From 197d045d23421d18e956fee34689a2d8e00215ef Mon Sep 17 00:00:00 2001
From: Ravi Lachhman <42775804+ravilach@users.noreply.github.com>
Date: Tue, 2 Nov 2021 07:21:30 -1000
Subject: [PATCH 1/2] First Commit After Make Prepare/Patch and Clean

---
 .../mongodb-replicaset/dependency.yaml        |  2 +
 .../generated-changes/overlay/app-readme.md   | 39 ++++++++++++++++
 .../generated-changes/overlay/questions.yaml  | 45 +++++++++++++++++++
 .../generated-changes/patch/Chart.yaml.patch  | 30 +++++++++++++
 packages/shipa/package.yaml                   |  2 +
 5 files changed, 118 insertions(+)
 create mode 100644 packages/shipa/generated-changes/dependencies/mongodb-replicaset/dependency.yaml
 create mode 100644 packages/shipa/generated-changes/overlay/app-readme.md
 create mode 100644 packages/shipa/generated-changes/overlay/questions.yaml
 create mode 100644 packages/shipa/generated-changes/patch/Chart.yaml.patch
 create mode 100644 packages/shipa/package.yaml

diff --git a/packages/shipa/generated-changes/dependencies/mongodb-replicaset/dependency.yaml b/packages/shipa/generated-changes/dependencies/mongodb-replicaset/dependency.yaml
new file mode 100644
index 000000000..19b739b77
--- /dev/null
+++ b/packages/shipa/generated-changes/dependencies/mongodb-replicaset/dependency.yaml
@@ -0,0 +1,2 @@
+workingDir: ""
+url: https://charts.helm.sh/stable/packages/mongodb-replicaset-3.11.3.tgz
diff --git a/packages/shipa/generated-changes/overlay/app-readme.md b/packages/shipa/generated-changes/overlay/app-readme.md
new file mode 100644
index 000000000..700df754a
--- /dev/null
+++ b/packages/shipa/generated-changes/overlay/app-readme.md
@@ -0,0 +1,39 @@
+# Shipa
+
+[Shipa](http://www.shipa.io/) is an Application-as-Code [AaC] provider that is designed for having a cleaner developer experience and allowing for guardrails to be easily created. The "platform engineering dilemma" is how do you allow for innovation yet have control. Shipa is application focused so allowing developers who are not experienced in Kubernetes run through several critical tasks such as deploying,  managing, and iterating on their applications without detailed Kubernetes knowledge. From the operator or admin standpoint, easily enforcing rules/convention without building multiple abstraction layers.
+
+## Install Shipa - Helm Chart
+
+The [Installation Requirements](https://learn.shipa.io/docs/installation-requirements) specify up to date cluster and ingress requirements. Installing the chart is pretty straight forward.
+
+Intially will need to set an intial Admin User and Admin Password/Secret to first access Shipa.
+
+```
+helm repo add shipa-charts https://shipa-charts.storage.googleapis.com
+
+helm repo update
+
+helm upgrade --install shipa shipa-charts/shipa \
+
+--set auth.adminUser=admin@acme.com --set auth.adminPassword=admin1234 \
+
+--namespace shipa-system --create-namespace --timeout=1000s --wait
+```
+
+## Install Shipa - ClusterIP
+Shipa by default will install Traefik as the loadbalencer. 
+Though if this creates a conflict or there is a cluster limitation, you can also leverage ClusterIP for routing which is the
+second set of optional prompts in the Rancher UI. 
+[Installing Shipa with ClusterIP on K3](https://shipa.io/2021/10/k3d-and-shipa-deploymnet/)
+
+```
+helm install shipa shipa-charts/shipa  -n shipa-system --create-namespace \
+--timeout=15m \
+--set=metrics.image=gcr.io/shipa-1000/metrics:30m \
+--set=auth.adminUser=admin@acme.com \
+--set=auth.adminPassword=admin1234 \
+--set=shipaCluster.serviceType=ClusterIP \
+--set=shipaCluster.ip=10.43.10.20 \
+--set=service.nginx.serviceType=ClusterIP \
+--set=service.nginx.clusterIP=10.43.10.10
+```
\ No newline at end of file
diff --git a/packages/shipa/generated-changes/overlay/questions.yaml b/packages/shipa/generated-changes/overlay/questions.yaml
new file mode 100644
index 000000000..868b0071b
--- /dev/null
+++ b/packages/shipa/generated-changes/overlay/questions.yaml
@@ -0,0 +1,45 @@
+questions:
+- variable: auth.adminUser
+  default: ""
+  required: true
+  type: string
+  label: Initial Admin User Name e.g acme@yourorg.com
+  group: "Initial Settings - Required"
+- variable: auth.adminPassword
+  default: ""
+  type: password
+  required: true
+  label: Initial Admin Password/Secret
+  group: "Initial Settings - Required"
+- variable: shipaCluster.serviceType
+  default: ""
+  type: enum
+  required: false
+  label: Cluster Service Type e.g ClusterIP [shipaCluster.serviceType]
+  group: "Shipa Cluster - Optional"
+  options:
+  - "ClusterIP"
+  - "NodePort"
+  - "LoadBalancer"
+- variable: shipaCluster.ip
+  default: ""
+  type: string
+  required: false
+  label: Cluster IP if using ClusterIP Service Type [shipaCluster.ip]
+  group: "Shipa Cluster - Optional"
+- variable: service.nginx.serviceType
+  default: ""
+  type: enum
+  required: false
+  label: Overide Nginx with a Service Type like ClusterIP [service.nginx.serviceType]
+  group: "Shipa Cluster - Optional"
+  options:
+  - "ClusterIP"
+  - "NodePort"
+  - "LoadBalancer"  
+- variable: service.nginx.clusterIP
+  default: ""
+  type: string
+  required: false
+  label: Cluster IP for Nginx [service.nginx.clusterIP]
+  group: "Shipa Cluster - Optional"
\ No newline at end of file
diff --git a/packages/shipa/generated-changes/patch/Chart.yaml.patch b/packages/shipa/generated-changes/patch/Chart.yaml.patch
new file mode 100644
index 000000000..b890d8e9e
--- /dev/null
+++ b/packages/shipa/generated-changes/patch/Chart.yaml.patch
@@ -0,0 +1,30 @@
+--- charts-original/Chart.yaml
++++ charts/Chart.yaml
+@@ -5,7 +5,25 @@
+   repository: file://./charts/mongodb-replicaset
+   tags:
+   - defaultDB
+-description: A Helm chart for Kubernetes to install Shipa
++description: A Helm chart for Kubernetes to install the Shipa Control Plane
++kubeVersion: '>= 1.16.0-0'
++annotations:
++  catalog.cattle.io/release-name: shipa
++  catalog.cattle.io/display-name: Shipa 
++  catalog.cattle.io/namespace: shipa-system
++  catalog.cattle.io/certified: partner
+ name: shipa
+ type: application
++home: https://www.shipa.io
++icon: https://cdn.opsmatters.com/sites/default/files/logos/shipa-logo.png
++maintainers:
++- email: rlachhman@shipa.io 
++  name: ravi
+ version: 1.4.0
++keywords:
++- shipa
++- deployment
++- aac
++sources:
++- https://github.com/shipa-corp
++- https://github.com/shipa-corp/helm-chart
+\ No newline at end of file
diff --git a/packages/shipa/package.yaml b/packages/shipa/package.yaml
new file mode 100644
index 000000000..9349dbcbf
--- /dev/null
+++ b/packages/shipa/package.yaml
@@ -0,0 +1,2 @@
+url: https://shipa-charts.storage.googleapis.com/shipa-1.4.0.tgz
+packageVersion: 00
\ No newline at end of file

From d645bf3e4b3b05da972c1aedd89f98de1507a5fe Mon Sep 17 00:00:00 2001
From: Ravi Lachhman <42775804+ravilach@users.noreply.github.com>
Date: Tue, 2 Nov 2021 07:28:45 -1000
Subject: [PATCH 2/2] Second Commit after Make Charts

---
 assets/shipa/shipa-1.4.0.tgz                  | Bin 0 -> 39415 bytes
 charts/shipa/shipa/1.4.0/Chart.lock           |   6 +
 charts/shipa/shipa/1.4.0/Chart.yaml           |  29 ++
 charts/shipa/shipa/1.4.0/LICENSE              |  25 +
 charts/shipa/shipa/1.4.0/README.md            | 122 +++++
 charts/shipa/shipa/1.4.0/app-readme.md        |  39 ++
 .../charts/mongodb-replicaset/.helmignore     |  22 +
 .../charts/mongodb-replicaset/Chart.yaml      |  16 +
 .../1.4.0/charts/mongodb-replicaset/OWNERS    |   6 +
 .../1.4.0/charts/mongodb-replicaset/README.md | 434 ++++++++++++++++++
 .../mongodb-replicaset/ci/default-values.yaml |   1 +
 .../mongodb-replicaset/ci/metrics-values.yaml |  10 +
 .../mongodb-replicaset/ci/tls-values.yaml     |  10 +
 .../mongodb-replicaset/init/on-start.sh       | 226 +++++++++
 .../mongodb-replicaset/templates/NOTES.txt    |  14 +
 .../mongodb-replicaset/templates/_helpers.tpl |  78 ++++
 .../templates/mongodb-admin-secret.yaml       |  18 +
 .../templates/mongodb-ca-secret.yaml          |  18 +
 .../templates/mongodb-init-configmap.yaml     |  20 +
 .../templates/mongodb-keyfile-secret.yaml     |  17 +
 .../templates/mongodb-metrics-secret.yaml     |  18 +
 .../templates/mongodb-mongodb-configmap.yaml  |  15 +
 .../mongodb-poddisruptionbudget.yaml          |  20 +
 .../templates/mongodb-service-client.yaml     |  32 ++
 .../templates/mongodb-service.yaml            |  25 +
 .../templates/mongodb-statefulset.yaml        | 354 ++++++++++++++
 .../tests/mongodb-up-test-configmap.yaml      |  12 +
 .../templates/tests/mongodb-up-test-pod.yaml  |  79 ++++
 .../1.4.0/charts/mongodb-replicaset/test.sh   |  48 ++
 .../tests/mongodb-up-test.sh                  | 120 +++++
 .../charts/mongodb-replicaset/values.yaml     | 167 +++++++
 charts/shipa/shipa/1.4.0/limits.yaml          |   9 +
 charts/shipa/shipa/1.4.0/questions.yaml       |  45 ++
 charts/shipa/shipa/1.4.0/scripts/bootstrap.sh | 146 ++++++
 .../shipa/1.4.0/scripts/create-root-user.sh   |   6 +
 .../shipa/1.4.0/scripts/csr-api-config.json   |  17 +
 .../shipa/1.4.0/scripts/csr-api-server.json   |  16 +
 .../shipa/1.4.0/scripts/csr-client-ca.json    |  12 +
 .../1.4.0/scripts/csr-docker-cluster.json     |  16 +
 .../shipa/1.4.0/scripts/csr-etcd-client.json  |  15 +
 .../shipa/shipa/1.4.0/scripts/csr-etcd.json   |  17 +
 .../shipa/1.4.0/scripts/csr-shipa-ca.json     |  12 +
 charts/shipa/shipa/1.4.0/scripts/init-job.sh  | 103 +++++
 charts/shipa/shipa/1.4.0/templates/NOTES.txt  |  34 ++
 .../shipa/shipa/1.4.0/templates/_helpers.tpl  |  77 ++++
 .../1.4.0/templates/clair-configmap.yaml      |  82 ++++
 .../1.4.0/templates/clair-deployment.yaml     |  55 +++
 .../shipa/1.4.0/templates/clair-service.yaml  |  18 +
 .../1.4.0/templates/etcd-deployment.yaml      |  63 +++
 .../shipa/shipa/1.4.0/templates/etcd-pvc.yaml |  18 +
 .../shipa/1.4.0/templates/etcd-service.yaml   |  14 +
 .../1.4.0/templates/metrics-configmap.yaml    |  36 ++
 .../1.4.0/templates/metrics-deployment.yaml   |  55 +++
 .../1.4.0/templates/metrics-service.yaml      |  18 +
 .../1.4.0/templates/nginx-configmap.yaml      |  18 +
 .../1.4.0/templates/nginx-deployment.yaml     |  84 ++++
 .../shipa/1.4.0/templates/nginx-rbac.yaml     | 131 ++++++
 .../shipa/1.4.0/templates/nginx-service.yaml  |  44 ++
 .../1.4.0/templates/nginx-serviceaccount.yaml |   6 +
 .../nginx-tcp-services-configmap.yaml         |   9 +
 .../1.4.0/templates/postgres-deployment.yaml  |  46 ++
 .../shipa/1.4.0/templates/postgres-pvc.yaml   |  18 +
 .../1.4.0/templates/postgres-service.yaml     |  14 +
 .../1.4.0/templates/shipa-api-configmap.yaml  | 143 ++++++
 .../1.4.0/templates/shipa-api-deployment.yaml | 206 +++++++++
 .../templates/shipa-api-init-configmap.yaml   |  43 ++
 .../1.4.0/templates/shipa-api-init-job.yaml   |  99 ++++
 .../templates/shipa-api-init-secrets.yaml     |  11 +
 .../shipa/1.4.0/templates/shipa-api-rbac.yaml |  84 ++++
 .../1.4.0/templates/shipa-api-service.yaml    |  19 +
 .../templates/shipa-certificates-secret.yaml  |  21 +
 .../templates/shipa-db-auth-secrets.yaml      |  14 +
 .../templates/shipa-defaults-configmap.yaml   |  10 +
 .../shipa/1.4.0/templates/shipa-ingress.yaml  |  36 ++
 .../shipa/1.4.0/templates/shipa-secret.yaml   |  13 +
 .../1.4.0/templates/shipa-uninstall-job.yaml  |  50 ++
 .../1.4.0/templates/shipa-uninstall-rbac.yaml |  52 +++
 charts/shipa/shipa/1.4.0/values.yaml          | 204 ++++++++
 index.yaml                                    |  34 ++
 79 files changed, 4294 insertions(+)
 create mode 100644 assets/shipa/shipa-1.4.0.tgz
 create mode 100644 charts/shipa/shipa/1.4.0/Chart.lock
 create mode 100644 charts/shipa/shipa/1.4.0/Chart.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/LICENSE
 create mode 100644 charts/shipa/shipa/1.4.0/README.md
 create mode 100644 charts/shipa/shipa/1.4.0/app-readme.md
 create mode 100644 charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/.helmignore
 create mode 100644 charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/Chart.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/OWNERS
 create mode 100644 charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/README.md
 create mode 100644 charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/ci/default-values.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/ci/metrics-values.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/ci/tls-values.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/init/on-start.sh
 create mode 100644 charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/NOTES.txt
 create mode 100644 charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/_helpers.tpl
 create mode 100644 charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/mongodb-admin-secret.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/mongodb-ca-secret.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/mongodb-init-configmap.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/mongodb-keyfile-secret.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/mongodb-metrics-secret.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/mongodb-mongodb-configmap.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/mongodb-poddisruptionbudget.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/mongodb-service-client.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/mongodb-service.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/mongodb-statefulset.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/tests/mongodb-up-test-configmap.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/tests/mongodb-up-test-pod.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/test.sh
 create mode 100644 charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/tests/mongodb-up-test.sh
 create mode 100644 charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/values.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/limits.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/questions.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/scripts/bootstrap.sh
 create mode 100644 charts/shipa/shipa/1.4.0/scripts/create-root-user.sh
 create mode 100644 charts/shipa/shipa/1.4.0/scripts/csr-api-config.json
 create mode 100644 charts/shipa/shipa/1.4.0/scripts/csr-api-server.json
 create mode 100644 charts/shipa/shipa/1.4.0/scripts/csr-client-ca.json
 create mode 100644 charts/shipa/shipa/1.4.0/scripts/csr-docker-cluster.json
 create mode 100644 charts/shipa/shipa/1.4.0/scripts/csr-etcd-client.json
 create mode 100644 charts/shipa/shipa/1.4.0/scripts/csr-etcd.json
 create mode 100644 charts/shipa/shipa/1.4.0/scripts/csr-shipa-ca.json
 create mode 100644 charts/shipa/shipa/1.4.0/scripts/init-job.sh
 create mode 100644 charts/shipa/shipa/1.4.0/templates/NOTES.txt
 create mode 100644 charts/shipa/shipa/1.4.0/templates/_helpers.tpl
 create mode 100644 charts/shipa/shipa/1.4.0/templates/clair-configmap.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/templates/clair-deployment.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/templates/clair-service.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/templates/etcd-deployment.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/templates/etcd-pvc.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/templates/etcd-service.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/templates/metrics-configmap.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/templates/metrics-deployment.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/templates/metrics-service.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/templates/nginx-configmap.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/templates/nginx-deployment.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/templates/nginx-rbac.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/templates/nginx-service.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/templates/nginx-serviceaccount.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/templates/nginx-tcp-services-configmap.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/templates/postgres-deployment.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/templates/postgres-pvc.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/templates/postgres-service.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/templates/shipa-api-configmap.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/templates/shipa-api-deployment.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/templates/shipa-api-init-configmap.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/templates/shipa-api-init-job.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/templates/shipa-api-init-secrets.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/templates/shipa-api-rbac.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/templates/shipa-api-service.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/templates/shipa-certificates-secret.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/templates/shipa-db-auth-secrets.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/templates/shipa-defaults-configmap.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/templates/shipa-ingress.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/templates/shipa-secret.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/templates/shipa-uninstall-job.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/templates/shipa-uninstall-rbac.yaml
 create mode 100644 charts/shipa/shipa/1.4.0/values.yaml

diff --git a/assets/shipa/shipa-1.4.0.tgz b/assets/shipa/shipa-1.4.0.tgz
new file mode 100644
index 0000000000000000000000000000000000000000..774102c793eee35e52c406eb15ef6b16bfd3edcc
GIT binary patch
literal 39415
zcmV)=K!m>^iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc
zVQyr3R8em|NM&qo0PMZ%dK)*=FgSm|zKVJ&f3NL~nnxXM&S-XMl9m}uBtuem>?Dr@
zc7r6MW~0+UOJW>f!~Wl2dl`E@djoq5`{2+=HV-;jcIFl4nOH;vg~F*&RVY-k8Szl5
zIYT}#F3{Zh+ZRaXa=Co4w<rHCm&@6IE4BT~-zs~Ry>j)ia#-E_Te(uL9v=P;%3lJR
zYzi1h{@==XZY$flzeqx^OF80%x~y&hScoHsPKy@e+`&acOBVJynGkH(!9zZGv7cMa
zCd_lt!gSFb*I_7DRc<-)oq5Q@b&yNXWDCaeJh!Zm9gG;(FlBKAdE_1T8KG_+E~^Ie
zyy$18xK}J2HukV<W7i^>)eRF=<vDey)E=8Y_8ej%hPeUYV~;YzslTYhggCffDiuqX
z*b1zaTY;mg93>NMJVAlOTdxcoGs`C)mnbyg4R+=rVZem?@HQA@-^Cm=;1r0<IC31|
zGpvRPn$+b!b)fGc7aKDwaGi1Pv3jX=b#+ygoh}k;5KF)hKUub0q#m0i&auym7M+(E
z;h2>)UM0~TR&wZ+vXUBS@psX4r^W?dTv6YagQLb&bjNe(Vvb#In1GOFTm)kr4eZl@
z9YLj7IVhIR@>64uh|3Xiu`fa3IU-ISd<R*x*&Mn5j!*_Y_CC5KMsf}r4SY+@PS~L-
z;j>_@IwH}vsPAq1UYcQNZpy(n_`<_=K%Sf}F&V~XdR=_&jrNVEB>i`&b@3(I*g*fw
zwY}OB{Xf`$r2h|*Zb>d9LL{kWQEbE_o0S+xV+R`m(dMfaE0to+u*noNE(ids?jO|c
z{ewe<#*@R!%SyS5_scKK<3sz<vdZHZ_Tj{?Rq>0L`!Df+1zUSB4-dx&`?bBw-r;_&
za<KPu{KA-G7yF2dQ>jobS1V?vY?fb)$}j4ba=lh79=v>UP_FIo)jk#;cmBGh_Wvbv
z0?fV?1Gs+wS8A1m{p|kV->W_D|A$CB&{8Y|s5KzD7IlOhJ209N2802E4~^3kb3%Q|
za@dkx5(Qe=a*&VV68S`IeaYsGF?fhEYy)vQg#`_K;CSvih+|eX3>5I0V596{K3}w`
zU?}QPh!}^0VaPul9ucKH>hn6hD8DEh01R7!kNaU(#Q?zEvQ<X4cKFf&AagVgc@0J<
z{0jNFggjEeRGa{S7dTFzI>cJkq2XMi1ryldaWJjJ1UXDlFiUc(b@=HQ0{}S=y&7P#
zRCvdo`j|1zxjBLj0`3PmEOtt!zT`k!^vdN#kkjz9=QRROTZCEk68np`D~8P0-wlUY
z*k!m5g>VF#PQW<!#VG7Rz_7v*96Dt{T;M*!6LJAWVFXr$Qnou1z(vf9GVEUx3xnXA
z<czNd1<y_>vR@$wxfb?I8l_JExtt9NW+Zv9WHHsC=%i0<ybe0?0NJ+4l~ssWhf29v
zDU1IXD-~l!*9qf<=676vYTc;!tDvpxyR0+ZasXB~knO%G*I62a9q_0Zi0uPcgwMdH
z)&=%q7L3Kv_+q7seJ6%V>@Dna!31Mlel5ZfTR!Ft*o+2_Ew(4JZETAwmg*AFfHQ%p
zTy`*vgcxH-ZKr<VI2w#zpQ`6#X}VM5UW-2faC$|Hto0)=>qY~!X1F&jHqnldswPxy
zLE=u~yDqgQp$G}v6>%KV_dpOP>N*P`lO#|<=L%t^f`*Aa62V~}wuB_ipx}nZVsdFB
zkH`s^ypgJ&s9lFzwOTG~u!@Y`3Nlk56of{$fr@TG5XH^lMJZJwSzbY^hQk^y;`ChQ
zE@CmHglFcNFo>p7!L-7ksfAv?&lXb)M1pk^Iils-ez97v7GJz59#+DZJ7PufT_N5R
z7c-53McoOR28yZ!VxVOHu{_}9vYR6}Ku%pl37O+~;TN_1N@z*<#+0B-VuPB~fY`Vs
zGt5+5CG~5Lym*QG7{q~Vr%vr%;OGJa0*BHIKs-KfQ())FlRTcD1(_Ej4W3W07v`AS
z3zLyQ#4%K<zBnxyhK<;4Op$MkqUjyJ;;@Zt=p)w<>#M$e$a+FdU>v)Ok^t=NKtIgm
z@Qymc9K(=PA5Aed9mH5ztTWNGWbXn~1?2ax6kz_D%=%ZN4#Ql~y@FZDt5zuN!qtpe
zGq4F${EWSD(VSRfcrJ;MX^1;bzzbZB1w0cAK~Kwb5Sv#u<pz$k3oc!1PVP$}QI9~a
zJ!?iO6BH}~FK!+CMO{9umINzlv&cu5g&8}gw&>IVBm2EiIPSR?R^QbOSIWo4Fg(h*
zSd;a~3HdfA#BwC#o4d8dw{?81F~{5|7F!7*{C-(3mWzigfCz%nzUDs4&^}HD-4*|M
zKAmGe!vPB^$_`*rqaS@}Cac!rPgw@Q$8*Z@xsQ=u*I58yLf|_}uTU?Q9BLtFMj5Za
ztRB25iL&Y1S7P+Gtu6}-+O-Zp0ZT|NSJb!bFhjm=Q5%b9<E}RRshCmI)KgsK%pMng
zEcOPWZc%XiM-{tZ7~_B~1SwrP4dbzz0deXnUOzhBR@RZ3W_%242nQO1IKM}V(-t7a
z(NYIw&xtEINb}y3A(gp3eMrj{J_#IWDKq2|8<s@_m#f(tM!d+?Obn_IC_1~5DwyC?
