From 9f5646c01f9638cbea24e20597a29d96557e9d34 Mon Sep 17 00:00:00 2001 
From: actions <actions@github.com> Date: Fri, 26 Feb 2021 18:58:10 +0000 Subject: [PATCH] Generated changes --- .../artifactory-jcr-3.4.000.tgz | Bin 0 -> 154564 bytes assets/index.yaml | 32 +- charts/artifactory-jcr/CHANGELOG.md | 31 ++ charts/artifactory-jcr/Chart.yaml | 18 +- charts/artifactory-jcr/README.md | 46 ++- .../charts/artifactory/CHANGELOG.md | 150 ++++++++ .../charts/artifactory/Chart.yaml | 16 +- .../charts/artifactory/README.md | 338 ++---------------- .../charts/artifactory/UPGRADE_NOTES.md | 6 +- .../artifactory/charts/postgresql/Chart.yaml | 6 +- .../artifactory/charts/postgresql/README.md | 136 ++++++- .../postgresql/charts/common/.helmignore | 22 ++ .../postgresql/charts/common/Chart.yaml | 21 ++ .../charts/postgresql/charts/common/README.md | 274 ++++++++++++++ .../charts/common/templates/_capabilities.tpl | 22 ++ .../charts/common/templates/_errors.tpl | 20 ++ .../charts/common/templates/_images.tpl | 43 +++ .../charts/common/templates/_labels.tpl | 18 + .../charts/common/templates/_names.tpl | 32 ++ .../charts/common/templates/_secrets.tpl | 49 +++ .../charts/common/templates/_storage.tpl | 23 ++ .../charts/common/templates/_tplvalues.tpl | 13 + .../charts/common/templates/_utils.tpl | 26 ++ .../charts/common/templates/_validations.tpl | 219 ++++++++++++ .../charts/common/templates/_warnings.tpl | 14 + .../postgresql/charts/common/values.yaml | 3 + .../postgresql/ci/commonAnnotations.yaml | 3 + .../charts/postgresql/requirements.lock | 6 + .../charts/postgresql/requirements.yaml | 4 + .../charts/postgresql/templates/NOTES.txt | 9 +- .../charts/postgresql/templates/_helpers.tpl | 91 ++++- .../postgresql/templates/configmap.yaml | 8 +- .../templates/extended-config-configmap.yaml | 8 +- .../templates/initialization-configmap.yaml | 8 +- .../templates/metrics-configmap.yaml | 8 +- .../postgresql/templates/metrics-svc.yaml | 13 +- .../postgresql/templates/networkpolicy.yaml | 14 +- .../templates/podsecuritypolicy.yaml | 37 ++ 
.../postgresql/templates/prometheusrule.yaml | 14 +- .../charts/postgresql/templates/role.yaml | 19 + .../postgresql/templates/rolebinding.yaml | 19 + .../charts/postgresql/templates/secrets.yaml | 8 +- .../postgresql/templates/serviceaccount.yaml | 10 +- .../postgresql/templates/servicemonitor.yaml | 14 +- .../templates/statefulset-slaves.yaml | 92 +++-- .../postgresql/templates/statefulset.yaml | 103 ++++-- .../postgresql/templates/svc-headless.yaml | 11 +- .../charts/postgresql/templates/svc-read.yaml | 14 +- .../charts/postgresql/templates/svc.yaml | 14 +- .../charts/postgresql/values-production.yaml | 96 +++-- .../charts/postgresql/values.schema.json | 4 +- .../artifactory/charts/postgresql/values.yaml | 100 ++++-- .../artifactory/ci/access-tls-values.yaml | 6 +- .../charts/artifactory/ci/default-values.yaml | 4 + .../artifactory/ci/derby-test-values.yaml | 4 + .../charts/artifactory/ci/global-values.yaml | 47 +++ .../ci/migration-disabled-values.yaml | 3 + .../charts/artifactory/requirements.lock | 6 +- .../charts/artifactory/requirements.yaml | 2 +- .../artifactory/security-mitigation.yaml | 19 + .../charts/artifactory/templates/_helpers.tpl | 152 ++++++++ .../templates/additional-resources.yaml | 3 + .../templates/artifactory-access-config.yaml | 2 +- .../templates/artifactory-custom-secrets.yaml | 2 +- .../artifactory-migration-scripts.yaml | 4 +- .../templates/artifactory-secrets.yaml | 12 +- .../templates/artifactory-service.yaml | 8 +- .../templates/artifactory-statefulset.yaml | 121 ++++--- .../templates/artifactory-system-yaml.yaml | 2 + .../charts/artifactory/templates/ingress.yaml | 8 +- .../templates/nginx-certificate-secret.yaml | 2 +- .../templates/nginx-deployment.yaml | 23 +- .../artifactory/templates/nginx-pvc.yaml | 6 +- .../artifactory/templates/nginx-service.yaml | 2 +- .../charts/artifactory/values.yaml | 138 ++++++- charts/artifactory-jcr/ci/default-values.yaml | 6 + charts/artifactory-jcr/requirements.lock | 6 +- 
charts/artifactory-jcr/requirements.yaml | 2 +- charts/artifactory-jcr/values.yaml | 7 +- index.yaml | 32 +- sha256sum/artifactory-jcr/artifactory-jcr.sum | 4 +- 81 files changed, 2287 insertions(+), 651 deletions(-) create mode 100644 assets/artifactory-jcr/artifactory-jcr-3.4.000.tgz create mode 100644 charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/.helmignore create mode 100644 charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/Chart.yaml create mode 100644 charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/README.md create mode 100644 charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/templates/_capabilities.tpl create mode 100644 charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/templates/_errors.tpl create mode 100644 charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/templates/_images.tpl create mode 100644 charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/templates/_labels.tpl create mode 100644 charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/templates/_names.tpl create mode 100644 charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/templates/_secrets.tpl create mode 100644 charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/templates/_storage.tpl create mode 100644 charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/templates/_tplvalues.tpl create mode 100644 charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/templates/_utils.tpl create mode 100644 charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/templates/_validations.tpl create mode 100644 charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/templates/_warnings.tpl create mode 100644 charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/values.yaml create mode 
100644 charts/artifactory-jcr/charts/artifactory/charts/postgresql/ci/commonAnnotations.yaml create mode 100644 charts/artifactory-jcr/charts/artifactory/charts/postgresql/requirements.lock create mode 100644 charts/artifactory-jcr/charts/artifactory/charts/postgresql/requirements.yaml create mode 100644 charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/podsecuritypolicy.yaml create mode 100644 charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/role.yaml create mode 100644 charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/rolebinding.yaml create mode 100644 charts/artifactory-jcr/charts/artifactory/ci/derby-test-values.yaml create mode 100644 charts/artifactory-jcr/charts/artifactory/ci/global-values.yaml create mode 100644 charts/artifactory-jcr/charts/artifactory/security-mitigation.yaml create mode 100644 charts/artifactory-jcr/charts/artifactory/templates/additional-resources.yaml 
diff --git a/assets/artifactory-jcr/artifactory-jcr-3.4.000.tgz b/assets/artifactory-jcr/artifactory-jcr-3.4.000.tgz new file mode 100644 index 0000000000000000000000000000000000000000..7335cf942c66ba9855d0e60a69a70ba9237726f2 GIT binary patch literal 154564 zcmV)IK)k;niwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PKAUcpOKSuol7s!<h}oawU~ff~`c;Go#D)*iMio*_N#<lAHrO z$Ti(HGadDGce=VIO&kH?2oTN%evXAC%ffOWVIjnJ4qyq(9tl^%vA}W!cF6(>n{Xc? z|5vZ7x~qG7bQ%ZtbAS0_O?TD1>eZ`PRj*!Q&o?Vr_Z_d1yF~Z$12ydVS_9Xuwqy1b z3WY*nPY?WCC=`<a77KknZN;8Kv9GJAtGiHaD-?UW`uf^X;n<PT`U$9yy|%)-aV44i zGkLIWJ3jVJ$EKwWLOS-b<y18t`@Tgq)5+_EX^2UT5^}NU+r&#P<`IivN^&-?lM+g3 zRR+7}`NX59W0%leF@s$<{JBXhc4@sCgHYWwT_4`<+37h|G~n1iHf`deNm4bb?=><t zhe5CTzDrB_{3R8S(cskcx-6RWMA3Z4)EOvQ*2D8!)%0sYIiSR2<%#V>U4W9;ncmZU z9aEopdFtb`Me@ncVL4SNe~Iqp*dLl}S2MGuG4FT=EoE{l)0rFsu$deRNz3GrBrcOf z2AOkQD$C`X8OYSJDc%8eQpcuMLN#L5pA#~kL5K?+x-A-wsvzuhF=o<RggSwz6M!s5 z#KqGjlgylKs&1`ED-;TuhgxS(Jjd=ys`wnX0z!}N0I-bx@9isgC+&Z4cj1KnKORpz z8YC4QSU%z{k1CFrG!|N>9ZlCvicE?yx~PA2Bv)~~I`(~Hpo(b`Et6?SJIFlt2%4`E z8|gJ{S53Prf!2seG<1;@AX;+*%RsZXGmqwL*hdW~K&+nOn0EE_Ogrk=bwVlfYed$b zH~ktqbO>qZbLE^R4UGonS<*m@iy28ASSv<i8B<~)#|9A0imLpGVgQmlb%OMO`cB=v zjE{kg)hR*{wk$*g*L6I`qwd%hvl@6%2F;QNMW(%+-OT$QA*~0LOs2gZ^;?!?lF1;j z4dMaW8<dh85Dm(lZY`s{FJ&?aF(3+1c)=K`1eS#?llsW1D4Zx|kprVGMc6iw;pjn~ z*xVC9X(B7FmtTZpv?BzxO6~J;m9<^PbLt=f6+aEiInlbjQ9W{LV0wfR%uN+QGwZlY zIA9bGwI#;dEb+9mY5N{-Xr>dEa2;v_F?<kC4)>y5JEIL`4FvDAb*IiS10@y5vYdIQ z=^hb7Dl$mLv`sEs$3rgW+Fa+%vD!@HmT40S(|5p4@Ei+(>TUpyQYUrBegqj?mZM|V zj^zfF+#8gMXA_@Lq+0=#e1@|ohj(;nkt0DMG(vq^k}r@zP(s<_E;Adw*4?0lvb}{u zJ$z}Ibu+zcPfFEdR&q8SlhGbLha<J~2*`#QjDN<>CG4~7Ine*Tz_wW(MPoGyRWT%# z_*}SH*B#GbH3YOsY^)3}J98uiFg!XjJ~`b#HeEuac$Od<cuED0bE^sYo8U|__tr<n zU8wGO1o<^=qYLW`93mrp-1Q@Iqjt1Vr%V#nZ1iHGgtFby3&*b!uY|H$rdy^>eQa68 z<1%(F>@yo%Ld@M{PG79huw8LVXv3kb>p4cC`@=@IgtEJdRi8-?=*({NNu6-H(c)sZ z6J;v|`+-MjwuJVhL*Z`@X+of9wGGijv$LVHWkXXOQlv?W8TiGE7dLQIG*&h3g=MW0 
zlsf+Qhz(H-T;9ZH-;EOTy?}R1-=b4Q_lQ3R{&SW$8ztVHsfSj^Z@8p{MjUMHz!tW3 z;t88PY*#%(>9U-Qa>t){lOs-WU%?g)*_Y$XghTzRN2bmjiP&l8#O0;vrPlFhroEj_ z7L_4d@nx7Ph&Vt7afxjZTUUk^4#6XpR8q>OZ{xZti78u7SrQ{ZMZD)Hhx!LchqStp zL5fJylq@3*q)C}a!K{oJ)(oIKaH}3R2xaEX^&Fq*K5{HW<pn6(KvCHvc$Qf{aJvX) zM#;cFW{%K44rY>IgIVhap;@V-6*M+JjRFcbGcF|<XG5QAqatlBVoDSIYzM9B=;UCj zOLVi+5Pnri2Qr9{O^dsNY*@4io+F6VUB3Z}qIxFtre&dkvd?8=7{ovZ@ycNT)4EfL z<M=CHh`W>lhi(W&k`!m?zh&Yo5m$(Z#Q#qY7e1*oOHOEhY<zlXO7j=|b>moO{#Pg# zx)Srh-c5Zc=6}cK8F1{XhyB13^B?f7YOHHs5>TI+OUr2xqvev^=_gi${;Z#-_5a=d zW4ne%#&>CT<5=NXy8jo8-G$!d`cJX9c%uIwkEgw5&lYRS1K?9wPBqhSS<=JcbF9!o zfbqIa!ZDW^p$8$ChuYD8SU$cO<<K5%qn=LGRp=^Y&O-ZK1N%gE%=(*_Ys3;XLt89r zo3tLZQ7y#x5IQ89Zmr1B3=$m`*MX)t1x+!A2Dlk>=1^Dny6|+R;OPqSbZK1@&z5zd z>Ct+d&=j;j1x+zzXI*HTrB+a+*2SeZuKTFCK6VNzcp|A4Ii4xvqVB>v@D!WzY|#oK zngVYehNejgm`9I|I*G~_W!YlyI!G#L#Ux3aw9N`hA?L-Yo1Jymj`%d8bk<p@ADruh zuyUr!C9{LzKl4K2M?t|sMuK?d<LW_}s_+#yzWzqn$WfD!H)-91qb{wN3vN$fp{}*- zOo0imsjKzH@DwDT;@WkF;puKh)71g35H3BPbyh|;09e`qW;i{xn^<*aZIT&MKBtsK zN+TNB>rm`1T3@rs`?O*xif$=#8x_}V4z{G(wq9+Mf+gf-&6b)WX=0@}v^ZT_m)6UW zjN%6B+O&2oJ=&HemL5fSy0o4U%Q~8+N9$V}OSi;QSQjr%V*y|Rg+vEq>x>5x^*v@b z_?}Nh2^hY9*F#;K*F#Cua1rOX7-Cr$zfB#oM^Sb$CNV6<H9IC-(uSntkEN*fg;>_? 
zm26@CKZ&I~99<cfUWsKLjo+nhUK)w$Qr@~OT~~AC$FX!D8!XERtV?3)>RUUOVspoh zV=0DM*6d+0EKQv<j-?P{S%-=hmu{DWRty_v?VjQm=AkudS(nmbm{SnqS%-}&XkAUF zJAo%`oT4(?*$`dDAyVW9Wy{o&2&Yo&h9X}_e=BHRO|~OW;ueNwCn>K>Nef!BNlW8s z3KGqFe2WyPu@HLZMX9B1vblEk+01Nf97~^8+!RAol+3KTFEA`U$C>UzG)e9TZ7gnC z3z}}NH-cD@5V=`cE5vRNu^>l(n8<gn2VyaTScokRC;;PI5DI`kt=Oj(Bm^<?!8CdE z+G*<2`XY!uA;dxw;-oTzEXc7cQFN!dfc6YbBFm{dDDbRQdVD8F5~H9?Y)XW{yIRvB z;YWpwDTTp%jG{YXwirbeM|BG+b%$-!H?bv6A95<NjnZ;?s>UWtoPmdW5$(_TNv{8n z3=a&AO${AW980hNcJ&pzlk30T-Mu|0)_;%3gO+>xU98s#8ZmWZi`ak`kBl$r(h8ky z_zJMc=E8-ZmX&J0@0RlU`T2Pb0~*cos(Fi}qIrn9njV@QokIO%gJ@uUY;bsbczkRM z?Hr#(`=*9E(d5v?<oMve0rt8RN(~NAO-~N**vH-gfTD&5qlhdmBdEy=j<Sf>uw|h- z!92LkCtjUzA?uE9h&V3Tk*A~+c|?TVn2y~kK*4r1GfHMTfZb*+g1~s7))dh>kRtMH zo)c7SXbZP)CJmR&lXN*=6JfgJHaxRh^N};pETQ8eV*94wKsfMgj%Qv5_+)5GN)5k; zAwsh1VcVD6{z4840i=p8Gz6fVhzM-Pps>wY2Pl#X+d$Z|1Q>{J;-5@HIcgE))(Np+ z;)ex9cOnQol_8M2Q?EO=fFwiXAZ8QbaD*D#DdIcaz;hi+Xe8CJ!DSm|1(YnXLeWOE zgI9ItiPwn?(}MsD51BUqyAz`Fa6n-<UqIoXKms1BV;ff?2$4s^=ruuDCz`JjV87hp z)MJ3HN@m_<+T?g>qiJ^V=AkvyWsoXn#cv>&csc{UvA1w$2cUC2IVeg%flqyGL(m(o zVUJJ=(d<BFVv~xgvk^50U7<5-@{61xi#9qQ{N-gk)K<qf$Yjnm0tU-Ns(uInWPy0P z36Uf&@#-d}pzxq)GFs83&8jv90e4wgT1sk~>yZlaL^w<xdSIQeU)LSOte86Av6c;N z+PW2hD9VA4Y{%y@i#)oJIu#$HlX-+6(j9|z#zRB|7+#=L_J1X&sA5_~F(2dQONj0_ zlaB2Mf9DYzSkONp?z2wx8n#Ux%MRju*rt3<O(+z+vBb{`!ib9pz;(tM6fhEO>Q3D? 
zS%-3fIKgI>*u(<|H^#7Py>!PG-YIPD@xEIphKV7>O=0^2$D3_33iFOP3lxJLVwx6p z0n?UjgdKp3POw$S20?fZn-)aQL?O^ZSvr|DWeOMuzT(g>Nb6=hzNwSYym3kKO-N=| ze4mXiVVEhSR)E-uZA2Du-L(j-=z7kaX~^A6g8E(NKAQ`uOe|-<Ba*@(@yt2wn{xy) zfzWJH0~n5U83^tLBrXF<co@0Px}w2wFzxr8I=58}6*L#?3-dKouPMfW7^d%d+<~4m zp(&Xbho`$b5wURD@#HVZlg+I5rYJVrBb3-aNFSs5nqxtyK#pftO&eP&ZQg8;rJbt8 zx_>81icd(7X|rfM053)jkJPal_D|ws4>X0z1=y$)k5~<4nf5FQu58+%CpNB=4%z6Y z?Gvwpbr>W%l`%3DY7<dRI>f0&t<EMPa*R)H@njzeyR3pQ6rh|Aim^1Lg8_@R3FxpP zJP`@W;j)2Rj@Od-PNh@$%<4Nfwk&D3X;7}4zAzrr?*Q!r%BhH)3&|5v=Lxq$wlWNN zOO6(*qr$8*plAACCN*qTkW*>xysT`rN7;}k5oayN`_L>q6+|qe`<`Q)dM9gzGPXdE z<~>%=2InKNh4c~Y1**_VBq$~)pGKVp<WD=79Ew8QrQ&dGg(g(Tro}2-CiQ8jI%I{e z5N%MO)TwI1O-cj8h7cXbNKt|}KO6bDw-WkVs?a+XGZNDRMcNQ&X;M9)Fv<hQI@n9$ zMqU6GFB+Q2f)qlWSE-M>V^i1E11F$X1J$uN%S@jac}LRaBGjzfSj3dDHUhz>Y9cdM z*)hjQ7^!_#%Qko6gnu2fEqmayE{`feW*_Sbq^O1|DidNOkLUy}dASk86LmsLE)9t7 zTMVu4c&@{TYv%AO-H#ihE)DHsZWTj25V9{lD>N1G!ByyL>SRXgW~x;tSg#>PKoF{1 zZg4LS{DO;|0Ac3gxx^2!CDm`<@hoHBWWI*&*g0r<YR<t=h_J4*iIda7mfy%#JVH8= z>3L+%(U~D{8qLN0k0F$^Ez-%{L6_-qlckHyIbS=s8cb1L3pYBWH!kt`P)p&Ba4gh$ zo9gC=wiuk{CX6Y=IoKB7K;23MO<-np{|~gzMzWw2*JmA!`dAI{qI^Qsfn3h3(t33~ zOFDTlDf99qK`@VYDi!AEIfxR=>J<Ms>#pPZykSB+ARJ}k6@r<OoIxx(w2{P$UDsmM zO~<wxT*}OL3DR^6n{_J6D$JD|9Ed92&~Dm9CzN8(gx*>4OuHJMzcS_6r*`~}v;$$w zv56QFb*El7?a-@-YRL+cAwI(uqpj}<CofK%KrzpnLXLGB8m_SR59dPEH+`nlVWaqF zm6L$0n0*E#CnoM2qX8@Qtv!d*90-iDp*sQdpZIUnMi^Omo(87RShYx%4+7W^iI04O zgjHP1z`>Zn38!MJ9l_C~#%V~lWP8-XQ}t_vyJB%olrEE;jEbHjCmK;76GNW#s`%)@ zx+rTssVkUDhYgm+h4O{c6%mgHHw8T!nk4GV5D%}e<3?oJl2%A}TvPfsF?+Oxmj_M4 z+(u%ULA{gf5%XwFzvhG^a(vp%hwv7btTUPlfj}bFsuPkt`54)*QYM^Nb#P7t>Z2;7 zmyyTk8y?Y3*CfnnsjhE0J7iB2qZr1A<V<2K45JcfS;5H{ZX#D&98{)!QO9E{<T-WI zW_rSBk5oa=OkAka45kc*1I8JgIA&eJ>=7TEcBk~4l_@;T4(vt~a|+@RVWbe9a27cn z9Xo|~cQUhR5au^^D$WF`s2_DV!CQ2$HbGC)q{clrZapOoAkJ{Wp>>JJ*kt15J<ju^ zfeQ%_KFMfYXhsJ!T4DQ(i63j~?AZA9@W4<O`DDQdd9!XOa4?r!!K3yr#RR1ElqShS zdnusg)DuJ4Cd@G-r6Z|gm1#Rv@e88{mVq+@EOf3!t_qlR38%^xlr21>>e%Wky{HoP 
zR@cICFj$a@C5@4+BMHT{iY`gRR@IotluYf{@dYSkRw6sYhRkX-0ye{Uyv}ARW9jQD zt6XAkkRqi@qNjiZF-JV!Sboj)j2vUK5w?x(cy%^mW{w5Ho(2b+MfMolEM}#>!Fk|Q z>2Q$`Tgv2>c_?vmMBf67)rhUlhr<Ro4EDFj<~yoJDo`ZpLP9I)37uT})HGtM1M?|t zGo-{eg1U5DV;Un33!neV=1kf&5U^atz*c%^g4HTiCfpD3f~5X&!L-`9NEJ~us{pr^ zpWAo%_xK`9)D#Se;6o+Z@sMFMuQlf7rg-qt(q77z5eK8}6*-j@YC5BC1Nk`YMvJM4 zx;htjC4k3JE30`C0ZqGAu~9hmx^<_{U1_FAv1OTXrjnQm#2Ta*COcv$fX`JUFOX_z zpKTFJq0z{KYni&qroRAD*&qqmHyTMVQd!JWma$qcT}7Tg!<byi;jUg;U4357)J(Wp zK&GNF90Ye=4Y~Ws>yJ4;s}%0u!1z*j_@s<=+bT@&*f3HPsYr-Ni9z^A5bFj?lL$oI zyWk6?K8dD8RgZARZ-^cOGcvM3bj8Gj;SB}ikt*iN6q@E9VlSXiL(|d$p&CENEd6N1 z0n6!gms{BpVuBYNYTSL1+Zeb`sN&JkPI=HCiJy*#gbwq<QfVc{ozbe3n5M=KQ+otc zhab&_CWW)f*lPearj2;^v9f52aMEE`&F1x4*_&j$iP0cs2;h?1q@h8R!qka)tkebA zV{&PPoggH&+~5;fn0d1)R%8aC6=Cuct%7w%4JP_NjY!?dXeC&$C8wxrY160i#_d23 z?D%E-r_k_J7VYSt8lIBEy<m8H_xQePbV2{*WdGRo@X!<*pH#Qy$9JOsv5U~&;jzI^ zL`=Q|yx{T-2a*#L?24f*lSVxV)=9CnQw=oFMFkTgui3;p6*N6OJu=jZ#>U5T!(%%q zhsSmejSh`XccRgu$${PdW7GXRhDU~{F9H?XIXpc!G{wUQ`UQ-M{>ka#fqf(WlW1b! z<iz;Y5Fc&%ZlOgiNWkJcHZ@__0d{8itT3)F*mXU}^-SiT1H%<@wjT5^vbf56DPL`* zG^oQ|MVf1qf@P<UZidrjZq&s-E3C$<8?DWgS+0AVH8c{6lvNrraoMzB^L&_%yok&( z-DPxe7`B5fSnTv`#PJ%+Qj6Tl@*U4tmkexDwahB9b<)up?sj*^mU6?DpJnxZBX<-i zGKgiC!Jz}<s-8n>xNjj*`UvYjh28P={=uzhZ1`|IRF+L<nf$aqUlD+&#c+s8UBhR! 
zWk^628~|w!qD3~-)=h&swtOprIWT-p*Tj|tDlN2L!%RfPL)hbc=4=!X$7&i_esZD< z(hNcy6Yw{tEgDm?tLlou#wGW}B~^@V%i#)JbsS^fwA8i3Swwxub#aw+f=>`I!YkOc z0-ndAj;%^yN6rllf+>+8kTuEEWAfmL3GL_vJ!B4gav@H@2p7|_F=xUiX+?x@P-+Sx z$lwM6p7($)8YC2Rq2Ec%%P{vx1GUmAE~qirJ>FfDn}thmw@EKluQ?811%;K)*k(Jd zxgv}z1nfyC!ayOmb)w`{>6F&50eVO3w&{ocG2FeiB<;v4TVfRo{FXd3JIwRtTP-Gq zK}yW8Od8wnAsX84%(IygpGt-T19>WdBmN+w#kQ2)kkIEA+aj=tD_%208ktd`7d)M4 z7bUXj(Mpk`24YQ^&6&&!x6iD@^ZpL9sf4mINQKx2uTgU>BW39vdv&lx(zy<$7<K2s z^P=4{v2u(lC6Me!ETVQcuN#*e!r6!zYA^{zG7X*ic|{u)w=txJEAY_RARAZH!r<V0 z|HQ=5*x>MmCDw$nTHv}?LxeA=p?mBbkTM_cB_V{SS6HD_gi*v-6Qo=1m=^IMZ-|)9 zbw)G!ib*VkB4X>7L%Go}dsv?(K1JC>i`i(BVqsm5b`7aaU{%GePnk(;Xyc$`ZwTWB zls+nfpWcCBwhq%&ku9uDB09wEKpD1`y;;^*Xv6mLLbwqMlX^~ohAtooThu`w;ibho zskGuymg^0r;IZ;)SCr%yMsTsUS|(A*3Qt=ow+30otm~PuaLsIRmW>tholg<`!pJ0; zn&E!Dkeu9i4VP!4MGoxgHFHi{%4jq3P@~akETTg|w^K>(vMxe#p(KVfXNs#&ry3B7 zHnIX?%w@+`213q9m?7Z9msmcRZoFxWX(*V+P@_T@N163IWmql4u_ZgH$k><azFf$u z2!GCXX$7dV5)ZwV?;&E&GU_U2OkR>alg0|P^1#>WeoMz2#5P4pj0CCVJbRO=BMaNr z09OgBI&;LclaYO5wIuS_X)|BiiMaef{U;g!ALcJRhB%hX|FWqm|5JBg*NOa3$K_cf z{|jUy7~m&_S{8zoz!m0-si%tw_hz`s9^~mE*Z>$$ZosDX!r9d_nX}H?O|U^x;Fi#M z;3?>l;pjYHXkEk`IS7_anZ=Lid84LJc%+z0PI#Uj7M2LwKg?ew@{3-)Q6_|A!$T~) ze8mdb3^y-!8}fU0PLA)&M_|rYz;tM5odrjoCOiTI2P2B2L7o6FlQ~OG+gj9$U1vjS z&Z;amoye|ZIC0Ob#NZ4<cCOax^1~9?7P;}TC6aAY;>{5+y@ZmvZcwDR%bbPA-EhH` zEP&q<Pub_!!fclN<sY%eiNqUa64gv6&svwsm<{<fFBbl2&L%!{JWacr7s)E~{P3dE zcuXV%@(f!$96wtkmqsSDgH#-kNPU2mv>?0aEE(+tx5O3$IyU&G?|v0*Ee<x~3n1uF zNHd*|(1GUQEt8+~IC$`28Pi%O1Or%f0bAZzKwL+Q!&52*a43&K;*1NC2w6-!l0)t) zMj5YpUR-{@4!paAt*#$9Sc=mr(ov#ZPJ(V#6XkM{a5p_?Wc23*rgYx%jP2XxyBSx! 
