiple sources are set, the order is the following: header > query > cookie. + properties: + cookie: + description: Cookie is the name of a cookie. + type: string + header: + description: Header is the name of a header. + type: string + headerAuthScheme: + description: |- + HeaderAuthScheme sets an optional auth scheme when Header is set to "Authorization". + If set, this scheme is removed from the token, and all requests not including it are dropped. + type: string + query: + description: Query is the name of a query parameter. + type: string + type: object + required: + - clientConfig + - tokenSource + type: object + oidc: + description: AccessControlPolicyOIDC holds the OIDC authentication + configuration. + properties: + authParams: + additionalProperties: + type: string + type: object + claims: + type: string + clientId: + type: string + disableAuthRedirectionPaths: + items: + type: string + type: array + forwardHeaders: + additionalProperties: + type: string + type: object + issuer: + type: string + logoutUrl: + type: string + redirectUrl: + type: string + scopes: + items: + type: string + type: array + secret: + description: |- + SecretReference represents a Secret Reference. It has enough information to retrieve secret + in any namespace + properties: + name: + description: name is unique within a namespace to reference + a secret resource. + type: string + namespace: + description: namespace defines the space within which the + secret name must be unique. + type: string + type: object + x-kubernetes-map-type: atomic + session: + description: Session holds session configuration. + properties: + domain: + type: string + path: + type: string + refresh: + type: boolean + sameSite: + type: string + secure: + type: boolean + type: object + stateCookie: + description: StateCookie holds state cookie configuration. + properties: + domain: + type: string + path: + type: string + sameSite: + type: string + secure: + type: boolean + type: object + type: object + oidcGoogle: + description: AccessControlPolicyOIDCGoogle holds the Google OIDC authentication + configuration. + properties: + authParams: + additionalProperties: + type: string + type: object + clientId: + type: string + emails: + description: Emails are the allowed emails to connect. + items: + type: string + minItems: 1 + type: array + forwardHeaders: + additionalProperties: + type: string + type: object + logoutUrl: + type: string + redirectUrl: + type: string + secret: + description: |- + SecretReference represents a Secret Reference. It has enough information to retrieve secret + in any namespace + properties: + name: + description: name is unique within a namespace to reference + a secret resource. + type: string + namespace: + description: namespace defines the space within which the + secret name must be unique. + type: string + type: object + x-kubernetes-map-type: atomic + session: + description: Session holds session configuration. + properties: + domain: + type: string + path: + type: string + refresh: + type: boolean + sameSite: + type: string + secure: + type: boolean + type: object + stateCookie: + description: StateCookie holds state cookie configuration. + properties: + domain: + type: string + path: + type: string + sameSite: + type: string + secure: + type: boolean + type: object + type: object + type: object + status: + description: The current status of this access control policy. + properties: + specHash: + type: string + syncedAt: + format: date-time + type: string + version: + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/traefik/traefik/32.0.0/crds/hub.traefik.io_apiaccesses.yaml b/charts/traefik/traefik/32.0.0/crds/hub.traefik.io_apiaccesses.yaml new file mode 100644 index 000000000..ee8ecaf4e --- /dev/null +++ b/charts/traefik/traefik/32.0.0/crds/hub.traefik.io_apiaccesses.yaml @@ -0,0 +1,188 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: apiaccesses.hub.traefik.io +spec: + group: hub.traefik.io + names: + kind: APIAccess + listKind: APIAccessList + plural: apiaccesses + singular: apiaccess + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: APIAccess defines who can access to a set of APIs. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: The desired behavior of this APIAccess. + properties: + apiBundles: + description: |- + APIBundles defines a set of APIBundle that will be accessible to the configured audience. + Multiple APIAccesses can select the same APIBundles. + items: + description: APIBundleReference references an APIBundle. + properties: + name: + description: Name of the APIBundle. + maxLength: 253 + type: string + required: + - name + type: object + maxItems: 100 + type: array + x-kubernetes-validations: + - message: duplicated apiBundles + rule: self.all(x, self.exists_one(y, x.name == y.name)) + apiPlan: + description: APIPlan defines which APIPlan will be used. + properties: + name: + description: Name of the APIPlan. + maxLength: 253 + type: string + required: + - name + type: object + apiSelector: + description: |- + APISelector selects the APIs that will be accessible to the configured audience. + Multiple APIAccesses can select the same set of APIs. + This field is optional and follows standard label selector semantics. + An empty APISelector matches any API. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + apis: + description: |- + APIs defines a set of APIs that will be accessible to the configured audience. + Multiple APIAccesses can select the same APIs. + When combined with APISelector, this set of APIs is appended to the matching APIs. + items: + description: APIReference references an API. + properties: + name: + description: Name of the API. + maxLength: 253 + type: string + required: + - name + type: object + maxItems: 100 + type: array + x-kubernetes-validations: + - message: duplicated apis + rule: self.all(x, self.exists_one(y, x.name == y.name)) + everyone: + description: Everyone indicates that all users will have access to + the selected APIs. + type: boolean + groups: + description: Groups are the consumer groups that will gain access + to the selected APIs. + items: + type: string + type: array + operationFilter: + description: |- + OperationFilter specifies the allowed operations on APIs and APIVersions. + If not set, all operations are available. + An empty OperationFilter prohibits all operations. + properties: + include: + description: Include defines the names of OperationSets that will + be accessible. + items: + type: string + maxItems: 100 + type: array + type: object + weight: + description: Weight specifies the evaluation order of the plan. + type: integer + x-kubernetes-validations: + - message: must be a positive number + rule: self >= 0 + type: object + x-kubernetes-validations: + - message: groups and everyone are mutually exclusive + rule: '(has(self.everyone) && has(self.groups)) ? !(self.everyone && + self.groups.size() > 0) : true' + status: + description: The current status of this APIAccess. + properties: + hash: + description: Hash is a hash representing the APIAccess. + type: string + syncedAt: + format: date-time + type: string + version: + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/traefik/traefik/32.0.0/crds/hub.traefik.io_apibundles.yaml b/charts/traefik/traefik/32.0.0/crds/hub.traefik.io_apibundles.yaml new file mode 100644 index 000000000..a45a0b137 --- /dev/null +++ b/charts/traefik/traefik/32.0.0/crds/hub.traefik.io_apibundles.yaml @@ -0,0 +1,125 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: apibundles.hub.traefik.io +spec: + group: hub.traefik.io + names: + kind: APIBundle + listKind: APIBundleList + plural: apibundles + singular: apibundle + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: APIBundle defines a set of APIs. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: The desired behavior of this APIBundle. + properties: + apiSelector: + description: |- + APISelector selects the APIs that will be accessible to the configured audience. + Multiple APIBundles can select the same set of APIs. + This field is optional and follows standard label selector semantics. + An empty APISelector matches any API. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + apis: + description: |- + APIs defines a set of APIs that will be accessible to the configured audience. + Multiple APIBundles can select the same APIs. + When combined with APISelector, this set of APIs is appended to the matching APIs. + items: + description: APIReference references an API. + properties: + name: + description: Name of the API. + maxLength: 253 + type: string + required: + - name + type: object + maxItems: 100 + type: array + x-kubernetes-validations: + - message: duplicated apis + rule: self.all(x, self.exists_one(y, x.name == y.name)) + type: object + status: + description: The current status of this APIBundle. + properties: + hash: + description: Hash is a hash representing the APIBundle. + type: string + syncedAt: + format: date-time + type: string + version: + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/traefik/traefik/32.0.0/crds/hub.traefik.io_apiplans.yaml b/charts/traefik/traefik/32.0.0/crds/hub.traefik.io_apiplans.yaml new file mode 100644 index 000000000..92e1b9b5c --- /dev/null +++ b/charts/traefik/traefik/32.0.0/crds/hub.traefik.io_apiplans.yaml @@ -0,0 +1,103 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: apiplans.hub.traefik.io +spec: + group: hub.traefik.io + names: + kind: APIPlan + listKind: APIPlanList + plural: apiplans + singular: apiplan + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: APIPlan defines API Plan policy. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: The desired behavior of this APIPlan. + properties: + description: + description: Description describes the plan. + type: string + quota: + description: Quota defines the quota policy. + properties: + limit: + description: Limit is the maximum number of token in the bucket. + type: integer + x-kubernetes-validations: + - message: must be a positive number + rule: self >= 0 + period: + description: Period is the unit of time for the Limit. + format: duration + type: string + x-kubernetes-validations: + - message: must be between 1s and 9999h + rule: self >= duration('1s') && self <= duration('9999h') + required: + - limit + type: object + rateLimit: + description: RateLimit defines the rate limit policy. + properties: + limit: + description: Limit is the maximum number of token in the bucket. + type: integer + x-kubernetes-validations: + - message: must be a positive number + rule: self >= 0 + period: + description: Period is the unit of time for the Limit. + format: duration + type: string + x-kubernetes-validations: + - message: must be between 1s and 1h + rule: self >= duration('1s') && self <= duration('1h') + required: + - limit + type: object + title: + description: Title is the human-readable name of the plan. + type: string + required: + - title + type: object + status: + description: The current status of this APIPlan. + properties: + hash: + description: Hash is a hash representing the APIPlan. + type: string + syncedAt: + format: date-time + type: string + version: + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/traefik/traefik/32.0.0/crds/hub.traefik.io_apiportals.yaml b/charts/traefik/traefik/32.0.0/crds/hub.traefik.io_apiportals.yaml new file mode 100644 index 000000000..bc0417016 --- /dev/null +++ b/charts/traefik/traefik/32.0.0/crds/hub.traefik.io_apiportals.yaml @@ -0,0 +1,139 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: apiportals.hub.traefik.io +spec: + group: hub.traefik.io + names: + kind: APIPortal + listKind: APIPortalList + plural: apiportals + singular: apiportal + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: APIPortal defines a developer portal for accessing the documentation + of APIs. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: The desired behavior of this APIPortal. + properties: + description: + description: Description of the APIPortal. + type: string + title: + description: Title is the public facing name of the APIPortal. + type: string + trustedUrls: + description: TrustedURLs are the urls that are trusted by the OAuth + 2.0 authorization server. + items: + type: string + maxItems: 1 + minItems: 1 + type: array + x-kubernetes-validations: + - message: must be a valid URLs + rule: self.all(x, isURL(x)) + ui: + description: UI holds the UI customization options. + properties: + logoUrl: + description: LogoURL is the public URL of the logo. + type: string + type: object + required: + - trustedUrls + type: object + status: + description: The current status of this APIPortal. + properties: + hash: + description: Hash is a hash representing the APIPortal. + type: string + oidc: + description: OIDC is the OIDC configuration for accessing the exposed + APIPortal WebUI. + properties: + clientId: + description: ClientID is the OIDC ClientID for accessing the exposed + APIPortal WebUI. + type: string + companyClaim: + description: CompanyClaim is the name of the JWT claim containing + the user company. + type: string + emailClaim: + description: EmailClaim is the name of the JWT claim containing + the user email. + type: string + firstnameClaim: + description: FirstnameClaim is the name of the JWT claim containing + the user firstname. + type: string + generic: + description: Generic indicates whether or not the APIPortal authentication + relies on Generic OIDC. + type: boolean + groupsClaim: + description: GroupsClaim is the name of the JWT claim containing + the user groups. + type: string + issuer: + description: Issuer is the OIDC issuer for accessing the exposed + APIPortal WebUI. + type: string + lastnameClaim: + description: LastnameClaim is the name of the JWT claim containing + the user lastname. + type: string + scopes: + description: Scopes is the OIDC scopes for getting user attributes + during the authentication to the exposed APIPortal WebUI. + type: string + secretName: + description: SecretName is the name of the secret containing the + OIDC ClientSecret for accessing the exposed APIPortal WebUI. + type: string + syncedAttributes: + description: SyncedAttributes configure the user attributes to + sync. + items: + type: string + type: array + userIdClaim: + description: UserIDClaim is the name of the JWT claim containing + the user ID. + type: string + type: object + syncedAt: + format: date-time + type: string + version: + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/traefik/traefik/32.0.0/crds/hub.traefik.io_apiratelimits.yaml b/charts/traefik/traefik/32.0.0/crds/hub.traefik.io_apiratelimits.yaml new file mode 100644 index 000000000..8e328d3c5 --- /dev/null +++ b/charts/traefik/traefik/32.0.0/crds/hub.traefik.io_apiratelimits.yaml @@ -0,0 +1,166 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: apiratelimits.hub.traefik.io +spec: + group: hub.traefik.io + names: + kind: APIRateLimit + listKind: APIRateLimitList + plural: apiratelimits + singular: apiratelimit + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: APIRateLimit defines how group of consumers are rate limited + on a set of APIs. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: The desired behavior of this APIRateLimit. + properties: + apiSelector: + description: |- + APISelector selects the APIs that will be rate limited. + Multiple APIRateLimits can select the same set of APIs. + This field is optional and follows standard label selector semantics. + An empty APISelector matches any API. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + apis: + description: |- + APIs defines a set of APIs that will be rate limited. + Multiple APIRateLimits can select the same APIs. + When combined with APISelector, this set of APIs is appended to the matching APIs. + items: + description: APIReference references an API. + properties: + name: + description: Name of the API. + maxLength: 253 + type: string + required: + - name + type: object + maxItems: 100 + type: array + x-kubernetes-validations: + - message: duplicated apis + rule: self.all(x, self.exists_one(y, x.name == y.name)) + everyone: + description: |- + Everyone indicates that all users will, by default, be rate limited with this configuration. + If an APIRateLimit explicitly target a group, the default rate limit will be ignored. + type: boolean + groups: + description: |- + Groups are the consumer groups that will be rate limited. + Multiple APIRateLimits can target the same set of consumer groups, the most restrictive one applies. + When a consumer belongs to multiple groups, the least restrictive APIRateLimit applies. + items: + type: string + type: array + limit: + description: Limit is the maximum number of token in the bucket. + type: integer + x-kubernetes-validations: + - message: must be a positive number + rule: self >= 0 + period: + description: Period is the unit of time for the Limit. + format: duration + type: string + x-kubernetes-validations: + - message: must be between 1s and 1h + rule: self >= duration('1s') && self <= duration('1h') + strategy: + description: |- + Strategy defines how the bucket state will be synchronized between the different Traefik Hub instances. + It can be, either "local" or "distributed". + enum: + - local + - distributed + type: string + required: + - limit + type: object + x-kubernetes-validations: + - message: groups and everyone are mutually exclusive + rule: '(has(self.everyone) && has(self.groups)) ? !(self.everyone && + self.groups.size() > 0) : true' + status: + description: The current status of this APIRateLimit. + properties: + hash: + description: Hash is a hash representing the APIRateLimit. + type: string + syncedAt: + format: date-time + type: string + version: + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/traefik/traefik/32.0.0/crds/hub.traefik.io_apis.yaml b/charts/traefik/traefik/32.0.0/crds/hub.traefik.io_apis.yaml new file mode 100644 index 000000000..a7b9e5e60 --- /dev/null +++ b/charts/traefik/traefik/32.0.0/crds/hub.traefik.io_apis.yaml @@ -0,0 +1,190 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: apis.hub.traefik.io +spec: + group: hub.traefik.io + names: + kind: API + listKind: APIList + plural: apis + singular: api + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + API defines an HTTP interface that is exposed to external clients. It specifies the supported versions + and provides instructions for accessing its documentation. Once instantiated, an API object is associated + with an Ingress, IngressRoute, or HTTPRoute resource, enabling the exposure of the described API to the outside world. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: APISpec describes the API. + properties: + openApiSpec: + description: OpenAPISpec defines the API contract as an OpenAPI specification. + properties: + operationSets: + description: OperationSets defines the sets of operations to be + referenced for granular filtering in APIAccesses. + items: + description: |- + OperationSet gives a name to a set of matching OpenAPI operations. + This set of operations can then be referenced for granular filtering in APIAccesses. + properties: + matchers: + description: Matchers defines a list of alternative rules + for matching OpenAPI operations. + items: + description: OperationMatcher defines criteria for matching + an OpenAPI operation. + minProperties: 1 + properties: + methods: + description: Methods specifies the HTTP methods to + be included for selection. + items: + type: string + maxItems: 10 + type: array + path: + description: Path specifies the exact path of the + operations to select. + maxLength: 255 + type: string + x-kubernetes-validations: + - message: must start with a '/' + rule: self.startsWith('/') + - message: cannot contains '../' + rule: '!self.matches(r"""(\/\.\.\/)|(\/\.\.$)""")' + pathPrefix: + description: PathPrefix specifies the path prefix + of the operations to select. + maxLength: 255 + type: string + x-kubernetes-validations: + - message: must start with a '/' + rule: self.startsWith('/') + - message: cannot contains '../' + rule: '!self.matches(r"""(\/\.\.\/)|(\/\.\.$)""")' + pathRegex: + description: PathRegex specifies a regular expression + pattern for matching operations based on their paths. + type: string + type: object + x-kubernetes-validations: + - message: path, pathPrefix and pathRegex are mutually + exclusive + rule: '[has(self.path), has(self.pathPrefix), has(self.pathRegex)].filter(x, + x).size() <= 1' + maxItems: 100 + minItems: 1 + type: array + name: + description: Name is the name of the OperationSet to reference + in APIAccesses. + maxLength: 253 + type: string + required: + - matchers + - name + type: object + maxItems: 100 + type: array + override: + description: Override holds data used to override OpenAPI specification. + properties: + servers: + items: + properties: + url: + type: string + x-kubernetes-validations: + - message: must be a valid URL + rule: isURL(self) + required: + - url + type: object + maxItems: 100 + minItems: 1 + type: array + required: + - servers + type: object + path: + description: |- + Path specifies the endpoint path within the Kubernetes Service where the OpenAPI specification can be obtained. + The Service queried is determined by the associated Ingress, IngressRoute, or HTTPRoute resource to which the API is attached. + It's important to note that this option is incompatible if the Ingress or IngressRoute specifies multiple backend services. + The Path must be accessible via a GET request method and should serve a YAML or JSON document containing the OpenAPI specification. + maxLength: 255 + type: string + x-kubernetes-validations: + - message: must start with a '/' + rule: self.startsWith('/') + - message: cannot contains '../' + rule: '!self.matches(r"""(\/\.\.\/)|(\/\.\.$)""")' + url: + description: |- + URL is a Traefik Hub agent accessible URL for obtaining the OpenAPI specification. + The URL must be accessible via a GET request method and should serve a YAML or JSON document containing the OpenAPI specification. + type: string + x-kubernetes-validations: + - message: must be a valid URL + rule: isURL(self) + type: object + x-kubernetes-validations: + - message: path or url must be defined + rule: has(self.path) || has(self.url) + versions: + description: Versions are the different APIVersions available. + items: + description: APIVersionRef references an APIVersion. + properties: + name: + description: Name of the APIVersion. + maxLength: 253 + type: string + required: + - name + type: object + maxItems: 100 + minItems: 1 + type: array + type: object + status: + description: The current status of this API. + properties: + hash: + description: Hash is a hash representing the API. + type: string + syncedAt: + format: date-time + type: string + version: + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/traefik/traefik/32.0.0/crds/hub.traefik.io_apiversions.yaml b/charts/traefik/traefik/32.0.0/crds/hub.traefik.io_apiversions.yaml new file mode 100644 index 000000000..97184effe --- /dev/null +++ b/charts/traefik/traefik/32.0.0/crds/hub.traefik.io_apiversions.yaml @@ -0,0 +1,194 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: apiversions.hub.traefik.io +spec: + group: hub.traefik.io + names: + kind: APIVersion + listKind: APIVersionList + plural: apiversions + singular: apiversion + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.title + name: Title + type: string + - jsonPath: .spec.release + name: Release + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: APIVersion defines a version of an API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: The desired behavior of this APIVersion. + properties: + openApiSpec: + description: OpenAPISpec defines the API contract as an OpenAPI specification. + properties: + operationSets: + description: OperationSets defines the sets of operations to be + referenced for granular filtering in APIAccesses. + items: + description: |- + OperationSet gives a name to a set of matching OpenAPI operations. + This set of operations can then be referenced for granular filtering in APIAccesses. + properties: + matchers: + description: Matchers defines a list of alternative rules + for matching OpenAPI operations. + items: + description: OperationMatcher defines criteria for matching + an OpenAPI operation. + minProperties: 1 + properties: + methods: + description: Methods specifies the HTTP methods to + be included for selection. + items: + type: string + maxItems: 10 + type: array + path: + description: Path specifies the exact path of the + operations to select. + maxLength: 255 + type: string + x-kubernetes-validations: + - message: must start with a '/' + rule: self.startsWith('/') + - message: cannot contains '../' + rule: '!self.matches(r"""(\/\.