zEguU$R)}NrujtqjqA8ZjDxed&F|$AvKU_5QvF=hX_djxN4NGtd0@^Mh1&A<+)JhOU
zJ3j1Nbf$)iZNu=#$XY%WjU8xG*ToiBqA$I2mFC~IB(_?)X5ecscz5Si{nk>R@4!4@
zTywH8<jA#=Z-*eoE*x@SAop5I<7s|G@CUJW&ZZVC>gJ^GT=6L-A5X9^XuM!BG*pvG
zsHGjITQrxxY58B``I^d^6Z-_)kr+XelP8GBd@iQfLuybR!nha#u{D|MFD_1tP>?vX
zauHvnx#wVkYrT3{t{m>FFO`*Fs>@#r5^yV!G7+P53=WwSeaRIrm!#fv7p^c^f$w9N
zI}5O>S}lR+3GP|Uh?KgXwz@+YVr;{S=tp8g)J!}Ti%pWDe}auT8Y6~fZE@U%IuD2>
zHc>2+-qeX0)1QAvf6GrhpmYVLmO2GtbTSkh$c1>4rlPyynu6A=Xw3<<xWkeXTD(#@
znli~yhSLsLXdxiYkZU_wUu7jnt7wGRU^_6xJiZDOwVq1O?y15}?V%(}Tn%k_4;CJ#
ztyg-VawVl9hlvvgUkaW>?p6V4i4S2#$x-U&<36<_u=@Bimi5_nrO+0?hL|g6!)N6<
zm(`&XX`ke}68oOoc!(Wraq6q_Oz`-GmME)(L)_pxHRBO^2-#lU|BfW`vWQv`7cW?G
zYWV_Eh_Nmz3vo29L%DdM)=J{o?o7Ir_kGN;%cH|10apTxK}f-XZ-NrBf?SREBR_bb
z{9sm&N^yWo`!%t4B1x_uDG6zi7R|z<@^c?8v?3KG-HkBd^a8v3*Obz!g9q3`9=B$w
zt`Xw+0xzNpOzMC1Pc}zB7t*FG>-qFIZ1J~IaR&viHESXN!dYl=_C@&lYb(7UQ<T*G
zPpmHJ_D1btkzezBY-7XyZ*8x(m%0DhE0-Vde;*`?o%!9?31Bos?uEJ~is+y;W%;ig
zfcfsb?*vIODn$r|Fl<MpR0=MJaTf7OpFTnHow}hEhiXyEG~zRS{%rIko+-Cj_*oP+
zszq@k@aR&@^Qj#u7EW`pyWmNiqe$+>iE|JxW41%eA0fs*wj4y}>L8V4qYowIIE%#5
zVCMjnYUdVqFvkTUofw)$R9qRdFA3AC`WbSkSg_clff#io#74-gz+B>an8O$g>A^y7
zr1BQbFwWvCPTB$Hh`354EVwd_SluxC@0#rB$uq&@Slj{AjI6hg#9$AUeO9p>=ECRC
zFvT3aOAAZ~wEfmnSy9ZSk~ev77_v8)77!Pnhz9=ww&GP39-=}L2N%{h{Y17+BVi3p
zGyL=D=TAR>DvC3`7=!-#^Ut53N1WWI7CgkQ8F-iQB!&Q{2Twm01l&UXQz6SX4U*$s
zsE4Ed`SVl5rY<&&S~1B+14q8-N38v~9D;@PY~X7tj||^*`i=89z2WFKQ^PJT(Y<JR
z3hLH16mkntgwLPNl#*Hu=WmR<9^$j3!lxqRhzG2g)TbA9g`dj56p8n_@Erd8zky8P
zr=P(51D?bv!!N)5L-0*5{6%^rSSA5V^ywckA)4vZ(_|vsURo^zxn!437FKfTl(_53
znJOsc3{yzU`Zw}C_0uqJL}l+W$%dhS(rygf@Tv{{#;DWoj_S}+5{ftos1JcR^^qN&
z3NS|t@bT{f@iEx?LR@Th>f6|tibU*Bs6US-=6QI3&WaE<{8f7Vwa?~<NLl{xe1;uC
z!iwCxH&dVu{NG;n@F2_o9hM*Me;y=#`c(Q3F3G$unS%*&Fkg81XfB4un&CQpSNi<f
z5T%UvwTE0=O1(+NtJDw`4PDOELVrk#6&W_;Z}N~UDuYu=EkjzE)E~p2LN0bKIH<`#
z$$S`0Cgd6lW(*9ww)|UR*HlVf6ty7^fd%{?AV-?73mPi%E*kH#f-cK*(T3;)gE6*H
zz_8L8CM>sQZzlvhwqnYpI#F>{l9zloUdWMXb%&y?Abx@ycwRI*laL8gKrAXvr<qo(
zDYY|Cn<gN^nF{1JwkrlUKI6jiAd_e;v-<d`%*p~=4Y<Q%NKYj4^`q_QG=XO{4hl;8
z_>6E(<=z-U&nGUQK;eHg^MA8K2AXR3CaY}K->KD?m{ze>v=ywFQaQDHov2a{8e?bW
z^vW`Ym7PhBwfb9I>%*T?fhl;T!ru!}I4|60FVXp&x(Y+K3Pbf(fe7t?CDu|BBd+BH
zcD6f$9W$1{GObcQ(I9m(wWL+|8qq@!@eO%iF|B!x42}hNwN&L#_&uN;L!!62Q0B-*
zQ*4{#MLosVX*(}bN$=-+9@{4%=Jh`2MRNu_)F*Ek?(7(uxgCfE=G7Q1R|+o*^82)M
zv1bp0{2RE{{YhR9c2`ldbg`nox)TM3%=YP1M1G!SdYq5}p09%DCc7BYjtty_{-dxJ
zkd*{NDjt+**X%Y<+xpT)Na_nI?+d0lVTQe{q$F`1$xBG$GhGuVKAjsPQ(mVb26IH*
z5I7^Q6+SK!vP-A}kOptm#i7NL-j>vzteT)>%uf+<M-p!S+-NJ^qOz5ZHmz&p>y?Gd
z(PmsrwV|+FZh3IOHuv<`Pg(xoauD$|=3;kkV*~%czqj=M^PqaT_sIW0L`uD<tQZ%>
zwd-0bdx|_`jyV#Nc|Cf~w^`kiTtf0DNE}$AqM1FFoans&6I?+yTn>AJjD$@pAjPmj
zxf<*6r>U;iwB@3Fq#z_0APnY$CM(`NwU$eHpg_wrE_gn*Fw;C*3A@~1c$B!j$YzPQ
zBtUhW1(Cuc{4I?RLM4XnlS^%QD(~8)(XuyXzdKPL^`cj|F@V0Z#T))`lC&>S<`=1g
z$w#800pIUVk@{0<^-<F13?;@9CsxTJWAFFSqN6zDb7$wI^Q!-Y+3a<@!_lDAJx+jE
z4>arY06E$`;bHs5)p}Fv^P~N}T2&r(M_~nE%$ZXgAL+|n5ZK~5cKJCcb4&w%bRafU
zWDIfiq~9BkjtA}GdA~6nzV8iMMrv5P!F-H;!I5A`0%CB1JszHVmXK*v71SvOf$NY9
z>?{(B_Gi*GB~nDP=kmms5bTr&i=j&#Su400+YV+7d>Xhm_ld`poQR_ZQ%oQr!Redd
zgW8L|bZ=@^b4)m#4NgpkCKyERgFU#wi%6x9UCUp196U57ZfK-;fnAmY)S0NWpGorz
zc_CqAdp9Y2My5~2RL#@C;ly*WTKkbr35)m$Db{N9AJO?ZS8_8+Xfci#cu^0#io)Az
z)!=0froLyD2JPW!5;)N4cO++t{lrTNUDLMxIuy!9`M>%>`Jh}d5}@8-<nY<5+KJaq
zE(ER~NNfw<LhgMr#sY(h;LRzrVXXDTOsx`ZT}VS2*$Q#Rq=zaIIaaFOcmPzvWuz-9
zq+1x-j$p&actU+4N6I1a@$Ug<db)hfJnGuYED6DWxfW9zwQuV1vRr0KxIIa3kOTd<
zowQY_ky<AU8o(7&>^nw`IE!d$fVzqR?GnHe41*-0%?8^A?k_S=FtkwsOHOajgKmrZ
zn6eV)mTg*SLs^Fg_Qa8vuoK2&YN`fX+2zHXOTOxleqZ24Izx0s<>;)yvypyq6(aFk
zj=XCvQhPX7*~l7tDlP*@jMSJogcHmpr=GGB5!E$yO)o^fTc8}<wTOBeAHXgrK6V!I
zVj?cb{v~qiP@P4Y+5$w^N*yhNyB`zerm})@;PN1q<<GE_%Ah{79GuERjz`>d77G{-
z2hpX{VMJ;aW4esEI88VU*SC}+sa{Wle2GIG`4>tPHbKNugl;UPC6~vWU&E<GEwz0@
zQ{`~`gdnnQ_?Y_y+fh{?%My#!z{Y!*b1!{TNBb!v7kq}I{b^xxneG>ZOM*ZgU*TR(
zlIRdf-N<ib^`?D@ZF|$rc(aY3zj>FpZ_WnJ*}|EDdovpKq3_e{MP1p|O2gDk<Pck&
ztD)K;H0NU04A1fN)Tt#a|EFFC<;#DuKal$n05{qHR4ZBgpM(AKqx|<EDJlOU&ts)X
z2yDeZVQwu2-ctMn$hai}V8q52@{96?tWsJEB2|Ziw00~Q%)`<apQX%m=ZIS~r7{hv
z#!WjA7SjL|Lm`rrf_-!7@+ix8cB>A{Lb}tk<t5u>SZkjwsV9wH`Ghq>A0SB#MOyJ3
zNl3(()nY}yB}$d;=e@Fzs4Df-C(P=GQ;4bus)E(el<<7YsYRVSjGFyixQhSY2)ME(
zU}XVxN&|OQM{cYtNhYbt=p#O>XA~LvV<x|u_R_#5!C-DFP^A>-ahZ?(vZS4cEE(3<
zKAqPyA3{svw|FtYljX15ZxRJ32Y@t74z&nos2$J+Gg|8G`*qMdepr6lzO)AtraG&^
zByN<FD<f}9<;{}dVizsq*WuIWJOpmHgsf17mmdE+FHFMmoMq?KR1=b?Vq2O#Pp-w>
zqF?(g{GXWe`9FQdbx#g~Hu?WLsATp3`-cbBNB-|2Qm+1AUw1z^-xsnoN?o3G8j<Ge
zZi-8S*)a8st^^06ZcdjNi@b9`%b+BnRq~-#HbT>E$yb{H?EaU+`TdH28}0wf)g}3_
zR;xVj|A$ClO#aipW&X0_pT_^oNPm&zoo`k6OCSib>{s|bKnv*<IM(FVFKfkGv05#p
zn9unfi8b`o(^9~E<&U8>Ca$dUbT@~iUt-%u$)a-l_4#vdg{P(|zpsIpV#}9mJMx`|
zeqdn+zQdmG!qZT38Q#!TYlkmaG$AlR90`X0sC0>Z*}am;T3rFzm)Pfo;k&h~D_hv-
zCJOj$b;&upHnqmt94|PQjaABfFZK@)%B!n!U!1<SX(4k$94snHU(lgHVG9*4pRYks
zV3w&V4;Otcwzl#GUaYHoffrBVmv#Dv%v<I#t<gF}Uc2Iy(G6(#g2}W>H?UHuZjYL+
z=IG?S(eLDm({(7+3OCX*h{d)><WDWiOgR>eRjJHoPspo@8-sP~2{}QVgx?GX*>_S+
z2a${_K|Y-7-hiZ<-lerHbmw<Mzh+J~sPek8t7>!Q2&|QZQPGnw&C^LqzRBH_Up=!+
zR=`<bDhJdBUTgtMl=|8{$zyuBl*|8nm)3py0^Y#?SIYZ`OYeX79`Ao1Bq?6MpGS<1
zjBenzQh=t)cTot$-qRv6KB1bGtYX4*T`?}6wEPF~aTIz0<dwg=hY!iPcGOW{3!9NY
zGEnmv*Hn#!|BqCSXZUyd2xF_7&sEhtmna&dw4+{CXl<9$2uAQi<~i}>YcJQwbk8Z5
z{@<_qcccDy?;uP6_YbP&NBaK|>E89fchLLXxB6G3lB4}ih;m7NZ9)cIqpuZ(zV@`;
zTgvW#?H=@AUw~}l{|?Jb?>`Rq9`Ao1Bz=MRAL%7@#}^<;KeIV+KUzKL_D0Zdbw)*K
zYHv5%BzL@6c4r^gojP<Jy6gsEmXADq9vgpF=E|T@e^7miI7JhFqvLZmAO$aAvnk^E
z3N2#Y&5XL#KM#8zIeAkcXLw2Dq~2*{+fi*P62<E9)6+`zP^t$j^_S(BwWq(NB>Jp2
zT0_>4ITC0ZdEL-K8oqcJHZLHJi798pMb651C1McvpZ=n{lVQX4DlD#Z`Wxzo!__36
zu!Qac@v{HpL}AgIFW-qgafpj|;fXTft{=fOV4g!b6n=IKH$&$+#P3fvyeK23%)UR4
zd=>q_&nv)9_MiK;a)$mNmJc59{~jcLvHL&0kp9Y7fN>YT%q?IHAHKPZz#Zr-za^nJ
zWD7YMG{$j_B6K*|6f^g!d@mKM9>Ag21w6}mN_VL#@+ZW>&zJP{>Cu4r)-j>F2&t(2
zlD^qnx&q3n7JIu**IjJ`Iq03XM{n9^!}G@Ac(~%q#x$?+xTqfAn9`e<4B3)&PO#Z$
z{PSgOQ-0^QVrCh~)Anf4X@0wAn&F9(vC@R~*Ku*@*I&xLEWf<DC2*1z+64Xn%z+Cx
zWt|Ia?%Xi9O7R%!*Ucec_w8E1-a>jvOwC;^T35ndahDg}p`|5|oK>za(K5xp_PM@o
zTE+j}rwVYR{bx0+|2wGdJ^KHBkaX|*zq|2$_pJhqvB}W_CeDte7BG>$S__ytpAsPR
z3_%mwYd|JWr3ah;?EcRS7k1Y+Hs1f1v+<t~YL!R*--Dztp#PIg=+<(d4qG7PlqmXP
z<iR%)`v?l$4{#w;6z2O4D@tUFYCXrdnObvmffq@|%{FyqCHVZgp4HJT-<U?%vCEP5
z_AAxXLiEMQ$TlO#4TV~{9Dma;TULE$*v+XLc#QiP&CLspJ>-x}yj&*6_iHb~$Mh9b
zKK*~t_uu=qCI7z%`}>dgzYmhWnEp>KBu%&<>@>KG-Y^~b>E5)6*@5^ny2NZNaBmvL
z9k@b-L*N0YP%8t&7IkeE0z~?@@ey%>P7<NWLIgPW=i1}bv5zd=$3CI<PywhzEo8Ho
zeSzM%%b~!kosZtLHZ)XUq?=5I9gma=N@*Fsl!)8Psa9GAuRcdY@JWD0{&Y#Lw6c1p
zoN3A-Ak;O9y@fwF2O~QNNF)>-J$csewa&YZ)Aq36Xttl1wr2{{Ai3p*6UXiWehS`F
zV_q<J2%CikZqrIClEhL2GtNCzy1Gkf%_9G&GTcSxF^Z@aO`n4pJ5p3GZ#S!rVg)|o
zizanBzRp;$BgdgveV<$s2TyUES;*0$S5tSla*ZP|@=}#meAzzr@|0nXlaov?vhBQr
z-S+7GRj1oJAGQbYI?Z;fh#$BOb|yoUR?3yFbntqTw%2P*SM4iw+VY#yp@yVadhlJ_
zv|Jxwwtab}y`5@YE|K+m>uuNHHp=p)*CBU#7$am67c<uP=@_TGH$lV+d_0=@n9ZnT
z*P)jBE_T;(_Qgi1eJ!b1w0~qjO8hG2>i%BVDneT@ycvzs-6k&K1UW72pha|2Rnm71
zUiuu%d}V<&KTdQceTSe$vHa>n79`*H2z|lcJ7j{bh2>;A?)iAgm#GrIj=7XLg^v$&
zHlGP4!ONIz7I2$hxqlfg{g+Gm@}ECO_xJ*2qx`q@{(HZA_$dE9NJ`3oa@JA6XVfQu
zNY<fv@j^vch%|#rBR`<d?QRD$9IJxnQ|VyxVI)L9a1_sD0`kbQPXjMu)~7?AW*&-&
zFA;ajqO8zqW1J)8jrf;G?f8efBv-#Lu|H0LmXW=}A6G)s+!8%$3m1Rgma{ikF`1jY
zoxxn0THbsx<8jIWoJu=_8$wHQ{J8+{IL?VL(#vyhODZ%)Jo#(k<7<vxvFlhN&U7)q
zqW%SOr+VM5#6nNny>|J&P%5d2dTW-8VVb6KL&9@U6z2}4<{k;hO2QCw-OA(my={;T
z3M<IR7WOHce#kK`Y+8G_B@XLJPPEN#x^Yv)ItT6BuF6-$wTU~ur^RWygduaRVcv43
zQU`1CGaRBdy)gh1TkK97iv{DzbFc|1TY^SHFL%2Zauj^gR#}c*6q<<NYFZOq&i&19
zg4y|slbmGW?t^Xn7N`7c^VEN(lrR51sQ<rOxwd5gRepT``7r6;?Z2`r@`sV?(spCX
z*Y0U!4*hGi@NnX#`%1f!WK`%*U!j)HTi4i9?cA63tBqDd>o-+4`nj&jWSynfZf8Q5
z6%%s|>GIUg@~Q&&Q%dKA{@PUE^@pUb+_u2-RLpuj@$Xwqf1yil39^tjWL`NR3W<hC
z!itHG>6|q7+tyw(pUz~2!@PxBfBA-B)6jZfcTmwShcma{wgZ_r4wzeZ-fB%;e<X)8
zap&>iV<u3#)u829TsLZ8`*?axUpTGh|1{%$S2l2y{eP{tpMC#XJA91){vc@`{}&2y
zcb9#a1i6Rd3cvQ?{smJ0{?E6|xh);o`2Hsw|Fv2^tR6n@|A$Cfga3Q*`Ic*n_0W$2
zHpmcKhRRbPm6oHYXF7;HQs3BukiG<yc&C=6gJl8bi_x;|{*QvH+@lHjhW%gNFIThY
ze|7(H|366jV)ozRLi#H^fJpS=%UEqE8h~%k1w`~(K8+;AM$X}vdZm{AcsFO<IZeW{
z-QoUTt(qxu``7tfIMQ~=xD?0QUh7gjrvs0HwjR#Sz!&y49uLT+^%oa1R-XU&=mUDg
z`CqA&m;HYpJf8m#lD@G2=hRO5l0KlrhQ5>^=v??4eL?5f+SVWR#@hGi6M7p&AN@lA
z2d0(u{~k>MHtB!%m;FEN*A5=(|3jpEzyH6Z+;`s&U=rx$TwEt4h~(v7B72RymJssS
zp29n&?Ea6{Z1?8_X8r!JR4aQ+`k(US`~QbYU%>xMym;>D`&ktepd!D|GAlw@Ffh#-
z@_A8bg`y#Mn2zpNhe8-oZ7Y>6z*hCVWQ`eR+Ic*ymrBDooqprIfA;F6(>(9=H#aL`
z1Pq%z<!4zIZaOrGp0X(qllHRxf-I#SP}+$xh!|QK+erqqio$h?Sy~Dor3*@_f4STR
z)}Euq1dS03U+HP~)ulW_i=!zkYVVh=SFyw%_)a>!%C&Owd`jIZwa3N4ccQXft(%o)
zxx;jyBlw>_B{<$xdrAGfbPT3|n4!}L%<I*|a^*1Dw$!f~`KpIyLz{pJ>_qO9)~oZg
zVSA8xwH#_r)W?*f#~~JWSz6lAd0}(ZpCVTq^oDav#5paOT5oXN=ypCfMx9>wywlP%
z#AaiP{N=Utq}3R{dDUwSTIcO<<JC#Kl~mHCzIRR=$L*;8WkS!Q8g8^sJ6+k+6!IwG
zv!Zl^D*b7v<fCNu=1K3YwP`W0tUYQBj@zT5tp6J&E);eP%Nxy-_QK1x`;8Chjeh6+
zO>a0_g@XLEj}`)s*y5|9jCya|-EF{ddV$>}oa0{a_@sS4Xg3@EQS(jXeApSa-?l%j
z0yd>|>fiykkjJeVDl)>ca!9oXWV<<Nuk7U#M5%R4_4Twd7@hQbZ_oRK-uLb1=zI-=
zY>s^HP<m1HeEJ)<_}esgCyldi^UZmyF?f6O;e6P7yAGIx0@s?gkbmJUip;)9z!Hlr
zT#w4-E}kRe+-M=%!F;|jZ8}H9U9Kp<w&cg<s&XPteC-h*n>JdoI)ohK46&JM$s=Je
zK^jaSPYL6G)+K}dhAd7lQ`=k7>XTuapA0L_!I}O2h`jpY-P!l2!?V-ru>9_$`c{5B
zI&;4N;lla-hqL|W$11-@$J`tI;nYss-@iILdw2Z9+3Wrf<=2B=`*nAC<}`n(+9%@o
z;OzCm=*P~LU7NK>7f#EXzx=*id)Iz<Vbjsnd;M|2-;GE1#Sed6)Vl9JdZ!hq(sjRo
zb9QDsR_)`}$I*xVQMEf8mET=|eDnJBq}=VkKYlkjeP5xYcdz-G>p4HT&h`8D_mv;2
z*F8M<X3gK6_V~AV)%T-U&O5i;`FJ)9-i^NB8(&;3-c{`3p!WT5XYI;-aQuBR_`_)p
z-R{R9=Jp%A)~Mo^<$riLs1APo*c`lm#fP;IzV(~kvli^_*^jeX_m5YvKejLSx}%RL
zr|*AQj7C3H&T50;<NM0Yn(tRc*-^_r9#`M7VdeGv?(v{)S7z5|)%NAP_Z4oxv3tGa
z?r_xZp8Zhn?sb3gdgF_C3sgPxNAGE6@cQ-dqxbuxGiUH-{M+m6Ui)PQ{o(Y^ejHqP
zTaG_|eR_3zHtYN_`u^2>cX05rea-Rc)E`~&9|!L~a#Z_RwvMOQP3L=t-@M`<-~F&J
z4vF!b&OUnGsh!nc5!)TS!S6o4J3Fp;;~(FBc>lVwXZ>jRtT!LgxLkRQYP0u)`Q9Jn
z_uav}H-pph#fxiH{{FXd#d`bk-RtiM?bm}J&N^@Px_Ldi_+fhX`dxF>c3Pb_fBjyq
z8Qz>89T{4@xg>&f!hSt*MHF6g`NWE-zT$Fj>eW1P@GUv2)<t%JDepAl{SHe<T>v_P
zIAQ{vY9Hk7Yr%v?erjTeoRO<vtV_h_mOkSo-i%K874mUuUCm3u0@gIwL#>M#n6|V|
z+|z|xL(N)5ALMT{;+evl(aoEqo%7Un3;Khm7Yj2PY=cD~J<15D{=!VWh)J>|J`DtV
zpo3|IBu`%In%3M-+-WHpP<;w(2d*p>bz&??WTu9YoZ?F(B~ce%ym;}Vkl>=C?>?p6
z^b!$cL+TxHYD)L=aoLDlNqMdjNW~Fap0s++x9!1s<80I$HXGu|JL{fzx})~sT|>F5
zQDYF{pob!EMkyK6BP8Zo9SB<d5GPT5i<-K_3*QuO8;q)+@stv?jAC$-7gq7EX^)z%
zyqiG_MJ)PKyjdL_I?2Y%xNa&x6A3mENjkT5EFH)j=<MjpOqut4fP-ibvx{DS)SE(_
zrP0-S;1bSEPaJ}t7ay6(^HgpieFeQxtTLU3)oj9~yM4A`A~(5Egeb+hjeS3nZ8?be
zX?aNPsCsD&zfY?6LHVGZZr)A`2{HMMU8i}}mZAa>Ch(F$i4dq~v=Dmb0zM<|6c7XC
z0ugdBnGozp9@ebD_l0mA>1Keqj3YO4801mg)S^emTT=K%6No2y9*r#O<Jj5{*|v`v
z3x$hFjt%7i8PM|vR`g;vJW8DyjdU;}AI~Yr;hVzHxGP>|kyEWYyeOw~na<wZi>(hl
zpK@$*9O783>>nJ)BwBUSR4ex+@jS;!Q*~3lU5>EW0m7d$Kv6&k<@lA)5SOMGV!oJ=
zfz$PYdRU!d3@qe=k0r?r-^xR5!4?||L=S3JS(7kRI`+zw`^AXMj{{Y>qv|$eu<`|L
zw4+Q(Yi+_TdWro-4!zB7!Sfmcr>(GBJJvI(a}ke&X@1pI{C=0(*v!!2<q#jTZkO74
zq)KLEeJFacu7W6$c+nD*(r&NSJ|7Jl?bn^RX_A@@^IeY)P|CBx%>~g-QCka{I^?(b
zH~B$RRZ$`QGeJtDJY79166sjfW>45St{<^@&f@`-HO2v3jH$g?T|X?59cd=G5w1^t
zKX6NmJt>NOjU$=5hzGvd(u}xM2g44`1BVmO!6lXR*H(}J$EVf$|NAol-Jt*9Kdff`
z{~p%LkNW=yNw>HE+-M{H;Fh1+M{}to@{~-~QQV?eE+_NIEW$?|Pc?Z|jKKhFCnIZK
z&*oT_=5#WwbCT290|oYGhNU-b<3&u(b8Sn-I53Xpp0Wm!JWHWkE+3RD<!WWWyjR{Y
z#Jcm58nrkq(Sw+#W@c5oxX4^}+|q+^qJi|SK^`>C`6cVPDFjw{W)&ql{eb39!q~<h
zri<rK8F2}3t})CVQ_98q^%BzD^6_ptBrjfCuA4*?O3d<!$5|-?USzW@{1su=L`$ne
ztZg>H)eWb<rEPHYN~D~k%4^3p05G@o0jFoPlnYB~pG=$h+rTQN6ap)3e7nb;?vJ?+
zaicJDck@21nvu$aJGQdq?==Lj1;XB7v=VgwJ!#Gz&NAFazjNM{qUlQL>YC^0!tT$7
z)mJ@RHI{c}mT58H;5rIIc6Xa=y#y2Q>vDie=|C-6>Q7B#!<t^5HacB>FShmMA7g%s
zh&z(jFA6h&{6@Z-H{=ijK@ZoGx@axjg5Iek-;`QPAwh0W_Tt6<m1y7X=~V(oLIPd`
zB_$2RGQ|tQWv;*VIILPE>z^^)#O_2akyWo5<X#F@t~og8KEL=DaL$RGc>|M+L~-QW
z@NA_$g}n6)#|NHoDj8xGN3Bi|=duyRgN&#>HU)aOT?AR{jBg0*70V#ShUR9jd)$?E
zCcieqKn^d<Rx+}cYEFROt;zMB2<}QY>@OTEH^bz8t36Qn1MARVt%d!Dx{=gXukTL2
zxm2nnsl^*vX63E=Jg{jitqkBoF63A|&JP*=KQpApH+*JpJ~ba?Pi#1aR-c}m&(CiN
z|68A<@J+>K$#J81gI4oA>gBhc__!u|%lg<O+1wiqMkd}!`pNflOq66C6L~8dcn^#3
zGD<JkhL1^hXkGZ1ha2K_See|2IQtvAynmCZFiY;bRmx#EqmpYF&CTNW*Ake&-3Rlz
zBZB81U$lr{hfkmL1&6G{^^P(6Q!hv2lpCMlOz6gnIeOo4V<ZYJ_d0(L)$x&TP~~-#
zUC*n$TA{OIXf*S2N^M++^5Opetp`r35%lP7fB(1o{x<>dj*q}L`u{mx^8Zz?Jih;Y
zko1M#e<c^=-5!DE=w<8hry=OyYvN#5JjNUfYqYop_!H9i%M!WY=y*M-M5$#E$=k6t
zFp|ZVfmqBpl}$}({#N{riHTU<z5E*apoJ*D4Zx_}YA~TK=$6ou#q)t`5{kBgm@1nO
zF1DZA0$#dsKEU`S+6H2#^lFg$A>EcB6Q!3y>Vw0a_-Kx=sDELG+ftHh0Ukm#ve#jm
z@a&2z$udjq*A%<hM^3`F9rGY{a80Oh;nWMc<Y~4Paa4w0wU)EjygpD#WOla*`H(oK
zr8+W+tG3l0T4*^GDzlK=cMzXYe|~}%*k_p{%7sW09P&K8e2=8hP5BauV>HkG%odE}
zx%&RK3BOJo&VNDw?(6|#!}))BaIob6;h?tnc>X^`N}m5?#I0Fu0QNl{=bZmrM2QMl
zj+xx91FW{XR!ZKJWmsW`oq3VXN;66?3Uw%WlyOs<$2*R;Kibx9;22pKbTT<1bHbH?
zyWTeIUdIEzs{6l9f!g!s*KgDmOIyx|7e`%unRslq`X+218VKe%I=s6%Rf3z$g1?0|
z)yfMlWeC#lw)(wJcZC(m7AqEcB>(0h4S$U>P+_Cjge>T<r}o}-3BQfr`|Byax5R$!
zC02MZdPmc-^wZCD6P@nypgoM5I3IoJuWl!NX7daR$yYiBc%FSGu7sduIE@VkU?Coz
z{x+?zY>{}|Hq>grIy>H`Ek(~)HK?A_Y-)2j>h#XP=updZXn2G1PN8(yQ5TJOHV*w?
z@lH136JsO3+xf{@hMx3#ag#=tJYn3ZHR&DWw#_Mz85`PL<wfHrjjr;napR_?w~afs
ztUPdR8sj{#95))}JWm}P8qM|Iag#>#JbG-kn6$f>m2GWw0kff%uV|O>A7P$!|2D4Q
z?q%6u=5l9?v_b!)gHzv42eirm=i%X!|G)j}qyFbX(hC2dk_z1E@+YDsUrf{E<FukD
zRl>BfgE=-mDLsqwV?3cgHswcoO+=_0M~sPGaeVqD9YPZy+fZoObK*uHfw1V?f592U
zV44i`qqL)`qhhgGSnY&re6WXIOZ75-oSxHaWGuF^)xIvds^#!|s&zI0tM|Xu?%az9
z_znBNcDNM(?V$X){~so8Q0e8ygS)$5_*;?%(=?YOv~M5W{oxSx0|)Dn=wWd7h>tLp
zcXst>B0`qRz}FnRETM%o*9LW0C6GtrdfAUI=2z6eAnr8##iEhrpeY}J$7sz|)U8BO
zdAk`Zq4R(*eUo@E<%*7AmlI3%Wa+zweQwT?i>5-}Pt>#LgozF&{pc<Ci2AlxWGBDH
zH=OWO;k&{wGV>Dq<3vVssuHEvRE?T-2;<R@DUScXLfo23*e-Pk8q(R|<PN~Z9@u)t
ztIZ;J$!!jE8R7p+?10Vl6b}bROz)4>gyqtLSH!i6JN+g}0u?g86wbl{S%aGauuSN-
zN09|%A<?tCVL~nmze#W1E$-jr+4#?#hMSGQ+BoqfNNdIXX}C#$x0{NaMdet{|J`2z
zhz<N-Mf|-K|KXAUdysVV_zySm`(i-8%aS`sf4HF=6fINc1c2DWLjLXn^s~=H);6B^
zFk=%6d381*5<VQs-~UP5W-ZCzfevic|5Wy}_P^D`NB>U`l5VE|$+dj{Ybbb>+ddr{
zD|XixW?-Kuex^T4lh!y^LQbyKj>oyN=hU3sxNJHE!*XU^GUY;WDK9K{oB7Y*|LKQx
zcU1pwJpZdX{@-eq$Nm2hX{$%EU;ZiVeXF6DUV=Udk=me4ZfS4G8}-R+hc>O`T|Wz3
zX`3UoHYuFf&f^wnd3kE+gt!v_`L%b&|D3df{xA8a`hxGjmgE0b%a!t@{P!T~3%viz
zb!_(6U=ov_)?`<MfY_IN@F)1#bC88)eAYq%lIA2|dkXKA^7p^?G<Z(|pf~LQYPq_%
zbpKa=eE<0%DZKw{A`gv;LpZ^#*ywjOQDDV4h(TfL4yklmDQR!>g)IM;S6CAkUFB9}
zMFs-U3-kU6O8Q+yxb7_nF;>^`l)ufe>G-`!bj1N+s!$S<d5?$qjHUhJ<+*7Pc_XRn
z>ic*?(mp-M$hug1Xcj$)xRcAdrMgldm1i~<%*T1|_LF+AM9jTSt6+>ddRz**OJV(N
zZ~2NQXKpos&FV`rjjj#mU;RLPOgBpT=l`8mzNxfH|5K@D-+%5OR3G&}50dU%@$wfl
z`^#E1r(dG@$h8}eH$&ZE4we1*QHrjXqtQs2nWvl~ZV6g?W7q&U3eum}=%hiesGIBA
za7*0e^d&>>ti|(dFYU*)MarlDfvdOJy*L2aK>znE)vW#JVWnDqr2h|*Zv6g#^AQj&
zo-cO_$XEV~)aRT5SC~v^ToC{LZH@?;DIL^d8>=@hTl);SCl3Ls{r2s;3HWmF|5J+w
zzOp9(%fZME?i5u8ekzp4#4WK|VHXOfrA<Bc1p3pZH&Ug5`6Y*1$dUELJXqWTwN}Aq
z@(M=H*3pw;`=s3*^#<@Hda`zY+G~MnlBp}W9hY)*LIc-6;(mbtk&y{Ev=zmDdbl<{
zYCl|Kq0RLJwum0Gcj{f+gEeURwlp3uhDPJ}1U9@p*n)Vdc&bV{b3d&|hL$S^@_xFg
z?Av_m;IXopWpJbBGV^)s)*r6XF!JexH5i6ye!wPO%suMdS9?n?Vmgy9<$WJB>?R-T
zu67Bd+s=DT9O^YC!@!iMJ&91hkAf7EE8v-p+ZiG~rmvDV$$$6p3UJf?-$7+b{;M85
z+J8Ps`a19bzPOCIjgYrWXsqN2jTxEq;U6OY)ko}sUqr5c^tkq|<d!cYH$Nx*YOmA&
z^6TUQpUEZ0>i!<gr6%D1-)r4>Qs@6kr`hff+h3@SP3Qk%CFB3SQmH+j{|}Rz)LZys
zf5J2CIaJHl@~)zFp!ORpLc?)D7GZ+$VgC}_MZ*|in=tN^aUk}iv<(lK5b!|JMwv4v
zF7g*Jq5hoh!WH2&puYT<2HcoaTRkHo)ZGQ-WALy)C!AwjxrVl}4Sa?;@EL{)bsTy{
z+$mVpwTYxpveF#$x{U4c9i)+BKqnzK7PT?V1IEF}91&N7L}Pj>KItJaT*`@scY)6c
zlkczvfMjc~ok7JW%yJN!W51Y>0dbRq5Mto@)DA3s??`~^m|;^Zm}6H_aZ#g0eV}}X
zeV8MTeS#bo53!sV0WyiY?oSsJSxtPFCgpS@|2}r;m=-NM2bacQ<%ko`q<U3CqCPX`
zXaQqs^=<>Fg4j`?VX+cCpUx@ApvHqUu(3}ru?-WS&eaGoI^kDhn!{DYJZy<&1D;RB
zV)Dg;an;h14g!jXF?!P(!m#&x^u94@LuUy6LGN9s)o#J74={SuhGwt-VbD2#GlDn0
zlU92$ghsao&0cpj=)5``^#((u&=^8zSdbqY-4D?Iu|H@JhtL~9=d^#)X}92gV=!oR
zN1gU?7dqYM$yuw@J>G>^XCvtLM#f3!v@>eAVAR`{jV@P%-fK8*51MZp-BIIJ=cF_G
zAlrN08FfWluX_Wd0sY2c)M=ibGzQQ=8}xg_Hi&MuI>Y8kqjTDB6`|9GZV%e;+T9Th
z-!x86(!Df#@4M}RKt0(-c-4lJPUF={TQnp)+3F11&5`I${8zKnYIjGClU-xjZ#O%Q
zlU->4*gox_GzK4bHOyiAhqHEf)M=bRt8v;mZV%zvh7suxdd;&z`&6LZdkw?0SHn?f
zbT(?kaj(~s<E$N64*vlsy`dbevtfJJXf;L+*>Hc*d)*lg{~`W<bvEqCG3#_k?ZM!z
zKkD?l&*4q)efwQ|0L{kPu-%e_+v|$18lyMu-r$1(D#k#L{Vu$J(;mHP55#!Nk!pw`
z7>)*=<|tXLH-J%ZFf!skLbrW<(m8H-n{Dy6C!oCV4BOA4G3X3MfsSkz-Zwr#?@V@C
zOwrk}ZOA_p3wBpdBy?UwqxG&M(AI_fz2UH<mx&y*<{LfS#oO`@>ii$H8?DoJac<x9
z>7vqx^Z&3`T{{0C{l7m@GQRt+OF6E8_Z^I880JW@(J=OrYt4W#N!jP(ytMHpcBm)s
zh1BOF^d&nh&wXF9w&K8J93wkCCo%wCpuR1R6ADwzfpIi;un?V;IA$0-&`O?NhLQRy
z4pA6N_QXQ2I8>w#6%dzJm#khYIT-nFbQd82b`(3V01VW-CIOKdMx_XEqZ?1C6f1jw
zH>yQ=gPl2C)+9FiF#{OJd#r=eK+;ieD6q<t?b@RZYXmu!13+9Z;nziD)!N}pF#jbD
zgFs}wD8DF+49#+R1n4F9WoPu~%8Jj-FkUSpo1H5)3--cAb8$4vcpK2^1H&A~3qW8w
zG_Xy5=KC-XBv<9jH)sev<fA#}YGwo^CI;LB;=waAfdvg<hAuG>{=9Dd`s=S_#AaZ~
zXJO$06y^0x(MgO=r+-x2FIHYwi<SLi<=_Q~s@W+qj5CIPCMQ%&PI?3->#_iRO&Aw^
zPGYL`<pn&`OGnIIxp*y^BNty`|M{-`TLE(LCHB!2Gc~i;4EdbNwWMZ9Hd-`{f5HFz
zfBoP8-~aP}inFR+53v+YQy&6v>LVe)YoLOw(XZsdrdKW}bDUb>9`+^AXNT|WVh{60
z!!TZ9hh9krRv^JR_TpD}qPiS!)s)5%+XDWA2L8G+sT)R9EmIWBpKvATTC}7<Mwg&$
zMgzwdTPbb@Ae>_(Qu!YxLzo!hm51ICaXaxvhMa4SiD>syX&A)<_KB_hio~pE>}XHU
zTVz-!+5aozI1vXKk$?zC3vu{YKKy_F6WYDkhLB~XN+I;aSBHP9ahxOKfEb&9g`fM8
zO`Ix%QqK7P1%?19`qr?+^)(Z#%Eum!P>ON@*>?DBUM;(jP$e^qj8m~dwJ%`g5hi$R
z*-R(7C(;ds+eMLwBtQinOgAwh0H!GxDGm5hrCcsEFekaArg!NMoJC8X#r>2G7->Y*
z-oUz8G1Cy3X0$+#68PM{c}UWvzE8m+7IqnyL|SI@D;kC|f-AIOFr!zBL}M%97*c4j
zfL1rY1F;$ag*h-Gj->Rd>R)m&M80l39-Qys6#G*gVReBQN@7|@G#94WVYvf=7z8Xp
zPHJl<n}<JP>SGTI;Sd$zU-?@vB=yZsso64&KC&**RLrGloRO(3{+=bsu{ehUPKA7G
zL%_u6W5Q>_7#fxe%V9KCNkKCMPaHIgQqBX16VJgg4y+5z83<}?i{m2_o9ptd|24Tq
zOdDVRx(mO00h|3Q!2GIsl~i7T0Mx@SwgF9%*ltlN!6&5Q$rJY1U4UOXn*JJE7>R!T
zsy-RDOcl|TEbCI9S6=rR!nfiUoeKs-FjsZs*G~>&{G6ldXY-Rq=X1i(XNb){|7sYo
zg}CpUo{#4dXSOSrIY(0gNVMnq*wo*4VUCe(nQ)jP1`N-UE6#s?yoyg+{)RylSTLE8
zYj}pQi%==nisfAiQT}QAR^|Dw-lieq)O8k+K={{PvDBnO;)*cAR)|szV^=UMiG7Y(
zit*Iw2<or{XADiTTxL6}feG;$2eH|5>9371bBV9`u!;cZ(s404`H(E-S$%t0)Rl8|
zlQY5C0Uu9%%w~Wt5pg63t*RuN2s|5cEDBpQY+WRZhRn7q%rNq;nX04D3^OXRrnWk{
zbLM6XxL}&HVhrEIzB)hi>&mIislTGMnxO5=>q*E*FnQ3fK6Pz;S;}-1D#h#KwK#&4
zoYPGY;ZWL<&Rz_oqfRP80Ub&&#J=QIkSJfUS*ol&2_)+xO;lixtQm3ft`HLB5hoRr
zL@Dc70(^ai5LL3N#Y%$56*QN)Q<Kkd7?x2ZwgXM-IA}~2hg)if3P9pc<*9sy9gEH}
zh>@FMY>$z3Ayt5Z<4C?2GtP?8NgTz3`Iq@}P9_*TF!8ZG)_jbt83as7e#D*7e@6n}
z*A}S%VoB+Lkms2`M)n+k2_4V|{ZH+%oYntS4=a!NKM#^LfiaAq<iEc>ldo4xrK_u}
zc>h0_%$W-f&vW#Bjft4qq&9}18mRdTM0y1&uMu%-3m#94Ycq5yIX`7tjs5W4z(SDq
zuurh7FN{!lry;6M1LWI2A`TN<evAPlMx2EfI_;v=SQR`Sz7w!JB`(Ikx)O2le2xkN
z6~X!2RMAZVUcx4>OD~m5Xo0z+H}cYgI>k`xW`N=j!-QH={$w=9GU^9|s~MGKSujFz
zr=-N5kkS3X1wQj>Fr5LDS_vUT6HWx7=7?P|V1YGLe2?eQ1#zdl0MZ|_{8J1P;ey;t
zwS>IxA$}537IA7e=7<P+K7qi6ORpSkPjL}mt2-8~j}O5zhSDzMNZU>BhJ%jX3H2?}
zs5Ip$S=7D6t{j=Ly>UPsDXv8fIT|zWBgwvlBg3l}rDT_qX~9%#nWhpf#iahUQfH?Y
z=&Cb{B&wNyqS|v%*G3BnJh7Mra}+6&<d|y1)MTY%QUfFgO3R*1@XnksKy*&toldBK
zg?zhc7#)`r<TwkZvv9GJP#ESQ)m!4D)^(hPx(@X-R6CT^<4aLX@v|xdts1JL6gBTl
zyO6^!rldjB+^Asq+0aVBOb7(|*T0c9$MTLaTP6xvAb(Y=wLJwX)+42OCeze$z2omo
zT$Fi*2#-_;*##E65>+|lgz8jGRM=7duu<$kG2w#W86!vRWWNZ;XeKwVkfUZo9Fs^f
zLD#4|afro1sT4!4YPi50GACSLa|<$LAs3LtXr!2o@sq^Kr;=}is~L&3@CK97IOS5J
z6QG^|ha7o@>T#xTeqn%IYleL|>lDHGDY1T4za`fmH%47}TZ^|;w3({qYNb>umo93y
ziCo(ZnOylY#KpYyJh2crE|Mi4IA=b8HWD+sKbOB5=11X6TWJP;G_`zzo&qK&zNEj`
zYvs7k`n9-RDt9%iLb9ctD1%4w80How-chAo+^ZEU<zlrQmr1G0H^57kwZiW)+)7!@
z!5z<k#sA3#dSC8-meL0PuUsu>{XbUsYx|G<-$SI__x~~k@&LKhJQvVvtwb*%)z8rP
zi6*K8CC|kV5-cyM!(KTIi?01Uhi~v6g|@Gj)c%j8>@PwBHrfAG4-PZ?zg9gweBA#J
zk)oNe8zx*LpP;dW>lt>=h(g(E-^1ZOWgWO5;K%@{Kv=(FJL5w53Js6z&~ZtY;q9V1
z23(wiIFJ9mpn*^QspLihrpns45LO#v&gG*xGZX>r!U`<=aYVv2rV6n{z``Zeb8*dZ
z<F`R>73;79MeGLi6ngUAc8s5f6xt<&jJ+!cGUgn9TGiw)3H%iw7(z3lrx{6siDD|X
znSLPxTu{He)Rumv^v_hZ;MF}R-ii)Ki)CY%JAJ`&t1F?nx2b{nDbwb5Jx(FLiZ#3C
zeDyA|Pizcb`6yNL-6)N-LoRS?_Eur=<);r|%~)88FbsE|NFm;+A^B-VD_iyUYm?3Y
zn552s9nrKjrj#@8Bd^G2_t(by^S`pUzn}I0wYT@^|K(xQ&VOk?6^6ku2NMU^6g=YL
z2_lYR5OywC$T?BR9{B^?&z{34X>SiZkTyZn)<8OdwWN7??(qd=B1VXs(hNXaYRvFF
zG?vpf5d#E1W&*6XBUHLDKX66Hn9^{SDny!%qbJWon<QyiC;{a}GXayrZ;ZO|C;aw1
z6pBK&`RV6^iVpE};g`a53Gk%dJs!O|dh%(f+4!v5AQSir3QyFR0+>?{g-W?xfM5P0
zFmxlIBRue3D9fJ{VkGh^#%II8){H{oJt90*b1Sz6p#oBAx_yl7MZqw3U^F8PX4vtt
zFM1~R@SQ#&+m^+t53TMnGR^NEce+1@f&Y~yl`mhv6RA-w@wr#hJ}f;$&V01xP2GqY
zMt+jonWHCZkSXhxRM6~%O71|KxlD+IC5UvZh631VwFd3s@aV}i3-L5!&y6>|;b?sc
zV+T4D9T*3i0tsaoqU{}}AsKPQn^hsz?8;e^#*OiUk~PEE23S3}Kn#-YgRujQxK?<*
zDg)qa>r-iVKwTVa-;@H)qVB|y%jLho`~wP4R0#9aMyIRem>0lA`T75K1O-U1sq|nh
z)iEZ-2$xmg$DSO82#<ncd0<{b33Ds$+`SYRN_<V^8VuWD5-6~e4(NaO>ZH>=@AOMg
zk~o#7g|z^1452qTZge{z8>3FId){f4p5$k*1gN_i=hUGfZIo6NClkn{VA0?zaKj7Y
zL9`D%u`kEiLedO2x(RaRmV^Wp8QA5Ta45?uXtoEV&g)LIF=`Lb)$57g;DcKHf&wvP
zeqj?Ip5zyl#t<=~(#C6%(Q`;;Z8}H9l_Q%sFR8sH$1yzGE#`+;_NXW+;J;R(vRw9-
z?b+12z`m(jyKP#{sd3A;r60vDT8zrwvK{0R?dX1+)-t8<(58+Nv}K!#(qWtJQL`12
z_0p5nuW3Qv{g}$-{dS|be)&o|J4|=C(eIqA{E!YLa<)fd<C3|jc2+EudxD;wB;&W=
z;i)*6822%nKjT#W0e|XHc+VW{PWcRuj-VpAfZ|V;U*zdgc>et9O$QAAB@IT4eD1-2
z|2NDp<DWMj`Y(rfa!20=+js)M9FEI7^EQ|+Ee6Y5CT?LoG1<<hekThrL5m}aZG@FB
zY8cjpF~M=WV(){D{BNP{&lUI+Bn0`lITozT%DU(ljb(avgVw@|*)IO9E;=l9v>H(%
zO2h@t3%poUI1EG=R`7f(*2s~Xf1P{N?Yw<Q)3v|--o`{=`#vTj^?kJtss*)W2UA=7
zhW!i;G9S2~im6#$A%|1C?Gnh+*zE@>u4x$l9L&kelHV0A=5H*cXkfE(E=p)Qb;J1n
zDIX^s>^&FN-nKt%tQ8G(T+?WtblTm~`IZewG%(YC1Y`>|LKu12w0h0A?ZJ8T<ZL(+