zItS(8A_?kZog}l73rXeEb2f(};c3L9CQj=fXN`?d50%b33k}P)IyFh8<M9l!;aarc za0xo7W_vx@iA*2W!8i8tET7cRqq=EB3=8wBT4CQ1p7kD{V2V;^GYKUUUgK=Q@yjK- z7-zn5LuT#6$R_jg1E*Z0b!>-?2ujIQ`_<*DKzehxY~+<S!W3U6Lm~?)8gqO?*_T+> z@(>$rCiZCyOdgxG1+=l>b>%FgBh&9GXPLt?vaWE^*>L381o>v2u!a$bH$+xxEzDzY zutGTS9X6lT!K$%hj)9mz;0G=;D_{kf!#wP>)`F!bzFa6zhHxi3Lc_2+fzsJxQ8LP5 z64ORx!S_g=ARSXe`Nnd%gC}z?N7L3Q>ol?92w4S|8SAb^)J?pQ6pb|k9J)<pU2jgp zjz&ZJ#b}&t2q+hVmdTHsb0#AxfGMIown0m%yRT3HbvO&!zQlT(%=ph+E<7Mp<mkG! z1-^b*cIHT2k!dG#x$QEDMR>#}A`2$vYgIn>NhPqD@nMteC?9c|Tm1-MWEG77+B2C! zm$i=qfCgoeeqVMHHiGHCB?(b*Q?zY-WN>D3Xk@5=YG`Jxe{|@aTm(x9W2ZdOCDY>K zGVCBW9U2eQ0K;i0w7*6?5)C-564$CpiklPH=J!qPn(QAOn&By4>qZCft%Ho2C2dV+ z+~$MXTvuXz5Q50%+`y~0wj10ugiyLeDCkf9iLtrF*w=d8dWh&gc<>-X8SYSWSCaDp zgFs8aJ{ldgZDsEqWvql17Z~wiz_CchM`cnoZ3DTipYny~ImZg>gvKuYP&WFb4qT6q zK8cRy&gn?gwC30FR*W-|mpZ*v!T{c(*eENm6p5z==Xq|+4QYHi-#ht!AM{airHGn= zJ7(0GMdr7OggLckdgx9x;yANNM99iK)neN@T8!MUj*5{}x_pOUI#YFrCf!8tmNWZ0 zJu<}{#VYZ+o6JTvkMR9AnH^r9BLrz-RCB1$)Vou<#grg_-hrzuXz1($G;zzt+MUP) z8I<Bkf<G3|JKmzC;2<o^#;9eAGWO{H!o}OO>Q^?#VjKR=wg901Eqq0d`HI`e9D_`- z@s!tFk4ro4pgOh#a8x4iV|rw&6ID!)`l9jj9`QYsfFn3d8tB<b+~1~Shz2*KgFV<V z7~2~O?SLV9-lR1p**th8cBm5!6{2t<f>hR!ol>T$`-*C!g3ksxg)8<umt&M|cd=i~ z`%d1ssK#EPTyB;$Vy|b37&eAQfF>+d0^|*RalJDcJ!lXL%e7KtX&8^Ib}-o;1Z&cd z0xcHl>klgTVI73EY0m75Jge9p3o_?EQ^d|xGGrEAE;}QvmFjLqFw;PVd`HDb0}8Qq z(HYlDSlpx%dJ-x0iBcGb*ZR6T&2Z}2w8f=#2(~(7Hw*G7KJ)i2n!`F=ufdqgF3l8c zrkKHviu0Q~D38D{6Q!$gSvIL`l25qqBI1%NH-97)R|!c>2xsL2lH=As%A7_xxk@vs zYftHK)fK6AF0v=rf3fT4c-Gouw+6i2{h!^Nipl)neVaC&SpPj9&kEOn_t_?!gkcL! 
zMyY8>;Yg_`XN|CaVp*t;FM(^X^jTbu@`ln*R1QqbK)&Nx+yxmJ7R!)Sdni{x|1=gh zo9w|3%c+*o{@uhg(6q-4+psM|mnX5U*NBHkaG9df!1B%9faL@Rn({sDld2#)b!|Jc zB4x{|=4-?=az2BfGi~3=vC%K*arik4muapJ@O1`1M+N*GgP&99lzeTrU-!*9Hu3|R zaVt)FgiD5R+>6yJvGaN^n&2~gO5gx4zwVT|Bl{&S+_1`>+UO3{i#M{OzEfJRAgsqS zf7kT2%!$28{v_?cZsx`OCwI)Q0$uL@m!3_9g#GX9?KyG(!*O}q(Fk0`q{Lppl}x^a zh)wwlC-#}C_5z!76HdcJq}<o$Yn4q4oQnQvNnbhrdaCeVEHv#vRzo-{?N}(6^GHC6 zP)U?S6a7<D7mQC1PNAX6$??e&k0oJ7Ql8upUc3j#HRQ$u<=2zSd8o1-l5$;F^HxPE z1oVH#d@Os#^)bM)O#kmIY}%B(|Eah8ME<|y^1NbVY}ey5PiOl4xZ&M{lWlEnhuhlP zZhq9m+uGVTp<O%M+S*R4_K)_rwSDxpkNG`*L|a=M(sxgewzXaM?6$TSzND?~w{2~0 zFTA_0Ehx0L{pes@Tj?!rZBKRIe)PO;ZEX*`ePU#KsI9GS?C99&k<pQ(Bcn(5jvZnD zA7%d^89g#8{}>rP%Kn2gqhm)##*U6nd~#y)@UF3=d&dsL*CQh%@E<Gi(J@|^y@6W8 zpBUbCco+M0n3ov=AbTsfb*m^|_`(;C+zfvo-aB@~SV+Lc4HIKGj&Z_R#lvHqys?|c zhCeaPXg<1k-~0EC9u?)s4(}bkarC^K&KrX&<A?X|{rFx^IR`#^WbX)&J#u8^IiGya z*wH<sNB52%9vwYA%E*&&_TIFYLl`+a()M86-XnV%M~B%bh7R8E`{#XQM}e@TBRh}m z90h>9%-9je_~>C?Wi)!jC}eN;-8eWR1rB&Y@`pz`($T{sqaPELi~!lZ@Cd8Ehr=8T zr3WoIb_AN^$liUQ+&3l*Gt`2BQQ&d!-XnYWT)$`ZlcOBS$PJ9b2~OAzdj$$!{pg6G z<ml*mN6s6)Q8cS;vQeosqkE3-0kTK;-pGKDLB;V;jC0{|z67WvBO^EPW*Qm0VQeq( zHKM4{$dQrp8~2PI*)w{>=;+bWJvZ%PS_Gu-y%9*_ppK4?9%bz~c7*A}gAYDP9z}lN z*4B29KRGtl_VgXbOWt+#_V4}gumA9q@BZ7z-}=I>Pkh?GSAX)qZoG2%aTDME@*8$O z@~`y6zrFth2Oe?#?|$+34|~Sl^V&Oq{x_(2-S6LV#(Q7?)W=_S*<W7tKVR!V^^}>P z4W9h|+m5{ZEw8)gJ&)?SV(RP*UVhJ)vgMzi`4^q`NAG?3j|Lt+_Q2d@K6cXcKJ~Xx z{(S!Le)HjH-ucE)KjB-i{MXNZ<p<-H`#zKT#6M2EZ>rz2yYJBV|M`QLyvnq`^Vk>v zzspbm@oP7pe{J_^PkPY}&#ATFJo)yk8?TxD;!OviviVp4@}J-Q(5+usC|o$w@z-y@ z<E+K6f8*l2-uA;Szx<C4+yDE#j|8LpbLaG)`|Lfh`1f7j^S@esU)Ru$KRfN@wzjsv zDDT}hc<&c(`0}Q<wzfz5!=pow{QhH}^ypLjzWdU5zP+vOk#oa?{nHEIxaaBzW}Y<k z%+Eb__xA>;OV26h&p2i8mM{Ha+v7j|#ECE6fAZ^Zd)akUSG@6wPk!m0|90!GUH|yM zr%&yD^pj6{!{wivI=i>`j@w?gvG=sQKYh*YgD<=HO_vAVTjy_>|J~K!eB1MW_6Kw3 zRlj@d4WIeR&u&AHLMJ`qW#78v!;7`IeE7v1ulnB6*PMKHY5o<DJ#xVl-Z1vE_ul=M z4?k<@ss1bPdHxLg#;*$gk(r+lE*$v6uOIpGzTn+od-2VuY<up5d#`=jsrSC)dgmF7 
zk9**+{@-(Nz&|<d?eDt&`oiD+?m0jG;5T2sF!;?soU`$wOP~7b;^X>e-+guYzOOtt z8@#;lN9O;$|Kra(<FSi({`4D9`^@F{p0WF7|9ac~ADRE9`>6UO+jsu<yshs!?Tw#! z@ej`X!~Lf|@YnCU;Q{-*mwvML+Nb^aBJ$nC_nq?W|Nh3m9?JHO^?&5wt{(i()^l(B z&_B8V{)RVP`%gWWy=&yHPv3g`J@y^fzWbhwzxe6kp6-8s%C_%&yMBDzMIRge@UL>O zde8eWzVi-p`)5zNHh2HWfA{ty0|!n$^~^7v_jB#)AHM&q&%d(kr6>RFsfQ<L?!NEb zd(Zx_SN==y-+DJ6oy&jty=VMz+xY)H@#24c<AqmiU;gnkZhkNM!N1@8nEd2@&ws`A z1^?w;tDUx`@x6C_{LLM2dBe@QbFTg8`!D$Q=We>`s)^hG?Sknuo_oQ*Q?eI)GV|k$ z_ms4sb=~>W$1lA4iAVqP=iizfJp6&PF26YV;PqF!&wtuuJN|IxwsW8KgZs`rbH_C| zJ>~OT2d_Ejq`Tj~^+%%@`Tx3q;@j8XKXZ5Kx}6>SH$LX4hfjL;(XU;$ZOf(Syyb?g zcfa*FSKfj?{fzs*^^zm6`}T|e_Y=2We#+nnKltJeFZ|9Gx3qUZa^Z=+Z`*jo4KKd^ z@UP$Wq4#%x?)z{3y9a)!{q(NuZ+cJPr9Iaie)W|%9Q@CZxBbJ9=YlJKTl)R)M?d?F zYkpPy>BPC)UNbQ9+M9oK%{%_{8R!4>Q!}5t_lwWneR{`Rel_-?m%j1K&-lf?JOAr% zUiYvYulvhQwcNYj_~`fkYTJhv-}vR%UG=;l-SP3KO#WLTGjII?ec-R}>$~Tx&)waz z^^1S`;B#hA`|MBpZ+i8??`-|i*)RO`{r~=@4?NIy-Cvqdy5iIK|0?^^@154we#;X& ztS9{U=>BaFzo+9%x4nGR>7={uWuKdP%7c&U_~sLSIJ*Ct&w9^Eznpy4(S;{X8ZUX~ z?x72|J-y?(55N0?YZq>KdhavQD^DA|^$F*l?41APcW!v)JFEBg|K#QE-#_&O{h#~b zc~9Q;+S@<#x^MfR{Zjk6S3c{~XJqYnYS-v<=y8wS{rbLdK5yIT>-%2(u6sW8<zJrs zguCwE^`dv)`PtyhPq=Mt$Jm1(|Bv_Oa;M%ppS|lk{U`6es{PvD*Isei9Z!Dn>lgk0 zlq+vNH+afVZ++e7`zz%q4BS<!Ui!*iZ~oNDyRN+a%<eN@^Y+J`z3u2puUR<r19$B{ z?cC45|JT-)x3<6iv*U#`p8w^GE<b7Du8)5HuHdn+cu)HeKQlRZtNz6M-ujc5zw`UM z?tJVkr=R_Yi{ABc^HukrVRldc_M;bl<6CFfuYLU|#t%L5+!w#xd8c;o!;SmCaPoa0 z{mIMUeEQce|N4eUAI-nyb*CIzc+<1)%M4!Lwe_yMCq9*b@5`^f;{)%wqVtx&KKZqO zmwo&rUjMv1AK9_>3$Hr-!q*Hx`1)tvchT;Pp1k!gvxYO>cip}9^p9@Xde_w7?0D9< zjFZ1{*Vn&z^Ub%t{4q~`-IqV|saqa?-cx5@_LNOm^lquY=!^aCzHj88`i>`A2kW2s z>N!`vV%KMHD0Dq+{}VrW>3bXR{_2jaj=cP;XV8y7Wpd9~&%E=QzrN$7q0DvN|2_1f zm%efG%G>|;LlyGwD_-~N-rr;{>HgvsAGJSq+nZ<W?|S3qmv?RYZrk9|1OI&Mt8cvf z&Z*hYOl*D6)C(TbecIQb^O@iM_$eR!+sap_N^iSv@V>Ws3qN)4JM#yBHU7RQjDGI+ zFZ|*~zZ~2Dim#pg=-0jf%^y1HV~;v~`+t4=9f-c*BX9cdk-b+`25$K1ub+O+%;S2V zyZEeAJFonUTfTA08$a>`_gNdi@!P9Ak3QXc$3HymH&>l`<lw7ce`)_yp67ig^EU@} 
zUii%oPpNn}-ulaO;}7>0e?)J8#t)9{?SIe1zWRxOnZ58k@9hh&8oMU5c*Tvw7jD~d z`Fr0#q<z7D<F2c|@|)|v{mZX*oIXwe^;d6w{qP4ekG>-J{ujK`v;XF{&wl-zxBSEP zeQ)^kb6@nmoA3GWTYGnX<_(K)(JuPt+n#jh-@bR@G5>Vn{_J`0yXU5x+AldUaNEg0 zzU4jN&pqngC%u05NxvF8`*|Dx@y@v~5B<xVPBR;i*>Ur~f8~X*e8Q>w+@Z6c{?;FQ z#lv4jmwo$1*WLJmyI;R|;050Ae*1#ke(^x?;a`niGjPW@zg>CT;3ogVOFwtr)nB}S z_!l=k{xxS``Z4{I$6Z{1<mgNP{?KoK|MqhNI`{i8P0c;`1xJ4I<Ey`a$E#1Bd-RQa zzO(;{Z~Dn8R}BC1jy;bU?!D%@Up)KWSD*ipcRlH63%|H!{(YPO{@b5>%)4Lmz6<6i zzVf3B>RajayWjV<Tf9g8?>qX7H`3R>?~bpMe|k-AdTjbtSM|R5WzNGFUUL7_9(eUH zZZRJ`_3wXi!*zfEwl_^XAA0ozFYZ6}`mg-e^>e{t@5i@(<`I8!fAw+CJm~>^-ktv$ zobrzkzxN{tjq6W+%ck3}{`vLiRv&osb=Q`k{(0k<=YI6Be!ThroxDN&+V8hNXLi#g zj7R+EspjVT$Nocm`saJDsaA%b_V|~5=6mkuXU6~eTIazlK7Z1s-#O>x-#zVFPyOLt z2euWych`Zpzw(hAAKY-?3)=qfIluYp@4xugTw7b)nf}m)zJYyG;@cl>U4`P7T(Owz zDohu)l)4M0-k!4yg;JsLMC$I2Rp4jKTUWr^zx<p{8-|C*20y&x;ENvW>C1^{olkQ9 ze`!D{Kjz<9@3LR`ER+AgyU=|9bFtWUV*Y<Tp0K@3nRe7~%)t`<6!Cr2uF^~n&0!A? zNtaqiJn*QKy`+&raxJigvOCxLWC2=uT&{$&>ShARiDrpN0#At^c&0DUUeZo9PZ0Gz z$F9QpeR)W);RIo#py-TY1TDM`9}<-E5Eit-afwZ-g*<E<C|4s3sJm+eBhYWSq$IA# z%OGUoGO<c1ozM(IRnH0B63R|VYNedBnM}K~do|22(o}^n1PfnOIg8NCxTN;cXjOJl zxtlW^(a4GniXsvy=cep97QuD~AzE|hXJ}BCDl%hMN(f?Z6kd{4GaO1C*dAYr7Rf6} z!&rTURCVH4jA~`m_C4ItOeZ~7CM&9`(rA5jg`tFy0A4N8nxU*(0sxND7_O65F)5;1 z6CA=#q-&tx$JKR_KaHzPP!BjJ0?QH+7Af>`FszIS!&sV}rs7QZr^MbUYzs#L_N*^1 zYl{+*UTW`<${Htlh;Q;@*A?A;1UHC>HUVNJL;F!q#_wcP`i5X;WuRL1CDC~!vyc!1 z3Z=kEkY`ZCdMoW_$@sQ};w_l2W;$t_w_8LJg`s`8`Aik;_NXl`LyzE96V0LIBy86D zd_R8KhK>dQEo%gac)A~3+3R1bA$e&@2}B00qh(lYvlh-S6_N<rnO%lmHJ&gwz^cbk zng`3Vrh_XH^TZD7X;ceQL^5Dir#aqqj^g2%49v5iy#kI`ELagI%auDjU<GV29iGVY z-!i&V{EQ1^Wm2`2I>Qq&`8LaRLhLL~`PdJS?L@Jd5OD#*Ywa2gKxrXjm0$$e*Cyp= zMcJ-`K9)_gv{ZeIPKAMUD;4I{h!_WuG&SoGX$0*d(%Gd2#Dhu||Bw?uirp1TOPA$S zgvBKQB9p<Z@i=C?a&S2@GRPIj6R=cAmVbYUq?(CB{Ffgll*5Lr94n&0{<M*zmA!1L ztZ>ytb#@tFV5MXFk|!z?1AN-huAE_zAr0yv?y8Vl58?`x815z6Z>2)b?Y3P81+PR3 z^5}_9G-_T(;xgze>@t^;Lh|SeVo;WLWmWd0>gV(7Q<8{3I=8;#;VK!hFr_PK`QZv= 
z>fpE2IUceD%j!e{6}bcDym3l_s)bWU-+}URu|PpRL@$Ihm;wlFORS^(am3>herXET znC=qlQ%!e+gmAhFh59mG!xUGN>TZApq!nv~yv}rBVjr61b&n^%by9DhMfVm8qvi^E z<^a~r_9(A@{5XeHG->TzT!vxRxKMe;JhCQ*w2H@%t<>f$?pm%fMI)|`J<)V)=CBoi zGUl&&E)#)jc6}Cn;@OZiP>dyT3V&l%r4!W~@Q>qRou}QZQ+lb@vEmueki-#=S7O$) z{4l-}sf50cGM#}LOPp<Z1+0X>I7iV(3Llr1Z{S(W_>)6TQr$N>qRGSAR9x{8cvdH} zAUu@K>cKUG<KYk@+S-?Fmgm07m3c+05a+T|U?i_v4082iHO%dfRy>X`hpa7D&7mu1 z%q!(?f+IP;oCOrtUslH%tF+p-+b8NA|F(<#<yE$y;;uJ2>#bWcDsxQvT-Bx#FKF=d zHgx%g+Nqi|k7TWQd^uJ2GN4$$EH)4;w$g2l#8PYsP0+g5T@BYW>)30o%pvV<;gG7+ zZ~+k6jzL!Mo~n>01f($rDcxCJCx@%?S(fE-HSXxLY&JQktKsw#Jcq|!pK1&B<b11G zT@`N(61uQXS1{FV$<iJPL(DhV)@Ci8=dM*Tv_e<9B{QmHy)H&lRj+52s<(3Ixg|ph zS9*<Vwvc3GO=`Aq4Ag94HEPC?A3MueC-pMqr(dt(8|8r3Y4=(&m#TSP%WGa5duz3M zX&kP}<N=fGvUe(5YczK%H*2wWiI!TssZ)7bgQZjXSgoN;=V7f@PGw|mMo#5r4K^;R zSF1O0DSEY9`<9|t!n|eL(XcH%=v1#Z%qKc*R~*%k-EiR0fvmWwX4p88EujNhaaMab zvFbC)Xgdh{IFRi`2eK7{{lFs>D(z=*#2X1`0(-tqynO$_K(0{O)Ya2>AbVi(z{Lj^ zH#ARpq$AtJ2iiEO-ZIva{XcV(@x-&1C#jKQjjT>=pK6w)&mIFD%box3?oOWn?%mXV z;{5k<c?{wb+aR`X5?adSU|%_AxMAH?M&*@IEY&R)DQQe6pFuK9V+j?D+9s_hW0+M! 
z{Su-z+|}Dx!aaI#SEXl5rP$k3CVf5KJ$MW5-qf?HhY-@++h>r?#+FUEXY-~q*<uiV zOILTXs|WY>^z{}o);DLu8y;cvrmL7M6mx~1>0(c*x35&(r1kY}>D_#Gp|{jsIAPUR z`YhT1*Pr?Up5^*~u_u}Tr*~6N_lf?0Jf3*}XYN~?1!(TvJTPDdcHyCB@Wiv^)0F>( z=aW=3`#@Tz_1J>t@_!Y2dgJ}St57VQxc}j}JlHkQmtA|Vn8B_a{@kP$yR_a+Y!dcI z&jVI-nDt4|dZ#L7#?%=-VY+-gukqZd0VSTelCwEYYU`B9koQFG3^M;oW|lM{bqw>4 zRI4ab{bh2<AajmOGj(i=7<(uS8LX7KqLPU!gM^jk8P7(eiU|8WU_aArhQ;ik!Io^x z^AHiEV)B^>AUS2eo15^Q{G3VVmFg|B$!3zq{-IXV6VD&*S%LjucOI}M?SHYmyD9%q zSE0N2#Qg8LJndnip2)2QS0XBFb(!|?&IF7u>K`4+aXSvzZSzZx+tCg(k3GVZYe5Qq zX72^S8u3Uh4fw3>%%k}l_QRV149B#qr)T7)9T0pXYC}Bpp+iVJpKIYPX=pSk&yogO zT+C!LRm&-3NZ8fR4@Al1O(oQHW-KbCoM_@znd4h;$hvz;BNoUmb5m;l;qVCeX_N_a z=7?t+2C>BfAWn}w<3+W^g(8xT=2KxloWp8w7xyHLdj`KP+J(gb#Ma@SxMD{V1M2En z8Y=4UXri8Df_8=L><H!88CJqOPfUJA>qZHh2Y81-JEHkMEulk;LWqehZ|&$3$F%nn z@gqDb8v7PWI#DY5fk(9u+om5LW}`bu)wE0K@=VJTiH|%wH~sCX6WD(8)0Alt9eW9Y z8B;|9XWCK}E{`qOv`ML(c~V8bu53c4JOL{X26Qo8<p;60%K&TwsfOEmmSMhVUqacw zo>4O^-|B8qLfK-WF5d86g62xauFXxgx_Vi)Oz5nX<dSj*A=kn_>+>b$`><VcN@&BO zXt6t6LfPaRcb;`zu6wfEEG}j{QMlNhEusDB5Q>(%8I%cukJXmp$k`~fYBp5&kQz;r z$iOdNytsjh8qNhr9;qAf3!mVw5!d5cN=0&Jlh90>WmwuSWD<F*X@mNtei5!)U==*m zAer{adV*n<aU}sIaPJE<nH~>aqG%r5J{2k0;kbuiBPKthtia|MzwjWJ#Fa%1-6S&? 
ztvu+KH<>AXoIM4&&Sthg6WXKb`UuHebo0ta(MsutNFhC*6cXfT!TyAA&JnB8sj}H* zU*}Am+QEh4B{JqobRT4yvuqRzEH>o`zs4?~BfhT5#IyW<l@tVFYWOm-oOy9&Fd_@M z?y}Ku1r|G%>aGrj+wr7K#gVA)j_4|&mSSuMQ({zIBrkoU1Yt&0F1jj*LoYYPeV+|3 zKoxZcC0>-cF7qob_L7EjH<8S&E-xVx;8{U9R4<aSYa;I_3;>|2jz!Q8Oo<@}ez-~5 zv4kE+TAY$s85?!e&f~zZIi7hLM0@4EGS>4M_J3x#INC6_%X2IuZaiv7lYzyrtl)(- zH0+Da(%k!Cg~Q8Gqh#|Qt0v=jv1{(~oWKoJz~|704dTzpiih81{^#%ou?^QTZ9jVB zI)?l)N4&C9xk~)-?|JO&weXi^Qn>vtJh9oY>uelbxeNtiIm|249Dki@Z_kKN0%VF% zg-)ogKNYJZuBO*A^8N$c@gcw%ZbIj`M3_|EihwyFlZHtej4&euL6yL=_^~%qhr6cb zG&&>h0EqFg-an9u-$uX&){JsFLwK`76ov?WZU@$9iEZ#!NZxh@*}9GRwJ9<?xJPuy z1AXUL1fcyFg8~LV@g}feE1`V+z6kL$w!qO$Gea70MR}|aPT!Qc>juSyyCy!zE5!mS zbJR9nm-x)9;Xa(}ISUQAif^VyFtce$oQU2UD?y1L6+jo}_=<xxK{?j1bNf6i)W2=& zRFhwZaL(2go>DG_SehRoCs%fiMvj`7v3i9tIy4fT@8L?t)N|rQfEW)_KACp-$+u+N zt>KCZQ2E4N5-_{YiLpc6Ceg0mB+)K<bu4C>UmPK7ao@B*x-VYd)dRMPX-)VEj2tk) zhgxpk#C4PWh^VNXkwX;k6U@UES?XQKGIimw3kcYXkg{G(IEdDJ2d-mG5sR=F(xTOw z4IAMt6kec#UAMV1QSMO5@y1Nttdf&Wyw8?bw=*UgvB<HlMl5XsGqL>KY`q@X{8}8C zV=C9ZZ8X*E<7CLQG*ca-T{*AH&2FM|#F=eRW4B#pxCw&79CtvO%c?3zDvBl0q{=p9 zIn^q6^uh5hi7lO_X3z00pK?GOWrxS^__$g^MXkHYr#Xr{naup1rXt*h;+e*y3%Jlc z;m%7m>6QunW#*H7luKoeOf;vFaXntD9hl+@99Y%_?+9qPGUoUb9-+kc<5mV38IboS zxt{4jk{>-h`Ix+a$aUZZCh%xS?zCg`@nvj$dI;svC|)q@L7gi!F}Ul;23ri%1|-jN zh6tI{DYsS&Z2l%bz!6N&kQ~M3fQLBLQoJGztD$QuTO~~H(H@SzP;g&@jko|r4f%B< zP80Au7+vaUlr`6LT;lo6O^3Afrj7b1r-yg;4@{3wUNp0Nd~_&Jd_5m43S&2eGPq+R zd^v7U@hd%}1oQGV1t-3a7sg#;4>-2XU42?Yo0$N7r><jPh>U+#P1wS8%_G>LCDbM4 zh2U0C%+DZ{&<3pQ#PtW5Ke9brEEKXEIIC0go=wL?j!SG*C%$LuFi+$rOI`yDMO3BP zq`}RoQKz6C(S4bkOrFne7C2f5(<WsM=_to3?b|`tyACo59Rw&akwm%G&Lo*6&laHJ z%v*>k;YV@Z15`Ur>5V%sTs_d#(#Ww9!Fnw|;pWZCyi&()jN3zV#B0d5=Ju~0^_Qt* z1#tP9U*j)xVvZR1xMs?Z<5S<mZoX{V*lSSV@rbrimv$LsV!>QBl}1_2$6l2=R7^V) z9^INLQrpfl^<za5S4O_Vr7TNvYlY3^1?k9gs;p7@&=L7YIfP;UmcxNz`kLib<FCa6 zR`Um$x2;vhC{IiHL9x`lP>YXbj@W*SZ)TnKz8qPAtLM|pq|mH<Z6>VZ!KR~;QZfA0 zT&qre%#2Y=t?*NGEk2V-sUtqLtl@i@RLoiBgF(D<1AfDc5#F+@E`(FrsNpALYm}g5 
z(Hf=DxoEjjoH=h#tWm-nxklMssks(kqFjN-PJ`J-8+Ghs%d~Na)LZ#tq)C6drO(L% zih#ry%h9pL-1JCRsc5Q6ktJ|G)S_F-UC)V|o}2G^PQB$>xB)|K0EFcxFwZiLA{)P> zd$M5}JX&G%qYLZz4DJ{}hG)(ZepBUWW9m{XKZ-pQ50>-ea3EUv60S$U*bm4=joJFF zVR|U%qP*k!%^3pobJ)wL+SEL6<-BE<w<6tGPkr?4XQO%Mq~^xg111kA!E>S4k-G%X z;asm))Ow2ACD;px<xBY8p_&>B0CiI#<T-@ppmSw`X=XH2jO|<?vOx4etc$|++O9{W zE1D?FdcjhAH)06nGlMKInxn)I+)$0VcaO5lPGIv63|d@_SC~-zcC~8rK3U}9t3bkA zY{R)!4sD>d4YA)jJ^tHw0zI~689UvjByOoQw{QacHMF>xmumtl_aWRlb$d!h7J_Ka zUn`7Rb%NM5Da&z`t5E}7@rk#3EoiL(u&mv{b?eVp7o;IrwKn*Ap7Re&{Lva3o4V!# z&pIa`iRVvIO=!~yEr!$SnsNoLP<ozyNbUetK&rp)$oxwiV;i;|OVy_}XPzQ2ux+@* zKO9#uMV{mMXrpPMLPw~8sav{n9TfEEER*^<;_DBw@<~6Lp&<*t(zsq=_tSlpcqLSb z-d5-?egLSjF7>4~l;^>JRQ#(cRUSHZYk{ko))a8kx<C>2GY!fdPFP!hjcw*gxhI{r zm=D(7rMO@TH!OUcaNtnN9(@ypVnKRxvF;{r+YdEdiE@bPbt>~=QbC23wBoI>at%n} zj$$d6Ct!tb*s6ilrP!L|%yP$bN#LTWESrj@xl96`M^=hWEt!rhQ6gOAm!fV?PY0MN z%Ax+)QjyQ>qhmn*;R>R&raR#g7keafw@u1Z{5aszqfVah95(k^c@BeDlKx19U-ZGm z=pMFyln8IaF}NxWSlFyb)17e3PL&q_%_sDujzN^w?`%%U3pRJepGs1>C_pHc+t@<W zY9;FPJBNwwn_m3(@Fcg#k=0Do4e8>pTaC@o`JdsctoXf`z`8JFM!bQYdDBL&g-si= zQAL9#Tw?k)HYH;!A@oUt7yJ5@A0_4IYD4fL#^DM|tX8R&O$zyHh|!5mKfLlDq(cmZ zsf3cc)|-F}>z<Z_nJa*OHWb3lRLh7V6QULbymdz|sIdz?B9O22M=4oh8!4G`)vRiK zwMkp3TR^ZJ%aiY!SVCeVsHPoVd5v7`;X3hof0IQbtpNSTb_0R}A~1FA!s=>&Y||yI zA6e<R1=VP+gf7oXV@33ugR)U9C@ajDV1+@>CV&vzSP2NiWFi1?$&Lu>sn~K&E`h_g zhie5@)21S@VB97$jj$Vj+`zXEpbV=s0dM1RpE-m*y=KmloMRc`h1OJlgrf>M-6GhA zg=Tm;Ps)rz`E$deLt#h)%GMh>*yYt^xIz|bXmN2vO1Bkf?U*D2+q^U&>b(}cxD4V6 zFRgHFv0us5HN2uCn|4J-R$#Qlgc7VW6MO*sXfnd0+=x--*r;N9vTXyG?<qvFn`pgP zdkC`Pkzb8vqm_8~;@uKk7BK`(Irb(V%9Ij98fQWcE#>6waZDRA<G^z&+eG(~1C~(6 z?KJlwX6!~M#wVxy$EHj2ggv*MVv|nnopHk(G9&_Dn;<AL(qrS(APQcO&vHaH9)X5L z;3b=R8*s&ao!I{Az@`kkMMKLx$E+n7#*}twitts*OSVC5`Y3w7jGll_&H8dQhfDP0 zxO*u>*ud({GEv07@VGhgnVIzxIw$gddC?hObcUPBn3o<};bMt5bTRd7m-yPX1dUy- ziR=>NN1V>fBUBJM3T8kR8tM|3T`2Z&g*!l<5Vs+31kfFuIu?P2aXt#$j*mQIm>$u2 z`~+AR$CgFKlDPOa;#3vKO4%<<TQcT^KvWsu#fH8lvrNkLb)owzH=20`X1IkhoFXlc 
zhPB*|WK&~$Hnxqkd8}SLyuh}>f956$jPa&j^=m{Nh3IF9Svik?BoI|oH^q9m>B0nU zlUC3Qn#e9Ia}SnK7E1EBlC@HkN0RU*S}mHdeqsE?viKi$SzK)`hx*OU#hg%x0gx}L zSQw2~rJxS?Fc^$jW5x7=*mI`m*bvbqlh05dB_pDv0}+Dg2X;KPMBdn96JkgoDGHC` zZm2l&gD{0+kS8BVABymvFVU97`WsjBsiDd9hbCt(937ca9d$O63Hv1CNwS*@n~T|% z)E(`=aAtb<<WT?MR02d-q0kz_z`)Sd)Do3@m#C{?AG&aQvVUe^d~E0Nt^|bTaId9m zSZ8dA;a{@a;EtJz@$nJhv43EC`23+n@nTXwYK`H+k>>L8;-eSMObrc84o%Mtjh#Pp zet(Rdow3+6Zo>AG#w4kzLm~%MZ-}8QXJd7hjt_3p*ICkFdLG5C^I;7kTEiYOWPpw3 zRI8?4jp759u_t_|j5RHm8lzfhaZ!!Z*&`BA@xfm#C=SMQR`CD>-7<;oYjwP!=~0Z( zb`>8l$nBIC+7B&?5sGjhI+WucR2s1|DOOaxi6+{xbxn6XGT}JZlzABeLev*=TxJDn z3-vg}3+t3sioIrK*<388@<O8W0<XNVg36cF!)rm}Jn2qdqk*l};qW-KHLR>h>W)uV zSPT*%1NRIIY-X<*h33`Gb=9ZT3ahf2S1RX_HaiBBH89}jC*C!gaGJsLT}!EUMnbw4 zC941x&PP?<iKe7U;H{bt2Y!v%K97@Kxp35K+rzMdl~m*%iMjfrboslTrnMRhr0W$2 zCEvz@rHgmv3`S9uEu@($UOu~2P%<JDFINmrIa(S^vmd@qiDwRB#G@fq8dp#`%tEb( zG4m(ztP;vzVwCk#^tF_SQ-PBNj$LVN{)ZM9b4mflt}2LSOq1xQ`SeoJpJ94yzNsWQ z1^>B(9IvX@8idyo-H|iD92S{BJccDrpSX}zc=2{hqcXL$m;yB6TS7|`5!g-5+afSD zf>&1qIME8m+?4QA39X6PX6;Lh$8CWq6iaiR2!k5Ni_$`QQ6ikT1+o<l?<g4ryi#CF zB?(Oi4oW&Hp)?H3LLv}r)U*Si#Hp4QHBmzo5nG}xx*S~^IFUu?7PhqJ2H{5gkKY!n z@UoU{h8A#AT0jP2u30t`z)GaEM7Q*aYq7zGQ5o+~(HBWmbG)9?=hBYCA-OEXA*3JT z;RY<cgHi6QBu-h+*G!-A-3Pnryn|eP+89t$2`t8|*h@k!Z!heSh^An<$m9o@!VQk$ z2{bS~IEg%LR|$<`5Mjl%gw*>Tr(h3%5(<{k{td-~#{cWhcXw^*MDU^*zPMNdgB(Vb z@;J#FvFhP;-!g5|gc3@~MH@}iP%g)&+O6-MRO#Bj;ZTgM&KOOL{B-FOOmU)98d&Ur zMLS7S@YqXSBZ!ef4Df4=@I0eazJ%!fw8CVlZnDiX%{th0pfYh{3n?c@;%6k&$QK=L zg=Zf{*%cfZ3@R1ku?Z&1I+aRxWp$T0JSl1;q}Kv_mKZa>hizIR-VCvI$KXeMwn{r_ zsVuW<YdT;kD(9jTgdr769wJoAEqOjsE~Pi^RSZ|;?nWX9fhNySPB@+~j^+-IhZ`E; zzFE#ZY%yaS6$@QG2-En!SYT6Fm2&JH#Bae_VNeTHHu*XmgF};mPUkCF5qh+_u(>OP zP>d$|QkGOuhu@1zrB>eq(<q^0p}UYlsH*(!6R&RCpdh<Etdj}inT`<!OBaMRcZ4V1 zI-5-8l#hL8Bd7S5xl{qM^O6V$<4b~+DG!5lFpLR12$F+$A|mXd3~7kn4H}rnLB8A* zozreO0VJeg6%3Q|a0tFd9>bk>uuY-9Q>^nd!;Py9n6wF$_*03nHg&ro)m+hLdj%)M zAsWlp8*(4tGUtdb&!;laz=U6}=al(52JwA@y=WEX?(##~{OCj;yJmi_D8erDHG(a_ 
zCM+9lt_~6lH^N3PZsq~;6>M68N0@s;YmNm<k{UuUUb}H!5pQV#9*YVk17=q+_D5r5 z%W>dB2?Z3#@zfZqIqaox7i3$o+un})BiqR*??%e~oRE0X!e(98nv}coYHVUE{Nai` zblHg}&L0RZw(O-Lb`cpb;)`UkOW6r*eotz29+C$RWfX6G)G<g2O%iNe;F&%dxAhRe zxKcAp4PstKG&B`PwU{=egc81`mby_)MUV`fmxtR?C2%;#DYq0wNQLjjgLL@bLh~s( zp1*2*dPvO|V^(b@1it$ydNEI>0%og@X9)`2RA`)v9nqHy>(*2}u4e%2wPPWPI$i)! zQy`Jv_%T?WeGzvsdxNG|;%_o>-;}7DBjdKfZ`KrXVAr)8P#R8aGvk(EJrQVt!fjxV zi#yxI0LWkvLt#`*i-@@SC@GKpXjel2xav4nR+5t_-{N_iquudexw+`YWr0U>Wy>im z^8p28OoPg?HdAvNg}T*3eLzxTdkaVFn2v{P*fVs;kl|Qy6p;%iW>MtQWdo04;U%lE zkVUz00=ez<Tn-MVihT+mO2n|CTuyEnY~yVsQ=x6o&K0xgC^OJ)dJUVl`ew;lo=O}; z$1^c$ploR?Zvu%Bt%powdlm}kDl`i%r2KBCBDM_E8e&X99H{y#|Ho!8FR57p2ix*O z;;oi4*GJEqM2*lk)w-Osl8|_%JX&1bmX85QLQk5fm0(EL0W3{`GD|l@Qxj|x^P_W? zS*~7j=ZssbEQ)u}UGOzDwM+ENu4TLBnj5#dDjYoyuqCU8ztgHVSNDkTHDq1>qgBP` z%1ME7D2ccEmV~tEYs-C2|I*wUMZ2-_vW^#!lqrncO7pFwHU6)4wU!cD#ws^a4hD`5 zUn`_Kb{@^ZKF)^&;I@1WSP~N(v)TK+Uw60V<*(K9w<1Mu*@cIVb3{?yasoqEh%gTu zO?72Hwv|YS0~e0CCTl{=hG3HLAv9^+wi>HP5LN{Y5uhZBa-h%hwVc)Ci0T3o1ymA? 