\.\/)|(\/\.\.$)""")' + pathPrefix: + description: PathPrefix specifies the path prefix + of the operations to select. + maxLength: 255 + type: string + x-kubernetes-validations: + - message: must start with a '/' + rule: self.startsWith('/') + - message: cannot contains '../' + rule: '!self.matches(r"""(\/\.\.\/)|(\/\.\.$)""")' + pathRegex: + description: PathRegex specifies a regular expression + pattern for matching operations based on their paths. + type: string + type: object + x-kubernetes-validations: + - message: path, pathPrefix and pathRegex are mutually + exclusive + rule: '[has(self.path), has(self.pathPrefix), has(self.pathRegex)].filter(x, + x).size() <= 1' + maxItems: 100 + minItems: 1 + type: array + name: + description: Name is the name of the OperationSet to reference + in APIAccesses. + maxLength: 253 + type: string + required: + - matchers + - name + type: object + maxItems: 100 + type: array + override: + description: Override holds data used to override OpenAPI specification. + properties: + servers: + items: + properties: + url: + type: string + x-kubernetes-validations: + - message: must be a valid URL + rule: isURL(self) + required: + - url + type: object + maxItems: 100 + minItems: 1 + type: array + required: + - servers + type: object + path: + description: |- + Path specifies the endpoint path within the Kubernetes Service where the OpenAPI specification can be obtained. + The Service queried is determined by the associated Ingress, IngressRoute, or HTTPRoute resource to which the API is attached. + It's important to note that this option is incompatible if the Ingress or IngressRoute specifies multiple backend services. + The Path must be accessible via a GET request method and should serve a YAML or JSON document containing the OpenAPI specification. + maxLength: 255 + type: string + x-kubernetes-validations: + - message: must start with a '/' + rule: self.startsWith('/') + - message: cannot contains '../' + rule: '!self.matches(r"""(\/\.\.\/)|(\/\.\.$)""")' + url: + description: |- + URL is a Traefik Hub agent accessible URL for obtaining the OpenAPI specification. + The URL must be accessible via a GET request method and should serve a YAML or JSON document containing the OpenAPI specification. + type: string + x-kubernetes-validations: + - message: must be a valid URL + rule: isURL(self) + type: object + x-kubernetes-validations: + - message: path or url must be defined + rule: has(self.path) || has(self.url) + release: + description: |- + Release is the version number of the API. + This value must follow the SemVer format: https://semver.org/ + maxLength: 100 + type: string + x-kubernetes-validations: + - message: must be a valid semver version + rule: self.matches(r"""^v?(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$""") + title: + description: Title is the public facing name of the APIVersion. + type: string + required: + - release + type: object + status: + description: The current status of this APIVersion. + properties: + hash: + description: Hash is a hash representing the APIVersion. + type: string + syncedAt: + format: date-time + type: string + version: + type: string + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/charts/traefik/traefik/32.0.0/crds/traefik.io_ingressroutes.yaml b/charts/traefik/traefik/32.0.0/crds/traefik.io_ingressroutes.yaml new file mode 100644 index 000000000..6ce60d68e --- /dev/null +++ b/charts/traefik/traefik/32.0.0/crds/traefik.io_ingressroutes.yaml @@ -0,0 +1,366 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + name: ingressroutes.traefik.io +spec: + group: traefik.io + names: + kind: IngressRoute + listKind: IngressRouteList + plural: ingressroutes + singular: ingressroute + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: IngressRoute is the CRD implementation of a Traefik HTTP Router. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: IngressRouteSpec defines the desired state of IngressRoute. + properties: + entryPoints: + description: |- + EntryPoints defines the list of entry point names to bind to. + Entry points have to be configured in the static configuration. + More info: https://doc.traefik.io/traefik/v3.1/routing/entrypoints/ + Default: all. + items: + type: string + type: array + routes: + description: Routes defines the list of routes. + items: + description: Route holds the HTTP route configuration. + properties: + kind: + description: |- + Kind defines the kind of the route. + Rule is the only supported kind. + enum: + - Rule + type: string + match: + description: |- + Match defines the router's rule. + More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#rule + type: string + middlewares: + description: |- + Middlewares defines the list of references to Middleware resources. + More info: https://doc.traefik.io/traefik/v3.1/routing/providers/kubernetes-crd/#kind-middleware + items: + description: MiddlewareRef is a reference to a Middleware + resource. + properties: + name: + description: Name defines the name of the referenced Middleware + resource. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Middleware resource. + type: string + required: + - name + type: object + type: array + priority: + description: |- + Priority defines the router's priority. + More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#priority + type: integer + services: + description: |- + Services defines the list of Service. + It can contain any combination of TraefikService and/or reference to a Kubernetes Service. + items: + description: Service defines an upstream HTTP service to proxy + traffic to. + properties: + healthCheck: + description: Healthcheck defines health checks for ExternalName + services. + properties: + followRedirects: + description: |- + FollowRedirects defines whether redirects should be followed during the health check calls. + Default: true + type: boolean + headers: + additionalProperties: + type: string + description: Headers defines custom headers to be + sent to the health check endpoint. + type: object + hostname: + description: Hostname defines the value of hostname + in the Host header of the health check request. + type: string + interval: + anyOf: + - type: integer + - type: string + description: |- + Interval defines the frequency of the health check calls. + Default: 30s + x-kubernetes-int-or-string: true + method: + description: Method defines the healthcheck method. + type: string + mode: + description: |- + Mode defines the health check mode. + If defined to grpc, will use the gRPC health check protocol to probe the server. + Default: http + type: string + path: + description: Path defines the server URL path for + the health check endpoint. + type: string + port: + description: Port defines the server URL port for + the health check endpoint. + type: integer + scheme: + description: Scheme replaces the server URL scheme + for the health check endpoint. + type: string + status: + description: Status defines the expected HTTP status + code of the response to the health check request. + type: integer + timeout: + anyOf: + - type: integer + - type: string + description: |- + Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy. + Default: 5s + x-kubernetes-int-or-string: true + type: object + kind: + description: Kind defines the kind of the Service. + enum: + - Service + - TraefikService + type: string + name: + description: |- + Name defines the name of the referenced Kubernetes Service or TraefikService. + The differentiation between the two is specified in the Kind field. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Kubernetes Service or TraefikService. + type: string + nativeLB: + description: |- + NativeLB controls, when creating the load-balancer, + whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP. + The Kubernetes Service itself does load-balance to the pods. + By default, NativeLB is false. + type: boolean + nodePortLB: + description: |- + NodePortLB controls, when creating the load-balancer, + whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort. + It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes. + By default, NodePortLB is false. + type: boolean + passHostHeader: + description: |- + PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service. + By default, passHostHeader is true. + type: boolean + port: + anyOf: + - type: integer + - type: string + description: |- + Port defines the port of a Kubernetes Service. + This can be a reference to a named port. + x-kubernetes-int-or-string: true + responseForwarding: + description: ResponseForwarding defines how Traefik forwards + the response from the upstream Kubernetes Service to + the client. + properties: + flushInterval: + description: |- + FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body. + A negative value means to flush immediately after each write to the client. + This configuration is ignored when ReverseProxy recognizes a response as a streaming response; + for such responses, writes are flushed to the client immediately. + Default: 100ms + type: string + type: object + scheme: + description: |- + Scheme defines the scheme to use for the request to the upstream Kubernetes Service. + It defaults to https when Kubernetes Service port is 443, http otherwise. + type: string + serversTransport: + description: |- + ServersTransport defines the name of ServersTransport resource to use. + It allows to configure the transport between Traefik and your servers. + Can only be used on a Kubernetes Service. + type: string + sticky: + description: |- + Sticky defines the sticky sessions configuration. + More info: https://doc.traefik.io/traefik/v3.1/routing/services/#sticky-sessions + properties: + cookie: + description: Cookie defines the sticky cookie configuration. + properties: + httpOnly: + description: HTTPOnly defines whether the cookie + can be accessed by client-side APIs, such as + JavaScript. + type: boolean + maxAge: + description: |- + MaxAge indicates the number of seconds until the cookie expires. + When set to a negative number, the cookie expires immediately. + When set to zero, the cookie never expires. + type: integer + name: + description: Name defines the Cookie name. + type: string + sameSite: + description: |- + SameSite defines the same site policy. + More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite + type: string + secure: + description: Secure defines whether the cookie + can only be transmitted over an encrypted connection + (i.e. HTTPS). + type: boolean + type: object + type: object + strategy: + description: |- + Strategy defines the load balancing strategy between the servers. + RoundRobin is the only supported value at the moment. + type: string + weight: + description: |- + Weight defines the weight and should only be specified when Name references a TraefikService object + (and to be precise, one that embeds a Weighted Round Robin). + type: integer + required: + - name + type: object + type: array + syntax: + description: |- + Syntax defines the router's rule syntax. + More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#rulesyntax + type: string + required: + - kind + - match + type: object + type: array + tls: + description: |- + TLS defines the TLS configuration. + More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#tls + properties: + certResolver: + description: |- + CertResolver defines the name of the certificate resolver to use. + Cert resolvers have to be configured in the static configuration. + More info: https://doc.traefik.io/traefik/v3.1/https/acme/#certificate-resolvers + type: string + domains: + description: |- + Domains defines the list of domains that will be used to issue certificates. + More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#domains + items: + description: Domain holds a domain name with SANs. + properties: + main: + description: Main defines the main domain name. + type: string + sans: + description: SANs defines the subject alternative domain + names. + items: + type: string + type: array + type: object + type: array + options: + description: |- + Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection. + If not defined, the `default` TLSOption is used. + More info: https://doc.traefik.io/traefik/v3.1/https/tls/#tls-options + properties: + name: + description: |- + Name defines the name of the referenced TLSOption. + More info: https://doc.traefik.io/traefik/v3.1/routing/providers/kubernetes-crd/#kind-tlsoption + type: string + namespace: + description: |- + Namespace defines the namespace of the referenced TLSOption. + More info: https://doc.traefik.io/traefik/v3.1/routing/providers/kubernetes-crd/#kind-tlsoption + type: string + required: + - name + type: object + secretName: + description: SecretName is the name of the referenced Kubernetes + Secret to specify the certificate details. + type: string + store: + description: |- + Store defines the reference to the TLSStore, that will be used to store certificates. + Please note that only `default` TLSStore can be used. + properties: + name: + description: |- + Name defines the name of the referenced TLSStore. + More info: https://doc.traefik.io/traefik/v3.1/routing/providers/kubernetes-crd/#kind-tlsstore + type: string + namespace: + description: |- + Namespace defines the namespace of the referenced TLSStore. + More info: https://doc.traefik.io/traefik/v3.1/routing/providers/kubernetes-crd/#kind-tlsstore + type: string + required: + - name + type: object + type: object + required: + - routes + type: object + required: + - metadata + - spec + type: object + served: true + storage: true diff --git a/charts/traefik/traefik/32.0.0/crds/traefik.io_ingressroutetcps.yaml b/charts/traefik/traefik/32.0.0/crds/traefik.io_ingressroutetcps.yaml new file mode 100644 index 000000000..9db38f869 --- /dev/null +++ b/charts/traefik/traefik/32.0.0/crds/traefik.io_ingressroutetcps.yaml @@ -0,0 +1,247 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + name: ingressroutetcps.traefik.io +spec: + group: traefik.io + names: + kind: IngressRouteTCP + listKind: IngressRouteTCPList + plural: ingressroutetcps + singular: ingressroutetcp + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: IngressRouteTCP is the CRD implementation of a Traefik TCP Router. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: IngressRouteTCPSpec defines the desired state of IngressRouteTCP. + properties: + entryPoints: + description: |- + EntryPoints defines the list of entry point names to bind to. + Entry points have to be configured in the static configuration. + More info: https://doc.traefik.io/traefik/v3.1/routing/entrypoints/ + Default: all. + items: + type: string + type: array + routes: + description: Routes defines the list of routes. + items: + description: RouteTCP holds the TCP route configuration. + properties: + match: + description: |- + Match defines the router's rule. + More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#rule_1 + type: string + middlewares: + description: Middlewares defines the list of references to MiddlewareTCP + resources. + items: + description: ObjectReference is a generic reference to a Traefik + resource. + properties: + name: + description: Name defines the name of the referenced Traefik + resource. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Traefik resource. + type: string + required: + - name + type: object + type: array + priority: + description: |- + Priority defines the router's priority. + More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#priority_1 + type: integer + services: + description: Services defines the list of TCP services. + items: + description: ServiceTCP defines an upstream TCP service to + proxy traffic to. + properties: + name: + description: Name defines the name of the referenced Kubernetes + Service. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Kubernetes Service. + type: string + nativeLB: + description: |- + NativeLB controls, when creating the load-balancer, + whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP. + The Kubernetes Service itself does load-balance to the pods. + By default, NativeLB is false. + type: boolean + nodePortLB: + description: |- + NodePortLB controls, when creating the load-balancer, + whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort. + It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes. + By default, NodePortLB is false. + type: boolean + port: + anyOf: + - type: integer + - type: string + description: |- + Port defines the port of a Kubernetes Service. + This can be a reference to a named port. + x-kubernetes-int-or-string: true + proxyProtocol: + description: |- + ProxyProtocol defines the PROXY protocol configuration. + More info: https://doc.traefik.io/traefik/v3.1/routing/services/#proxy-protocol + properties: + version: + description: Version defines the PROXY Protocol version + to use. + type: integer + type: object + serversTransport: + description: |- + ServersTransport defines the name of ServersTransportTCP resource to use. + It allows to configure the transport between Traefik and your servers. + Can only be used on a Kubernetes Service. + type: string + terminationDelay: + description: |- + TerminationDelay defines the deadline that the proxy sets, after one of its connected peers indicates + it has closed the writing capability of its connection, to close the reading capability as well, + hence fully terminating the connection. + It is a duration in milliseconds, defaulting to 100. + A negative value means an infinite deadline (i.e. the reading capability is never closed). + Deprecated: TerminationDelay will not be supported in future APIVersions, please use ServersTransport to configure the TerminationDelay instead. + type: integer + tls: + description: TLS determines whether to use TLS when dialing + with the backend. + type: boolean + weight: + description: Weight defines the weight used when balancing + requests between multiple Kubernetes Service. + type: integer + required: + - name + - port + type: object + type: array + syntax: + description: |- + Syntax defines the router's rule syntax. + More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#rulesyntax_1 + type: string + required: + - match + type: object + type: array + tls: + description: |- + TLS defines the TLS configuration on a layer 4 / TCP Route. + More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#tls_1 + properties: + certResolver: + description: |- + CertResolver defines the name of the certificate resolver to use. + Cert resolvers have to be configured in the static configuration. + More info: https://doc.traefik.io/traefik/v3.1/https/acme/#certificate-resolvers + type: string + domains: + description: |- + Domains defines the list of domains that will be used to issue certificates. + More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#domains + items: + description: Domain holds a domain name with SANs. + properties: + main: + description: Main defines the main domain name. + type: string + sans: + description: SANs defines the subject alternative domain + names. + items: + type: string + type: array + type: object + type: array + options: + description: |- + Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection. + If not defined, the `default` TLSOption is used. + More info: https://doc.traefik.io/traefik/v3.1/https/tls/#tls-options + properties: + name: + description: Name defines the name of the referenced Traefik + resource. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Traefik resource. + type: string + required: + - name + type: object + passthrough: + description: Passthrough defines whether a TLS router will terminate + the TLS connection. + type: boolean + secretName: + description: SecretName is the name of the referenced Kubernetes + Secret to specify the certificate details. + type: string + store: + description: |- + Store defines the reference to the TLSStore, that will be used to store certificates. + Please note that only `default` TLSStore can be used. + properties: + name: + description: Name defines the name of the referenced Traefik + resource. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Traefik resource. + type: string + required: + - name + type: object + type: object + required: + - routes + type: object + required: + - metadata + - spec + type: object + served: true + storage: true diff --git a/charts/traefik/traefik/32.0.0/crds/traefik.io_ingressrouteudps.yaml b/charts/traefik/traefik/32.0.0/crds/traefik.io_ingressrouteudps.yaml new file mode 100644 index 000000000..9b04a8355 --- /dev/null +++ b/charts/traefik/traefik/32.0.0/crds/traefik.io_ingressrouteudps.yaml @@ -0,0 +1,111 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + name: ingressrouteudps.traefik.io +spec: + group: traefik.io + names: + kind: IngressRouteUDP + listKind: IngressRouteUDPList + plural: ingressrouteudps + singular: ingressrouteudp + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: IngressRouteUDP is a CRD implementation of a Traefik UDP Router. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: IngressRouteUDPSpec defines the desired state of a IngressRouteUDP. + properties: + entryPoints: + description: |- + EntryPoints defines the list of entry point names to bind to. + Entry points have to be configured in the static configuration. + More info: https://doc.traefik.io/traefik/v3.1/routing/entrypoints/ + Default: all. + items: + type: string + type: array + routes: + description: Routes defines the list of routes. + items: + description: RouteUDP holds the UDP route configuration. + properties: + services: + description: Services defines the list of UDP services. + items: + description: ServiceUDP defines an upstream UDP service to + proxy traffic to. + properties: + name: + description: Name defines the name of the referenced Kubernetes + Service. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Kubernetes Service. + type: string + nativeLB: + description: |- + NativeLB controls, when creating the load-balancer, + whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP. + The Kubernetes Service itself does load-balance to the pods. + By default, NativeLB is false. + type: boolean + nodePortLB: + description: |- + NodePortLB controls, when creating the load-balancer, + whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort. + It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes. + By default, NodePortLB is false. + type: boolean + port: + anyOf: + - type: integer + - type: string + description: |- + Port defines the port of a Kubernetes Service. + This can be a reference to a named port. + x-kubernetes-int-or-string: true + weight: + description: Weight defines the weight used when balancing + requests between multiple Kubernetes Service. + type: integer + required: + - name + - port + type: object + type: array + type: object + type: array + required: + - routes + type: object + required: + - metadata + - spec + type: object + served: true + storage: true diff --git a/charts/traefik/traefik/32.0.0/crds/traefik.io_middlewares.yaml b/charts/traefik/traefik/32.0.0/crds/traefik.io_middlewares.yaml new file mode 100644 index 000000000..7bc7f0546 --- /dev/null +++ b/charts/traefik/traefik/32.0.0/crds/traefik.io_middlewares.yaml @@ -0,0 +1,1098 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + name: middlewares.traefik.io +spec: + group: traefik.io + names: + kind: Middleware + listKind: MiddlewareList + plural: middlewares + singular: middleware + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + Middleware is the CRD implementation of a Traefik Middleware. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/overview/ + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: MiddlewareSpec defines the desired state of a Middleware. + properties: + addPrefix: + description: |- + AddPrefix holds the add prefix middleware configuration. + This middleware updates the path of a request before forwarding it. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/addprefix/ + properties: + prefix: + description: |- + Prefix is the string to add before the current path in the requested URL. + It should include a leading slash (/). + type: string + type: object + basicAuth: + description: |- + BasicAuth holds the basic auth middleware configuration. + This middleware restricts access to your services to known users. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/basicauth/ + properties: + headerField: + description: |- + HeaderField defines a header field to store the authenticated user. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/basicauth/#headerfield + type: string + realm: + description: |- + Realm allows the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme. + Default: traefik. + type: string + removeHeader: + description: |- + RemoveHeader sets the removeHeader option to true to remove the authorization header before forwarding the request to your service. + Default: false. + type: boolean + secret: + description: Secret is the name of the referenced Kubernetes Secret + containing user credentials. + type: string + type: object + buffering: + description: |- + Buffering holds the buffering middleware configuration. + This middleware retries or limits the size of requests that can be forwarded to backends. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/buffering/#maxrequestbodybytes + properties: + maxRequestBodyBytes: + description: |- + MaxRequestBodyBytes defines the maximum allowed body size for the request (in bytes). + If the request exceeds the allowed size, it is not forwarded to the service, and the client gets a 413 (Request Entity Too Large) response. + Default: 0 (no maximum). + format: int64 + type: integer + maxResponseBodyBytes: + description: |- + MaxResponseBodyBytes defines the maximum allowed response size from the service (in bytes). + If the response exceeds the allowed size, it is not forwarded to the client. The client gets a 500 (Internal Server Error) response instead. + Default: 0 (no maximum). + format: int64 + type: integer + memRequestBodyBytes: + description: |- + MemRequestBodyBytes defines the threshold (in bytes) from which the request will be buffered on disk instead of in memory. + Default: 1048576 (1Mi). + format: int64 + type: integer + memResponseBodyBytes: + description: |- + MemResponseBodyBytes defines the threshold (in bytes) from which the response will be buffered on disk instead of in memory. + Default: 1048576 (1Mi). + format: int64 + type: integer + retryExpression: + description: |- + RetryExpression defines the retry conditions. + It is a logical combination of functions with operators AND (&&) and OR (||). + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/buffering/#retryexpression + type: string + type: object + chain: + description: |- + Chain holds the configuration of the chain middleware. + This middleware enables to define reusable combinations of other pieces of middleware. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/chain/ + properties: + middlewares: + description: Middlewares is the list of MiddlewareRef which composes + the chain. + items: + description: MiddlewareRef is a reference to a Middleware resource. + properties: + name: + description: Name defines the name of the referenced Middleware + resource. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Middleware resource. + type: string + required: + - name + type: object + type: array + type: object + circuitBreaker: + description: CircuitBreaker holds the circuit breaker configuration. + properties: + checkPeriod: + anyOf: + - type: integer + - type: string + description: CheckPeriod is the interval between successive checks + of the circuit breaker condition (when in standby state). + x-kubernetes-int-or-string: true + expression: + description: Expression is the condition that triggers the tripped + state. + type: string + fallbackDuration: + anyOf: + - type: integer + - type: string + description: FallbackDuration is the duration for which the circuit + breaker will wait before trying to recover (from a tripped state). + x-kubernetes-int-or-string: true + recoveryDuration: + anyOf: + - type: integer + - type: string + description: RecoveryDuration is the duration for which the circuit + breaker will try to recover (as soon as it is in recovering + state). + x-kubernetes-int-or-string: true + responseCode: + description: ResponseCode is the status code that the circuit + breaker will return while it is in the open state. + type: integer + type: object + compress: + description: |- + Compress holds the compress middleware configuration. + This middleware compresses responses before sending them to the client, using gzip compression. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/compress/ + properties: + defaultEncoding: + description: DefaultEncoding specifies the default encoding if + the `Accept-Encoding` header is not in the request or contains + a wildcard (`*`). + type: string + excludedContentTypes: + description: |- + ExcludedContentTypes defines the list of content types to compare the Content-Type header of the incoming requests and responses before compressing. + `application/grpc` is always excluded. + items: + type: string + type: array + includedContentTypes: + description: IncludedContentTypes defines the list of content + types to compare the Content-Type header of the responses before + compressing. + items: + type: string + type: array + minResponseBodyBytes: + description: |- + MinResponseBodyBytes defines the minimum amount of bytes a response body must have to be compressed. + Default: 1024. + type: integer + type: object + contentType: + description: |- + ContentType holds the content-type middleware configuration. + This middleware exists to enable the correct behavior until at least the default one can be changed in a future version. + properties: + autoDetect: + description: |- + AutoDetect specifies whether to let the `Content-Type` header, if it has not been set by the backend, + be automatically set to a value derived from the contents of the response. + Deprecated: AutoDetect option is deprecated, Content-Type middleware is only meant to be used to enable the content-type detection, please remove any usage of this option. + type: boolean + type: object + digestAuth: + description: |- + DigestAuth holds the digest auth middleware configuration. + This middleware restricts access to your services to known users. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/digestauth/ + properties: + headerField: + description: |- + HeaderField defines a header field to store the authenticated user. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/basicauth/#headerfield + type: string + realm: + description: |- + Realm allows the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme. + Default: traefik. + type: string + removeHeader: + description: RemoveHeader defines whether to remove the authorization + header before forwarding the request to the backend. + type: boolean + secret: + description: Secret is the name of the referenced Kubernetes Secret + containing user credentials. + type: string + type: object + errors: + description: |- + ErrorPage holds the custom error middleware configuration. + This middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/errorpages/ + properties: + query: + description: |- + Query defines the URL for the error page (hosted by service). + The {status} variable can be used in order to insert the status code in the URL. + type: string + service: + description: |- + Service defines the reference to a Kubernetes Service that will serve the error page. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/errorpages/#service + properties: + healthCheck: + description: Healthcheck defines health checks for ExternalName + services. + properties: + followRedirects: + description: |- + FollowRedirects defines whether redirects should be followed during the health check calls. + Default: true + type: boolean + headers: + additionalProperties: + type: string + description: Headers defines custom headers to be sent + to the health check endpoint. + type: object + hostname: + description: Hostname defines the value of hostname in + the Host header of the health check request. + type: string + interval: + anyOf: + - type: integer + - type: string + description: |- + Interval defines the frequency of the health check calls. + Default: 30s + x-kubernetes-int-or-string: true + method: + description: Method defines the healthcheck method. + type: string + mode: + description: |- + Mode defines the health check mode. + If defined to grpc, will use the gRPC health check protocol to probe the server. + Default: http + type: string + path: + description: Path defines the server URL path for the + health check endpoint. + type: string + port: + description: Port defines the server URL port for the + health check endpoint. + type: integer + scheme: + description: Scheme replaces the server URL scheme for + the health check endpoint. + type: string + status: + description: Status defines the expected HTTP status code + of the response to the health check request. + type: integer + timeout: + anyOf: + - type: integer + - type: string + description: |- + Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy. + Default: 5s + x-kubernetes-int-or-string: true + type: object + kind: + description: Kind defines the kind of the Service. + enum: + - Service + - TraefikService + type: string + name: + description: |- + Name defines the name of the referenced Kubernetes Service or TraefikService. + The differentiation between the two is specified in the Kind field. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Kubernetes Service or TraefikService. + type: string + nativeLB: + description: |- + NativeLB controls, when creating the load-balancer, + whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP. + The Kubernetes Service itself does load-balance to the pods. + By default, NativeLB is false. + type: boolean + nodePortLB: + description: |- + NodePortLB controls, when creating the load-balancer, + whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort. + It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes. + By default, NodePortLB is false. + type: boolean + passHostHeader: + description: |- + PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service. + By default, passHostHeader is true. + type: boolean + port: + anyOf: + - type: integer + - type: string + description: |- + Port defines the port of a Kubernetes Service. + This can be a reference to a named port. + x-kubernetes-int-or-string: true + responseForwarding: + description: ResponseForwarding defines how Traefik forwards + the response from the upstream Kubernetes Service to the + client. + properties: + flushInterval: + description: |- + FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body. + A negative value means to flush immediately after each write to the client. + This configuration is ignored when ReverseProxy recognizes a response as a streaming response; + for such responses, writes are flushed to the client immediately. + Default: 100ms + type: string + type: object + scheme: + description: |- + Scheme defines the scheme to use for the request to the upstream Kubernetes Service. + It defaults to https when Kubernetes Service port is 443, http otherwise. + type: string + serversTransport: + description: |- + ServersTransport defines the name of ServersTransport resource to use. + It allows to configure the transport between Traefik and your servers. + Can only be used on a Kubernetes Service. + type: string + sticky: + description: |- + Sticky defines the sticky sessions configuration. + More info: https://doc.traefik.io/traefik/v3.1/routing/services/#sticky-sessions + properties: + cookie: + description: Cookie defines the sticky cookie configuration. + properties: + httpOnly: + description: HTTPOnly defines whether the cookie can + be accessed by client-side APIs, such as JavaScript. + type: boolean + maxAge: + description: |- + MaxAge indicates the number of seconds until the cookie expires. + When set to a negative number, the cookie expires immediately. + When set to zero, the cookie never expires. + type: integer + name: + description: Name defines the Cookie name. + type: string + sameSite: + description: |- + SameSite defines the same site policy. + More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite + type: string + secure: + description: Secure defines whether the cookie can + only be transmitted over an encrypted connection + (i.e. HTTPS). + type: boolean + type: object + type: object + strategy: + description: |- + Strategy defines the load balancing strategy between the servers. + RoundRobin is the only supported value at the moment. + type: string + weight: + description: |- + Weight defines the weight and should only be specified when Name references a TraefikService object + (and to be precise, one that embeds a Weighted Round Robin). + type: integer + required: + - name + type: object + status: + description: |- + Status defines which status or range of statuses should result in an error page. + It can be either a status code as a number (500), + as multiple comma-separated numbers (500,502), + as ranges by separating two codes with a dash (500-599), + or a combination of the two (404,418,500-599). + items: + type: string + type: array + type: object + forwardAuth: + description: |- + ForwardAuth holds the forward auth middleware configuration. + This middleware delegates the request authentication to a Service. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/forwardauth/ + properties: + addAuthCookiesToResponse: + description: AddAuthCookiesToResponse defines the list of cookies + to copy from the authentication server response to the response. + items: + type: string + type: array + address: + description: Address defines the authentication server address. + type: string + authRequestHeaders: + description: |- + AuthRequestHeaders defines the list of the headers to copy from the request to the authentication server. + If not set or empty then all request headers are passed. + items: + type: string + type: array + authResponseHeaders: + description: AuthResponseHeaders defines the list of headers to + copy from the authentication server response and set on forwarded + request, replacing any existing conflicting headers. + items: + type: string + type: array + authResponseHeadersRegex: + description: |- + AuthResponseHeadersRegex defines the regex to match headers to copy from the authentication server response and set on forwarded request, after stripping all headers that match the regex. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/forwardauth/#authresponseheadersregex + type: string + tls: + description: TLS defines the configuration used to secure the + connection to the authentication server. + properties: + caOptional: + description: 'Deprecated: TLS client authentication is a server + side option (see https://github.com/golang/go/blob/740a490f71d026bb7d2d13cb8fa2d6d6e0572b70/src/crypto/tls/common.go#L634).' + type: boolean + caSecret: + description: |- + CASecret is the name of the referenced Kubernetes Secret containing the CA to validate the server certificate. + The CA certificate is extracted from key `tls.ca` or `ca.crt`. + type: string + certSecret: + description: |- + CertSecret is the name of the referenced Kubernetes Secret containing the client certificate. + The client certificate is extracted from the keys `tls.crt` and `tls.key`. + type: string + insecureSkipVerify: + description: InsecureSkipVerify defines whether the server + certificates should be validated. + type: boolean + type: object + trustForwardHeader: + description: 'TrustForwardHeader defines whether to trust (ie: + forward) all X-Forwarded-* headers.' + type: boolean + type: object + grpcWeb: + description: |- + GrpcWeb holds the gRPC web middleware configuration. + This middleware converts a gRPC web request to an HTTP/2 gRPC request. + properties: + allowOrigins: + description: |- + AllowOrigins is a list of allowable origins. + Can also be a wildcard origin "*". + items: + type: string + type: array + type: object + headers: + description: |- + Headers holds the headers middleware configuration. + This middleware manages the requests and responses headers. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/headers/#customrequestheaders + properties: + accessControlAllowCredentials: + description: AccessControlAllowCredentials defines whether the + request can include user credentials. + type: boolean + accessControlAllowHeaders: + description: AccessControlAllowHeaders defines the Access-Control-Request-Headers + values sent in preflight response. + items: + type: string + type: array + accessControlAllowMethods: + description: AccessControlAllowMethods defines the Access-Control-Request-Method + values sent in preflight response. + items: + type: string + type: array + accessControlAllowOriginList: + description: AccessControlAllowOriginList is a list of allowable + origins. Can also be a wildcard origin "*". + items: + type: string + type: array + accessControlAllowOriginListRegex: + description: AccessControlAllowOriginListRegex is a list of allowable + origins written following the Regular Expression syntax (https://golang.org/pkg/regexp/). + items: + type: string + type: array + accessControlExposeHeaders: + description: AccessControlExposeHeaders defines the Access-Control-Expose-Headers + values sent in preflight response. + items: + type: string + type: array + accessControlMaxAge: + description: AccessControlMaxAge defines the time that a preflight + request may be cached. + format: int64 + type: integer + addVaryHeader: + description: AddVaryHeader defines whether the Vary header is + automatically added/updated when the AccessControlAllowOriginList + is set. + type: boolean + allowedHosts: + description: AllowedHosts defines the fully qualified list of + allowed domain names. + items: + type: string + type: array + browserXssFilter: + description: BrowserXSSFilter defines whether to add the X-XSS-Protection + header with the value 1; mode=block. + type: boolean + contentSecurityPolicy: + description: ContentSecurityPolicy defines the Content-Security-Policy + header value. + type: string + contentSecurityPolicyReportOnly: + description: ContentSecurityPolicyReportOnly defines the Content-Security-Policy-Report-Only + header value. + type: string + contentTypeNosniff: + description: ContentTypeNosniff defines whether to add the X-Content-Type-Options + header with the nosniff value. + type: boolean + customBrowserXSSValue: + description: |- + CustomBrowserXSSValue defines the X-XSS-Protection header value. + This overrides the BrowserXssFilter option. + type: string + customFrameOptionsValue: + description: |- + CustomFrameOptionsValue defines the X-Frame-Options header value. + This overrides the FrameDeny option. + type: string + customRequestHeaders: + additionalProperties: + type: string + description: CustomRequestHeaders defines the header names and + values to apply to the request. + type: object + customResponseHeaders: + additionalProperties: + type: string + description: CustomResponseHeaders defines the header names and + values to apply to the response. + type: object + featurePolicy: + description: 'Deprecated: FeaturePolicy option is deprecated, + please use PermissionsPolicy instead.' + type: string + forceSTSHeader: + description: ForceSTSHeader defines whether to add the STS header + even when the connection is HTTP. + type: boolean + frameDeny: + description: FrameDeny defines whether to add the X-Frame-Options + header with the DENY value. + type: boolean + hostsProxyHeaders: + description: HostsProxyHeaders defines the header keys that may + hold a proxied hostname value for the request. + items: + type: string + type: array + isDevelopment: + description: |- + IsDevelopment defines whether to mitigate the unwanted effects of the AllowedHosts, SSL, and STS options when developing. + Usually testing takes place using HTTP, not HTTPS, and on localhost, not your production domain. + If you would like your development environment to mimic production with complete Host blocking, SSL redirects, + and STS headers, leave this as false. + type: boolean + permissionsPolicy: + description: |- + PermissionsPolicy defines the Permissions-Policy header value. + This allows sites to control browser features. + type: string + publicKey: + description: PublicKey is the public key that implements HPKP + to prevent MITM attacks with forged certificates. + type: string + referrerPolicy: + description: |- + ReferrerPolicy defines the Referrer-Policy header value. + This allows sites to control whether browsers forward the Referer header to other sites. + type: string + sslForceHost: + description: 'Deprecated: SSLForceHost option is deprecated, please + use RedirectRegex instead.' + type: boolean + sslHost: + description: 'Deprecated: SSLHost option is deprecated, please + use RedirectRegex instead.' + type: string + sslProxyHeaders: + additionalProperties: + type: string + description: |- + SSLProxyHeaders defines the header keys with associated values that would indicate a valid HTTPS request. + It can be useful when using other proxies (example: "X-Forwarded-Proto": "https"). + type: object + sslRedirect: + description: 'Deprecated: SSLRedirect option is deprecated, please + use EntryPoint redirection or RedirectScheme instead.' + type: boolean + sslTemporaryRedirect: + description: 'Deprecated: SSLTemporaryRedirect option is deprecated, + please use EntryPoint redirection or RedirectScheme instead.' + type: boolean + stsIncludeSubdomains: + description: STSIncludeSubdomains defines whether the includeSubDomains + directive is appended to the Strict-Transport-Security header. + type: boolean + stsPreload: + description: STSPreload defines whether the preload flag is appended + to the Strict-Transport-Security header. + type: boolean + stsSeconds: + description: |- + STSSeconds defines the max-age of the Strict-Transport-Security header. + If set to 0, the header is not set. + format: int64 + type: integer + type: object + inFlightReq: + description: |- + InFlightReq holds the in-flight request middleware configuration. + This middleware limits the number of requests being processed and served concurrently. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/inflightreq/ + properties: + amount: + description: |- + Amount defines the maximum amount of allowed simultaneous in-flight request. + The middleware responds with HTTP 429 Too Many Requests if there are already amount requests in progress (based on the same sourceCriterion strategy). + format: int64 + type: integer + sourceCriterion: + description: |- + SourceCriterion defines what criterion is used to group requests as originating from a common source. + If several strategies are defined at the same time, an error will be raised. + If none are set, the default is to use the requestHost. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/inflightreq/#sourcecriterion + properties: + ipStrategy: + description: |- + IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/ipallowlist/#ipstrategy + properties: + depth: + description: Depth tells Traefik to use the X-Forwarded-For + header and take the IP located at the depth position + (starting from the right). + type: integer + excludedIPs: + description: ExcludedIPs configures Traefik to scan the + X-Forwarded-For header and select the first IP not in + the list. + items: + type: string + type: array + type: object + requestHeaderName: + description: RequestHeaderName defines the name of the header + used to group incoming requests. + type: string + requestHost: + description: RequestHost defines whether to consider the request + Host as the source. + type: boolean + type: object + type: object + ipAllowList: + description: |- + IPAllowList holds the IP allowlist middleware configuration. + This middleware limits allowed requests based on the client IP. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/ipallowlist/ + properties: + ipStrategy: + description: |- + IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/ipallowlist/#ipstrategy + properties: + depth: + description: Depth tells Traefik to use the X-Forwarded-For + header and take the IP located at the depth position (starting + from the right). + type: integer + excludedIPs: + description: ExcludedIPs configures Traefik to scan the X-Forwarded-For + header and select the first IP not in the list. + items: + type: string + type: array + type: object + rejectStatusCode: + description: |- + RejectStatusCode defines the HTTP status code used for refused requests. + If not set, the default is 403 (Forbidden). + type: integer + sourceRange: + description: SourceRange defines the set of allowed IPs (or ranges + of allowed IPs by using CIDR notation). + items: + type: string + type: array + type: object + ipWhiteList: + description: 'Deprecated: please use IPAllowList instead.' + properties: + ipStrategy: + description: |- + IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/ipallowlist/#ipstrategy + properties: + depth: + description: Depth tells Traefik to use the X-Forwarded-For + header and take the IP located at the depth position (starting + from the right). + type: integer + excludedIPs: + description: ExcludedIPs configures Traefik to scan the X-Forwarded-For + header and select the first IP not in the list. + items: + type: string + type: array + type: object + sourceRange: + description: SourceRange defines the set of allowed IPs (or ranges + of allowed IPs by using CIDR notation). Required. + items: + type: string + type: array + type: object + passTLSClientCert: + description: |- + PassTLSClientCert holds the pass TLS client cert middleware configuration. + This middleware adds the selected data from the passed client TLS certificate to a header. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/passtlsclientcert/ + properties: + info: + description: Info selects the specific client certificate details + you want to add to the X-Forwarded-Tls-Client-Cert-Info header. + properties: + issuer: + description: Issuer defines the client certificate issuer + details to add to the X-Forwarded-Tls-Client-Cert-Info header. + properties: + commonName: + description: CommonName defines whether to add the organizationalUnit + information into the issuer. + type: boolean + country: + description: Country defines whether to add the country + information into the issuer. + type: boolean + domainComponent: + description: DomainComponent defines whether to add the + domainComponent information into the issuer. + type: boolean + locality: + description: Locality defines whether to add the locality + information into the issuer. + type: boolean + organization: + description: Organization defines whether to add the organization + information into the issuer. + type: boolean + province: + description: Province defines whether to add the province + information into the issuer. + type: boolean + serialNumber: + description: SerialNumber defines whether to add the serialNumber + information into the issuer. + type: boolean + type: object + notAfter: + description: NotAfter defines whether to add the Not After + information from the Validity part. + type: boolean + notBefore: + description: NotBefore defines whether to add the Not Before + information from the Validity part. + type: boolean + sans: + description: Sans defines whether to add the Subject Alternative + Name information from the Subject Alternative Name part. + type: boolean + serialNumber: + description: SerialNumber defines whether to add the client + serialNumber information. + type: boolean + subject: + description: Subject defines the client certificate subject + details to add to the X-Forwarded-Tls-Client-Cert-Info header. + properties: + commonName: + description: CommonName defines whether to add the organizationalUnit + information into the subject. + type: boolean + country: + description: Country defines whether to add the country + information into the subject. + type: boolean + domainComponent: + description: DomainComponent defines whether to add the + domainComponent information into the subject. + type: boolean + locality: + description: Locality defines whether to add the locality + information into the subject. + type: boolean + organization: + description: Organization defines whether to add the organization + information into the subject. + type: boolean + organizationalUnit: + description: OrganizationalUnit defines whether to add + the organizationalUnit information into the subject. + type: boolean + province: + description: Province defines whether to add the province + information into the subject. + type: boolean + serialNumber: + description: SerialNumber defines whether to add the serialNumber + information into the subject. + type: boolean + type: object + type: object + pem: + description: PEM sets the X-Forwarded-Tls-Client-Cert header with + the certificate. + type: boolean + type: object + plugin: + additionalProperties: + x-kubernetes-preserve-unknown-fields: true + description: |- + Plugin defines the middleware plugin configuration. + More info: https://doc.traefik.io/traefik/plugins/ + type: object + rateLimit: + description: |- + RateLimit holds the rate limit configuration. + This middleware ensures that services will receive a fair amount of requests, and allows one to define what fair is. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/ratelimit/ + properties: + average: + description: |- + Average is the maximum rate, by default in requests/s, allowed for the given source. + It defaults to 0, which means no rate limiting. + The rate is actually defined by dividing Average by Period. So for a rate below 1req/s, + one needs to define a Period larger than a second. + format: int64 + type: integer + burst: + description: |- + Burst is the maximum number of requests allowed to arrive in the same arbitrarily small period of time. + It defaults to 1. + format: int64 + type: integer + period: + anyOf: + - type: integer + - type: string + description: |- + Period, in combination with Average, defines the actual maximum rate, such as: + r = Average / Period. It defaults to a second. + x-kubernetes-int-or-string: true + sourceCriterion: + description: |- + SourceCriterion defines what criterion is used to group requests as originating from a common source. + If several strategies are defined at the same time, an error will be raised. + If none are set, the default is to use the request's remote address field (as an ipStrategy). + properties: + ipStrategy: + description: |- + IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/ipallowlist/#ipstrategy + properties: + depth: + description: Depth tells Traefik to use the X-Forwarded-For + header and take the IP located at the depth position + (starting from the right). + type: integer + excludedIPs: + description: ExcludedIPs configures Traefik to scan the + X-Forwarded-For header and select the first IP not in + the list. + items: + type: string + type: array + type: object + requestHeaderName: + description: RequestHeaderName defines the name of the header + used to group incoming requests. + type: string + requestHost: + description: RequestHost defines whether to consider the request + Host as the source. + type: boolean + type: object + type: object + redirectRegex: + description: |- + RedirectRegex holds the redirect regex middleware configuration. + This middleware redirects a request using regex matching and replacement. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/redirectregex/#regex + properties: + permanent: + description: Permanent defines whether the redirection is permanent + (301). + type: boolean + regex: + description: Regex defines the regex used to match and capture + elements from the request URL. + type: string + replacement: + description: Replacement defines how to modify the URL to have + the new target URL. + type: string + type: object + redirectScheme: + description: |- + RedirectScheme holds the redirect scheme middleware configuration. + This middleware redirects requests from a scheme/port to another. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/redirectscheme/ + properties: + permanent: + description: Permanent defines whether the redirection is permanent + (301). + type: boolean + port: + description: Port defines the port of the new URL. + type: string + scheme: + description: Scheme defines the scheme of the new URL. + type: string + type: object + replacePath: + description: |- + ReplacePath holds the replace path middleware configuration. + This middleware replaces the path of the request URL and store the original path in an X-Replaced-Path header. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/replacepath/ + properties: + path: + description: Path defines the path to use as replacement in the + request URL. + type: string + type: object + replacePathRegex: + description: |- + ReplacePathRegex holds the replace path regex middleware configuration. + This middleware replaces the path of a URL using regex matching and replacement. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/replacepathregex/ + properties: + regex: + description: Regex defines the regular expression used to match + and capture the path from the request URL. + type: string + replacement: + description: Replacement defines the replacement path format, + which can include captured variables. + type: string + type: object + retry: + description: |- + Retry holds the retry middleware configuration. + This middleware reissues requests a given number of times to a backend server if that server does not reply. + As soon as the server answers, the middleware stops retrying, regardless of the response status. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/retry/ + properties: + attempts: + description: Attempts defines how many times the request should + be retried. + type: integer + initialInterval: + anyOf: + - type: integer + - type: string + description: |- + InitialInterval defines the first wait time in the exponential backoff series. + The maximum interval is calculated as twice the initialInterval. + If unspecified, requests will be retried immediately. + The value of initialInterval should be provided in seconds or as a valid duration format, + see https://pkg.go.dev/time#ParseDuration. + x-kubernetes-int-or-string: true + type: object + stripPrefix: + description: |- + StripPrefix holds the strip prefix middleware configuration. + This middleware removes the specified prefixes from the URL path. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/stripprefix/ + properties: + forceSlash: + description: |- + Deprecated: ForceSlash option is deprecated, please remove any usage of this option. + ForceSlash ensures that the resulting stripped path is not the empty string, by replacing it with / when necessary. + Default: true. + type: boolean + prefixes: + description: Prefixes defines the prefixes to strip from the request + URL. + items: + type: string + type: array + type: object + stripPrefixRegex: + description: |- + StripPrefixRegex holds the strip prefix regex middleware configuration. + This middleware removes the matching prefixes from the URL path. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/stripprefixregex/ + properties: + regex: + description: Regex defines the regular expression to match the + path prefix from the request URL. + items: + type: string + type: array + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true diff --git a/charts/traefik/traefik/32.0.0/crds/traefik.io_middlewaretcps.yaml b/charts/traefik/traefik/32.0.0/crds/traefik.io_middlewaretcps.yaml new file mode 100644 index 000000000..f09e3d412 --- /dev/null +++ b/charts/traefik/traefik/32.0.0/crds/traefik.io_middlewaretcps.yaml @@ -0,0 +1,87 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + name: middlewaretcps.traefik.io +spec: + group: traefik.io + names: + kind: MiddlewareTCP + listKind: MiddlewareTCPList + plural: middlewaretcps + singular: middlewaretcp + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + MiddlewareTCP is the CRD implementation of a Traefik TCP middleware. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/overview/ + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: MiddlewareTCPSpec defines the desired state of a MiddlewareTCP. + properties: + inFlightConn: + description: InFlightConn defines the InFlightConn middleware configuration. + properties: + amount: + description: |- + Amount defines the maximum amount of allowed simultaneous connections. + The middleware closes the connection if there are already amount connections opened. + format: int64 + type: integer + type: object + ipAllowList: + description: |- + IPAllowList defines the IPAllowList middleware configuration. + This middleware accepts/refuses connections based on the client IP. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/tcp/ipallowlist/ + properties: + sourceRange: + description: SourceRange defines the allowed IPs (or ranges of + allowed IPs by using CIDR notation). + items: + type: string + type: array + type: object + ipWhiteList: + description: |- + IPWhiteList defines the IPWhiteList middleware configuration. + This middleware accepts/refuses connections based on the client IP. + Deprecated: please use IPAllowList instead. + More info: https://doc.traefik.io/traefik/v3.1/middlewares/tcp/ipwhitelist/ + properties: + sourceRange: + description: SourceRange defines the allowed IPs (or ranges of + allowed IPs by using CIDR notation). + items: + type: string + type: array + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true diff --git a/charts/traefik/traefik/32.0.0/crds/traefik.io_serverstransports.yaml b/charts/traefik/traefik/32.0.0/crds/traefik.io_serverstransports.yaml new file mode 100644 index 000000000..a447c97f1 --- /dev/null +++ b/charts/traefik/traefik/32.0.0/crds/traefik.io_serverstransports.yaml @@ -0,0 +1,139 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + name: serverstransports.traefik.io +spec: + group: traefik.io + names: + kind: ServersTransport + listKind: ServersTransportList + plural: serverstransports + singular: serverstransport + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + ServersTransport is the CRD implementation of a ServersTransport. + If no serversTransport is specified, the default@internal will be used. + The default@internal serversTransport is created from the static configuration. + More info: https://doc.traefik.io/traefik/v3.1/routing/services/#serverstransport_1 + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ServersTransportSpec defines the desired state of a ServersTransport. + properties: + certificatesSecrets: + description: CertificatesSecrets defines a list of secret storing + client certificates for mTLS. + items: + type: string + type: array + disableHTTP2: + description: DisableHTTP2 disables HTTP/2 for connections with backend + servers. + type: boolean + forwardingTimeouts: + description: ForwardingTimeouts defines the timeouts for requests + forwarded to the backend servers. + properties: + dialTimeout: + anyOf: + - type: integer + - type: string + description: DialTimeout is the amount of time to wait until a + connection to a backend server can be established. + x-kubernetes-int-or-string: true + idleConnTimeout: + anyOf: + - type: integer + - type: string + description: IdleConnTimeout is the maximum period for which an + idle HTTP keep-alive connection will remain open before closing + itself. + x-kubernetes-int-or-string: true + pingTimeout: + anyOf: + - type: integer + - type: string + description: PingTimeout is the timeout after which the HTTP/2 + connection will be closed if a response to ping is not received. + x-kubernetes-int-or-string: true + readIdleTimeout: + anyOf: + - type: integer + - type: string + description: ReadIdleTimeout is the timeout after which a health + check using ping frame will be carried out if no frame is received + on the HTTP/2 connection. + x-kubernetes-int-or-string: true + responseHeaderTimeout: + anyOf: + - type: integer + - type: string + description: ResponseHeaderTimeout is the amount of time to wait + for a server's response headers after fully writing the request + (including its body, if any). + x-kubernetes-int-or-string: true + type: object + insecureSkipVerify: + description: InsecureSkipVerify disables SSL certificate verification. + type: boolean + maxIdleConnsPerHost: + description: MaxIdleConnsPerHost controls the maximum idle (keep-alive) + to keep per-host. + type: integer + peerCertURI: + description: PeerCertURI defines the peer cert URI used to match against + SAN URI during the peer certificate verification. + type: string + rootCAsSecrets: + description: RootCAsSecrets defines a list of CA secret used to validate + self-signed certificate. + items: + type: string + type: array + serverName: + description: ServerName defines the server name used to contact the + server. + type: string + spiffe: + description: Spiffe defines the SPIFFE configuration. + properties: + ids: + description: IDs defines the allowed SPIFFE IDs (takes precedence + over the SPIFFE TrustDomain). + items: + type: string + type: array + trustDomain: + description: TrustDomain defines the allowed SPIFFE trust domain. + type: string + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true diff --git a/charts/traefik/traefik/32.0.0/crds/traefik.io_serverstransporttcps.yaml b/charts/traefik/traefik/32.0.0/crds/traefik.io_serverstransporttcps.yaml new file mode 100644 index 000000000..319044709 --- /dev/null +++ b/charts/traefik/traefik/32.0.0/crds/traefik.io_serverstransporttcps.yaml @@ -0,0 +1,120 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + name: serverstransporttcps.traefik.io +spec: + group: traefik.io + names: + kind: ServersTransportTCP + listKind: ServersTransportTCPList + plural: serverstransporttcps + singular: serverstransporttcp + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + ServersTransportTCP is the CRD implementation of a TCPServersTransport. + If no tcpServersTransport is specified, a default one named default@internal will be used. + The default@internal tcpServersTransport can be configured in the static configuration. + More info: https://doc.traefik.io/traefik/v3.1/routing/services/#serverstransport_3 + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ServersTransportTCPSpec defines the desired state of a ServersTransportTCP. + properties: + dialKeepAlive: + anyOf: + - type: integer + - type: string + description: DialKeepAlive is the interval between keep-alive probes + for an active network connection. If zero, keep-alive probes are + sent with a default value (currently 15 seconds), if supported by + the protocol and operating system. Network protocols or operating + systems that do not support keep-alives ignore this field. If negative, + keep-alive probes are disabled. + x-kubernetes-int-or-string: true + dialTimeout: + anyOf: + - type: integer + - type: string + description: DialTimeout is the amount of time to wait until a connection + to a backend server can be established. + x-kubernetes-int-or-string: true + terminationDelay: + anyOf: + - type: integer + - type: string + description: TerminationDelay defines the delay to wait before fully + terminating the connection, after one connected peer has closed + its writing capability. + x-kubernetes-int-or-string: true + tls: + description: TLS defines the TLS configuration + properties: + certificatesSecrets: + description: CertificatesSecrets defines a list of secret storing + client certificates for mTLS. + items: + type: string + type: array + insecureSkipVerify: + description: InsecureSkipVerify disables TLS certificate verification. + type: boolean + peerCertURI: + description: |- + MaxIdleConnsPerHost controls the maximum idle (keep-alive) to keep per-host. + PeerCertURI defines the peer cert URI used to match against SAN URI during the peer certificate verification. + type: string + rootCAsSecrets: + description: RootCAsSecrets defines a list of CA secret used to + validate self-signed certificates. + items: + type: string + type: array + serverName: + description: ServerName defines the server name used to contact + the server. + type: string + spiffe: + description: Spiffe defines the SPIFFE configuration. + properties: + ids: + description: IDs defines the allowed SPIFFE IDs (takes precedence + over the SPIFFE TrustDomain). + items: + type: string + type: array + trustDomain: + description: TrustDomain defines the allowed SPIFFE trust + domain. + type: string + type: object + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true diff --git a/charts/traefik/traefik/32.0.0/crds/traefik.io_tlsoptions.yaml b/charts/traefik/traefik/32.0.0/crds/traefik.io_tlsoptions.yaml new file mode 100644 index 000000000..932f95811 --- /dev/null +++ b/charts/traefik/traefik/32.0.0/crds/traefik.io_tlsoptions.yaml @@ -0,0 +1,114 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + name: tlsoptions.traefik.io +spec: + group: traefik.io + names: + kind: TLSOption + listKind: TLSOptionList + plural: tlsoptions + singular: tlsoption + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + TLSOption is the CRD implementation of a Traefik TLS Option, allowing to configure some parameters of the TLS connection. + More info: https://doc.traefik.io/traefik/v3.1/https/tls/#tls-options + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: TLSOptionSpec defines the desired state of a TLSOption. + properties: + alpnProtocols: + description: |- + ALPNProtocols defines the list of supported application level protocols for the TLS handshake, in order of preference. + More info: https://doc.traefik.io/traefik/v3.1/https/tls/#alpn-protocols + items: + type: string + type: array + cipherSuites: + description: |- + CipherSuites defines the list of supported cipher suites for TLS versions up to TLS 1.2. + More info: https://doc.traefik.io/traefik/v3.1/https/tls/#cipher-suites + items: + type: string + type: array + clientAuth: + description: ClientAuth defines the server's policy for TLS Client + Authentication. + properties: + clientAuthType: + description: ClientAuthType defines the client authentication + type to apply. + enum: + - NoClientCert + - RequestClientCert + - RequireAnyClientCert + - VerifyClientCertIfGiven + - RequireAndVerifyClientCert + type: string + secretNames: + description: SecretNames defines the names of the referenced Kubernetes + Secret storing certificate details. + items: + type: string + type: array + type: object + curvePreferences: + description: |- + CurvePreferences defines the preferred elliptic curves in a specific order. + More info: https://doc.traefik.io/traefik/v3.1/https/tls/#curve-preferences + items: + type: string + type: array + maxVersion: + description: |- + MaxVersion defines the maximum TLS version that Traefik will accept. + Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + Default: None. + type: string + minVersion: + description: |- + MinVersion defines the minimum TLS version that Traefik will accept. + Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + Default: VersionTLS10. + type: string + preferServerCipherSuites: + description: |- + PreferServerCipherSuites defines whether the server chooses a cipher suite among his own instead of among the client's. + It is enabled automatically when minVersion or maxVersion is set. + Deprecated: https://github.com/golang/go/issues/45430 + type: boolean + sniStrict: + description: SniStrict defines whether Traefik allows connections + from clients connections that do not specify a server_name extension. + type: boolean + type: object + required: + - metadata + - spec + type: object + served: true + storage: true diff --git a/charts/traefik/traefik/32.0.0/crds/traefik.io_tlsstores.yaml b/charts/traefik/traefik/32.0.0/crds/traefik.io_tlsstores.yaml new file mode 100644 index 000000000..37afedc02 --- /dev/null +++ b/charts/traefik/traefik/32.0.0/crds/traefik.io_tlsstores.yaml @@ -0,0 +1,97 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + name: tlsstores.traefik.io +spec: + group: traefik.io + names: + kind: TLSStore + listKind: TLSStoreList + plural: tlsstores + singular: tlsstore + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + TLSStore is the CRD implementation of a Traefik TLS Store. + For the time being, only the TLSStore named default is supported. + This means that you cannot have two stores that are named default in different Kubernetes namespaces. + More info: https://doc.traefik.io/traefik/v3.1/https/tls/#certificates-stores + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: TLSStoreSpec defines the desired state of a TLSStore. + properties: + certificates: + description: Certificates is a list of secret names, each secret holding + a key/certificate pair to add to the store. + items: + description: Certificate holds a secret name for the TLSStore resource. + properties: + secretName: + description: SecretName is the name of the referenced Kubernetes + Secret to specify the certificate details. + type: string + required: + - secretName + type: object + type: array + defaultCertificate: + description: DefaultCertificate defines the default certificate configuration. + properties: + secretName: + description: SecretName is the name of the referenced Kubernetes + Secret to specify the certificate details. + type: string + required: + - secretName + type: object + defaultGeneratedCert: + description: DefaultGeneratedCert defines the default generated certificate + configuration. + properties: + domain: + description: Domain is the domain definition for the DefaultCertificate. + properties: + main: + description: Main defines the main domain name. + type: string + sans: + description: SANs defines the subject alternative domain names. + items: + type: string + type: array + type: object + resolver: + description: Resolver is the name of the resolver that will be + used to issue the DefaultCertificate. + type: string + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true diff --git a/charts/traefik/traefik/32.0.0/crds/traefik.io_traefikservices.yaml b/charts/traefik/traefik/32.0.0/crds/traefik.io_traefikservices.yaml new file mode 100644 index 000000000..1e1b279d5 --- /dev/null +++ b/charts/traefik/traefik/32.0.0/crds/traefik.io_traefikservices.yaml @@ -0,0 +1,639 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + name: traefikservices.traefik.io +spec: + group: traefik.io + names: + kind: TraefikService + listKind: TraefikServiceList + plural: traefikservices + singular: traefikservice + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + TraefikService is the CRD implementation of a Traefik Service. + TraefikService object allows to: + - Apply weight to Services on load-balancing + - Mirror traffic on services + More info: https://doc.traefik.io/traefik/v3.1/routing/providers/kubernetes-crd/#kind-traefikservice + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: TraefikServiceSpec defines the desired state of a TraefikService. + properties: + mirroring: + description: Mirroring defines the Mirroring service configuration. + properties: + healthCheck: + description: Healthcheck defines health checks for ExternalName + services. + properties: + followRedirects: + description: |- + FollowRedirects defines whether redirects should be followed during the health check calls. + Default: true + type: boolean + headers: + additionalProperties: + type: string + description: Headers defines custom headers to be sent to + the health check endpoint. + type: object + hostname: + description: Hostname defines the value of hostname in the + Host header of the health check request. + type: string + interval: + anyOf: + - type: integer + - type: string + description: |- + Interval defines the frequency of the health check calls. + Default: 30s + x-kubernetes-int-or-string: true + method: + description: Method defines the healthcheck method. + type: string + mode: + description: |- + Mode defines the health check mode. + If defined to grpc, will use the gRPC health check protocol to probe the server. + Default: http + type: string + path: + description: Path defines the server URL path for the health + check endpoint. + type: string + port: + description: Port defines the server URL port for the health + check endpoint. + type: integer + scheme: + description: Scheme replaces the server URL scheme for the + health check endpoint. + type: string + status: + description: Status defines the expected HTTP status code + of the response to the health check request. + type: integer + timeout: + anyOf: + - type: integer + - type: string + description: |- + Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy. + Default: 5s + x-kubernetes-int-or-string: true + type: object + kind: + description: Kind defines the kind of the Service. + enum: + - Service + - TraefikService + type: string + maxBodySize: + description: |- + MaxBodySize defines the maximum size allowed for the body of the request. + If the body is larger, the request is not mirrored. + Default value is -1, which means unlimited size. + format: int64 + type: integer + mirrors: + description: Mirrors defines the list of mirrors where Traefik + will duplicate the traffic. + items: + description: MirrorService holds the mirror configuration. + properties: + healthCheck: + description: Healthcheck defines health checks for ExternalName + services. + properties: + followRedirects: + description: |- + FollowRedirects defines whether redirects should be followed during the health check calls. + Default: true + type: boolean + headers: + additionalProperties: + type: string + description: Headers defines custom headers to be sent + to the health check endpoint. + type: object + hostname: + description: Hostname defines the value of hostname + in the Host header of the health check request. + type: string + interval: + anyOf: + - type: integer + - type: string + description: |- + Interval defines the frequency of the health check calls. + Default: 30s + x-kubernetes-int-or-string: true + method: + description: Method defines the healthcheck method. + type: string + mode: + description: |- + Mode defines the health check mode. + If defined to grpc, will use the gRPC health check protocol to probe the server. + Default: http + type: string + path: + description: Path defines the server URL path for the + health check endpoint. + type: string + port: + description: Port defines the server URL port for the + health check endpoint. + type: integer + scheme: + description: Scheme replaces the server URL scheme for + the health check endpoint. + type: string + status: + description: Status defines the expected HTTP status + code of the response to the health check request. + type: integer + timeout: + anyOf: + - type: integer + - type: string + description: |- + Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy. + Default: 5s + x-kubernetes-int-or-string: true + type: object + kind: + description: Kind defines the kind of the Service. + enum: + - Service + - TraefikService + type: string + name: + description: |- + Name defines the name of the referenced Kubernetes Service or TraefikService. + The differentiation between the two is specified in the Kind field. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Kubernetes Service or TraefikService. + type: string + nativeLB: + description: |- + NativeLB controls, when creating the load-balancer, + whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP. + The Kubernetes Service itself does load-balance to the pods. + By default, NativeLB is false. + type: boolean + nodePortLB: + description: |- + NodePortLB controls, when creating the load-balancer, + whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort. + It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes. + By default, NodePortLB is false. + type: boolean + passHostHeader: + description: |- + PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service. + By default, passHostHeader is true. + type: boolean + percent: + description: |- + Percent defines the part of the traffic to mirror. + Supported values: 0 to 100. + type: integer + port: + anyOf: + - type: integer + - type: string + description: |- + Port defines the port of a Kubernetes Service. + This can be a reference to a named port. + x-kubernetes-int-or-string: true + responseForwarding: + description: ResponseForwarding defines how Traefik forwards + the response from the upstream Kubernetes Service to the + client. + properties: + flushInterval: + description: |- + FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body. + A negative value means to flush immediately after each write to the client. + This configuration is ignored when ReverseProxy recognizes a response as a streaming response; + for such responses, writes are flushed to the client immediately. + Default: 100ms + type: string + type: object + scheme: + description: |- + Scheme defines the scheme to use for the request to the upstream Kubernetes Service. + It defaults to https when Kubernetes Service port is 443, http otherwise. + type: string + serversTransport: + description: |- + ServersTransport defines the name of ServersTransport resource to use. + It allows to configure the transport between Traefik and your servers. + Can only be used on a Kubernetes Service. + type: string + sticky: + description: |- + Sticky defines the sticky sessions configuration. + More info: https://doc.traefik.io/traefik/v3.1/routing/services/#sticky-sessions + properties: + cookie: + description: Cookie defines the sticky cookie configuration. + properties: + httpOnly: + description: HTTPOnly defines whether the cookie + can be accessed by client-side APIs, such as JavaScript. + type: boolean + maxAge: + description: |- + MaxAge indicates the number of seconds until the cookie expires. + When set to a negative number, the cookie expires immediately. + When set to zero, the cookie never expires. + type: integer + name: + description: Name defines the Cookie name. + type: string + sameSite: + description: |- + SameSite defines the same site policy. + More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite + type: string + secure: + description: Secure defines whether the cookie can + only be transmitted over an encrypted connection + (i.e. HTTPS). + type: boolean + type: object + type: object + strategy: + description: |- + Strategy defines the load balancing strategy between the servers. + RoundRobin is the only supported value at the moment. + type: string + weight: + description: |- + Weight defines the weight and should only be specified when Name references a TraefikService object + (and to be precise, one that embeds a Weighted Round Robin). + type: integer + required: + - name + type: object + type: array + name: + description: |- + Name defines the name of the referenced Kubernetes Service or TraefikService. + The differentiation between the two is specified in the Kind field. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Kubernetes Service or TraefikService. + type: string + nativeLB: + description: |- + NativeLB controls, when creating the load-balancer, + whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP. + The Kubernetes Service itself does load-balance to the pods. + By default, NativeLB is false. + type: boolean + nodePortLB: + description: |- + NodePortLB controls, when creating the load-balancer, + whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort. + It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes. + By default, NodePortLB is false. + type: boolean + passHostHeader: + description: |- + PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service. + By default, passHostHeader is true. + type: boolean + port: + anyOf: + - type: integer + - type: string + description: |- + Port defines the port of a Kubernetes Service. + This can be a reference to a named port. + x-kubernetes-int-or-string: true + responseForwarding: + description: ResponseForwarding defines how Traefik forwards the + response from the upstream Kubernetes Service to the client. + properties: + flushInterval: + description: |- + FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body. + A negative value means to flush immediately after each write to the client. + This configuration is ignored when ReverseProxy recognizes a response as a streaming response; + for such responses, writes are flushed to the client immediately. + Default: 100ms + type: string + type: object + scheme: + description: |- + Scheme defines the scheme to use for the request to the upstream Kubernetes Service. + It defaults to https when Kubernetes Service port is 443, http otherwise. + type: string + serversTransport: + description: |- + ServersTransport defines the name of ServersTransport resource to use. + It allows to configure the transport between Traefik and your servers. + Can only be used on a Kubernetes Service. + type: string + sticky: + description: |- + Sticky defines the sticky sessions configuration. + More info: https://doc.traefik.io/traefik/v3.1/routing/services/#sticky-sessions + properties: + cookie: + description: Cookie defines the sticky cookie configuration. + properties: + httpOnly: + description: HTTPOnly defines whether the cookie can be + accessed by client-side APIs, such as JavaScript. + type: boolean + maxAge: + description: |- + MaxAge indicates the number of seconds until the cookie expires. + When set to a negative number, the cookie expires immediately. + When set to zero, the cookie never expires. + type: integer + name: + description: Name defines the Cookie name. + type: string + sameSite: + description: |- + SameSite defines the same site policy. + More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite + type: string + secure: + description: Secure defines whether the cookie can only + be transmitted over an encrypted connection (i.e. HTTPS). + type: boolean + type: object + type: object + strategy: + description: |- + Strategy defines the load balancing strategy between the servers. + RoundRobin is the only supported value at the moment. + type: string + weight: + description: |- + Weight defines the weight and should only be specified when Name references a TraefikService object + (and to be precise, one that embeds a Weighted Round Robin). + type: integer + required: + - name + type: object + weighted: + description: Weighted defines the Weighted Round Robin configuration. + properties: + services: + description: Services defines the list of Kubernetes Service and/or + TraefikService to load-balance, with weight. + items: + description: Service defines an upstream HTTP service to proxy + traffic to. + properties: + healthCheck: + description: Healthcheck defines health checks for ExternalName + services. + properties: + followRedirects: + description: |- + FollowRedirects defines whether redirects should be followed during the health check calls. + Default: true + type: boolean + headers: + additionalProperties: + type: string + description: Headers defines custom headers to be sent + to the health check endpoint. + type: object + hostname: + description: Hostname defines the value of hostname + in the Host header of the health check request. + type: string + interval: + anyOf: + - type: integer + - type: string + description: |- + Interval defines the frequency of the health check calls. + Default: 30s + x-kubernetes-int-or-string: true + method: + description: Method defines the healthcheck method. + type: string + mode: + description: |- + Mode defines the health check mode. + If defined to grpc, will use the gRPC health check protocol to probe the server. + Default: http + type: string + path: + description: Path defines the server URL path for the + health check endpoint. + type: string + port: + description: Port defines the server URL port for the + health check endpoint. + type: integer + scheme: + description: Scheme replaces the server URL scheme for + the health check endpoint. + type: string + status: + description: Status defines the expected HTTP status + code of the response to the health check request. + type: integer + timeout: + anyOf: + - type: integer + - type: string + description: |- + Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy. + Default: 5s + x-kubernetes-int-or-string: true + type: object + kind: + description: Kind defines the kind of the Service. + enum: + - Service + - TraefikService + type: string + name: + description: |- + Name defines the name of the referenced Kubernetes Service or TraefikService. + The differentiation between the two is specified in the Kind field. + type: string + namespace: + description: Namespace defines the namespace of the referenced + Kubernetes Service or TraefikService. + type: string + nativeLB: + description: |- + NativeLB controls, when creating the load-balancer, + whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP. + The Kubernetes Service itself does load-balance to the pods. + By default, NativeLB is false. + type: boolean + nodePortLB: + description: |- + NodePortLB controls, when creating the load-balancer, + whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort. + It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes. + By default, NodePortLB is false. + type: boolean + passHostHeader: + description: |- + PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service. + By default, passHostHeader is true. + type: boolean + port: + anyOf: + - type: integer + - type: string + description: |- + Port defines the port of a Kubernetes Service. + This can be a reference to a named port. + x-kubernetes-int-or-string: true + responseForwarding: + description: ResponseForwarding defines how Traefik forwards + the response from the upstream Kubernetes Service to the + client. + properties: + flushInterval: + description: |- + FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body. + A negative value means to flush immediately after each write to the client. + This configuration is ignored when ReverseProxy recognizes a response as a streaming response; + for such responses, writes are flushed to the client immediately. + Default: 100ms + type: string + type: object + scheme: + description: |- + Scheme defines the scheme to use for the request to the upstream Kubernetes Service. + It defaults to https when Kubernetes Service port is 443, http otherwise. + type: string + serversTransport: + description: |- + ServersTransport defines the name of ServersTransport resource to use. + It allows to configure the transport between Traefik and your servers. + Can only be used on a Kubernetes Service. + type: string + sticky: + description: |- + Sticky defines the sticky sessions configuration. + More info: https://doc.traefik.io/traefik/v3.1/routing/services/#sticky-sessions + properties: + cookie: + description: Cookie defines the sticky cookie configuration. + properties: + httpOnly: + description: HTTPOnly defines whether the cookie + can be accessed by client-side APIs, such as JavaScript. + type: boolean + maxAge: + description: |- + MaxAge indicates the number of seconds until the cookie expires. + When set to a negative number, the cookie expires immediately. + When set to zero, the cookie never expires. + type: integer + name: + description: Name defines the Cookie name. + type: string + sameSite: + description: |- + SameSite defines the same site policy. + More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite + type: string + secure: + description: Secure defines whether the cookie can + only be transmitted over an encrypted connection + (i.e. HTTPS). + type: boolean + type: object + type: object + strategy: + description: |- + Strategy defines the load balancing strategy between the servers. + RoundRobin is the only supported value at the moment. + type: string + weight: + description: |- + Weight defines the weight and should only be specified when Name references a TraefikService object + (and to be precise, one that embeds a Weighted Round Robin). + type: integer + required: + - name + type: object + type: array + sticky: + description: |- + Sticky defines whether sticky sessions are enabled. + More info: https://doc.traefik.io/traefik/v3.1/routing/providers/kubernetes-crd/#stickiness-and-load-balancing + properties: + cookie: + description: Cookie defines the sticky cookie configuration. + properties: + httpOnly: + description: HTTPOnly defines whether the cookie can be + accessed by client-side APIs, such as JavaScript. + type: boolean + maxAge: + description: |- + MaxAge indicates the number of seconds until the cookie expires. + When set to a negative number, the cookie expires immediately. + When set to zero, the cookie never expires. + type: integer + name: + description: Name defines the Cookie name. + type: string + sameSite: + description: |- + SameSite defines the same site policy. + More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite + type: string + secure: + description: Secure defines whether the cookie can only + be transmitted over an encrypted connection (i.e. HTTPS). + type: boolean + type: object + type: object + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true diff --git a/charts/traefik/traefik/32.0.0/templates/NOTES.txt b/charts/traefik/traefik/32.0.0/templates/NOTES.txt new file mode 100644 index 000000000..a1a10bfb3 --- /dev/null +++ b/charts/traefik/traefik/32.0.0/templates/NOTES.txt @@ -0,0 +1,36 @@ + + +{{ .Release.Name }} with {{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }} has been deployed successfully on {{ template "traefik.namespace" . }} namespace ! + +{{- if .Values.persistence }} +{{- if and .Values.persistence.enabled (empty .Values.deployment.initContainer)}} + +🚨 When enabling persistence for certificates, permissions on acme.json can be +lost when Traefik restarts. You can ensure correct permissions with an +initContainer. See https://github.com/traefik/traefik-helm-chart/blob/master/EXAMPLES.md#use-traefik-native-lets-encrypt-integration-without-cert-manager +for more info. 🚨 + +{{- end }} +{{- end }} +{{- with .Values.providers.kubernetesCRD.labelSelector }} + {{- $labelsApplied := include "traefik.labels" $ }} + {{- $labelSelectors := regexSplit "," . -1 }} + {{- range $labelSelectors }} + {{- $labelSelectorRaw := regexSplit "=" . -1 }} + {{- $labelSelector := printf "%s: %s" (first $labelSelectorRaw) (last $labelSelectorRaw) }} + {{- if not (contains $labelSelector $labelsApplied) }} +🚨 Resources populated with this chart don't match with labelSelector `{{.