z|87PpL$cEFGT=5Nmxh*yVZ_{Shh8$WXBtux&}PIEa8_a!&cc>hX~K|$l?JpWR(e8n
zuoB$s_CuA}i)lCsFq=_|q2ys??7-{JkEiW=q~+2<29_0mEGI&3r1ASXvPM{;`-4A^
z;OD{<y{&#O6xLJ;5lvNl+y1b&Rx*lfqGD<{ZwKH4FY*9vLO@5kjjQJD-E{z#I=#GE
z*HzC1(v87nH|VxNQp1qhoEu@pQF=2l5_@u6Aj^ov`*9tNbO_)WL}nLm2_l6>dIx49
zgnI{hp0g0AoEa+DnvHtFpdNMw|8TuueknNZO~;za@ihn2r8M9npq8Y|(X-?m0L?ic
z@)~G!%Ldi;n?TQ!_m!aatC*XDPSEHS=&ya%lbh1_f7&e5r<9uk!~XqT18%batL$at
z|LyM|KKlQ7kd(Op(|-^T*&tScx<t`;dQZ-V?SZ^3iCh?yi7DL>u<(`rlYV13eBT?i
z5`T&OuieMTv^r(>|FW2N4{dDP|Fy%V_+R^bkMF-8Bz-af3i>&Ip$?yvgHC<h6lDMu
z@U=&L8Bwcp@M5MMd4Aqi#kB~}lI7I_o5)GQcyV}8o)vcEPXR+y3E-!MU-1aB-DKtk
zUI2D2;?1x>$1YEQ)oKJ3@LBA{JdD1fLUoA$el{M1jQ?%r{!ge^?xBs1_Wy_F<@5j1
z{{KOe-2csPAvCs=o2f9PjK`a?khz}J8?KPO?h^a$7g_%TFJfYXoGBIXeTKrCjQoKM
zb*Ps2UKpB;6r^2A)Mi9SdWA4ZK_S|_zdUZ<`%26EKYeF%A8l;p{|~e8zxQkVkM{o$
zlJfWem*2mSLczC@miK?oec~P4*vS8vv+sWn_Vyn4|AVCL{s%jywfi>Nf#D-Na9?S8
z|7S0t@7~5n{=c@w{~wkg_y2>WrTs6aKX=z}*v{CpmpAnO!7camBYW^bDS!Xp8|yFA
z#`C|r{QjqQ@VNgUB5l9_SDgAu!{J+U0*|EQ>!s!WpEA(Amo{!8|5wY8`o9NBkMjTj
z?3CXB#3kJPjgIg2`R}Ive{i^;_5ZV1sXm_n50Vo1|I05^qp%YN!w6hX9C-4~3Va7l
zlLp)iIFxLBS#kqMhC3z>c2yvbdMSJi)9$wVy-s&j&-^~`_XeZq{{UM>R8(yj6^URD
z#vW7*o4VLAR6S)*bySFr6bi<Z<frg0D6(xZnRb1fX;gW%!&cy9Fins8{3s7CFio2<
zG<L8wBs4FPLu?hRBHg4zr^Jn{A3_U>jP*kXON{2xJ85~+O8+IM$lq90xlhY0JMqyR
zUs3-;_CMOs`X1MeKAU0iLgi!F*numoy%f%**G@;q>Qav%2?vfYFat*CSo+llP7^O6
zC9i1c*(w{xsQ0$r4WH{?BERGZZb=(v${^Xw2c`7jrk)rh6<x8!=>>M58_k9^IW63*
zva+Wv7>!nIaP;Ku*{k-T+a9%tAy<0-rZ*hb^FD~lmXAb#`U%WG;7MmV>h#V#-Qz)f
zI6Uw4;g|RwZhE{U*O3XY;Mz$=JlHy9Mm#s#;@z~6SXW0+RDYvvWZVAH6VZ(*OTP+_
zo@DcdhmQ(ec`2+v2~iC@H2TnQ7nUj$FQ-bUzg*D9<6xRow$*-hb{rR%vvu@DPPc)T
zr;o=0I$kcGMv5>_Xg#yYHY1i>Es0!eIwr)(kOmpxUrfUYqq*{KltVydsW^t-T`M5Z
zyHWY@{n1V8=+V7R9p%{6weZTpdL6DwRWDkiTeNn6Rb6Ut)4fcs=q=ZZu4#8VHy!xg
zYOC4^qvvj#s6^S0o{}3(RQM=fp84`v)Q&~t8Q)wjJ{y<Ea&ztQ)k$`QHrEV$m>sU|
zYldTEt{O#kwn5?gNvkn@^QzYvw9ebz#;cQdOL>~O=6-;a-X;_uHkx6u5u1%E@@?tO
zTd_k~mj~KlTnu^WA~~*xJTJ?lA<qjLnz&p@#x|b{VuFvdOjGz3gVs8=PCMOm!HXTm
zHmjL3&6D0)>*z`1N4A7=tr5A~&_A=K`i&1#%Ox0$uxK(bE`QwX9iOz%2kmB~KWe^d
zoDVyrwtN_~>Pw=n)5c(Q((AoF?+<$4x10KrPi}TNC)zt5cs{ul!;Rfb74R$?_w3wY
z_fk4fG11c8q&ud$yqrv3e7Q&M=Ab>w>#F>qtDQ8?y3IG|t;XQ($%pe{>#gc$ZZ?>n
zVKjSZ-BEjRR1Rg6rM0FU7N@&p5=iWZ&S~SgZKQ;dmZ}ujm?$Ue(w)(h|6>=fw1iYE
zgYwDDlxG?4FQk|IDI#uCkf|wOKn~^*qOAY@dnNWP^hD=L$3nGeOa3o~)N6$Ur(vIB
z^!QB1#2|Cbc411Sr~SYy82?Ld)Jo`wND5QS@}H9bwY%myb*I!Gn?9D_<Qe8A>6HDB
zUO_j=|CRD#*8cynwpV+U{~sb{{Qn})i+&br#e;%jV<k+=tS%k?Z~|d;X_NW{yBynb
zh(j6vfpO|%2Hy{RT~j(a3@fP61O`NLDw#FIbHsLmk-6uP$s#;Ph|94KmI!nr;RBKJ
zytruC_Q@r7Q&A6!#*EH!9KvQQV}}(jIuDn%`qv<q=t)@Y3Xc(En6siTC2O2pbbhY#
zOV&Kz7!I9M)1Qvb-wv*-hm~pN+AaR(O^rDs+Lf{Nqbj2c)**1G0kHxnVE>+q9PQ>*
zxlxWk#uXTwVLV&>dqRB7Eb8G@4aV^$c1=~rP<hKc)=&Y@B_12cBDaW#eT%v%EP9Tw
zJ?aZ)?=oB&wPK}GtUao5{{zw{`k!#1cI!4a(Er23N>=}Scu;xt|M(zjM>?vNo@%op
z{^g?B4TDg)Abl8GGvrP&TP_^>au>urj4g|~Rg{D(Y(x5uodk}vlxc)(t`0Rr(3?6`
z56hK98O<Z)W~Gi&#_M1g#FOpDOI3P1jGwHDlf(0=jGbZ!GAK~W#hW2ObV6MwQs<lU
zTN~ms#Jnr1tk24Z;ZeIqm><Za@Ks<>F|Wg?&j!E_%+d9k8wJU$ORj4N=EQBpc~v6{
zLyKK0O~rn4!*ITD@j^MA)(&>Vd@0T4emPa~FH+xjl5uXuh=|dS^Wy-w3Aflgpd)Fh
zTKY%w!-{Gbcu^Ps(MPkKuh31evxvg(AQzDDqlH*6GL}a_a2$m-E2=qG5BTQ+<1ofB
zM{Xb?=x9%&i^a(Oq^#xRNqm;4wZt+YkPN9*QqS1}ADbSv&1k8XyufixiH)fRCDX@K
z!nnUE89O^h7STHV^oy}010Bp4164AbGO<)-z&;OKad2t<2wFl)M4To(-Z6@4!ZH>*
zVKcqC^coa0nV}=BbOeyPbhPYIMmY5sNj@SX-(j>u0FI`0C>IY6ka70<)FIZQ4xLGt
z^1hFm4&Ao}$`<t&O*xDi?2Y(KE`H;HEynaZM5a=#zAV;mgwLtyR_m2QNX<#M5yj2u
zCThil4e%SbiVBMyA@&lVx+;RDc7Po^VHHG0ue!Lq_?r9Z9rBsn{5xQ3?rhXNZJeC+
zn&*vUsiN(?YoE8;&EDy0XC&8*JW1<NkSZ5}Mc=1$%x5@Ypm#B}LslycYm-MTq7ldp
zG~t4&j#fd$wuypzAymr6vT5TnL9Y4I^beJExN@if6eWIHt;iuod{&1-7;{IE8Yb2X
zA1S}Db*Kr7!4|F+<x~X!>P0=(TB;Ud7QMs*ZS95M$06UUXsW!WBV4R3j<0njk!UD%
zB>+Eg8=7QQ%H@ijT-T*sM?zEch-@7wI9y2{wV9yjiK4PuBd67Dn~4@*zI<r_OxUsV
zR<3@^?_KH+DCN46A$CkXr;|J!rI+QhICYX=ccREDJ7N5k{c?FOf6eh+PWgVNdP-zG
zSQS1qQMQsTTiri6C6YRKsg1RxJL+#kL@nxCSegfEI;ui^BF4znl_b@rHZJXm|3+}d
zkD>md1{X~xVjvdk7pIPP5UI$j+E^!Oj2%50o=>Qp3<oi$4r0M5ctQ$c;;eZ`onVgh
zCTV9UM>0}UWIw77sy+-=bTp9dsLGuQ*my!*Z0~{&o|eGkpUJF$MKzd;+Ey?Nd6f!<
zkd@NPR2E6WGI*j6vm8MST#W%dlX_L90e%kD4;yj=$Jqs!E;S|(T_CzIVlVMsux6C9
zNK32r$x+MLF9JN9dR3q<G~N$)RR}=j+d$nA&hgv!uJ{Q54LuLLLyoMA=klZ2un8nI
zAEF}Hor+Zv#s?Z;WWV<b$352)6UE3Mf?X;f6Hz|99oKGV<u6>_Ea-oi_A|%+oVYUQ
z*hd!bW1moasI+!<sFe+aI}*7aXv;Mu##c{JL@q`rLtud?Xki{bmi(ziXE;33!4w7e
zIT!ovS*SYyQwEJ34p08{d_2Lv_)7;&7!FUwFpBbZi1Q@qz6{VEx>Lm}t}nfEB~r}>
zj2DrsRTaMbk|5QeClI<VnPS&x2uvDqP`-mg%dKQ7AO8-f@^IqfE0BAdfhkJsN~Vn#
zOi-3`IRa++984CBe}h7)**%&sl!M};MdykYZA^H`;)J2^lxHWvt|dl@D9+tOjLRQ0
z?BlQp7K$(q9YTS5RhD1X9dTX%E!a@8VA?L1p^dZ5gCbqh{idP*o+B?@W#6Mqq_kWh
zQQ|ZTk565Yp@u_tOvW1~ycsiZWR62O?IdK~EIOZKS1i;kv=HF*tp{;!e2tla8q+1g
z|H3Qm&?_Bg6<?#d=V)bG7-TT4N~A+wJoRbd+Dqt#u{)7NT`X5r(Z~>ZLDEyoF2!k=
zc)+PokW-RjJWbu6DFbOr;HFfE89Q<S<ha_ysI5Bu`FDBV*kd>Xdt97iJ|ts@xYO3F
zXNCE~9v7bL0>$~_T!<yCs5;jXO+EXhm0*?6&yD;R3X*LSB!sv^tn++2#)cpM?u(yd
zJ!lJ+7Ix4g+UxuAc^l;k_Gf~K6Zm*E^D&!I#}@J@fR`o|6|v-4An946q~teF$R$po
z<LIC3v5|KIS#<XAjLyyF|4sUz&|Zj@y1h|*Smf9I#%*lU{~sJ=^gq=~dH>P>&x52&
zF{02|kPeO~fg=SU7D?U~737FxXR#}T9S9n(;`WESA$8}hBIA-d@)zP<@&i|JG<6j|
z<B256&z=!Dg7QCrz(3*BCn&yC`o(a?!ROEafWQBpJeQ_{k(V+-jgz4#WYqzdXJfG&
z<$nGwK7>ma3d`%c7%HC%P=wE)%_js*6W9z)3!cj2V4C<6IY$K<IO8`)-Df^45_T%i
zC;!>==Y^*NH5VI3wFo^u9K>bV=YT*QRm9coNjMnM0BL2J#w#h~Ck9M~r=U8<wBnpj
z8`8gC7;q!fk_ZUM3U4Q~O1Zhj87A_mh=N>rKE5P0V8A%`is9_se5kWHnI^0nL3>=}
znDL?-re~in@S;+Or&1)YJpKIqdBHGh@n}vkw^VN~@PeuPq(}i24l4Blxr?x?%t4p`
zKYQ=G);O{(3eImmMJ~ZvK&`ToY@iy}q4x%CgAEoSTQay;Pmz`qTUfV}WQ?g|zr_5V
zr<*64FE6@UzF?^8wf8~&ebrdXOJrn5WJF{{Bmz`sVFe=;0t?z$!X+b}jl$k!3W2Vp
zgC4?7d>bLpK>8cdH5*T!UnJmP4ma_#XSljIY<+X9c<*>ss0}tFWMW*sAN?=S|G(1v
zVf<p?zVaww0sr6G%jSP8iC=a;`2R0?zJK5T1Rf3RfG{B}9usFpOdL=fpabw}`{jkh
zrMT*oiv{)EV}c^b$`zR6oXdPE<1NGmi4t0*J_bZ{4fliO`2hHV)p}b4du8&cVYNp0
z_r?>}w4=t5t&_hgs3%n1hEX4w?N7kB5j2f^0}<yWGKeDAL9}&JKEQq80r~L_Fph<i
z7wD6r-y6u(>4ihYN)u|Nh7UFw8)3IHVcvn&@vS0PzXu*=473quQ}o%j^5mVt?j!FZ
zF!C{+K7a&x2JJFfj<>iFImUg2*zDm;RAy#@rLb@MaZBrDBnOAfPjCXx2r0Cc6f2Ek
zO}%|JfP|Ia1O9*ch5zOAnbv5(uUT@l{!T5$#2jNHVn^wCe#tzuMMF!GTN9U?Yf^!q
zIkF_;>EFz|1N;d0J;48i2mDulbt;P(La1{?=E13XXi3HZ<MS=r83`dvuUvB3YtDgK
zR6eY;bcNKyNVc%F1X*}_p{|H=d-)4t?&z)L8QyZ^PaXR$hk^Vm?}LN*xNr^@<}Vs7
zIKO7e48wD`<q#Gf(=CUr>EiE$s3DpV6VzLli{{ui(gMS=3-s#M5Ceqy(pQ-M^2zs8
zc%fEIKnIhoc^GjK*7w2o_Ik70mg^@i;#YeR{R-op{*y#o4IDo>z-(tT?8$Y!;78!J
zNW)tRXp)Fr)c32~4$(L@@WAxb<4&{8|L}eDFz`m`?}6!`#2Mtz(WGXW=y01jiR*?(
z<>aD^EK>4_e%0VM?m)x*I2=#zh!ef$l*?HVKU4l&Uj7e1QrBxns!RC=EwcZJLMH!9
zX{WUJA^-o9hmi=DNjCEs#1`1JonYafN(nIIOgc1d{eU@ka25)n4g+#HVbW7R!Udu0
z9xSxl#1<P;hb-5{wU}@eRU07B2w)!_q?GjVPHt9+iRcGYiaeMWrV~e&^eYIQTWFcN
z1%40{z8!!akf3kUEA=2)G@O)>L<U9g-@bI=w-Mq(<c`SMbi%flzRMr{0KL5(WNWl*
zH}dMqtr0r?q-y;t-t_VO{O9%jpBw}&&-|D1|DWRj<=x$n`2Sz>%n^|madgUk(*7cW
z>3?wgH*@;TA%zAb=8orwcw8p9HIX_Y)}KfhObE>>LT-Y~@bA~tKgkgi9icD71Qy5t
zh*|k>uk<1R{gNk_z^OZD6S^O?{NA*TsVAalqQOHiDEfl~@B>3q#JZ$kJVgQEanbEW
z5k3c)#IW*wCMckJUy2WY*yX(XGl%~n`2Ej#UeEuT3F{R?;9~i&Jk9?<<iB6?yhZ<y
zjHDmh|Ign?687%dy8jSOiosJbt;{nI$`2L(<4HfS=l|@i=N<XKxKo<q|GOXefBll@
zE&M-qqPP{;XDcLb;$wIC*}FsL2>G?v;Y94`()Qs@Sm?+0^561Vf&Yhg;H6DK3;4gV
zH)a3XEsG!dUw+B+VgLEH_8(Rv;>YxN5fc-$$7Fzs$SecOJI(*=>ECs9J<5a7BY6-O
zaDavK-)@%v_XP1H|NAd_GPIGC<YG#Cb4jT9_M_NC0SsBj)pW%V=JC$VgY#Xa9gyI7
z7FSKcw_u<RE)w`%4Z{oZkR55>T8Tzn`Va&ETRgAl|6%q~c174b=>NM@{C{V!{Bi%+
zFL~C$5f~t-o5=UWaC+jCOQ$!LVh;ok)*ol7@-!4b$@G%}{nPH4(?R?Bd?u${nz6>7
zljO(8R`VV{2W0xA9f#TySc2pF6$io$(DkbWAUQT-xniP352^HoY=5E2WD<4+{32)I
z8T(O)yQtBGvw2RVVePPST8!QfaYYJ;4WzJ?-cwguH*@Fq-*x|6ng72cCEz0dzf;bh
z|CP&oANl`&$&<_f<AfCzsYTLRcsffT9VTu9?#Oc;ANfU~_%xh@@r+a}G*ltAi>$nT
zfUxBvG~EF#W<1YmJ|R>X*&c%Wq=0PQbqqW3qnukGTf@6*AwPFd0KgrQe0Y)*$aq4J
zblpR~kNhah(@$pEe>G|Tl4k|}A18@eau1l#|I0#-{9pR=asKy9o+LAduIq2d9GT5?
z>%)@sKg*I6?W58vkOL5B>djB!g0}|NARAU<_29=$jd0a5{)*ZDZECg&yji(~E^DL>
z{gK6zBod$uTQf&G0yKFCSTDB2+t-evkFH=a0Q`b;HGT^e!4KdMU}<;HA6YRJc_;Ug
z?lUvt=DcJ21Zv|3$c1Z~2VInqqw)&PSHymRZzCr_v-_aQMf0j-G)+~Xnv`in_Cmu#
zrc8R)bGr%2cDlQ4uFANHoHUk6ac5S=OwU<o-%MuWxVx#G#fg!4(C(up+K7cU4Cxd$
zmVz*oN;Rv@&&co!(m7odh|0DXl}dsg<zk&vk(Eg?l2p#tMV+#OGbRc%zqv^#lVKV2
zN+zZ>nQ$<{a>7Z{9CyOlM)WOA6Abu7f0<Ox#W;O1czHRPQ!s#i@bbcETfa&q4xUpx
z&M%zD1_00;%YwFkka&d$$NPh1kI?J;Q$-3IpLz8o^&8MTjZogpCoc0=a{=StWb1*t
zW1Exh#0f3f#@kp_CiyAd)}p}ksa|2+9}Drx_QhT=QCahXyviEMUYdq6bmpG}drr21
zO#eeP(G4$#fjOaOVPLPb4Gb(t2YZ6BOz|mF!_Onh;@fmab}+R*D1D3_Z>Sqyre_P+
zxFWkw6xp9!eTuTOwWrq1oMz_3kwO7Cb57>0r>HkL4`7%FYA$wPu^Pgz>3W#ceP+Qd
z0wK<eowJ8y-dK!E#Cy0{%G=K3%=qDx!zGj1_Gh!mRH<qHn8&ROg>ao6=B>CXmO2xt
z1Vc^t`jcqk9cLiAgJZ!QEI|GYtk2j<;>;Z`LSEq>L+CA<tT6KGa621_HMI#bed_Ra
zs?^-=bQ&2mCmq?3`Ewm+9Bf@3om4Y3PEs${JjXi7d;m1LnT+nIzhG4@WxJg&Kq}Lf
z6smp2C^=#-lyddzqJDDpwN-8B!I-CIvWr<}F`#z6S-n(dw8m#b-ij;>Zw9GxYpwJ8
z)z`XIU!uL~D`jT3+P-LgZC+M#r)4U1mt+!uD_cHN+GjI{kXGwbm7?1;mtQ|LFyI_b
zW~?FFGXLsy7ko}zBo=z)qx_wlLLc46{_i`2#Em-Pv)q|zcEl_*)2rt>ncwM`<0;2^
z{q=L5%}ModJ&GCgohyC)dV!b3D9^4t_4z#{+_)87Vu?0VwcjkDXmix-6)cnQDbuVj
z8swQkRp|L?NQw9`!yZaX&yeVH*Jk3pFN?<XxnKB1h`&nQ`L^W5E)+Uv3WOAvh2lD0
zr-yU2{%j4s=fYrcn6pIbcf4#`C^&qDOj9Ueq#kB5LqGKlTmNdfheDD3x2l9tDB$l?
zFNa~~yG5$`GOFWTrL|D-eY5H4=y0Lv6BQ2=?=3cUunJez=A2x9i-t3Gu|xczr_d}M
zKe;Op#H%m!{xue(Xh5^xFOQj3urm`wadYSq<^jj+Jt`EPP~>cGxQ5-|*h=q{xff<6
zmPKkJiaDjTP-XAgnAujkV78g*t2t&ilr5TV%AIKvPPgOc8-(dIeF4bKcCtmY2A1p%
zD)IBNv@^~9)TN!Ci8rq8Ok;0Y+?keEU)`C8R$tzkhUTyD#RBsxGUt2Cy{{13zkgp+
zHOzOJ1^M!6*v<kuHC^m=CqwDFE1nBY8Q=<9=Ed)Y3>LS0hCO|sdAdv?Jb^EcJY%tY
z%5)Ou;xx;M+oTs|78ns8=HMiCmFC>0Cbl-Wq4@sIyk^FzR}7GeaPdijh^w<s-DlJ`
z$^D51NFDMH^A<<i`5Me2!aO&I#1^r&;sHnIBjy*EwmC^$9U6C^!|mUwNzdspW364m
zkoRG$`M0#y%u{`**e{q?eP>b8D-OfLdP^wAGt7$%y*9u+&kZosdt+Anxn3MUT>;DN
zARuoS0r@)#SaLT3KWRsy?FPsX77LbTVV+nf3U~#@SjIRfw}^#vmb}3?1|)T_Z*mRh
z_)q0{2&H-mZv;-b)`fQjzp>@S?ZOGioWzyGuWLWtzH*&!GTs4Nm^>l9^4^p!Alqri
z1UsWkcK=S3+$$@5+1-6RK&g(GQ|xj#Y|6*yfx9E5SFaykvcF3H+$6{u#<JuNJkz`3
z=ME*C_HE8UX3H$da)U|5@YuEEnR&_4UQ!jZu8x`ex6{a?baG-s!wQ{Uqxg@kA267q
zedYSs#{P@zLp1pe)`^q=4i0An2Gb6p@$kNXCyijmhR6!6t*q@lh2PlqlYp4L+8X4#
zSWbf!*Gq#`pstoVdQi?xCxn2wh4>Qq)LNt0a;JSxvrzfQGs<_doj32v8^5P&ZK7}F
z=BTA=r-b~xtJ4#0lZ#a57oR)SG|;J*v+l&~MP9G74F^-C!&>>P13hLu%g6s<nIkST
za)}VKR2Ha3`JZ<8rt-h+ls@ABf64Qg<bO)uOZW0ph~I>_)4f~F&x&FWS?ie`P0^aq
z&(@tw9ywXN|LO_PJa46c*U{ga|7}Oy`;yK7R{FUA``0|V^nc~(|0h#^Ug$YLK&Dmn
z2ipV38S)2!EPi(E5JmIl1!{zn0;zECK?`B|oCyrf3a{%U*YN^qZuel|9|*;r=qP{6
zictVPn6O`@>=x<h2O9bClz6j7LPY@Xgxpu_IHnKM;)~{jf(*7tzDF<K+cu3JdP3SZ
z*e1mZgxe{lIBV05MvTiRnoe3x!*5x?o0PLi8cA<-rO82Lazyx_BvOM^xf#5jl}VX&
z!x7Y!iwoj?o3w#P-kq<DxJ<X4=hB<-8_m0Xe5wuRblaM4g3k}?<nxt+McQ)4=``OF
zajvuJ3}f&-L-2dKXHFZj7dn>y)zD^))icakZ=u*s4I(JbsFC>gI#W?F8w%6U8(PXb
zmp7Uz3rOAoa?EINkRF#A^z?wU)};3_dl><;Qig#7T`qZk6EqNa`b(lpHV!SWLcgTu
z#zQ1-B0LS2&?EBx-K60EbDu@>e-X<)M&EWkv~nK{_5adtTK*Tm?0)3`|25AVxPn1|
zJeu8)PBa(~kPUhx!_*DC4_v4XVITQLZVj{th7bIaOAb4MKR~7l`li#PsVfY-{~1f=
zFfbkw;R=cO(AK#%V52?_jM;QObZ<N%ogUo$ZL0__ZF2$~o7BW00T+3|G;CDlij~&a
zR^WJuTLUMKWjQubPg+=Z^|@l-2)4<;6nw7Od-k@;zu}8Pe;fZ3{`4R1?YN;H)P^G$
z++$sy`&9JDF88U}gG269F|b_j(|>VmK!u*+jC@e9RDG`Kdd>sV0<LK22yWAIp7X$k
z;e~(oq`u-=ME{o^sVcYL*2g0H7t5LZKgGTB&d2>vzvO|g>p721|0;ly-5(j+$Q=3P
zryrn4WEcDaLW2qCp+^Iamn-{MkL%-E?pZ|ta`mXvtQIZ(4Smd~|Go0w?oO8ezlh=o
z{r`$*4Ujt@E63mrnHC_%IF4Ie16LmM(6^D{8v*h`1qIMBeUAGC&ZD%8KrHV6BmJg_
z0tk+->OKfH9S3jf#yz;pNf&+xjHn>@30$e6XaO9Xq?8=lI`Yg3mO>2s-h+PNjkI9o
zAp&9|Ls=5QK@hn9!S;4KKcwzx{<h}W8gc`F8}|IbgT&j0ybV0ZG?C|TC$ii5+f%)q
zz()jwckX4)G%SM|8%d9365<gNnTt>;Ff7+Z7P12$K%h@-Xc-zb%?a=|Xks*iKf>u`
zGz@$c{J9wdi@_^~PDz?$ZClVDL32A81&(Jxb6ZEQ=}bZfP{15uiyQfP0ur;FK#5O0
zH|w?$fY|a`B*UmvX$aTFbIF!g+X=HUkhgSPL<Gb?nMs$Z#o*4ukdPO52OM{IcZXGU
z-!Tz~wGuo;2S8m1en7@PJtYOo*uqoaV&8H4CW5ZvlhM;=LU0NN(rer)Yd422Vp!-@
z5tG4)dKKZRLg3ypO=nC-O`tLjKk(^T!@~Hr3q5F|0C_%e?#XA?4MPb=YcN2D7dn$r
z+Y-j@4{#M$2D6_Zpn`nOGYGxSDYwjn+oC|csuuSH6c#^VsZz^5tF=WSy$h%JZXO<_
zk<~*Up0da|YS?V)Mg+GcPVdTdx|)O2yL8B4ZX-VcUW;Twv*q<#_)?I1zVKRD38d2*
z5oSPJzXx}LH$ry+S4jbDq%$h$BM%c-lt{$Izg|0@duaM0;xL@Kn^U&dm7|0B>Kj1s
zzIi29A_%^}yn6C~P)NNg(56}sHv#HE{FdhjxFeCLuLG7qn$0hl)5H%z650TFWSY#>
z>AwNeKmJ?|r!zAC+~q(@DC*wv2uX!IM|6s{G^DZal(<))G&XYt(~t(RKL@7)?7tOI
z45?6j<=p2%8b|u%;grliy;Udyu@NM|4F)g(i0sFPKS2HzNBaTp>i3cpTzSYx_96;N
zK{`7t-dz^b)a;Y9RJx~U!CipU-pHTyoTt~|H5byH1&}xUD*}ok6^o_);_J4lTu5^k
zz`WUiEyQn_{p?Y4E=7g>)QDHXiq8*lM+kmZemaBbXF!Tq!5bhg7xz}9{W(NG1JdLw
zSOL;iXFr_+c7|+{OcEP7pog&1fpq+LywU2*Y+P^H_h&@rr1@!;yo>^L2-%>gRYZUv
zp*Z$-NLj+wG^8{KYrT>n`PXetNl5qi_g9lnXGJ63C0ZxZN$&yZyF<zn(cXovzu)tQ
z*^hkF=W!`4Nrwd^$91Ce5?jbCWWcvb(lY`X?vkxXddX)HmuLP4Kr^9X`2c!|-It=z
zhjdk(&h=uyW369JfyYW=F#Xqv)jz=9>lM=(kR}2iqIEhADJ=yo5*P70NdJ%#)H|LL
zpi5grODO;|aB4hfCMOrC#`8*hKbED0Q{!D`A5QI9xj0SiTCaq3Rf?LM&pKSE6=p31
zhK)BWlKKJjRoBshjgU@V6In|L^l?M?Bh#Fg3$TRpYO@4`H1@@r)j+hHhI@Sbq7~Vv
zX=Z=J?gKaq2FMQB?M5@(N?9CU3n`|HxmKwb3J4Bctqb6|EXa|N6WG)ZpN#V}fTrn;
zTdj-F!1d5Q^2ndW$nT+6>tc&R8oyZ@+z3()YG{sqf?B0cjsPxY++(C6F!GTe?XDKG
zddOQ&mbx5yz(?ji@QuEW^lZC}ARVGS!88l$5KUHvFbyegC~RXHsF@a>%w0D_K3%w*
zZsLB^dX&GF-`2{spUkB?qXmjnNc{PTRno9fiVHYk42^(bDKhWjxA%r^_=7B@`@(8A
z$xObKyfz}*zl!dt0GeaDFfj02)&c>PNd6et@#%n{g>+TgpOuj%Euo|>6CrG2T>5MJ
z1b00nu%Tr{MyarsdE93j(p()iYngZhpwuq4Ula;D>KV{3>=(S!V*KVnnyaJEvP`T3
z@f&p0WEO~-6m^Anqqm|ngmk|ozE<H+LkfezOh^^^0+1_j0*3(U6FR~muK?*b>+%)Q
zrXZceQh$IZL#6v>E#(dTbU{XryMG^je-@+(y+23a57+Cf)oCJ03*vi1n$Y{F_5GCr
zeHTcRNujdZ34Wd0G$F7ZyWk<;b!;M>(&|e=T7C^J<v|)}otm~u6G)+*kWJZ%zu^NP
z`96JPnsg{VbnkeW;)0Q96B*kE$nzYJ;naE?q_Z!_y88i+bh4etsuRX*LJG)MnTyj^
zDJmINGn1btEE7XCxi`#6jb@%E3Fn#xeXcH{5J=|=(%=U;XOgdB2gtLbxtz{41JYG3
z6BMUUh94Mq|2)j9ahGnreh+*Ud?pKy6=lbgi3OWF1j16i;ZqIaJs~CGK50{As`XGQ
zCFMwv((8MBM@X+&+|g7^SxCbGrN07F#sFquHHMU3W7~9WEN!oX+;@U>23BW6x&m_F
zi=vvzjB3d<zKEjqMI;rHQFh~H_<t`*kK#bOtfhBVNHawE21waWGV{))=AK7U;{uJ6
zUZ&60<<ltf$2=Pf5wMuDKZq@9>|~ehS<CjhI!+DS2uRO*D}c5RO~=k|b@A+{Lbyp@
zxlw?8Kpp9bu_9`N+SlF_(qwM6nftzkd!-Tip#cIw-#7ZUg;D*QK3AXpFi+cjUpYrd
z+XOsX+IXFD|9v1$Bz>E0>Af&~vPkg+06h0$fIPiZ{&kS9>V-6Q6=<GrdgbWRjiT&e
zXGM2}H>}h7$<FTp!znEUTwE$lFb#qzNAqhSUDZ=^VXpYQX-HWqpyOhZadK%$S3HrJ
zllc8EYCQufE%iDOV@Sn!fi#<XJAd|BsTF7cwJLNzr0E3c(aBi`((pR46_EM^-0iOH
z(K|Q8I<=w5VWBsZ)SG;d7p17bn}&3Cl6pU!=8@Diq^pzE8z^c)Hv9b9U!A1hKv8q=
z6bMgvvyiS%Qg47Xy1!_ieA+?*K=z~IIaGLhgq{I=Ch}t?1RC}-roT5xD2bcrXG<tY
zx^7@02AZMl7tq+3z=_jAF4yOZkaC}L#P?4ecVwEtahWzUfC12vi)@{QekDSDv}B|V
zahdT)u4@_yORr&eo`PxE2tcntqCrl9!`vnHyCOKAgrP8>lkF168=shLEH{`Wp(}!_
z9e7ymwBRJxlO7ESNDE0NCJi5nwJCC3%SD=TKLH48gE(Xd(1<9~M4{lL01VOOkkt9(
zbM)t*chN}5K$5{mcSVdiVh#(8M`TVu0|;)9nio_lB6##k-v)DbrqMsqx=e%*Y0$=F
zb3NzLz{494a1%y4`idZ{2x<;iYM|ws=yOg))$CBH!hINjG=Y}6C^G7I@aa?Aa6f%I
z0JqMFKsfRd0VIrO`XkZYpPPvvTO4<3YY0r75g5Qn1Ta8lBASy}8*gOWB%#2Bwd{@P
zI^&~^d$G1gbavhFh)Om2jB%q4sHxeoedGlIQWKudlxNp7Ea**$6+jyxZOBw=%()<0
zN_YmGQQ(e(B1?xrdt+`Bj0niuSeL68)uUFG<bk@&<urKanBoZ>Pe&f1>yWb(uNW3i
zca$=ka$K4mq7cD|9zaecATeZMR-CrL7Bh{rCB=o-<9NBpB#<^z7Xg_w_H&*^8bdL1
z34Wo?B`hbz#^O0nfal=RFi{`Rw;y`e73sl@<{=#e3Qc+v7k0!5Jfs<&O}aTLX6Y<r
z+lhEXNIym5rN9h7ITjvk<VSuK_!~Dw6Cd1-h*c4TbQhZ8?mpACkhB$3V3SSUvFp_C
zih%S?I*G?k@WS1XOcUIB#M{$Fo@J0T6Cd<O0WRwyKky7Kh>bvZ1mZiAptgqz7y}WV
z6S^bMb$sL(K|Kg3n^?30hxLnDWw_yBh<rLfmg7Z8){>AENn|I>VIKlP*aOQFLaJvB
z|Iu>6%mId*0PqdVFrgQ=5(iXn`lFs77{Q3lALEG72PBDs>lrXWTQpFV^vMlJJ-h~p
z83z=M08I0%f&dEa+A3g8^d2aT*kl*n*q%!7$BQAagjgj-qiE2ChZsQz9UmZ*hrc0P
z^CmQS43k0H3k`1(<UEH=3Yk=l5W1Dd^D=Qp9&pAsI5`5n3A0cccAt(r<mQfxY~MFQ
zAK9J{K>^de28(zFmV}+(qVFF11`1ER!agY2XbcLJ%NB4sR=l9Yi4R0U5QL~1%?m)m
zAN3vpzkMPdS`*#Da#B%qES@6c=spOec3kKOl=Wkb?d@PJICxB(cN&bK`VoFDjD@=`
z;t>_ncg&p0<<frI(+t`=mvHDRf+HQeK_cGPf^I~C@x0?@Ll>4$F*mVHE~;?A#hJ57
zrYpTSbq|ysrs;AsH&^<;8K&B@NCNoSp^m+#mzZU5h05Gw7GGMHxMgPQ*0MF~`{w|1
zf=8u6(i^Zw!3bv89jiq=0Z*a}C;SfG7EWS6G(WnyhT#mCJ78%y$sLw7Cz<C9Tzn%4
zOA$H>29C$#H4mZye+upzP;9!c3D}H8W&^tx9&+F<iYC;@>y>;PM);vw`J<aD$r@~@
zHd59Kks547q|+!gHsOEgW0E08KRt{z4Qu)+7`b?#zRQ`8JJuG5+e+&U4(&8-H>O|=
z!J`4wl)DZvRs7Bfw5Zwl;D7(`>g5IZhljrX$$9A8SM(GhoAUod@L2xpp>Lc{H?@)B
z50L(qNN<ODDSVy&Kw8Rq|0nkcYYqI#^`LKPCywn09yNy^f|H|z+R;U;iZ?vPhke|G
z?btGMN4i1g`ZLgtz7asPW%O+rj66gnfvT+;?f`js&N<9BkQN-7^t#hS@So5ONdG?f
zNA%~PTt#XXMQ{k#&n{bSEI*0UuSy(7%sR;9c64SUh8GtiERQfd{4p+;sHOQ{lD|d$
z@qpz!2Z`xPG));P>A<iPZT*WT`#U)T>&;8)^z!8BL~i5XxZm*AdG!{*V)7gE3}}WG
z6OdufOE_|QZ&v_?#8O~WhhGsPBMqWw#qh8-7PlB9;dc--m_(%*Q<y&y>bjzO0kVB+
zf`S2A<>*NpkSh?V032fOj_&_t=|hds`oQr6vQAm1gG6cZ?sMW->FzT?fmWoF5R9d{
zs0p8RJ%*H}5at$<zLPq6N@PnUnu$MfMy3vIXH3*X%!+Ue@n(-$3tX6;As)wFg7_00
zBu&m#vLLrmrY^7ychSuClu?uHrpY<?N`^uQb50rg(KS;XaSIDY_V5@r-tegYL(znH
zMxxv%wno>{Lnl2inC}A15mCl_#OyJE!N|vojBY#{I-cT0n}&VwcoyRli7f><uIcoB
zdh8kotRTBjvc8dh8CoXCdc)fb+fAbFiDm~5HzwvFdjNbNns9{tDNj~XGJyR9AQbnC
zBHh6gw-qM6HMwwe-!F-KT$tyQ51kKryz?a;v<^Vo$M0fSr~@G4oqD#*QDU17@ALrQ
zU+CmEv9O&$9B}M7ze|;kCr<9tH-f>4rgd?Vr#Uv9x}<6=UJZ}XAQ@w*a#=yh1-kKw
zIPMr}FjUq_Oa>t^=%LWCV@K(E2>EIQ$454G@L`sjSYl_k20v8)xm+Fij_JvSQ>2X)
zz@S?+OZbw=4rBP>&O*LFDGVmM2k$<U{d7#}8Bv+pXK@iRK+Lzy^&AZ$-LU&q-DBM`
zUET*hM0kkrk1Pbr)XCeiu{N0`Zbl(VE&nh9Qb?j};Dm_~X9$|XAk_xJ8<r{rAcE3A
zf$o5m+LE#%6mk@pbpvZK{s0s-uo1Ew%sUQw*E8(k!FTLUy;r1U+9FiCxwXY_;J$1W
z16hNHiPt2@UD}9fg|Pv|b4-%miR6Pc;RNYK`M`{WoSF6}2_r#-?W|<;YsTvNMZ<4m
zt;0)>lM5+_>Z6Zg*86gCuUO{7+t=_AoanOpgY9jx^o885E*?+`KWc??y-YLTIRJRP
zE%`h+0DsWb@rfl74N55Hye%?=PSJnVicIV*k~HkJbN=(}2F3Sou(VQx8~}gfMtPrV
z2pA2#=L>xJk|p}b@5|(!;ag;`@EgnvSwU)Wo8Y%ZwIQ#Wb&fRpzF6fMsPEh=apo`_
zyRPHbFNx?|*Ejhu_w*6ckH~LPVBpiS@7T0_%XlWRiF;qZd?|^0VTmU4u@sI!A5Q{A
zR@}~Sw4tyJ35-03fi{R*3BM9p@iv9u)?1eq7@$qQB#3(jVZR`j+k$u?3I}4Txc8gT
zjRETz9!gB&4t;OfnfJ64XGr?w*p5c*r6vmSegJ%gm_3$;RAG+JCb-CP7bw7muw)h>
zKZv7mH7YUQGj3G`HN*3R&tQzwCf!Yzmx;3SXg?XFkgem*O~9Sfa~?c_TUn0vI`)*X
zCFQbUVxXo#Zhjx4iFg1uh!soRc-h+G--|_k2fSS;y&$seM8MGB!3!ZafU-!oS!4D_
zHYgNe5MVCf>p4%LP$1G4l~NDN#XV3cu=L)CB(FCfw*7d>r*^~?+V}(mrw0|7=E+u&
zvpXPd;4HN(tZ#;B$ISO|i7LfKWft!&;0Ne?$PE|m)<1!7VmV5rI}ZJK<DVGs20?h}
zuEki#Hb!cRx$s5D8dQ$P>+%W_FaFOg5C!TJ#tXUnJ<)h{$KD7C9mU2|ENZ$~4)Z3!
z^^i|?Wn^RS#O1R2pT|{m+xoTLiNChH|2fE{4CCBjX&RHqVq?NZpbsFh(U@^g&_@AT
z<7CG}dT|C*(UFM)%6k{HQ;x&s^2f!qrgREvg|-Vx#2$;tG@10D$hHaMES#W6tb0ZP
zM(#prLBRw(blt;gFh4V`B*W(tt@Mdb4GIN<xdPTBI9w+0oL#OSRc^^&t@cq{X~pkb
z?IXF3e;=JzXRHPQgl&;kV9W!*iy9aFUtRIbG8OB#5gZ8Hr4?(6nVO|HRQ+wKfjWAW
z(=a>WvbanOGG+GZnx)w_#rZX73|L%sUf-!=?z}Evb82$lP<6(vh)d6FX=j-h@@A*B
zJG<tBd7Uxf(yG(*P8DA>uQ@fBot$N=&Y+pn^7A@lc1nxqb#Hdf#q-K>#bUld_8}py
z*d37rP9l?)>!C-(8Tsaf>4k`#CcjO?6Q?yi&oBBWd_<SS&8>feP|LeFY@O+N-~Y8v
zR4)Gjt2!?)Tg7|Ft3qwC8EF>ps{4I4GRB78FFo-$p(nyGWl_|H-|kDj``(`Th2Q!N
zcnl($3aW_mp{}^Lwgy@nG!47YaqN%qxTJ^mWgGUX6_7f%joiKmb#xc{SQ%lC&e(}z
z3@1g}aNX9?6QWXD6B>4aY-nqU<8Bi^T?8R{AvZKai$vyt27H9f0ZYT*96NQK0bq~`
z=^;r+sI4+TGN?$c6p$X3U^OdtzAzZvj-5*P5u2C)=n-25N&2oK{}q|n$#pvg)<J=U
zaYs4W{p~G^xHV9vc8mjXf+50PGF*~n{or$XV>$po{=osD_rM`upnVjy401qJIo{;0
ziQeP4$mgOp`AVF9igdiB>CNxRf`)kj#Fs5*#eoLZ3QVU@PS|wR8}&mCHbxTh;Gwu-
zsmxu^>0_Og`RGhL=!66~!@8m+^1>7fAi#hW?i212rqhod05HCqMxPwIM@A1h%AM^~
z$C5a&eW+GbuR}Yp4n649MxKZ4z$Br+G-W>0fintxLnlrJiCp<qW1=UMmh*_P!a@3l
zDVGGi=yeD9PTG{7n?U>Cg#9AN5xZA(#F1MvI$?>Ni!ePU9XT<0$$b3e76|4n+QwrY
z!wEguwRJFZ>G9{tj&gD%J)HxS;)i;qrlJyakXht72`>#eL_mWcqFL3$T^d)aNG+f_
zo`<x69FUnKdJc9^6urc>FjH0$)a@klL(JaCCrZ@U%m#PWCmM}TBCV(b$mQOK%Z}_)
zH{vF4Db;&|$lj3aHp9zH!%Ja<iHi<EvNsL@l=zuwr<io5BJR0dxG16NJHQ<Ul)WV{
zrC`?69vT?74j?ccsP~|W87lR9n#NOdttOpg*uk*xBu~RV(qrh1idPG+nW*+A<Q0T@
z$n#k=Bt76wDDuVhy&JBh7p9vfx0HpKLT25x00^MhN5NI<J)Nx!2kOTRg_M`zg-U4z
z66ZV<-4l}59kSEWslhl&Rt5E|*m>=48wJ`nIUBm8ZlIfv$JRTFR(oQV2LsO;^#=gj
zPB6fe11FRLi^Wp0T-;&OWIW*A;$HDf@wd!-k=cHU|0Q!`GL0dkPQ%%=f3}#&9*jYG
zj6p+o;7#y~A$2HBn0<sq_Av4T8j>(T#4<z~f<wI}BKpt7t^??^Gu{ap50HmwJGSFl
z(4=19MUK0?2bweTd=&d{VSb7^2lYR3h?Rx(6nVM&)FkBt&*%?=BB<K;j;A4=xS8QC
z9`qeY2ZoLyW{XqEDS{(R3W;7qFBiPMKN2t55yq;mlisO|qKC$iWV26oo^WcX$qX&J
zG3mfVWLv<M9pZ|jBOly*j+OCPEdG=`wHDp~q#4^x@-8H{jo0<D=>9ihCwu?9xF_y@
z-2e0|o;4sjVaN>i+$w?wCP2JRvYGdP&eHpM{tccb=%2X^{XF_F?d(p`fBDM?{r`#w
zZ(w<Dby5BydIP#m#nx1=pVV#RiQGB|k#k`5I=2eBPI`zY8ch<y&Gz#9tC93S_*sJf
z1M>~E|9>r}|1Z0xQkMSl=MVb-1y5iSdRq%qNje^238VA!Ugt21HNZT<r{f!NMH;2V
zzOnOG67zs-=6miZ<CM~+enPYo?jRAY6zVdmP$djAajhVcOhy2(ni7s+Mhp`N0F6*O
z0Q^Nu2rgRUiLB_2wsBmM)rQhix{Yh0rpV-*5S$FfMoW>N;83but8U|3kmPHzF2Wm0
zx;AC&`dL@5mEDtWDR_dXfh#|o<z}^UtlUVa*NS}HsfsQ2Mz86jSyj!NELY`Ybas8-
zRrQu`HEv}4*nn;I+wDVrtP2C@R@jx)(_p8q$~B~j)oyuk35Uv9Ee#&p!`<p_S(ngI
zEVmWeM%CSKa{KrO4r{k<wV~=`H`9-7s$!#bYwD-kX~UH|uF-rrE_X|M4JzVsv#M8=
za_vkJOrt5tvaB?Y6;(aHZp)49p<KSc(e19FUYrbTk1hO7k;Y9y@pRSgKzjgh%g48p
zQakBY0~wYyulrE5T6W`E78?yoz4n^V+N3$GKi=B%q^&wT&2nubxBDfzrdMxos^<aK
z7%JzIFcfdwx_Nn8Q`@IOsjIp^><A^;dGeLc?n(QsaiuDO+AYiCWv5%0%<e=tk4Me6
zSyn1FqgQP{DuUGMo;gp*l3Gf~Y;>;O%ciP!q>_3HJIb^EFfgPWRc@B#nx-CKsij)8
zDU3^!a4oh4v(giG%H5K9eNnm|tLicAJV<AHrEwv(yS{XD{Cq18b}mnE$0tL*-0kQs
z`P4O3yK8ABU1@c81-;tXYn=}EG@((Il&4Ec*xi8@eOK<NQ0weM-3mtSN`JRiYIK!q
z?MfN`R+7rnxndp<I%myur7{?)mBBY?)*A5Clv_%-BDK{Usoe0o;=s_wt_>gbaZead
zdXxQ|R;9Vqx#{k;PsK~sZcZ-SgIlH2wUnE|$+aMjn^x^X?z_Xwwt6i;bgf=ZZJ^G+
zES<`uOQp7}n63;3XRMoU^SYx;*TdSee4|$t)jV&N_F=0tDBTLX$BLphug%)Ae5%`c
zU9?K#&B?=UsbwDTs6ut8shYR#YB$i#nx|XMl2qNFXtl;o`>YX2XSHvzCRgQZ@TflD
zifU<JY(7hq%c`ng4}<6HQtkTkOzL!Q22QVbeGWT=Q>`+nBTM?$zHvM9L+zVV?iy`D
z+g0p=*E$vVy4CvQMY%R^R`j-7bA?t(7Pa;O>Lpp#?Sa@8Yd5W$^n7`Cv~#OUXUdT?