zX%O2t{Wb6*YXXK4Oj9TG2z<iU>M=xhc{htdHK_{rYpaLv@*c4*57pD<Kg1?=bgeDG zYb$Laz%4lzAM=4XbpMlMZvO>SXsR2X-+f}ZHMVDIw=^vvDh?$6^2A{K=Qr3c8Kb45 z!}D~i`~2>uW(g}$k(42n`q2g<@Ev~zY$ZyiPQw(7yQCRkfn{znWt5m=mUkJGzCtVA za+12uBULFF{wKf@Z<iSrS3b~%L&VZnKjt{Bz!!+Li>ZIwE_nz#UH}k;{YH7e(strl zXX}(F^qevcGGyys18#TOOB%yzvR<lqMA4F^R!tv-n2L5yp(p$t!ymm}HNF8xt~2Tw zBpqS&J%&+vy_&8PP%>;&AKN+^2vt9=`O^!Y<9h+wmT&Q~nUF*%($cVDduA2DQ@dwC z$%IF!S+z~O3KEOG0rADlBq6Z(kQ07r!8JX(BLSe&KLN}ZwOX`0ObvE=j_nV^?x-*c zO|~ngSfmB1UstDp5s1B{F@a4lwHv0C;<hxkwn|u3eywy(@O=4uN!mD)RxC|E%GcG= z!I$Eu%&JX{eV#QbPboE%(xPNUO{)THA&5<mr~HORMDp@h<Rr=^iAjE5$s*_amg3em zC1^1pSnXs0D$CV<<_~4#9x3`$n;`(}Yn>!SZr_RNz@OoCV95qu*E$l+AC~tSSGbA6 zp?Qu)S`20K)5=LxfNjf%)tlY%ibrUz*+)tFkYKBYcal<Z<uo_d6|;k7X-RcvXm|fS z70Gs2PJ~*E`z9)w6-@Y6gk_bp!qu)qawIEVeN-l8D{QA#&fHc6bw$&=RduM9&Y@Qe zEPbM#s)(zicQrHd)dOrbU2oliR=U#4k+qy_GXxOli_VxOjZSn1KfYSpzEZ$ZM)A}= zboQ|U;g#F7hYkS}w78h%fpPp5$GEr{AH`Sbq#gS;+At!c$th!B&<@KfhrvSYbkHJP z;pWSqy2F-2@){ku){s)ZoN(~|{2jbiHFy&r;v%IL4_gc*>#Lel5%^F6wLl{0+N;IE zr}80+rb+o~{n!xx%JxFTYzV6tQmiU(?ijFR;97;aR^?u;%HqQtaeih=E3bs@4Ohf% zSYtb<5az+&{K&ivf#KPEARe`b=Lo`KQdCxjpA+U`mnIc)re@h9sNCQooqNNx4icx% z5Bwn8F^CA2Y;Q+ngy)?ABz`hd8%o)g@Hj#{8f6s0DH^OZJC24YkW*2Kf`ye0{H)AU zGO;UEGu`cH92(m>H8VW1C@)+y-S9XG9>hL|{F5b=h0uj;_-O~$X9G9<ScaeSGb;+w zoy&$DBgAViS2`C*pko*7rr&@ILzI}?WtBh;vt)ImXth!ZTCb6m1Dauuo|Pd=i42YH zQAcOYc*ib@EI~|kqLSFu#;!@lUFRTrIcrc41tG*^XT$tw+*yyVm_aCV-%GKx?76BQ zidA~ip)5lGRKDRc@M`@ink5^<#5dblEw^~Itk@Nl*yAQ6E`a4}=ToCniacU>Va(GQ zuc@pi8&CX>Zzh#cue{7=sXd)iR3_YaQQk#6Bl2bXj)D?d4@IIafw-K~SN2P&JG^-( zZ6UtY^etQqZ~hdmPsdMEHmw%NDN9|&U84epmOeUYHHv2mqRgG2>P81;)A5r%2f1z> z<e}uJqbWkd1W1OXQ#SF@a2;Rf*pL8;=lrws%%!J(zUt*YY#T(Y`6B)r6t}eQzKQ2) zwuP?6wOKAGm5ymoZeHk#X_;b*l($QDQg!L3g!(U->dEaM?H|ZZ?e6dD?UUk)-O8s- zHbt&8aUhm<%TRcka3CtG9CvKzbVjLXa=O|@i_wJ}%d1vAa6j~Jq(~JnGw~|c72@p} z^SPEcbnWf2TlgTsYV(;KIaeKsZVZc`wrNU+i?*q+&Qa=!49D4AHmzDV+ll6Dre2e0 z+bA*`Hm;jGZynasGRLj(yli=|!A2!XT?c}Luz<=AEUOdQP7^vviHOXQBRKokiS(M| 
zgqNGj6D%Qi;%NwNth!xHar!TqVq9R`z@CA`WwZck*WRH{*n@dC8h433<zszT9{J$^ zq;a3iN(lYYVcYO1UvtAm2c=T(B#m9X81n_g#Ob^RO^!w$sP=25&QDb*4pg_diz9x% z=U6<$p&Nj~<N47QxY)8BU1l+5B_j`3x~@%ks-tBt-PzTAd(N_#?sPR(DrVEpG48>0 z7&$H%1ontXhAdBIUcx@Ro}=>%J-O?yoCQ*{!iq$pB8y@jx~vC>aRsbMNO0Y5*_mUq zl?kSx%eJG1I%Tw0v-0NxV}}1km(&-Uatf$s(S_5nTM9)v1lJrI8VE|Qq^oy9jo2ub zQ7F3kH_GuNb0LR$dYG6*s$4_bCk03xO9UtyF(O#<D!(XKRtat9tV8A<NWPXqFxv^Q z*c3<Tea9l6)cpMyLneg^Xmuk@qd;p*9DrAkAQ!v4xA2k+O|LU*+7CEg201*!({q_b zA`qrzCS+tsb&=nLryS%4jvtWa5Rvc95?dtv6mz&Tkprd>Z#-8>32o>uY{+Dy93k!P zXoz1gI6X4O`kh|Gc2ycO-=c`vzSlq-naT8Ghlb@{>K*bhyUei0GiAeFCu}$udhV(B zSFbSP=P0%@Bj)Vsk*Tu>*tiNecoW(#zf6xzsqZ-|(9JM4H)A56CBGBF{l@a5a(<Lg z_vJKP0f_qfo#cK4Z5-(5moqZ&70NM*=?Ze5!Li(c<B>29m=(A@-WT{LEbLbtuO3an z<rz6*Gp|tOgM`EYjsa(*;os<fTc$cDMTTSZgv5*n28WA&AWUx?-7*pm=a%ZnuHi~~ ze$r1Bc03hum^K5IqKi|R>;*Kw+Hr6;C==bc<VD-!BP+K}$v1co%H^17x9eEbJs;(A zv!ua(xZJPTW=VtJY`GL!G6N^*gGVUwd5aJ9?<EZy87x%~JQAko23_b^o0yMV@~Eev z1<msG&&?Q=OURG$9i_c1zoJyldb1)jGVN##@^3)uj8dlgVD_wO8znRt9=i>10+x9@ zV%K$xgdzicokmHv&=cia*aQN6h%XKX>T_$oJ{UNVSK)H6m)`)u%`(^qQ$4JV%u0Cs zQSxSAC6o3t_aj16Eq9lvas?vsJjeT^-Vxc?({yEFSMRbH9mej+NnUg~;#8^hv^Z5_ zJ(Btc@jP{Cw#Xc@N@yN?Hmh65CR6Z=JW||_MzLuNsm1cY$du#=%{$&K@n(eUMkqo( zTlwVw&>?l>mZz3s#Auujxp4<Fp0S*&Bv4HvrPKmi(c<D(0bB%7<eI@W)o*#aiviAu zjl6Qi(cYzN8b~~OzwYJ*LemI^&~p2l(pvJYE%SM%b|b#@ga%ZJix%_<uA@WJ)8yq2 zg^QmSaM{cUL#4W5Ava<czR;L~i3w{mTekwEW%^7FEiRT?>?8m~3#nK*drf)pc+1TZ z+ovHHLZOsNKY|oDTLlPSiTOrh6-l#b2jc6z9rAUv&X)qHBt#g>8CV~Hlmx<4$UC}E z{2Z6?R=GhICZC?EVOpE1<AoX6RE!8}D#O=?c(J~)5O1m(NMV$K)l=Bg*SeSruGqCX z%%a4YN&xCA^rU@HCy2K?8zE<e+l#t-3WZQmeEnsnMzBG=C5x0Dqmf>K;}9(w7TMIB zC_stbf(ZVd=c@`uFq`(3qMkzPM;exB1;8hDcZS)snR(CjiI8P)p&l>BG;T%=o~Wo5 z)1=T$sVHPQ)fwi@VxL=Cgf^VP6ROT&!|+fJ$)9k=%l<Q%IA-AL-HTE73^9IWk=*pz za0d0UA5e4#$J_7;WpeaU_6#7@Bg~ohlp5j#gFl0-#P+kY>;fZg9(x8c*k9QVX=M9m zosFOyOc!lOG1@~6K>BucAgl6nKp_G6ftKdQA|};RkOO!-Is^U<-wF{(`0zumCFHRk zNy&s?Ksf9}QdAM)t}v_sT>b*?R21O{!9i5gBh+<lO8A!~&0+c2Z>1D86-TZ%o{D>4 
zzw$k5!vjiVaqneKLty0iAkokvRMt6J=a8dCl*p~!*WDT0aRXWlzlcw>gt*u;=SbMC zQD1NPwY_?o>Bh=S1Fo2E=5A<4{w$awi-O$vD?^UztRzNS&NfV;lcOx97V}qpM|UjB zCWUiF{(nvW+a><(-Wpa=CpN1PFQr!Aw<w#JrNWw-C5^Sfn<b41o>&x_fvr%POMYr< zq*SbLRX8SKoA?N$n{JI+&8R^Wj!k>JbT9N~H$?S2Qsu5X8@pK>L}6O3e3bvs-n(wM zaU+Yu`K_lw7|mGHh|P;`wz8e`$&&17#+I~2Ihm}P9IM$4k{vZ0J&kTjOya%vgPikn z`$@iq!o6>7QnDP+5!afDOag^Mp-`wQR29m)FvKhLy+szhdQjdxryA)|3sfoj=iIq3 zKJ{uXw`SIhO}a`Qte>x?prHR+`(N-Z?|05$*8k}=(;XYCm<BdH@KHZG%WG3Y)klLY ziZH@9qp0ODQ0-hWDQdOQ?<k0Tb^vr4LWNm4C<m1hpj{|2-DX6S@@s_Fif1Xv81xc7 zd$w-q=oF`@sx4Zj-ULsvtv2)P3azRNM^oTQOI9>74gd(u2&I{B1!fqsUW$4JK^svu z0F=EXJ0=(uC-lFqr)&P#D(a|rmA*9y#m>Q)ps!!DwJ<58;jG>Ce!uCjch;PZb!0(x z<DkP`6deH5S?zUJ`)HV8_c~9tCe=uV_QrH*P!B+L>lzA>AbH2YvqW`9FS^|_i%RIv z2nm}m-^L^4I=~+w@)x21+W6lcX9IOgZ8MXJOLq`w9buwDt@(S{aydKBK&ey!$@0FG zhGaAfiR&ACNNV}1rUv?Z8@#;jGx1Pd`;|*^`+X8t?T!6T2Q)$(k$eutgATR7Dx_UZ zk~F_2`7vHg7;PXKD(_noFg+I>NQMej>#_QtY0%b(gR$v24}sT&eYMJ)xxSyb7rxce zq<XuUd)C-GS^{uQI7<TbUpc|SHvOt47)p1-qi%y-C0w>6Oq5r9-x|o8Cr-%*{v#o- z(f*k8)Z}ZUi+GD^5CzxS5S!I)2|6V{X5cqrL*Bysd>O^atY;2Tc<sc(*II1kLMP@G zS?8`v6P{6=`>A^R{i>%66h$~WVs>@lp&&-gFvcQI#e{ltZoWF4@C)qpmLONXD=qxe z`{;lE`~QfN`v3Fa|5w-SgiE9U`S1VpmUwRXKmYxIdEl+&=F7w#jRH?zDF^_JSD9R^ zsso%aj16Dr3u6lyv>A}??X40h>|66Pe1V&9guX#X$LANvhX<F(NBg<p30Xil!BcX> zuSQ%n%F+x11mHcH6<$==HYCKvzCn2lL;aBNLFL?veW;q?Q<3UFMv>}X{}HAk7JD#w ztL~pCu71E=UgK+NEFa-dL-TgISYcm0CeCZ(9;#=*M<fwak8zQD_Et66ujyx+DHGQQ zaA3QQ6s$$6a06bs`rFod^>1B(o7c?Vc@s!%fE-UDjemrY#)Sg?`a9ji{c*2Bs9#Ap z86mh-+}JnYAoW<8<z=KRqMA0N=B*o~?GZ`Z{t(2VzJ7POb|+p|fN<mMAYNe|UXw(E zmX9kip<&%&Lr$v^{K?-o8~o>6<l`7eJ{(yz8}euESMp(5;~<@6Lx{;51}WpW4m6~l zVMvA@{^Yv)Nxz)dxi~&JdUxzh{T1Wwx01+_CF3)SBl5Gr9kUa|*>SpU9}fdJYWKSB zq`$*tVBuM}{4+?p#kqXinLpQBe0Q$8>+xO6$m)aJo@<XFGY+^u$(XnGY~vXhu=(7K zR&R$t_gWCxMM)_nRTo5+WybKx&7JM7KEyk)B@%Bx<rx^{p~<d5#2iZ_L__xm-w(t> zdv~YTUuN%C#rCdnfyf`Jk@Cyf2@tIqP=0!&wc>k-{0+$UO$JB=z{xuIGJp#CICX=N z@^{-wf<o-xV1%b}I)lT|toaW|6|)`jbclT)`^d-1aJFJbV}TX9qMi%1UT%?(t7l2L 
zDF%XzL<p{B7BCFE!ry4L-+Y0v;xM?z=9HN>%cJi^I49G9galIZe#imIfZI)&Ksvz` z3n8<@-&O>D!+0894-WZ+DyGng<)-3sBx6W_XrzZw7)->D+arpunyVxVzy;!+$Hb@Y zT$Z1HmcQi>+pLrL)<S&|7_y`IMUs9YG?I{UD?Cgv#BN#)^;!{{stgl@7$s<Ghb{$N z<eN+faX#oIMJ}b;6jQw<F8r3dbRvy&?DJQdq>1B;G?sAYtjG~9X)YDSf>>?K=6PAK zWqC`8dmOqn4Lrvq9oB(%WLGXLZ)Aqfp7X-#i=Z!t^m}-SRQ_v!r@OrkQDS8l)*beA zj*EDdU3!Pwh)#@uv_0b=zZ>qZZ@%tilpT6e2S+z($mrI_MguQPLey?Eiv{)idrsHs zI=%g!?(S}dC9_py{?u7BdDCa7(j<G7c`IH_F-;N4(l|>WXU68)@(t%NdA5jG%Jm`9 z1qDxhZJsUP@WYy)EzP^F=!yTNUn&vLn>!-<Fo;G(nZoc|WaZPLbx{l*V>iv&YzX}; z!x?sHOh~wo{%gftAt#99Oui`B79L9;5?ZcoKqe){A21p1qt)LI-<}PQ_hHjZpDLS} z@rEpFFEzgnM`JMxaOfK#rH+GIzl@T!WjN%=AH)N^g;Z|NgvOimTt;X#<@1E*YrKj| zhJ-;MKem1bP2wO7$t`!a`ab)gObXOb2^tZzLdS2n+sLKxxLfQd@WA2_r?(hKXqts- z5Qo_A1bKfE60U?z1c42xU8b0Gvppo^wi~(OEDb!`juSG)=>%uCqHgjEKSCiZV@1!x z2<-iR<*TR9m;Eu<`xh^fwwrl7B8vdg>3Z@xV#%(#6K;cDvo(?d`9`lUlj|_IkT} z+h6szyS?51c7Lne`>NaT?e@05Lfua_Y4elO)J?wX-g~V4<i3#4A&JI`n`R-m#T>}- z0iExcjHV*>0Q)lgNwdY*D>XsgT$qS*v7#MQ7uO<^)_2gp(si^}Q3*>!Z@s?fr?n0N z*ee@NKj_DUi_??SH>h!sjg<{XR9n^NQ($^M<e8-be;rTeZYt#+%Zss!4+CCGnwR&b zi~#=0K7uSVj}>wVvAUy#YBc0FLNc?;=Qhv+z*iBz15@|i!Qk@v;=|vLe|ovPMq(UM z8lr@;V|#+{&{ltaam-f{_9g_a{-%L{T!IMYz(3iC0Y4Y1*M_rPv0_U21*}<&r<}X2 zi9dTB%nw4iiA#eU9L{*9qxxh-@memMna535K7ls-27c7Q>t?HE(#zG~2FHgN$Cn>Y z58fS%iO<FS6Mj~VP#QC%q((OXLW0Pa%oSo*Hf$Zw`LsTd3}yJ;UxF58sF?T5dDCvp zxS#Cvcrx^_XD6o*CqZ*ER04k(3Hk?@p_03dX+L{3%s=6$N)q)P^hP+N&CUD%;w>7^ zRE-PnvlWgf%I{%wGEBxi+X3G5Vxwh<Aw<SNIGJPg)Io?VW+<f<KrN%XS{1>bkVD6T zh|O|(c69vV{OscL<?5QuT_58VwcG0LesFzU@R$|nRDJvLBWe@$3nfwPrjwVg-y9la z&w<D8|Iz)~i3BbmThiA7*^26wTq{J5qiF}qt>@7^InN;pbq1C~HAwLku;i&njw|o8 z*mvR|A6py)w(-T1tO`8#R~6klE7i+kM!B`noHb!!_<PhRDVn-7l)BeUTNvS6RVzbY zd|KgiC+8vuTg7ZS+9M>(Al$mCsIMWCtwdmtz{2G3XC{g1jn|OCw~MXrGh=lJ#}_}G z9F{C_<Ixuy+G2)hzeyf2<KpDbWb6>cAD<ODLE~J<0V3Y*<h=QgJU=@EjV(utnD|Xu zJwz>!Ok)z^D1BMTC5d<`(pKe`kQEi6WyvPcmjDIW`PeiuGdT}7zqW`(ZZ?-yNsVGo zOvzY9gvv5|asqXw??CK^CGvwvyc?g8TgpRTk3@)wQD8iGDFu#LxUoa7KMf#EL|wqC 
zznH>Xsqc!4N6s(PJM-}P>$|_(S7Q58AC5?h*5*naD`?r^Jn$&U%TzZ4jg&_eAvPog z!h-EWrg4_a(x<<8B%&k~6<m$tPOW+4y|nTB`s=S5G3Fe<Qbe7c@2`A%f$;#Mf^pP4 zH@4)fER|t?cXH173^FLW<9>x^K0$PX+8%1bmiuRmS#ff*pma9G{GToK-FF7?*2>D3 zgWkGX<mnaMUy*+`1zQ!pZgFnR<JL{x>LL7p3;BOPOmG<EggR*)E-=O%|L<;ZZzt#f z?eBDVp8UU$@%iny&IY;(ru!glMnQ-{rc4=Gyb0b%8y#S}&c@2|UCc~AC^f})p3ruH zW1JPyt}P-Pa~cEidRw;usqY*@SBNK6M~pkgGDQjfj?yHHJhZz7e+JV*HW~$YsMXfM zWLjc5jyyI~ipx1js-wIis`}`EAna8QEIBNb6EpO$%ngH4fPLh~G0e+Z`4MyI&^~2j zuyvqlh&?x>7*R5{iXj4;{Js>z)8Q6d79I>JS`)#`N2deU7QARN_SWanObaqOqg5Db z|7G)4mObMnh|&>i{fV~!L|gV5Bfx$Fl8RDODM>yHbx%ezb%6s>Y6p+Ig71P{oH<+* zvv~+?Ygb6muVk?*R3@X3w59<O*=><Njh0L%cjwqZ!VE~%viN8bK3IY$xYYPVZM3}2 z^}yS$a>tbjyQMc_{^XE4o2WL-NR&}rPY2QGK-VlT<z~B?BVreMLq)2!d6|XlRq%wp zmuFrDxh4K+H3Be?Q4LYR4mVkS$E8-<32y~u^ycsqv}{$%U6X<M-?EC{?;tIiw%__o z3$;G9mf(dqvQ*+=@YX7YS&#D=M^N378m#YzzyOr7KcqCS8FO*iT*_BiuWr$dS<eG; z=#94=Acd#rG7QH!Iy|uJq<d})ZSC$DEpd{Hw!G^6A^T#jJOx%75bG!kLW3F%A{&!I z6-8GdlnkId0P%M;+}*~JheQ*&7f?<9hG$lb;vx<pNf)h6(lq7|!mXpB%b1ZwvNY!9 z+kp%d>xhgLf6m?(slR2X6ED|b)+}|bYOO_PZlM-nHusnj4V#=C7nqXp1|xYj1`$&A zlM+o!XEhGV&<)i^TmE>h_*r_y>hA37PU-@@xzp7F7Y!z?8rMx(L#&u|u|eImtHIT` zYP{0=3V4Av*PR-yzA-{QACxp~z!5dzo3%ENxhAD+7UZnO2wc*w5x31Ja$VC#9N3W1 zbH{mbQbTP0c@~BPkxS8l&iOudL@vPp_;Drw9e1(X_jNVh5o(JNW_fRyzhum<$g(&r zH~3tV^9-PqC`b=gt=w0597IiMU)i~C5voV5;P?3*>bSo7aEtX?j<m~Cby0#YLd&Je zxG)75CLYgFUVv(%!+df{$hCCJH=0kNDzNigE=Ce~9&TZ}@Lo-cBgSYzp<K(RWU3gT zVe_U06X|Em?7>3U`J^k3R!hI?=JSa-f2c+J)R8mIl1PTE#n`IeAZ&VGwH_|u<{8Q9 z32S>2jmWDR;Axo4J^|Y@h<tp994Pz8e}Hc;pxSEWVY5w7wUMdUr^4ODTQHb{9tAKh zK)Z!nva5lLPVQR@p6qNuOx>~R1p`3bd2yg$0a#mLl++!!*3s`MC4)2xqOr-G1^~fv zxl)*J<d-yZgy+WM9kfOgh;%PtVx}ssmp9>+IM&g+IX=+hW#jR4Q$!`@9xJEK6{ica z!1;=i+QjbsiS9E)doF}LXTV%6wCp;dl>=G)Iv=XJKg|*D1^qrd-;HDG=&RrJZXC;X zHMRp68T&60jl&>Ct^F2SEB9fQ%8WH|r#U$uG`GWgVe9cRoe#ZI7fUHoKKJG4(`T{! 