}}` applied on kubernetesCRD provider 🚨 + {{- end }} + {{- end }} +{{- end }} +{{- with .Values.providers.kubernetesIngress.labelSelector }} + {{- $labelsApplied := include "traefik.labels" $ }} + {{- $labelSelectors := regexSplit "," . -1 }} + {{- range $labelSelectors }} + {{- $labelSelectorRaw := regexSplit "=" . -1 }} + {{- $labelSelector := printf "%s: %s" (first $labelSelectorRaw) (last $labelSelectorRaw) }} + {{- if not (contains $labelSelector $labelsApplied) }} +🚨 Resources populated with this chart don't match with labelSelector `{{.}}` applied on kubernetesIngress provider 🚨 + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/traefik/traefik/32.0.0/templates/_helpers.tpl b/charts/traefik/traefik/32.0.0/templates/_helpers.tpl new file mode 100644 index 000000000..2183f84ab --- /dev/null +++ b/charts/traefik/traefik/32.0.0/templates/_helpers.tpl @@ -0,0 +1,161 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "traefik.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "traefik.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create the chart image name. +*/}} +{{- define "traefik.image-name" -}} +{{- printf "%s/%s:%s" .Values.image.registry .Values.image.repository (.Values.image.tag | default .Chart.AppVersion) }} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "traefik.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Allow customization of the instance label value. +*/}} +{{- define "traefik.instance-name" -}} +{{- default (printf "%s-%s" .Release.Name .Release.Namespace) .Values.instanceLabelOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* Shared labels used for selector*/}} +{{/* This is an immutable field: this should not change between upgrade */}} +{{- define "traefik.labelselector" -}} +app.kubernetes.io/name: {{ template "traefik.name" . }} +app.kubernetes.io/instance: {{ template "traefik.instance-name" . }} +{{- end }} + +{{/* Shared labels used in metada */}} +{{- define "traefik.labels" -}} +{{ include "traefik.labelselector" . }} +helm.sh/chart: {{ template "traefik.chart" . }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- with .Values.commonLabels }} +{{ toYaml . }} +{{- end }} +{{- end }} + +{{/* +Construct the namespace for all namespaced resources +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +Preserve the default behavior of the Release namespace if no override is provided +*/}} +{{- define "traefik.namespace" -}} +{{- if .Values.namespaceOverride -}} +{{- .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- .Release.Namespace -}} +{{- end -}} +{{- end -}} + +{{/* +The name of the service account to use +*/}} +{{- define "traefik.serviceAccountName" -}} +{{- default (include "traefik.fullname" .) .Values.serviceAccount.name -}} +{{- end -}} + +{{/* +The name of the ClusterRole and ClusterRoleBinding to use. +Adds the namespace to name to prevent duplicate resource names when there +are multiple namespaced releases with the same release name. +*/}} +{{- define "traefik.clusterRoleName" -}} +{{- (printf "%s-%s" (include "traefik.fullname" .) .Release.Namespace) | trunc 63 | trimSuffix "-" }} +{{- end -}} + +{{/* +Construct the path for the providers.kubernetesingress.ingressendpoint.publishedservice. +By convention this will simply use the / to match the name of the +service generated. +Users can provide an override for an explicit service they want bound via `.Values.providers.kubernetesIngress.publishedService.pathOverride` +*/}} +{{- define "providers.kubernetesIngress.publishedServicePath" -}} +{{- $defServiceName := printf "%s/%s" .Release.Namespace (include "traefik.fullname" .) -}} +{{- $servicePath := default $defServiceName .Values.providers.kubernetesIngress.publishedService.pathOverride }} +{{- print $servicePath | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct a comma-separated list of whitelisted namespaces +*/}} +{{- define "providers.kubernetesCRD.namespaces" -}} +{{- default (include "traefik.namespace" .) (join "," .Values.providers.kubernetesCRD.namespaces) }} +{{- end -}} +{{- define "providers.kubernetesGateway.namespaces" -}} +{{- default (include "traefik.namespace" .) (join "," .Values.providers.kubernetesGateway.namespaces) }} +{{- end -}} +{{- define "providers.kubernetesIngress.namespaces" -}} +{{- default (include "traefik.namespace" .) (join "," .Values.providers.kubernetesIngress.namespaces) }} +{{- end -}} + +{{/* +Renders a complete tree, even values that contains template. +*/}} +{{- define "traefik.render" -}} + {{- if typeIs "string" .value }} + {{- tpl .value .context }} + {{ else }} + {{- tpl (.value | toYaml) .context }} + {{- end }} +{{- end -}} + +{{- define "imageVersion" -}} +{{/* +Traefik hub is based on v3.1 (v3.0 before v3.3.1) of traefik proxy, so this is a hack to avoid to much complexity in RBAC management which are +based on semverCompare +*/}} +{{- if $.Values.hub.token -}} +{{ if and (regexMatch "v[0-9]+.[0-9]+.[0-9]+" (default "" $.Values.image.tag)) (semverCompare "=3.1.2-0" $version) }} + - "--providers.kubernetescrd.disableClusterScopeResources=true" + {{- end }} + {{- if .Values.providers.kubernetesCRD.nativeLBByDefault }} + - "--providers.kubernetescrd.nativeLBByDefault=true" + {{- end }} + {{- end }} + {{- if .Values.providers.kubernetesIngress.enabled }} + - "--providers.kubernetesingress" + {{- if .Values.providers.kubernetesIngress.allowExternalNameServices }} + - "--providers.kubernetesingress.allowExternalNameServices=true" + {{- end }} + {{- if .Values.providers.kubernetesIngress.allowEmptyServices }} + - "--providers.kubernetesingress.allowEmptyServices=true" + {{- end }} + {{- if and .Values.service.enabled .Values.providers.kubernetesIngress.publishedService.enabled }} + - "--providers.kubernetesingress.ingressendpoint.publishedservice={{ template "providers.kubernetesIngress.publishedServicePath" . }}" + {{- end }} + {{- if .Values.providers.kubernetesIngress.labelSelector }} + - "--providers.kubernetesingress.labelSelector={{ .Values.providers.kubernetesIngress.labelSelector }}" + {{- end }} + {{- if .Values.providers.kubernetesIngress.ingressClass }} + - "--providers.kubernetesingress.ingressClass={{ .Values.providers.kubernetesIngress.ingressClass }}" + {{- end }} + {{- if .Values.rbac.namespaced }} + {{- if semverCompare "<3.1.2-0" $version }} + - "--providers.kubernetesingress.disableIngressClassLookup=true" + {{- else }} + - "--providers.kubernetesingress.disableClusterScopeResources=true" + {{- end }} + {{- end }} + {{- if .Values.providers.kubernetesIngress.nativeLBByDefault }} + - "--providers.kubernetesingress.nativeLBByDefault=true" + {{- end }} + {{- end }} + {{- if .Values.experimental.kubernetesGateway.enabled }} + - "--experimental.kubernetesgateway" + {{- end }} + {{- with .Values.providers.kubernetesCRD }} + {{- if (and .enabled (or .namespaces (and $.Values.rbac.enabled $.Values.rbac.namespaced))) }} + - "--providers.kubernetescrd.namespaces={{ template "providers.kubernetesCRD.namespaces" $ }}" + {{- end }} + {{- end }} + {{- with .Values.providers.kubernetesGateway }} + {{- if .enabled }} + - "--providers.kubernetesgateway" + {{- if or .namespaces (and $.Values.rbac.enabled $.Values.rbac.namespaced) }} + - "--providers.kubernetesgateway.namespaces={{ template "providers.kubernetesGateway.namespaces" $ }}" + {{- end }} + {{- if .experimentalChannel }} + - "--providers.kubernetesgateway.experimentalchannel=true" + {{- end }} + {{- with .labelselector }} + - "--providers.kubernetesgateway.labelselector={{ . }}" + {{- end }} + {{- end }} + {{- end }} + {{- with .Values.providers.kubernetesIngress }} + {{- if (and .enabled (or .namespaces (and $.Values.rbac.enabled $.Values.rbac.namespaced))) }} + - "--providers.kubernetesingress.namespaces={{ template "providers.kubernetesIngress.namespaces" $ }}" + {{- end }} + {{- end }} + {{- with .Values.providers.file }} + {{- if .enabled }} + - "--providers.file.directory=/etc/traefik/dynamic" + {{- if .watch }} + - "--providers.file.watch=true" + {{- end }} + {{- end }} + {{- end }} + {{- range $entrypoint, $config := $.Values.ports }} + {{- if $config }} + {{- if $config.redirectTo }} + {{- $toPort := index $.Values.ports $config.redirectTo.port }} + - "--entryPoints.{{ $entrypoint }}.http.redirections.entryPoint.to=:{{ $toPort.exposedPort }}" + - "--entryPoints.{{ $entrypoint }}.http.redirections.entryPoint.scheme=https" + {{- if $config.redirectTo.priority }} + - "--entryPoints.{{ $entrypoint }}.http.redirections.entryPoint.priority={{ $config.redirectTo.priority }}" + {{- end }} + {{- if $config.redirectTo.permanent }} + - "--entryPoints.{{ $entrypoint }}.http.redirections.entryPoint.permanent=true" + {{- end }} + {{- end }} + {{- if $config.middlewares }} + - "--entryPoints.{{ $entrypoint }}.http.middlewares={{ join "," $config.middlewares }}" + {{- end }} + {{- if $config.tls }} + {{- if $config.tls.enabled }} + - "--entryPoints.{{ $entrypoint }}.http.tls=true" + {{- if $config.tls.options }} + - "--entryPoints.{{ $entrypoint }}.http.tls.options={{ $config.tls.options }}" + {{- end }} + {{- if $config.tls.certResolver }} + - "--entryPoints.{{ $entrypoint }}.http.tls.certResolver={{ $config.tls.certResolver }}" + {{- end }} + {{- if $config.tls.domains }} + {{- range $index, $domain := $config.tls.domains }} + {{- if $domain.main }} + - "--entryPoints.{{ $entrypoint }}.http.tls.domains[{{ $index }}].main={{ $domain.main }}" + {{- end }} + {{- if $domain.sans }} + - "--entryPoints.{{ $entrypoint }}.http.tls.domains[{{ $index }}].sans={{ join "," $domain.sans }}" + {{- end }} + {{- end }} + {{- end }} + {{- if $config.http3 }} + {{- if $config.http3.enabled }} + - "--entryPoints.{{ $entrypoint }}.http3" + {{- if $config.http3.advertisedPort }} + - "--entryPoints.{{ $entrypoint }}.http3.advertisedPort={{ $config.http3.advertisedPort }}" + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if $config.allowACMEByPass }} + {{- if (semverCompare "<3.1.3-0" $version) }} + {{- fail "ERROR: allowACMEByPass has been introduced with Traefik v3.1.3+" -}} + {{- end }} + - "--entryPoints.name.allowACMEByPass=true" + {{- end }} + {{- if $config.forwardedHeaders }} + {{- if $config.forwardedHeaders.trustedIPs }} + - "--entryPoints.{{ $entrypoint }}.forwardedHeaders.trustedIPs={{ join "," $config.forwardedHeaders.trustedIPs }}" + {{- end }} + {{- if $config.forwardedHeaders.insecure }} + - "--entryPoints.{{ $entrypoint }}.forwardedHeaders.insecure" + {{- end }} + {{- end }} + {{- if $config.proxyProtocol }} + {{- if $config.proxyProtocol.trustedIPs }} + - "--entryPoints.{{ $entrypoint }}.proxyProtocol.trustedIPs={{ join "," $config.proxyProtocol.trustedIPs }}" + {{- end }} + {{- if $config.proxyProtocol.insecure }} + - "--entryPoints.{{ $entrypoint }}.proxyProtocol.insecure" + {{- end }} + {{- end }} + {{- with $config.transport }} + {{- with .respondingTimeouts }} + {{- if and (ne .readTimeout nil) (toString .readTimeout) }} + - "--entryPoints.{{ $entrypoint }}.transport.respondingTimeouts.readTimeout={{ .readTimeout }}" + {{- end }} + {{- if and (ne .writeTimeout nil) (toString .writeTimeout) }} + - "--entryPoints.{{ $entrypoint }}.transport.respondingTimeouts.writeTimeout={{ .writeTimeout }}" + {{- end }} + {{- if and (ne .idleTimeout nil) (toString .idleTimeout) }} + - "--entryPoints.{{ $entrypoint }}.transport.respondingTimeouts.idleTimeout={{ .idleTimeout }}" + {{- end }} + {{- end }} + {{- with .lifeCycle }} + {{- if and (ne .requestAcceptGraceTimeout nil) (toString .requestAcceptGraceTimeout) }} + - "--entryPoints.{{ $entrypoint }}.transport.lifeCycle.requestAcceptGraceTimeout={{ .requestAcceptGraceTimeout }}" + {{- end }} + {{- if and (ne .graceTimeOut nil) (toString .graceTimeOut) }} + - "--entryPoints.{{ $entrypoint }}.transport.lifeCycle.graceTimeOut={{ .graceTimeOut }}" + {{- end }} + {{- end }} + {{- if and (ne .keepAliveMaxRequests nil) (toString .keepAliveMaxRequests) }} + - "--entryPoints.{{ $entrypoint }}.transport.keepAliveMaxRequests={{ .keepAliveMaxRequests }}" + {{- end }} + {{- if and (ne .keepAliveMaxTime nil) (toString .keepAliveMaxTime) }} + - "--entryPoints.{{ $entrypoint }}.transport.keepAliveMaxTime={{ .keepAliveMaxTime }}" + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- with .Values.logs }} + {{- if and .general.format (not (has .general.format (list "common" "json"))) }} + {{- fail "ERROR: .Values.logs.general.format must be either common or json" }} + {{- end }} + {{- with .general.format }} + - "--log.format={{ . }}" + {{- end }} + {{- with .general.filePath }} + - "--log.filePath={{ . }}" + {{- end }} + {{- if and (or (eq .general.format "common") (not .general.format)) (eq .general.noColor true) }} + - "--log.noColor={{ .general.noColor }}" + {{- end }} + {{- with .general.level }} + - "--log.level={{ . | upper }}" + {{- end }} + {{- if .access.enabled }} + - "--accesslog=true" + {{- with .access.format }} + - "--accesslog.format={{ . }}" + {{- end }} + {{- with .access.filePath }} + - "--accesslog.filepath={{ . }}" + {{- end }} + {{- if .access.addInternals }} + - "--accesslog.addinternals" + {{- end }} + {{- with .access.bufferingSize }} + - "--accesslog.bufferingsize={{ . }}" + {{- end }} + {{- with .access.filters }} + {{- with .statuscodes }} + - "--accesslog.filters.statuscodes={{ . }}" + {{- end }} + {{- if .retryattempts }} + - "--accesslog.filters.retryattempts" + {{- end }} + {{- with .minduration }} + - "--accesslog.filters.minduration={{ . }}" + {{- end }} + {{- end }} + - "--accesslog.fields.defaultmode={{ .access.fields.general.defaultmode }}" + {{- range $fieldname, $fieldaction := .access.fields.general.names }} + - "--accesslog.fields.names.{{ $fieldname }}={{ $fieldaction }}" + {{- end }} + - "--accesslog.fields.headers.defaultmode={{ .access.fields.headers.defaultmode }}" + {{- range $fieldname, $fieldaction := .access.fields.headers.names }} + - "--accesslog.fields.headers.names.{{ $fieldname }}={{ $fieldaction }}" + {{- end }} + {{- end }} + {{- end }} + {{- range $resolver, $config := $.Values.certResolvers }} + {{- range $option, $setting := $config }} + {{- if kindIs "map" $setting }} + {{- range $field, $value := $setting }} + - "--certificatesresolvers.{{ $resolver }}.acme.{{ $option }}.{{ $field }}={{ if kindIs "slice" $value }}{{ join "," $value }}{{ else }}{{ $value }}{{ end }}" + {{- end }} + {{- else }} + - "--certificatesresolvers.{{ $resolver }}.acme.{{ $option }}={{ $setting }}" + {{- end }} + {{- end }} + {{- end }} + {{- with .Values.additionalArguments }} + {{- range . }} + - {{ . | quote }} + {{- end }} + {{- end }} + {{- with .Values.hub }} + {{- if .token }} + - "--hub.token=$(HUB_TOKEN)" + {{- if and (not .apimanagement.enabled) ($.Values.hub.apimanagement.admission.listenAddr) }} + {{- fail "ERROR: Cannot configure admission without enabling hub.apimanagement" }} + {{- end }} + {{- with .apimanagement }} + {{- if .enabled }} + {{- $listenAddr := default ":9943" .admission.listenAddr }} + - "--hub.apimanagement" + - "--hub.apimanagement.admission.listenAddr={{ $listenAddr }}" + {{- with .admission.secretName }} + - "--hub.apimanagement.admission.secretName={{ . }}" + {{- end }} + {{- end }} + {{- end }} + {{- with .platformUrl }} + - "--hub.platformUrl={{ . }}" + {{- end -}} + {{- range $field, $value := .redis }} + {{- if has $field (list "cluster" "database" "endpoints" "username" "password" "timeout") -}} + {{- with $value }} + - "--hub.redis.{{ $field }}={{ $value }}" + {{- end }} + {{- end }} + {{- end }} + {{- range $field, $value := .redis.sentinel }} + {{- if has $field (list "masterset" "password" "username") -}} + {{- with $value }} + - "--hub.redis.sentinel.{{ $field }}={{ $value }}" + {{- end }} + {{- end }} + {{- end }} + {{- range $field, $value := .redis.tls }} + {{- if has $field (list "ca" "cert" "insecureSkipVerify" "key") -}} + {{- with $value }} + - "--hub.redis.tls.{{ $field }}={{ $value }}" + {{- end }} + {{- end }} + {{- end }} + {{- with .sendlogs }} + - "--hub.sendlogs={{ . }}" + {{- end }} + {{- end }} + {{- end }} + env: + {{- if ($.Values.resources.limits).cpu }} + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + divisor: '1' + {{- end }} + {{- if ($.Values.resources.limits).memory }} + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + divisor: '1' + {{- end }} + {{- with .Values.hub.token }} + - name: HUB_TOKEN + valueFrom: + secretKeyRef: + name: {{ . }} + key: token + {{- end }} + {{- with .Values.env }} + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.envFrom }} + envFrom: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- if .Values.deployment.additionalContainers }} + {{- toYaml .Values.deployment.additionalContainers | nindent 6 }} + {{- end }} + volumes: + - name: {{ .Values.persistence.name }} + {{- if .Values.persistence.enabled }} + persistentVolumeClaim: + claimName: {{ default (include "traefik.fullname" .) .Values.persistence.existingClaim }} + {{- else }} + emptyDir: {} + {{- end }} + - name: tmp + emptyDir: {} + {{- $root := . }} + {{- range .Values.volumes }} + - name: {{ tpl (.name) $root | replace "." "-" }} + {{- if eq .type "secret" }} + secret: + secretName: {{ tpl (.name) $root }} + {{- else if eq .type "configMap" }} + configMap: + name: {{ tpl (.name) $root }} + {{- end }} + {{- end }} + {{- if .Values.deployment.additionalVolumes }} + {{- toYaml .Values.deployment.additionalVolumes | nindent 8 }} + {{- end }} + {{- if gt (len .Values.experimental.plugins) 0 }} + - name: plugins + emptyDir: {} + {{- end }} + {{- if .Values.providers.file.enabled }} + - name: traefik-extra-config + configMap: + name: {{ template "traefik.fullname" . }}-file-provider + {{- end }} + {{- if .Values.affinity }} + affinity: + {{- tpl (toYaml .Values.affinity) . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} + {{- end }} + {{- with .Values.podSecurityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + {{- if (semverCompare "<1.19.0-0" .Capabilities.KubeVersion.Version) }} + {{- fail "ERROR: topologySpreadConstraints are supported only on kubernetes >= v1.19" -}} + {{- end }} + topologySpreadConstraints: + {{- tpl (toYaml .Values.topologySpreadConstraints) . | nindent 8 }} + {{- end }} +{{ end -}} diff --git a/charts/traefik/traefik/32.0.0/templates/_service-metrics.tpl b/charts/traefik/traefik/32.0.0/templates/_service-metrics.tpl new file mode 100644 index 000000000..d16a3629d --- /dev/null +++ b/charts/traefik/traefik/32.0.0/templates/_service-metrics.tpl @@ -0,0 +1,25 @@ +{{- define "traefik.metrics-service-metadata" }} + labels: + {{- include "traefik.metricsservicelabels" . | nindent 4 -}} + {{- with .Values.metrics.prometheus.service.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} + +{{/* Labels used for metrics-relevant selector*/}} +{{/* This is an immutable field: this should not change between upgrade */}} +{{- define "traefik.metricslabelselector" -}} +{{- include "traefik.labelselector" . }} +app.kubernetes.io/component: metrics +{{- end }} + +{{/* Shared labels used in metadata of metrics-service and servicemonitor */}} +{{- define "traefik.metricsservicelabels" -}} +{{ include "traefik.metricslabelselector" . }} +helm.sh/chart: {{ template "traefik.chart" . }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- with .Values.commonLabels }} +{{ toYaml . }} +{{- end }} +{{- end }} + diff --git a/charts/traefik/traefik/32.0.0/templates/_service.tpl b/charts/traefik/traefik/32.0.0/templates/_service.tpl new file mode 100644 index 000000000..27d5bc477 --- /dev/null +++ b/charts/traefik/traefik/32.0.0/templates/_service.tpl @@ -0,0 +1,84 @@ +{{- define "traefik.service-name" -}} +{{- $fullname := printf "%s-%s" (include "traefik.fullname" .root) .name -}} +{{- if eq .name "default" -}} +{{- $fullname = include "traefik.fullname" .root -}} +{{- end -}} + +{{- if ge (len $fullname) 60 -}} # 64 - 4 (udp-postfix) = 60 + {{- fail "ERROR: Cannot create a service whose full name contains more than 60 characters" -}} +{{- end -}} + +{{- $fullname -}} +{{- end -}} + +{{- define "traefik.service-metadata" }} + labels: + {{- include "traefik.labels" .root | nindent 4 -}} + {{- with .service.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} + +{{- define "traefik.service-spec" -}} + {{- $type := default "LoadBalancer" .service.type }} + type: {{ $type }} + {{- with .service.loadBalancerClass }} + loadBalancerClass: {{ . }} + {{- end}} + {{- with .service.spec }} + {{- toYaml . | nindent 2 }} + {{- end }} + selector: + {{- include "traefik.labelselector" .root | nindent 4 }} + {{- if eq $type "LoadBalancer" }} + {{- with .service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- toYaml . | nindent 2 }} + {{- end -}} + {{- end -}} + {{- with .service.externalIPs }} + externalIPs: + {{- toYaml . | nindent 2 }} + {{- end -}} + {{- with .service.ipFamilyPolicy }} + ipFamilyPolicy: {{ . }} + {{- end }} + {{- with .service.ipFamilies }} + ipFamilies: + {{- toYaml . | nindent 2 }} + {{- end -}} +{{- end }} + +{{- define "traefik.service-ports" }} + {{- range $name, $config := .ports }} + {{- if (index (default dict $config.expose) $.serviceName) }} + {{- $port := default $config.port $config.exposedPort }} + {{- if empty $port }} + {{- fail (print "ERROR: Cannot create " (trim $name) " port on Service without .port or .exposedPort") }} + {{- end }} + - port: {{ $port }} + name: {{ $name | quote }} + targetPort: {{ default $name $config.targetPort }} + protocol: {{ default "TCP" $config.protocol }} + {{- if $config.nodePort }} + nodePort: {{ $config.nodePort }} + {{- end }} + {{- if $config.appProtocol }} + appProtocol: {{ $config.appProtocol }} + {{- end }} + {{- if and ($config.http3).enabled ($config.single) }} + {{- $http3Port := default $config.exposedPort $config.http3.advertisedPort }} + - port: {{ $http3Port }} + name: "{{ $name }}-http3" + targetPort: "{{ $name }}-http3" + protocol: UDP + {{- if $config.nodePort }} + nodePort: {{ $config.nodePort }} + {{- end }} + {{- if $config.appProtocol }} + appProtocol: {{ $config.appProtocol }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/traefik/traefik/32.0.0/templates/daemonset.yaml b/charts/traefik/traefik/32.0.0/templates/daemonset.yaml new file mode 100644 index 000000000..b370c2269 --- /dev/null +++ b/charts/traefik/traefik/32.0.0/templates/daemonset.yaml @@ -0,0 +1,58 @@ +{{- if and .Values.deployment.enabled (eq .Values.deployment.kind "DaemonSet") -}} + {{- with .Values.additionalArguments -}} + {{- range . -}} + {{- if contains ".acme." . -}} + {{- fail (printf "ACME functionality is not supported when running Traefik as a DaemonSet") -}} + {{- end -}} + {{- end -}} + {{- end -}} + {{- if eq (default .Chart.AppVersion .Values.image.tag) "latest" }} + {{- fail "\n\n ERROR: latest tag should not be used" }} + {{- end }} + {{- with .Values.updateStrategy }} + {{- if and (eq (.type) "RollingUpdate") (.rollingUpdate) }} + {{- if not (contains "%" (toString .rollingUpdate.maxUnavailable)) }} + {{- if and ($.Values.hostNetwork) (lt (float64 .rollingUpdate.maxUnavailable) 1.0) }} + {{- fail "maxUnavailable should be greater than 1 when using hostNetwork." }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ template "traefik.fullname" . }} + namespace: {{ template "traefik.namespace" . }} + labels: + {{- include "traefik.labels" . | nindent 4 }} + {{- with .Values.deployment.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + annotations: + {{- if and .Values.providers.file.enabled (not .Values.providers.file.watch) }} + checksum/traefik-dynamic-conf: {{ include (print $.Template.BasePath "/provider-file-cm.yaml") . | sha256sum }} + {{- end }} + {{- with .Values.deployment.