zmMZ43RXP5q*lx8uG$-n*yVEUqrAwt@b}Ywh5A|<tu{Kdo<;QFF_#Cy(Qv1vqcdgqA
z6#LKWLj&sVTBT!4cCR9Jl$)A=@*w-t^KltI*GB4aH)!A7?nt(|t0~<Z*s00w&S2EK
zsXd%OACGU929zHfwbrTRwyIB~Zbus<Rc&`wX-BU5o-!Qnw5t17yX>4xYRy&7+;6Q@
zU+k5&XT7vrk}8Aij@oEmR`iQ@rxD1{H378;6Zx$9q?qbyXV@K~)2B0C2zC@pwzOeT
zhG&gNPnD0`C22<;JG(t~aH5pE&$ngyp;-#*-L_m;Yr1@O?GXNUp{SSg$qe4tKRo0K
z!z3bMmS46Mq1sn!jfOhJb&fA&bx7O1cBPhL)_P^Vf!9|{knnms);jWza@Gh`bGW05
zgA3IN<ZIP!L&0q*r#riyGjkvb4NnpF)r<1AcX=b*-G_Sl_QpNy4tGi?c5O$g?%U0d
zHqma>-L|NU&2smwS8a;ziWGEAbF6pv#~o8W*TrTDSx=Q-)ok9{-CJ}L__u9+PimXi
zt#G}oKC80+aBTN#{qx&r^PwrIYO7<O$)|Ehwv=aBGe>$wdz2@E0fn7sWf*)z)>8o6
z=I(h}EuV|Bdwo-@cH8nfG=6*TR=d@vsSnXvV+e0lQ#*3a+fJh{KMbr^#XQl3!K18J
zh2}%eXg=!=`Nlk#N)7q8+!t=2^<$+Kw2`Im-HN7pc{-@~I<;}rs*5dq_^8yRpgEMw
z@@b%)*s3TAlB!l3z9d{fwjPciTkY%dwP1FkAe|^Ts;SyaNm9(y=ELB$qYORCs#V%{
z?Yi0N?_LOc^YUycLbGeM?XD%;j@NrQI&Z5rxm&Icd!5~r&S}?F&jx1iLG4@%;*+fG
z*E`0(-0lQ7s^V6<)$v3r>kYYDldqM=aZfN$uGLya?KI1%BOR;HwI-~(796`b+L_!!
z)?f$K^e4@3v`|$kca{3MD-23XN8Ib3)lQ%-kJU*a_Bw+}yX@Xvp6q{X*XqxzrA!pn
z?A{IoczN2Wqld=0*OrA7Q@v8#4IiG$ZD`hR+e3ZaRs2a)3BI)->SL*_mEl?K43=)k
z7sB;Ur@C);JA>W!sj>@)U8q@4*XXn>>7BX&D~bqD8<MX0=eKRW(yp5DvijT8MY-FR
zJMvhmbx+&R=Ebck-?oP0Nw3;%C{<a3wZ@}dl26*z+EA``rQWmVDR%d^Rg)F%MxS)>
z+Uv-bUf<nCre5w02lZ>EJJ758X-C<g^lr2#-RyR6%LC!^X1J>fHMLtg_SE+EGZc0o
z)HC%=7MkPc=|H?TyG^aL-{>m)R`XOWwJXQM$*?c91by$~`Pk4--5sgsIvrCwhtGPs
zJFNNF!qe%6DDB=ptBuQQ<EGP*PI|&_LlfjyucB8J%dM!2^K`39$C4`DO3&R=OLfj$
z=D?Oa)rndj9QOqM<XYJknu1%APlJi}Al=ATqpWqrR=3n0D5@$bRk5bpT~oCikJpy`
zt=m5Cs<oQbt4gNSR!i54IFhbis8?&}*KPH@Z9Sb!CABLL)hZMko~p==R;5;HmIr3{
zOzrfla<y~gR$I@qD+{XF8U8j_D^gXiNo6?nOIr2G@0J_Kl5jmavATAvv_I;p`l&YD
zZRqX#j?xjE(%Hb$9u%+B*>6dTBU}i(*LqFwTz1Ce?ogC2&#L2ATi<P|vUFK7{cgwn
zcHP-OyB^l0PRBWKpAE}uRTi5awV`%~-t|qRCbb*2W_37jtBotEBVDvggD3s;snN9E
zlkTu<cC6it+m1f&*@Kg2yZO{J_Q%?3U+7q3{nl<icdy;2%bVj?PmmjJVX&iFyV7N+
zb^^u5ar>-sCOsTC(M_$4lwC>chz(>7AFn4t<GduRm#4eC-JAMjSCu5WEd{z+d+u4T
zs#OQUi75x|2ia>1=8oJ6zRC9B1U{>_UXx78Jla(RWpY{5_mJ9kE>F#2_e_3}Dk`4a
z<J)I#+^HQu_BsvNtu)KZP=C^Hj=k$n^}M4DF68#$;Z_*9t!k~>tf+NmxVzJ<3@%Ye
zeuCD(ld9vfZXZ2sr)EWc?utm2_oOqot*S#&x6EU?w12L3q+3{ROga_msd?m<E=p#%
zRqLwKO;=D#;s~|n-FD@6SFOnAb$KYjPJg#mG0W$rK}E48LAFG-skowSA3wDewWJEN
zeEzIk*Bz;@4P~WQ-M3F3%-UtG@t|9~O{uhB>7D7vP1AMcj;Jb?WA(bEcdt9OfvyCn
zy-s7So%O}$X)wI3s&;GGaOAesZYkzdPi!d7j_RPBu5sBJpLgtfS*f{uz2UBK+Yxpy
zEAqK^HaKpUBv~@0UH!EBd@h<-x}b>Nsv^kGN6$Ug4dff`u_xS?Bt^bbYVJ<E>Oaf2
ze9<`-gVxyn)>KrrYwCMYQJ$Np&5~{ezTB=IcTek2t>?zAeAAHRnlwQjxprF$%+}43
z2+e_V{V=F%qTGd|^wc{wm0nf6YMZXFodoKMJvix_@`IuTCtX2yx@XRg`k;vIXI;_+
zeIl#oH98$Q=Yk^ihUP`Dd@O5%Y)Z!dwce3s)oe6nQyQzM?uFDb&$V`~B-{0K_)wcj
zmD-6^a|P|;_*OdA_nOZGucf%-?y2-BDYYl1wEL`9B@dkq?Ax0`S#C?us%3tYPB9NP
z160w<?bdHQ>aeT!D&6tL*d0ige%z}KN}aPBytQhN?Ng<UhRu?EqjozFwLp1poHkV*
z@Av2ObJvB#n$c9H`t^f)b$MFr=ry@~Vo*6nR(7lPTBCj4I=)thX6IU!YxQbS>!jqE
zzgnYz-LuI4W7tNp?brnp<WckotMoD7{v&?b*(+!4Kf=zJkMo~j@~r)Bd*plDJ;UBc
z_9N&)f535T;KXq!<lqvN1o1Z#BAallI3fu?$oZ&A&o@a5BIG?Hy~wR`Yv97rknJNK
zjBK5GAso3-8=&yZXTW>~K&dEzO_INhed4$N$*mDfj0Gpab^;bWZ20up96f1>X7|z@
z%QX#XYbean9kpNN)<}RqZo=u2j2w_&E6iLTSUCU#0x*6CLEs*2Z;!|0A|${T9k0J_
z(t`f>Mg62IwW@_uQ6N<m+eE$}=361IaL^@$(=!n;;TSj`fPIf0RvR`Ldn69%Gw_}J
zU<^IPtpVNe1JCG<f)uhs=t%amxPW5=XaoMJ1?nvx93Qpnt<T&V=+xV1mr5ISj%4{r
zYS*hRa4Cb6OQ}+C*Ds|OxU7LA=@y*VrOIc3403djo=A8Q2GX!dB0h|>7D6ciq8rP?
zoKGgS`y<##pzk~)dOb%nAr-WBZjIiL!!ndl4XVg-B)kd%*KpB2G)#_j9WOYfJ{XMo
zeDzUq$gj)QtBd-{(brbB&2!Yzk7NirT>mbtt$o^l;aXKZ(AJ^Au{@K9{QCEHy;;3f
z+6RSwL3rW0!1TXbj*iHui`LiXWu^MUbDVJx{`dp%>qkoaj0cB@fDgP8;=!MP{u4t?
zGtiJj58@Yh$gdw&nsw=`(yGdQ;$wKK5f!*PYPC9-awS<v^N{WzZWcy>Uys}5LBWk)
zgzXT2JOD!Qn$@;kKWWW`khpu$!;=tBRwV&xvQPrvuwWYEdn3x^^A&o1|8SG1Ik0%Z
z7YZ!z&S55h5zD^AZ*lhq$C*xla|?VY?GQ&@VEO$+eqH1fuke)l0kmA2mLdFgxW1{w
z0D(fm@SVbMdxCgq`xGZ6B#{4OJu3Sr_+ve>F#ZJVmfz<=>G!{j;0Fj00tGnjAqd3Z
z|6bx=IL<?XH~BiU1H;UKOCkyR_3z?K5@Hr-hd-23AJCIaBA@V=a=Hqgcz*qRVj=wT
zpMSpaTO7-AR3VXk#IGfp;f`GD6Q`adUYR6)rmX{)c$W~XwKpQUAxLi+>eS--j^DiS
z;PAh|{~eW>UOx=Tt#JCu{|Q=fGhuusON~aNEE8?>>)+!+;a|RQl66C06bj!)Mify=
zN>ePp@OX-d7pE<5k>$PqJw)USUFEtH!N|fZx#)#)4>tb>Tpw3+4P4{zzi;d4aoZl5
z=2m8ebVB-or(zE92ctlD#x@w)VVCBFPZdW`MgYX<6{Ct2b{YG@qwFL6f^ngj92$)v
zXd4!F7zL1=J;b$q0D}NoE_3xx_`6c57s1D+`jPSC#x2Dd#|tH#H=5eau@NSO5FKAh
zN3&?*pb)L0)EXyDVuScs(W9XaE`p*p7}3~3g6;5FX>%Rd*(w%`JQvU9qGgt)puEKv
zCC&+l)FQbWHoub|U$*%4${;XKm);^F=1Bhxd=@B!_ptb4THol~&<y8eXqYA_w5xJ6
zT8kkiy>P@So8ndf8hf)xIHrr~Z^V_E2;6y2+{FifdPPzE4h`3(p4U;1!=%$Z<&N>n
zp%-fbf$~$6_Fi}f{Q9QpgMxSzrMcV6S;Q$4%65`)jmCl-J2s?}OPB<lxf{=bCtSmH
zSrNH_$AZCcd}2XiWrSP|7Of`ID9H`rC!mTJ7lXGD=I_evT=a7h{|1GE-g99vI1G_M
zmR-0JrWPH|0g_sKBq0o50ge}t7d^w)zZ&kLK*BVHrS>K8cRDpRy^L$<hwFc%8zg1~
zX+j0nn|eD&O)}Ix#0?8DM^K+c2uW;vEENQ%v4aTkS$U_5&X5PZn3xPXa{D&|@DQcL
zbuw`qG4o23cm`ohk@#F9p`OBN9OaA<lchEJ8m16CT;B};+~UZ%jziAtCcRdZ$#ki&
z>;YI$w8L{8<GhgGz(+vybYR%-C?M#kX%FypfPx2sY0y*w=}jBIeIWwhCw~2VqJtOy
z(=<)8D}ShD%&+6hDLKwX$fFVn`71;#DYwPZ^f+taG(5p4zTJ={HRCk+Rr7+Zs28TH
z#PDLa#jn$HJOD}92r5qF!~aB@Gzy;vzYftPuk|6CFwm{TS?MpsRdKjEm0&FaQ6|S4
z;MZMbF$p_E#jK&GqvK+s*1*5AVQvjHNu-AzI5CBD?#LhLiQn8uqQ_LC$4w&I7i_?%
z2nzfFKGK1|UHC&N?Em>`eS3S0R4U<0iIU`H8NW=D19`gx4inNbezOY>K@>Yj(nvB%
zJWT}13n)WbBE@8~*ejDvUMh!-!H|5Dsp03PoJ@8#Kj|c3i6;}QmZqH~FNSEs&qz86
z-X-xQ-D{G$Cn?p>%09UslJ<<$lUO>)7p7um{(I}Ze)Y93)!Q#KHRfr#DGr<Bxk$7Y
zLQNL%SD0}gfRKZJ`tyb7W(gx~li;~Gi5-Ok%d~sQuP2Nmp_Fl$-ZYmLP*#*jm=H2k
z0O6LFKJq1xB_s~gLp=^WEAp7r2Hu2S5w8Qtl97<4dU&3IVT07B7j3kpF%m3H7Qj85
z*q1~SDxPr!8dB`}MW5x)1NSuY&cN~}xm2G8#Ts^$C`BVlQbsO~SfwGcdM}Ya2<Q&-
zN&23FGfwRNvovi2-O?&hTHj8<UbH48c8sUmwwNQ}rzR-wI0bz%&e}%FE3F>XoDoSy
zL~s!j%}ZQ}eL3W(zVti<hoR`Ar|Fv2!c<MhoZ#|VZJTP@1Cm9Z3Tz~#m#ji?CD)rr
z@-5Frx{sZ1KGoEMX^ASWIy0F1@w~7IM!b+|+^q!;e+O2P^mKR#HZmg)CE1NFHkXCz
z$s}kv(upK$O?+hDgUw7cTQtNkl4>IjfokOMH0o%yP}euJBiV>kX>DAO9B*W?%#&0B
z-<US!;Bn;@{R~ES7`FJ}7<MY(Z}o{XC)Yz3ky*@1aU;=a%9z3g=TIA^mZx&Gwl<QS
zF2r6GD@koaNAfL=SS%J<KN-r(EZ|%+1$-&iwKo30|M&k1qd93;NT2F#gQM%3P2If7
z2z!gr&)ak@uuMsK%Njr*^bo?R)R6Ir^py1^!IRk@h=rc)jU(~eOAdJ}t)0(>l<v?0
z+Wfxp)zCK%z(#UQ-1rPO82xM<fIq@A!e_97S1c)>?0Mtm&zCKJm6>I%W8S=GwzNe&
zGr<be>tX(^rvcgE(%R#Z(mtCl{KWfTm_s18F(=4Bt*Otmvr+L;@sYRreMBNaHbS<5
zf4*#d2JTo-ybaGE@E4L=7S9^~;{a@Uj)Nyu?;U^*Qku;cBS%b;YtdaW^e&uyF8=qw
z=bY@2my6C*=rIX_{j27T?BMX-*ne!BocIB<iZtB<%@z`&E_s&ovhlK2BtT#~W&20^
zc<B2Syln1;g%h81)%DC3@E)ViT`B3|#%m>eT9vn2(gVn>o6jIxR0!(fM?#>}i;5s7
z6k21mJ2_)U0pdBP5&SoE@L2FH^8a9WYQ3qC1@S*+u_UJbKg2!!zYqV9U+}E`4G`y#
zT*r^S566!W$B%b){E%8$&`D<5YF!<jR1XR))cl3#t}ZJyZ*ZpI0nG{Yl9L*U=eYP@
zmBVcfM)qm)`l{N@H6e$_>-Dfy%63g&9?7SzLw?%2oVv#)V+M|z<H^1fr8QpP^wBpU
zfYMfEg>W6>E)Wj+rLb<$Jt>_SsSxEy0qar=th>afl+J^{!LLUU^BYT~#gA03sSNB1
zX%eje2PhDzvvLIW!=Q>jt$siNi)DxAQL9~*5An-+>izto(njK}YspcDgWQ;%WSgfd
z4u1f6c3&?4vbD8=IbHj*a(O`QMizWBtdRxu@cPfd0b^*;oBK#|H=miYMs6W+3dA>s
zDmIWNz@b`1X~o%QCI&pMe>;rEJSDnOl!qrvBt-}TE{pi37S9}X&dF$(m%DBwHJ^X=
zhW7Ei>RCqqi$CDy|9XLNf&90(vzw9sN+ogUL;m|EPp<zjb<cd_II_Wgt<^88i48Q|
zTgjDWc^`*pGJoUcQhO`WXqhu6C?LS&M#5hB)W);6_(a(n>V^jjZsMSo967ll*({hI
zPPWt#O~CZH7#MlyyM)DmobfJu#vA)vEI8s#IA(+=yy>&toqy-E+~hFd>nJxS%fxYR
zOpZVINEggMzzqpMD?`VE#`JA?ATgpv;`EX>&RIQ&$!tKvlN%HY(M`V@|Lp}g|5A`#
zhtgceXYzhznxRL|_nLBXL8QL_sOH^(7Ja5}b13ax8A))srATSYZz=km+Y-sm8arWA
ziE=%Hw6IPJ6yrC=^{Dgd)XO||pr*n?G<w$Pcjmg^%7-)jngH{K<ET9S)phi!IV@3c
zZW`ba2>%2I_}^fCGwgEfpWq+=Ft)Z*PQo7YUB~uOWV21oKOf!?vl-4A;MWa)i+HsY
z;Wwov#TNUmDaYTio4HnYCiTZXrM|?<5QtBlB6nOAjNHtMBFC49)K4;U&BmZWeZmtx
zErFY?^E927<mm=8T7();4{46YPU?B^``=5kds)`+`n7ZNF7pzdjX6Ue{P;ms)vZ()
z({qDyBIeHvg$W~ceRGo@4F3a&Tj>@P9^YhQk~8$5<X$Sijo58UR7M7xY2bx!_$)^?
zUhO=aMwU5zKz?9I|AP<J>qLv}V&-g%B!Mt}<2t&}|5fynoQEu3{B2q6=X=&?P)lwv
zBbRvvPUMxrhCOc>(I{eevK5UWYa;j;4}03b_yh1SUPt%;;$OCk@$Fg3gO;VnmKYax
z{bobKT00p@thPrpxRz&Z2pvcghm@kgz59&MnDEqm&&qBeVlG15g5_}dU!eF&NB6}X
z57q^1B6P(u5wyX`1rX?tHX=I;jiA6_B}nYGi-BJB(}eaUZ$aR#>91DQKAw-~<N0{r
T`T73?00960ik7zJ073%*Om5fE

literal 0
HcmV?d00001

diff --git a/charts/shipa/shipa/1.4.0/Chart.lock b/charts/shipa/shipa/1.4.0/Chart.lock
new file mode 100644
index 000000000..fe960b5fc
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: mongodb-replicaset
+  repository: https://charts.helm.sh/stable
+  version: 3.11.3
+digest: sha256:d567aabf719102e5090b7d7cc0b8d7fd32e8959e51ec4977b6534147531649b8
+generated: "2021-10-08T08:10:33.698603543Z"
diff --git a/charts/shipa/shipa/1.4.0/Chart.yaml b/charts/shipa/shipa/1.4.0/Chart.yaml
new file mode 100644
index 000000000..e196f234e
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/Chart.yaml
@@ -0,0 +1,29 @@
+annotations:
+  catalog.cattle.io/certified: partner
+  catalog.cattle.io/display-name: Shipa
+  catalog.cattle.io/namespace: shipa-system
+  catalog.cattle.io/release-name: shipa
+apiVersion: v2
+appVersion: 1.4.0
+dependencies:
+- name: mongodb-replicaset
+  repository: file://./charts/mongodb-replicaset
+  tags:
+  - defaultDB
+description: A Helm chart for Kubernetes to install the Shipa Control Plane
+home: https://www.shipa.io
+icon: https://cdn.opsmatters.com/sites/default/files/logos/shipa-logo.png
+keywords:
+- shipa
+- deployment
+- aac
+kubeVersion: '>= 1.16.0-0'
+maintainers:
+- email: rlachhman@shipa.io
+  name: ravi
+name: shipa
+sources:
+- https://github.com/shipa-corp
+- https://github.com/shipa-corp/helm-chart
+type: application
+version: 1.4.0
diff --git a/charts/shipa/shipa/1.4.0/LICENSE b/charts/shipa/shipa/1.4.0/LICENSE
new file mode 100644
index 000000000..dda518917
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/LICENSE
@@ -0,0 +1,25 @@
+Copyright (c) 2020, shipa authors. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above copyright
+notice, this list of conditions and the following disclaimer in the
+documentation and/or other materials provided with the distribution.
+   * Neither the name of the Globo.com nor the names of its contributors
+may be used to endorse or promote products derived from this software without
+specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/charts/shipa/shipa/1.4.0/README.md b/charts/shipa/shipa/1.4.0/README.md
new file mode 100644
index 000000000..08e507b88
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/README.md
@@ -0,0 +1,122 @@
+
+**Note:** The master branch is the main development branch. Please use releases instead of the master branch in order to get stable versions.
+
+# Documentation
+
+Documentation for Shipa can be found at https://learn.shipa.io
+
+# Installation Requirements
+
+1. Kubernetes 1.14+
+2. Helm v3
+
+# Defaults 
+
+We create LoadBalancer service to expose Shipa to the internet:
+1. 2379 -> etcd 
+1. 8080 -> shipa api over http
+1. 8081 -> shipa api over https
+
+By default we use dynamic public IP set by a cloud-provider but there is a parameter to use static ip (if you have it):
+```bash 
+--set service.nginx.loadBalancerIP=35.192.15.168 
+```
+
+# Installation
+
+Users can install Shipa on any existing Kubernetes cluster (version 1.10.x and newer), and Shipa leverages Helm charts for the install.
+
+> ⚠️ NOTE: Installing or upgrading Shipa may require downtime in order to perform database migrations.
+
+
+Below are the steps required to have Shipa installed in your existing Kubernetes cluster:
+
+Create a namespace where the Shipa services should be installed   
+```bash
+NAMESPACE=shipa-system
+kubectl create namespace $NAMESPACE
+```
+Create the values.override.yaml with the Admin user and password that will be used for Shipa
+```bash
+cat > values.override.yaml << EOF
+auth:
+  adminUser: <your email here>
+  adminPassword: <your admin password> 
+EOF
+```
+Add Shipa helm repo
+```bash
+helm repo add shipa-charts https://shipa-charts.storage.googleapis.com
+```
+Install Shipa
+```bash
+helm install shipa shipa-charts/shipa -n $NAMESPACE  --timeout=1000s -f values.override.yaml
+```
+
+## Upgrading shipa helm chart
+
+```bash
+helm upgrade shipa . --timeout=1000 --namespace=$NAMESPACE -f values.override.yaml
+```
+
+## Upgrading shipa helm chart if you have Pro license
+
+We have two general ways how to execute helm upgrade if you have Pro license:
+* Pass a license file to helm upgrade 
+
+```bash
+helm upgrade shipa . --timeout=1000 --namespace=$NAMESPACE -f values.override.yaml -f license.yaml
+```
+* Merge license key from a license file to values.override.yaml and execute helm upgrade as usual
+```bash
+cat license.yaml | grep "license:" >> values.override.yaml
+```
+
+# CI/CD
+
+Packaging and signing helm charts is automated using Github Actions
+
+Charts are uploaded to multiple buckets based on condition:
+
+1. `shipa-charts-dev`, `push` to `master`, `push` to PR opened against `master`
+2. `shipa-charts-cloud`,  `tag` containing `cloud`
+3. `shipa-charts`, `tag` not containing `cloud`
+
+
+Chart name is composed of:
+`{last_tag}-{commit_hash}`
+
+For on-prem releases, if tag is not pre-release, meaning it has semantic versioning without RC suffix (ex. 1.3.0, not 1.3.0-rc1), chart name is only `{last_tag}`, as otherwise it is seen by helm chart as development version
+
+### Usage
+```
+# only first time
+helm repo add shipa-dev https://shipa-charts-dev.storage.googleapis.com
+helm repo add shipa-cloud https://shipa-charts-cloud.storage.googleapis.com
+helm repo add shipa-onprem https://shipa-charts.storage.googleapis.com
+
+# refresh available charts
+helm repo update
+
+# check available versions
+helm search repo shipa --versions
+
+# check available versions with development versions
+helm search repo shipa --versions --devel
+
+# check per repo
+helm search repo shipa-dev --versions --devel
+helm search repo shipa-cloud --versions --devel
+helm search repo shipa-onprem --versions --devel
+
+# helm install
+helm install shipa shipa-dev/shipa --version 1.x.x -n shipa-system  --timeout=1000s -f values.override.yaml
+```
+
+# Shipa client
+
+If you are looking to operate Shipa from your local machine, we have binaries of shipa client: https://learn.shipa.io/docs/downloading-the-shipa-client
+
+# Collaboration/Contributing
+
+We welcome all feedback or pull requests. If you have any questions feel free to reach us at info@shipa.io
diff --git a/charts/shipa/shipa/1.4.0/app-readme.md b/charts/shipa/shipa/1.4.0/app-readme.md
new file mode 100644
index 000000000..700df754a
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/app-readme.md
@@ -0,0 +1,39 @@
+# Shipa
+
+[Shipa](http://www.shipa.io/) is an Application-as-Code [AaC] provider that is designed for having a cleaner developer experience and allowing for guardrails to be easily created. The "platform engineering dilemma" is how do you allow for innovation yet have control. Shipa is application focused so allowing developers who are not experienced in Kubernetes run through several critical tasks such as deploying,  managing, and iterating on their applications without detailed Kubernetes knowledge. From the operator or admin standpoint, easily enforcing rules/convention without building multiple abstraction layers.
+
+## Install Shipa - Helm Chart
+
+The [Installation Requirements](https://learn.shipa.io/docs/installation-requirements) specify up to date cluster and ingress requirements. Installing the chart is pretty straight forward.
+
+Intially will need to set an intial Admin User and Admin Password/Secret to first access Shipa.
+
+```
+helm repo add shipa-charts https://shipa-charts.storage.googleapis.com
+
+helm repo update
+
+helm upgrade --install shipa shipa-charts/shipa \
+
+--set auth.adminUser=admin@acme.com --set auth.adminPassword=admin1234 \
+
+--namespace shipa-system --create-namespace --timeout=1000s --wait
+```
+
+## Install Shipa - ClusterIP
+Shipa by default will install Traefik as the loadbalencer. 
+Though if this creates a conflict or there is a cluster limitation, you can also leverage ClusterIP for routing which is the
+second set of optional prompts in the Rancher UI. 
+[Installing Shipa with ClusterIP on K3](https://shipa.io/2021/10/k3d-and-shipa-deploymnet/)
+
+```
+helm install shipa shipa-charts/shipa  -n shipa-system --create-namespace \
+--timeout=15m \
+--set=metrics.image=gcr.io/shipa-1000/metrics:30m \
+--set=auth.adminUser=admin@acme.com \
+--set=auth.adminPassword=admin1234 \
+--set=shipaCluster.serviceType=ClusterIP \
+--set=shipaCluster.ip=10.43.10.20 \
+--set=service.nginx.serviceType=ClusterIP \
+--set=service.nginx.clusterIP=10.43.10.10
+```
\ No newline at end of file
diff --git a/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/.helmignore b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/.helmignore
new file mode 100644
index 000000000..28b828e89
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/.helmignore
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+install
diff --git a/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/Chart.yaml b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/Chart.yaml
new file mode 100644
index 000000000..9620d643f
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/Chart.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+appVersion: "3.6"
+description: NoSQL document-oriented database that stores JSON-like documents with
+  dynamic schemas, simplifying the integration of data in content-driven applications.
+home: https://github.com/mongodb/mongo
+icon: https://webassets.mongodb.com/_com_assets/cms/mongodb-logo-rgb-j6w271g1xn.jpg
+maintainers:
+- email: unguiculus@gmail.com
+  name: unguiculus
+- email: ssheehy@firescope.com
+  name: steven-sheehy
+name: mongodb-replicaset
+sources:
+- https://github.com/mongodb/mongo
+- https://github.com/percona/mongodb_exporter
+version: 3.11.3
diff --git a/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/OWNERS b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/OWNERS
new file mode 100644
index 000000000..1e6a85097
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/OWNERS
@@ -0,0 +1,6 @@
+approvers:
+  - unguiculus
+  - steven-sheehy
+reviewers:
+  - unguiculus
+  - steven-sheehy
diff --git a/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/README.md b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/README.md
new file mode 100644
index 000000000..c9729c059
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/README.md
@@ -0,0 +1,434 @@
+# MongoDB Helm Chart
+
+## Prerequisites Details
+
+* Kubernetes 1.9+
+* Kubernetes beta APIs enabled only if `podDisruptionBudget` is enabled
+* PV support on the underlying infrastructure
+
+## StatefulSet Details
+
+* https://kubernetes.io/docs/concepts/abstractions/controllers/statefulsets/
+
+## StatefulSet Caveats
+
+* https://kubernetes.io/docs/concepts/abstractions/controllers/statefulsets/#limitations
+
+## Chart Details
+
+This chart implements a dynamically scalable [MongoDB replica set](https://docs.mongodb.com/manual/tutorial/deploy-replica-set/)
+using Kubernetes StatefulSets and Init Containers.
+
+## Installing the Chart
+
+To install the chart with the release name `my-release`:
+
+``` console
+helm repo add stable https://kubernetes-charts.storage.googleapis.com/
+helm install --name my-release stable/mongodb-replicaset
+```
+
+## Configuration
+
+The following table lists the configurable parameters of the mongodb chart and their default values.
+
+| Parameter                           | Description                                                               | Default                                             |
+| ----------------------------------- | ------------------------------------------------------------------------- | --------------------------------------------------- |
+| `replicas`                          | Number of replicas in the replica set                                     | `3`                                                 |
+| `replicaSetName`                    | The name of the replica set                                               | `rs0`                                               |
+| `skipInitialization`                    | If `true` skip replica set initialization during bootstrapping                                              | `false`      
+| `podDisruptionBudget`               | Pod disruption budget                                                     | `{}`                                                |
+| `port`                              | MongoDB port                                                              | `27017`                                             |
+| `imagePullSecrets`                  | Image pull secrets                                                        | `[]`                                                |
+| `installImage.repository`           | Image name for the install container                                      | `unguiculus/mongodb-install`                        |
+| `installImage.tag`                  | Image tag for the install container                                       | `0.7`                                               |
+| `installImage.pullPolicy`           | Image pull policy for the init container that establishes the replica set | `IfNotPresent`                                      |
+| `copyConfigImage.repository`        | Image name for the copy config init container                             | `busybox`                                           |
+| `copyConfigImage.tag`               | Image tag for the copy config init container                              | `1.29.3`                                            |
+| `copyConfigImage.pullPolicy`        | Image pull policy for the copy config init container                      | `IfNotPresent`                                      |
+| `image.repository`                  | MongoDB image name                                                        | `mongo`                                             |
+| `image.tag`                         | MongoDB image tag                                                         | `3.6`                                               |
+| `image.pullPolicy`                  | MongoDB image pull policy                                                 | `IfNotPresent`                                      |
+| `podAnnotations`                    | Annotations to be added to MongoDB pods                                   | `{}`                                                |
+| `securityContext.enabled`           | Enable security context                                                   | `true`                                              |
+| `securityContext.fsGroup`           | Group ID for the container                                                | `999`                                               |
+| `securityContext.runAsUser`         | User ID for the container                                                 | `999`                                               |
+| `securityContext.runAsNonRoot`      |                                                                           | `true`                                              |
+| `resources`                         | Pod resource requests and limits                                          | `{}`                                                |
+| `persistentVolume.enabled`          | If `true`, persistent volume claims are created                           | `true`                                              |
+| `persistentVolume.storageClass`     | Persistent volume storage class                                           | ``                                                  |
+| `persistentVolume.accessModes`      | Persistent volume access modes                                            | `[ReadWriteOnce]`                                   |
+| `persistentVolume.size`             | Persistent volume size                                                    | `10Gi`                                              |
+| `persistentVolume.annotations`      | Persistent volume annotations                                             | `{}`                                                |
+| `terminationGracePeriodSeconds`     | Duration in seconds the pod needs to terminate gracefully                 | `30`                                                |
+| `tls.enabled`                       | Enable MongoDB TLS support including authentication                       | `false`                                             |
+| `tls.mode`                          | Set the SSL operation mode (disabled, allowSSL, preferSSL, requireSSL)    | `requireSSL`                                        |
+| `tls.cacert`                        | The CA certificate used for the members                                   | Our self signed CA certificate                      |
+| `tls.cakey`                         | The CA key used for the members                                           | Our key for the self signed CA certificate          |
+| `init.resources`                    | Pod resource requests and limits (for init containers)                    | `{}`                                                |
+| `init.timeout`                      | The amount of time in seconds to wait for bootstrap to finish             | `900`                                               |
+| `metrics.enabled`                   | Enable Prometheus compatible metrics for pods and replicasets             | `false`                                             |
+| `metrics.image.repository`          | Image name for metrics exporter                                           | `bitnami/mongodb-exporter`                          |
+| `metrics.image.tag`                 | Image tag for metrics exporter                                            | `0.9.0-debian-9-r2`                                 |
+| `metrics.image.pullPolicy`          | Image pull policy for metrics exporter                                    | `IfNotPresent`                                      |
+| `metrics.port`                      | Port for metrics exporter                                                 | `9216`                                              |
+| `metrics.path`                      | URL Path to expose metics                                                 | `/metrics`                                          |
+| `metrics.resources`                 | Metrics pod resource requests and limits                                  | `{}`                                                |
+| `metrics.securityContext.enabled`   | Enable security context                                                   | `true`                                              |
+| `metrics.securityContext.fsGroup`   | Group ID for the metrics container                                        | `1001`                                              |
+| `metrics.securityContext.runAsUser` | User ID for the metrics container                                         | `1001`                                              |
+| `metrics.socketTimeout`             | Time to wait for a non-responding socket                                  | `3s`                                                |
+| `metrics.syncTimeout`               | Time an operation with this session will wait before returning an error   | `1m`                                                |
+| `metrics.prometheusServiceDiscovery`| Adds annotations for Prometheus ServiceDiscovery                          | `true`                                              |
+| `auth.enabled`                      | If `true`, keyfile access control is enabled                              | `false`                                             |
+| `auth.key`                          | Key for internal authentication                                           | ``                                                  |
+| `auth.existingKeySecret`            | If set, an existing secret with this name for the key is used             | ``                                                  |
+| `auth.adminUser`                    | MongoDB admin user                                                        | ``                                                  |
+| `auth.adminPassword`                | MongoDB admin password                                                    | ``                                                  |
+| `auth.metricsUser`                  | MongoDB clusterMonitor user                                               | ``                                                  |
+| `auth.metricsPassword`              | MongoDB clusterMonitor password                                           | ``                                                  |
+| `auth.existingMetricsSecret`        | If set, and existing secret with this name is used for the metrics user   | ``                                                  |
+| `auth.existingAdminSecret`          | If set, and existing secret with this name is used for the admin user     | ``                                                  |
+| `serviceAnnotations`                | Annotations to be added to the service                                    | `{}`                                                |
+| `configmap`                         | Content of the MongoDB config file                                        | ``                                                  |
+| `initMongodStandalone`              | If set, initContainer executes script in standalone mode                  | ``                                                  |
+| `nodeSelector`                      | Node labels for pod assignment                                            | `{}`                                                |
+| `affinity`                          | Node/pod affinities                                                       | `{}`                                                |
+| `tolerations`                       | List of node taints to tolerate                                           | `[]`                                                |
+| `priorityClassName`                 | Pod priority class name                                                   | ``                                                  |
+| `livenessProbe.failureThreshold`    | Liveness probe failure threshold                                          | `3`                                                 |
+| `livenessProbe.initialDelaySeconds` | Liveness probe initial delay seconds                                      | `30`                                                |
+| `livenessProbe.periodSeconds`       | Liveness probe period seconds                                             | `10`                                                |
+| `livenessProbe.successThreshold`    | Liveness probe success threshold                                          | `1`                                                 |
+| `livenessProbe.timeoutSeconds`      | Liveness probe timeout seconds                                            | `5`                                                 |
+| `readinessProbe.failureThreshold`   | Readiness probe failure threshold                                         | `3`                                                 |
+| `readinessProbe.initialDelaySeconds`| Readiness probe initial delay seconds                                     | `5`                                                 |
+| `readinessProbe.periodSeconds`      | Readiness probe period seconds                                            | `10`                                                |
+| `readinessProbe.successThreshold`   | Readiness probe success threshold                                         | `1`                                                 |
+| `readinessProbe.timeoutSeconds`     | Readiness probe timeout seconds                                           | `1`                                                 |
+| `extraVars`                         | Set environment variables for the main container                          | `{}`                                                |
+| `extraLabels`                       | Additional labels to add to resources                                     | `{}`                                                |
+
+*MongoDB config file*
+
+All options that depended on the chart configuration are supplied as command-line arguments to `mongod`. By default, the chart creates an empty config file. Entries may be added via  the `configmap` configuration value.