zf1L!_R;h@P9#}s{{r!Kp+uQ2p?*DgsJKd-I|Ht^`;--pOo?HV!X&lzJDmWrO_r#t) zjXn$R|7j4lhlHdwP29NcCD?Bu0OsufUayzW|J><sJ>`Es%I7yD<dJEuW!4QWyCagS zsvG!j>i!MS)=_<M0dFiLH(6u;HW+ukt+;WZUfR9sSx=EEZ(Nh0x;&feC&qX|qByPr zl`Fvxo1&(<xKLH?CpZaGcPw0o@@{Y-uDeAe5%#fPh^J%?<doGU9GC<&UekKj|Mw^Q z67Fm(>70p5Ry9q6xWPKDm);24e|~OWe)=r_Sxo*Ljrmn<+jzONa*TQU-|lW+{_l48 zwx8txV|?b{v$LI@6UvsrUS2|5Ec9i`XI@R_EO!5u;S~xN@sXf`{iJQ|rryMv@v=Wc zk6ug3Pwq6VBl<dW^aCB+pHR*&z5j<n<R&wCcfZY5gGwPVZ~yQ0wsQM_uixE!+W(L7 zG4#KArI@&r`;}hzzfZ+|=_gd;^k`p}fUsqPF%9PqWI?-NR98@aXwmz@#lq72pUbzY z8_zcY=br!FeE!GIPOta0{~zO1oj2#n^5C>m15g#j@3F%*A1$=OOCHM7o7@ax{rIu1 zzmXR~4{WE^Y-NLr#@6i%ubOa{ea7`)e*eR1Addce88FZP)9vl%_5ZEyC;#uGd}<su z;!;~jL>1$vYMZy)?T0rUR^^745%eWOqcuk@U@%&y$f)ih6a%A&OakY<R?8?Mv%!lp zX0;$>en<bxNLngvR&8lxw5+i{7-_Ddx{ok8z%6Gg4Rtq@pPL(>K9BubTK>yQ<PA=M zdGf#CFUbF$y{G)&NBI~5D|U58xxT{hPuK0AizV>aKb@mU@!A*Y$+u*+ucUOFmwhNu zJ4-|?5ij=6QDwR%TGbwS>(KbktYcIInBqi3hJqRo1=_sJ0r0v&$09>K-6VX5&(iW= zz5|f7gJ?wVqyKkzw)zGAzxSm7KguU>$Um6p&gPFVOJ>U%=Xm@V%BUjW*|$u7)$$}7 z5su2|UfE`!rT2drcsQbSeg9uI@&EPm@n5_B-6#F;Q9gxJ-P~DXjpctu)!0vC(~B{d z5EQEm3X0WIK~Xf#=bPkJ>Rpb8B7>|<0n$3pXIlTI_y05)^Rj7e>Lo#3X8_Li{}t*# z?RB@G;=dl{Q{(?rD{NNH`(*b31%CQ6RR%r{?9hqyzr7AZOr1A4MXeG0v!k1|a+i6s zdqAS^aX3AZiuD{&`Q|lX2fWtaT<pxId2pXyW<7l#?z6P~k8pZRlIs{AA-`ArS8sc( z;Q#CIJ;i@K%BOgzV=Zi6<clAJXzW}+r%pgR>JT{PKk--TALeq$X0pdr4eOP@M#>{X zD>TNQsw(Tm#Fy`)av;VRaEENQ_#KHTF}tqPKciOhGKc4^6=0&@ET<a#k<syT7Go;C zkPI<VuT2&`IN|>+^Z&8d*lK)S(zX<?_y?b;{H4hx`_?U$0p3Ie8^G~BV7J?C^Fr)% z@6J#ESz7+bNkEbyowdEtrT4o3@9y*q_W#!QQ~d9vd}{Q6xx(<ux-6lWI}fNg!G0E& zod@S;_ww^#i9&qU2+Du}C_qsCcBa(_+OkeO8CjGgmygx@n42On)0SC2TS7s={H-te z>SF2rpO6qY$o>4PiT|&l|7~w=J^BA1<&)e0$<XyGwmSUeX6b|^!LQsekl*qbB*fNE ze>4N$2+OJ1_)(Sawv@TQpm$>>$wJK4lU(dSP!;wPG<o!U(0lFwVG#LD^v@9k^X$J~ zx0{du-QC`O+W(L7dGP)Jiu1&i7$_41G#mbcy_D{+w2{0wG3x@)2Uu4Bm`fNE;tM=t zL^gymqj&HoAz56rfD2FK%T;%tKDp1*^1n&oxA@HW{}tqa_euYIoX;l-*!!}sZYm@6 zf)OIgoJzu#Ws6Op8B|x82g)b}JHIBaDEOt{vxTXZn$bo*=JGq}5<g$w=~scftR!7g 
zu(~M;ibaR#RX!HeXW!RPURB>-bn2gbUq0679`c{RsdIn%ztt<m|Lk;oPx}9(d@AHW ztnHU^06f0VUlI##Mf||bMTVa=_X}6@r8g!uPyM-3L{iY&#g&KgMVVt^9*oK~Vt#3b z5I+_xNSc3Yv%v(+_x%P?HSEHT##qdz>er@ItAt)TPXteA0*AKY&&tV~uVTu@OWkCQ z)APD+<~y0PTbz)TcqH6Mmxt%@4c}LjG>zK{$x?V1vmri)M|w%rDj?KiX~0=2Jko3} z4V~DJHP4wAv|o<Ytm`7=PQAEI>11w-gQZFsuQBFsM5`tl*UTbrh~_WTyIKv6svG3R zC9R#yI5(BCRxEz*gY4<E)aSnXpLo0LUiZIy+lBkz?e0_khe!GR*5uu^>Y#7Sd8yUK zf*{Soov+N8Ws=q*d#v&p|2Nh&mvsg=H)NOJ|EZheQ5MoU$shCff3Mr`_4D<gcJ}&D z@gI-!G556_$5dbD48#Htz7$X3V{gxU8-Yaw5Gt_BaZc#_c$~OCu1UI<h{{}C(c=QU zKKF_x_+MF&U>~*q8T~Wbke`1>C-2VBE-nvFFZa>=^EVd<N5^Pzd3Jt&e1uYh;soC? zJfV0*NGSdKpV0-r3GgjC{Qltd&GFl_H_p`OF96d0PG=mXlWgdCWZL;<l#sC$B*Tyl zJKP1?p((@Jk}W2%b@b2Zl%#kcT}}eZcqI%lMI;Jm=yrl5cp2YKFv@5UjnOcRd`1CH z6tq?((91N*FoP^!<cI!1BnAT><9Ed~8}ePvwf{i9o^!X3(utd*iA#+k_;UqL>W&c^ zp%=~_A_?ksox4pmb+0j^SprYe$1bJ(Rn9C)7$HkRu;r#WEnPi89Q`voyI2hQ?_P53 zH_<N{P3MAd71FuQR^_Qm%0(c~pVNAYU~Oyhq%Yk^y%mJA*mqMrNE0{3;~AF`-0yHf z!Z3)&@1a4#%$d5WH+gFamIXx%LJ0{Q<J{n&mQVzGhPY&((86?KTo)IGjRo8?q*zqa zHu9+5*Q@qC4@jwpKyXvN)I`PJHO;1-d?^#_I)PVPMyt-HppNs(rTE-UC#W^QAWDlD z@}v{Dzq3oTslBLTe51tQazj_t;%qcHozWCed6v;KWApxP24K#h%}UJ{5VWeqE{9{W zR&hO+7Vmtb3hBjpLUDav=DXP}D=YFZI76NTvU-hYn`o7X#qPf>pGw|#lR%(16rN&# za~QeuR)xXkNmA=bv}1PhT|m<y8e8$jdH}1jI+^YXw&dlZB?71G5d0*e(4{0VEPv68 zT*l<&uu_~%g9y0eP2zg^947(s2iPN#VCypMYkQe^+gH(rS34U#DGE@^NL+mC)Hq#s zD~VTo@sSS16V-<#O7UH4(%kw%A4*9U9nkl(JWm<eEbz^JH=-iEtD^Zh@N2eyU_BwZ zUqNU~)u?>Dv+>KK`bC*?Zm)Uy)LBP!)`ib&u1GN|?B-0VnqEE*af**#ox^)wX@Kcj zG)Ubf&0<Yb`D$#7w{H8xcC6aB)Vcw`*^YN>G2l@y<$6~=7>Du{yXwmwurFfO(ALAm zgFR*UYBn=Cs;#DXubWc?r*7nH=4F$AMkmkgFWO%2i)4!0qnk>xY%I-`2^l!*K7Q=r z)a&>|M-x+ny)oXfw9(;fVJZW>t<eY}HB9wINEKGCa<QP8Ai+~|gWDmYX?sMn$p81| zfZY1$R$r`rvc%#u0{#UExNujdb#<JOc-Qk7rV+b5G_z=N`(Wy2vuAg5oGO&$oG$tA z&92P^)_0b$z}|$Q)_H<s7aq-AMvQS<cXF@$w7#{a(zPEXs2$&91RJ0iqxRcmggWUo zu0Y`dXOkOyG9^CR?RG!O2%lU2=SC~tNtGkkEJw@gWIBoOEhWr-!9Fw_a(pTXP}^DA zM^!*`^D1_(u}>sfpLry<{0-0Yvgz48+4Su3j=|0_h&r`rp($3lP&p*=4Dktq4UbZ? 
z%yzNl$bF>9L&1^UeT`?dlO`EWv2Vi8UqS-~*ovIp;3NrrtgLhW-iYqa#M<bFOEor_ zfnW(F&B05}#8{pD42l~dkD0l&4?TF~+hcQ%x&Za_KHAoZgg#E#^1vF{ht&PGxo=l0 zm|%{3(AqK;PcALFeFV2Y*e)tLi}Q?8HGzBVwF;2mRy)b7mLS0trw4o;4*rH`w4Bi> zPT3Acyd^q3K&<V<P*EKpd1+!oPf6xY9u9N|=KaBQKiC5`rW<!-95P#V6nJimsgdDO z!ODz)ydUz6j>~Xz<-{IwN%DN2hSc$r^Z^&ia~Z&SV_xIg!;Tpz!Ht_@2Dk}lESEp? zFu5|7Qd16dFWwS#fzwI&G#{G3N{0A0KcjYpR)0IVxIB4%aCmuk@zaODo}HY2_}lSM zAJKOYJ9LMU?Vju2AbsrNQpGCQUk|qAIr*>)zS#P{I~ZIZUo5-A)`D_6%w19(-R%ES z_q8;U%65Q3O1P7Iosj9iZKVOszu}q4A2&ZL+N&<TP9v2I6yP7o(381(U*N7Oqps$^ zPf6br#HuN*lR@if{4k!+g*II2C9u8D^G&|e8#dLeY`Jt~!-JWc1-A{iH|Lw1wxg)b z*HUY$mRXurw~nPWsX*N@C`<7(ey_7P8>_@s)?ChWrd|ZDMZUtqDV<0~+fS#|=VyeI zl+K%w(2h$dAbz_y{A)a`gkK{$=C~d?RnFz^PtS?}14xg<&<&>c%R$ZiIrKV+xuYE` zciei()kVzP$Tta<6iS5*yU!)YAN2xaAk1xY%Z8o=l?oS+7uc^24?rYB=RX`)fta&Q zR+5;S>V(`zsC`lC9BPEuatN8ao<gcJ<iZNN=r+DnxEHOeE(0EDzU8}DLcVo_^fgJ2 zM8INYFiUl~xv}>cu=a=~ZGZU3-DdNyrOgeNMQISC$V2U4QTrD4%R*M$M$ox2M}uH8 zFIl8{qCfwc?^_uqipcf1$S1a*7-AfwzG?jUB*Nd8pR$$L$W5bmngr}D6|2)EOs6hm zy!7D#o9&+I=K_qLg$to7y?TsOV8N4UL|)ARg%(;11DYboYT2@4H6P+ayG9JTVMuPz zli(%@@faUd&kbE(e3aKCtz&PvZW_9cxx5ki;{-!^(;*+Q)bE=`k>Rw=_YkPI?CXlk z*OIG;W=7B4I}h=41e1g>TOAUoA{WKXIC0~c(W=~Mv1&jl_#lMWM4~811EuI9i}Ww8 zDtDxQ`N0~=_`bep{-K95DET&XA*y#CDxj&~AH>TOlCcSgaqPTtD|fLQ$BxK*;Z|`K zHkz%{V2VkW>d;d39r|u9#miigjXM(@PW8hjPDsY<sQ=xcd*7BhjSLmq(uZ@WakF<e z^`_?XaPYU2^AA5BoLqi*eRlET`0tm;7pDhrKODWvdnfi$D@`(`5m&{t8plZfAyEF3 zWZ_r+zNC%WUtfP1e1C9peDvYy;PT+r!QlAA`vJr5-SM)Xlbq}-N3h@{(Rqu8@G0%f zm9#21OCt!^cxD4AGuta^mq&Q1H&P3Ti+4Y(ZQhbE=JA4xCo8ll{8Fb)*0Rg_!C>&? z*~QVPVwYk}++r*v``?dk6qLnSrwQ^8#y)beTGZ;-Ifq+~VqJ!V{<Q*^IqW=Nwk0J? zq~7G6%c}1$-hMKnmV`^ov?RQzNK3*+C0aeU4=2!)8XsQH+New|#CK`p9!EDpLZT^- z(jVL;V2o>7Kc&Seo}+v*3bFFFPWG~=&g7@yxHDc0EA!jwpC4kF!b@V+L*|=4(D3@z zvD%?kv!X-vF>f&Nzvcpg3TdrqL|diq;amb~1&taY8;$t(I|>rZu~IhD(Dkmf_<mz? 
z81`soQE+m6Ge`B#x=yf|!5H#`zK1tDJ9iaqnQPPh5GcAcelWIgxtGLh(ac9;cHwz^ zrP<5Bl|G2hfAeygT63L|d2i#BTV#$~gyIynv1y?OBlHi{_L0SzaAJJ$NHjt}qd)(- zq=n*L^z*kUo#3d%g)alXbX$Hu#Vb2h4VaROky@qE{x?;CIu&3#CYVuB6Q^tOxO@V1 zUUXZ2vb5kWffNOe&PEeFOWi>==rTj-Jj}*HWaNfcp&UcQ3PjoI#T#@ss&N${8lh}I z$7d5co}ER<H#nIU(hg<sRZ(b=9b5Y^5hRa~Q0q^$^C#LutIf|mhXX1ZfoWw&K?3zS zW^9lIkMZ5>Ao5Ym+32(^9PCSI!)=rUW4rexd6^{P&VJ$ESzrPmKSC(Dn#O(j<<UK% zOZh+X9rjQMM`<#PNf4!ND==VUY08z_Ftf38a~1it>=Onf?9IFon-W@eu?-!DPCnkH z<OUQ~ifZ+neIbfUE=8-?AwQk6g|L@HKLc4o=_jw=lUGj@`pK*J<kfrf>OFb&p1gYh z=3YHjFJ5wtvd0&$18<UUlBV&}Kr1S^=i#?y`zp?~qPmSr=jBqp8IBg5xB@#}<Gf<M z>uc=fYs@c(VO8DuJc2Z*JU4LnE^B-$f0@c27q;VK9y8IYW2%JJhGip+%GKi%XRa`Z zt@gF5X^xzq#g)5|Q=_;@^&!i8UFNCiPafreGmml@csNq0Zfz6s-(1Ll8M#Hv#ipDa zvenG<k;C7Px0+KkLiSxMk)fU{W^BLRsm@7KBW!|*rfwMGq#Z;fvKVDqkB$w%`Gu0G zl&ebGHDaVc)YXKXRc+X=InbP#-5Lf=u<HjArt~}^!$P$-j)d95RLhy_^9JYKQgI#2 z=0=MPE=&Y(-q$5<@!xs<z$}i7PJr51aH`djAPUmJ4Ucf>&gNBA%uS=Ds|`DDRHrdd zoU$^F{A0)2H3e9R&NCp6+#t*nd^t%losiIP3Nzm?FGL`JW?`uLe)H|qauIifYdPC$ za6iVj$NEzF+MdM&v2~6#_vUIF-h(i;4f26_+6KBHORs8`x}s2U)vZh;izFoDvB*E* z&CQ!`^gGm%cRh?+A6lr@ZkgXW{F?{4_FhFTj){Hay?EV2Izb%~2h&O2AZ&+ZEMl8i z^Kr#|j%Ky02TR&rElrJ*fFxpLoQR;EazJG>DN}XIelFD*N^kW93tY_C97^2Vr5co* zx?vExZ}Yr0=hn5V+y6r>*-6RNbJHizEaQm9Ika9y7zH67VmGZ$e=-ERYFrWP(<*Dr zBXJTO6B>xy_x<X2@@<i(wLNp)%L9JgWNa}^tBqUMKaZ_{GKI%_(?$RKFo~U#v=aGR zk4`6}Nrz6{1b1Y6^@o*L&W)3^D4gvhhIJV)mUeucQnaY3V;0Rgg`d^3D)%yPjMc!i zn^ps?F)<BTb8<qPSEes-S-E|iSnY$r$DW(a%e^c%Yi7R}`sI!Is`~Y{7bp?&@jyJg zqi1h^yFceGmPJN$M<b@r8!|$E^N^#YB*aPn@e1S11;>)Yq!5o;<(uSQwEbqTH*@du zg?^>M{(TyjRVbmV8bu?&cvG-te%QibjV=HU%9MNR?w1%`9d)jp`6l%jySyv{FYv=0 zcj5yeQ3`pv+ot(<O?Voo0Lnl$zq6wt*+;)MQ<fWyR(_9E+!=Z9%J*rkS5;LlDSHHB zZaYyOh!-{~%&q3Q)>TQ2(hcT(J@!T8om+v(BJQV(>#ez$TlGx5z(@kwrZ*|V{#wdL zt1%!RU{7+u_gR7xlucgZ?WS)0pz^E$^>OdEn%rzHbYRxrRn0#b>$>0jwrYu^vUtn4 zNHo-EeNAFc3H-`c{S>wB8?3wq{!=MFmCpe*UezUo1LlSXEO<0E4)kirH(m`6xuAhh zfdwDJz@v(^RTau=9*Syo>MI4x<euPH{5F^d)t4pasH}CP4KD#bTrI_#N{VyUHT9sK 
z&OmAZiME<NaM#k~wbmDyR&yn&t{P!|EyDR~Y7@3BgWVA6W(5dq%LC4x!%{<9_}8gC zxmspsp};yvXG0hTKj;JK-OYxpBfxx@Zk6A088y$~v?ACg+*f?Qwecp4g_<;UP(6ff z{)F<lX(Y1I+nN_BI}&l8A7oi|;(q5wbDMku7W_@^!aLKor;&bYRdXjzN#c&NdWy6l zeAe*4;O45((ztud|Fn-<)!}<3jUmUch)DB@Q7)$55g*fi^bZbDf5$+fpG8x{nJia7 z!T-uIwQD>IbT~g$F8DIiE>{^9x>qga{VPm1dR}*45!S{$a(~zl%vBFE*$O_a<-!%! zqvl$<9uotceIY7to9!s(0yfJq`V!<S+ZtazeZHKJd0717B^__#CMmTlCQ2QH*1r2* zGe)=D?e1=G!+*QoZvMaB-QC_-z3pyqx4+%r>h`|s_IGx7dS9XLV-O&tshfP&z4uu8 z$$cT85*4eFq2<QG4?HYjAKmm;u7k+mNBrj%^E6w`A!!+!p*zH(kXCLSH_~^ZG4OCr zbNJn8Kfy_mDk&&)7YDq8uWXd?uS@eASJGLG_t9DG{wu>PG);nNd?W~9l+fQtzpvD! z{2Layp&4)Iw2cQ||AqE{&X}0G@w}}MpSk;gyPw<t+dDg3Py7EdJ`L>DcDr4^-4CT{ zy2y^NwM`#j%R7hcPnCJBzxhE$F*VrqIsK}7^BWB%0nB)wk}a=(mVf+Iv*FtxKYrTv zUugda(Kx}BHrn*YXU_iL-RtM~e}AX9`?UWb<CEL}a)ssgZwp>r74__a=l5Th2d$ci zdA=ir{Z|Bv<2xfYKy@@)44T8p=R+%SVrFsz$~`@QD(eO6fQjAKu__c#Z*X!*rm>q~ z)cWq_P0#6VJKc7-g`7h-c85V2qyeVR-?AYVg2;Ijq=rl~C2WM#TasJ{(b&0uPMv^s zZhAwUy1f<C^fi01=|}8OYB%LN0~gmP9Q$%%ZP5p$-lM5swVG8U{j7qC`3!_(vf{_z zWwh7tC{2RtARCQ>JJkAT)G`EeTTA5X(cCB^sTo>ke6e4Kf!U!N4OET?8$x<_Di9JZ z{>t^Papc<`(jotnudcDTIWL%-U3!xA7PQ*vbRNqEkz^qc*eu0tLZ}Q3(ms+^_N}?S zOIo)P`v*q=n&-~xNt!A@dF-YWE528yN3G^ZNJy6Aq*$)ZqLOl%G@w?lZ4K4tBWG-# z$H1^c>{?6Qwl$QMlAue4z3&H%#oh2CvukfSX333yfrqO3It>Lkq+!KtF}j_tRTXDY znR6P4f#;?q$t%Kemgt{P7CKc7u;m9#MdQM`qiFMZCy(uRopbhBE7|1qDW_=pIn<hS z5b1Ig;v}l>AdVv4!#s;tD>ePXp|o0WKs4jDg%6Si;50v9tfl+nPMA3)X?E~52l4>t zQAdx^`J6{j?vb28;T4cb{ms)|Iy6nNI}M`o<04#t{50o+c?U>??(@!-iZe#OmIZ+H zky7z{&896GM*h8+{kM?)FXCqx^Zw1X|NDF0y}bXgzx(9>dz8<EhFm|Km#`|n`U|=f zkTW$>P5067(C?eCq1Y{*tiV6tp1t{SbaL@>wWt1hdhqV}<!T@PeSUKEk~jPY{pbcM z8j%ErWQ_bEK`CK$z%CCyznugjM*l!xqqdJ$e-nT|qMwbo2Kg(4d?=qpn1lAr_8P78 zi{sZPe}B2U2DNp03x?ZA^gE*1N6%=7G0AGDGk&%%k%UUn=>!9kDFF&7h_6rH9=}{& z3n^;%Qsi_vOg_%X4F(MLzw7w;rW0i$6MYlx`l#JoFOWcvz>Xwq_U&I$i-To@eQZ@u z|GpU6B;@6X-wKS7fdL9A<VDWDZpm4^!6^zN;$swL)1k;6I5|B#I{t8SB(Mog7;64} zm`gVZgJ^8F;2JC=Hfq1NhX1qTqt&k^n74$)jEwjO0~b*YvF$F3@GX$_)}_cxu$yAv 
zpl+IE*r4V&=x~C)>*7=pIz9gJLxTx17$+kO0Nbq582g(jodgt3u^Ul^Qo?jv>_hNW zgs~5}r*4u8)D^Rd(*3Q~-y{|vTj=YT><be$&K_2U{_7wNQTqj2{q6kZ=%cy#s)?Fd z0osac^9>r5<5jmv#zOIbjDpI2`w+K+3!VSbIEe1r`Mi|5TEM*fzrEg8{{DY^>*@ag zQ9i#_)Gvpn7W$~+Q&)%idak8m`+YJkpq%}_OsycF1XglU$O-G(#IFerSZe*3*#Djm z1aI@e@i`J;?*8u<;(zw~Py7E-KK1)Q4UJI${Fa}jX-wyCd=V4GBV?|#Ax<KkVsI^{ zVTC(z0cl_`<CiE1e*3M;S3JfMPut)gV%t;xaPdIP?EfZbzWJFO|FhH0?f<P_cl&Ao zKgOrY`Tqwv^uOGLUJ$bGh@ZMaH0NypWI@$S?0+A}A(>5aH1FJ(pZfjZ+uJI{|7>q< zKl%S2<&$$z+xz<SME{tg#EoOxQS!v_lygMc*KBtz5`PFCZ6WhzNfyMb{lz50QCdP2 znE+I}v{p<^?%u;{Q7MV|onSE|-B^*<Aazqb%EAFoMIL(oCTM}hDb@yxaOtQ=E}oJ| zk16hMXbFwPPlqIn(n2~HRpqT1si$u0P2L*pu^@vqSj}eZiPU%kv0T!abxkaNN!|o| z*EE|Nx|>yXlBZ{*RY#^4I<H)cA<(3i*Y{dHWs^?a{?0DVrsfS^Zk)W4zUY{xKBnsN zLu+{!UZBNyaq~6fpGLdB5wDnOoMKZQcpl^9IeV+v*qBf88b}p*ly#hP$-jl)<@PK) z8}f}?O^VYMu5~$S<0K$Z?y;DVSoo=AWs2QPUj(u62%;c8tbBX7MRA(Nxzd<+2BHN3 z3cEHgrpd9ctE5@^?rq~&Z<8r%C!?DZVpTn?84{ZQWkj;bH=j{7pZ9DGXl%TST2-2} z{IQoh(1k@sDy^1F7%MNlvV^EnK(sJ$7FdP1NAyiXvbdz-I9T)z=W-!(uh*LaWb=2M zmtZ?!GU)fr{;oaFec{7FjmT*9t^OtVy4E-7==l8N`0(KJ<m?oko?RaAqss|KBNB$> zHi*V3peQAX8BdI$h-NXoF*PCyf1{0}IKimrY&kt<-x`o_gD^xxjJy!L5%y6QqaZ>q zVnQ=PqTH=&Un+$rX=**bTiIyQ=c$aI3q2fG5L#Bio<YvzqXqCVQTRSL<@xW6)xYCq zcoCbmTAq}&5iRK>6O&dVvJ5$`vwrbs(Kw2q@If>!=q#6x{Fv31aq4kBu%o>vMpIQe zx#U-SjFP*elJQ#2k1Nnc{Z8>Qtdc_oRlZWT;K9{sM;LE3tFlcrH2vdMFUU2YJ*CD& zS$f%xp=*mZOVevkrRLJ<e)?B{O2;XCCuJc~kILRfX(Z$IgDl@)UY-{)C>Euw9jHzM z+9M5$L*?HYpZ8)*DJk#qSWEfREcH%HDX68NXeotukJnjB;Z;A(()^VD)GrN{jq<d2 zmft%M_Rdl1!rWu$JkZ-lWx(#eZ<@Ymw9t!2^+%%7-LCW_F#6J-jIpBB@=tU;YrnP} z3S|$)(9VKS#57Wz${&ZRf3U?`fyJI^DP*$=d;F6>h#*3KKG{<UBC6w&9ziJ4^Gm83 zmL3VYi{~;kq_F*K`jiX(dt5|Uh>?cYM}Z18G$;$cTYwz(-5-uF6?2_KA#2;0dwc6@ zJT6__vjnzPPXBkE$yq9E3-?s(^)#(`Mq$3QyTb1=*TS<)yq1EtV!Lu@ZFxD^+J5D% zv`lf_vcRrNiWSQ-e(oFfFYB{J{6~D_Emi?$PW)GIr;z{E-+QY6_Bfy4igov^1@BsU zn8><uHD3}$Rw-toACK%Pt*x97D*J+>Jnmo9MBeij%8It@4>F_ht>sG06$H%}11&2A zS_BUDJ`J#QkL<GIu@z-w=XVx|Y-wd!`}nD^2ipkERzB{e_Rr6~jhFr`A^$}nLGv?U 
zj{M)=?G@sGcYAwJ^8YbDbL0Oig8G34z9fm<G+O8W@p+{rm78X6agWkFld|4(0`w5# zDHp{nJ^>3}iqYs6BKfR#t+&MWU%8<hc{mYXDf^*iyHjX1KRFjw8tgA?P|Nj}qgB>> zuzSmZ(#ymhjRMb%Tqymi29X+2)ki`jq72|LzHp<ltnXd*>wK=Lgj>lXMzqC4##wYl zoJI2pi#f3s4X+E@wbukzfU(%Xshf;(x@ho4oRE}wB-}@rhx}H-3dHy=|0Y01yg((o zCZ=YzMJ={fAsUM!TNjy83=b@GPn2^fr6C!O7>_nsELyr+wYw@0f7!*&J22)#v9E>7 zeWP`YKtBb`(4}~WE{$)~0F=rJK+8pUXjPa>75X}4r6$mOG4-RNIx$yM_{;`G1O4Bb z;BXp@Ba-0d#+aA?x6{w(|97{#J5T!mV|>0r=Wfb25*+e;mC@}4M`)M@q0i3$*!8a6 zF{aMSH|TN_P^ke>L?<{5(KsYSo+S}P<4wl#ZW`QR2of;9XR5(BD8ggVU(s5e;8Adg zeSSmr^}2)3qHu;t1U(r_D8>m2g9tk-&e7n*0N#xL1|5>=ltk!<!vXSxgswQ_Anm~a zbM#l7;jc*t{$GAE8F$$K$$!$DsG|Y#Hv*w(3tic8=xw~R;SAmDl?^AI#w#2Dwek)6 z!A$~^QFL;2Ojn#ZA-`ZRU2y^*yB*#xA-}Ag{djtOG5Fj|y3nV={y+Tw;PlP$+p{;$ z)L&|h`u)Gx-`(BK@Bi-8{(qd$H|Vdg6Ea4|Jt2a6`RxCrF%HRi<sb}2NgfaqP?QJw zM5*~c@v<q7QtUG|9~!Xj<gBcG^9}k(ujlMJ+drc=`l}nE?)E0?cl+Iy4fGoJ|2Xh1 zqk@X$F^W^8{}$_iggvy?Q~eKoe@=gBgD6f1c7#6~g)Y>la+#HrkN-!*ka*YZ=OIQ3 zo{}5vqftVpX4#GkJo^&Q{tJcY#>UB%q31^F{>BEn5D>4V+Azgw5_t3q-0<q#QJCQ< z^{>#{YyKDfe4dagPA52{h-pCLL3+9_r)m%asy8tSu8Z&*6&SQf7`4$q5<J2Qn&1Tg zyavkNey1}I(n&USJTmS4GD^s}6OwV;jofgS1|Dt43X{$-B*V_sr72FVM}oM02%bWQ z;QQEz+D#_230sg6d(Y|hogIUgJw;2s=1pL188EsMM(_DTF#3wWuF4c#665F{UpA@e zUa3)cHRioMxAMFHEMZ+VXpvMUkg$fjVq3}}q%n$~TQ@g16cd_`6HNaVqSPImv%6wM zcDijJ4+A%9_qy$*zjLK_<5ktWhhsv<As%o~xq~A=CP9>5@qKY6Jm{j88wZr}%@qvj z!8z-@saw&?SQ0K*q_Y7h6yd2G=t=K5J95(7)%%NS;Kst~mvuNo#qZ@yM_0x`+lsns zpc8h^-(ZB3gd}K+DRsw8LZn#|F-?Z)O-y&0#<1_0;*7F*oVY%g(N@L)Akt3B4cf{t zUma`qoE^4dg)M<jNs6i7v$wam4s2G~wv5@B?C@~M4`>{^v(8^%U!1+^7~uaRApHd( zePjG0et_@W#`g?~bz>fVIgkF<Li6bVA?BfR1;H6XVOxqwB-1M?$laLuR38{jyaqH4 zh%z~mA5f3n;AFP4A<oWRb#9&_3-#)Rke(3A#{HX;$wG+B!^saQhzTypA!ACq-rtcZ zNJ+w34g?UW>iTdHXUfV3I#2Koj#8+Xcur{gJt5bU8^sxi@35D_={<sG8N~_m10UW6 zqcQe^(G0n&6P)o_djFvQB8U$ZP?}+`(5E5)1&whe0?RnEWu7CZFSsGa22=GUQ}tdf z##AdC=v6iz1$U^8<O9YabDaQ$gmX6y5fS?x9Y7288v7DSC7|J4H8AQbjP@47sHdf} z8^%F|3le#Y9XLHLd$yfjHI^0)=Psq@b7JTwaFs_}MA`sjy8ewDdDv&m=($v~70zh~ 