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + {{- include "traefik.labelselector" . | nindent 6 }} + {{- with .Values.updateStrategy }} + updateStrategy: + type: {{ .type }} + {{- if (eq .type "RollingUpdate") }} + rollingUpdate: + maxUnavailable: {{ .rollingUpdate.maxUnavailable }} + maxSurge: {{ .rollingUpdate.maxSurge }} + {{- end }} + {{- end }} + minReadySeconds: {{ .Values.deployment.minReadySeconds }} + {{- if .Values.deployment.revisionHistoryLimit }} + revisionHistoryLimit: {{ .Values.deployment.revisionHistoryLimit }} + {{- end }} + template: {{ template "traefik.podTemplate" . }} +{{- end -}} diff --git a/charts/traefik/traefik/32.0.0/templates/deployment.yaml b/charts/traefik/traefik/32.0.0/templates/deployment.yaml new file mode 100644 index 000000000..4b3a1aeaa --- /dev/null +++ b/charts/traefik/traefik/32.0.0/templates/deployment.yaml @@ -0,0 +1,58 @@ +{{/* check helm version */}} +{{- if (semverCompare "= 3.9.0 is required" -}} +{{- end -}} + +{{- if and .Values.deployment.enabled (eq .Values.deployment.kind "Deployment") -}} + {{- if gt (int .Values.deployment.replicas) 1 -}} + {{- with .Values.additionalArguments -}} + {{- range . -}} + {{- if contains ".acme." . -}} + {{- fail (printf "You can not enable acme if you set more than one traefik replica") -}} + {{- end -}} + {{- end -}} + {{- end -}} + {{- end -}} + {{- if eq (default .Chart.AppVersion .Values.image.tag) "latest" }} + {{- fail "\n\n ERROR: latest tag should not be used" }} + {{- end }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "traefik.fullname" . }} + namespace: {{ template "traefik.namespace" . }} + labels: + {{- include "traefik.labels" . | nindent 4 }} + {{- with .Values.deployment.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + annotations: + {{- if and .Values.providers.file.enabled (not .Values.providers.file.watch) }} + checksum/traefik-dynamic-conf: {{ include (print $.Template.BasePath "/provider-file-cm.yaml") . | sha256sum }} + {{- end }} + {{- with .Values.deployment.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if not .Values.autoscaling.enabled }} + replicas: {{ default 1 .Values.deployment.replicas }} + {{- end }} + {{- if .Values.deployment.revisionHistoryLimit }} + revisionHistoryLimit: {{ .Values.deployment.revisionHistoryLimit }} + {{- end }} + selector: + matchLabels: + {{- include "traefik.labelselector" . | nindent 6 }} + {{- with .Values.updateStrategy }} + strategy: + type: {{ .type }} + {{- if (eq .type "RollingUpdate") }} + rollingUpdate: + maxUnavailable: {{ .rollingUpdate.maxUnavailable }} + maxSurge: {{ .rollingUpdate.maxSurge }} + {{- end }} + {{- end }} + minReadySeconds: {{ .Values.deployment.minReadySeconds }} + template: {{ template "traefik.podTemplate" . }} +{{- end -}} diff --git a/charts/traefik/traefik/32.0.0/templates/extra-objects.yaml b/charts/traefik/traefik/32.0.0/templates/extra-objects.yaml new file mode 100644 index 000000000..fb38e9773 --- /dev/null +++ b/charts/traefik/traefik/32.0.0/templates/extra-objects.yaml @@ -0,0 +1,4 @@ +{{- range .Values.extraObjects }} +--- +{{ include "traefik.render" (dict "value" . "context" $) }} +{{- end }} diff --git a/charts/traefik/traefik/32.0.0/templates/gateway.yaml b/charts/traefik/traefik/32.0.0/templates/gateway.yaml new file mode 100644 index 000000000..13696dffc --- /dev/null +++ b/charts/traefik/traefik/32.0.0/templates/gateway.yaml @@ -0,0 +1,58 @@ +{{- if and (.Values.gateway).enabled (.Values.providers.kubernetesGateway).enabled }} + {{- if not .Values.gateway.listeners }} + {{- fail "ERROR: gateway must have at least one listener or should be disabled" }} + {{- end }} +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: {{ default "traefik-gateway" .Values.gateway.name }} + namespace: {{ template "traefik.namespace" . }} + labels: + {{- include "traefik.labels" . | nindent 4 }} + {{- with .Values.gateway.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + gatewayClassName: {{ default "traefik" .Values.gatewayClass.name }} + listeners: + {{- range $name, $config := .Values.gateway.listeners }} + - name: {{ $name }} + {{ if not .port }} + {{- fail "ERROR: port needs to be specified" }} + {{- end -}} + {{ $found := false }} + {{- range $portName, $portConfig := $.Values.ports -}} + {{- if eq $portConfig.port $config.port -}} + {{ $found = true }} + {{- end -}} + {{- end -}} + {{ if not $found }} + {{- fail (printf "ERROR: port %0.f is not declared in ports" .port ) }} + {{- end -}} + port: {{ .port }} + protocol: {{ .protocol }} + {{- with .hostname }} + hostname: {{ . | toYaml }} + {{- end }} + {{- with .namespacePolicy }} + allowedRoutes: + namespaces: + from: {{ . }} + {{- end }} + {{ if and (eq .protocol "HTTPS") (not .certificateRefs) }} + {{- fail "ERROR: certificateRefs needs to be specified using HTTPS" }} + {{- end }} + {{ if or .certificateRefs .mode }} + tls: + {{ with .mode }} + mode: {{ . }} + {{- end }} + {{ with .certificateRefs }} + certificateRefs: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/traefik/traefik/32.0.0/templates/gatewayclass.yaml b/charts/traefik/traefik/32.0.0/templates/gatewayclass.yaml new file mode 100644 index 000000000..7f98c1ed4 --- /dev/null +++ b/charts/traefik/traefik/32.0.0/templates/gatewayclass.yaml @@ -0,0 +1,14 @@ +{{- if and (.Values.gatewayClass).enabled (.Values.providers.kubernetesGateway).enabled }} +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: GatewayClass +metadata: + name: {{ default "traefik" .Values.gatewayClass.name }} + labels: + {{- include "traefik.labels" . | nindent 4 }} + {{- with .Values.gatewayClass.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + controllerName: traefik.io/gateway-controller +{{- end }} diff --git a/charts/traefik/traefik/32.0.0/templates/hpa.yaml b/charts/traefik/traefik/32.0.0/templates/hpa.yaml new file mode 100644 index 000000000..cfa1e5a49 --- /dev/null +++ b/charts/traefik/traefik/32.0.0/templates/hpa.yaml @@ -0,0 +1,35 @@ +{{- if .Values.autoscaling.enabled }} + +{{- if not .Values.autoscaling.maxReplicas }} + {{- fail "ERROR: maxReplicas is required on HPA" }} +{{- end }} + +{{- if semverCompare ">=1.23.0-0" .Capabilities.KubeVersion.Version }} +apiVersion: autoscaling/v2 +{{- else }} +apiVersion: autoscaling/v2beta2 +{{- end }} +kind: HorizontalPodAutoscaler +metadata: + name: {{ template "traefik.fullname" . }} + namespace: {{ template "traefik.namespace" . }} + labels: + {{- include "traefik.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ template "traefik.fullname" . }} +{{- if .Values.autoscaling.minReplicas }} + minReplicas: {{ .Values.autoscaling.minReplicas }} +{{- end }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} +{{- if .Values.autoscaling.metrics }} + metrics: +{{ toYaml .Values.autoscaling.metrics | indent 4 }} +{{- end }} +{{- if .Values.autoscaling.behavior }} + behavior: +{{ toYaml .Values.autoscaling.behavior | indent 4 }} +{{- end }} +{{- end }} diff --git a/charts/traefik/traefik/32.0.0/templates/hub-admission-controller.yaml b/charts/traefik/traefik/32.0.0/templates/hub-admission-controller.yaml new file mode 100644 index 000000000..37b2314f5 --- /dev/null +++ b/charts/traefik/traefik/32.0.0/templates/hub-admission-controller.yaml @@ -0,0 +1,198 @@ +{{- if .Values.hub.token -}} +{{- if .Values.hub.apimanagement.enabled }} +{{- $cert := include "traefik-hub.webhook_cert" . | fromYaml }} +--- +apiVersion: v1 +kind: Secret +type: kubernetes.io/tls +metadata: + name: hub-agent-cert + namespace: {{ template "traefik.namespace" . }} + labels: + {{- include "traefik.labels" . | nindent 4 }} +data: + tls.crt: {{ $cert.Cert }} + tls.key: {{ $cert.Key }} + +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: hub-acp + labels: + {{- include "traefik.labels" . | nindent 4 }} +webhooks: + - name: admission.traefik.svc + clientConfig: + service: + name: admission + namespace: {{ template "traefik.namespace" . }} + path: /acp + caBundle: {{ $cert.Cert }} + sideEffects: None + admissionReviewVersions: + - v1 + rules: + - operations: + - CREATE + - UPDATE + - DELETE + apiGroups: + - hub.traefik.io + apiVersions: + - v1alpha1 + resources: + - accesscontrolpolicies + +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: hub-api + labels: + {{- include "traefik.labels" . | nindent 4 }} +webhooks: + - name: hub-agent.traefik.portal + clientConfig: + service: + name: admission + namespace: {{ template "traefik.namespace" . }} + path: /api-portal + caBundle: {{ $cert.Cert }} + sideEffects: None + admissionReviewVersions: + - v1 + rules: + - operations: + - CREATE + - UPDATE + - DELETE + apiGroups: + - hub.traefik.io + apiVersions: + - v1alpha1 + resources: + - apiportals + - name: hub-agent.traefik.api + clientConfig: + service: + name: admission + namespace: {{ template "traefik.namespace" . }} + path: /api + caBundle: {{ $cert.Cert }} + sideEffects: None + admissionReviewVersions: + - v1 + rules: + - operations: + - CREATE + - UPDATE + - DELETE + apiGroups: + - hub.traefik.io + apiVersions: + - v1alpha1 + resources: + - apis + - name: hub-agent.traefik.access + clientConfig: + service: + name: admission + namespace: {{ template "traefik.namespace" . }} + path: /api-access + caBundle: {{ $cert.Cert }} + sideEffects: None + admissionReviewVersions: + - v1 + rules: + - operations: + - CREATE + - UPDATE + - DELETE + apiGroups: + - hub.traefik.io + apiVersions: + - v1alpha1 + resources: + - apiaccesses + - name: hub-agent.traefik.plan + clientConfig: + service: + name: admission + namespace: {{ template "traefik.namespace" . }} + path: /api-plan + caBundle: {{ $cert.Cert }} + sideEffects: None + admissionReviewVersions: + - v1 + rules: + - operations: + - CREATE + - UPDATE + - DELETE + apiGroups: + - hub.traefik.io + apiVersions: + - v1alpha1 + resources: + - apiplans + - name: hub-agent.traefik.bundle + clientConfig: + service: + name: admission + namespace: {{ template "traefik.namespace" . }} + path: /api-bundle + caBundle: {{ $cert.Cert }} + sideEffects: None + admissionReviewVersions: + - v1 + rules: + - operations: + - CREATE + - UPDATE + - DELETE + apiGroups: + - hub.traefik.io + apiVersions: + - v1alpha1 + resources: + - apibundles + - name: hub-agent.traefik.version + clientConfig: + service: + name: admission + namespace: {{ template "traefik.namespace" . }} + path: /api-version + caBundle: {{ $cert.Cert }} + sideEffects: None + admissionReviewVersions: + - v1 + rules: + - operations: + - CREATE + - UPDATE + - DELETE + apiGroups: + - hub.traefik.io + apiVersions: + - v1alpha1 + resources: + - apiversions + +--- +apiVersion: v1 +kind: Service +metadata: + name: admission + namespace: {{ template "traefik.namespace" . }} + labels: + {{- include "traefik.labels" . | nindent 4 }} +spec: + ports: + - name: https + port: 443 + targetPort: admission + selector: + {{- include "traefik.labelselector" . | nindent 4 }} +{{- end -}} +{{- end -}} diff --git a/charts/traefik/traefik/32.0.0/templates/hub-apiportal.yaml b/charts/traefik/traefik/32.0.0/templates/hub-apiportal.yaml new file mode 100644 index 000000000..246b127ed --- /dev/null +++ b/charts/traefik/traefik/32.0.0/templates/hub-apiportal.yaml @@ -0,0 +1,19 @@ +{{- if .Values.hub.apimanagement.enabled }} +--- +apiVersion: v1 +kind: Service +metadata: + name: apiportal + namespace: {{ template "traefik.namespace" . }} + labels: + {{- include "traefik.labels" . | nindent 4 }} +spec: + ports: + - name: apiportal + port: 9903 + protocol: TCP + targetPort: apiportal + selector: + {{- include "traefik.labelselector" . | nindent 4 }} +{{- end -}} + diff --git a/charts/traefik/traefik/32.0.0/templates/ingressclass.yaml b/charts/traefik/traefik/32.0.0/templates/ingressclass.yaml new file mode 100644 index 000000000..6a8ff8199 --- /dev/null +++ b/charts/traefik/traefik/32.0.0/templates/ingressclass.yaml @@ -0,0 +1,12 @@ +{{- if .Values.ingressClass.enabled -}} +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + annotations: + ingressclass.kubernetes.io/is-default-class: {{ .Values.ingressClass.isDefaultClass | quote }} + labels: + {{- include "traefik.labels" . | nindent 4 }} + name: {{ .Values.ingressClass.name | default (include "traefik.fullname" .) }} +spec: + controller: traefik.io/ingress-controller +{{- end -}} diff --git a/charts/traefik/traefik/32.0.0/templates/ingressroute.yaml b/charts/traefik/traefik/32.0.0/templates/ingressroute.yaml new file mode 100644 index 000000000..2f35abb2a --- /dev/null +++ b/charts/traefik/traefik/32.0.0/templates/ingressroute.yaml @@ -0,0 +1,43 @@ +{{ range $name, $config := .Values.ingressRoute }} +{{ if $config.enabled }} +--- +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: {{ $.Release.Name }}-{{ $name }} + namespace: {{ template "traefik.namespace" $ }} + annotations: + {{- if and $.Values.ingressClass.enabled $.Values.providers.kubernetesCRD.enabled $.Values.providers.kubernetesCRD.ingressClass }} + kubernetes.io/ingress.class: {{ $.Values.providers.kubernetesCRD.ingressClass }} + {{- end }} + {{- with $config.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + {{- include "traefik.labels" $ | nindent 4 }} + {{- with $config.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + entryPoints: + {{- range $config.entryPoints }} + - {{ . }} + {{- end }} + routes: + - match: {{ $config.matchRule }} + kind: Rule + {{- with $config.services }} + services: + {{- toYaml . | nindent 6 }} + {{- end -}} + {{- with $config.middlewares }} + middlewares: + {{- toYaml . | nindent 6 }} + {{- end -}} + + {{- with $config.tls }} + tls: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end -}} +{{ end }} diff --git a/charts/traefik/traefik/32.0.0/templates/poddisruptionbudget.yaml b/charts/traefik/traefik/32.0.0/templates/poddisruptionbudget.yaml new file mode 100644 index 000000000..f1716397c --- /dev/null +++ b/charts/traefik/traefik/32.0.0/templates/poddisruptionbudget.yaml @@ -0,0 +1,23 @@ +{{- if .Values.podDisruptionBudget.enabled -}} +{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ template "traefik.fullname" . }} + namespace: {{ template "traefik.namespace" . }} + labels: + {{- include "traefik.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + {{- include "traefik.labelselector" . | nindent 6 }} + {{- if .Values.podDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.podDisruptionBudget.minAvailable }} + {{- end }} + {{- if .Values.podDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }} + {{- end }} +{{- end -}} diff --git a/charts/traefik/traefik/32.0.0/templates/prometheusrules.yaml b/charts/traefik/traefik/32.0.0/templates/prometheusrules.yaml new file mode 100644 index 000000000..3231aba6c --- /dev/null +++ b/charts/traefik/traefik/32.0.0/templates/prometheusrules.yaml @@ -0,0 +1,28 @@ +{{- if .Values.metrics.prometheus }} +{{- if (.Values.metrics.prometheus.prometheusRule).enabled }} + {{- if (not (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1")) }} + {{- if (not (.Values.metrics.prometheus.disableAPICheck)) }} + {{- fail "ERROR: You have to deploy monitoring.coreos.com/v1 first" }} + {{- end }} + {{- end }} +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: {{ template "traefik.fullname" . }} + namespace: {{ .Values.metrics.prometheus.prometheusRule.namespace | default (include "traefik.namespace" .) }} + labels: + {{- include "traefik.labels" . | nindent 4 }} + {{- with .Values.metrics.prometheus.prometheusRule.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if .Values.metrics.prometheus.prometheusRule.rules }} + groups: + - name: {{ template "traefik.name" $ }} + rules: + {{- with .Values.metrics.prometheus.prometheusRule.rules }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/traefik/traefik/32.0.0/templates/provider-file-cm.yaml b/charts/traefik/traefik/32.0.0/templates/provider-file-cm.yaml new file mode 100644 index 000000000..139a5a6ab --- /dev/null +++ b/charts/traefik/traefik/32.0.0/templates/provider-file-cm.yaml @@ -0,0 +1,12 @@ +{{- if .Values.providers.file.enabled -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "traefik.fullname" . }}-file-provider + namespace: {{ template "traefik.namespace" . }} + labels: + {{- include "traefik.labels" . | nindent 4 }} +data: + config.yml: + {{ toYaml .Values.providers.file.content | nindent 4 }} +{{- end -}} diff --git a/charts/traefik/traefik/32.0.0/templates/pvc.yaml b/charts/traefik/traefik/32.0.0/templates/pvc.yaml new file mode 100644 index 000000000..7ab96f960 --- /dev/null +++ b/charts/traefik/traefik/32.0.0/templates/pvc.yaml @@ -0,0 +1,26 @@ +{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ template "traefik.fullname" . }} + namespace: {{ template "traefik.namespace" . }} + annotations: + {{- with .Values.persistence.annotations }} + {{ toYaml . | nindent 4 }} + {{- end }} + helm.sh/resource-policy: keep + labels: + {{- include "traefik.labels" . | nindent 4 }} +spec: + accessModes: + - {{ .Values.persistence.accessMode | quote }} + resources: + requests: + storage: {{ .Values.persistence.size | quote }} + {{- if .Values.persistence.storageClass }} + storageClassName: {{ .Values.persistence.storageClass | quote }} + {{- end }} + {{- if .Values.persistence.volumeName }} + volumeName: {{ .Values.persistence.volumeName | quote }} + {{- end }} +{{- end -}} diff --git a/charts/traefik/traefik/32.0.0/templates/rbac/clusterrole.yaml b/charts/traefik/traefik/32.0.0/templates/rbac/clusterrole.yaml new file mode 100644 index 000000000..9f0836225 --- /dev/null +++ b/charts/traefik/traefik/32.0.0/templates/rbac/clusterrole.yaml @@ -0,0 +1,256 @@ +{{- $version := include "imageVersion" $ }} +{{- if and .Values.rbac.enabled (not .Values.rbac.namespaced) }} +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "traefik.clusterRoleName" . }} + labels: + {{- include "traefik.labels" . | nindent 4 }} + {{- range .Values.rbac.aggregateTo }} + rbac.authorization.k8s.io/aggregate-to-{{ . }}: "true" + {{- end }} +rules: + {{- if semverCompare ">=v3.1.0-0" $version }} + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - watch + {{- end }} + {{- if (semverCompare "=v3.1.0-0" $version) }} + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - list + - watch + {{- end }} + - apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + - gateways + - httproutes + - referencegrants + - tcproutes + - tlsroutes + verbs: + - get + - list + - watch + - apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + - gateways/status + - httproutes/status + - tcproutes/status + - tlsroutes/status + verbs: + - update + {{- end }} + {{- if .Values.hub.token }} + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + {{- end }} + {{- if .Values.hub.token }} + {{- if or (semverCompare ">=v3.1.0-0" $version) .Values.hub.apimanagement.enabled }} + - apiGroups: + - "" + resources: + - endpoints + verbs: + - list + - watch + {{- end }} + - apiGroups: + - "" + resources: + - namespaces + {{- if .Values.hub.apimanagement.enabled }} + - pods + {{- end }} + verbs: + - get + - list + {{- if .Values.hub.apimanagement.enabled }} + - watch + {{- end }} + {{- if .Values.hub.apimanagement.enabled }} + - apiGroups: + - hub.traefik.io + resources: + - accesscontrolpolicies + - apiaccesses + - apiportals + - apiratelimits + - apis + - apiversions + - apibundles + - apiplans + verbs: + - list + - watch + - create + - update + - patch + - delete + - get + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - apps + resources: + - replicasets + verbs: + - get + - list + - watch + {{- if (semverCompare "=1.25.0-0" .Capabilities.KubeVersion.Version }} + {{- fail "ERROR: PodSecurityPolicy has been removed in Kubernetes v1.25+" }} +{{- end }} +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default + seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default + name: {{ template "traefik.fullname" . }} + labels: + {{- include "traefik.labels" . | nindent 4 }} +spec: + privileged: false + allowPrivilegeEscalation: false + requiredDropCapabilities: + - ALL +{{- if not .Values.securityContext.runAsNonRoot }} + allowedCapabilities: + - NET_BIND_SERVICE +{{- end }} + hostNetwork: {{ .Values.hostNetwork }} + hostIPC: false + hostPID: false + fsGroup: +{{- if .Values.securityContext.runAsNonRoot }} + ranges: + - max: 65535 + min: 1 + rule: MustRunAs +{{- else }} + rule: RunAsAny +{{- end }} +{{- if .Values.hostNetwork }} + hostPorts: + - max: 65535 + min: 1 +{{- end }} + readOnlyRootFilesystem: true + runAsUser: +{{- if .Values.securityContext.runAsNonRoot }} + rule: MustRunAsNonRoot +{{- else }} + rule: RunAsAny +{{- end }} + seLinux: + rule: RunAsAny + supplementalGroups: +{{- if .Values.securityContext.runAsNonRoot }} + ranges: + - max: 65535 + min: 1 + rule: MustRunAs +{{- else }} + rule: RunAsAny +{{- end }} + volumes: + - configMap + - downwardAPI + - secret + - emptyDir + - projected +{{- if .Values.persistence.enabled }} + - persistentVolumeClaim +{{- end -}} +{{- end -}} diff --git a/charts/traefik/traefik/32.0.0/templates/rbac/role.yaml b/charts/traefik/traefik/32.0.0/templates/rbac/role.yaml new file mode 100644 index 000000000..e81aaa8a6 --- /dev/null +++ b/charts/traefik/traefik/32.0.0/templates/rbac/role.yaml @@ -0,0 +1,143 @@ +{{- $version := include "imageVersion" $ }} +{{- $ingressNamespaces := concat (include "traefik.namespace" . | list) .Values.providers.kubernetesIngress.namespaces -}} +{{- $CRDNamespaces := concat (include "traefik.namespace" . | list) .Values.providers.kubernetesCRD.namespaces -}} +{{- $allNamespaces := sortAlpha (uniq (concat $ingressNamespaces $CRDNamespaces)) -}} + +{{- if and .Values.rbac.enabled .Values.rbac.namespaced -}} +{{- range $allNamespaces }} +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "traefik.fullname" $ }} + namespace: {{ . }} + labels: + {{- include "traefik.labels" $ | nindent 4 }} +rules: + {{- if (semverCompare "://:. Default: http://localhost:4318/v1/metrics + endpoint: "" + # -- Additional headers sent with metrics by the reporter to the OpenTelemetry Collector. + headers: {} + ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector. + tls: + # -- The path to the certificate authority, it defaults to the system bundle. + ca: "" + # -- The path to the public certificate. When using this option, setting the key option is required. + cert: "" + # -- The path to the private key. When using this option, setting the cert option is required. + key: "" + # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. + insecureSkipVerify: # @schema type:[boolean, null] + grpc: + # -- Set to true in order to send metrics to the OpenTelemetry Collector using gRPC + enabled: false + # -- Format: ://:. Default: http://localhost:4318/v1/metrics + endpoint: "" + # -- Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol. + insecure: false + ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector. + tls: + # -- The path to the certificate authority, it defaults to the system bundle. + ca: "" + # -- The path to the public certificate. When using this option, setting the key option is required. + cert: "" + # -- The path to the private key. When using this option, setting the cert option is required. + key: "" + # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. + insecureSkipVerify: false + +## Tracing +# -- https://doc.traefik.io/traefik/observability/tracing/overview/ +tracing: # @schema additionalProperties: false + # -- Enables tracing for internal resources. Default: false. + addInternals: false + otlp: + # -- See https://doc.traefik.io/traefik/v3.0/observability/tracing/opentelemetry/ + enabled: false + http: + # -- Set to true in order to send metrics to the OpenTelemetry Collector using HTTP. + enabled: false + # -- Format: ://:. Default: http://localhost:4318/v1/metrics + endpoint: "" + # -- Additional headers sent with metrics by the reporter to the OpenTelemetry Collector. + headers: {} + ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector. + tls: + # -- The path to the certificate authority, it defaults to the system bundle. + ca: "" + # -- The path to the public certificate. When using this option, setting the key option is required. + cert: "" + # -- The path to the private key. When using this option, setting the cert option is