+
+Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
+
+Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
+
+``` console
+helm install --name my-release -f values.yaml stable/mongodb-replicaset
+```
+
+> **Tip**: You can use the default [values.yaml](values.yaml)
+
+Once you have all 3 nodes in running, you can run the "test.sh" script in this directory, which will insert a key into the primary and check the secondaries for output. This script requires that the `$RELEASE_NAME` environment variable be set, in order to access the pods.
+
+## Authentication
+
+By default, this chart creates a MongoDB replica set without authentication. Authentication can be
+enabled using the parameter `auth.enabled`. Once enabled, keyfile access control is set up and an
+admin user with root privileges is created. User credentials and keyfile may be specified directly.
+Alternatively, existing secrets may be provided. The secret for the admin user must contain the
+keys `user` and `password`, that for the key file must contain `key.txt`.  The user is created with
+full `root` permissions but is restricted to the `admin` database for security purposes. It can be
+used to create additional users with more specific permissions.
+
+To connect to the mongo shell with authentication enabled, use a command similar to the following (substituting values as appropriate):
+
+```shell
+kubectl exec -it mongodb-replicaset-0 -- mongo mydb -u admin -p password --authenticationDatabase admin
+```
+
+## TLS support
+
+To enable full TLS encryption set `tls.enabled` to `true`. It is recommended to create your own CA by executing:
+
+```console
+openssl genrsa -out ca.key 2048
+openssl req -x509 -new -nodes -key ca.key -days 10000 -out ca.crt -subj "/CN=mydomain.com"
+```
+
+After that paste the base64 encoded (`cat ca.key | base64 -w0`) cert and key into the fields `tls.cacert` and
+`tls.cakey`. Adapt the configmap for the replicaset as follows:
+
+```yml
+configmap:
+  storage:
+    dbPath: /data/db
+  net:
+    port: 27017
+    ssl:
+      mode: requireSSL
+      CAFile: /data/configdb/tls.crt
+      PEMKeyFile: /work-dir/mongo.pem
+      # Set to false to require mutual TLS encryption
+      allowConnectionsWithoutCertificates: true
+  replication:
+    replSetName: rs0
+  security:
+    authorization: enabled
+    # # Uncomment to enable mutual TLS encryption
+    # clusterAuthMode: x509
+    keyFile: /keydir/key.txt
+```
+
+To access the cluster you need one of the certificates generated during cluster setup in `/work-dir/mongo.pem` of the
+certain container or you generate your own one via:
+
+```console
+$ cat >openssl.cnf <<EOL
+[req]
+req_extensions = v3_req
+distinguished_name = req_distinguished_name
+[req_distinguished_name]
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = @alt_names
+[alt_names]
+DNS.1 = $HOSTNAME1
+DNS.1 = $HOSTNAME2
+EOL
+$ openssl genrsa -out mongo.key 2048
+$ openssl req -new -key mongo.key -out mongo.csr -subj "/CN=$HOSTNAME" -config openssl.cnf
+$ openssl x509 -req -in mongo.csr \
+    -CA $MONGOCACRT -CAkey $MONGOCAKEY -CAcreateserial \
+    -out mongo.crt -days 3650 -extensions v3_req -extfile openssl.cnf
+$ rm mongo.csr
+$ cat mongo.crt mongo.key > mongo.pem
+$ rm mongo.key mongo.crt
+```
+
+Please ensure that you exchange the `$HOSTNAME` with your actual hostname and the `$HOSTNAME1`, `$HOSTNAME2`, etc. with
+alternative hostnames you want to allow access to the MongoDB replicaset. You should now be able to authenticate to the
+mongodb with your `mongo.pem` certificate:
+
+```console
+mongo --ssl --sslCAFile=ca.crt --sslPEMKeyFile=mongo.pem --eval "db.adminCommand('ping')"
+```
+
+## Promethus metrics
+
+Enabling the metrics as follows will allow for each replicaset pod to export Prometheus compatible metrics
+on server status, individual replicaset information, replication oplogs, and storage engine.
+
+```yaml
+metrics:
+  enabled: true
+  image:
+    repository: ssalaues/mongodb-exporter
+    tag: 0.6.1
+    pullPolicy: IfNotPresent
+  port: 9216
+  path: "/metrics"
+  socketTimeout: 3s
+  syncTimeout: 1m
+  prometheusServiceDiscovery: true
+  resources: {}
+```
+
+More information on [MongoDB Exporter](https://github.com/percona/mongodb_exporter) metrics available.
+
+## Deep dive
+
+Because the pod names are dependent on the name chosen for it, the following examples use the
+environment variable `RELEASENAME`. For example, if the helm release name is `messy-hydra`, one would need to set the following before proceeding. The example scripts below assume 3 pods only.
+
+```console
+export RELEASE_NAME=messy-hydra
+```
+
+### Cluster Health
+
+```console
+for i in 0 1 2; do kubectl exec $RELEASE_NAME-mongodb-replicaset-$i -- sh -c 'mongo --eval="printjson(db.serverStatus())"'; done
+```
+
+### Failover
+
+One can check the roles being played by each node by using the following:
+
+```console
+$ for i in 0 1 2; do kubectl exec $RELEASE_NAME-mongodb-replicaset-$i -- sh -c 'mongo --eval="printjson(rs.isMaster())"'; done
+
+MongoDB shell version: 3.6.3
+connecting to: mongodb://127.0.0.1:27017
+MongoDB server version: 3.6.3
+{
+  "hosts" : [
+    "messy-hydra-mongodb-0.messy-hydra-mongodb.default.svc.cluster.local:27017",
+    "messy-hydra-mongodb-1.messy-hydra-mongodb.default.svc.cluster.local:27017",
+    "messy-hydra-mongodb-2.messy-hydra-mongodb.default.svc.cluster.local:27017"
+  ],
+  "setName" : "rs0",
+  "setVersion" : 3,
+  "ismaster" : true,
+  "secondary" : false,
+  "primary" : "messy-hydra-mongodb-0.messy-hydra-mongodb.default.svc.cluster.local:27017",
+  "me" : "messy-hydra-mongodb-0.messy-hydra-mongodb.default.svc.cluster.local:27017",
+  "electionId" : ObjectId("7fffffff0000000000000001"),
+  "maxBsonObjectSize" : 16777216,
+  "maxMessageSizeBytes" : 48000000,
+  "maxWriteBatchSize" : 1000,
+  "localTime" : ISODate("2016-09-13T01:10:12.680Z"),
+  "maxWireVersion" : 4,
+  "minWireVersion" : 0,
+  "ok" : 1
+}
+```
+
+This lets us see which member is primary.
+
+Let us now test persistence and failover. First, we insert a key (in the below example, we assume pod 0 is the master):
+
+```console
+$ kubectl exec $RELEASE_NAME-mongodb-replicaset-0 -- mongo --eval="printjson(db.test.insert({key1: 'value1'}))"
+
+MongoDB shell version: 3.6.3
+connecting to: mongodb://127.0.0.1:27017
+{ "nInserted" : 1 }
+```
+
+Watch existing members:
+
+```console
+$ kubectl run --attach bbox --image=mongo:3.6 --restart=Never --env="RELEASE_NAME=$RELEASE_NAME" -- sh -c 'while true; do for i in 0 1 2; do echo $RELEASE_NAME-mongodb-replicaset-$i $(mongo --host=$RELEASE_NAME-mongodb-replicaset-$i.$RELEASE_NAME-mongodb-replicaset --eval="printjson(rs.isMaster())" | grep primary); sleep 1; done; done';
+
+Waiting for pod default/bbox2 to be running, status is Pending, pod ready: false
+If you don't see a command prompt, try pressing enter.
+messy-hydra-mongodb-2 "primary" : "messy-hydra-mongodb-0.messy-hydra-mongodb.default.svc.cluster.local:27017",
+messy-hydra-mongodb-0 "primary" : "messy-hydra-mongodb-0.messy-hydra-mongodb.default.svc.cluster.local:27017",
+messy-hydra-mongodb-1 "primary" : "messy-hydra-mongodb-0.messy-hydra-mongodb.default.svc.cluster.local:27017",
+messy-hydra-mongodb-2 "primary" : "messy-hydra-mongodb-0.messy-hydra-mongodb.default.svc.cluster.local:27017",
+messy-hydra-mongodb-0 "primary" : "messy-hydra-mongodb-0.messy-hydra-mongodb.default.svc.cluster.local:27017",
+
+```
+
+Kill the primary and watch as a new master getting elected.
+
+```console
+$ kubectl delete pod $RELEASE_NAME-mongodb-replicaset-0
+
+pod "messy-hydra-mongodb-0" deleted
+```
+
+Delete all pods and let the statefulset controller bring it up.
+
+```console
+$ kubectl delete po -l "app=mongodb-replicaset,release=$RELEASE_NAME"
+$ kubectl get po --watch-only
+NAME                    READY     STATUS        RESTARTS   AGE
+messy-hydra-mongodb-0   0/1       Pending   0         0s
+messy-hydra-mongodb-0   0/1       Pending   0         0s
+messy-hydra-mongodb-0   0/1       Pending   0         7s
+messy-hydra-mongodb-0   0/1       Init:0/2   0         7s
+messy-hydra-mongodb-0   0/1       Init:1/2   0         27s
+messy-hydra-mongodb-0   0/1       Init:1/2   0         28s
+messy-hydra-mongodb-0   0/1       PodInitializing   0         31s
+messy-hydra-mongodb-0   0/1       Running   0         32s
+messy-hydra-mongodb-0   1/1       Running   0         37s
+messy-hydra-mongodb-1   0/1       Pending   0         0s
+messy-hydra-mongodb-1   0/1       Pending   0         0s
+messy-hydra-mongodb-1   0/1       Init:0/2   0         0s
+messy-hydra-mongodb-1   0/1       Init:1/2   0         20s
+messy-hydra-mongodb-1   0/1       Init:1/2   0         21s
+messy-hydra-mongodb-1   0/1       PodInitializing   0         24s
+messy-hydra-mongodb-1   0/1       Running   0         25s
+messy-hydra-mongodb-1   1/1       Running   0         30s
+messy-hydra-mongodb-2   0/1       Pending   0         0s
+messy-hydra-mongodb-2   0/1       Pending   0         0s
+messy-hydra-mongodb-2   0/1       Init:0/2   0         0s
+messy-hydra-mongodb-2   0/1       Init:1/2   0         21s
+messy-hydra-mongodb-2   0/1       Init:1/2   0         22s
+messy-hydra-mongodb-2   0/1       PodInitializing   0         25s
+messy-hydra-mongodb-2   0/1       Running   0         26s
+messy-hydra-mongodb-2   1/1       Running   0         30s
+
+
+...
+messy-hydra-mongodb-0 "primary" : "messy-hydra-mongodb-0.messy-hydra-mongodb.default.svc.cluster.local:27017",
+messy-hydra-mongodb-1 "primary" : "messy-hydra-mongodb-0.messy-hydra-mongodb.default.svc.cluster.local:27017",
+messy-hydra-mongodb-2 "primary" : "messy-hydra-mongodb-0.messy-hydra-mongodb.default.svc.cluster.local:27017",
+```
+
+Check the previously inserted key:
+
+```console
+$ kubectl exec $RELEASE_NAME-mongodb-replicaset-1 -- mongo --eval="rs.slaveOk(); db.test.find({key1:{\$exists:true}}).forEach(printjson)"
+
+MongoDB shell version: 3.6.3
+connecting to: mongodb://127.0.0.1:27017
+{ "_id" : ObjectId("57b180b1a7311d08f2bfb617"), "key1" : "value1" }
+```
+
+### Scaling
+
+Scaling should be managed by `helm upgrade`, which is the recommended way.
+
+### Indexes and Maintenance
+
+You can run Mongo in standalone mode and execute Javascript code on each replica at initContainer time using `initMongodStandalone`.
+This allows you to create indexes on replicasets following [best practices](https://docs.mongodb.com/manual/tutorial/build-indexes-on-replica-sets/).
+
+#### Example: Creating Indexes
+
+```js
+initMongodStandalone: |+
+  db = db.getSiblingDB("mydb")
+  db.my_users.createIndex({email: 1})
+```
+
+Tail the logs to debug running indexes or to follow their progress
+
+```sh
+kubectl exec -it $RELEASE-mongodb-replicaset-0 -c bootstrap -- tail -f /work-dir/log.txt
+```
+
+### Migrate existing ReplicaSets into Kubernetes
+If you have an existing ReplicaSet that currently is deployed outside of Kubernetes and want to move it into a cluster you can do so by using the `skipInitialization` flag.
+
+First set the `skipInitialization` variable to `true` in values.yaml and install the Helm chart. That way you end up with uninitialized MongoDB pods that can be added to the existing ReplicaSet.
+
+Now take care of realizing the DNS correct resolution of all ReplicaSet members. In Kubernetes you can for example use an `ExternalName`.
+
+```
+apiVersion: v1
+kind: Service
+metadata:
+  name: mongodb01
+  namespace: mongo
+spec:
+  type: ExternalName
+  externalName: mongodb01.mydomain.com
+``` 
+
+If you also put each StatefulSet member behind a loadbalancer the ReplicaSet members outside of the cluster will also be able to reach the pods inside the cluster.
+
+```
+apiVersion: v1
+kind: Service
+metadata:
+  name: mongodb-0
+  namespace: mongo
+spec:
+  selector:
+    statefulset.kubernetes.io/pod-name: mongodb-0
+  ports:
+    - port: 27017
+      targetPort: 27017
+  type: LoadBalancer
+```
+
+Now all that is left to do is to put the LoadBalancer IP into the `/etc/hosts` file (or realize the DNS resolution through another way)
+```
+1.2.3.4       mongodb-0
+5.6.7.8       mongodb-1
+```
+
+With a setup like this each replicaset member can resolve the DNS entry of each other and you can just add the new pods to your existing MongoDB cluster as if they where just normal nodes.
+
+Of course you need to make sure to get your security settings right. Enforced TLS is a good idea in a setup like this. Also make sure that you activate auth and get the firewall settings right.
+
+Once you fully migrated remove the old nodes from the replicaset.
diff --git a/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/ci/default-values.yaml b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/ci/default-values.yaml
new file mode 100644
index 000000000..a8bad27cd
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/ci/default-values.yaml
@@ -0,0 +1 @@
+# No config change. Just use defaults.
diff --git a/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/ci/metrics-values.yaml b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/ci/metrics-values.yaml
new file mode 100644
index 000000000..df64aca1e
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/ci/metrics-values.yaml
@@ -0,0 +1,10 @@
+auth:
+  enabled: true
+  adminUser: username
+  adminPassword: password
+  metricsUser: metrics
+  metricsPassword: password
+  key: keycontent
+
+metrics:
+  enabled: true
diff --git a/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/ci/tls-values.yaml b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/ci/tls-values.yaml
new file mode 100644
index 000000000..043d7ac0c
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/ci/tls-values.yaml
@@ -0,0 +1,10 @@
+tls:
+  # Enable or disable MongoDB TLS support
+  enabled: true
+  # Please generate your own TLS CA by generating it via:
+  # $ openssl genrsa -out ca.key 2048
+  # $ openssl req -x509 -new -nodes -key ca.key -days 10000 -out ca.crt -subj "/CN=mydomain.com"
+  # After that you can base64 encode it and paste it here:
+  # $ cat ca.key | base64 -w0
+  cacert: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNxakNDQVpJQ0NRQ1I1aXNNQlRmQzdUQU5CZ2txaGtpRzl3MEJBUXNGQURBWE1SVXdFd1lEVlFRRERBeHQKZVdSdmJXRnBiaTVqYjIwd0hoY05NVGt4TVRFeU1EZ3hOakUwV2hjTk5EY3dNek13TURneE5qRTBXakFYTVJVdwpFd1lEVlFRRERBeHRlV1J2YldGcGJpNWpiMjB3Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLCkFvSUJBUUNwM0UrdVpWanhaY3BYNUFCbEtRa2crZjFmSnJzR1JJNVQrMzcyMkIvYnRyTVo4M3FyRTg2RFdEYXEKN0k1YTdlOGFVTGt2ZVpsaW02aWxsUW5CTHJPVUtVZ3R1OWZINlZydlBuMTl3UDFibEMvU0NWZHoxemNSUWlJWQpOMVVWN2VGaWUzdjhiNXVRM2RFcVBPV2FMM0w2N0Q1T0lDb043Z21QL2QwVVBaWjNHdDJLNTZsNXBzY1h4OGYwCkd3ZWdSRGpiVnZmc2dUSW50dEJ6SGh6c0JENUxON054aDd5RWVacW5admtuTDg5S2JZUEFPUk82N3NKUlBhWHMKUDhuVDhqalFJaGlRSUZDNTVXN3JrZ1hid1Znajdwb0kyby9XSDM4WXZ6TG1OVnMyOThYUDZmUXhCQ0NwMmFjRgpkOTVQRjZmbFVJeW9RNGRuOUF5UlpRa0owdlpMQWdNQkFBRXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBS21XCjY2SlB4V0E4MVlYTEZtclFrdmM2NE9ycFJXTHJtNHFqaFREREtvVzY1V291MzNyOEVVQktzQ2FQOHNWWXhobFQKaWhGcDhIemNqTXpWRjFqU3ZiT0c5UnhrSG16ZEIvL3FwMDdTVFp0S2R1cThad2RVdnh1Z1FXSFNzOHA4YVNHUAowNDlkSDBqUnpEZklyVGp4Z3ZNOUJlWmorTkdqT1FyUGRvQVBKeTl2THowZmYya1gzVjJadTFDWnNnbDNWUXFsCjRsNzB3azFuVk5tTXY4Nnl5cUZXaWFRTWhuSXFjKzBwYUJaRjJFSGNpSExuZWcweVVTZVN4REsrUkk4SE9mT3oKNVFpUHpqSGs1b3czd252NDhQWVJMODdLTWJtRzF0eThyRHMxUlVGWkZueGxHd0t4UmRmckt3aHJJbVRBT2N4Vwo5bVhCU3ZzY3RjM2tIZTRIVFdRPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg=="
+  cakey: "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBcWR4UHJtVlk4V1hLVitRQVpTa0pJUG45WHlhN0JrU09VL3QrOXRnZjI3YXpHZk42CnF4UE9nMWcycXV5T1d1M3ZHbEM1TDNtWllwdW9wWlVKd1M2emxDbElMYnZYeCtsYTd6NTlmY0Q5VzVRdjBnbFgKYzljM0VVSWlHRGRWRmUzaFludDcvRytia04zUktqemxtaTl5K3V3K1RpQXFEZTRKai8zZEZEMldkeHJkaXVlcAplYWJIRjhmSDlCc0hvRVE0MjFiMzdJRXlKN2JRY3g0YzdBUStTemV6Y1llOGhIbWFwMmI1SnkvUFNtMkR3RGtUCnV1N0NVVDJsN0QvSjAvSTQwQ0lZa0NCUXVlVnU2NUlGMjhGWUkrNmFDTnFQMWg5L0dMOHk1alZiTnZmRnorbjAKTVFRZ3FkbW5CWGZlVHhlbjVWQ01xRU9IWi9RTWtXVUpDZEwyU3dJREFRQUJBb0lCQVFDVWM3eWNBVzFMaEpmawpXcHRSemh4eFdxcnJSeEU3ZUIwZ0h2UW16bHFCanRwVyt1bWhyT3pXOC9qTFIzVmUyUVlZYktaOGJIejJwbTR0ClVPVTJsaGRTalFYTkdwZUsyMUtqTjIwN3c3aHFHa2YwL0Q4WE9lZWh5TGU5akZacmxQeGZNdWI0aDU1aGJNdUsKYTdDTElaOE8xL3ZZRWRwUFZGTzlLYlRYSk1CbEZJUERUaFJvR2RCTEFkREZNbzcrUnZYSFRUcXdyWmxDbWRDbgp5eld3WkhIQUZhdEdGWU9ybXcxdlZZY3h0OXk5c0FVZDBrVTQza05jVHVHR0MwMGh1QlZMcW9JZU9mMG12TDB0Ckg0S0d6LzBicGp4NFpoWlNKazd3ZkFsQ0xGL1N5YzVJOEJXWWNCb05Jc0RSbDdDUmpDVUoxYVNBNVNYNzZ2SVoKSlhnRWEyV3hBb0dCQU50M0pDRGtycjNXRmJ3cW1SZ2ZhUVV0UE1FVnZlVnJvQmRqZTBZVFFNbENlNTV2QU1uNQpadEFKQTVKTmxKN2VZRkVEa0JrVURJSDFDM3hlZHVWbEREWXpESzRpR0V1Wk8wVDNERFN3aks2cExsZ3JBN0QyCmZnS29ubVdGck5JdTI4UW1MNHhmcjUrWW9SNUo0L05QdFdWOWwwZk1NOHEwSTd5SVRNODlsZWlqQW9HQkFNWWoKTHk3VER1MWVJVWkrQXJFNTJFMEkwTVJPNWNLS2hxdGxJMnpCZkZlWm5LYWdwbnhCMTMxbi9wcGg0Wm1IYnMzZQpxOXBSb0RJT0h4cm5NOWFCa1JBTHJHNjBMeXF3eU5NNW1JemkvQytJK2RVOG55ZXIvZVNNRTNtdlFzbmpVcEhtClRtTjRrM0l4RWtqRnhCazVndFNlNlA5U0UyOFd6eVZoOGlkZHRjNDVBb0dBYzcwWFBvbWJaZDM3UkdxcXBrQWEKWUhLRThjY0hpSEFEMDVIUk54bDhOeWRxamhrNEwwdnAzcGlDVzZ1eVR6NHpTVVk1dmlBR29KcWNYaEJyWDNxMAp2L2lZSFZVNXZ0U21ueTR5TDY5VDRlQ3k0aWg5SDl3K2hDUnN0Rm1VMUp1RnBxSUV2V0RRKzdmQWNIckRUbE9nCjlFOFJjdm5MN29DbHdBMlpoRW1VUDBVQ2dZQWFhdUtGbWJwcHg1MGtkOEVnSkJoRTNTSUlxb1JUMWVoeXZiOWwKWnI3UFp6bk50YW04ODRKcHhBM2NRNlN5dGEzK1lPd0U1ZEU0RzAzbVptRXcvb0Y2NURPUFp4TEszRnRLWG1tSwpqMUVVZld6aUUzMGM2ditsRTFBZGIxSzJYRXJNRFNyeWRFY2tlSXA1alhUQjhEc1RZa1NxbGlUbE1PTlpscCtVCnhCZlRjUUtCZ0RoZHo4VjU1TzdNc0dyRVlQeGhoK0U0bklLb3BRc0RlNi9QdWRRVlJMRlNwVGpLNWlKcTF2RnIKajFyNDFCNFp0cjBYNGd6MzhrSUpwZGNvNUFxU25zVENreHhnYXh3RTNzVmlqNGZZRWlteDc3TS84VkZVbDZwLwphNmdBbFh2WHFaYmFvTGU3ekM2RXVZWjFtUzJGMVd4UE9KRzZpakFiMVNIQjVPOGFWdFR3Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg=="
diff --git a/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/init/on-start.sh b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/init/on-start.sh
new file mode 100644
index 000000000..12ac89364
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/init/on-start.sh
@@ -0,0 +1,226 @@
+#!/usr/bin/env bash
+
+# Copyright 2018 The Kubernetes Authors. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e pipefail
+
+port=27017
+replica_set="$REPLICA_SET"
+script_name=${0##*/}
+SECONDS=0
+timeout="${TIMEOUT:-900}"
+tls_mode="${TLS_MODE}"
+
+if [[ "$AUTH" == "true" ]]; then
+    admin_user="$ADMIN_USER"
+    admin_password="$ADMIN_PASSWORD"
+    admin_creds=(-u "$admin_user" -p "$admin_password")
+    if [[ "$METRICS" == "true" ]]; then
+        metrics_user="$METRICS_USER"
+        metrics_password="$METRICS_PASSWORD"
+    fi
+    auth_args=("--auth" "--keyFile=/data/configdb/key.txt")
+fi
+
+log() {
+    local msg="$1"
+    local timestamp
+    timestamp=$(date --iso-8601=ns)
+    echo "[$timestamp] [$script_name] $msg" 2>&1 | tee -a /work-dir/log.txt 1>&2
+}
+
+retry_until() {
+    local host="${1}"
+    local command="${2}"
+    local expected="${3}"
+    local creds=("${admin_creds[@]}")
+
+    # Don't need credentials for admin user creation and pings that run on localhost
+    if [[ "${host}" =~ ^localhost ]]; then
+        creds=()
+    fi
+
+    until [[ $(mongo admin --host "${host}" "${creds[@]}" "${ssl_args[@]}" --quiet --eval "${command}" | tail -n1) == "${expected}" ]]; do
+        sleep 1
+
+        if (! ps "${pid}" &>/dev/null); then
+            log "mongod shutdown unexpectedly"
+            exit 1
+        fi
+        if [[ "${SECONDS}" -ge "${timeout}" ]]; then
+            log "Timed out after ${timeout}s attempting to bootstrap mongod"
+            exit 1
+        fi
+
+        log "Retrying ${command} on ${host}"
+    done
+}
+
+shutdown_mongo() {
+    local host="${1:-localhost}"
+    local args='force: true'
+    log "Shutting down MongoDB ($args)..."
+    if (! mongo admin --host "${host}" "${admin_creds[@]}" "${ssl_args[@]}" --eval "db.shutdownServer({$args})"); then
+      log "db.shutdownServer() failed, sending the terminate signal"
+      kill -TERM "${pid}"
+    fi
+}
+
+init_mongod_standalone() {
+    if [[ ! -f /init/initMongodStandalone.js ]]; then
+        log "Skipping init mongod standalone script"
+        return 0
+    elif [[ -z "$(ls -1A /data/db)" ]]; then
+        log "mongod standalone script currently not supported on initial install"
+        return 0
+    fi
+
+    local port="27018"
+    log "Starting a MongoDB instance as standalone..."
+    mongod --config /data/configdb/mongod.conf --dbpath=/data/db "${auth_args[@]}" "${ssl_server_args[@]}" --port "${port}" --bind_ip=0.0.0.0 2>&1 | tee -a /work-dir/log.txt 1>&2 &
+    export pid=$!
+    trap shutdown_mongo EXIT
+    log "Waiting for MongoDB to be ready..."
+    retry_until "localhost:${port}" "db.adminCommand('ping').ok" "1"
+    log "Running init js script on standalone mongod"
+    mongo admin --port "${port}" "${admin_creds[@]}" "${ssl_args[@]}" /init/initMongodStandalone.js
+    shutdown_mongo "localhost:${port}"
+}
+
+my_hostname=$(hostname)
+log "Bootstrapping MongoDB replica set member: $my_hostname"
+
+log "Reading standard input..."
+while read -ra line; do
+    if [[ "${line}" == *"${my_hostname}"* ]]; then
+        service_name="$line"
+    fi
+    peers=("${peers[@]}" "$line")
+done
+
+# Generate the ca cert
+ca_crt=/data/configdb/tls.crt
+if [ -f "$ca_crt"  ]; then
+    log "Generating certificate"
+    ca_key=/data/configdb/tls.key
+    pem=/work-dir/mongo.pem
+    ssl_args=(--ssl --sslCAFile "$ca_crt" --sslPEMKeyFile "$pem")
+    ssl_server_args=(--sslMode "$tls_mode" --sslCAFile "$ca_crt" --sslPEMKeyFile "$pem")
+
+# Move into /work-dir
+pushd /work-dir
+
+cat >openssl.cnf <<EOL
+[req]
+req_extensions = v3_req
+distinguished_name = req_distinguished_name
+[req_distinguished_name]
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = @alt_names
+[alt_names]
+DNS.1 = $(echo -n "$my_hostname" | sed s/-[0-9]*$//)
+DNS.2 = $my_hostname
+DNS.3 = $service_name
+DNS.4 = localhost
+DNS.5 = 127.0.0.1
+EOL
+
+    # Generate the certs
+    openssl genrsa -out mongo.key 2048
+    openssl req -new -key mongo.key -out mongo.csr -subj "/OU=MongoDB/CN=$my_hostname" -config openssl.cnf
+    openssl x509 -req -in mongo.csr \
+        -CA "$ca_crt" -CAkey "$ca_key" -CAcreateserial \
+        -out mongo.crt -days 3650 -extensions v3_req -extfile openssl.cnf
+
+    rm mongo.csr
+    cat mongo.crt mongo.key > $pem
+    rm mongo.key mongo.crt
+fi
+
+init_mongod_standalone
+
+if [[ "${SKIP_INIT}" == "true" ]]; then
+    log "Skipping initialization"
+    exit 0
+fi
+
+log "Peers: ${peers[*]}"
+log "Starting a MongoDB replica"
+mongod --config /data/configdb/mongod.conf --dbpath=/data/db --replSet="$replica_set" --port="${port}" "${auth_args[@]}" "${ssl_server_args[@]}" --bind_ip=0.0.0.0 2>&1 | tee -a /work-dir/log.txt 1>&2 &
+pid=$!
+trap shutdown_mongo EXIT
+
+log "Waiting for MongoDB to be ready..."
+retry_until "localhost" "db.adminCommand('ping').ok" "1"
+log "Initialized."
+
+# try to find a master
+for peer in "${peers[@]}"; do
+    log "Checking if ${peer} is primary"
+    # Check rs.status() first since it could be in primary catch up mode which db.isMaster() doesn't show
+    if [[ $(mongo admin --host "${peer}" "${admin_creds[@]}" "${ssl_args[@]}" --quiet --eval "rs.status().myState") == "1" ]]; then
+        retry_until "${peer}" "db.isMaster().ismaster" "true"
+        log "Found primary: ${peer}"
+        primary="${peer}"
+        break
+    fi
+done
+
+if [[ "${primary}" = "${service_name}" ]]; then
+    log "This replica is already PRIMARY"
+elif [[ -n "${primary}" ]]; then
+    if [[ $(mongo admin --host "${primary}" "${admin_creds[@]}" "${ssl_args[@]}" --quiet --eval "rs.conf().members.findIndex(m => m.host == '${service_name}:${port}')") == "-1" ]]; then
+      log "Adding myself (${service_name}) to replica set..."
+      if (mongo admin --host "${primary}" "${admin_creds[@]}" "${ssl_args[@]}" --eval "rs.add('${service_name}')" | grep 'Quorum check failed'); then
+          log 'Quorum check failed, unable to join replicaset. Exiting prematurely.'
+          exit 1
+      fi
+    fi
+
+    sleep 3
+    log 'Waiting for replica to reach SECONDARY state...'
+    retry_until "${service_name}" "rs.status().myState" "2"
+    log '✓ Replica reached SECONDARY state.'
+
+elif (mongo "${ssl_args[@]}" --eval "rs.status()" | grep "no replset config has been received"); then
+    log "Initiating a new replica set with myself ($service_name)..."
+    mongo "${ssl_args[@]}" --eval "rs.initiate({'_id': '$replica_set', 'members': [{'_id': 0, 'host': '$service_name'}]})"
+
+    sleep 3
+    log 'Waiting for replica to reach PRIMARY state...'
+    retry_until "localhost" "db.isMaster().ismaster" "true"
+    primary="${service_name}"
+    log '✓ Replica reached PRIMARY state.'
+
+    if [[ "${AUTH}" == "true" ]]; then
+        log "Creating admin user..."
+        mongo admin "${ssl_args[@]}" --eval "db.createUser({user: '${admin_user}', pwd: '${admin_password}', roles: [{role: 'root', db: 'admin'}]})"
+    fi
+fi
+
+# User creation
+if [[ -n "${primary}" && "$AUTH" == "true" && "$METRICS" == "true" ]]; then
+    metric_user_count=$(mongo admin --host "${primary}" "${admin_creds[@]}" "${ssl_args[@]}" --eval "db.system.users.find({user: '${metrics_user}'}).count()" --quiet)
+    if [[ "${metric_user_count}" == "0" ]]; then
+        log "Creating clusterMonitor user..."
+        mongo admin --host "${primary}" "${admin_creds[@]}" "${ssl_args[@]}" --eval "db.createUser({user: '${metrics_user}', pwd: '${metrics_password}', roles: [{role: 'clusterMonitor', db: 'admin'}, {role: 'read', db: 'local'}]})"
+    fi
+fi
+
+log "MongoDB bootstrap complete"
+exit 0
+
diff --git a/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/NOTES.txt b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/NOTES.txt
new file mode 100644
index 000000000..2d942592e
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/NOTES.txt
@@ -0,0 +1,14 @@
+1. After the statefulset is created completely, one can check which instance is primary by running:
+
+    $ for ((i = 0; i < {{ .Values.replicas }}; ++i)); do kubectl exec --namespace {{ .Release.Namespace }} {{ template "mongodb-replicaset.fullname" . }}-$i -- sh -c 'mongo --eval="printjson(rs.isMaster())"'; done
+
+2. One can insert a key into the primary instance of the mongodb replica set by running the following:
+    MASTER_POD_NAME must be replaced with the name of the master found from the previous step.
+
+    $ kubectl exec --namespace {{ .Release.Namespace }} MASTER_POD_NAME -- mongo --eval="printjson(db.test.insert({key1: 'value1'}))"
+
+3. One can fetch the keys stored in the primary or any of the slave nodes in the following manner.
+    POD_NAME must be replaced by the name of the pod being queried.
+
+    $ kubectl exec --namespace {{ .Release.Namespace }} POD_NAME -- mongo --eval="rs.slaveOk(); db.test.find().forEach(printjson)"
+
diff --git a/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/_helpers.tpl b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/_helpers.tpl
new file mode 100644
index 000000000..223ec6604
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/_helpers.tpl
@@ -0,0 +1,78 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "mongodb-replicaset.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "mongodb-replicaset.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "mongodb-replicaset.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create the name for the admin secret.
+*/}}
+{{- define "mongodb-replicaset.adminSecret" -}}
+    {{- if .Values.auth.existingAdminSecret -}}
+        {{- .Values.auth.existingAdminSecret -}}
+    {{- else -}}
+        {{- template "mongodb-replicaset.fullname" . -}}-admin
+    {{- end -}}
+{{- end -}}
+
+{{- define "mongodb-replicaset.metricsSecret" -}}
+    {{- if .Values.auth.existingMetricsSecret -}}
+        {{- .Values.auth.existingMetricsSecret -}}
+    {{- else -}}
+        {{- template "mongodb-replicaset.fullname" . -}}-metrics
+    {{- end -}}
+{{- end -}}
+
+
+{{/*
+Create the name for the key secret.