z5Fds_Rb!KCQn6ur6L3Hrc-M@*ve?uEnLr=1t;>g|2KqY^{YBQU>+F7hfzWk!*Nus6 zE74{i<9x$G#`++gg;+3AoRAnN>5MPJEp5}S_RSU=29cZ0*snK%j}zrzGKSeI4%38Q ze}IFa>+G2Hf}`NfOHp6X<Zwc6BQ(s$h_Tl#(=pN8Aj<BLCm$%7ArG#$kOytuFy!Vq z^4yFv&I`#HJOSv|O(G_rg}`~8FpZtbF&>G|8m0Wwf@UU#dkV3xwUT*J8z-0v>o(sV zZ5>}IVih5NU#HO-BXs2m3kj_5AK?`2I(@x}TY3?DI~J{^^k65LI1`H5^o;jG#3NlN z$bhZZ;YBHEEtpQMocmXJ97F~fMeGGc@e7c|8yl|@?1DJsvW#hrjFqm;AP~?KJ(48Y zOYL9SBr8?&zD7)w?)WYy6q|;dIGaI$ySWn`1bsqvX=4gR;ax!H^7B>Lglgy>A9{e} zh1AIxPWQ9(-;4Fq14`ScK~%Nvx=ybrr`_Ml8$l^yM<A04wy-%oIR9|?{n?MFD2Ql^ zU7smd2_Y$h^UNL#l)f7hF!Or`@ML41%Fo)w?0CMw{=`j{KLNt5f&{ZoKux68TJ^P6 zI>2cv*fL?jN#X~QoAUWjgK@xb{*lFTUFSvh{N)RSma@Utynkf?c&-5CJu}0ET;oV+ zb#1P`QGw;vtsA7TNpd8#fPJpPT^WRfvdmeGXc~keV(mFEAH6b0-&3RO6XOEA{uHAO zW?|B8x1=%KyG-f}G;3+KQ_){cw7TQA>X^6Zr$HKwbsw0Zx!c<4AMZ%Q@EVaC*9t7U zhoclHmN&&G9_>hW(ql3C>rDN11H~<gqM@FaxEv^^j1|`2pRB7xGl-ZK&kxdR;3Y&@ zJ_huDC3LR!NKW?=IMBFRLE$v#g~O#oLfXUDc2K~#n@g@e=lN%sTzk%Qa|!gWHe3@W z#|<|ReRP$ti*qGSs)S4te@B>2HVkO$Q~?uCDqgB1!Q+6Y$&9-aJ!>54UE)3v{#ELZ zuYhHJ;$7o}=a`k-3*1E|jy+?6OkYh9ap}cR#fHwPE!!Ej*Sjk1$;G1C_l2|NY{OY> zidk+Owb4IbICtp1aK7ZY!`ObqAY~@My!c2HjOE^wKWQYsdC~2zbBEKr^RtV~gVW26 zjg<{_GU86}fQoAGTK7RDK{JveH-r}e-~e$WZMP{aYVAsoBMsx1T&AvXGJBh1WqoaI z_yjC7cQj%e%8X<i8(-%TiInS!@dDtGFw-8GYJydY%Q+u*@SktXaY&O4P+$;b#eF#J z;soEot=J3auG8x}ch9J?V2<K27+=m)tOyhFGXO32PgiO%2iX|)7H}l(Ia{A!4y>zL zbe-OgnnpJ#D>+FA!8pSH`y{-;egGOK+h5w$km1V^!KV#L#~g!Sr(~gd9U`@!2}T#k z2S@LYnI6LZMiDv%oqRBOi&C6SnPMR*nBY;!aA4hBFU{N#{dDl|EfYVPmu3mJ#@$lm z=I7>-h~F}p<`e@u4a6k{qFxfjDYXFhB|t+HIuh4O)}q4$5i$|d0?{i0Ar5Ev?vO+g zrvhDq%-s^u!cWq%q+>>Lavo;mAd>aaKub3#ux9{%q2OA_DHMlINr`ljK9&vij`+bS zU{alDo?jslhF0_q|G^mVxf*Y4@ny61VUs?43T*ua4Zl%jinQ;Gg^ZZy5KP@<CSrg= ztPr1jTZICG$nY2J*&MU0#?%}*5Gx^kT89Vx_%k!(G=LomU=b;^3sUBBrOK|erBv~E zGj;|lcKF3jczi_=p{qE-@Y2X3chAC!$OV8gYb7uYq4bX2U_{B(I%kCnk`m#nNhf&5 zG`TGFnNH_=9vCM4WuFN~G#kR%X^f?Wgk{`V#O0n@<b?s-iJq}ZC0KVVJj}?YLO4N} zbixi&b3v5|*<EBk`z7Z%-x9#BhoFn2?{PRq362R307w~WmHg>i#sTuN56tIFC#zs* 
z5EvKgVL8R@+Lw=g1H6zyQPHliRjin>wl%A*=U0tf(MGFbMrT8ESA_0t^&C*to>U=F zg-X<(moJ=Mr}x~_ZJVe<FXYWGTl4+`&ct1(_ZehV&p5gmV^^PDVs<-H0!OCHVvv#; zV&LVPaD|0GHHoIg&q9ob*mD`z1kBn;5xIp+sRWDP^$6P~BLMbJdY1~v0&2r?)NV)a z6w}!CFpAy8o#IqFm|n<BS_a9u$(P3s6xSdldF&MC*;joR@ayk5dyl?~JI<cQx+k%I zUha_LW#qu4z}Cu~2<SW{alH`xLk&@J^8#TUJ8--4$Yc=5Ek#2@Qko`itZOwe&2bul z^F-V(G!erkGT=%QW}B;l@7!5V4a7dWBva2#nF4#s&pY&IH~`}mYF29y&lQNBocGSa zN|*!O=)XeelFg}xv!~$Xy@2T~Ci>h%2_Cy#0ni$va3pDHyAoROMP4NrDPwGEXEBZp z{akn7k=?s{mY?n_h-m7DAx=)B5xJ5sk`YO!t}#07{)0F%$vT(ewq@AR3wa?25O$4w zEV$GsiH{Su>zR-$yQ=`BDvQt%j|kVFP)m`@ER@l*3ky4X_`Vu`+n#?_aE^OR2U|aE zIT^(#j6{)#4-@R;C=J|@GL2APW+;8%4N*wOfd>}NG@i@EdlnP-%kMy5$g4Jne9xdA zmyn`RjBwJ{nHMkQjT!)2z%97#^dy8Wg-TGO>`Q(InFWzLH(N5ofoc$41B9V}QKmG+ zIP!7i&A4w$xb3c_%;H}<!i!`&o32V|UUY9gclMmEa`)C!Yu4{oty!N7B1Y=G1)X3< z5;jk*#p*0XeK)e*+u~7CR0Dlp1o{pF9}6A<ltpY)UBP|V72;kI0--eWtj!rYHVd8D zH#RP{cZzE0<V_`w?4Cq+*V=KO>oH>__!XlyZ3OL%hvwDMPIo*+G>AMbIGmTAVLA$l z!Wrs!$HR3;kF~29yP#5V*W=&t3^c`GND#r_G_PFrxs0@dFoY9vR8zSAx@u4G9omB3 zs?g<M_I8cgZ*zg0nC>JY@0k3$b!XfJGj`pTEFX5o=1FmiC}D~j#02w8fpEsPV;2oh z-drAEykjW+;@-G=;4L|D-@Xv$+FwY<h{QZO7SYtl2`p|%#t>S>NCc4q_y!xy+*gya zH>@%%g}M)C7-oh<K&OmizIs>IEfFu!0EZNFyI2H48MZGQyH_$FxS<l2;Ar4u&rN79 z%*c!iV@4B9kH`9;(4CPi6%U^Bw^>1B)q{2`1{K#@u0IVT9@CZAYsC0fcMFM(q%?OE zx5Ez@(5r&$3C2>4)srW=b&xXDZgiOs`3i&?v%$J5p0qU^xy2yM3f5#e(>I;DD`Eym zv)H!94u*kue3ycVJ0#JF--pO+PNCWxhM`3`v}W!r4e-!xbhWOLQM_r~Kn@H);$ZL= z$#lj*dToV+V9iXzUT1uP69=6{X+r$WW6M;P8F__90S-l~&5)1~yAilO9gUgh+^w9r zR!SFKVzMPS&JeNd1Bymj7|sO2f?t`ztbun+fX_Y3x17F&&~^GR6o_tR=!lk{X%bA4 z&n=W)=Z*usGqsKpe6M>16m9hplZ<P-+pw)&kEzJ(1`f|94n{EfN#rHWo{%ytPRQNt z!!R3-_<sKt8vyncfW4fY^&#qs2GKagyub<%vLo40f1!?VnXQD%6+U$1CINVIZ(WLf z?1gT^b2A28lC>!sW<0zPHj%ozL#O0ctmqI!)E~vZW6WW<WDfk~VTU;Dp~F;>cy7cj zb6|i{(xI1k-C0~A&NSd&e3vF}i7G<DAtOY%*;!mg<CL8ogTa{!#53^NF2RHG*850s z7Z@%)+8dNSX4G+>>N|I6O|g~9EK2V5>|g_~cREwwpqM54x=vq-iJoaPa~IYT@u)Dx zjUK(S9udDO5b9~14a2~bDXB(ZwL5JY4Gv}|;LV(l59$cHDvRABOd5rubmD-J7PgXJ 
zGhake!?WWlnsPJAjUf5YV|_GoJ+<$*E4Mwrwt%P<k3^J&_$?WOvU_F3%U<zFWepj2 z^J_fJ-5Z&4ZgE1u>C7+YUngXGC7oP}dmP;a35l3m{)5<W26OlJ6nLAgOsPZHcqT)3 zdBnNVakr!+BtPn|Ksk6=Rd?Gd={8r!_O-brue%rs!|vwUN)YERZWAG9@~X^>d4+B# zfj0rE<AVK=5+3)CWV&`C5JV4OHu~HNbe%4T@LW1W7=+$dC9@0$-y=6mCrng&%8D`I zYjA1>dj+l7#7Fw?W&QvbGH2o@e%m903}6>pdN}t#UzKErUuhf^GgJpmUZrt(CG}BI zLP~6$=hCghU~O02oQdl{evn-UGF#=j^r--MS$OcI0Dhawlg-kJn~L+pG#*7Pp6Ty5 zlqwMIE{EZP(Qr!=F3V%kZiJ@*6cO_nc`ltbe|4kWoivbxTMs;%ldELd2rQK9KG)8T zfIbbpFM%7oN~Qs+J>W3qTBPr(@8m45xSxeB5ceG!x;}_LMi+?F2LMy|nwu)Nq8TzV zl;9YrK^oj(jbKkA*n5#Xj@1PdUts{pu;Agj#_#;6sT*sk-4dvC_TsM7+tZtIOI*}4 z5WD#>h&y*0huFR@;KjvcI)Z|t(!KcN_FjnT={Vy!Aw#y7ZU9FB+@ghU7I_nyTn+_g z#ND>9L8}BWZWsXQS2#^^QkE!TnK@?hi7O3JC8=^X7a+cKlWSf87ERq)>TiJ8)o&k- z&MI@1)61G^O2%WDU1S;ryo!&8ptBD93PN63G=tQ&a^C>Z{MFyptKZidEc|dS#f1w% zSrZbSo5AE7l1e7w-rQ116<u}uM$hWXR1GB<KrC4nH#mLTBe6<sFS1|T;#Z!}LE%8Q zb2*+%hXxGU&5_Qc9KTV~-TJlNWUr8niSDCQq-+w~a!;tcYNg$xM$W9*qHLmRHX5NY zxW?)l#wQ+i+*|6nQ}<UAflm`((+-peOgl^pj<dkW9g!a(YX!E&pzVZ&*qNl$a9vNM zTQZIL%(kPMttUc&bZ!>FIO6xha{jKm<>fXX)1w@80E%cJBUarkB{E};dlpO#nC=rK zG?kIf1_Ip@1i*i2r0xk@j)pFsXgO@Unrx?xg8o7Q*Me$*Q-trB2oF-z^Wf+|&&2`s zvemlMo?7YZ25+q%<GC86zrZReZ#x6AXJvg!c9fS5vPJ+Whh?p65V^cJa~qg0n7pr? zsewJ=)`82Qu-ao|UKTx<9x66uxtzKxc|)_Z;u<#&ZYM#CLm|}cp!qUj=`6-CP1nwq zMotN^-Ad8tMl&A4Mn(v0i$uEshBK*YR$47r$ffOo>T$Qq$Bl@OWzi&C{wk)^FqBB! 
zsXmM*M&KRyX)v+6Da;7h_o>xBCO$ejc!!u6F|bv;UvG~e8QI0OJrd8(qT?H!%m#ep zUTtzUi)P&N<k643<P^^Vkyj7_)5;Q&g3BZVztm$OrH#v7F$x(a3APs6M@pJ?^>j=n zLSt)trx{7`U64}FY0QEa_I8}$HV7&vuEs(`(xa$MC4H>wP#)AquP%-c{&sTu2J!kY zgReI>{$rSYx3aNuboS%v<;lBa^zP)%_m}9^F}gVZ&-W)6$4BV(*#$Z{MeonwTpS!7 zfBpYXM9?&&DZg}?U<I1lD@i8e+JXrEL(t{J>DlG+z?u3#ujRj4XNVeu(rhSet+>i$ z25U+((ABQ9<J?_2yf%~kHehs!Afw5<zI78HDwervFbwg=hE{Ay=&L?!S6%0YvvUPF zoDvaAtP4SIY-q$bHh5^9NLJ#cUqNUCibu*6CR6TCTq+Y1zD5I#(LW3?^3Q8#sSqU_ z7`I&G83i9CK+oY2P{B>uM=o46>6gc$Jq%>fbE1&eG2)YK2sO?eI+1ArG-b<cME-M} z+%QD$jT?kKEx#mFe9!4U=h73lmKI3HZCd^+)6ltuKB@dc08S^>_9`W5=?TLFYs>s} zs=0V2M>N!9syxlYL0l)swxl`$Fzh7F#vr;1#Ga9`r73x)R9ku-#E@6k9+9N&5A&IO zz~#@{ZHiNrOIPE<<C!s(O7ZF~V)OLn9R<KpIan_i0?{)-^kwouzi%m$upN}ihLaEA zXyV6Ia3gNQV8X(Lb|!?T)PUSmko5$QBNgv`VC$irgwLpY84d)cdYVpH-3It>3HT<H z*UP;t^ms^}*j@lg&)GGB=rod^MZy!|fKEup%OXWSL;%8x10D$j$_oi(CvQ-|TU6+Z zUxUJ1rOGAlcnS9D70M!T*T9u4H-$itkgf#f--4Y8PT)0BLqMK{(gtC@5;yYAUctyT zY<za+uk+(gx+)3?1yna*<EI?RRqfv3c&u;A40wK(pH3Kca@&gX2yG^-xY_IzOgTzC zB*`G-b4f<Mp3-|}+R<E;LdDFUgAPe_gGIuC^mDVH`VJ3S7p^S(A`)6`Im)AH>Jg@| z9MIB<3onf2jh>}K(KEK2a*k26eo1-d5`e7}6bx%En8sl+nyD?EW-(86n2;pJk$e^q z#FTV<n)_>4r!5$QK^!WQu@BBqgdM97d%lPX_L#b5RR5Btri>A`OGaq2`L+xgD)hf+ zpH-Gnk}>|LHS!E-Ew79MD&yi=*9i_|KCL63wP?iWGkwV?Q#XjpjA=kor3-9X(m^=p zuJMeAT(MbVew$k&9#qW#BEqg`NP08IJAXdbflyK_!CbkwFE2#xPJ93JUCI=&A;uA! 
ziVPx!%Z|(sit;`-!<7WCP{wcCc_{WFmnUXS06!|=-iTx=CyPx{%Nt-Iva1lu9{|PD zU`Dr{l5S#ia3+J~q995o>zO8$S$^1nsbk2u8o1Zo2%Vg3qZXujn@8TrT4^T2TNS{~ z>wT`NP2DiuL{sbs*_1~-F*CL7E(8Fpm~+FC$N)p=GBa*;_TQVt_3*j%7-&wUYOpFO zytjyI({;8D7&;8xV0em639G&Ow((#vlyLgXTQ0k<+8#5d6*D*TiyFldrMOA5&=9@b z^0bJ`v=TEmA>b#QUz!8KBz|6wY-@gBNbBrEW|(ZJ;&a+OKF9J&!zgNd>=p)j1Eu)T zVMsC`iRylEki5Tm3uNbI;APN=0aWb|LqozL7Kf)lbVNO*K=3mnk$r7yI#B_l+7yep zPP&E$zAfXcW{YW|T|+Q$%Sfo1$?NQdkXuOH7D6yRO5L&1wJW<WV)Aqi9e7Jca?EP{ zW~J7iOJ|YicqGB+goK0OSA1oHRjBF1U0m&F5f~4ue3b=NM2ifw$PckI!Y-r)+a)hy zfSyWbu(fXf1ceB?GU~%kuz3Y3?p7oYCR`Opyw$BF$Y0<69Zh)w9n*H+5>XfsN^g-f zSKQzVu6)i#WYAHNSTob{y3g&?1@d3cPfV|a6@-1$<Cnrl>c~jk=#||ndMf-74lNUf z9XqJr;;f=){X(3z=Wx~@mMTJ9B8eP;*3$-1{lR#~*P@Qhl?Zd!j(IS{%)7?v@m)Yu zdc}iCpss{jSJZ^7k{}Gxcp;ugzVfmpypr-%UZ>uUae9UP49inK!ndNN&ol?Tr;zSe z-zxGWLb?Ra4IBm@jwt3nr(D(;A3!HBEZ{(SVaTB^6_g)}n#tuZbRq5ic`-=<@_E^` zg`yPU^p+&oDCV!+Fuooq#1PP1DoEbKNaVwpX2BbM)h61`83z1922S}Q$x`9uEKMzQ zvy`;;^_&VNlBTgS+>S<dE60^~Jgd=XyR?t25G`W0gkA==eGGG@BD@5i$5F3Ggl;s> zY_3yTMcsZ5{3)lscwi_O8@?u-(MJ7IH<UN1T)1n*t6hW!#(9Hy%ZUE1Gyq_d@eH{t z?~!Y%%mBH#Jb8U^czJg5(}(ZR-W@~r)ZFpDWds2iWmwIY(1&AR90oclT;X|mf>KP= zT#W}0Zz`pZD!+iwbx0HJo*kB5HGS>FmG=XdqF-RczBoIIkn_UvKa6wWcR=qu=RcIU z?RV*f`%b*z@1_%8qE3Wu3CFUVPN+^~m|!<dCwWgoUmPZYQ?Cvu>u7?320VK~=eltu zxXVO3l6V_4n5rRke!`T&6nSIj9JWj50Jmgvy&-zlEPZA6*0H%-#RJz854?(JjJ@;8 z5<K)*TOMFUa96$wyI%sEDMI!W(|J>%FU}+#U0x$1g$<<H+ytYxnQ^NBDBVhB#uX^% z;$oBA@_{*_7bWmO!AJ{r^W_yB&xL}@5w|$Os*ES-f95hiFM+KK34hby-a~6S@1u<K z;#rpK1~465zku`jxwBUyD~;yu!(;gB@GpNc#?nFXTQ&pbNurMioS2D9yx6@RwA~cr zT?2&L2hVGmjf*g&m*W4OMaJDWAoQ)U?9v0rb5l1AB9|FVI`he7RTWdZfVuSC@Hh5# z%y8~J5PnuuQF4Q@h(ymoqFW;jp&Ce>FiA^us;VeJ0&&6%I7glvc57E-(OZZVviO3G zs3aqFH8{Tb;rQai-`~CcaQyeni-Qk`XQ!vf>~Ow98MQH2<m)ZO2<k|Fq2rT#3mENt zdJSLbsAR)@D5|;U>Vcao;JI)j>-PFNMQ$8us48CB4yG&yb_TyPX<|I)fv#$OWLJ8O zEjh+cPF@?={v<*Zp6b9as*6f3o(?ha+YwHNGvzYU!}QCCdC;jS{#$4j`x<}>8163w zL2=S^Q4@<nsMVB;dV`&QU!p$PCkWL;K35^idlf^Hk#xz*8w`F|u3_xiVb0<t$fDG6 
zZ*Z^p8b5Z|#Vtn&X&fEh>H}DCA6P35UPn>e*A=$WZ>j}gw4uP)Fm_5{%w3yZ`4kI- zpkD8JZYx{1r$|kgXBxdvLR}UV?j>?gAAPN(M^eH33!I3&P*x!=!bGkn^i9_Afmr;q z2s&DtAi|K<kNt4EJXhJiBD3Tw#{+N^>ybEsn=B1TzjU*w05zC)PeV`<+u|5&2tn<? zJ)sms(DwpJ>^QwG14cg=g8saQUCSIQ+)vK6McYW-6AH3^??wR^ZbcpPr$Wjh58r^G zsI;R12q)-KK+_}`X8a8ZqjH=I;dL||6_C5N0I_$R7aD>Jw-p!A&#iYzbTKv!017(v zG=#leSbReqo@)p?*jD3E@=k;*fFok%g;1^WG4gZG@?q}jI9s8e7xoI%T_WP+fe0|Y z+C*2f-lNE^Nl7T4>Ck7_o(_^VAUB|d!M0nu;OFN?W|UQOB^S8`Wy-TC0#*~>2}24; zX)@zij^GKQdNdUnyH^-YCln>2_A8>bqgNl^U%Xv6I9bJn>9rGnJdqD0Qy8Cjx4USK z$85}abq0tF#Qc>r^=wfXqLddM5*7BC>hiq%ya$ny_-^86G{wGwgN`75o}+uQu!#|{ z2tkH2-hL>`IAmr*K4+#YS^7baD56PV#4U@5w4=7{Jrs2b=jjY-4RfyqCU?q#!_3MY zD}N81jq#Sa{!qkkYuLL#ThC!woLN#$MQ*z_k?G8x+v{e4pf4jHc%5f-)7PWz<l+Py z?gInD_RrQE76vUeh2sRbm3$Rc7P=J_)KJM4s;`?2gEVoInU!-wB2@qs(%zUFobckH zG4Uw`r;SMBiRvq1FjYa$@=Xwrt+TkY<Tn72X9d?cjS#0M=EY0fQhrgvoxMEQ*PoIa zf_`6P&y>69AckTyeWxprL)}NmWA^ewg9@6rMd%8YIT6!?5F=p^w8evnj4Vo>RgTQ7 zq3d1a$iEUhQ^wn<^lI$ej%d+fUE|m-!Lb2llnSz=`A@Uoe`X}rPCXSqB=^H@5c-~* z_-09zJz2JoLE5%RY(xU<EYSRg`Hm5BYxTaG$ZDVvfdd8UP_En)uTmEfprctTbWfJn zv*G3oqXJR3HM{H>Rps~Q^-`qV)}g4v*)Hec1)UVrv|SSBv8}887sXZO0&YPiRr#i+ zxJy3&;ZQ^E=0aMFdWNW&=28@q2p-pHGO`gnx>Y*JvEbp0R|ki3x0LEQ=ee9|w0235 zPi`Zq!y;pb(O-{V9m-m@Bw4qLe;6m;)V=#)RJ1KOV|f@MzwtekDpsR#0jK+buZ1^w z|M%_5;qmF<c=<8v-~a9J_O^EH_kVkPz1_X1_kSPbgXVq2q4ZW9NHr~g5M0`Kx|_^` z&)Cu4?{>E<J2BBIihH^+j6;%fN1T1Mv%)%F9$&m0po7yRba-}pbaHueb~=DGqxXa3 zO>}X5esOm6{*ZmW39XJ!2A3Bnuimq706@<{M;NRKcv*EtVAB#aY9Tsdy6+T9B0*Sl zGUW%SDwU{id^ef!SM>-s1t_TLYnqQxb7vGpJcD!~D_i%NW=*p31ij!nS^-sdaUL&{ z6cF=BJWGP{Bt_&l!U^JD=^&j!ISY~mzruI|PFW9Lnt`Hm;zp?qYY=oW5Wr(MM8^QS zfJ7DvQ%yV<0E&~qg4cBsU`RT_0>OZtu@h08D<R<~&!`inVgTt)HXF#mf<l1&#aIDJ zG?ZaOZYl<J&}$KG8D~jMD5jdKYQg0iwFHzFOogJgV4Zg*w>a4p9yx|Y5b?h^LGyP- zN|%5l!jl;V5;S!qcZ_)&+X&Ijn+U`<nU)IEAM#X+#0A(UWo`q;O(a2UL9ou3hfac+ z->Q$&8H#ZNA=_&^-9N3vaLlUYgqMJ_l%{S3$}OF^38oTau#Sc}!lS?o+|Y(@;Hj7V zCz7?$8cE=<q_u9YI>i6`!A;<23|4|n{ty809ZtLev~nHlB>0SP0$7#;tMS~~7UbmS 
zIW2}KsS|#eJrxPVP@j&+FLSQ}l?xn1UYG$XWLYb)7<j}uC8P9~u@_hQkVkyHnTtW@ zV0eQ~x&L#wq=xu7gHrBA)ZJ*tze_L`H3s2=LKGVGT)9Eg#Eq!F*k!EDz6q5x#6_Gu z0B+Nspn#E^rbni607^TrGtZ}~<7KP~o6^gJgbOMw5%Rq|#eU#IYOyixA4zgu5DE}B z#4rXq#5hfFfgqC8P#fS(Rl%QbqABEHs+>B${|&jc$)qV`Ku>1myGkxd=@yYR@URkZ zoKn1|851jM>Ow6L5fsL-6(H7h>W`HoBdn-{IL475+@T>3$?dwP!Vyk_8yE5v7(r+& z&jD<VavF%)3rL&>67eBuk|cty=(91zyYpODv7wN3JMj!@Eex;^!H;f;5_}WDQf`{| z_9nuiJ0ywx7fIwYo4ZK>W2YRZI7&Bpgxl?egs>?PNrG{}jO5~)7v-^(QzL8pZ=yW; z1oap<i?svr;?zj+)D6`B#IegCGGlasX-si~!x;*L=o$z&3?kqYW)ZH-MTdedBiDmN zV$(Py6;TUFG3sD4(yM;RM7cQQOIJL<2h^4|##028O1(Hs6&?(jwI;yBB1m156lUe7 zycbC-k>4~nMarZ;iQF)hVw+~eX^;xxA@vUawl%|?ClW^*z2U4(t&pn>$6f7dVJa$M z!?WQTzYp=m4M&KKs+E^!r#)(^Ikf~Ve%>pwOhyR&%L$1BZ<DRU&<%l)ZWGoo0_7u% zWNk3E3rwP8O(;gEl<Lg_^rxG(N0E|U<`^V0a6(fN;1UKjrJLrFrBopvElo`k&hJ2& zssU%DXu+4CoqSwdQM#5%^i4yISX^LG8|s$?)XR7XJd6n04pNQ$5hR{In(&<@f<0Hs zj~<C=9C#VYXgEVtH@W7{CZ!!ol?&5g90`vptPv2lloOe-YMqi4xyanBPOG?ubNaQK zw%mbpRUVUoOg>I?gX(mv1bY}H`EX{9qc<VN|H^QbhBIELJtq9PW(u#d{kS0NJLnBl ztJtuIYWh;MLW7JSt|_TDW{hoSN@eVN6J!twF%dGHaV-w?f}co+T&Cg0IL+KpvfnL9 zLjN{kx<*8zHmp1iZs4D7Z{j9nW;l_V8>X}ND8YCW1xbQ$hzDVL`O{op1;X28+}grA zEwv!&v^eLt&fyG+M<F)#H!)85QA^<)p;(x9o2lk2Sq#c@VZ@T-9Apb$pe<v8&RuwD z?8{%BHGJpc7)q#uJ6WhmQ1}}RqIDGWxf-iCb+7Rznz%O@v^<Fr*wJJ(64j<~7;cLH z=MVJrg;8=qD9S=B1TiCL26eb$jZ{2-9EZ%@gtF^EWhT1>YH%4$MO$NX!x;x+Qdh~% z2z!`PHwj>Oj*=i6ON#~v^6WD={u*6JZU}W)gaJ4m%IEg@Ssx_%4st>=F$NeAUf^O% zo{gLs;+8FiJnI~EGGgnmY$2KkDdTCiDC&_~ckHsCLC6WieN7)&O1Dl3rEOlt9`1lM zray_Q_7QSX=-$#SNZC|FJXUodCGuJ)$VtUI0S9LSN1O^%Tf_16;>_f<<a$g&Q%&I- zGn(Z%QL0SR7!^B38X9_!i6c*HRs3|2@l%plTq+edxaSnir>Gn7R5zcCf^7#~VAC_? 