required. + key: "" + # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. + insecureSkipVerify: false + grpc: + # -- Set to true in order to send metrics to the OpenTelemetry Collector using gRPC + enabled: false + # -- Format: ://:. Default: http://localhost:4318/v1/metrics + endpoint: "" + # -- Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol. + insecure: false + ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector. + tls: + # -- The path to the certificate authority, it defaults to the system bundle. + ca: "" + # -- The path to the public certificate. When using this option, setting the key option is required. + cert: "" + # -- The path to the private key. When using this option, setting the cert option is required. + key: "" + # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers. + insecureSkipVerify: false + +# -- Global command arguments to be passed to all traefik's pods +globalArguments: +- "--global.checknewversion" +- "--global.sendanonymoususage" + +# -- Additional arguments to be passed at Traefik's binary +# See [CLI Reference](https://docs.traefik.io/reference/static-configuration/cli/) +# Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"` +additionalArguments: [] +# - "--providers.kubernetesingress.ingressclass=traefik-internal" +# - "--log.level=DEBUG" + +# -- Environment variables to be passed to Traefik's binary +# @default -- See _values.yaml_ +env: +- name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name +- name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + +# -- Environment variables to be passed to Traefik's binary from configMaps or secrets +envFrom: [] + +ports: + traefik: + port: 9000 + # -- Use hostPort if set. + hostPort: # @schema type:[integer, null]; minimum:0 + # -- Use hostIP if set. If not set, Kubernetes will default to 0.0.0.0, which + # means it's listening on all your interfaces and all your IPs. You may want + # to set this value if you need traefik to listen on specific interface + # only. + hostIP: # @schema type:[string, null] + + # Defines whether the port is exposed if service.type is LoadBalancer or + # NodePort. + # + # -- You SHOULD NOT expose the traefik port on production deployments. + # If you want to access it from outside your cluster, + # use `kubectl port-forward` or create a secure ingress + expose: + default: false + # -- The exposed port for this service + exposedPort: 9000 + # -- The port protocol (TCP/UDP) + protocol: TCP + web: + ## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicitly set an entrypoint it will only use this entrypoint. + # asDefault: true + port: 8000 + # hostPort: 8000 + # containerPort: 8000 + expose: + default: true + exposedPort: 80 + ## -- Different target traefik port on the cluster, useful for IP type LB + targetPort: # @schema type:[integer, null]; minimum:0 + # The port protocol (TCP/UDP) + protocol: TCP + # -- See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport) + nodePort: # @schema type:[integer, null]; minimum:0 + # Port Redirections + # Added in 2.2, you can make permanent redirects via entrypoints. + # https://docs.traefik.io/routing/entrypoints/#redirection + redirectTo: {} + forwardedHeaders: + # -- Trust forwarded headers information (X-Forwarded-*). + trustedIPs: [] + insecure: false + proxyProtocol: + # -- Enable the Proxy Protocol header parsing for the entry point + trustedIPs: [] + insecure: false + # -- Set transport settings for the entrypoint; see also + # https://doc.traefik.io/traefik/routing/entrypoints/#transport + transport: + respondingTimeouts: + readTimeout: # @schema type:[string, integer, null] + writeTimeout: # @schema type:[string, integer, null] + idleTimeout: # @schema type:[string, integer, null] + lifeCycle: + requestAcceptGraceTimeout: # @schema type:[string, integer, null] + graceTimeOut: # @schema type:[string, integer, null] + keepAliveMaxRequests: # @schema type:[integer, null]; minimum:0 + keepAliveMaxTime: # @schema type:[string, integer, null] + websecure: + ## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicitly set an entrypoint it will only use this entrypoint. + # asDefault: true + port: 8443 + hostPort: # @schema type:[integer, null]; minimum:0 + containerPort: # @schema type:[integer, null]; minimum:0 + expose: + default: true + exposedPort: 443 + ## -- Different target traefik port on the cluster, useful for IP type LB + targetPort: # @schema type:[integer, null]; minimum:0 + ## -- The port protocol (TCP/UDP) + protocol: TCP + # -- See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport) + nodePort: # @schema type:[integer, null]; minimum:0 + # -- See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol) + appProtocol: # @schema type:[string, null] + # -- See [upstream documentation](https://doc.traefik.io/traefik/routing/entrypoints/#allowacmebypass) + allowACMEByPass: false + http3: + ## -- Enable HTTP/3 on the entrypoint + ## Enabling it will also enable http3 experimental feature + ## https://doc.traefik.io/traefik/routing/entrypoints/#http3 + ## There are known limitations when trying to listen on same ports for + ## TCP & UDP (Http3). There is a workaround in this chart using dual Service. + ## https://github.com/kubernetes/kubernetes/issues/47249#issuecomment-587960741 + enabled: false + advertisedPort: # @schema type:[integer, null]; minimum:0 + forwardedHeaders: + # -- Trust forwarded headers information (X-Forwarded-*). + trustedIPs: [] + insecure: false + proxyProtocol: + # -- Enable the Proxy Protocol header parsing for the entry point + trustedIPs: [] + insecure: false + # -- See [upstream documentation](https://doc.traefik.io/traefik/routing/entrypoints/#transport) + transport: + respondingTimeouts: + readTimeout: # @schema type:[string, integer, null] + writeTimeout: # @schema type:[string, integer, null] + idleTimeout: # @schema type:[string, integer, null] + lifeCycle: + requestAcceptGraceTimeout: # @schema type:[string, integer, null] + graceTimeOut: # @schema type:[string, integer, null] + keepAliveMaxRequests: # @schema type:[integer, null]; minimum:0 + keepAliveMaxTime: # @schema type:[string, integer, null] + # -- See [upstream documentation](https://doc.traefik.io/traefik/routing/entrypoints/#tls) + tls: + enabled: true + options: "" + certResolver: "" + domains: [] + # -- One can apply Middlewares on an entrypoint + # https://doc.traefik.io/traefik/middlewares/overview/ + # https://doc.traefik.io/traefik/routing/entrypoints/#middlewares + # -- /!\ It introduces here a link between your static configuration and your dynamic configuration /!\ + # It follows the provider naming convention: https://doc.traefik.io/traefik/providers/overview/#provider-namespace + # - namespace-name1@kubernetescrd + # - namespace-name2@kubernetescrd + middlewares: [] + metrics: + # -- When using hostNetwork, use another port to avoid conflict with node exporter: + # https://github.com/prometheus/prometheus/wiki/Default-port-allocations + port: 9100 + # -- You may not want to expose the metrics port on production deployments. + # If you want to access it from outside your cluster, + # use `kubectl port-forward` or create a secure ingress + expose: + default: false + # -- The exposed port for this service + exposedPort: 9100 + # -- The port protocol (TCP/UDP) + protocol: TCP + +# -- TLS Options are created as [TLSOption CRDs](https://doc.traefik.io/traefik/https/tls/#tls-options) +# When using `labelSelector`, you'll need to set labels on tlsOption accordingly. +# See EXAMPLE.md for details. +tlsOptions: {} + +# -- TLS Store are created as [TLSStore CRDs](https://doc.traefik.io/traefik/https/tls/#default-certificate). This is useful if you want to set a default certificate. See EXAMPLE.md for details. +tlsStore: {} + +service: + enabled: true + ## -- Single service is using `MixedProtocolLBService` feature gate. + ## -- When set to false, it will create two Service, one for TCP and one for UDP. + single: true + type: LoadBalancer + # -- Additional annotations applied to both TCP and UDP services (e.g. for cloud provider specific config) + annotations: {} + # -- Additional annotations for TCP service only + annotationsTCP: {} + # -- Additional annotations for UDP service only + annotationsUDP: {} + # -- Additional service labels (e.g. for filtering Service by custom labels) + labels: {} + # -- Additional entries here will be added to the service spec. + # -- Cannot contain type, selector or ports entries. + spec: {} + # externalTrafficPolicy: Cluster + # loadBalancerIP: "1.2.3.4" + # clusterIP: "2.3.4.5" + loadBalancerSourceRanges: [] + # - 192.168.0.1/32 + # - 172.16.0.0/16 + ## -- Class of the load balancer implementation + # loadBalancerClass: service.k8s.aws/nlb + externalIPs: [] + # - 1.2.3.4 + ## One of SingleStack, PreferDualStack, or RequireDualStack. + # ipFamilyPolicy: SingleStack + ## List of IP families (e.g. IPv4 and/or IPv6). + ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + # ipFamilies: + # - IPv4 + # - IPv6 + ## + additionalServices: {} + ## -- An additional and optional internal Service. + ## Same parameters as external Service + # internal: + # type: ClusterIP + # # labels: {} + # # annotations: {} + # # spec: {} + # # loadBalancerSourceRanges: [] + # # externalIPs: [] + # # ipFamilies: [ "IPv4","IPv6" ] + +autoscaling: + # -- Create HorizontalPodAutoscaler object. + # See EXAMPLES.md for more details. + enabled: false + +persistence: + # -- Enable persistence using Persistent Volume Claims + # ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + # It can be used to store TLS certificates, see `storage` in certResolvers + enabled: false + name: data + existingClaim: "" + accessMode: ReadWriteOnce + size: 128Mi + storageClass: "" + volumeName: "" + path: /data + annotations: {} + # -- Only mount a subpath of the Volume into the pod + subPath: "" + +# -- Certificates resolvers configuration. +# Ref: https://doc.traefik.io/traefik/https/acme/#certificate-resolvers +# See EXAMPLES.md for more details. +certResolvers: {} + +# -- If hostNetwork is true, runs traefik in the host network namespace +# To prevent unschedulabel pods due to port collisions, if hostNetwork=true +# and replicas>1, a pod anti-affinity is recommended and will be set if the +# affinity is left as default. +hostNetwork: false + +# -- Whether Role Based Access Control objects like roles and rolebindings should be created +rbac: # @schema additionalProperties: false + enabled: true + # When set to true: + # 1. Use `Role` and `RoleBinding` instead of `ClusterRole` and `ClusterRoleBinding`. + # 2. Set `disableIngressClassLookup` on Kubernetes Ingress providers with Traefik Proxy v3 until v3.1.1 + # 3. Set `disableClusterScopeResources` on Kubernetes Ingress and CRD providers with Traefik Proxy v3.1.2+ + # **NOTE**: `IngressClass`, `NodePortLB` and **Gateway** provider cannot be used with namespaced RBAC. + # See [upstream documentation](https://doc.traefik.io/traefik/providers/kubernetes-ingress/#disableclusterscoperesources) for more details. + namespaced: false + # Enable user-facing roles + # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles + aggregateTo: [] + # List of Kubernetes secrets that are accessible for Traefik. If empty, then access is granted to every secret. + secretResourceNames: [] + +# -- Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding +podSecurityPolicy: + enabled: false + +# -- The service account the pods will use to interact with the Kubernetes API +serviceAccount: # @schema additionalProperties: false + # If set, an existing service account is used + # If not set, a service account is created automatically using the fullname template + name: "" + +# -- Additional serviceAccount annotations (e.g. for oidc authentication) +serviceAccountAnnotations: {} + +# -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for `traefik` container. +resources: {} + +# -- This example pod anti-affinity forces the scheduler to put traefik pods +# -- on nodes where no other traefik pods are scheduled. +# It should be used when hostNetwork: true to prevent port conflicts +affinity: {} +# podAntiAffinity: +# requiredDuringSchedulingIgnoredDuringExecution: +# - labelSelector: +# matchLabels: +# app.kubernetes.io/name: '{{ template "traefik.name" . }}' +# app.kubernetes.io/instance: '{{ .Release.Name }}-{{ .Release.Namespace }}' +# topologyKey: kubernetes.io/hostname + +# -- nodeSelector is the simplest recommended form of node selection constraint. +nodeSelector: {} +# -- Tolerations allow the scheduler to schedule pods with matching taints. +tolerations: [] +# -- You can use topology spread constraints to control +# how Pods are spread across your cluster among failure-domains. +topologySpreadConstraints: [] +# This example topologySpreadConstraints forces the scheduler to put traefik pods +# on nodes where no other traefik pods are scheduled. +# - labelSelector: +# matchLabels: +# app: '{{ template "traefik.name" . }}' +# maxSkew: 1 +# topologyKey: kubernetes.io/hostname +# whenUnsatisfiable: DoNotSchedule + +# -- [Pod Priority and Preemption](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) +priorityClassName: "" + +# -- [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) +# @default -- See _values.yaml_ +securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: [ALL] + readOnlyRootFilesystem: true + +# -- [Pod Security Context](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context) +# @default -- See _values.yaml_ +podSecurityContext: + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + +# +# -- Extra objects to deploy (value evaluated as a template) +# +# In some cases, it can avoid the need for additional, extended or adhoc deployments. +# See #595 for more details and traefik/tests/values/extra.yaml for example. +extraObjects: [] + +# -- This field override the default Release Namespace for Helm. +# It will not affect optional CRDs such as `ServiceMonitor` and `PrometheusRules` +namespaceOverride: "" + +## -- This field override the default app.kubernetes.io/instance label for all Objects. +instanceLabelOverride: "" + +# Traefik Hub configuration. See https://doc.traefik.io/traefik-hub/ +hub: + # -- Name of `Secret` with key 'token' set to a valid license token. + # It enables API Gateway. + token: "" + apimanagement: + # -- Set to true in order to enable API Management. Requires a valid license token. + enabled: false + admission: + # -- WebHook admission server listen address. Default: "0.0.0.0:9943". + listenAddr: "" + # -- Certificate of the WebHook admission server. Default: "hub-agent-cert". + secretName: "" + + redis: + # -- Enable Redis Cluster. Default: true. + cluster: # @schema type:[boolean, null] + # -- Database used to store information. Default: "0". + database: # @schema type:[string, null] + # -- Endpoints of the Redis instances to connect to. Default: "". + endpoints: "" + # -- The username to use when connecting to Redis endpoints. Default: "". + username: "" + # -- The password to use when connecting to Redis endpoints. Default: "". + password: "" + sentinel: + # -- Name of the set of main nodes to use for main selection. Required when using Sentinel. Default: "". + masterset: "" + # -- Username to use for sentinel authentication (can be different from endpoint username). Default: "". + username: "" + # -- Password to use for sentinel authentication (can be different from endpoint password). Default: "". + password: "" + # -- Timeout applied on connection with redis. Default: "0s". + timeout: "" + tls: + # -- Path to the certificate authority used for the secured connection. + ca: "" + # -- Path to the public certificate used for the secure connection. + cert: "" + # -- Path to the private key used for the secure connection. + key: "" + # -- When insecureSkipVerify is set to true, the TLS connection accepts any certificate presented by the server. Default: false. + insecureSkipVerify: false + # Enable export of errors logs to the platform. Default: true. + sendlogs: # @schema type:[boolean, null] diff --git a/index.yaml b/index.yaml index 5324c5e68..768032f92 100644 --- a/index.yaml +++ b/index.yaml @@ -23600,6 +23600,38 @@ entries: catalog.cattle.io/kube-version: '>=1.22.0-0' catalog.cattle.io/release-name: linkerd-control-plane apiVersion: v2 + appVersion: edge-24.9.3 + created: "2024-09-28T00:53:52.786171586Z" + dependencies: + - name: partials + repository: file://./charts/partials + version: 0.1.0 + description: 'Linkerd gives you observability, reliability, and security for your + microservices — with no code change required. ' + digest: 6b55f7f968fb9f5184d239edca3c141b22a43a471f30d5caba000d0d5ee9a82c + home: https://linkerd.io + icon: file://assets/icons/linkerd-control-plane.png + keywords: + - service-mesh + kubeVersion: '>=1.22.0-0' + maintainers: + - email: cncf-linkerd-dev@lists.cncf.io + name: Linkerd authors + url: https://linkerd.io/ + name: linkerd-control-plane + sources: + - https://github.com/linkerd/linkerd2/ + type: application + urls: + - assets/linkerd/linkerd-control-plane-2024.9.3.tgz + version: 2024.9.3 + - annotations: + catalog.cattle.io/auto-install: linkerd-crds + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Linkerd Control Plane + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: linkerd-control-plane + apiVersion: v2 appVersion: edge-24.9.2 created: "2024-09-13T01:21:22.752622567Z" dependencies: @@ -23608,7 +23640,7 @@ entries: version: 0.1.0 description: 'Linkerd gives you observability, reliability, and security for your microservices — with no code change required. ' - digest: 12d65d95e9f45856d56b9c5f4c1574cc49b895dd7707acae0fa4580ec8778685 + digest: ace9319c0fbb9c14dabae7263a7928aeb95e05216febb665c8faf36d060126bc home: https://linkerd.io icon: file://assets/icons/linkerd-control-plane.png keywords: @@ -24767,6 +24799,36 @@ entries: - assets/linkerd/linkerd-control-plane-1.12.5.tgz version: 1.12.5 linkerd-crds: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Linkerd CRDs + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: linkerd-crds + apiVersion: v2 + created: "2024-09-28T00:53:52.869391595Z" + dependencies: + - name: partials + repository: file://./charts/partials + version: 0.1.0 + description: 'Linkerd gives you observability, reliability, and security for your + microservices — with no code change required. ' + digest: 2888969efacfa5066128f385c0e4c2c7a48369cc914723aca8b5f24dbe166d2f + home: https://linkerd.io + icon: file://assets/icons/linkerd-crds.png + keywords: + - service-mesh + kubeVersion: '>=1.22.0-0' + maintainers: + - email: cncf-linkerd-dev@lists.cncf.io + name: Linkerd authors + url: https://linkerd.io/ + name: linkerd-crds + sources: + - https://github.com/linkerd/linkerd2/ + type: application + urls: + - assets/linkerd/linkerd-crds-2024.9.3.tgz + version: 2024.9.3 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Linkerd CRDs @@ -27061,6 +27123,32 @@ entries: - assets/minio/minio-operator-5.0.6.tgz version: 5.0.6 nats: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: NATS Server + catalog.cattle.io/kube-version: '>=1.16-0' + catalog.cattle.io/release-name: nats + apiVersion: v2 + appVersion: 2.10.21 + created: "2024-09-28T00:53:52.996442888Z" + description: A Helm chart for the NATS.io High Speed Cloud Native Distributed + Communications Technology. + digest: 1daf38d1c7e70b0e75a44e8f476064d696c87c292921b417c2bd2b413d4a4218 + home: http://github.com/nats-io/k8s + icon: file://assets/icons/nats.png + keywords: + - nats + - messaging + - cncf + kubeVersion: '>=1.16-0' + maintainers: + - email: info@nats.io + name: The NATS Authors + url: https://github.com/nats-io + name: nats + urls: + - assets/nats/nats-1.2.5.tgz + version: 1.2.5 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: NATS Server @@ -33385,6 +33473,50 @@ entries: - assets/quobyte/quobyte-cluster-0.1.8.tgz version: 0.1.8 redpanda: + - annotations: + artifacthub.io/images: | + - name: redpanda + image: docker.redpanda.com/redpandadata/redpanda:v24.2.5 + - name: busybox + image: busybox:latest + - name: mintel/docker-alpine-bash-curl-jq + image: mintel/docker-alpine-bash-curl-jq:latest + artifacthub.io/license: Apache-2.0 + artifacthub.io/links: | + - name: Documentation + url: https://docs.redpanda.com + - name: "Helm (>= 3.10.0)" + url: https://helm.sh/docs/intro/install/ + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Redpanda + catalog.cattle.io/kube-version: '>=1.21-0' + catalog.cattle.io/release-name: redpanda + apiVersion: v2 + appVersion: v24.2.5 + created: "2024-09-28T00:53:54.227082585Z" + dependencies: + - condition: console.enabled + name: console + repository: file://./charts/console + version: '>=0.5 <1.0' + - condition: connectors.enabled + name: connectors + repository: file://./charts/connectors + version: '>=0.1.2 <1.0' + description: Redpanda is the real-time engine for modern apps. + digest: 8a6b9cb129ccfff7ccbb796228bf489af468a23ce7b3e89ad6d85541a5583764 + icon: file://assets/icons/redpanda.svg + kubeVersion: '>=1.21-0' + maintainers: + - name: redpanda-data + url: https://github.com/orgs/redpanda-data/people + name: redpanda + sources: + - https://github.com/redpanda-data/helm-charts + type: application + urls: + - assets/redpanda/redpanda-5.9.5.tgz + version: 5.9.5 - annotations: artifacthub.io/images: | - name: redpanda @@ -36743,6 +36875,37 @@ entries: - assets/btp/sextant-2.2.21.tgz version: 2.2.21 speedscale-operator: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Speedscale Operator + catalog.cattle.io/kube-version: '>= 1.17.0-0' + catalog.cattle.io/release-name: speedscale-operator + apiVersion: v1 + appVersion: 2.2.476 + created: "2024-09-28T00:53:54.294616266Z" + description: Stress test your APIs with real world scenarios. Collect and replay + traffic without scripting. + digest: 3d583e0e526747f19576c4e738813c2517575ee9f6e09057245b76d199eb629a + home: https://speedscale.com + icon: file://assets/icons/speedscale-operator.png + keywords: + - speedscale + - test + - testing + - regression + - reliability + - load + - replay + - network + - traffic + kubeVersion: '>= 1.17.0-0' + maintainers: + - email: support@speedscale.com + name: Speedscale Support + name: speedscale-operator + urls: + - assets/speedscale/speedscale-operator-2.2.476.tgz + version: 2.2.476 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Speedscale Operator @@ -41202,6 +41365,43 @@ entries: - assets/intel/tcs-issuer-0.1.0.tgz version: 0.1.0 traefik: + - annotations: + artifacthub.io/changes: | + - "chore(release): :rocket: publish 32.0.0" + - "fix: replace `CLF` with `common` in `values.yaml`" + - "feat(Traefik Hub): add APIPlans and APIBundles CRDs" + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Traefik Proxy + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: traefik + apiVersion: v2 + appVersion: v3.1.4 + created: "2024-09-28T00:53:54.643468123Z" + description: A Traefik based Kubernetes ingress controller + digest: 00d0bf74c2ca0e137884fd663f15647d7b0a466f097224f28d76db4302c24e29 + home: https://traefik.io/ + icon: file://assets/icons/traefik.png + keywords: + - traefik + - ingress + - networking + kubeVersion: '>=1.22.0-0' + maintainers: + - email: michel.loiseleur@traefik.io + name: mloiseleur + - email: charlie.haley@traefik.io + name: charlie-haley + - email: remi.buisson@traefik.io + name: darkweaver87 + - name: jnoordsij + name: traefik + sources: + - https://github.com/traefik/traefik + - https://github.com/traefik/traefik-helm-chart + type: application + urls: + - assets/traefik/traefik-32.0.0.tgz + version: 32.0.0 - annotations: artifacthub.io/changes: "- \"fix: \U0001F41B updateStrategy behavior\"\n- \"feat(deps): update traefik docker tag to v3.1.4\"\n- \"chore(release): \U0001F680 publish @@ -43501,4 +43701,4 @@ entries: urls: - assets/netfoundry/ziti-host-1.5.1.tgz version: 1.5.1 -generated: "2024-09-27T00:54:26.250872961Z" +generated: "2024-09-28T00:53:49.648364522Z"