+*/}}
+{{- define "mongodb-replicaset.keySecret" -}}
+    {{- if .Values.auth.existingKeySecret -}}
+        {{- .Values.auth.existingKeySecret -}}
+    {{- else -}}
+        {{- template "mongodb-replicaset.fullname" . -}}-keyfile
+    {{- end -}}
+{{- end -}}
+
+{{- define "mongodb-replicaset.connection-string" -}}
+  {{- $string := "" -}}
+  {{- if .Values.auth.enabled }}
+   {{- $string = printf "mongodb://$METRICS_USER:$METRICS_PASSWORD@localhost:%s" (.Values.port|toString) -}}
+  {{- else -}}
+   {{- $string = printf "mongodb://localhost:%s" (.Values.port|toString) -}}
+  {{- end -}}
+
+  {{- if .Values.tls.enabled }}
+  {{- printf "%s?ssl=true&tlsCertificateKeyFile=/work-dir/mongo.pem&tlsCAFile=/ca/tls.crt" $string -}}
+  {{- else -}}
+  {{- printf $string -}}
+  {{- end -}}
+{{- end -}}
diff --git a/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/mongodb-admin-secret.yaml b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/mongodb-admin-secret.yaml
new file mode 100644
index 000000000..311f2e0e4
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/mongodb-admin-secret.yaml
@@ -0,0 +1,18 @@
+{{- if and (.Values.auth.enabled) (not .Values.auth.existingAdminSecret) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  labels:
+    app: {{ template "mongodb-replicaset.name" . }}
+    chart: {{ template "mongodb-replicaset.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+{{- if .Values.extraLabels }}
+{{ toYaml .Values.extraLabels | indent 4 }}
+{{- end }}
+  name: {{ template "mongodb-replicaset.adminSecret" . }}
+type: Opaque
+data:
+  user: {{ .Values.auth.adminUser | b64enc }}
+  password: {{ .Values.auth.adminPassword | b64enc }}
+{{- end -}}
diff --git a/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/mongodb-ca-secret.yaml b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/mongodb-ca-secret.yaml
new file mode 100644
index 000000000..03762529c
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/mongodb-ca-secret.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.tls.enabled -}}
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/tls
+metadata:
+  labels:
+    app: {{ template "mongodb-replicaset.name" . }}
+    chart: {{ template "mongodb-replicaset.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+{{- if .Values.extraLabels }}
+{{ toYaml .Values.extraLabels | indent 4 }}
+{{- end }}
+  name: {{ template "mongodb-replicaset.fullname" . }}-ca
+data:
+  tls.key: {{ .Values.tls.cakey }}
+  tls.crt: {{ .Values.tls.cacert }}
+{{- end -}}
diff --git a/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/mongodb-init-configmap.yaml b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/mongodb-init-configmap.yaml
new file mode 100644
index 000000000..8f5ba0db5
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/mongodb-init-configmap.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    app: {{ template "mongodb-replicaset.name" . }}
+    chart: {{ template "mongodb-replicaset.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+{{- if .Values.extraLabels }}
+{{ toYaml .Values.extraLabels | indent 4 }}
+{{- end }}
+  name: {{ template "mongodb-replicaset.fullname" . }}-init
+data:
+  on-start.sh: |
+{{ .Files.Get "init/on-start.sh" | indent 4 }}
+{{- if .Values.initMongodStandalone }}
+  initMongodStandalone.js: |
+{{ .Values.initMongodStandalone | indent 4 }}
+{{- end }}
+
diff --git a/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/mongodb-keyfile-secret.yaml b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/mongodb-keyfile-secret.yaml
new file mode 100644
index 000000000..5e0513ebb
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/mongodb-keyfile-secret.yaml
@@ -0,0 +1,17 @@
+{{- if and (.Values.auth.enabled) (not .Values.auth.existingKeySecret) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  labels:
+    app: {{ template "mongodb-replicaset.name" . }}
+    chart: {{ template "mongodb-replicaset.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+{{- if .Values.extraLabels }}
+{{ toYaml .Values.extraLabels | indent 4 }}
+{{- end }}
+  name: {{ template "mongodb-replicaset.keySecret" . }}
+type: Opaque
+data:
+  key.txt: {{ .Values.auth.key | b64enc }}
+{{- end -}}
diff --git a/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/mongodb-metrics-secret.yaml b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/mongodb-metrics-secret.yaml
new file mode 100644
index 000000000..c1484481e
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/mongodb-metrics-secret.yaml
@@ -0,0 +1,18 @@
+{{- if and (.Values.auth.enabled) (not .Values.auth.existingMetricsSecret) (.Values.metrics.enabled) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  labels:
+    app: {{ template "mongodb-replicaset.name" . }}
+    chart: {{ template "mongodb-replicaset.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+{{- if .Values.extraLabels }}
+{{ toYaml .Values.extraLabels | indent 4 }}
+{{- end }}
+  name: {{ template "mongodb-replicaset.metricsSecret" . }}
+type: Opaque
+data:
+  user: {{ .Values.auth.metricsUser | b64enc }}
+  password: {{ .Values.auth.metricsPassword | b64enc }}
+{{- end -}}
diff --git a/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/mongodb-mongodb-configmap.yaml b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/mongodb-mongodb-configmap.yaml
new file mode 100644
index 000000000..eec20b991
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/mongodb-mongodb-configmap.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    app: {{ template "mongodb-replicaset.name" . }}
+    chart: {{ template "mongodb-replicaset.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+{{- if .Values.extraLabels }}
+{{ toYaml .Values.extraLabels | indent 4 }}
+{{- end }}
+  name: {{ template "mongodb-replicaset.fullname" . }}-mongodb
+data:
+  mongod.conf: |
+{{ toYaml .Values.configmap | indent 4 }}
diff --git a/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/mongodb-poddisruptionbudget.yaml b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/mongodb-poddisruptionbudget.yaml
new file mode 100644
index 000000000..6768aa3b0
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/mongodb-poddisruptionbudget.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.podDisruptionBudget -}}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+  labels:
+    app: {{ template "mongodb-replicaset.name" . }}
+    chart: {{ template "mongodb-replicaset.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+{{- if .Values.extraLabels }}
+{{ toYaml .Values.extraLabels | indent 4 }}
+{{- end }}
+  name: {{ template "mongodb-replicaset.fullname" . }}
+spec:
+  selector:
+    matchLabels:
+      app: {{ template "mongodb-replicaset.name" . }}
+      release: {{ .Release.Name }}
+{{ toYaml .Values.podDisruptionBudget | indent 2 }}
+{{- end -}}
diff --git a/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/mongodb-service-client.yaml b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/mongodb-service-client.yaml
new file mode 100644
index 000000000..3982aae4c
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/mongodb-service-client.yaml
@@ -0,0 +1,32 @@
+# A headless service for client applications to use
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+  {{- if .Values.serviceAnnotations }}
+{{ toYaml .Values.serviceAnnotations | indent 4 }}
+  {{- end }}
+  labels:
+    app: {{ template "mongodb-replicaset.name" . }}
+    chart: {{ template "mongodb-replicaset.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+{{- if .Values.extraLabels }}
+{{ toYaml .Values.extraLabels | indent 4 }}
+{{- end }}
+  name: {{ template "mongodb-replicaset.fullname" . }}-client
+spec:
+  type: ClusterIP
+  clusterIP: None
+  ports:
+    - name: mongodb
+      port: {{ .Values.port }}
+{{- if .Values.metrics.enabled }}
+    - name: metrics
+      port: {{ .Values.metrics.port }}
+      targetPort: metrics
+{{- end }}
+  selector:
+    app: {{ template "mongodb-replicaset.name" . }}
+    release: {{ .Release.Name }}
+
diff --git a/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/mongodb-service.yaml b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/mongodb-service.yaml
new file mode 100644
index 000000000..99748a668
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/mongodb-service.yaml
@@ -0,0 +1,25 @@
+# A headless service to create DNS records for discovery purposes. Use the -client service to connect applications
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+  labels:
+    app: {{ template "mongodb-replicaset.name" . }}
+    chart: {{ template "mongodb-replicaset.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+{{- if .Values.extraLabels }}
+{{ toYaml .Values.extraLabels | indent 4 }}
+{{- end }}
+  name: {{ template "mongodb-replicaset.fullname" . }}
+spec:
+  type: ClusterIP
+  clusterIP: None
+  ports:
+    - name: mongodb
+      port: {{ .Values.port }}
+  publishNotReadyAddresses: true
+  selector:
+    app: {{ template "mongodb-replicaset.name" . }}
+    release: {{ .Release.Name }}
diff --git a/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/mongodb-statefulset.yaml b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/mongodb-statefulset.yaml
new file mode 100644
index 000000000..60c043aa6
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/mongodb-statefulset.yaml
@@ -0,0 +1,354 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  labels:
+    app: {{ template "mongodb-replicaset.name" . }}
+    chart: {{ template "mongodb-replicaset.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+{{- if .Values.extraLabels }}
+{{ toYaml .Values.extraLabels | indent 4 }}
+{{- end }}
+  name: {{ template "mongodb-replicaset.fullname" . }}
+spec:
+  selector:
+    matchLabels:
+      app: {{ template "mongodb-replicaset.name" . }}
+      release: {{ .Release.Name }}
+  serviceName: {{ template "mongodb-replicaset.fullname" . }}
+  replicas: {{ .Values.replicas }}
+  template:
+    metadata:
+      labels:
+        app: {{ template "mongodb-replicaset.name" . }}
+        release: {{ .Release.Name }}
+{{- if .Values.extraLabels }}
+{{ toYaml .Values.extraLabels | indent 8 }}
+{{- end }}
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/mongodb-mongodb-configmap.yaml") . | sha256sum }}
+      {{- if and (.Values.metrics.prometheusServiceDiscovery) (.Values.metrics.enabled) }}
+        prometheus.io/scrape: "true"
+        prometheus.io/port: {{ .Values.metrics.port | quote }}
+        prometheus.io/path: {{ .Values.metrics.path | quote }}
+      {{- end }}
+      {{- if .Values.podAnnotations }}
+{{ toYaml .Values.podAnnotations | indent 8 }}
+      {{- end }}
+    spec:
+    {{- if .Values.priorityClassName }}
+      priorityClassName: {{ .Values.priorityClassName }}
+    {{- end }}
+    {{- if .Values.imagePullSecrets }}
+      imagePullSecrets:
+      {{- range .Values.imagePullSecrets }}
+        - name: {{ . }}
+      {{- end}}
+    {{- end }}
+    {{- if .Values.securityContext.enabled }}
+      securityContext:
+        runAsUser: {{ .Values.securityContext.runAsUser }}
+        fsGroup: {{ .Values.securityContext.fsGroup }}
+        runAsNonRoot: {{ .Values.securityContext.runAsNonRoot }}
+    {{- end }}
+      terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
+      initContainers:
+        - name: copy-config
+          image: "{{ .Values.copyConfigImage.repository }}:{{ .Values.copyConfigImage.tag }}"
+          imagePullPolicy: {{ .Values.copyConfigImage.pullPolicy | quote }}
+          command:
+            - "sh"
+          args:
+            - "-c"
+            - |
+              set -e
+              set -x
+
+              cp /configdb-readonly/mongod.conf /data/configdb/mongod.conf
+
+            {{- if .Values.tls.enabled }}
+              cp /ca-readonly/tls.key /data/configdb/tls.key
+              cp /ca-readonly/tls.crt /data/configdb/tls.crt
+            {{- end }}
+
+            {{- if .Values.auth.enabled }}
+              cp /keydir-readonly/key.txt /data/configdb/key.txt
+              chmod 600 /data/configdb/key.txt
+            {{- end }}
+          volumeMounts:
+            - name: workdir
+              mountPath: /work-dir
+            - name: config
+              mountPath: /configdb-readonly
+            - name: configdir
+              mountPath: /data/configdb
+          {{- if .Values.tls.enabled }}
+            - name: ca
+              mountPath: /ca-readonly
+          {{- end }}
+          {{- if .Values.auth.enabled }}
+            - name: keydir
+              mountPath: /keydir-readonly
+          {{- end }}
+          resources:
+{{ toYaml .Values.init.resources | indent 12 }}
+        - name: install
+          image: "{{ .Values.installImage.repository }}:{{ .Values.installImage.tag }}"
+          args:
+            - --work-dir=/work-dir
+          imagePullPolicy: "{{ .Values.installImage.pullPolicy }}"
+          volumeMounts:
+            - name: workdir
+              mountPath: /work-dir
+          resources:
+{{ toYaml .Values.init.resources | indent 12 }}
+        - name: bootstrap
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          command:
+            - /work-dir/peer-finder
+          args:
+            - -on-start=/init/on-start.sh
+            - "-service={{ template "mongodb-replicaset.fullname" . }}"
+          imagePullPolicy: "{{ .Values.image.pullPolicy }}"
+          env:
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: metadata.namespace
+            - name: REPLICA_SET
+              value: {{ .Values.replicaSetName }}
+            - name: TIMEOUT
+              value: "{{ .Values.init.timeout }}"
+            - name: SKIP_INIT
+              value: "{{ .Values.skipInitialization }}"
+            - name: TLS_MODE
+              value: {{ .Values.tls.mode }}
+          {{- if .Values.auth.enabled }}
+            - name: AUTH
+              value: "true"
+            - name: ADMIN_USER
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ template "mongodb-replicaset.adminSecret" . }}"
+                  key: user
+            - name: ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ template "mongodb-replicaset.adminSecret" . }}"
+                  key: password
+          {{- if .Values.metrics.enabled }}
+            - name: METRICS
+              value: "true"
+            - name: METRICS_USER
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ template "mongodb-replicaset.metricsSecret" . }}"
+                  key: user
+            - name: METRICS_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ template "mongodb-replicaset.metricsSecret" . }}"
+                  key: password
+          {{- end }}
+          {{- end }}
+          volumeMounts:
+            - name: workdir
+              mountPath: /work-dir
+            - name: init
+              mountPath: /init
+            - name: configdir
+              mountPath: /data/configdb
+            - name: datadir
+              mountPath: /data/db
+          resources:
+{{ toYaml .Values.init.resources | indent 12 }}
+      containers:
+        - name: {{ template "mongodb-replicaset.name" . }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: "{{ .Values.image.pullPolicy }}"
+        {{- if .Values.extraVars }}
+          env:
+{{ toYaml .Values.extraVars | indent 12 }}
+        {{- end }}
+          ports:
+            - name: mongodb
+              containerPort: 27017
+          resources:
+{{ toYaml .Values.resources | indent 12 }}
+          command:
+            - mongod
+          args:
+            - --config=/data/configdb/mongod.conf
+            - --dbpath=/data/db
+            - --replSet={{ .Values.replicaSetName }}
+            - --port=27017
+            - --bind_ip=0.0.0.0
+          {{- if .Values.auth.enabled }}
+            - --auth
+            - --keyFile=/data/configdb/key.txt
+          {{- end }}
+          {{- if .Values.tls.enabled }}
+            - --sslMode={{ .Values.tls.mode }}
+            - --sslCAFile=/data/configdb/tls.crt
+            - --sslPEMKeyFile=/work-dir/mongo.pem
+          {{- end }}
+          livenessProbe:
+            exec:
+              command:
+                - mongo
+              {{- if .Values.tls.enabled }}
+                - --ssl
+                - --sslCAFile=/data/configdb/tls.crt
+                - --sslPEMKeyFile=/work-dir/mongo.pem
+              {{- end }}
+                - --eval
+                - "db.adminCommand('ping')"
+            initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
+            timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
+            failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
+            periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
+            successThreshold: {{ .Values.livenessProbe.successThreshold }}
+          readinessProbe:
+            exec:
+              command:
+                - mongo
+              {{- if .Values.tls.enabled }}
+                - --ssl
+                - --sslCAFile=/data/configdb/tls.crt
+                - --sslPEMKeyFile=/work-dir/mongo.pem
+              {{- end }}
+                - --eval
+                - "db.adminCommand('ping')"
+            initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
+            timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
+            failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
+            periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
+            successThreshold: {{ .Values.readinessProbe.successThreshold }}
+          volumeMounts:
+            - name: datadir
+              mountPath: /data/db
+            - name: configdir
+              mountPath: /data/configdb
+            - name: workdir
+              mountPath: /work-dir
+{{ if .Values.metrics.enabled }}
+        - name: metrics
+          image: "{{ .Values.metrics.image.repository }}:{{ .Values.metrics.image.tag }}"
+          imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }}
+          command:
+            - sh
+            - -c
+            - >-
+              /bin/mongodb_exporter
+              --mongodb.uri {{ template "mongodb-replicaset.connection-string" . }}
+              --mongodb.socket-timeout={{ .Values.metrics.socketTimeout }}
+              --mongodb.sync-timeout={{ .Values.metrics.syncTimeout }}
+              --web.telemetry-path={{ .Values.metrics.path }}
+              --web.listen-address=:{{ .Values.metrics.port }}
+          volumeMounts:
+          {{- if and (.Values.tls.enabled) }}
+            - name: ca
+              mountPath: /ca
+              readOnly: true
+          {{- end }}
+            - name: workdir
+              mountPath: /work-dir
+              readOnly: true
+          env:
+          {{- if .Values.auth.enabled }}
+            - name: METRICS_USER
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ template "mongodb-replicaset.metricsSecret" . }}"
+                  key: user
+            - name: METRICS_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ template "mongodb-replicaset.metricsSecret" . }}"
+                  key: password
+          {{- end }}
+          ports:
+            - name: metrics
+              containerPort: {{ .Values.metrics.port  }}
+          resources:
+{{ toYaml .Values.metrics.resources | indent 12 }}
+          {{- if .Values.metrics.securityContext.enabled }}
+          securityContext:
+            runAsUser: {{ .Values.metrics.securityContext.runAsUser }}
+          {{- end }}
+          livenessProbe:
+            exec:
+              command:
+                - sh
+                - -c
+                - >-
+                  /bin/mongodb_exporter
+                  --mongodb.uri {{ template "mongodb-replicaset.connection-string" . }}
+                  --test
+            initialDelaySeconds: 30
+            periodSeconds: 10
+{{ end }}
+   {{- with .Values.nodeSelector }}
+      nodeSelector:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+    {{- with .Values.affinity }}
+      affinity:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+    {{- with .Values.tolerations }}
+      tolerations:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+      volumes:
+        - name: config
+          configMap:
+            name: {{ template "mongodb-replicaset.fullname" . }}-mongodb
+        - name: init
+          configMap:
+            defaultMode: 0755
+            name: {{ template "mongodb-replicaset.fullname" . }}-init
+        {{- if .Values.tls.enabled }}
+        - name: ca
+          secret:
+            defaultMode: 0400
+            secretName: {{ template "mongodb-replicaset.fullname" . }}-ca
+        {{- end }}
+        {{- if .Values.auth.enabled }}
+        - name: keydir
+          secret:
+            defaultMode: 0400
+            secretName: {{ template "mongodb-replicaset.keySecret" . }}
+        {{- end }}
+        - name: workdir
+          emptyDir: {}
+        - name: configdir
+          emptyDir: {}
+{{- if .Values.persistentVolume.enabled }}
+  volumeClaimTemplates:
+    - metadata:
+        name: datadir
+        annotations:
+        {{- range $key, $value := .Values.persistentVolume.annotations }}
+          {{ $key }}: "{{ $value }}"
+        {{- end }}
+      spec:
+        accessModes:
+        {{- range .Values.persistentVolume.accessModes }}
+          - {{ . | quote }}
+        {{- end }}
+        resources:
+          requests:
+            storage: {{ .Values.persistentVolume.size | quote }}
+      {{- if .Values.persistentVolume.storageClass }}
+      {{- if (eq "-" .Values.persistentVolume.storageClass) }}
+        storageClassName: ""
+      {{- else }}
+        storageClassName: "{{ .Values.persistentVolume.storageClass }}"
+      {{- end }}
+      {{- end }}
+{{- else }}
+        - name: datadir
+          emptyDir: {}
+{{- end }}
diff --git a/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/tests/mongodb-up-test-configmap.yaml b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/tests/mongodb-up-test-configmap.yaml
new file mode 100644
index 000000000..45854201a
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/tests/mongodb-up-test-configmap.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    app: {{ template "mongodb-replicaset.name" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+  name: {{ template "mongodb-replicaset.fullname" . }}-tests
+data:
+  mongodb-up-test.sh: |
+{{ .Files.Get "tests/mongodb-up-test.sh" | indent 4 }}
diff --git a/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/tests/mongodb-up-test-pod.yaml b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/tests/mongodb-up-test-pod.yaml
new file mode 100644
index 000000000..3e213a680
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/templates/tests/mongodb-up-test-pod.yaml
@@ -0,0 +1,79 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: {{ template "mongodb-replicaset.name" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+  name: {{ template "mongodb-replicaset.fullname" . }}-test
+  annotations:
+    "helm.sh/hook": test-success
+spec:
+  initContainers:
+    - name: test-framework
+      image: dduportal/bats:0.4.0
+      command:
+        - bash
+        - -c
+        - |
+          set -ex
+          # copy bats to tools dir
+          cp -R /usr/local/libexec/ /tools/bats/
+      volumeMounts:
+        - name: tools
+          mountPath: /tools
+  containers:
+    - name: mongo
+      image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+      command:
+        - /tools/bats/bats
+        - -t
+        - /tests/mongodb-up-test.sh
+      env:
+        - name: FULL_NAME
+          value: {{ template "mongodb-replicaset.fullname" . }}
+        - name: NAMESPACE
+          value: {{ .Release.Namespace }}
+        - name: REPLICAS
+          value: "{{ .Values.replicas }}"
+      {{- if .Values.auth.enabled }}
+        - name: AUTH
+          value: "true"
+        - name: ADMIN_USER
+          valueFrom:
+            secretKeyRef:
+              name: "{{ template "mongodb-replicaset.adminSecret" . }}"
+              key: user
+        - name: ADMIN_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: "{{ template "mongodb-replicaset.adminSecret" . }}"
+              key: password
+      {{- end }}
+      volumeMounts:
+        - name: tools
+          mountPath: /tools
+        - name: tests
+          mountPath: /tests
+      {{- if .Values.tls.enabled }}
+        - name: tls
+          mountPath: /tls
+      {{- end }}
+  volumes:
+    - name: tools
+      emptyDir: {}
+    - name: tests
+      configMap:
+        name: {{ template "mongodb-replicaset.fullname" . }}-tests
+  {{- if .Values.tls.enabled }}
+    - name: tls
+      secret:
+        secretName: {{ template "mongodb-replicaset.fullname" . }}-ca
+        items:
+          - key: tls.crt
+            path: tls.crt
+          - key: tls.key
+            path: tls.key
+  {{- end }}
+  restartPolicy: Never
diff --git a/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/test.sh b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/test.sh
new file mode 100644
index 000000000..0b7fd767b
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/test.sh
@@ -0,0 +1,48 @@
+#! /bin/bash
+
+# Copyright 2016 The Kubernetes Authors. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+NS="${RELEASE_NAMESPACE:-default}"
+POD_NAME="${RELEASE_NAME:-mongo}-mongodb-replicaset"
+
+MONGOCACRT=/ca/tls.crt
+MONGOPEM=/work-dir/mongo.pem
+if [ -f $MONGOPEM ]; then
+    MONGOARGS="--ssl --sslCAFile $MONGOCACRT --sslPEMKeyFile $MONGOPEM"
+fi
+
+for i in $(seq 0 2); do
+    pod="${POD_NAME}-$i"
+    kubectl exec --namespace $NS $pod -- sh -c 'mongo '"$MONGOARGS"' --eval="printjson(rs.isMaster())"' | grep '"ismaster" : true'
+
+    if [ $? -eq 0 ]; then
+        echo "Found master: $pod"
+        MASTER=$pod
+        break
+    fi
+done
+
+kubectl exec --namespace $NS $MASTER -- mongo "$MONGOARGS" --eval='printjson(db.test.insert({"status": "success"}))'
+
+# TODO: find maximum duration to wait for slaves to be up-to-date with master.
+sleep 2
+
+for i in $(seq 0 2); do
+    pod="${POD_NAME}-$i"
+    if [[ $pod != $MASTER ]]; then
+        echo "Reading from slave: $pod"
+        kubectl exec --namespace $NS $pod -- mongo "$MONGOARGS" --eval='rs.slaveOk(); db.test.find().forEach(printjson)'
+    fi
+done
diff --git a/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/tests/mongodb-up-test.sh b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/tests/mongodb-up-test.sh
new file mode 100644
index 000000000..9998719f4
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/tests/mongodb-up-test.sh
@@ -0,0 +1,120 @@
+#!/usr/bin/env bash
+
+set -ex
+
+CACRT_FILE=/work-dir/tls.crt
+CAKEY_FILE=/work-dir/tls.key
+MONGOPEM=/work-dir/mongo.pem
+
+MONGOARGS="--quiet"
+
+if [ -e "/tls/tls.crt" ]; then
+    # log "Generating certificate"
+    mkdir -p /work-dir
+    cp /tls/tls.crt /work-dir/tls.crt
+    cp /tls/tls.key /work-dir/tls.key
+
+    # Move into /work-dir
+    pushd /work-dir
+
+cat >openssl.cnf <<EOL
+[req]
+req_extensions = v3_req
+distinguished_name = req_distinguished_name
+[req_distinguished_name]
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = @alt_names
+[alt_names]
+DNS.1 = $(echo -n "$(hostname)" | sed s/-[0-9]*$//)
+DNS.2 = $(hostname)
+DNS.3 = localhost
+DNS.4 = 127.0.0.1
+EOL
+
+    # Generate the certs
+    openssl genrsa -out mongo.key 2048
+    openssl req -new -key mongo.key -out mongo.csr -subj "/OU=MongoDB/CN=$(hostname)" -config openssl.cnf
+    openssl x509 -req -in mongo.csr \
+        -CA "$CACRT_FILE" -CAkey "$CAKEY_FILE" -CAcreateserial \
+        -out mongo.crt -days 3650 -extensions v3_req -extfile openssl.cnf
+    cat mongo.crt mongo.key > $MONGOPEM
+    MONGOARGS="$MONGOARGS --ssl --sslCAFile $CACRT_FILE --sslPEMKeyFile $MONGOPEM"
+fi
+
+if [[ "${AUTH}" == "true" ]]; then
+    MONGOARGS="$MONGOARGS --username $ADMIN_USER --password $ADMIN_PASSWORD --authenticationDatabase admin"
+fi
+
+pod_name() {
+    local full_name="${FULL_NAME?Environment variable FULL_NAME not set}"
+    local namespace="${NAMESPACE?Environment variable NAMESPACE not set}"
+    local index="$1"
+    echo "$full_name-$index.$full_name.$namespace.svc.cluster.local"
+}
+
+replicas() {
+    echo "${REPLICAS?Environment variable REPLICAS not set}"
+}
+
+master_pod() {
+    for ((i = 0; i < $(replicas); ++i)); do
+        response=$(mongo $MONGOARGS "--host=$(pod_name "$i")" "--eval=rs.isMaster().ismaster")
+        if [[ "$response" == "true" ]]; then
+            pod_name "$i"
+            break
+        fi
+    done
+}
+
+setup() {
+    local ready=0
+    until [[ "$ready" -eq $(replicas) ]]; do
+        echo "Waiting for application to become ready" >&2
+        sleep 1
+
+        for ((i = 0; i < $(replicas); ++i)); do
+            response=$(mongo $MONGOARGS "--host=$(pod_name "$i")" "--eval=rs.status().ok" || true)
+            if [[ "$response" -eq 1 ]]; then
+                ready=$((ready + 1))
+            fi
+        done
+    done
+}
+
+@test "Testing mongodb client is executable" {
+    mongo -h
+    [ "$?" -eq 0 ]
+}
+
+@test "Connect mongodb client to mongodb pods" {
+    for ((i = 0; i < $(replicas); ++i)); do
+        response=$(mongo $MONGOARGS "--host=$(pod_name "$i")" "--eval=rs.status().ok")
+        if [[ ! "$response" -eq 1 ]]; then
+            exit 1
+        fi
+    done
+}
+
+@test "Write key to primary" {
+    response=$(mongo $MONGOARGS --host=$(master_pod) "--eval=db.test.insert({\"abc\": \"def\"}).nInserted")
+    if [[ ! "$response" -eq 1 ]]; then
+        exit 1
+    fi
+}
+
+@test "Read key from slaves" {
+    # wait for slaves to catch up
+    sleep 10
+
+    for ((i = 0; i < $(replicas); ++i)); do
+        response=$(mongo $MONGOARGS --host=$(pod_name "$i") "--eval=rs.slaveOk(); db.test.find({\"abc\":\"def\"})")
+        if [[ ! "$response" =~ .*def.* ]]; then
+            exit 1
+        fi
+    done
+
+    # Clean up a document after test
+    mongo $MONGOARGS --host=$(master_pod) "--eval=db.test.deleteMany({\"abc\": \"def\"})"
+}
diff --git a/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/values.yaml b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/values.yaml
new file mode 100644
index 000000000..7e750af0e
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/charts/mongodb-replicaset/values.yaml
@@ -0,0 +1,167 @@
+# Override the name of the chart, which in turn changes the name of the containers, services etc.
+nameOverride: ""
+fullnameOverride: ""
+
+replicas: 3
+port: 27017
+
+## Setting this will skip the replicaset and user creation process during bootstrapping
+skipInitialization: false
+
+replicaSetName: rs0
+
+podDisruptionBudget: {}
+  # maxUnavailable: 1
+  # minAvailable: 2
+
+auth:
+  enabled: false
+  existingKeySecret: ""
+  existingAdminSecret: ""
+  existingMetricsSecret: ""
+  # adminUser: username
+  # adminPassword: password
+  # metricsUser: metrics
+  # metricsPassword: password
+  # key: keycontent
+
+## Optionally specify an array of imagePullSecrets.
+## Secrets must be manually created in the namespace.
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+##
+imagePullSecrets: []
+#   - myRegistrKeySecretName
+
+# Specs for the Docker image for the init container that establishes the replica set
+installImage:
+  repository: unguiculus/mongodb-install
+  tag: 0.7
+  pullPolicy: IfNotPresent
+
+# Specs for the Docker image for the copyConfig init container
+copyConfigImage:
+  repository: busybox
+  tag: 1.29.3
+  pullPolicy: IfNotPresent
+
+# Specs for the MongoDB image
+image:
+  repository: mongo
+  tag: 3.6
+  pullPolicy: IfNotPresent
+
+# Additional environment variables to be set in the container
+extraVars: {}
+# - name: TCMALLOC_AGGRESSIVE_DECOMMIT
+#   value: "true"
+
+# Prometheus Metrics Exporter
+metrics:
+  enabled: false
+  image:
+    repository: bitnami/mongodb-exporter
+    tag: 0.10.0-debian-9-r71
+    pullPolicy: IfNotPresent
+  port: 9216
+  path: "/metrics"
+  socketTimeout: 3s
+  syncTimeout: 1m
+  prometheusServiceDiscovery: true
+  resources: {}
+  securityContext:
+    enabled: true
+    runAsUser: 1001
+
+# Annotations to be added to MongoDB pods
+podAnnotations: {}
+
+securityContext:
+  enabled: true
+  runAsUser: 999
+  fsGroup: 999
+  runAsNonRoot: true
+
+init:
+  resources: {}
+  timeout: 900
+
+resources: {}
+# limits:
+#   cpu: 500m
+#   memory: 512Mi
+# requests:
+#   cpu: 100m
+#   memory: 256Mi
+
+## Node selector
+## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+nodeSelector: {}
+
+affinity: {}
+
+tolerations: []
+
+extraLabels: {}
+
+priorityClassName: ""
+
+persistentVolume:
+  enabled: true
+  ## mongodb-replicaset data Persistent Volume Storage Class
+  ## If defined, storageClassName: <storageClass>
+  ## If set to "-", storageClassName: "", which disables dynamic provisioning
+  ## If undefined (the default) or set to null, no storageClassName spec is
+  ##   set, choosing the default provisioner.  (gp2 on AWS, standard on
+  ##   GKE, AWS & OpenStack)
+  ##
+  storageClass: ""
+  accessModes:
+    - ReadWriteOnce
+  size: 10Gi
+  annotations: {}
+
+# Annotations to be added to the service
+serviceAnnotations: {}
+
+terminationGracePeriodSeconds: 30
+
+tls:
+  # Enable or disable MongoDB TLS support
+  enabled: false
+  # Set the SSL operation mode (disabled|allowSSL|preferSSL|requireSSL)
+  mode: requireSSL
+  # Please generate your own TLS CA by generating it via:
+  # $ openssl genrsa -out ca.key 2048
+  # $ openssl req -x509 -new -nodes -key ca.key -days 10000 -out ca.crt -subj "/CN=mydomain.com"
+  # After that you can base64 encode it and paste it here:
+  # $ cat ca.key | base64 -w0
+  # cacert:
+  # cakey:
+
+# Entries for the MongoDB config file
+configmap: {}
+
+# Javascript code to execute on each replica at initContainer time
+# This is the recommended way to create indexes on replicasets.
+# Below is an example that creates indexes in foreground on each replica in standalone mode.
+# ref: https://docs.mongodb.com/manual/tutorial/build-indexes-on-replica-sets/
+# initMongodStandalone: |+
+#   db = db.getSiblingDB("mydb")
+#   db.my_users.createIndex({email: 1})
+initMongodStandalone: ""
+
+# Readiness probe
+readinessProbe:
+  initialDelaySeconds: 5
+  timeoutSeconds: 1
+  failureThreshold: 3
+  periodSeconds: 10
+  successThreshold: 1
+
+# Liveness probe
+livenessProbe:
+  initialDelaySeconds: 30
+  timeoutSeconds: 5
+  failureThreshold: 3
+  periodSeconds: 10
+  successThreshold: 1
diff --git a/charts/shipa/shipa/1.4.0/limits.yaml b/charts/shipa/shipa/1.4.0/limits.yaml
new file mode 100644
index 000000000..28b736eaa
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/limits.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: LimitRange
+metadata:
+  name: limits
+spec:
+  limits:
+    - defaultRequest:
+        cpu: 40m
+      type: Container
diff --git a/charts/shipa/shipa/1.4.0/questions.yaml b/charts/shipa/shipa/1.4.0/questions.yaml
new file mode 100644
index 000000000..868b0071b
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/questions.yaml
@@ -0,0 +1,45 @@
+questions:
+- variable: auth.adminUser
+  default: ""
+  required: true
+  type: string
+  label: Initial Admin User Name e.g acme@yourorg.com
+  group: "Initial Settings - Required"
+- variable: auth.adminPassword
+  default: ""
+  type: password
+  required: true
+  label: Initial Admin Password/Secret
+  group: "Initial Settings - Required"
+- variable: shipaCluster.serviceType
+  default: ""
+  type: enum
+  required: false
+  label: Cluster Service Type e.g ClusterIP [shipaCluster.serviceType]
+  group: "Shipa Cluster - Optional"
+  options:
+  - "ClusterIP"
+  - "NodePort"
+  - "LoadBalancer"
+- variable: shipaCluster.ip
+  default: ""
+  type: string
+  required: false
+  label: Cluster IP if using ClusterIP Service Type [shipaCluster.ip]
+  group: "Shipa Cluster - Optional"
+- variable: service.nginx.serviceType
+  default: ""
+  type: enum
+  required: false
+  label: Overide Nginx with a Service Type like ClusterIP [service.nginx.serviceType]
+  group: "Shipa Cluster - Optional"
+  options:
+  - "ClusterIP"
+  - "NodePort"
+  - "LoadBalancer"  
+- variable: service.nginx.clusterIP
+  default: ""
+  type: string
+  required: false
+  label: Cluster IP for Nginx [service.nginx.clusterIP]
+  group: "Shipa Cluster - Optional"
\ No newline at end of file
diff --git a/charts/shipa/shipa/1.4.0/scripts/bootstrap.sh b/charts/shipa/shipa/1.4.0/scripts/bootstrap.sh
new file mode 100644
index 000000000..292428315
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/scripts/bootstrap.sh
@@ -0,0 +1,146 @@
+#!/bin/sh
+
+set -euxo pipefail
+
+is_shipa_initialized() {
+
+    # By default we create secret with empty certificates
+    # and save them to the secret as a result of the first run of boostrap.sh
+
+    CA=$(kubectl get secret/shipa-certificates -o json | jq ".data[\"ca.pem\"]")
+    LENGTH=${#CA}
+
+    if [ "$LENGTH" -gt "100" ]; then
+      return 0
+    fi
+    return 1
+}
+
+echo "Waiting for nginx ingress to be ready"
+
+# This helper gets an IP address or DNS name of NGINX_SERVICE and prints it to /tmp/nginx-ip
+/bin/bootstrap-helper --service-name=$NGINX_SERVICE --namespace=$POD_NAMESPACE --timeout=600 --filename=/tmp/nginx-ip
+
+NGINX_ADDRESS=$(cat /tmp/nginx-ip)
+HOST_ADDRESS=$(cat /tmp/nginx-ip)
+
+# If target CNAMEs are set by user in values.yaml, then use the first CNAME from the list as HOST_ADDRESS 
+# since Shipa host can be only one in the shipa.conf
+if [ ! -z "$SHIPA_MAIN_TARGET" -a "$SHIPA_MAIN_TARGET" != " " ]; then
+    HOST_ADDRESS=$SHIPA_MAIN_TARGET
+fi
+
+
+echo "Prepare shipa.conf"
+cp -v /etc/shipa-default/shipa.conf /etc/shipa/shipa.conf
+sed -i "s/SHIPA_PUBLIC_IP/$HOST_ADDRESS/g" /etc/shipa/shipa.conf
+sed -ie "s/SHIPA_ORGANIZATION_ID/$SHIPA_ORGANIZATION_ID/g" /etc/shipa/shipa.conf
+
+echo "shipa.conf: "
+cat /etc/shipa/shipa.conf
+
+if is_shipa_initialized; then
+  echo "Skip bootstrapping because shipa is already initialized"
+  exit 0
+fi
+
+CERTIFICATES_DIRECTORY=/tmp/certs
+mkdir $CERTIFICATES_DIRECTORY
+
+# certificate generation for default domain
+sed "s/SHIPA_PUBLIC_IP/$NGINX_ADDRESS/g" /scripts/csr-shipa-ca.json > $CERTIFICATES_DIRECTORY/csr-shipa-ca.json
+sed "s/SHIPA_PUBLIC_IP/$NGINX_ADDRESS/g" /scripts/csr-docker-cluster.json > $CERTIFICATES_DIRECTORY/csr-docker-cluster.json
+sed "s/SHIPA_PUBLIC_IP/$NGINX_ADDRESS/g" /scripts/csr-etcd.json > $CERTIFICATES_DIRECTORY/csr-etcd.json
+sed "s/SHIPA_PUBLIC_IP/$NGINX_ADDRESS/g" /scripts/csr-api-config.json > $CERTIFICATES_DIRECTORY/csr-api-config.json
+sed "s/SHIPA_PUBLIC_IP/$NGINX_ADDRESS/g" /scripts/csr-api-server.json > $CERTIFICATES_DIRECTORY/csr-api-server.json
+sed "s/ETCD_SERVICE/$ETCD_SERVICE/g" --in-place $CERTIFICATES_DIRECTORY/csr-etcd.json
+
+# certificate generation for CNAMES
+sed "s/SHIPA_API_CNAMES/$SHIPA_API_CNAMES/g" --in-place $CERTIFICATES_DIRECTORY/csr-docker-cluster.json
+sed "s/SHIPA_API_CNAMES/$SHIPA_API_CNAMES/g" --in-place $CERTIFICATES_DIRECTORY/csr-etcd.json
+sed "s/SHIPA_API_CNAMES/$SHIPA_API_CNAMES/g" --in-place $CERTIFICATES_DIRECTORY/csr-api-server.json
+
+jq 'fromstream(tostream | select(length == 1 or .[1] != ""))' $CERTIFICATES_DIRECTORY/csr-docker-cluster.json > file.tmp && mv file.tmp $CERTIFICATES_DIRECTORY/csr-docker-cluster.json
+jq 'fromstream(tostream | select(length == 1 or .[1] != ""))' $CERTIFICATES_DIRECTORY/csr-etcd.json > file.tmp && mv file.tmp $CERTIFICATES_DIRECTORY/csr-etcd.json
+jq 'fromstream(tostream | select(length == 1 or .[1] != ""))' $CERTIFICATES_DIRECTORY/csr-api-server.json > file.tmp && mv file.tmp $CERTIFICATES_DIRECTORY/csr-api-server.json
+
+cp /scripts/csr-etcd-client.json $CERTIFICATES_DIRECTORY/csr-etcd-client.json
+cp /scripts/csr-client-ca.json $CERTIFICATES_DIRECTORY/csr-client-ca.json
+
+cfssl gencert -initca $CERTIFICATES_DIRECTORY/csr-shipa-ca.json | cfssljson -bare $CERTIFICATES_DIRECTORY/ca
+cfssl gencert -initca $CERTIFICATES_DIRECTORY/csr-client-ca.json | cfssljson -bare $CERTIFICATES_DIRECTORY/client-ca
+
+cfssl gencert \
+    -ca=$CERTIFICATES_DIRECTORY/ca.pem \
+    -ca-key=$CERTIFICATES_DIRECTORY/ca-key.pem \
+    -profile=server \
+    $CERTIFICATES_DIRECTORY/csr-docker-cluster.json | cfssljson -bare $CERTIFICATES_DIRECTORY/docker-cluster
+
+cfssl gencert \
+    -ca=$CERTIFICATES_DIRECTORY/ca.pem \
+    -ca-key=$CERTIFICATES_DIRECTORY/ca-key.pem \
+    -profile=server \
+    $CERTIFICATES_DIRECTORY/csr-etcd.json | cfssljson -bare $CERTIFICATES_DIRECTORY/etcd-server
+
+cfssl gencert \
+    -ca=$CERTIFICATES_DIRECTORY/ca.pem \
+    -ca-key=$CERTIFICATES_DIRECTORY/ca-key.pem \
+    -profile=client \
+    $CERTIFICATES_DIRECTORY/csr-etcd-client.json | cfssljson -bare $CERTIFICATES_DIRECTORY/etcd-client
+
+cfssl gencert \
+    -ca=$CERTIFICATES_DIRECTORY/ca.pem \
+    -ca-key=$CERTIFICATES_DIRECTORY/ca-key.pem \
+    -config=$CERTIFICATES_DIRECTORY/csr-api-config.json \
+    -profile=server \
+    $CERTIFICATES_DIRECTORY/csr-api-server.json | cfssljson -bare $CERTIFICATES_DIRECTORY/api-server
+
+rm -f $CERTIFICATES_DIRECTORY/*.csr
+rm -f $CERTIFICATES_DIRECTORY/*.json
+
+CA_CERT=$(cat $CERTIFICATES_DIRECTORY/ca.pem | base64)
+CA_KEY=$(cat $CERTIFICATES_DIRECTORY/ca-key.pem | base64)
+
+CLIENT_CA_CERT=$(cat $CERTIFICATES_DIRECTORY/client-ca.pem | base64)
+CLIENT_CA_KEY=$(cat $CERTIFICATES_DIRECTORY/client-ca-key.pem | base64)
+
+DOCKER_CLUSTER_CERT=$(cat $CERTIFICATES_DIRECTORY/docker-cluster.pem | base64)
+DOCKER_CLUSTER_KEY=$(cat $CERTIFICATES_DIRECTORY/docker-cluster-key.pem | base64)
+
+ETCD_SERVER_CERT=$(cat $CERTIFICATES_DIRECTORY/etcd-server.pem | base64)
+ETCD_SERVER_KEY=$(cat $CERTIFICATES_DIRECTORY/etcd-server-key.pem | base64)
+
+ETCD_CLIENT_CERT=$(cat $CERTIFICATES_DIRECTORY/etcd-client.pem | base64)
+ETCD_CLIENT_KEY=$(cat $CERTIFICATES_DIRECTORY/etcd-client-key.pem | base64)
+
+API_SERVER_CERT=$(cat $CERTIFICATES_DIRECTORY/api-server.pem | base64)
+API_SERVER_KEY=$(cat $CERTIFICATES_DIRECTORY/api-server-key.pem | base64)
+
+
+# FIXME: name of secret
+kubectl get secrets shipa-certificates -o json \
+        | jq ".data[\"ca.pem\"] |= \"$CA_CERT\"" \
+        | jq ".data[\"ca-key.pem\"] |= \"$CA_KEY\"" \
+        | jq ".data[\"client-ca.crt\"] |= \"$CLIENT_CA_CERT\"" \
+        | jq ".data[\"client-ca.key\"] |= \"$CLIENT_CA_KEY\"" \
+        | jq ".data[\"cert.pem\"] |= \"$DOCKER_CLUSTER_CERT\"" \
+        | jq ".data[\"key.pem\"] |= \"$DOCKER_CLUSTER_KEY\"" \
+        | jq ".data[\"etcd-server.crt\"] |= \"$ETCD_SERVER_CERT\"" \
+        | jq ".data[\"etcd-server.key\"] |= \"$ETCD_SERVER_KEY\"" \
+        | jq ".data[\"etcd-client.crt\"] |= \"$ETCD_CLIENT_CERT\"" \
+        | jq ".data[\"etcd-client.key\"] |= \"$ETCD_CLIENT_KEY\"" \
+        | jq ".data[\"api-server.crt\"] |= \"$API_SERVER_CERT\"" \
+        | jq ".data[\"api-server.key\"] |= \"$API_SERVER_KEY\"" \
+        | kubectl apply -f -
+
+echo "CA:"
+openssl x509 -in $CERTIFICATES_DIRECTORY/ca.pem -text -noout
+
+echo "Docker cluster:"
+openssl x509 -in $CERTIFICATES_DIRECTORY/docker-cluster.pem -text -noout
+
+echo "Etcd server:"
+openssl x509 -in $CERTIFICATES_DIRECTORY/etcd-server.pem -text -noout
+
+echo "Etcd client:"
+openssl x509 -in $CERTIFICATES_DIRECTORY/etcd-client.pem -text -noout
diff --git a/charts/shipa/shipa/1.4.0/scripts/create-root-user.sh b/charts/shipa/shipa/1.4.0/scripts/create-root-user.sh
new file mode 100644
index 000000000..40bb8dfd0
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/scripts/create-root-user.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+/bin/shipad root user create $USERNAME --ignore-if-exists << EOF
+$PASSWORD
+$PASSWORD
+EOF
diff --git a/charts/shipa/shipa/1.4.0/scripts/csr-api-config.json b/charts/shipa/shipa/1.4.0/scripts/csr-api-config.json
new file mode 100644
index 000000000..d6a798638
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/scripts/csr-api-config.json
@@ -0,0 +1,17 @@
+{
+  "signing": {
+    "default": {
+      "expiry": "168h"
+    },
+    "profiles": {
+      "server": {
+        "expiry": "8760h",
+        "usages": [
+          "signing",
+          "key encipherment",
+          "server auth"
+        ]
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/charts/shipa/shipa/1.4.0/scripts/csr-api-server.json b/charts/shipa/shipa/1.4.0/scripts/csr-api-server.json
new file mode 100644
index 000000000..4fe754067
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/scripts/csr-api-server.json
@@ -0,0 +1,16 @@
+{
+  "CN": "Shipa",
+  "hosts": [
+    "SHIPA_PUBLIC_IP",
+    "SHIPA_API_CNAMES"
+  ],
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "O": "shipa"
+    }
+  ]
+}
\ No newline at end of file
diff --git a/charts/shipa/shipa/1.4.0/scripts/csr-client-ca.json b/charts/shipa/shipa/1.4.0/scripts/csr-client-ca.json
new file mode 100644
index 000000000..e2d36c7f8
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/scripts/csr-client-ca.json
@@ -0,0 +1,12 @@
+{
+  "CN": "Shipa",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "O": "shipa"
+    }
+  ]
+}
diff --git a/charts/shipa/shipa/1.4.0/scripts/csr-docker-cluster.json b/charts/shipa/shipa/1.4.0/scripts/csr-docker-cluster.json
new file mode 100644
index 000000000..c2854ca22
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/scripts/csr-docker-cluster.json
@@ -0,0 +1,16 @@
+{
+  "CN": "Shipa docker cluster",
+  "hosts": [
+    "SHIPA_PUBLIC_IP",
+    "SHIPA_API_CNAMES"
+  ],
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "O": "Shipa"
+    }
+  ]
+}
\ No newline at end of file
diff --git a/charts/shipa/shipa/1.4.0/scripts/csr-etcd-client.json b/charts/shipa/shipa/1.4.0/scripts/csr-etcd-client.json
new file mode 100644
index 000000000..c366103d3
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/scripts/csr-etcd-client.json
@@ -0,0 +1,15 @@
+{
+  "CN": "Shipa etcd",
+  "hosts": [
+    ""
+  ],
+  "key": {
+    "algo": "ecdsa",
+    "size": 256
+  },
+  "names": [
+    {
+      "O": "Shipa"
+    }
+  ]
+}
diff --git a/charts/shipa/shipa/1.4.0/scripts/csr-etcd.json b/charts/shipa/shipa/1.4.0/scripts/csr-etcd.json
new file mode 100644
index 000000000..f5862289c
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/scripts/csr-etcd.json
@@ -0,0 +1,17 @@
+{
+  "CN": "Shipa etcd",
+  "hosts": [
+    "SHIPA_PUBLIC_IP",
+    "ETCD_SERVICE",
+    "SHIPA_API_CNAMES"
+  ],
+  "key": {
+    "algo": "ecdsa",
+    "size": 256
+  },
+  "names": [
+    {
+      "O": "Shipa"
+    }
+  ]
+}
diff --git a/charts/shipa/shipa/1.4.0/scripts/csr-shipa-ca.json b/charts/shipa/shipa/1.4.0/scripts/csr-shipa-ca.json
new file mode 100644
index 000000000..e2d36c7f8
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/scripts/csr-shipa-ca.json
@@ -0,0 +1,12 @@
+{
+  "CN": "Shipa",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "O": "shipa"
+    }
+  ]
+}
diff --git a/charts/shipa/shipa/1.4.0/scripts/init-job.sh b/charts/shipa/shipa/1.4.0/scripts/init-job.sh
new file mode 100644
index 000000000..3cde82703
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/scripts/init-job.sh
@@ -0,0 +1,103 @@
+#!/bin/sh
+
+echo "Waiting for shipa api"
+
+until $(curl --output /dev/null --silent http://$SHIPA_ENDPOINT:$SHIPA_ENDPOINT_PORT); do
+    echo "."