zz|d27rX^cm3PErPwGI7wS{^J3QyU>kbW=XV1OFxJM7GUlBpy*Hm1LXR6as>1)|z6R z=E}lo*|oo-?5cG>(~PEQ%<yICaeE`dUJwVE2`y9gRn{T<6ejAbplox+zJ+5{jyW{O z<c=GyN;5l3CM$Su!dNIF(;#Ae!mUSY3~!Y(WiaJKx~klhJ+fzvoZ!?AqD`qc8zwwh z2hprBIb&copk|0oxS3a{<EG&5O(qt7%=D&BLzw^;P4#vYbK@?E5`6L^)z;j&^pr3F zIZ;|E#tF}MA!5ftsGK#E;!$lA&0psQnZ)`F!;dX>>-6mM<nXw~pOWS;Jy1CYQ@M?C z%-v;(fRde3pe(GH0ZN*lF68uz3O|zRa4A`3Orc4BA=E%J@QJ__Hk;7Z08>ukQn~`O zxhV><OPM)kdg(<My;~uFj_yk|U5TTnwWg58RkRj|Z%tutF`2oqZ3h$zMq19WBXg`z zz#@E-Y!<2PN?p$`+E_uQQEsPz0&xT7Ucr|VBz~Jsa;DZMf?|T<j42k_O&ng`3Z6>0 z*icZ#SZ`1sxGAlid~RqMuS`R+(eY({89x}!EZ@93HeBCle<#e|F*(wJB2gC<YO)hH zIrVAaTdV{2lp8@M@5s-ls%(eJF;cK_`%f-sUZw$ojZFK}%>>>mUcCe&sPp{C2~%}% zQA#3hRe;(G&U&r@<Q!kdQZOJT#Q`7?f@!UmmRq91Yu8@Mm63?2(6c9_5^Og0wvi<s z%S{o}JEyi1z+*!j-aL&!;kL>;g_YLrkttWD86R108D**DECFjlcEH$?NzY)bYAujD z=smBH#1>6fF%4%NqH#f@{2Q~p7HK%M3^!J#>q=|-Y{a}HhpT!+)BC)LX(rSxK+|9t z4uY$$zPx?p{ZC2CI;q<mIA4Z@8)a<Uj={WR#|WTCvlu57`<Pz@v29>1i5Q4$7u-Rb zVr>$Q6U-TZCUyu|WcUtyhKL8js|cds_$$~R;x1s<L6=eip`!Mn)T327C{Vf0<aZH4 z3P?lke<8BmDW---LpN2mV)0L12VSJ$3Z|79Z)&fTFjH0FImBpUmy$>Y8}bNNH{k^* zg9!PUdPy)8OQDR8U>p?vvvN1dbrYvS$q~RQwdbItfP(47-wpiHO&DEfY7;0_hcj-# zg5}LjEG-6L6~TDXUa(EQU}Eo6jp`c16}#RfZ=#y5gOu8fyN;mP3Thn;(8-{MUL6ch z29mfxo?L!^_Wlz6cyMuXaC&)iJV0j`=C%CUYjkk>6Z+f9>Cq;_0lxvhi}};Xawbp- z3;TwfRPP}0le$t)&Co3;6&OTGQN)rFx;(jjd%THG&raJXr>`$gPTw5AJ3hVKMDLC- z4!=J*y*zkz^7iENCt#u1Czq$k10FtbAYhyyTwI<UzJGggfzIDwoSzMj`Dx2<3qu?- zTaCsfqEJl>;z=>L3T<|A<2WI45-{}~CM+L#0RGbw*YKBeZzHAI6l@hKt^*2^of0ol zW-=G*;+_?}vF1f<(U|4D_uN5m6-imAw}Cqh!vCMWcW-aoMjnOtZ+!}sRvXJPDPNLw z>qOaCvE@XKZ$C+Co0D{9N`xfV6rm+3+p6o|XMZ2e03bk8ww$zS_nc~<XB$hv02mAg zgSmq7ye)2CLN95IG0_MkW+Vb-XF8!QSs1DoWywmxLp4(w#B>~mV;T=>ZBtvjH!W4J z*8JQ{@9QWia1zic9DqOvlN%?Db8WX!L#D(ZrW~x}<>v#rr*(a>gbdV{MVKI2Y6Q?# zc<PUB9lq$TTmmxZ0Lbc>DcQn!7($v8G$jZD26eh2_>%%q#i4a+DdHz+GZ(kGzN`5> zO7jn0z~)@@m^pqE#&R<azG`X=*6*~5t67O<M+^ye%vf+0MyBrYg7B2hX8xFNf=n<^ zWen~-!Q04>M)NomZr~Cu@dSZNAj#0e2M$bmZ4>BF2<Ul5oP?p3>3(n-f{|3_IA)xO 
z5(&z=L4wB<@SR7RP&QX!L2+I&vXPnGI21olgy?P`*SxXtPIH@*LWdK^Pzws0PRrO1 zI#=S85e0s-DGU4h@sQ#oW~c_0+;0JNN2hU^>hq|rw~?AVVS`9&p+Ih_3$`O9Uo^Eq zoOr6<S0T5|J=7y_*p+w*;Zss04De|H&ejJWEpcR6L$u5-%_5-0m0t@+nz2!sFGxC> z6(!^7nWo4f1E~`hZ>DgB{8=1$Jnw*;k;Y9xM>Gzw$Am>eiR#=>rof4maILYJ9p`zH zWY#jNIrcfHPzy{dQ8$Zv<H14-8`**u0s|RNwJ?8WP@^F>>bW2Rw@wbky;|l52fsJZ z&RQo2?Vt9<7J{~5Hj5V0eZh3y6TiV!uCy(Q5Yk(*!=`kju(b(FtY%?E6HI%8uenXL zbOwzAPG~%gn5@<~Nc`aiO*wIHZk_Cr68S@Q+bt9^0aul;KI0|rk#$VhDU~+H8CAf) zsu6gt!!tE2-KysyUkApuZP;d^pwS{u{cCLqg-1P3z#~6W;zyii6^^9AKt0+Z-5Jmg z=U5U7o?R5{-O9^YnN|lhb6EikshSBCD|Kc`2#RaLgB@{K*p^S}`~pGhJ`c4$USdw! zUA1~9Q*!vpa1vfBPMH}KZx)Ni;+EW~;%zxA>n${wL=qTpCYyXVO@~mj4rQ>F&t>ho z0HNL^vIZgEcz`-7#zPWMAua-I)D)#f9OKo`2B0nTEtQ=jWIt8pexJ*!^mTT@wVaTZ zB=lvnhx9qCm|98;Uut?Gw;C*yz&}&`R)RO6txKsj1x4gCS@BS3FCt@hNs~D5*(bFn znY_-6>+*g_H}$_if6!+I|9@St@>9pS)Bk__$=1_n&+`8NPo6yc+yDPdeAdYKhY7P& ztwCXjeXMJ}vGE3CLFcnQayn0p-$=lQSQ}+3y?_`2MW*1xcDOeWQ;Pmu<}f-98>o9I z`OwBMa+%+<It_wpV|dk&P3uDzkD|GFch;p1p#J?~=k#?w1M}DbQ}Z@9AX?}wp}@|? zq&PXCsUJqXQrRGHv*g&@-uBMp%7!)FvxJcp94wV)?ZcRYxdoNr;svm5uI6zXC6u}V zsE)C7h)p#S(4@(VA7K=cfY~C~UIp^3=2MBdX9=sDf471$1$W5PZnwVQ5@NH;h5>m? zv1WTM1Lm8-aXJJttB6u4i6LjXKJ;Ty+M|uMMm9E1PJ6ArjSbjwqkLml6h$X4erTac z&zP^O;pRtHB5_?I0(8Ul8bquBTtK70LedqLGW~=4hefg3K4uxyy^uluGeLMlI^lJx zqvWp4oEXOAx(rm5TWe6XK;gcs6~Bf#>%^b?kXZ=NRhGxRQh9}8<Y5K@4{BDxgl~cb z6-(K}m+9(0m|!P1*lb+@VF-=9kkz!TkKm(_#%ZN;ettgi`J`fpJq{&k2}ykK+2D*0 zvQF{&`8lpzVnm{%$J7E*sFh@|)5AjQS(Km6Y#!%(_S96p9oJRR%=F%_3o7H8KeW?+ z<8<qAO3f3RO}2|kY3=-}CMnH1mUVz|6<s~Bm|V@Z3lV!*mWGXFfW{KqTan-4EFZsb z9v?lnruz6Wj3{Vy!<1v{C$G{rD*Xx3E(rrWqoG|g*;>qI2{%$3VIXj?LL@HU`_pKT z{074Ji}$DRI{ohZZm)IR7nAMppPn4HU%%@#h4}h1LpvVu(gdK(awWZ5sQGW=GXhBo zQ!eo$9J8#GO5gy`2W>u?v7qKv+UX-Ml}xB8T$03z&FxZAQm-I`pz?v`HC5mYIlM%? 
zv`XnEez4b=(M2#Y-!6e@Rj+w^C)UV;tmA8LYsR-%J2RY`ee9ZBpLV2doJA4l#gLiP z1)i5|t|vJrWZKM8MJ2mz+9{dBBQ=G@L}Wy-$TW<>nJkym?~$&B-af-{_aU1aQ7B&J zkYR!HNv?<&o2RpRYIqqa<PEc0PGjjIWv&;;!DOK%Oy!aw);GVRQ}Nanj2+B$STW5i zc!+F&2qnzG2@M#xQB(~qwxta6^Vwp1WHr8m;2f0W0(}y)oC`i?&%*Kxca*3k>wZ?> z2C9e8Q>I-yYMYYd5UliOZpmI{+as?f%0X)vrx~chLgi=4IMvx{xA(f!>h{l?-R_U4 zor6YoU0n0SG=ja8IW63nywDhWNnT7B@;-X$8ZwZ}$S<75Ge4a)oEuNjtg$>-P2|=g zzd?A<vnRxL13F{@tpP@NJYCq|yz>SNScH-sW(mCv(N#W|0~u$#<U%wiy>wrTXT79? zX!WLmwOfmV3{)YZfE)|Q9QBJ}`LJ$Al`NFSNWnTcM@Gu>oOIFHq7ik%Qp&|IYt|uC zs|IoWnFmEbzV)ujdUG~Y%BWhUndlBi8`W28dc>_RB>Oa+Qo&Z_lxGPOCs^9MA$&K+ zqOnsy4Tm6cie@ZO>5rjU6QuzSN-mQuv5eT`Y#1@BI7gWd)pWKrP#A)coY1K(Addb? z+7U$Y{!IG`L8R$K2-h)0B4dW9=`5nAFNmHB+$xYGB6q*9kz+kwo!7v|dxd0h_CN%X zm&hJTlR4@*<w|8f!acJ4Y-<bX2MZAHk@hGn&ZzT(!$AMUfws53Ycx0wpfr@pDfuRu z;c*JG!W3Bw7$Z+28<`0lR4!aSU?!Z(<nn`rVl1j6;xIM=@c96mXP2^KFmfWs*qppL zJv!)jT1TyBx79ys9=A*mlZizpsZZ&Y$;3JPXYaCHCY4_9;xUUfvZ>0HU(D|{PoS2G z3^o#{0J3RAy&25BW9Puzly5H4z<8b!TM(m|(G4nx$e?e~t<yl<q~b(ip~^`(o<xg{ zjr>E9BVQL#Sav6l=5XO+D3tQfj3AGgu?TbWo+W(z;$Qj-gF43+_@ANI1Rj?fYWN2f zXTiwSPo@2%Y%t6}WF`v}!<^1i?p;s0%wM+T=j(G*dTV95TveTq`!+^MATt(l)8wnJ z4|BD8FYL{%ts)YBG@S9^gZGA=0a9YaQ}gtOvw6dLy0tZR9tJ?}8+6}!U|&5ruDaoD zzYafbcm?3eiU7<lZ#diIhjzMdI8T;$!jv(~ki2~tlJi|H^gew+#{zD5o^Bm4N6wOQ zRp+N$%Q}C8Y$}96xZeU)rHPwZF}M6<QX2n0{Rv+4DwSp=#NF{kDzVI)U93Ih4f3F( z_n17u@JhY%7n{pfU{dgN2lFsWt;%4PRV#xjhXYx*U<%d$(X&r!e1vo&7{^G5IxT9O z=z;@IapEP4y3IBHFn3K&<A^0L%%zS~slzl}OV3xk>t(MOV*$ujIBUn|Ei9{ZFE+^) zl@Fx=qg4`0EmUoyh8C=&!-<U?D4Xt<j16)Ww*kTZrFY5C^1|eqG%w}SBP?~DSTjI* zO^)IN>1ILyImz$Cr)r5>XQoP=#g8*Z_geM?i?gp?R4GYWSd7VQ=oKgK$WaL9ZaP(` zXvh-u?FghqWbP1giCiEO3FwtJ)mMo0tZ1P88aDxRlNDqim4DqR@ecB=PS74HrxvT1 zN|xu7t568~a3;hZD-#F~{NV+malo^ca!Lyv<%0?IP*to~sVX0^EuG$BeLrJQkJAZ# ztl`xvNbpLNg>QZ-4(W3LYU<**D_^<ySW<>jBf=BiWIZaMbNSqqhHd*@q2vS)<VpRE zki&)M%mnWekj}*+aZ&Aeu9G~2x&q@gWz3w9%npB+nrq1Y5P%~BJnBvkyOo|c1DqUo zrD|VrB{)OFXwFlpPAunSslqER>B<7DMrYI#h@;p(6M)W74!iyK*?Gk!`<N}<C+A{< 
zQdSf6FrS@kO2)8K^zl9Hf?)xCfig-5>|Z5eN-bMCuCU?~@tTIdhR~TZnN?7-1v$7W zkDY7T(DS@XQGUp8aU&ja^6{RA@rZljtWmu|EZmZh09`#c*2p_NSh^|{=&_}S+wkqt zdu~=E0Rj~S%$a(bs%s8{$J9lsybdy(hPpfFGu&u_EvUE5bFXZr(UVJq!REt>8cey7 zB7125*d?vQE)ogoB-Hg<c2>kSh={aE8ax!`g%5KBhlgk(T_g0`Lr(l*I>)G?GW6l0 z0^c5V^;bd5Ms8D|aHu*ZPh3F38D4wG4ky%~ks#z3yrvHY7+zHm&LRwz$f-U(RLo#f z3=GYo37Bv34JNAxVfj&Y36(6OZp}|HOHjLt_xxtXm;O+X#F`d}b<jWnlky1^+rvSS zc4T8<eE}wRMNNuWB3U2#JjK<LD7>Jg+dUBSmr}w^*p)Fxrc?>jy^22C##O#VuaeR@ z1#M#2AV91<Bx`;vkqPEw@6A#@$=auZBgCqSq>Lyo7{m6+bm0OLUD4N7HzEqpnix~; z3?*Rpw1^G9j3>*XxU<V4PFxm;7fn>o4_jk}`=}XUZqisP@F6n?w4C|rWRKLR3v7Xn z;TN1$+b|d!j6?6KxzV5~2MP!(#5|>lj(pL_rNg2}A4)|Elh7hVtF7Bos$DhNf&uD| znLfz4d52cF{0ZfbtO~yw!<U6%RUt-o|K`3YSjADhA?k~Gq(m2K+{|@*1;yTpLiX<^ zC#@O3q!X&YcVC-TC2?>yc1>Nyxhej^w=&kbR1|;j1#OkZ^w60zT{NmUulLXT?StC~ z0?1NXOAv2c?~9kdxG1~3(x|qvLEch26XM=9R35Iz9fkMj6?ggWdExdq?phhtsX{Hx zg4xYuB~r~;fYq^V3w1t%EU&rB<bMGxfjCG#FuV(e^p$xob3Y7pQ)O|T0)wOL82yBn zSxZ^Kl@ZC)caBkHR5Z)7UucZzLXhAj06%?C)9!A1PNHxC>CnMrG^LOp61YP1$F8ST z-f&lH6c{TcawLs1bf1C|a0AH?{9Gkw5%;7PrRC47p5gB97eBY%-6e-rPW^KZ=^FVF z^Xg-~shQq=Z<P~_JA3cJ^RIY!*HcB`8`YcUkKKNEx8FKBI6G~h^zJ{p2qB^4kj1ip zr}eshda`O)gI$Qu&HepWw=0hPN}K~>SR4bE(Aw{`dIm7XKTPE2>aQr8{l5#nVnsrN zQk_qa&~9Tg)XXsf3MFwNGj(^#xth47R-DB-8W-fT6QpiCP_me)euf(e8*(ur&!76g zvKY=G+J&RKU_3mnkCS@h#{u;w=@bjbY9>#9*!={?fR;Ap#*m3JT8|2V4&H8R26C!? z=^niO;@qSOnCb4SNpuh1_9R=bNnV~Ut;n#8tD48~07)mB&4<%jM6;cOdtfQY_bTsH zoP!=MwAsD9tW16{?-}z-61-nm5nJ~;VY3-TwP*-f#xr-t)#aP7;EI#X1(AtImA?Bk z1HQUPAv42t0C}yk95a;NlbLNf=IG5vSM%rS{Soj@e7$|Rm=EYq=ufllABX8=K7hR! 
z>|1%ErwOHXEN)Sk?x(76O~xAH3z~=1F!B?xlDjQ_ur3UImQu6g3LGh^4HrLYoUdP5 z+C}xfhnp92q9&4sOh6SAe?cw<i3b!?$HrqN;MjChTkZBTtb)JC)#YBU$X<W=9QOFb zu7`ZYV3FP3{;PNUZ(BXhCszaXJ6vQxJme|^Q8<V6&%V<B+Gsa&1bdG{fBI40C;k=x z2q#i3_K^hGZXV-x*X*3!W*F<Kaxmn>0cKL)kJvoWPpbo2O5?%4tqAQgKzl5qJyy`x z@K^Xz{-%C%w>@<y&~!o#erKrISAW1M1mhyR;W(zjyCmvR<iQQ`<}W;^j>BQXI2)y; z`K!47Uqx(?e_j`VxnC+T>GQ?!RWSuI137_xoa{2uy*S}N_^s`W5#50p@!qqemg4zC zNOP!;&;NPXX$cN-`tD?9u9b)NmM#jQB)3@=k}2o{oCnCc8i=laYAtU6^rY8ppR_s! z;kB|swEibkCo1hFrh)W%rvD=;8)Je9e8v_weA9?<jux5y$;eAqLJ@b71X-VIx%yly z4rR-{V(%O;dUeZ#?p@U#d<Y+~s%kf?H{jB~f7EOr-@hArj*U8-rFB#=3f$e-F~68% zf1B^@W0=nX4kI#->uFSZuU(2&;Ebh>QPDvka{Ycci>CKtki4w)z!vBWar=rXtEn^u zg}hSP_DCzh9M4+54P)}b&{_VxZv0VOrg$$XdyRGdltm>F^5QGk#k6jSfS-<!2#>?r zjHbkOU#eE9`Bt8V4d-&(d1<(<yckX(Tc4Eb8;)T+a_SmN9l^Xr1#xA^Q?^GP@cy9- z4!x^IAX!%1I=TYaYnh2R%!~{<9xMITHTEDb4iYS*ffaGll|>XoAra$uu1O!b0~cW& z?8&wje-=tt+dXo*U76C<5B$^@dw>RjBA5yxSX3D|%Ad{l%)@}HdhsH#zvii+vI7Y` zN49(9H}_B7;G86>?NF*NrFQTLBdWba(N)@w^BQ}vz6ALdv2nSbHaA-B^WNtKO5MYr zU}mqZ(}lFqC{B8Xpev23c^v*{PRTJAlzdAUmJ_Gps4W|2l_yO%RKsg%BHqa{`g4Y{ zX$B$dmLV7+y`_tDd=al4$H>!!#bZbrRSalU^k>df>UyDk0o;trFs){vHAa04=Bc}+ z$%0J$1gpMi_b#)wpF);q@h4CHG2PgxY;3@r9$;~q$!f}U8j8&IRjKUfGEatYuHLAS z{nf@s1@0BuO+_VSdjjt9HaEhIbyE4^rwWgCMVo0jrC!;|xuA;*dR>s?X1CYs2vMq0 zU1u{Ia~_dI4CGGeHQC*%Rp@ZSNcARbd8^L~Pz2iAOpK)rj?U`gQKcl)u*UqvD4S*k z5o2k1Nuxy;?=#FX5u<o%Zuh5tEIknZLdehaz})oVK=kk*b{$j9tUSO-(7-5nsu`!m zjBE~c7!JvF;i_OBS1?>R3R9Z+Q6q!UxSvEMh~I}ikTZf9ZqDu#h{T9|i&eIdq0i|i z$pm9n+FlF228l4N`8=AZqUF$!qSfAFUlHkwISLcVv@M2AGp7<iy7CuXyPu!0d{)jq z1(`!Q$frUrLoqId#vEONjl7LIm89GYtTsgEv5aTGF9b>6PjBgh1PI)SD#~JHAO`7D z#UL4*Ct5>ZD{fcweM_aM!1gmDj@A0^PL?^2ql_n2#~{@UbYwkIXLVk7I?u`avnLj) zFc!1eltmNt&RPRv1dg~5(2JR4b%bynvxEj7c_U<j%@P#o5Fl{XO_Ok14qjY7dI=YF zp+aOsnTA%t;;HoA;xdJ3IL-J0(DX<Qt!K03QqSFTf~IJork+J%<-(b~a`EJQ7RD<G zC%=ehzk_HZ;ADcy7r)OzviSY4l<!a5C#zg2s$DswRyh7VRxL5yFh={Lx42%#A9;s= z62gD4`&+E=b8c_dzi}Ty{2n*AB!@rw-qu9%>9=<8A(v^%A^6Pe`3^jO_T`KkukcsV 
zTNmqAq1P4V&2MG9kXAdv_wyady5z#kl}@!yGeA2`F%P>|VJhm+CkKeanEoD_OIC^4 z-rng?e%gKVpDUXD&(1xJN?`~esE}V6$kNcss`D&}5u%pt0QIRL%yJbItlCrYKM^e? zJgA(;sI$1-$+<qtU|H9l%^_oIe%`v{Zh6NQa0!4iQ@0F-rqM#d0F_EU50n|9zOm6h zK0EF7nkT(I%WMweqb3xHen1_%3^IXs5nR?0rU&^75oP3}QaZR?_AFJ9drf-l%Zy1X zwi%UiYGY;AlDrpzP7yDt_k%Ge|7;zkS5f*z-zY7j{YBKss^(%C!zqe`>~<_n2L-Y) zExFqS$YT3-NUg0{3V4<4fnho!Cy)Fj^`db2sCLh7WG2c}K;*q7U^TqDgk;@BMm4lg zzk*ae6V9knGLy}+=7O9A50~@$+}ldtAL)bz7{U|LOFvF!&4my%U1v#1#AD(s0?ABr zzLeOA1~R58lTa@xotaF9TXsU<#%L%morL<qLaX|PY-_uRW&uKwfOMf1X!6}s^C~(A ziwQhSm;ebLE<@j1#Je_O3F)-DJ<>dDdzGBWCaeSMZR*+%C5O()tOhT0z^swmMJfV^ zY_>R!TbDFhbY)5jRk4^)AVY3!IFsX(0d&feGZ-gCQgp78kIdBtc@io)*YGmKikv^{ z>g6AA>B3aF%PguwY{)6XSD}B)LH%#4{eO&V;rc7-KBB%5c`IO0RFOgw%DG7ZF1=0@ z-xb%=xe=Tvt|CxyK!H774E(&=>9r4=`@Pf7`~I8L<5r!fL$lv}#!PjWOzYz1quVql z(R@~{9IqYd9yGdmpM$brkK4Oq3Y9#oSa>COeh)0D0yG$1v^fmxktlOR-pDYZ6aO+~ z^JEjJpR=XqmIKrXsLa+=hNI02YH*BLGnFj`Ge2KYkjXL0j=~6z-Ia!<^Rls3K*0?2 z851*LAbUgMM#up{5W)5ZoR(#^TQzJ9f8JZhD~oizCxf9dRD6$^l-nOLmhv?5XZ5`C z9vN%uCu5rK5t<IIl%g^<*QW(W{h_%OOT&$JJkpF8${bdbE>SBrtsF@P*et;FJYwU4 zKfDlFIyd%BT63rV%t$D2HMR%#D!<pBn>s@2Fq8K(EuCBu5BCKD%GJ2n)5yi%Q-7wD z*o(i9{aF^Fc6X=yBlqqa&Wzkkr!$Km%YOCM&cm|a8zpDpzl`od9Mj}{f<d)sEDDE< zO2zt9t0y?Qf_mvPNiFC}@Sh+_MC{5az^13@5lpN^;~|?TQ1%^fA4q1P9hR>qG=}nr zX6BMG7Wjd@O~ZL2>#D$gFN2p=CXRC%6+D9(>v$v4+`QG5WPqbCh!1t`MJs#7464s^ zuTlYPI}5r{5}!dylKkqSmZPea7IL#%Erp_xDwnBCZf?&3SCaWlqk@XcXIFR^03@$c zX<~Az^}#$vBRk}ZU^5!mv;YG)8P@3my~s}aO2~jhV6j1MKnfPxFqK+UOa%6`Y^PIJ zhnKJU#;at<GVdv4pl(lBG)#w+Bg4gJshbTBsSf4ME&M~y$@*4LddT8f?EIx5mHa$0 zDV3G{QAPq_K_ZeS{s_tqP#=QO?RMre)h`cUqmfIkWHn;Ss)Jhwcq#BwB#MKcPgwH( z@lUxN!W$b_ju8+fjp`=EAFz2Uv(;f-$MGwWqQHC3B@c4RGp6$R`{SP;BdAJ6hIfnE zg>gQK=!3W;=5M+qv(+!tYn?$>`bvLtnx{;`CSA^DI8rV!6xhF5n-op6Jh(|p*1y}@ z-l}<OA5hkqP{S|MaH@eG1D!mLoS&EHaTALaZO_lowJ+9i!a}U-Bz~z_v90ptlt;9R znZpu(8L}A4C#jsmGS-Epj72pg`Kn5zsfu)&Ia3Ykg{O3eNmGsex3WE9B1K3om?6PR zr6X%I;+-O{hsBJNBjyLM{K$`oH2Ff*lkXuXhCbltd_I-lR2aXN1xJ#BczcN{ddW2O 
zWQv&y<0)h-mq~FHrr^7E6*>fpVJ+?rl$3cFT?xSF=jS!A(uFEB_YsjzI)=tV$ej88 z1nsUs0oN18e8q(&AZ?<TA>%36#kqwz4x3(iVG3`uvm4G{0=G1NdLdO#uqCJ^+V#kh zKaYpT%(W1wrr`&Hz8}Sr$|z0uSw70%i(jVKuIOfD8-Jx9U9)^%GC!DxanX*XUuiPl zTeLbCZ|Wp7Az24XC7a7S7Dq7xx*i-P^N!PmKlbC`@#}=mXM7F5@Z$jgbUPG;5Delt zKr(KMQAN81f21`so`(VTK!G41Ft|2X%#FK-P$!c}N!M|Rn>!=xhGWC_&bQu{x8-eT zzQ_VCOW#Z|4&JQcY>zlE+GqVv^W=5wr9*T=%st|4IGNlg**=OK@dA=e0R*uVC^I+! z7b}eEIS}Usq%b~s>15AQT>@?Sk_D;%;ctc|qvJ$(J<_3=G~F^tv4E_fzqJ$0&R9TR z%vjI|!auLwN9)6!d}7(OmUqMCfjZ$D*gXuZlGgR%osy*_*dT)TkmSUcE;$>oBR23O zTX_1!fP}0f0$;PfgRfj`iRpym$X3JJs<ZB@m(!mxZ#8yq=H{W+la{Y|N#7XJYg|C` z*KjHrCg=gtNec(CzE?Xvpb@(=PPrWmfN=u*N;6Rs8!%nCiecwxSy3(ToT4r^Ayq8O zkKkp6l+Ap3^IUj_R;LJJ&Mb|4h5XLagMUOyv8=AS%u_|fRTjbrF_=HbQn*<}@v%Qs zJ{!w6=+mV6)6Va+;>-}$u*^?iaxE2QiI<v9OnxgM;^Bgf*_BFHNZ=s5<!K9AWxXmJ z`pjlup3BnWdBU@R2`LY{Wb4T+)y4prX&tDsK#A&U@$mhT0{{~AX>a7_^Evo6YeOl2 zp9jThtXywO<vHM~pN2y%L|`egwKb!q5!nVNA({13CnHj3w)@8l!qEui@ys;|gm3DN zJ#s!>xaP4A2Irfo_0kD2;fN?2G{7rO4U5UU&XG#XSprbKUR3>0mAO+EW5Eh#So8}F zjU_tr%mP{xUAeTZjEaQRgTX`2&<Pb91W9;FlLkx1h7Xi?0N)l{&y%R}=$BwH+{+s8 z)$7%pgIE1Gr`_J|9{f{CKDYG(ULKVI<TPnOpLg9>=eF2jmKD$tfOYANvOF<R%5=`* zg-OnrA?ZAO{;BktI&-GZYN^NHI5)P!gM0>To{|u=^A{}3UrDk)1^2ImSD482A(UN4 zy+Uk=nbc>g^1B-w8EI~8c$IEhu3a;Iw@HPc8I-DcMy>J^p7vRu7lRcYu;B$wuv#8h z1$to?Wp(n95WUJvD0+wPbNWYtMP8PeOqOiZUI{sHq~I5jvgy!I>rpuP<a4-YBqS<0 zx0#Cur*r}Ccu}%cblG~yskQ<L6AA{Pee@A*IMa(DOo%%p5Zqkg|Mg2hsb}U<^Op=I z&&e?Ooc`pSZ^+e{ro=t{95D6ig8v6hWHBg`-Cz7m-+k(Bdr!8#U;M0c-Y>FX-XM(A z#9sgfL*G&eb%byqbY}?{g>Fk3=#Wi4XyFO=cqaozcGo#7;dcM`u|w%YwWNvwmZVcR z`Dx-0ql`!C>{|H_4B7<)dGuuhZV*%ARMuY9DFS5<`zRdvA;S}y_agzq6D>T_j5y{` zK04?hwO@6bo%j8-X73H5@g=$RlMt($WsgBspUbv&+sXj-nltXqijnUWwxOa{Eq)U8 zwkMZaA(CIHFOa|xS4d_RLgq=dM_wRZiKm(%B>6?R)e+xh>YEn^<-9CJ{o8zHkNo8r zi`-}2W_RH8aOg&1Jiqp?pFMH6zw@4f=4>k%By;cAa7MCpZ<yM~lXw)|f~9d^)fuk? 
zl)44KzWv>^t*!cl$Nc6SGLOYS++X5{&)8Tk((QJC%iHy~x3}EgzCR6~J@EoMP^H*M z>C77>;+xQqWko~r&-#q9s6O?>SfJ3aBdGda5Wo3`kYIK(cEum=^_`=8qV;el+SITA z`K<r!2`<VV$MgCI@f<<~m0zcc-^wDSevoGf%z(-?nLBKtQGjE$_c=uKUywrBm87Uu z8%Au)h+xT+WmVZABMdqbp65>OxvV8`hwtf<Wck)s!unZ4UF`*5@S;~fkC=-<JLQ8| zV`$)2j9fXWbA)xiS@3OuK#0rGH*Or%#PD-CMbr<(d+OY}FlDq(;f^$l+};~{Rknyv zjjqaH;<=xfT;ZSeypzZQG<dNcTXlEi3%Y=bE^nshxiVbcLBQ6AoaNI<qSdFIL^$Il z%4O>*kBI3pvtXT-z5l-~SmsSrB{H)@wbVN!q2rLJvIG!T$ARaTI;X0(^=uwR_`Cfo zL*oybCE=wYaRtsUjIAO{DrSUBegZ2*yre$A$iiKyJ7a;X6KmDQ6kV8>E2rZs;KhtQ zmZsM@-Q}}_Fh3fQM+qI{H;<Ma?g0Ahfr;)wTvz^vmg>d}flb{|e)}?Ori^H^Ay|>J zUo{iJUuWXq#?N%>hmrgZ{*C%{aI2R$6mF4$5(pkUf4H&{P<}R#WX>7hFxUL4O2#8L z9@B*IFrY&}v5N9bt0&L-i@;?jn}byDhY?8JY|cr<#*$Xevkck%z|UUQ9ah)*-3hOt z(3x_g(*&qP^kyt5D2K<umIDq&ZBLrVt?pTKzx9&5I6FPSij!6$+ebH^xYDw;as0!^ z&%o_&ACccknvh50e;?yVh_W9-dX>2qMr>S|0AS#b!H49<(dp}4MmobtFWE*IhpDmT zC7LN8=i*13WFE`33h=@TQ&qv0f+GeNX2q<u!wDTiMNiJA6den-Q+rnVMm#a846)Pg zWVuj23$c*+d?wSegmE@m>DZV~LJp731cO1e+oa%tR|#f5)7o2mz1oprDQ#HU1)!$3 zRdDkTm*r*<ln=_aZ*V&f(|!H5GMzz14y!{JoIYk$x~#3O74}k|mKC-Wi`@Ff9@!px zpmtLpno|~sDTC*_KgKZPM35jEvMACv=!b7d$ppU0j+CHEZAuq^D&3cEq1%dEBV$za zx3HDPO1id#q-+unON!IY#|MR6a?VwDA)q4^bghB;7ec*4#S&NiJkDg1-K8{-cT^s+ z;_}Fd3@@)Qk61amKMt`LNz1`pwcZ&`RM3N_ZETZy=UNE_Wr(x##J!-4+)wx{RlkG# z05LQADVfPneVxVFB5`c6skaFbRyYF7OJqNUknUQXD)DYl{G_D4y$l?(Wd2qaDkB{9 zeu7)N*k#<vTATpq4*et(o8_7=&9IY|w%ZIifpn<Lcb?A&*zk@v3H5{1I9kZ^O?FlU ztLBwLNy;E;K7`Iotigj+*LyczhHayaE}N-t5yh1?atX1@K+EbgMh~Bpgt3&YhXL8D z8O|*N_4Ha2OEQm}{2l00x3G#82bVzcXI54`2<$LXv5K>3J`Q7*6Uj88m+`I-OZt~4 z_%Ddv@YZl=(1X|RVrh9T2&ln+&%wo>nKj{L?#%3^)-?v^VLXngbo>MWTHIZlLtr=w zFR9C-K--qN<(nZ}oJN6K75ByoW0%&OykYq$-#07#z9hWtp4nc}!Gy63Yku-OHK)?w zq`#ARO?Vt>c-h=BO;Ql3naUYJV|WzGjZt2w+>Fs&!imJnkpisy!!5_Y{7uf?KKL=a z%F^(toI<%N!Q&w3F{3k|q$*QLQF&|Z56{-cALd{>BIaa%zbsW#A7Xn!1mR&iN16#$ zZLF-;A{Ikog_Ks%^Nmr}bK<A6B!(=as@~HwsZhuXAJSO7mp2Q(CkiN5e~cC+Sj7HR z76Mf{$^uZlYWa3Fk3rJmn}jnRp06BvpeH7y(!k?KS!L2}Rw})rGArsVeN;$97=w?A 
zh%we*j?Zy6LX0|3XVH1ajKscrd?J&mK%J9*8qRp%kAr@igu@G7UjsjTH=R&7okgx% zOHHpzh)v;iW@b`P{3|(;ymDC1N&Ff4@p$f!WhS_kA(}z4mL-Q!HbJGa9xNbvd*K?( zVqE-02!ZG2?$U)bO4i7UvAZUvB8kv=xUd~P_q1bo$;lSy_tDKww)f6-;UaO3=20Y; z=n#+G-lDcb$i-PQdNb^5lgz*!kR)_O6IJ#66P)oMpUL|~Dm`WLc01zv*q`NtmhveX zq=2USDPGew1EFOGF+WD3jZbJ45k5@98Ax#c9bwk%r9srI-N5JC(a_?AcU4wh8Y8c; zp=4oWHb$CudjSC*%*PD}3=4LiZhr<elmKlvoc+_2?&(p>A;ZY$yx|Nd-hUYP)EGmS zP;Vb2N1C#y1rK1-c*q3EJ7CBr-jTmx^YlmQk=?>?3lITn1WgrCmW(~ivz3j<VLbM* zmG{aYUi1=wNYDIKFl-#B6fgjvVY8QC2V%oMeC<AkT7f^4kLzE%J6pq>-P^sdk3QDO z*Hg;5Kc-*DFY2mO*=*}Lkpgb&a^==0)YUG$te9U%s8_|EF|VQ`%3-$1i5gD(<nT00 zvR>F~H=!eOXtUj}+q1!OUoM@Bz&#yC;fz!77n-K`&F9Bv=j8XB&kH+;mPDCgV)$U0 zF{qU5C#eep7N2Ct0`fFEsw(AFXH^h=Fu?^8eVoclA^xUdoE`8bG5%B4#+~{z0bh)1 zdtdw}bN5eKKptP0bgSRB%IDDg!JSsmGhjnC*iKol0hE@6SSQ$`Dt-s4Dh%0AW#N3N zAeUpOpD4>|+uSBRGUrLWSJ}v<vz({7Qf^~DmMkM81nZdn?o4B0fdhHsyqt{AD;osJ z4y&+cy;&?o{o;<C>tg8VMbZ_}x)hyCtxNApDmG}Kk}sX-2~+glXEPb`WhDhscWjtK zR)HB!bfFlXZK!%r)*gB5x1eNQ$iYU?JL-ZFu!)k?kO~xqLm?_w+A(?4>z#F_oXMus zc^t|yX9-K$kVP_`L$a8Og&|&gi63)_PCoJ%G|A$Q)_X@?OG~#2;}2+hMQKdFKTOz| zoJD>rL?05f0L>vm$iZCik;;z~8bco#7QWq-{hAne2Txat;Qeehq&ZI~3}><5tPviL zV{9a#naf5QR0x+ccSq(qTsA?hV@nlI?_JQIif@O83k>MiB5@>^l_m?aj;<#1nStn& zO46FzaEvtcj5r>dPDzN8;Ik}*$W3zg`O@RD%)j-xchr4spp~zwUwTJf^ZS}vd@V)S z6?|1}qT^&5aR^6;z-i@I0}DF8+s;_j@}j4o7UKX2L}bCg&`A>ctU{#{(9?*UnzbIP zjpS7&W^EG2X2y8LPx*o=MpNWoUS(M@jLQETaq=RKxYYb<W43_Q82a8YNr?*yg@?W; zjrZOKl{{5!azd3RPez?uglsqh35-KyJSF?hw{%g!zl5Q5@ptY5dJfP82-}w~9P&2t zDjSf8p6p@9I_stp=b6QH^R79eTh53jgwF?@{%0-@p9H|kddi4@$->~C<?DP}=J>VG zq!T5rn6%zC^xlR2tPoOIq)Bu6q#S~D2GmdUZ!T#fG;H<-rxsHkDq|wCvgi~PqHsqi zew4E~63(JI`~$Qmt)sWAJ+#zB<umJ^<Wz;%mg;W#>`D}iHKsnFyaV@JC}wta`nua| zcHbyZ+=QaUB;VSJAQGOvyr*;uPkLv2YwI|4RPw3W9KV`6GE3w%d`KTl3x_BHjg8Dt z{Ht{9&S55HxDjlg&gNK4*SJ&kEe_b{Y&8t2-`*RsqFD6pUAK37+&^p|wO+NFz5e^- zqnCfIglMhyGkjZ?`jbL<BG7Y>Cett$^w;ek3I2pXbukCSx|vy{<_T^d-jRY!GA}`# z0va2QBIfI)2v(Mk2*emRl97^v^R}+{q-SUI$1Z8^AKSbqWh7u_aK*m|7F^Ftz5*%# 
z{B%?4(NrjorQY&wQI_*)NlE}|w1E&uBy+s?)g#UJl}FA8xKu4TkK_V0>4}d~o7FV` zVV08tO?}VyQ}eI53*}GM(qYa5V|&E$lX%a+;(PvZx_5o;USD5d?_JB!o`Kc+wfS*A zZCoKy(>QRI{JKXRfs#*zCRPDzR|$qYf9zSiW7j|H<Yl?NdPiMxaK<!6J-MMok986- z%p|7bLRE5^O+~DnV!%CQSVwz_IdKW4NU{dSTFJ2T%#UD_mrToQ$5KycehmLD)79qa z8$&`)SU}HMlB%OpDLEWpY+p;z^ND+l5=5drT`@liC;mKTQwSTz^eZf`Cp1k$dg(`k z$rT<%>k#4lL44;zB3`qSuW7`jDNp_3Mcr&!tL4<!@{t~};XEr(uM@`VqV4#u(zQl1 zV|VYUyQykC0cEP$%Tglb8%q?Q`C%4<CA0LbQ(lu%k9;Dljiz*%LP8~@5Q@M=W;s%N z1lWeXRfKzUTgBf}w4eFuq@J>R8gWm2A%%SNYc1usjrdOKV~YtDH;Esyc$~>v0p$>| zrH&)tRFgJuRCU(n(o|+dv$$rNy=2+Z6x?G3=W?@j7!|lCt(3A)$*ES*%7Ew<sYb`L zY>Q5>7>;z~Ofg^%b_c@<*whbW$uCN;Hv1M30=_?lG(KYH&RsKyqhtlG$;Q%9qzlkw zbS}-gd3rM!lSal;OsAV1z3Ds6TK%0ED7h0fI;0v;=gXFUwJ>c&Ik%9IGIGU|3pCwH z5Au%k0MGJucj%1q5Hkk(=|raPRyD;9cs|cVd0@EpYkVv|29+BP9*d*%*vvxc^T+;U z9OJPXqgKMHv~DGz7cmsCXGn*w4~%hK^7oijV!T3;WUuVjvG&d-(}noclUtzfxID$m zA#>8ph$TY`QbQuk!&?+w-f5Pw>xDaD!NTR?uY%^c?r)w@KXB7<O4(eD@oZ~_KH`N` z*2iwEAb@FV&$z5HwMY2?)&X>7h26|jk<hCoOey(yef@H$R!`Xljji<8b$=GtF@m5T z&!eb*xr42qmqS?p@b8cHpEqjtb#J4#6jF7kUfr%&cc0%o|0R2%xqzGJZcdR*98)5A zl&Fk(x#QLCo+_T2$Xg$-m+Qn|)Qmg<%EwCQr_5d_1~G18-4x8#Xr<pnhV#-$GL7G4 zZx+v6jTtW`h|eMkLICIena_EDLVbY_0?$mEJkPb^G|ifjpIp%Sx~H<Hll#i&)P0vk zI$X945zkBbZsrM)%p=Mxl_d#5!AIA08^He1Ny%Eak_Zt(nz3f(s?0gawnK>5!}JXa zn`=M8x}X9ggcJexr^H`;{>$}_SL;%~xf<gv<BMO8mpJSH3TuF{_4;qsnqUMDsaJQ% zAff&Rm;$ps>xiw&ES}=%?vWSA?;-UI#+%4%JWY+X>0&2xm--BipqBY}U?M5|$aj!b zTK?2&zVCNiogZ2q_)mMk)i+1Z^%8HTCB4p0JH3}>lM=}IOHM4GYWgAbv%GsukqT+Z zcJsMw$~QN}`vDIFc2(IM#LsWibSC=iC#dwhz4w&~C-%;?j^$_33<C||85L;8B;Woc zus+Np@heNzVjjw+BrwUQIt6&2z@@TD)itxSB31tYp0&({D4WYNMTYg5QrQN@*>9h` z?zFmHi`a8w{1S1HEYr`ed~>cOj?70Rng}8!4jYY}mAc-0?GiGa%;O6h^wY$T`G_Wc z@Z!O!x95g6#=t_!>!wr!GLN2Nu#p<`Zfn2O>b)%9!~;4B<AC@vCQkxou2KLhBaNR> z?F{eRO*T=l5pwO@s5HXT_zchVQNrR>Ynb)e`z%fq7DWOKOH^HDF`6=bZEXDH9<t=h zPXZda8yg!0g%O$7X&R0vskR|WbL_^(qdBMUNOzN6Ac^&(jSXe(!E{?!A*Z;j`ZYfa zqX-Wi<5UfpX(FUC#(E)zDM{#%hL<Wj8k5M&6g3vcJkxZnG;MYb$NLx`=JZos#?+qK 
zzewJgQK{CxLA$#37Y6pahBGT}jWWP5$0-mMOLC=8%NLQK`X>(gu%)R94((DinNPt= zCcSKang68rkS)$rKR+>gpT?wo`#w9V$R9)v#Y!q!3Ig<S6OUS*nA|FG$;MhZkJy;_ z<8eaAaPw(p9AxO<Bm<vYN%T!;Q|0($SOc>_ang+aXpx3PE)$U)Mspgc2b<(9fe>Lj zN0tBU#2@*w52r3uvz9j!lOFrP2&Xhn!eKFfoTQV4&BwT9;;Lq&Z0IsgFd#t9Rot0u zuTohWBNMT)t6RG>J<Cd^hxJcpOgWl!;v=yvzrV5i7m5*zKg-aF3;~<U!bpxWfOpeE ziKI^*IRLfd$U9C)^N2)Ye8DRZsEpA%%j>Bg(!0|;tV=_xfMEJ?uK=a;kH5^v+_7JV ziHu0Flqns0NfS=bggj!UmG-8=N@HwoZEZb!@&x|7wY8P|@AlKJ?VW#YKiS%Tw)13X zcWe6}TRXeoZf*aAZ2jS@|HnW6F&8Z4A6uV2R(^5+C7(6r)n_mkx#0wMoOJP&aH-0Y zNsNKhSq&>2gb*2fn$vd$xwIzWO*Zx8z*h=v(aD150XP$mPQ2mgCTP(ld5!Tv;%zfb zD9wc}2^J)zDjC~EK^7c^G{Q1PDwv2=tlWI|Z6M|898}1`t8%mf-%{5iDuJU#7WbJX zl+PI6Sw^i#c_Srqb?^Wnva$#vL?Jk$exg+2W`fj{*X@&^g!tN=`NIj7Pe&7$z7A|v zyEgBzn0!ETxC$@A&q%WBKbBkc7`CVeQ#afR&3!feMdqAxDVY~152eI2`4#GQ38ZYC zu#|3W?8%Opx-<}k77pg(MGg1Hk`cvaB14{`9~x6}|E7M3;kMwV3V87#DI5|%ImC*j zP@~=ik0(T|_)L+kT6eyfWjZ08MkDZ&r2+V{m^RfcwvEMv`ol@75gd=o8J3gH4I$Q% zhZ@G@95T>lx#>XCGCY{|BKJ+N*|Ob384Z$&zvHD6t=LJ+`4*$g*hoHM1)2rz2+GB8 zjLS#-AY@if%L;)GGFNXY<LK$gIBDfTuD#H`ijgQ}ub2r_ioKX{-IifiC<Un<fO1Pv zZ*R_{zVe6xtL5c3{=cXGyCeTA?G>VfxpzecmMSA052>dkG|263o%0AS-$_~utA9Zk zp91fKE;4wWavrj{KLn1$Cw@YMy>9ntZ+rUOSh3(cedJ{QVK|$JXDrd0hP5@x<w|V0 z@`oF#Rfu3}#aV~3t;XZz_EwDj{DJ*MH`PaxKb4V=<lv;M118aBlPQN-^GH-Oy(3Ma z{tEfu^?$t(67x&%aqXjbbEDHqTgpsZjY(E(_FM&6g(I?F6&$;N-PdnGq&CtZj~>-D z5(!*<%i5AEA5Q3$Dm2_?=xEMR&jz=kk?x6SO%NY_@zwwy6DjUu1>H-JdeJHkr(rxc za88qiCHDb<MxuYwHdwVyfmd|k&t`R^jIqTIX6t{g%MP`Ftq4b;omAmD^i_j64l(g; zS}eDJ1Eb}gwn_m8%$3@LVedf+ybu4b|NIy%AJr9Ypk-i|cipb5UaP1KF-dHH>R<N< zELik;_$wt_`V=Z3Tx&D~Uufz}s2}vDjhc|}wzl%Nz*X#pL&h#b+6UD%A^*Ga@4B}^ z>RBtbZ=gc!&y$e+Z;loar{;E=<I68(65G|z>Yl-W%vPomLa<tM7S-)+&bK9a$maHk zPvt(7tic3J46{r4&0f7;1yfvAGRzrEQghh*M$NRcFlS=Ic|c#_eM{zeH<&k!r^Nao z7_q9=Cm_TULaNxz4+3izBbL~#;8qtXYTLq~?TPsS@5oZSRY3~EVNo{Jb!@~{C<~<I zqRb0Id>Bg^Pe@+mHBCzkOB%HXQQsr;X`Gw+4Eg1dxG|~fjDm=dtahE{tf~s<7&Ufs z1;EKMODOqJ@{_K&zhX)ml?7Aws;3F1^{LNOn$#g;NnU7T5HF~qzySYunB@q{9Kebz 
z$vR}OAN-T(^&5-L$7D)$_*{l{h1ci^mqlb=(1n*l?9f@{4|D20<KO4%C1dPf>R-?p zb(TD(GqUYvlU7toq{t8iLR5o*Jgj(4W7MHRzWafA#B+2Fm8HN)nPe<JWzU)w1>rlp z{uN~2Cr@@uB-(#&{o&&3l3gcDzW-Ywh0ost>E8mW)#i^8NbeK{mz>bOe{TJAJ11n? z+q<Huxib8}CC9&z<Vf%e#`}0TlbDQz45Ko6LAlK1WiKvuNEG1}?)0T43H>B>voe6W z#CP^^dX`T-LJo>a)KEIiG`Tnn6*KA&ClIIt(&Iqc4wM2?<rd2ptd@plYEz~QE`n~j zX)E)f%RRyK%VatuGn}~cq{`7xNivTGgV`$}(@HFdHg!vGzi*<A9MX$1Omf6O+Y<Hn z=g;`8VE=u0_PWzNX!TD{d#&!OHed5|xBYkP+0M>(&i=dgboc4s_TMk@DYO6XgK6xY zR2PT`rmTPfZ%S3yo~tbTnM;*usj}btX(o|hVi9PL4jX1YpnrNl310Y}_Y;_^kpHgZ z1Z3%GUaM4~o=_^2T=^uXSJHcAN@GZK2kv^2kkb~03ah#}&ie8ya<xqvP>W#{oNR0a z42o9zqY)jZVt}tUHYyun;Wk&`tJRTN5;Cx^{?ofguRx5R)alb@x0De`5t-_qY$W=C zrCcHx-s4M^4f2o<A~sNZ1;~p-t#iBorg`$Zb#(gLn+7UX$R05~DRDyLW|DgWwVAfJ zy=!AL&`zp$P<s{`^=WjCB%b;y9nB+YRyXRl$_feDfLTJ#U=A1o@e{n=<OYPX34qTB z@|w>_gUX2*V{`K2^yr}9X&tqiUFpW|X0Vj!sZEIAA|VQTERf&E#=+^2C%yJ@i?q9> z)B2xx?M~}}9G-Sa^MpwDh}7|yAycD9DW4BiJ_esFDg=sD^mqQud+J@Edjw9o`ZnYM zdEgH(gfI!^e*82Xm|lu33UvGR^DXZ?@9BB%E0veVHkR5IU(NKeay1n~HlQA>{MORJ zO?)of1z%yz;&S0jg&~U#xS$Jk2?pr7IfPtp5GD)rNmr6l7gCLH;6Mg0GlA2{=sF*G zDyyqJnesGd`-pP_ovSYPVy%x?HWWd^zz55Zg;?2ATy7Gd=u&C<;>||Q6YU!;c2F75 z1-+{3m1-}{QrQ_`Sw=-wivBQ~N0F+LLa!kw8MweerTqswlC+@{xRJ!c<JPtOt0wi4 zS&g|KBOF2?!YSQU!?HM9kSR@lu@a1ov*>6Y3cZl?)-~El_R+icTswJoaTPcV@(sZW zoYx2s<6)s97p9<sa&jRj%6J~gxhfVTUQ60_e%m9jA~w9h9MDoDXGc$vb$P7$WS$1> zDz3@CJ03Zc$)L`0Vg%=Vp6%#)Gnj_)IdNZ-^ZY8{OVvaC+XkZFoW4i)m*6RtSeN() zh040mmmmfFG$dMxKTH_sS&Aq%+CYrP7^*0_ifYjtie-%yYOR4}X2SKnLyLJ2o@WCM zJ+dE#xGcoSda9}@r%)A{O_82dpIwi1=8`fjuW}>jA-z&O&?Bc&V3%}9H<g4=*`@R= z675+`HRmyru8ZD+zJ*@TqHq|d#K9{=@DMG0ME=;3KKpjrIZ1RK(WSAV{M;jlei+Fp z8|mzY*Az|<h!MPqvFBHEMo&D<D+Ysa5;mi;T`8bV*0bOTCFUg51^;gJs0jlSg+m&1 zTJuQvBAfveWbuIc2}lB0;jiLyffHh4B0J^>EPj-dE0!b+<!$#UC0rKI68sBKI3O1@ z!jX20YZHSdniS=RNj`<lNoN3{*C}c><Sd>VM@=51&pT>15Ob}s5_W~ej}?y$>K9kG zI1vvg`xn}q%U!U!ppcj6_L0MrfYZAFBs}v-M`E&+XGxZ4+4CllB|c_Xcm@Owr<n9c zNEMKPoF!8~60{`^Ab<9Q=>M_L3h)16SjP=_)5uDfv+5Z4y#KeJJj=iTcfS4hZ~yNv 
z@+rGCWZdMM5U>uzYXXs@EF!L(&^f1)1c*yi_17+Gbvmb=Jq(3|>r37;GT%)CDfm>? zNNM8L?_rQK;aQohF%CYtC^n`3c#mxFc)Q+~i}j)1?JYO?c3bA1#!hFtO1K*9lhaQw zOD6eeZ`kkrS?&Bw&)-iu{HvV*C%gIczx(vb-{=2JeAdVj^_8Ur^m}wVOBWc$%CYE` zpOXDHN#-#pgLxPQocLoujCpE#g%?8R3}W#rckr3N0He8+gZ$ZB^oM>{J^#sI;ii;- z5(~KR{BM1mzyEi)w!Z!Q{C|nhUFXt1Be}#cfA+-x{`@YV)z1GoVgo<=#OwdQ^S`^j zwUxjBx1aqj|9_FsUt0dZ^IArl6wQ=z3dMM<)Y!M)_O`cEAq352Z|P!>9De4fLdY*H zi~&~bp3mLIvsKw0M^`3I=PE@qzI}*e`00lxj5fq8-rkzc&*o8d#-ebzusfR0HPFzT z>6RG?UG7q<h+OiBPaYY6xkK}>l+A||vSgH{QDoAo*)>-zp_UbaC9YX^XxW;Ujb`Mc zDb_c_;qrBf?=I7uuSp9PXK)Y@n-9W7&zy(9(xY%1rh5bu-7gsl*LzoWraJ~TaZ|@1 zxKk*#{P61GnlNQwHwt;`(scNz5oc+ATXEW>h+Ul};bj=nF>Udok98T$T<e;$$p?o| zoK43aI-3qu&U&P3q=#H37J5Wpz9b5nb%_8ky-uH#p`R}K<!S<TgOWLYP69@FMCpv| zZas$@9L~=x6S%pF7Uh;~ey%h_Np%LZ*uw5kR%=0*TX?#a<!iEwG+1>ScK%t?7fUt# z+4tAqpU?ZOCjV)}ud8ZAJwz6~@BO#?<lCJ5_vFdn`rj|}`R|qgaybAsiI%1*{j<^h zm;J1E{y$aogP(iP|I=r=^S}M=_Rinu|4V%CIRCi=W(e73SvK!6-F)Xg^S1wKnQrbo z;O5V*>l9p&Aejb0o%+}NERM0X0v9s&&i#}8v$6fx`>b&OF=Q3_EA{x~!DHNc{+~SC z-F^BrfBtv=*8hB&&)Qe@K^WJ;rM9w04kLfeD~CtT*ZubmXW`&KPZ~~)|LpePi@&Pa zg5ZBoRI}4wzj=0c)ZTBtI%+kX{z<d%R4V)LI-S-@um3}<(`}!gG^*Q`%8#Aq*;%X8 z@9uZnXT5&!{aLHuIXgaRy=pl4U#GOq!Rh|nR;RyzdVF@;Z8aSHTmI=(D&5vex7}<1 z(CWW!z3>0fJbEYQ(dRVgVH#dStZ#o31_6!xeKEN;(uDwC<rH*57rfGa--Z6&H_cA# zpbw=v-*t`}4hH+83*);aa`G*^t^IeMcJF=v`_uNx+tz#CLp@(TsX1ES^SIgVwK}DJ zwGK-x)b4(AdeG{(4|JcH1=I_J!Z6=Ae`vlrJ#J-7@h|;1Y)XqD51PH^t7f+ah}Z4a zec`2x87+Xf`XKuIXQ$oX>rSiNa58qjyyHQq{X?r$94<)0OPVb2XKs(~G%wkrtVg%i zIcXl3EN#wd0+}+F_Emy!v9G$liui0DHM_m`ez(=^?7y+*OCz7B;gC~58BR(ko$H&Q zc@Ds`>Dy2WYp|hY3%L`@{?R)@uiaMf-PsaIvMg2?m7903?4-Tl?Dh`ZM@ttMheMyI zhhcQz`plUrPVm0fg)@IZM`0|D-XVB12lJs3u!3q9k95(2O=`~24^`$mpT}V;W`Y&f z)`*yqE@>Rb9DE{WB!9{X#y9H<VMD=;RORJ(#H8ze<}T_39Bb{BwN-JamTM4Ur}^qt zyLbFQ{pLQfM_?Eh5hea$5T?if@o;j;LToxJ1=2pd8$>t*lneY|aVeOg7`oqm-|e-I z`|q2_;xGUMhUbN2v=N-N0Bk^$zYpwCuuktnaKG$V<d*n5vd4Uj_DQ$bJUVK1<S;Un zk|uJb${KkMmISfOJoV#LW)Kf!GMMu)rks<Ajl*FDmJ6J%+iRX2G>=YC1o~1x4*ZD4 