+    sleep 1
+done
+
+SHIPA_CLIENT="/bin/shipa"
+$SHIPA_CLIENT target add -s local $SHIPA_ENDPOINT --insecure --port=$SHIPA_ENDPOINT_PORT --disable-cert-validation
+$SHIPA_CLIENT login << EOF
+$USERNAME
+$PASSWORD
+EOF
+$SHIPA_CLIENT team create shipa-admin-team
+$SHIPA_CLIENT team create shipa-system-team
+$SHIPA_CLIENT framework add /scripts/default-framework-template.yaml
+
+# we need this delay because it takes some time to initialize etcd
+sleep 10
+
+TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
+CACERT="/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+ADDR=$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT
+
+if [[ -z $ISTIO_INGRESS_IP ]]; then
+  $SHIPA_CLIENT cluster add shipa-cluster --framework=shipa-framework \
+    --cacert=$CACERT \
+    --addr=$ADDR \
+    --ingress-service-type="traefik:$INGRESS_SERVICE_TYPE" \
+    --ingress-ip="traefik:$INGRESS_IP" \
+    --ingress-debug="traefik:$INGRESS_DEBUG" \
+    --token=$TOKEN
+else
+    $SHIPA_CLIENT cluster add shipa-cluster --framework=shipa-framework \
+    --cacert=$CACERT \
+    --addr=$ADDR \
+    --ingress-service-type="traefik:$INGRESS_SERVICE_TYPE" \
+    --ingress-ip="traefik:$INGRESS_IP" \
+    --ingress-debug="traefik:$INGRESS_DEBUG" \
+    --ingress-service-type="istio:$ISTIO_INGRESS_SERVICE_TYPE" \
+    --ingress-ip="istio:$ISTIO_INGRESS_IP" \
+    --token=$TOKEN
+fi
+
+$SHIPA_CLIENT role add TeamAdmin team
+$SHIPA_CLIENT role permission add TeamAdmin team
+$SHIPA_CLIENT role permission add TeamAdmin app
+$SHIPA_CLIENT role permission add TeamAdmin cluster
+$SHIPA_CLIENT role permission add TeamAdmin service
+$SHIPA_CLIENT role permission add TeamAdmin service-instance
+
+$SHIPA_CLIENT role add FrameworkAdmin framework
+$SHIPA_CLIENT role permission add FrameworkAdmin framework
+$SHIPA_CLIENT role permission add FrameworkAdmin node
+$SHIPA_CLIENT role permission add FrameworkAdmin cluster
+
+$SHIPA_CLIENT role add ClusterAdmin cluster
+$SHIPA_CLIENT role permission add ClusterAdmin cluster
+
+$SHIPA_CLIENT role add ServiceAdmin service
+$SHIPA_CLIENT role add ServiceInstanceAdmin service-instance
+
+$SHIPA_CLIENT role default add --team-create TeamAdmin
+$SHIPA_CLIENT role default add --framework-add FrameworkAdmin
+$SHIPA_CLIENT role default add --cluster-add ClusterAdmin
+$SHIPA_CLIENT role default add --service-add ServiceAdmin
+$SHIPA_CLIENT role default add --service-instance-add ServiceInstanceAdmin
+
+if [ "x$DASHBOARD_ENABLED" != "xtrue" ]; then
+  echo "The dashboard is disabled"
+  exit 0
+fi
+
+echo "Creating the dashboard app"
+$SHIPA_CLIENT app create dashboard \
+    --framework=shipa-framework \
+    --team=shipa-admin-team \
+    -e SHIPA_ADMIN_USER=$USERNAME \
+    -e SHIPA_CLOUD=$SHIPA_CLOUD \
+    -e SHIPA_TARGETS=$SHIPA_TARGETS \
+    -e SHIPA_PAY_API_HOST=$SHIPA_PAY_API_HOST \
+    -e GOOGLE_RECAPTCHA_SITEKEY=$GOOGLE_RECAPTCHA_SITEKEY \
+    -e SMARTLOOK_PROJECT_KEY=$SMARTLOOK_PROJECT_KEY
+
+echo "Setting private envs for dashboard"
+$SHIPA_CLIENT env set -a dashboard \
+    SHIPA_PAY_API_TOKEN=$SHIPA_PAY_API_TOKEN \
+    GOOGLE_RECAPTCHA_SECRET=$GOOGLE_RECAPTCHA_SECRET \
+    LAUNCH_DARKLY_SDK_KEY=$LAUNCH_DARKLY_SDK_KEY -p
+
+COUNTER=0
+until $SHIPA_CLIENT app deploy -a dashboard -i $DASHBOARD_IMAGE
+do
+    echo "Deploy dashboard failed with $?, waiting 30 seconds then trying again"
+    sleep 30
+    let COUNTER=COUNTER+1
+    if [ $COUNTER -gt 3 ]; then
+	echo "Failed to deploy dashboard three times, giving up"
+	exit 1
+    fi
+done
diff --git a/charts/shipa/shipa/1.4.0/templates/NOTES.txt b/charts/shipa/shipa/1.4.0/templates/NOTES.txt
new file mode 100644
index 000000000..ae7831cc1
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/templates/NOTES.txt
@@ -0,0 +1,34 @@
+    ******************************************  Thanks for choosing Shipa! *********************************************
+   
+1. Configured default user:
+
+Username: {{ .Values.auth.adminUser }}
+Password: {{ .Values.auth.adminPassword }}
+
+2. If this is a production cluster, please configure persistent volumes.
+   The default reclaimPolicy for dynamically provisioned persistent volumes is "Delete" and
+   users are advised to change it for production
+
+   The code snippet below can be used to set reclaimPolicy to "Retain" for all volumes:
+
+PVCs=$(kubectl --namespace={{ .Release.Namespace }} get pvc -l release={{ .Release.Name }} -o name)
+
+for pvc in $PVCs; do
+    volumeName=$(kubectl -n {{ .Release.Namespace }} get $pvc -o template --template=\{\{.spec.volumeName\}\})
+    kubectl -n {{ .Release.Namespace }} patch pv $volumeName -p '{"spec":{"persistentVolumeReclaimPolicy":"Retain"}}'
+done
+
+3. Set default target for shipa-client:
+
+export SHIPA_HOST=$(kubectl --namespace={{ .Release.Namespace }} get svc {{ template "shipa.fullname" . }}-ingress-nginx -o jsonpath="{.status.loadBalancer.ingress[0].ip}") && if [[ -z $SHIPA_HOST ]]; then export SHIPA_HOST=$(kubectl --namespace={{ .Release.Namespace }} get svc {{ template "shipa.fullname" . }}-ingress-nginx -o jsonpath="{.status.loadBalancer.ingress[0].hostname}") ; fi
+
+shipa target-add {{ .Release.Name }} $SHIPA_HOST -s
+
+shipa login {{ .Values.auth.adminUser }}
+shipa node-list
+shipa app-list
+
+
+************************************************************************************************************************
+**** PLEASE BE PATIENT: Installing or upgrading Shipa may require downtime in order to perform database migrations. ****
+************************************************************************************************************************
diff --git a/charts/shipa/shipa/1.4.0/templates/_helpers.tpl b/charts/shipa/shipa/1.4.0/templates/_helpers.tpl
new file mode 100644
index 000000000..b4acd4ec1
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/templates/_helpers.tpl
@@ -0,0 +1,77 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "shipa.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "shipa.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "shipa.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "shipa.labels" -}}
+helm.sh/chart: {{ include "shipa.chart" . }}
+{{ include "shipa.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+release: {{ .Release.Name }}
+app: {{ include "shipa.name" . }}
+{{- end -}}
+
+{{/*
+Selector labels
+*/}}
+{{- define "shipa.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "shipa.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "shipa.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+    {{ default (include "shipa.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+ If target CNAMEs are set by user in values.yaml, then use the first CNAME from
+the list as main target since Shipa host can be only one in the shipa.conf
+*/}}
+{{- define "shipa.GetMainTarget" -}}
+{{- if .Values.shipaApi.cnames }}
+{{- index .Values.shipaApi.cnames 0 | quote -}}
+{{- else -}}
+{{- printf " " | quote -}}
+{{- end -}}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/shipa/shipa/1.4.0/templates/clair-configmap.yaml b/charts/shipa/shipa/1.4.0/templates/clair-configmap.yaml
new file mode 100644
index 000000000..956aaa624
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/templates/clair-configmap.yaml
@@ -0,0 +1,82 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "shipa.fullname" . }}-clair-config
+  labels: {{- include "shipa.labels" . | nindent 4 }}
+data:
+  config.template.yaml: |-
+    #
+    # This file is mounted to /clair-config/config.template.yaml and then processed by /entrypoint.sh
+    #
+    clair:
+      database:
+        # Database driver
+        type: pgsql
+        options:
+          # PostgreSQL Connection string
+          # https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-CONNSTRING
+          source: host={{ template "shipa.fullname" . }}-postgres.{{ .Release.Namespace }} port=5432 user=postgres sslmode=disable statement_timeout=60000 password=$POSTGRES_PASSWORD
+
+          # Number of elements kept in the cache
+          # Values unlikely to change (e.g. namespaces) are cached in order to save prevent needless roundtrips to the database.
+          cachesize: 16384
+
+          # 32-bit URL-safe base64 key used to encrypt pagination tokens
+          # If one is not provided, it will be generated.
+          # Multiple clair instances in the same cluster need the same value.
+          paginationkey:
+
+      api:
+        # v3 grpc/RESTful API server address
+        addr: "0.0.0.0:6060"
+
+        # Health server address
+        # This is an unencrypted endpoint useful for load balancers to check to healthiness of the clair server.
+        healthaddr: "0.0.0.0:6061"
+
+        # Deadline before an API request will respond with a 503
+        timeout: 900s
+
+        # Optional PKI configuration
+        # If you want to easily generate client certificates and CAs, try the following projects:
+        # https://github.com/coreos/etcd-ca
+        # https://github.com/cloudflare/cfssl
+        servername:
+        cafile:
+        keyfile:
+        certfile:
+
+      updater:
+        # Frequency the database will be updated with vulnerabilities from the default data sources
+        # The value 0 disables the updater entirely.
+        interval: 2h
+        enabledupdaters:
+          - debian
+          - ubuntu
+          - rhel
+          - oracle
+          - alpine
+          - suse
+
+      notifier:
+        # Number of attempts before the notification is marked as failed to be sent
+        attempts: 3
+
+        # Duration before a failed notification is retried
+        renotifyinterval: 2h
+
+        http:
+          # Optional endpoint that will receive notifications via POST requests
+          endpoint:
+
+          # Optional PKI configuration
+          # If you want to easily generate client certificates and CAs, try the following projects:
+          # https://github.com/cloudflare/cfssl
+          # https://github.com/coreos/etcd-ca
+          servername:
+          cafile:
+          keyfile:
+          certfile:
+
+          # Optional HTTP Proxy: must be a valid URL (including the scheme).
+          proxy:
diff --git a/charts/shipa/shipa/1.4.0/templates/clair-deployment.yaml b/charts/shipa/shipa/1.4.0/templates/clair-deployment.yaml
new file mode 100644
index 000000000..b6825725d
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/templates/clair-deployment.yaml
@@ -0,0 +1,55 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "shipa.fullname" . }}-clair
+  labels: {{- include "shipa.labels" . | nindent 4 }}
+  annotations:
+    sidecar.istio.io/inject: "false"
+spec:
+  selector:
+    matchLabels:
+      name: {{ template "shipa.fullname" . }}-clair
+  template:
+    metadata:
+      labels:
+        name: {{ template "shipa.fullname" . }}-clair
+      annotations:
+        sidecar.istio.io/inject: "false"
+    spec:
+      nodeSelector:
+        kubernetes.io/os: linux
+      containers:
+        - name: clair
+          image: shipasoftware/clair:v2.1.7
+          imagePullPolicy: Always
+          ports:
+            - name: clair
+              containerPort: 6060
+              protocol: TCP
+            - name: health
+              containerPort: 6061
+              protocol: TCP
+          volumeMounts:
+            - name: {{ template "shipa.fullname" . }}-clair-config
+              mountPath: /clair-config/
+            - name: config-dir
+              mountPath: /etc/clair/
+          env:
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "shipa.fullname" . }}-secret
+                  key: postgres-password
+      {{- if .Values.imagePullSecrets }}
+      imagePullSecrets:
+        - name: {{ .Values.imagePullSecrets }}
+      {{- end }}
+      volumes:
+        - name: config-dir
+          emptyDir: {}
+        - name: {{ template "shipa.fullname" . }}-clair-config
+          configMap:
+            name: {{ template "shipa.fullname" . }}-clair-config
+            items:
+              - key: config.template.yaml
+                path: config.template.yaml
diff --git a/charts/shipa/shipa/1.4.0/templates/clair-service.yaml b/charts/shipa/shipa/1.4.0/templates/clair-service.yaml
new file mode 100644
index 000000000..a0bbd8faa
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/templates/clair-service.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "shipa.fullname" . }}-clair
+  labels: {{- include "shipa.labels" . | nindent 4 }}
+spec:
+  type: ClusterIP
+  selector:
+    name: {{ template "shipa.fullname" . }}-clair
+  ports:
+    - port: 6060
+      targetPort: 6060
+      protocol: TCP
+      name: clair
+    - port: 6061
+      targetPort: 6061
+      protocol: TCP
+      name: health
diff --git a/charts/shipa/shipa/1.4.0/templates/etcd-deployment.yaml b/charts/shipa/shipa/1.4.0/templates/etcd-deployment.yaml
new file mode 100644
index 000000000..c54ca681c
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/templates/etcd-deployment.yaml
@@ -0,0 +1,63 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "shipa.fullname" . }}-etcd
+  labels: {{- include "shipa.labels" . | nindent 4 }}
+  annotations:
+    sidecar.istio.io/inject: "false"
+spec:
+  selector:
+    matchLabels:
+      name: {{ template "shipa.fullname" . }}-etcd
+  template:
+    metadata:
+      labels:
+        name: {{ template "shipa.fullname" . }}-etcd
+      annotations:
+        sidecar.istio.io/inject: "false"
+    spec:
+      nodeSelector:
+        kubernetes.io/os: linux
+      containers:
+        - name: etcd
+          image: "quay.io/coreos/etcd:v3.3.22"
+          command: ['/usr/local/bin/etcd',
+                    {{- if .Values.etcd.debug }}
+                    '--debug',
+                    {{- end }}
+                    '--listen-client-urls', 'https://0.0.0.0:2379',
+                    '--data-dir=/var/etcd/data',
+                    '--advertise-client-urls', 'https://0.0.0.0:2379',
+                    '--client-cert-auth',
+                    '--max-request-bytes', '10485760',
+                    '--trusted-ca-file', '/certs/shipa-ca.crt',
+                    '--cert-file', '/certs/etcd-server.crt',
+                    '--key-file', '/certs/etcd-server.key' ]
+          imagePullPolicy: IfNotPresent
+          ports:
+            - name: http
+              containerPort: 2379
+              protocol: TCP
+          env:
+            - name: ETCDCTL_API
+              value: "3"
+          volumeMounts:
+            - name: data
+              mountPath: /var/etcd/data
+              subPath: etcd
+            - name: certificates
+              mountPath: /certs/
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: {{ template "shipa.fullname" . }}-etcd-pvc
+        - name: certificates
+          secret:
+            secretName: shipa-certificates
+            items:
+              - key: ca.pem
+                path: shipa-ca.crt
+              - key: etcd-server.crt
+                path: etcd-server.crt
+              - key: etcd-server.key
+                path: etcd-server.key
diff --git a/charts/shipa/shipa/1.4.0/templates/etcd-pvc.yaml b/charts/shipa/shipa/1.4.0/templates/etcd-pvc.yaml
new file mode 100644
index 000000000..5a8d56450
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/templates/etcd-pvc.yaml
@@ -0,0 +1,18 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: {{ template "shipa.fullname" . }}-etcd-pvc
+  labels: {{- include "shipa.labels" . | nindent 4 }}
+spec:
+  accessModes:
+    - {{ .Values.etcd.persistence.accessMode | quote }}
+  resources:
+    requests:
+      storage: {{ .Values.etcd.persistence.size | quote }}
+  {{- if .Values.etcd.persistence.storageClass }}
+  {{- if (eq "-" .Values.etcd.persistence.storageClass) }}
+  storageClassName: ""
+  {{- else }}
+  storageClassName: "{{ .Values.etcd.persistence.storageClass }}"
+  {{- end }}
+  {{- end }}
diff --git a/charts/shipa/shipa/1.4.0/templates/etcd-service.yaml b/charts/shipa/shipa/1.4.0/templates/etcd-service.yaml
new file mode 100644
index 000000000..9888ad125
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/templates/etcd-service.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "shipa.fullname" . }}-etcd
+  labels: {{- include "shipa.labels" . | nindent 4 }}
+spec:
+  type: ClusterIP
+  selector:
+    name: {{ template "shipa.fullname" . }}-etcd
+  ports:
+    - port: 2379
+      targetPort: http
+      protocol: TCP
+      name: http
diff --git a/charts/shipa/shipa/1.4.0/templates/metrics-configmap.yaml b/charts/shipa/shipa/1.4.0/templates/metrics-configmap.yaml
new file mode 100644
index 000000000..b7cd013f5
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/templates/metrics-configmap.yaml
@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "shipa.fullname" . }}-metrics-config
+  labels: {{- include "shipa.labels" . | nindent 4 }}
+data:
+  prometheus.yml: |-
+    #
+    # DO NOT EDIT. Can be updated by shipa helm chart
+    #
+    global:
+      scrape_interval: 1m
+
+    scrape_configs:
+      - job_name: "pushgateway"
+        honor_labels: true
+        scheme: http
+        static_configs:
+          - targets: ['127.0.0.1:9093']
+            labels:
+              source: pushgateway
+
+      - job_name: "traefik"
+        honor_labels: true
+        scheme: http
+        static_configs:
+          - targets: ['{{ template "shipa.fullname" . }}-traefik-internal.{{ .Release.Namespace }}:9095']
+
+    {{- if .Values.metrics.extraPrometheusConfiguration }}
+    #
+    # User defined extra configuration
+    #
+    {{- range $line, $value := ( split "\n" .Values.metrics.extraPrometheusConfiguration ) }}
+    {{ $value }}
+    {{- end }}
+    {{- end }}
diff --git a/charts/shipa/shipa/1.4.0/templates/metrics-deployment.yaml b/charts/shipa/shipa/1.4.0/templates/metrics-deployment.yaml
new file mode 100644
index 000000000..c4fdfd072
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/templates/metrics-deployment.yaml
@@ -0,0 +1,55 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "shipa.fullname" . }}-metrics
+  labels: {{- include "shipa.labels" . | nindent 4 }}
+  annotations:
+    sidecar.istio.io/inject: "false"
+spec:
+  selector:
+    matchLabels:
+      name: {{ template "shipa.fullname" . }}-metrics
+  template:
+    metadata:
+      labels:
+        name: {{ template "shipa.fullname" . }}-metrics
+      annotations:
+        sidecar.istio.io/inject: "false"
+    spec:
+      nodeSelector:
+        kubernetes.io/os: linux
+      containers:
+        # Please do not scale metrics container. It doesn't use storage lock (--storage.tsdb.no-lockfile)
+        - name: metrics
+          image: {{ .Values.metrics.image }}
+          imagePullPolicy: {{ .Values.metrics.pullPolicy }}
+          env:
+            - name: PROMETHEUS_ARGS
+              value: "--web.enable-admin-api {{ default ("--storage.tsdb.retention.time=1d") .Values.metrics.prometheusArgs }}"
+            - name: METRICS_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "shipa.fullname" . }}-secret
+                  key: metrics-password
+          ports:
+            - name: prometheus
+              containerPort: 9090
+              protocol: TCP
+            - name: pushgateway
+              containerPort: 9091
+              protocol: TCP
+          volumeMounts:
+            - name: "{{ template "shipa.fullname" . }}-metrics-config"
+              mountPath: /etc/prometheus/config
+
+      {{- if .Values.imagePullSecrets }}
+      imagePullSecrets:
+        - name: {{ .Values.imagePullSecrets }}
+      {{- end }}
+      volumes:
+        - name: {{ template "shipa.fullname" . }}-metrics-config
+          configMap:
+            name: {{ template "shipa.fullname" . }}-metrics-config
+            items:
+                - key: prometheus.yml
+                  path: prometheus.yml
diff --git a/charts/shipa/shipa/1.4.0/templates/metrics-service.yaml b/charts/shipa/shipa/1.4.0/templates/metrics-service.yaml
new file mode 100644
index 000000000..2371f76bb
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/templates/metrics-service.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "shipa.fullname" . }}-metrics
+  labels: {{- include "shipa.labels" . | nindent 4 }}
+spec:
+  type: ClusterIP
+  selector:
+    name: {{ template "shipa.fullname" . }}-metrics
+  ports:
+    - port: 9090
+      targetPort: 9090
+      protocol: TCP
+      name: prometheus
+    - port: 9091
+      targetPort: 9091
+      protocol: TCP
+      name: pushgateway
diff --git a/charts/shipa/shipa/1.4.0/templates/nginx-configmap.yaml b/charts/shipa/shipa/1.4.0/templates/nginx-configmap.yaml
new file mode 100644
index 000000000..32cad3152
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/templates/nginx-configmap.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "shipa.fullname" . }}-nginx
+  labels: {{- include "shipa.labels" . | nindent 4 }}
+    shipa.io/shipa-api-ingress-controller: "true"
+data:
+  {{- if .Values.service.nginx.config }}
+  {{- range $key, $value := .Values.service.nginx.config }}
+  {{ $key }}: {{ $value }}
+  {{- end }}
+  {{- else }}
+  proxy-body-size: "512M"
+  proxy-read-timeout: "300"
+  proxy-connect-timeout: "300"
+  proxy-send-timeout: "300"
+  upstream-keepalive-timeout: "300"
+  {{- end }}
\ No newline at end of file
diff --git a/charts/shipa/shipa/1.4.0/templates/nginx-deployment.yaml b/charts/shipa/shipa/1.4.0/templates/nginx-deployment.yaml
new file mode 100644
index 000000000..c0df755ac
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/templates/nginx-deployment.yaml
@@ -0,0 +1,84 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "shipa.fullname" . }}-nginx-ingress
+  labels: {{- include "shipa.labels" . | nindent 4 }}
+    shipa.io/shipa-api-ingress-controller: "true"
+  annotations:
+    sidecar.istio.io/inject: "false"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      name: {{ template "shipa.fullname" . }}-nginx-ingress
+  template:
+    metadata:
+      labels:
+        name: {{ template "shipa.fullname" . }}-nginx-ingress
+      annotations:
+        sidecar.istio.io/inject: "false"
+    spec:
+      # wait up to 30 seconds for the drain of connections
+      terminationGracePeriodSeconds: 30
+      serviceAccountName: {{ template "shipa.fullname" . }}-nginx-ingress-serviceaccount
+      nodeSelector:
+        kubernetes.io/os: linux
+      containers:
+        - name: nginx-ingress-controller
+          image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:master
+          args:
+            - /nginx-ingress-controller
+            - --election-id={{ template "shipa.fullname" . }}-leader
+            - --configmap=$(POD_NAMESPACE)/{{ template "shipa.fullname" . }}-nginx
+            - --tcp-services-configmap=$(POD_NAMESPACE)/{{ template "shipa.fullname" . }}-nginx-tcp-services
+            - --publish-service=$(POD_NAMESPACE)/{{ template "shipa.fullname" . }}-ingress-nginx
+            - --http-port={{ .Values.shipaApi.port }}
+            - --ingress-class=shipa-nginx-ingress
+          securityContext:
+            allowPrivilegeEscalation: true
+            capabilities:
+              drop:
+                - ALL
+              add:
+                - NET_BIND_SERVICE
+            runAsUser: 101
+          env:
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          ports:
+            - name: shipa
+              containerPort: {{ .Values.shipaApi.port }}
+              protocol: TCP
+            - name: etcd
+              containerPort: 2379
+              protocol: TCP
+          livenessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /healthz
+              port: 10254
+              scheme: HTTP
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 10
+          readinessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /healthz
+              port: 10254
+              scheme: HTTP
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 10
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - /wait-shutdown
diff --git a/charts/shipa/shipa/1.4.0/templates/nginx-rbac.yaml b/charts/shipa/shipa/1.4.0/templates/nginx-rbac.yaml
new file mode 100644
index 000000000..f685a0b44
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/templates/nginx-rbac.yaml
@@ -0,0 +1,131 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "shipa.fullname" . }}-nginx-ingress-clusterrole
+  labels: {{- include "shipa.labels" . | nindent 4 }}
+    shipa.io/shipa-api-ingress-controller: "true"
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+      - endpoints
+      - nodes
+      - pods
+      - secrets
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resourceNames:
+      - {{ template "shipa.fullname" . }}-leader-shipa-nginx-ingress
+    resources:
+      - configmaps
+    verbs:
+      - update
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+    verbs:
+      - get
+  - apiGroups:
+      - ""
+    resources:
+      - services
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
+  - apiGroups:
+      - "extensions"
+      - "networking.k8s.io"
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - "extensions"
+      - "networking.k8s.io"
+    resources:
+      - ingresses/status
+    verbs:
+      - update
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "shipa.fullname" . }}-nginx-ingress-role
+  labels: {{- include "shipa.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+      - pods
+      - secrets
+      - namespaces
+    verbs:
+      - get
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    resourceNames:
+      - "{{ template "shipa.fullname" . }}-leader-nginx"
+    verbs:
+      - get
+      - update
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - create
+  - apiGroups:
+      - ""
+    resources:
+      - endpoints
+    verbs:
+      - get
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ template "shipa.fullname" . }}-nginx-ingress-role-nisa-binding
+  labels: {{- include "shipa.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "shipa.fullname" . }}-nginx-ingress-role
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "shipa.fullname" . }}-nginx-ingress-serviceaccount
+    namespace: {{ .Release.Namespace }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "shipa.fullname" . }}-nginx-ingress-clusterrole-nisa-binding
+  labels: {{- include "shipa.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "shipa.fullname" . }}-nginx-ingress-clusterrole
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "shipa.fullname" . }}-nginx-ingress-serviceaccount
+    namespace: {{ .Release.Namespace }}
diff --git a/charts/shipa/shipa/1.4.0/templates/nginx-service.yaml b/charts/shipa/shipa/1.4.0/templates/nginx-service.yaml
new file mode 100644
index 000000000..befbc93be
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/templates/nginx-service.yaml
@@ -0,0 +1,44 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "shipa.fullname" . }}-ingress-nginx
+  labels: {{- include "shipa.labels" . | nindent 4 }}
+    shipa.io/shipa-api-ingress-controller: "true"
+spec:
+  type: "{{ .Values.service.nginx.serviceType }}"
+  {{- if .Values.service.nginx.loadBalancerIP }}
+  loadBalancerIP: "{{ .Values.service.nginx.loadBalancerIP }}"
+  {{- end }}
+  {{- if .Values.service.nginx.clusterIP }}
+  clusterIP: "{{ .Values.service.nginx.clusterIP }}"
+  {{- end }}
+  selector:
+    name: {{ template "shipa.fullname" . }}-nginx-ingress
+  ports:
+    - port: {{ .Values.shipaApi.securePort }}
+      name: shipa-secure
+      targetPort: {{ .Values.shipaApi.securePort }}
+      protocol: TCP
+      {{- if eq .Values.service.nginx.serviceType "NodePort" }}
+      {{- if .Values.service.nginx.secureApiNodePort }}
+      nodePort: {{ .Values.service.nginx.secureApiNodePort }}
+      {{- end }}
+      {{- end }}
+    - port:  {{ .Values.shipaApi.port }}
+      name: shipa
+      targetPort: {{ .Values.shipaApi.port }}
+      protocol: TCP
+      {{- if eq .Values.service.nginx.serviceType "NodePort" }}
+      {{- if .Values.service.nginx.apiNodePort }}
+      nodePort: {{ .Values.service.nginx.apiNodePort }}
+      {{- end }}
+      {{- end }}
+    - port: {{ .Values.shipaApi.etcdPort }}
+      name: etcd
+      targetPort: 2379
+      protocol: TCP
+      {{- if eq .Values.service.nginx.serviceType "NodePort" }}
+      {{- if .Values.service.nginx.etcdNodePort }}
+      nodePort: {{ .Values.service.nginx.etcdNodePort }}
+      {{- end }}
+      {{- end }}
diff --git a/charts/shipa/shipa/1.4.0/templates/nginx-serviceaccount.yaml b/charts/shipa/shipa/1.4.0/templates/nginx-serviceaccount.yaml
new file mode 100644
index 000000000..943700b54
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/templates/nginx-serviceaccount.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "shipa.fullname" . }}-nginx-ingress-serviceaccount
+  labels: {{- include "shipa.labels" . | nindent 4 }}
+    shipa.io/shipa-api-ingress-controller: "true"
diff --git a/charts/shipa/shipa/1.4.0/templates/nginx-tcp-services-configmap.yaml b/charts/shipa/shipa/1.4.0/templates/nginx-tcp-services-configmap.yaml
new file mode 100644
index 000000000..62076c480
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/templates/nginx-tcp-services-configmap.yaml
@@ -0,0 +1,9 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: {{ template "shipa.fullname" . }}-nginx-tcp-services
+  labels: {{- include "shipa.labels" . | nindent 4 }}
+    shipa.io/shipa-api-ingress-controller: "true"
+data:
+  {{ .Values.shipaApi.securePort }}: "{{ .Release.Namespace }}/{{ include "shipa.fullname" . }}-api:{{ .Values.shipaApi.securePort }}"
+  2379: "{{ .Release.Namespace }}/{{ include "shipa.fullname" . }}-etcd:2379"
diff --git a/charts/shipa/shipa/1.4.0/templates/postgres-deployment.yaml b/charts/shipa/shipa/1.4.0/templates/postgres-deployment.yaml
new file mode 100644
index 000000000..19f3d7e1e
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/templates/postgres-deployment.yaml
@@ -0,0 +1,46 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "shipa.fullname" . }}-postgres
+  labels: {{- include "shipa.labels" . | nindent 4 }}
+  annotations:
+    sidecar.istio.io/inject: "false"
+spec:
+  selector:
+    matchLabels:
+      name: {{ template "shipa.fullname" . }}-postgres
+  template:
+    metadata:
+      labels:
+        name: {{ template "shipa.fullname" . }}-postgres
+      annotations:
+        sidecar.istio.io/inject: "false"
+    spec:
+      nodeSelector:
+        kubernetes.io/os: linux
+      containers:
+        - name: postgres
+          image: postgres:13
+          imagePullPolicy: IfNotPresent
+          ports:
+            - name: postgres
+              containerPort: 5432
+              protocol: TCP
+          volumeMounts:
+            - name: data
+              mountPath: /var/lib/postgresql/data
+              subPath: postgres
+          env:
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "shipa.fullname" . }}-secret
+                  key: postgres-password
+      {{- if .Values.imagePullSecrets }}
+      imagePullSecrets:
+        - name: {{ .Values.imagePullSecrets }}
+      {{- end }}
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: {{ template "shipa.fullname" . }}-postgres-pvc
diff --git a/charts/shipa/shipa/1.4.0/templates/postgres-pvc.yaml b/charts/shipa/shipa/1.4.0/templates/postgres-pvc.yaml
new file mode 100644
index 000000000..85e8d0a50
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/templates/postgres-pvc.yaml
@@ -0,0 +1,18 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: {{ template "shipa.fullname" . }}-postgres-pvc
+  labels: {{- include "shipa.labels" . | nindent 4 }}
+spec:
+  accessModes:
+    - {{ .Values.postgres.persistence.accessMode | quote }}
+  resources:
+    requests:
+      storage: {{ .Values.postgres.persistence.size | quote }}
+  {{- if .Values.postgres.persistence.storageClass }}
+  {{- if (eq "-" .Values.postgres.persistence.storageClass) }}
+  storageClassName: ""
+  {{- else }}
+  storageClassName: "{{ .Values.postgres.persistence.storageClass }}"
+  {{- end }}
+  {{- end }}
diff --git a/charts/shipa/shipa/1.4.0/templates/postgres-service.yaml b/charts/shipa/shipa/1.4.0/templates/postgres-service.yaml
new file mode 100644
index 000000000..df481f351
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/templates/postgres-service.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "shipa.fullname" . }}-postgres
+  labels: {{- include "shipa.labels" . | nindent 4 }}
+spec:
+  type: ClusterIP
+  selector:
+    name: {{ template "shipa.fullname" . }}-postgres
+  ports:
+    - port: 5432
+      targetPort: 5432
+      protocol: TCP
+      name: postgres
diff --git a/charts/shipa/shipa/1.4.0/templates/shipa-api-configmap.yaml b/charts/shipa/shipa/1.4.0/templates/shipa-api-configmap.yaml
new file mode 100644
index 000000000..062421be5
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/templates/shipa-api-configmap.yaml
@@ -0,0 +1,143 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "shipa.fullname" . }}-api-config
+  labels: {{- include "shipa.labels" . | nindent 4 }}
+data:
+  shipa.conf: |-
+    shipaVersion: {{ .Chart.Version }}
+    tls-listen: "0.0.0.0:{{ .Values.shipaApi.securePort }}"
+    listen: "0.0.0.0:{{ .Values.shipaApi.port }}"
+    host: https://SHIPA_PUBLIC_IP:{{ .Values.shipaApi.securePort }}
+    use-tls: true
+    shipaCloud:
+      enabled: {{ .Values.shipaCloud.enabled }}
+    tls:
+      server-cert: /certs/api-server.crt
+      server-key: /certs/api-server.key
+
+    database:
+     {{- if not .Values.tags.defaultDB }}
+      url: {{ .Values.externalMongodb.url}}
+      tls: {{ .Values.externalMongodb.tls.enable }}
+     {{ else }}
+      url: {{ .Release.Name }}-mongodb-replicaset:27017
+      tls: false
+     {{- end }}
+      name: shipa
+      username: $DB_USERNAME
+      password: $DB_PASSWORD
+    license: {{ .Values.license }}
+    organization:
+      id: SHIPA_ORGANIZATION_ID
+    dashboard:
+      enabled: $DASHBOARD_ENABLED
+      image: $DASHBOARD_IMAGE
+      envs:
+        SHIPA_ADMIN_USER: {{ .Values.auth.adminUser | quote }}
+        SHIPA_CLOUD: {{ .Values.shipaCloud.enabled | quote }}
+        SHIPA_TARGETS: {{ join "," .Values.shipaApi.cnames }}
+        SHIPA_PAY_API_HOST: {{ .Values.shipaCloud.shipaPayApi.host }}
+        SHIPA_PAY_API_TOKEN: {{ .Values.shipaCloud.shipaPayApi.token }}
+        GOOGLE_RECAPTCHA_SITEKEY: {{ .Values.shipaCloud.googleRecaptcha.sitekey }}
+        GOOGLE_RECAPTCHA_SECRET: {{ .Values.shipaCloud.googleRecaptcha.secret }}
+        SMARTLOOK_PROJECT_KEY: {{ .Values.shipaCloud.smartlook.projectKey }}
+        LAUNCH_DARKLY_SDK_KEY: {{ .Values.shipaCloud.launchDarkly.sdkKey }}
+    auth:
+      admin-email: {{ .Values.auth.adminUser | quote }}
+      dummy-domain: {{ .Values.auth.dummyDomain | quote }}
+      token-expire-days: 2
+      hash-cost: 4
+      user-registration: true
+    user-activation:
+      cert: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF6TXIwd3hETklDcm9JN3VEVkdoTgpFZytVbTdkQzk3NVZpM1l1NnJHUUdlc3ZwZTY5T2NhT0VxZHFML0NNWGVRMW1oTVFtUnplQnlxWEJ1Q2xOemphCjlEbjV2WTBlVnNIZUhuVTJ4bkkyV1dSR3JjUE1mRGJuRzlDSnNZQmdHd3A2eDcrYVR2RXZCRFBtS3YrcjdOcysKUXhhNzBFZEk4NTZLMWQyTTQ1U3RuZW1hcm51cjdOTDdGb2VsS1FWNGREd1hxU2EvVW1tdHdOOGNSTENUQ0N4NQpObkVya2UrTWo1RFFqTW5TUlRHbjFxOE91azlOUXRxNDlrbFMwMUhIQTJBWnR6ZExteTMrTktXRVZta3Z0cGgxClJseHBtZVQ5SERNbHI5aFI3U3BidnRHeVZVUG1pbXVYWFA4cXdOcHZab01Ka3hWRm4zbWNRVHRMbk8xa0Jjb1cKZVFJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==
+    provisioner: kubernetes
+    metrics:
+      host: {{ template "shipa.fullname" . }}-metrics
+      password: $METRICS_PASSWORD
+
+      # section contains configuration of Prometheus Metrics Exporter
+      prometheus-metrics-exporter:
+        image: shipasoftware/prometheus-metrics-exporter:v0.0.3
+
+    docker:
+      cluster:
+        storage: mongodb
+        mongo-database: cluster
+      collection: docker
+      registry-scheme: https
+      repository-namespace: shipa
+      router: traefik
+      deploy-cmd: /var/lib/shipa/deploy
+      run-cmd:
+        bin: /var/lib/shipa/start
+        port: "8888"
+      tls:
+        root-path: /certs
+      auto-scale:
+        enabled: true
+        run-interval: $DOCKER_AUTOSCALE_RUN_INTERVAL
+    routers:
+      traefik:
+        type: traefik
+        domain: shipa.cloud
+        kv:
+          endpoint: {{ template "shipa.fullname" . }}-etcd:2379
+          username: root
+          password: $ETCD_PASSWORD
+          ca: /certs/ca.pem
+          client-key: /certs/etcd-client.key
+          client-cert: /certs/etcd-client.crt
+      istio:
+        type: istio
+    queue:
+      mongo-database: queuedb
+    quota:
+      units-per-app: 4
+      apps-per-user: 8
+    log:
+      disable-syslog: true
+      use-stderr: true
+    clair:
+      server: http://{{ template "shipa.fullname" . }}-clair:6060
+      disabled: false
+    kubernetes:
+      # pod name is used by a leader election thing as an identifier for the current shipa-api instance
+      pod-name: $POD_NAME
+      pod-namespace: $POD_NAMESPACE
+      core-services-address: SHIPA_PUBLIC_IP
+      etcd-port: {{ .Values.shipaApi.etcdPort }}
+      use-pool-namespaces: true
+      remote-cluster-ingress:
+        http-port: 80
+        https-port: 443
+        protected-port: 31567
+        service-type: LoadBalancer
+
+      cluster-update:
+       # it's a default value that specifies if cluster-update operations can restart ingress controllers
+        ingress-restart-is-allowed: {{ .Values.shipaApi.allowRestartIngressControllers }}
+
+      app-auto-discovery:
+        enabled: {{ .Values.shipaApi.appAutoDiscoveryEnabled }}
+
+    debug: {{ .Values.shipaApi.debug }}
+    node-traefik:
+      image: {{ .Values.shipaNodeTraefik.image }}
+      user: {{ .Values.shipaNodeTraefik.user }}
+      password: $NODE_TRAEFIK_PASSWORD
+    certificates:
+      root: /certs/
+      ca: ca.pem
+      ca-key: ca-key.pem
+      client-ca: client-ca.crt
+      client-ca-key: client-ca.key
+
+    shipa-controller:
+      image: {{ .Values.shipaController.image }}
+
+    busybody:
+      image: {{ .Values.busybody.image }}
+      socket: /var/run/docker.sock
+
+    signatures: single # multiple/single
diff --git a/charts/shipa/shipa/1.4.0/templates/shipa-api-deployment.yaml b/charts/shipa/shipa/1.4.0/templates/shipa-api-deployment.yaml
new file mode 100644
index 000000000..ef1d469d6
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/templates/shipa-api-deployment.yaml
@@ -0,0 +1,206 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "shipa.fullname" . }}-api
+  labels: {{- include "shipa.labels" . | nindent 4 }}
+  annotations:
+    sidecar.istio.io/inject: "false"
+spec:
+{{- if .Values.shipaApi.allowMigrationDowntime }}
+  strategy:
+    type: Recreate
+{{- end }}
+  selector:
+    matchLabels:
+      {{- include "shipa.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "shipa.selectorLabels" . | nindent 8 }}
+      annotations:
+        timestamp: "{{ date "20060102150405" .Release.Time }}"
+        sidecar.istio.io/inject: "false"
+    spec:
+      nodeSelector:
+        kubernetes.io/os: linux
+      {{- if .Values.rbac.enabled }}
+      serviceAccountName: {{ template "shipa.fullname" . }}
+      {{- else }}
+      serviceAccountName: default
+      {{- end }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      initContainers:
+        - name: bootstrap
+          image: {{ .Values.cli.image }}
+          command:
+            - /scripts/bootstrap.sh
+          imagePullPolicy: {{ .Values.cli.pullPolicy }}
+          volumeMounts:
+            - name: scripts
+              mountPath: /scripts
+            - name: shipa-conf
+              mountPath: /etc/shipa-default/
+            - name: config-dir
+              mountPath: /etc/shipa/
+          env:
+            - name: NGINX_SERVICE
+              value: {{ template "shipa.fullname" . }}-ingress-nginx
+            - name: ETCD_SERVICE
+              value: {{ template "shipa.fullname" . }}-etcd
+            - name: SHIPA_PORT
+              value: {{ .Values.shipaApi.port | quote }}
+            - name: SHIPA_API_CNAMES
+              value: {{ join "\",\"" .Values.shipaApi.cnames | quote }}
+            - name: SHIPA_ORGANIZATION_ID
+              valueFrom:
+                configMapKeyRef:
+                  name: {{ template "shipa.fullname" . }}-defaults-configmap
+                  key: shipa-org-id 
+            - name: SHIPA_MAIN_TARGET
+              value: {{ template "shipa.GetMainTarget" . }}   
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+        - name: init
+          image: {{ .Values.shipaApi.image }}
+          command:
+            - /scripts/create-root-user.sh
+          imagePullPolicy: {{ .Values.shipaApi.pullPolicy }}
+          volumeMounts:
+            - name: scripts
+              mountPath: /scripts
+            - name: config-dir
+              mountPath: /etc/shipa/
+            - name: certificates
+              mountPath: /certs/
+          env:
+          - name: USERNAME
+            valueFrom:
+              secretKeyRef:
+                name: {{ template "shipa.fullname" . }}-api-init-secret
+                key: username
+          - name: PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: {{ template "shipa.fullname" . }}-api-init-secret
+                key: password
+          {{- if not .Values.tags.defaultDB }}
+          {{- if and ( .Values.externalMongodb.auth.username ) ( .Values.externalMongodb.auth.password ) }}
+          - name: DB_USERNAME
+            valueFrom:
+              secretKeyRef:
+                name: {{ template "shipa.fullname" . }}-db-auth-secret
+                key: username
+          - name: DB_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: {{ template "shipa.fullname" . }}-db-auth-secret
+                key: password
+          {{- end }}
+          {{- end }}
+      containers:
+        - name: shipa
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: {{ .Values.shipaApi.image }}
+          imagePullPolicy: {{ .Values.shipaApi.pullPolicy }}
+          env:
+            - name: METRICS_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "shipa.fullname" . }}-secret
+                  key: metrics-password
+            - name: ETCD_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "shipa.fullname" . }}-secret
+                  key: etcd-password
+            - name: NODE_TRAEFIK_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "shipa.fullname" . }}-secret
+                  key: node-traefik-password
+            - name: DASHBOARD_IMAGE
+              value: {{ .Values.dashboard.image }}
+            - name: DASHBOARD_ENABLED
+              value: "{{ .Values.dashboard.enabled }}"
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          {{- if not .Values.tags.defaultDB }}
+          {{- if and ( .Values.externalMongodb.auth.username ) ( .Values.externalMongodb.auth.password ) }}
+            - name: DB_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "shipa.fullname" . }}-db-auth-secret
+                  key: username
+            - name: DB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "shipa.fullname" . }}-db-auth-secret
+                  key: password
+          {{- end }}
+          {{- end }}
+          ports:
+            - name: shipa
+              containerPort: {{ .Values.shipaApi.port }}
+              protocol: TCP
+            - name: shipa-secure
+              containerPort: {{ .Values.shipaApi.securePort }}
+              protocol: TCP
+
+          livenessProbe:
+            httpGet:
+              path: /
+              port: {{ .Values.shipaApi.port }}
+            periodSeconds: 2
+            failureThreshold: 4
+          startupProbe:
+            httpGet:
+              path: /
+              port: {{ .Values.shipaApi.port }}
+            failureThreshold: 90
+            periodSeconds: 2
+          readinessProbe:
+            httpGet:
+              path: /
+              port: {{ .Values.shipaApi.port }}
+            periodSeconds: 3
+            initialDelaySeconds: 5
+            failureThreshold: 50
+            successThreshold: 1
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          volumeMounts:
+            - name: config-dir
+              mountPath: /etc/shipa/
+            - name: certificates
+              mountPath: /certs/
+      {{- if .Values.imagePullSecrets }}
+      imagePullSecrets:
+        - name: {{ .Values.imagePullSecrets }}
+      {{- end }}
+      volumes:
+        - name: config-dir
+          emptyDir: {}
+        - name: shipa-conf
+          configMap:
+            name: {{ template "shipa.fullname" . }}-api-config
+            items:
+              - key: shipa.conf
+                path: shipa.conf
+
+        - name: certificates
+          secret:
+            secretName: shipa-certificates
+        - name: scripts
+          configMap:
+            defaultMode: 0755
+            name: {{ template "shipa.fullname" . }}-api-init-config
diff --git a/charts/shipa/shipa/1.4.0/templates/shipa-api-init-configmap.yaml b/charts/shipa/shipa/1.4.0/templates/shipa-api-init-configmap.yaml
new file mode 100644
index 000000000..e518fb217
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/templates/shipa-api-init-configmap.yaml
@@ -0,0 +1,43 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "shipa.fullname" . }}-api-init-config
+  labels: {{- include "shipa.labels" . | nindent 4 }}
+data:
+  create-root-user.sh: |
+{{ .Files.Get "scripts/create-root-user.sh" | indent 4 }}
+  init-job.sh: |
+{{ .Files.Get "scripts/init-job.sh" | indent 4 }}
+  bootstrap.sh: |
+{{ .Files.Get "scripts/bootstrap.sh" | indent 4 }}
+  csr-docker-cluster.json: |
+{{ .Files.Get "scripts/csr-docker-cluster.json" | indent 4 }}
+  csr-etcd.json: |
+{{ .Files.Get "scripts/csr-etcd.json" | indent 4 }}
+  csr-etcd-client.json: |
+{{ .Files.Get "scripts/csr-etcd-client.json" | indent 4 }}
+  csr-shipa-ca.json: |
+{{ .Files.Get "scripts/csr-shipa-ca.json" | indent 4 }}
+  csr-client-ca.json: |
+{{ .Files.Get "scripts/csr-client-ca.json" | indent 4 }}
+  csr-api-config.json: |
+{{ .Files.Get "scripts/csr-api-config.json" | indent 4 }}
+  csr-api-server.json: |
+{{ .Files.Get "scripts/csr-api-server.json" | indent 4 }}
+  default-framework-template.yaml: |
+    shipaFramework: shipa-framework
+    resources:
+      general:
+        setup:
+          force: false
+          default: true
+          public: true
+          provisioner: kubernetes
+          kubeNamespace: {{ .Release.Namespace }}
+        security:
+          disableScan: true
+          scanPlatformLayers: true
+        access:
+          append:
+            - shipa-admin-team
+            - shipa-system-team
diff --git a/charts/shipa/shipa/1.4.0/templates/shipa-api-init-job.yaml b/charts/shipa/shipa/1.4.0/templates/shipa-api-init-job.yaml
new file mode 100644
index 000000000..8c17e09da
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/templates/shipa-api-init-job.yaml
@@ -0,0 +1,99 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: "{{ template "shipa.fullname" . }}-init-job-{{ .Release.Revision }}"
+  labels: {{- include "shipa.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": "post-install"
+    sidecar.istio.io/inject: "false"
+spec:
+  backoffLimit: 5
+  template:
+    metadata:
+      name: "{{ template "shipa.fullname" . }}-init-job-{{ .Release.Revision }}"
+      annotations:
+        sidecar.istio.io/inject: "false"
+    spec:
+      nodeSelector:
+        kubernetes.io/os: linux
+      terminationGracePeriodSeconds: 3
+      {{- if .Values.rbac.enabled }}
+      serviceAccountName: {{ template "shipa.fullname" . }}
+      {{- else }}
+      serviceAccountName: default
+      {{- end }}
+      restartPolicy: Never
+      containers:
+        - name: migrations
+          image: {{ .Values.cli.image }}
+          command:
+            - /scripts/init-job.sh
+          imagePullPolicy: {{ .Values.cli.pullPolicy }}
+          env:
+            - name: SHIPA_ENDPOINT
+              value: "{{ template "shipa.fullname" . }}-api"
+            - name: SHIPA_ENDPOINT_PORT
+              value: "{{ .Values.shipaApi.port }}"
+            - name: USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "shipa.fullname" . }}-api-init-secret
+                  key: username
+            - name: PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "shipa.fullname" . }}-api-init-secret
+                  key: password
+            - name: METRICS_SERVICE
+              value: {{ template "shipa.fullname" . }}-metrics
+            - name: INGRESS_SERVICE_TYPE
+              value: {{ default ( "LoadBalancer" ) .Values.shipaCluster.serviceType | quote }}
+            - name: INGRESS_IP
+              value: {{ default ( "" ) .Values.shipaCluster.ip | quote }}
+            - name: INGRESS_DEBUG
+              value: {{ default ( "false" ) .Values.shipaCluster.debug | quote }}
+            - name: ISTIO_INGRESS_SERVICE_TYPE
+              value: {{ default ( "LoadBalancer" ) .Values.shipaCluster.istioServiceType | quote }}
+            - name: ISTIO_INGRESS_IP
+              value: {{ default ( "" ) .Values.shipaCluster.istioIp | quote }}
+            - name: DASHBOARD_IMAGE
+              value: {{ .Values.dashboard.image }}
+            - name: DASHBOARD_ENABLED
+              value: "{{ .Values.dashboard.enabled }}"
+            - name: SHIPA_CLOUD
+              value: {{ .Values.shipaCloud.enabled | quote }}
+            - name: SHIPA_PAY_API_HOST
+              value: {{ .Values.shipaCloud.shipaPayApi.host | quote }}
+            - name: SHIPA_PAY_API_TOKEN
+              value: {{ .Values.shipaCloud.shipaPayApi.token | quote }}
+            - name: GOOGLE_RECAPTCHA_SITEKEY
+              value: {{ .Values.shipaCloud.googleRecaptcha.sitekey | quote }}
+            - name: GOOGLE_RECAPTCHA_SECRET
+              value: {{ .Values.shipaCloud.googleRecaptcha.secret | quote }}
+            - name: SMARTLOOK_PROJECT_KEY
+              value: {{ .Values.shipaCloud.smartlook.projectKey | quote }}
+            - name: LAUNCH_DARKLY_SDK_KEY
+              value: {{ .Values.shipaCloud.launchDarkly.sdkKey | quote }}
+            - name: SHIPA_TARGETS
+              value: {{ join "," .Values.shipaApi.cnames | quote }}
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: METRICS_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "shipa.fullname" . }}-secret
+                  key: metrics-password
+          volumeMounts:
+            - name: scripts
+              mountPath: /scripts
+      {{- if .Values.imagePullSecrets }}
+      imagePullSecrets:
+        - name: {{ .Values.imagePullSecrets }}
+      {{- end }}
+      volumes:
+        - name: scripts
+          configMap:
+            defaultMode: 0755
+            name: {{ template "shipa.fullname" . }}-api-init-config
diff --git a/charts/shipa/shipa/1.4.0/templates/shipa-api-init-secrets.yaml b/charts/shipa/shipa/1.4.0/templates/shipa-api-init-secrets.yaml
new file mode 100644
index 000000000..01824756a
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/templates/shipa-api-init-secrets.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "shipa.fullname" . }}-api-init-secret
+  labels: {{- include "shipa.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": "pre-install"
+    "helm.sh/hook-delete-policy": "before-hook-creation"
+data:
+  username: {{ required "Admin username is required! Use --set=auth.adminUser=..." .Values.auth.adminUser | b64enc }}
+  password: {{ required "Admin password is required! Use --set=auth.adminPassword=..." .Values.auth.adminPassword | b64enc }}
diff --git a/charts/shipa/shipa/1.4.0/templates/shipa-api-rbac.yaml b/charts/shipa/shipa/1.4.0/templates/shipa-api-rbac.yaml
new file mode 100644
index 000000000..6d5abe927
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/templates/shipa-api-rbac.yaml
@@ -0,0 +1,84 @@
+{{- if .Values.rbac.enabled }}
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: {{ template "shipa.fullname" . }}
+  labels: {{- include "shipa.labels" . | nindent 4 }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "shipa.fullname" . }}
+  labels: {{- include "shipa.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - ""
+      - services
+      - extensions
+      - rbac.authorization.k8s.io
+      - apiextensions.k8s.io
+      - networking.k8s.io
+      - core
+      - apps
+      - shipa.io
+      - config.istio.io
+      - networking.istio.io
+      - rbac.istio.io
+      - authentication.istio.io
+      - cert-manager.io
+      - admissionregistration.k8s.io
+      - coordination.k8s.io
+    resources: ["*"]
+    verbs: ["*"]
+  - apiGroups: ["*"]
+    resources: ["*"]
+    verbs:
+      - list
+      - get
+      - watch
+  - nonResourceURLs: ["*"]
+    verbs:
+      - list
+      - get
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "shipa.fullname" . }}-role
+  labels: {{- include "shipa.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs: ["*"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "shipa.fullname" . }}
+  labels: {{- include "shipa.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "shipa.fullname" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "shipa.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "shipa.fullname" . }}
+  labels: {{- include "shipa.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "shipa.fullname" . }}-role
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "shipa.fullname" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/charts/shipa/shipa/1.4.0/templates/shipa-api-service.yaml b/charts/shipa/shipa/1.4.0/templates/shipa-api-service.yaml
new file mode 100644
index 000000000..4806a790f
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/templates/shipa-api-service.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "shipa.fullname" . }}-api
+  labels:
+    {{- include "shipa.labels" . | nindent 4 }}
+spec:
+  type: ClusterIP
+  selector:
+    {{- include "shipa.selectorLabels" . | nindent 4 }}
+  ports:
+    - port:  {{ .Values.shipaApi.port }}
+      targetPort: {{ .Values.shipaApi.port }}
+      protocol: TCP
+      name: shipa
+    - port:  {{ .Values.shipaApi.securePort }}
+      targetPort: {{ .Values.shipaApi.securePort }}
+      protocol: TCP
+      name: shipa-secure
diff --git a/charts/shipa/shipa/1.4.0/templates/shipa-certificates-secret.yaml b/charts/shipa/shipa/1.4.0/templates/shipa-certificates-secret.yaml
new file mode 100644
index 000000000..6517a18b5
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/templates/shipa-certificates-secret.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: shipa-certificates
+  labels: {{- include "shipa.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": "pre-install"
+    "helm.sh/hook-delete-policy": "before-hook-creation"
+data:
+  ca.pem: ""
+  ca-key.pem: ""
+  cert.pem: ""
+  key.pem: ""
+  etcd-server.crt: ""
+  etcd-server.key: ""
+  etcd-client.crt: ""
+  etcd-client.key: ""
+  api-server.crt: ""
+  api-server.key: ""
+  client-ca.crt: ""
+  client-ca.key: ""
diff --git a/charts/shipa/shipa/1.4.0/templates/shipa-db-auth-secrets.yaml b/charts/shipa/shipa/1.4.0/templates/shipa-db-auth-secrets.yaml
new file mode 100644
index 000000000..032e5c8a7
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/templates/shipa-db-auth-secrets.yaml
@@ -0,0 +1,14 @@
+{{- if not .Values.tags.defaultDB }}
+{{- if and ( .Values.externalMongodb.auth.username ) ( .Values.externalMongodb.auth.password ) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "shipa.fullname" . }}-db-auth-secret
+  labels: {{- include "shipa.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": "pre-install"
+data:
+  username: {{ required "Database username is required! Use --set=externalMongodb.auth.username=..." .Values.externalMongodb.auth.username | b64enc }}
+  password: {{ required "Database password is required! Use --set=externalMongodb.auth.password=..." .Values.externalMongodb.auth.password | b64enc }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/shipa/shipa/1.4.0/templates/shipa-defaults-configmap.yaml b/charts/shipa/shipa/1.4.0/templates/shipa-defaults-configmap.yaml
new file mode 100644
index 000000000..55245b93f
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/templates/shipa-defaults-configmap.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "shipa.fullname" . }}-defaults-configmap
+  labels: {{- include "shipa.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": "pre-install"
+    "helm.sh/hook-delete-policy": "before-hook-creation"
+data:
+  shipa-org-id: {{ uuidv4 | replace "-" ""  | quote }}
diff --git a/charts/shipa/shipa/1.4.0/templates/shipa-ingress.yaml b/charts/shipa/shipa/1.4.0/templates/shipa-ingress.yaml
new file mode 100644
index 000000000..1ed0e697b
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/templates/shipa-ingress.yaml
@@ -0,0 +1,36 @@
+{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ template "shipa.fullname" . }}-http-ingress
+  labels: {{- include "shipa.labels" . | nindent 4 }}
+  annotations:
+    kubernetes.io/ingress.class: "shipa-nginx-ingress"
+spec:
+  rules:
+    - http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ template "shipa.fullname" . }}-api
+                port:
+                  number: {{ .Values.shipaApi.port }}
+{{ else }}
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+  name: {{ template "shipa.fullname" . }}-http-ingress
+  labels: {{- include "shipa.labels" . | nindent 4 }}
+  annotations:
+    kubernetes.io/ingress.class: "shipa-nginx-ingress"
+spec:
+  rules:
+    - http:
+        paths:
+          - path: /
+            backend:
+              serviceName: {{ template "shipa.fullname" . }}-api
+              servicePort: {{ .Values.shipaApi.port }}
+{{ end -}}
diff --git a/charts/shipa/shipa/1.4.0/templates/shipa-secret.yaml b/charts/shipa/shipa/1.4.0/templates/shipa-secret.yaml
new file mode 100644
index 000000000..c47dab27b
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/templates/shipa-secret.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "shipa.fullname" . }}-secret
+  labels: {{- include "shipa.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": "pre-install"
+    "helm.sh/hook-delete-policy": "before-hook-creation"
+data:
+  metrics-password: {{ default (randAlphaNum 15) .Values.metrics.password | b64enc | quote }}
+  etcd-password: {{ default (randAlphaNum 15) .Values.etcd.password | b64enc | quote }}
+  postgres-password: {{ randAlphaNum 15 | b64enc | quote }}
+  node-traefik-password: {{ default (randAlphaNum 15) .Values.shipaNodeTraefik.password | b64enc | quote }}
diff --git a/charts/shipa/shipa/1.4.0/templates/shipa-uninstall-job.yaml b/charts/shipa/shipa/1.4.0/templates/shipa-uninstall-job.yaml
new file mode 100644
index 000000000..4c53d04e9
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/templates/shipa-uninstall-job.yaml
@@ -0,0 +1,50 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ template "shipa.fullname" . }}-uninstall
+  labels: {{- include "shipa.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": post-delete
+    "helm.sh/hook-weight": "5"
+    "helm.sh/hook-delete-policy": hook-succeeded
+    sidecar.istio.io/inject: "false"
+spec:
+  template:
+    metadata:
+      name: "{{ template "shipa.fullname" . }}-uninstall-job-{{ .Release.Revision }}"
+      annotations:
+        sidecar.istio.io/inject: "false"
+    spec:
+      nodeSelector:
+        kubernetes.io/os: linux
+      {{- if .Values.rbac.enabled }}
+      serviceAccountName: {{ template "shipa.fullname" . }}-uninstall
+      {{- else }}
+      serviceAccountName: default
+      {{- end }}
+      restartPolicy: Never
+      containers:
+        - name: cleanup
+          image: {{ .Values.cli.image }}
+          command: ["/bin/sh", "-c"]
+          args:
+            - /usr/local/bin/kubectl delete ds --selector=$SELECTOR $NAMESPACE_MOD --ignore-not-found=true;
+              /usr/local/bin/kubectl delete deployment --selector=$SELECTOR $NAMESPACE_MOD --ignore-not-found=true;
+              /usr/local/bin/kubectl delete pod --selector=$SELECTOR $NAMESPACE_MOD --ignore-not-found=true;
+              /usr/local/bin/kubectl delete services --selector=$SELECTOR $NAMESPACE_MOD --ignore-not-found=true;
+              /usr/local/bin/kubectl delete sa --selector=$SELECTOR $NAMESPACE_MOD --ignore-not-found=true;
+              /usr/local/bin/kubectl delete secrets --selector=$SELECTOR $NAMESPACE_MOD --ignore-not-found=true;
+              /usr/local/bin/kubectl delete crd apps.shipa.io --ignore-not-found=true;
+              /usr/local/bin/kubectl delete configmap {{ template "shipa.fullname" . }}-leader-nginx --ignore-not-found=true;
+              /usr/local/bin/kubectl delete namespaces --selector=$SELECTOR --ignore-not-found=true;
+              /usr/local/bin/kubectl delete clusterrolebindings  --selector=$SELECTOR --ignore-not-found=true $NAMESPACE_MOD;
+              /usr/local/bin/kubectl delete clusterrole --selector=$SELECTOR --ignore-not-found=true $NAMESPACE_MOD;
+              /usr/local/bin/kubectl delete ingress --selector=$SELECTOR --ignore-not-found=true $NAMESPACE_MOD;
+              /usr/local/bin/kubectl delete endpoints --selector=$SELECTOR --ignore-not-found=true $NAMESPACE_MOD;
+              /usr/local/bin/kubectl delete netpol --selector=$SELECTOR --ignore-not-found=true $NAMESPACE_MOD;
+          imagePullPolicy: IfNotPresent
+          env:
+            - name: SELECTOR
+              value: "shipa.io/is-shipa=true"
+            - name: NAMESPACE_MOD
+              value: "-A"
diff --git a/charts/shipa/shipa/1.4.0/templates/shipa-uninstall-rbac.yaml b/charts/shipa/shipa/1.4.0/templates/shipa-uninstall-rbac.yaml
new file mode 100644
index 000000000..563469050
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/templates/shipa-uninstall-rbac.yaml
@@ -0,0 +1,52 @@
+{{- if .Values.rbac.enabled }}
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: {{ template "shipa.fullname" . }}-uninstall
+  labels: {{- include "shipa.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook-delete-policy": hook-succeeded
+    "helm.sh/hook-weight": "1"
+    "helm.sh/hook": post-delete
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "shipa.fullname" . }}-uninstall
+  labels: {{- include "shipa.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook-delete-policy": hook-succeeded
+    "helm.sh/hook-weight": "1"
+    "helm.sh/hook": post-delete
+rules:
+  - apiGroups:
+      - ""
+      - services
+      - extensions
+      - rbac.authorization.k8s.io
+      - networking.k8s.io
+      - apiextensions.k8s.io
+      - core
+      - apps
+      - shipa.io
+    resources: ["*"]
+    verbs: ["*"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "shipa.fullname" . }}-uninstall
+  labels: {{- include "shipa.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook-delete-policy": hook-succeeded
+    "helm.sh/hook-weight": "1"
+    "helm.sh/hook": post-delete
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "shipa.fullname" . }}-uninstall
+subjects:
+- kind: ServiceAccount
+  name: {{ template "shipa.fullname" . }}-uninstall
+  namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/charts/shipa/shipa/1.4.0/values.yaml b/charts/shipa/shipa/1.4.0/values.yaml
new file mode 100644
index 000000000..ec694f3e6
--- /dev/null
+++ b/charts/shipa/shipa/1.4.0/values.yaml
@@ -0,0 +1,204 @@
+# Default values for shipa.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+auth:
+  dummyDomain: "@shipa.io"
+
+shipaApi:
+  port: 8080
+  securePort: 8081
+  etcdPort: 2379
+  image: shipasoftware/api:v1.4.0
+  pullPolicy: Always
+  debug: false
+  cnames: []
+  allowRestartIngressControllers: true
+  allowMigrationDowntime: true
+  appAutoDiscoveryEnabled: true
+
+license: ""
+
+shipaCluster:
+  # use debug logs in traefik ingress controller
+  debug: false
+
+  # kubernetes service type for traefik ingress controller (LoadBalancer/ClusterIP)
+  serviceType: LoadBalancer
+
+  # override traefik ingress controller ip address
+  # ip: 10.100.10.11
+
+  # use debug logs in istio ingress controller
+  istioDebug: false
+
+  # kubernetes service type for istio ingress controller (LoadBalancer/ClusterIP)
+  istioServiceType: LoadBalancer
+
+  # override istio ingress controller ip address
+  # istioIp: 10.100.10.11
+
+# populate with docker hub username to use authenticated user. Secrets should be added to cluster outside shipa helm chart
+# imagePullSecrets: ""
+
+service:
+  nginx:
+    enabled: true
+
+    # kubernetes service type for nginx ingress (LoadBalancer/ClusterIP)
+    serviceType: LoadBalancer
+
+    # the following *NodePort values will be used only if serviceType is "NodePort"
+    # apiNodePort specifies "nodePort" for shipa-api over http
+    #apiNodePort: 32200
+    # secureNodePort specifies "nodePort" for shipa-api over https
+    #secureApiNodePort: 32201
+    # etcdNodePort specifies "nodePort" for etcd
+    #etcdNodePort: 32202
+
+    # override nginx ingress controller ip address if its service type is ClusterIP
+    #clusterIP: 10.100.10.10
+
+    # override nginx ingress controller ip address if its service type is LoadBalancer
+    #loadBalancerIP: 35.202.88.71
+
+    # If set, defines nginx configuration as described in the manual:
+    # https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap
+    # there are default values, take a look at templates/nginx-configmap.yaml
+    #config:
+    #  proxy-body-size: "128M"
+
+dashboard:
+  enabled: true
+  image: shipasoftware/dashboard:v1.4.0
+
+etcd:
+  debug: false
+  persistence:
+    ## Persistent Volume Storage Class
+    ## If defined, storageClassName: <storageClass>
+    ## If set to "-", storageClassName: "", which disables dynamic provisioning
+    ## If undefined (the default) or set to null, no storageClassName spec is
+    ##   set, choosing the default provisioner.
+    ##
+    ## storageClass: ""
+    accessMode: "ReadWriteOnce"
+    size: 10Gi
+
+postgres:
+  persistence:
+    ## Persistent Volume Storage Class
+    ## If defined, storageClassName: <storageClass>
+    ## If set to "-", storageClassName: "", which disables dynamic provisioning
+    ## If undefined (the default) or set to null, no storageClassName spec is
+    ##   set, choosing the default provisioner.
+    ##
+    ## storageClass: ""
+    accessMode: "ReadWriteOnce"
+    size: 10Gi
+
+cli:
+  image: shipasoftware/cli:v1.4.0
+  pullPolicy: Always
+
+metrics:
+  image: shipasoftware/metrics:v0.0.7
+  pullPolicy: Always
+
+  # Extra configuration to add to prometheus.yaml
+  # extraPrometheusConfiguration: |
+  #   remote_read:
+  #      - url: http://localhost:9268/read
+  #   remote_write:
+  #      - url: http://localhost:9268/write
+  extraPrometheusConfiguration:
+  #password: hardcoded
+  prometheusArgs: "--storage.tsdb.retention.time=1d"
+
+busybody:
+  image: shipasoftware/bb:v0.0.10
+
+shipaController:
+  image: shipasoftware/image-controller:v0.0.16
+
+shipaNodeTraefik:
+  user: admin
+
+# --------------------------------------------------------------------------
+
+nameOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name:
+
+rbac:
+  enabled: true
+
+# Connect your own instance of mongodb
+externalMongodb:
+  # url must follow Standard Connection String Format as described here: https://docs.mongodb.com/manual/reference/connection-string/#standard-connection-string-format
+  # For a sharded cluster it should be a comma separated list of hosts:
+  # e.g. "mongos0.example.com:27017,mongos1.example.com:27017,mongos2.example.com:27017"
+  # Due to some limitations of the dependencies, we currently do not support url with 'DNS Seed List Connection Format'.
+  url: < database url >
+  auth:
+    username: < username >
+    password: < password >
+  # Enable/Disable TLS when connectiong to external DB instance.
+  tls:
+    enable: true
+
+# tags are standard way to handle chart dependencies.
+tags:
+  # Set defaultDB to 'false' when using external DB to not install default DB.
+  # It will also prevent creating Persistent Volumes.
+  defaultDB: true
+
+# Default DB config
+mongodb-replicaset:
+  replicaSetName: rs0
+  replicas: 1
+  port: 27017
+  nodeSelector:
+    kubernetes.io/os: linux
+  auth:
+    enabled: false
+  installImage:
+    name: k8s.gcr.io/mongodb-install
+    tag: 0.6
+    pullPolicy: IfNotPresent
+  image:
+    name: mongo
+    tag: latest
+    pullPolicy: IfNotPresent
+  persistentVolume:
+    ## Persistent Volume Storage Class
+    ## If defined, storageClassName: <storageClass>
+    ## If set to "-", storageClassName: "", which disables dynamic provisioning
+    ## If undefined (the default) or set to null, no storageClassName spec is
+    ##   set, choosing the default provisioner.
+    ##
+    ## storageClass: ""
+    enabled: true
+    size: 10Gi
+  tls:
+    enabled: false
+  configmap:
+
+shipaCloud:
+  enabled: false
+  shipaPayApi:
+    host: ""
+    token: ""
+  googleRecaptcha:
+    sitekey: ""
+    secret: ""
+  smartlook:
+    projectKey: ""
+  launchDarkly:
+    sdkKey: ""
diff --git a/index.yaml b/index.yaml
index 2c42cf543..2d9f4e068 100755
--- a/index.yaml
+++ b/index.yaml
@@ -1857,6 +1857,40 @@ entries:
     urls:
     - assets/portworx/portworx-2.8.0.tgz
     version: 2.8.0
+  shipa:
+  - annotations:
+      catalog.cattle.io/certified: partner
+      catalog.cattle.io/display-name: Shipa
+      catalog.cattle.io/namespace: shipa-system
+      catalog.cattle.io/release-name: shipa
+    apiVersion: v2
+    appVersion: 1.4.0
+    created: "2021-11-02T07:22:28.305068-10:00"
+    dependencies:
+    - name: mongodb-replicaset
+      repository: file://./charts/mongodb-replicaset
+      tags:
+      - defaultDB
+    description: A Helm chart for Kubernetes to install the Shipa Control Plane
+    digest: f47c64376ac5972b4d324beb0ef3b96f10e06b00abe5f322e98bfafe9d64cf2c
+    home: https://www.shipa.io
+    icon: https://cdn.opsmatters.com/sites/default/files/logos/shipa-logo.png
+    keywords:
+    - shipa
+    - deployment
+    - aac
+    kubeVersion: '>= 1.16.0-0'
+    maintainers:
+    - email: rlachhman@shipa.io
+      name: ravi
+    name: shipa
+    sources:
+    - https://github.com/shipa-corp
+    - https://github.com/shipa-corp/helm-chart
+    type: application
+    urls:
+    - assets/shipa/shipa-1.4.0.tgz
+    version: 1.4.0
   sysdig:
   - annotations:
       catalog.cattle.io/certified: partner