z)G=B}>H`!t9DxY)SH(ygj$#}zk(P`FSw|&HO}q4RQptFa=BMgkPWGck5)H@t(`cqP zvf-$IIhBe6*FS2$Y8^G4%#GQp*rX;Kv`p%BDw;av&mEwK>3^I`#VnXEe>MC>oyzxz z$NTDs;}FtosGRIh<)Gc|b=t4q_1dQ=s?mYU?-;V!sX!eH`O8m<zc3fGe|pkuwok;J zqVAvka*QT)$&!pFiC$Kxb<nm3NN5mpv6HgOyHEHO%A(5D0Wu8A$McQ;HJpTyh7yW% zg)D}2qluj{6f>Dt%rpdzE$^uynNvt1&q+cfU*<uCz=tfYsLF9rIqRGrpY?$D`UmY! z|LAnTDRA0w+GauH1J%>1h%;Z(JUc>SsD2P8O9YZP&DMz!1#@!A#K+R?furWsJUHn0 zPSv3i#DQ5$e2K@{ENUTOKrWLw3q4aDTr${y;oS3Jvx!f9r}9JdsC|H}vRi0c)zYq0 zsT{Yu-RA4;=qaYsaC#F;G*ob&*145P)jm-AFmI|zFwuO7Z`k~Lj99B>U_Qp{Mk~!J z_Et|~jV0&NAN_F$lif~fobomN&iu+X|2X#3B)qQa?JMHtfLTSg6;g6*k=s=4o^6!; zSKpK!t&J;owzh6fMPqP<YC+=xP5m(9mCo65|Dg3M10rPO{z2=o`R=IKaB|-D8UIlI z6k%ldK?X`3oQ9L%y$PGjpcts$qJxyel-nM3*&q_h%g5*~W?5Ov(g76@$biC8T?#S7 zzY&T!!DoV6vn_g`>97(b+^mRk$K*n)_j(O8nuu9uaggsiQ45X54fqu*(Kyw!&gsFs z{T^KI4hdr`7fQ8o(bTNp#is<m^Gh%o?imWKdi_QFOz?zGtJ{6K_X3I<nMx7I0{i^A zJ&Wu*TW$DzN1lc<<rLnD|KdEFvVb<EHRkTw6z|X96Dfgl6F+QT*{%IBEG?PHb>c6A z!OByh+#kXp;fQ=7?ytnD76*06&(9&Vch+q<VZ@C|;b6b(964l-95OJpOC_YNtgc>U zaMBI^CVmo{&J!GA6jtsWWS&GGk#pN4A4+EYvs1aPbXu=lKmFy8n73h`C~xBrJX79A z{s`SS-0yd2ybbG&+&A!NoC<G49)df@&}6S^?B69+^sy?)2#k9Da(>^AF}Sbn7-+dM zYhJxWZ{t+fAk>evK@i5UJSjLxQ3dOl_yZbwq^rYlr<8L{+P)BvW>o8m^Zc%JBp_YH z>?$r^I9hvBI9*zCVlN=;aGx&e3oj*8;pCT+X>Y8h7#;3YZ8?>8x1Xs~%RrzK*boT} zfx>=attKy*JTfy`;$brLU7)lKa{qLfiLoW%r7U|t%%W_Ydvsdj?fvj_;;!{5FOzxI zX4&8lTD@lbsA~&yrD(iEs4G!%mV(esqO8MxYE$vJFC8vBre$N=hkI$)l@zbbreK_n zvMJbya%tC<w6?k9xfGZ_qibYeDj$`q0DQ$D^@Jh`rL;1&Y9>9%*EJMx0Z@=9wyi5W zjo3WaCDn6k2$_mPro<6X_<0=Agw$y|tSb{o-PGYp6qilv7>5T_h(J|Yn>-$i7M2_i zOMw)4T&9l{yzF}x#sUi}5e8N~gl|-tD+<X#LOvmBf>r3#D@<t%>2h^S56r`K7WwIj zB~$NXy#8MEyBS^^Fxp$XkhQ>qX&952q$`mJ|HN87+0#6muIh{!%f4TVCuzgVVae#I zaD(Dz_QStF`0lSw_y26U-~D{E{cQ7Ah!eIjku_F=L^i$38d0i4O{+?AZj?IIJ939= zTM;j$1O%0P^~P3H-Xbju&X8q#P+9suK+Q{#++9w7CQwjCld`^elo}uH1GXkg#k;4I zFyoVV%(yr|!&X2t26h*Sdv*RR<Cv_+bSOj<ae(6pGf>F%*5bNloYwAKRQv3{C55v) z76jezu|Ak*QyOa3YX@aqO7N({`4aLJ_zZJWy)hp;w_>ME$s%_kG0}QFq~#}517G22 
z-s;1t4a>T}Je~T7{OMG`=u@X#{u}gu|AKeG-p$tL?FTr2TbobH&Y$k4&tEnJu!>8X z6{wKLex_aa1V@l*uf+DE@&6X63d~po8nJi`M?yT?$Y7o-26=jN^d7RGKv-!^X#fgv z&d3F&Gsu#e5=ep}NG)bp9@)psW$FuRiD7G|G@UTarou2?tQ40uxoVm?es|PspB=UO zXRrI+{WmRO3z)+Uf)5HW7))<EoY1MiG$Y%Js#T*xptNc{)>e&5e@xS3SjXu+oz2tJ z<Oe?q{Xs;*F@9a;`JKm{rlfUv*g~?G3p1Yc7j)5MT@d&h)otSk3Q57jOL~mYi-z%A zLis#O8_pI!71v0_#@#TA7Q{hNkQa_664!g=L)94PXY6&f-xo6IK1mldN*uF=Ltc`4 zKrid@Jc`K9%Wt;HZ@=kLtN(Je^5p|@s`$M_8V%xXIppWO+QppSAxIgL1jG!>W+pxb zoHd;4y4kko+@*xM^rI3GAFDSeh}%qu^c8B63SEjyq~c)a`VPV%ew30?n5~i}<Wdqx z>56aR%ywFbnnI@`A9|yRjYG~xDUj*F=aYIG&iX?Zv4r>i7}5hzePB$L;eJH@q~Uy| zAGW4WW%w$ZQ}}E5pU<B@fA*dDu0w-^c@)9d+s}8m#dq(iV5jP<UD@na5{@Tn)_?oE zZviNa0&F@Je5N0<@t7vBX?n~8+VQV6)gzG}gY~q!?PThys`ySRrP?Qlr!^x{au}y0 z;$Um3^f+j}diT26=4<W{=R@^IK)d~!SY3W>c20^tsyAx+w_o$GdG!Vnb}QgG;%5Nm z5GMx>81FK0h^B`D1QpJ00eim->Z&)e?_xsk)4M0N5|-U>Ej&LM%@3NyikN;7Ooi+< zvhUBr)Q>_=x$%;TXewkTDH2LGj=3}VO>T2o5{|>zj}%{as#0TzKLhCfiJvs8>mb88 z)tg+Gy{*0NTZjBc{HqJ{=mr-{QZ}E>XtG}2s*&4AHJjbj^mLRBSOB;!L#^b1dJa{) ztAp4O5*44(A@L*52=^CU)u~olp9Yjfbd<Vj5>BTy03kr-#*A5-UDe`Zg)jl1Q;+;e zNdO7I5-4~G+OlvOrk;V+Zt4#&dWk>G@S2_Luif1(j>lW<>-JuC2Y2<>JTbjVLj9nm zyXZId!#LkTmL~2kX61uE&Bo*t8bx}{HJB)AAE<@<ShPa$@{~zeBW_Mjv~M3QnHvI) z*x2NjxMz;lTpfM&8}<?m*b<NPy>5U<-&VJ?6OspmyC3)|C4(>)J9x#C3r>P?G@=QO z(`b>E)4rNeC}WLY4zEw%)n9cFDk1NS{(U~5%~+Dsps`f}fUc|3iI#~E#cta|7JYs4 zPMwr$p-Ii!_HZiR<I|Z&9bDZ`^#;M*W+KQE!%uY`=Q$^jzdr1J-SfWQJ^4R)(x?tN zysQ1z)|PBP3K5&8R0*^r-Oup4=5;;`<CrG(N?-hIy;i}Q%dZ<w{kM-FUHCuTDhx(M z|M!65P%I%KRQ}}jKV*x1dv5+pESuAf1iV)bHB-o1(3m(Mx3;&k?=jeMTLO$}_K(|2 zg-_U37vX7?uMw!Y4QE^ahLeT$k#A(9WB-B@AF@gd{u-v7oXNDK?E|uY);_3Vx9(Z{ zq<_{vXjH$FUEhXLg!&i+uU_sv9LIjNDGQ`QrI2|-*cE7zWetHe@n^)j5D?t&NL2xM z6zaC0o|A7(;smi)2y|o%R-Cd~e#MgO4>1yINO_~WKI6otBk~&=Cv-;KtD!)>8tvAR z%$ugfG5S4jXn7r;ZGI|WQqqY?@ai}v>pMDIX~>Dx1&1lrn#H>L6Lv-BGo`dZ@tfDO z6Hzq=CGI#S+l3QRKoR-oWjR(<k1Ib+Wplf=aU8_6sFi!S*w)KTnBR8t0#Eg3$905g z<J?wq*4_QnlV0nmUh!nh9~#y5A?W4x;Y6A&J^^xok4|6rU$x#ee`ud}z>ny-)oT`q 
zDFNhE*9#IbN@+Fg7ik=-%6{_MVzC><LATZUp}ntNwt<Z}xi-B{b02-h3%|VSw3-JE zM_hl|Z@ESiTm7T<Nh=diG;)<dg7QdpTS*~B0N~`i41jy+)SV2>$)O2nWt3`eUnAz% z##L_rAhtl_-}+wO$T=ul2q9H-P1#=pML9qqb<~JUR@h(pG*sk?cST#96kRDN4Z(UA zFT@K{zlt$IX~^Xl9{CYHi-!!n5J(u0!Z=JRi5Q!C<Q=ET-cv>bI+%~)%IvYjFe-gl zRByKRG0T2R{bWqRHM>!ADmtx$c1P^i>4{=t?L#R^N0fwIEN13&PJ>P24_K1s&RGV2 zwHGx&&*aSk75qM#V{S5<3>c?m$^!JtfPX+b@WFg6-rEtoqDf&QPW9%8R_E1ex7C;L zg|8Y!Yr@IT<eP7nwn~#Zy{8F`UR<3VS~NuY1fE+0)^ES%e(AQ4j@}m`<Zxu*N%6Tg zRR$>A5pm~|fKk{P&~{tO4v-eJO}V{uS8xc-8Di{Ysgx%(FdADag@F)W1%VKq<qyNj zlm+D3ldaW&%3eootX?ZTCt`n$#iOCfSRC^5WsU|FP!z1k#&s|Et8fHPT0a6)z^%%t zrcBgyEGAHPD-x&r|J`{3uDCKBK%aL-PI6rbf+W=iY?5rlreN2BNNYK4`JKAt2-(O` zG+ow89icm#=p$sI6gLPSMe6jF-Jyj><mETdmN8?cvHRnZ!^JRPYE7*qVHqix&((qo zY8R&f3MwMDuEUgkE-+Y>0JJUOUinG<Ado*cJ152I!L#BaU`|eZts<C#F9dyf&uCz2 zm_}4-;>BUk9?&iouczJJ58Kn~4Ya$3KUE$UXq|yYKZ{iXZ`|`CYDjWl%hJir2cI>c zJ4Y`YP_Q{ebM~2wckJeBGR~($fu|l#J2W6U2`P+c^R!{>UtCH)!bb0kjfWPuALY(h zZUvy%38nGFK<z96g&O&X!P+f@CGWMq9|T8XOraPFv6W5&X|C&jjGb)bw2WH5cQ~B^ zS_1GanAcd$_F2T{iTu$z8M!SKFmBgY{E+tX*=eWOJn4~DyHsz~Wb$+($5vEyZ^Knb z{De>G*x6>Z;!MlA);m2o#nKW!?g<u1@uT5960%=J<8eA6!6Npjq2PoI!Wk+UIH+ty za~cQY*>FMpD7>I0n{)3edeEnAQRRdsMY=|H2mUlz^V0KPm3<7oCdB%I3HypnXf)$w z&UKMpt>nI<j{;e|AX<<~h#^TS_6PY{7SLXkGUtyJBR)92qzObDf{zI&SCeo!A;V}6 zh6Hp!i8)hMmKYd^0r4D5txJIC!)ahjy642j_l}w?H+@+iaRn)5L^Ss#82O(!>`F`w z>PuN3AXk+9GUusSBANP&0R*{@<`JkArIJ-VAazwQ@sOJNVllBb({G-gll3s>DfI)W zFglzDFUd<|{#f0rIOC8jhge;BL!n5HFqo%$*;Lmv3eB)KwJmDdm9+zzxEk`>h#5T- zBf(-pCq=L6kUV>7XsOf?M{LY<k7HA2U(;qBq)qvywh-Tp<a5bVl387a;2kE7>Ut1j z<bYEZot&C#W<A12#pl-=NPi!Q8;Ax7P7OJ|2*QN8GopVG-+naut;_WY(W!m%n(UE% zS;-?+Rb6L3<aEj${MI$J8kT{{P7G|7*nmBvC;MEloYdsV*;91w859kfu`o_~{$R;A zYI`I^)f4Kj(|Aa=T74de*B(#(;RU_MGFo5`*Y1z??I%y4J>9NDNm*Bbb^SPSQ%c>G zxoRD5#Kv5F!P9`vQ)uFgFQI;|8^&%rp)U8Q)J?;wHA#4az9cW#Q%Z^JXFFDtmPM$v z6pn~b#^EIe??D-I&QWcx(pM0kCJ+$G1^!c1i&xgjD`joTl)3UOWscSX9SSZLrd(3I zblQ|ID-^s8VkW>5(uFVpGKY8O9trtdy6EazIMtgAy0~@7H{Yo4;Iq<@oFCrC)(_Pi 
z81uGbL$VdS7j$9E2zuRb>4G;L<v;rydRhK<K^MQJ?1D;VWlmirr&z9&kmiaK6)Na` zhCUZ#8s=97CSLsH(T6>-vhMx-Nc<Z*h=1>7oFdazf_KY}2~@o4{+Cp5ti|1upFuIC z&qT%<w$)qhwo)0>^h`YHwU^N8=q+93f_qH7=di1#zYI+mbWuc-^y3OS@rUUgt~gK{ z%E)9%7i?te7=Z~(J>(cGJ4F#0`r^u($MkxJyjfkK((-@=YO6lnm^jNkbBqODBFR;E z<dRmU(P~MOm?FhGieycRAtqI`5!fq`AMPWUJ7QW_Vo>7uhkfO0_~!Jub+@KWzRF8f zss%U@pBk}oUGi8jVq=`HX7P9Qax7h2cA;2Gy~0dCO@;SBJsq$`bc>T!R?%iI`1K=5 z$H1Y2=`5V7>)z0Hw^IT|{)CikSEbNSRG{ZhX)+CCP;{2~E{LZOz^<%mv4q9MKsDY* z>Vl9~g`8|)>}A2@Zm9S^s9fhU233q{is9ElVyJgTEv4;kmuvSa-gaLt@wNjMivw4_ z_C(7Hr@i;5(Hk1gXo3~pz-v>WLtz2}jdT2V%R0chxvT5|Lw$%)-_q~4diKn3-Zzhr z@W@Kt7%J9^Yf!qIPBtk5wos6Oq1QvE|J<7Y-Dg{?CyT#{85d7K;yc$`%yu5@a-pA$ z>(65(@P7p!hmg_F0CHKl35miOk{|2YNY(SBuldLL5!`}dEF`~|FD)iu$iQSx75kF` zS7N1pyhy<r)s=+?&8L#gj6n>KgS9nsAVckFd>JMzhU&ZO=yQC@;supX$oGeR;zvyV zsl_7!=LhvN$OJGbC#%x*WTKPL)vMR3tgVT@Qi4)b*^^&4mVCr--yf1z*^KY$hh1}- zz)1142c$4zJhgksIFHgExF#H=BA45WFLSD;?+;t?Wuv+dJ5J+E<<#(Rf!u;vl!+sS z%e>@twc^Wr?@PR5{FJ<SL0Tt2^t-)gr>7mID@$>=6yZyIlt3ray@tjq`m(86TZiGo zk|v?;ZD#C#)OfVSW{!ASvFDEHsk`1G5M36e^-Eh!S1|I2+4&fM?e0onHwDmvcbzFM zX*VD-?dKpS`9W~R#vPU-BgrmhgO<?PL>zRBC)Jz7cPINN&EwXGt)FkztvU7Mz=szn z=qtHFMB=iSEY5NbiP%_vz2m4SrW_+H#~j9_AF@+bh?0AJQgZ8ttj}rs{(qptK>3|3 zrFJA`qxqd97p~UQ(O0_j&GDro0usZ=!$rdh{4iRWxB*xHOM1wnfF=z`{uwwG3$N2z zLODM|Jo3g}m$(%Fy+mwv$YM|RcBK98o(o;t`0^*dFb7A&T}8Ag%xdai1007q%9%~+ zpHD}x{NcrXCdaYo_~22x;ji>~;1Fl$sW}V}f2F62TFnuTHR{!IklCanHU_x4%Hc8~ zK+^cn;@bRBRVU$RP47?;!s;i)Af-;p&d<J5qOMDZdUX1_bJ}b6TKlIbhZQxBJhN3z zTKMb;IS=D8yMVvsY^ynpV#oY`!nZL?!x2={fInFjh-XaIqETcpeoE;z`XkWmR4_Rf z6M=vIGpaC&`}KSG>#6%S=G%a3)zzB}`L~tZioL=bF%){$8v`dob|Lr;zKzV|CU~5# zV%z4g7F~Zz-|>PIAWA;shdh^(Y0||{?Sn>jJq(CDua!4A@uyTZiEGBSS+$^u169pN zRHA7$2dU6(S<;gQ<(ZAyydHFmm^p^NLU8^4gvH;p!68eI6ahbs<tqXnK(*$PaSoJ2 zwc@1EQgD^^koBb+xdrbh@@SZ_IQ0jQYWVCCD?wiz6u!mJ1$d63lF@41JMJGD`}u}V z3s;bFHSJj6BX&-&z>~MStIz9?R7=5gPQg!AI$MV$GGm;F@F-}fDrdx$B~YzjNHXcf zNA(JesnWEZcI_Jxarg>gHk_(4_qsou)ze9s1n$gF(nVdj&i>_8a#{nYnuA#s+6sdj 
z&{UfxyQf<&+rQ;RVQ(VIYgmTUpi!8+b;@0rBOfzSBpysO9hRX6n>%C;eAx$#OTQyH ztfXr0c<Bv(BbNk6(QY0vimL;yfQM(|j=RBH`*U(@o~I6!q_-oP#S0BtH~gpsHo;ph z3K7DeIWZ^iVbz((#+*RtAbv`AcK4n>B@;GJc<v0e<CG?se$;TDJ|#Q5WCQ+J9ZqdY zBuln=%mTpy%Xw~odfIH#9%-Mz3=}y3ZIUZci3{wC1Lw}co(ATwMAZhu&NJzSE)Je( zKJg_UvyhgVsz}7MW8zfp*`v4<v*JNnm&}T|QITYf_tbNBOPLsSYUDSf0pxqTMZLE< z+QWbwoPKSMD5;(rJ1=AtU-3oJ=+F-%(PYSCOz6nP%UJA->J);KO<9`;Dohv5jcf|~ z2F_y9>C8|3DNSjDFsj>oV8B%o__05QSA2EH{(i#n`vW?oali?SiL50@V)1TSTO;pg zLW1Ch?>lgm_#QcFRx0YGna5=Hn{DOW1g`pm;=XG9x<sGU{{Pu~6ZlAu>R?<3Z1^TI zd~pIH1e<beb|tN)8EJRDHnImiD~)z#OB#7**7jN}Yg^MjQd=|K<L(|EXb0ARzJw6K zjv){OwsQa>+&07}3D@#*7y<@91Hs^!KnUS7hJ;`f%<=!#*;UomGd()iM=bbxrS9ri zuU@@+_3G6-M00%#WChY7LCF}lg7cQ40WljB8C0YMjokWntC59oJ4Y5}FsvZmZ<9DH zkA&+SaxDyD_`s6vZ9v-fVJ}?WU9s#Iw#Nw$Az4jd)TvvtX|qw7MhXbQ={4O(*DujF zK4~5rSbId8gfIp8MSSX$_FG2q1=nfRp<cVbcX)tc(-bEJ3lOXdCD+g8nn_D)BmxJZ zdstl0kS}NZalc?DN&27d52E6cAOnZ+2V(!TnoL;a&d9<ix$E$-)MIlfybG{osc>)- zKgJTlWUCd&FsDXnASw6}6EVo?2k-R`R1h1k2M3RDOR(t-nRiDmxNi!bz<nN568=U= zsPRfla-AnkQ>k!7f`?-`30>gJu9MPDn%Pgbq`%G2AY~H`oCE?0?5N=*0k^0+>WvH? 
zaxxA_2(IRw6&t77SEy$u;7TN7Y>88QpwVl@C5A(-Dc}}zc99G&5Fl@32_qhD?o?vJ z{@DBsMI5<RE4u@VwCfq3_3L`WGjpqExglsmE&SRe!d<w16nToeroJ@oST^Uq3Z$eP zK^t}Ki=5wJKWvZOi&&U5nBkz%lneBSckkjhUKQwR7oH7F8>I!X%OsJxi!aL7NR}br zvKyupVU2fp-2ej~C@(rzSqdiBc*{!n#*b*B4?8o*bf^dsfK!eStXjQ_5{R2PZwvk` z)mpb{Z&?v7D1vombH~L^Z@@tCN{WB}i+TKGvBS&Qk+nkNk~%v5sSkhcK?}Tylb)71 zXCP*&z)lXtXH&F3dnWR|aK#&Xrf#MZfg2LKSH$`MQ}D335@d<MANK>_sg-pf`-b3) z;ssOo3f0LuB29|6AkSvesM3#Ime^*3ojPdjwC|vX=mt4~H1rbcm2)!aY%wtwBNywP zUCxK^<<a!6)*aUeBiT}RVtgt)mp@d>U|~;MH8m2v(5M&DW;x+3cpDx<M}AJcKmbzn z6ggg7_Cl+?OhTZd?2SW$7O4%eie)YdizlCls3tfpb%Sn@LzOwGGn)r`@qsQ)qodMr zQ|!a3Pr^(l;l-e0AL$_dD{^i?p7>_1uDcFAU|Fld;Q_g-vLtN$NYS=3K2<CY?0)_b z9Bjo}H4T39TSeb?#$!<cCv&L00nGu4!~ijmfWz3SDUb%Zx;83{WSH113l|DcSY83^ zZsX`(mX#0}^@o89(9$WKdC;_%Tjgb^7=<LA)MScorvM_)lE57*<_ekTKmYlOsRQFv zSKvQ~2KSOb4;1o;rZYo>=Ot*<p~1mHQVE8AI+>q3kPrT3i3`~iNKI6tXgXJz9514> zc>DGaCZ@+n70>q~Ct;_)hVSdjPJIpgm+|*XxE8qRKZ~z)XgmadhLYna*Y^w$ILoGs z%2M&ia9l6*GHkcThjlK)AK#MLw#Taa0;)76t7Pi}s3srzEWbekptzI63ZWtNG_Wk* z_hNPAY|smmm;|sFa+wACqI}zmxT$U%gh-G@16v$gZ-m|<^<+rVKOYR;R478|uDgae zeV{SQYsBrh7nJKDxy}u=i9zBaX)N*>X>mbhrFO`s?u-oIewMy;7(zu3ofu3L1Ss|i zLQm8PPBJQjCc)U;3l6$flJIuHS~hLM=v?3d^5yh=%f^ZYdqLF)B7;_}D#mQS;bRZ3 zseB2rsX$fX0w~nQ3-1*M-dE)7M!FKcDJM_iNUPE<i%Sw>DlSN2F~H$N`MhU%fGvoo zCU6>BTb^6S2Q>UAgsNgYg_{%>r$zvTEz91j2L`eLKkrlR-Pnt@s{7V5I#o~W{$e<d zNZ{K?-v`Gg$0gge4U)acuM~F&29SSCMer5_f(I4eMn_H8S~eLLxEvqkFx~fcl;lR{ z2MGYFZ~%to7x)KGSlV3mU40JgtIAer7NzPye92tXFDt)85kUg@H2x>GTB|C*2$8!@ zdx`k1ag6Fb)F}>FN#nUnH-*MhkAxYM>oSmLLimigBymwrA~dZ}JciQ+#|1qJIVey+ z8a!0ZaWYokao{53&fLsdtzyCdVmSl=wz>_2%g3ii^OqOF3*pldcABZ_tH7z7HW5}R z6)pUeTn?Jp)tH3jVDGL3Itv||uxe10NPZzT%bwI%^L5k4Zb!-Wq2Yl&y9Wmco61(x zw4Y3JefRLd(BSU9d_&LlY2?kG;Q=V<`L}QrwCsgRZ(+=FX@7eoTkw6I8(8Df9S5Qa z%A_R{BcKCH-{*-&ZR~#{4!F00T7m&vjJ_Yijb(~k9`j@2;c$nN<htU06S)sGY}A)& zaPm(D3=C9#xO0n>6Pcl9oswOl#lRmnLfBRU+SIsUNahTH)s;zo71)j1JkB)95kZAC zq)gRWIa^#hbms_9J#|^9mOfRBK#Arx1@s`$06N05A7zAg9Ed8)@eH?Cmn2~4!adFo 
z8QsKtB@r~osf?W(ZP+Q`)G$jicp7iViE0y*wYU#t_TpY`lEoS#i!s2D1e@`lN3$B& zYD?LT!QB+gH4_Q8WqFe9*6a0A-PcjXt{A_FtVh^ckJtII70SzK^T;g{%sY<np~Qoz zYKG~TvEgCGahHhTq=XInLd1j|#?d5e^8?|O<k0a3+fd*}gu3*6w^8;RuBidxWWW^8 zU?@~)<hx~tGU{2N>WsDtbx3{$A0nhGl1qOZB-aVa@E*mfh4^_!AWWJzhrjWdhwcuL z9!%P**Ao*Pa11ynIznm~1Rn|?@S%4MvUpS))2%AD6%ooPKoQQPQ7sAI^!$RU8<#_! zX4-T~J+qJ=VOZ{*@5~`pL&^pZ5y+s(C&p4x|K`7F;`Pbl+9NgSVaBz9yM(<RB07gd z-^DM}@XbIyK%KcdqT1NZ7ul+iTy&=ABZpfCu?dD`hq+MTDhB2?%4O3uOd|zKCiZP} zP2EVPQalTkbzcO}L02VEtC8?X_CXstm0`<>n^DmwB{mZdY2?nW2{IY9E;<NhmM>Cp zatlb$Kq4&a9->JamnP@t1^aoBZL;B+E@D1b7kC?)Z}Z&On6nI(@3dvidA^&`EZ8Y* z)YL>hma<7eAQ`zf1Vb0m$#vWjcV<5uL@r&a2ic_Af;Z@eEH<7gxr5z+`EyX<W|F<| zcQ7zf1{#~oVX(vQ=Z7*3cIf@+hTR<oI}Q>5nPITwfF`5MC-%fN+(Z@|Ed)#^|7bo} zL?#>LZdrGoy6Lu^gfLJ>5XIX`r-3df10JZM)F=9~*~!dr3t6~DG1`(v=XE0%hU|V7 zBRMU7B7@dl6D&B6K}`LJe5-2tYt*<FY-N1SFJzqI&3Gupvb^Z5*q~zSKDuP_5|Lh^ zaJU|1_(ot`4E2&wI)WA)hZlCpez=0_%Ag`m5HXVff>`*dr|5*`p}ZP_n@xGqss=n^ zp_4tjMaE7jUR^I^Khr(Kn9wVW4)s=nBSpo~C?+XVv0bmCPxcNI2er80M0>49IIRjk ztKF~}%J!e=CIc_faUxR;U+o&-brT=0KtrYXtk%2+G&tTlRFw*7Xdw8HL>RVc7j+%S z52?#=R-kq*>dLT-OmYwR1a(9l3D@E4CU3c@G^$l(iK6=qy^kP$suS-Bj!i*JjdXy1 zL;W^287@Uz4Va-5fDIH}s3{`tmcbBAp4_+eSE$h%5C&}{AkJDvU=H{==~!!cTNbBa zyT>2V<=5!~+H-OjP;ds6ldia;pEh+{v22>&Ib%Ci;F3Z=%1d=%*~`w7X<%77lO&Ld zLn=Lvk*D-1#@YF4A2fE*_sv=zX*T?EgME*h^GB8da^&?624Vy{#7ywntR^j8<cush z<piF<dt?`16bNu=d^CLkyB^bY(0I#0PP0J_Ab;6N{pN_pg*;_Gbm9CqIo+*VINzD& zp|}^Yf|!SF_K=>Y0fvY}K?R-IQeetifq$YTVJo_8dnv#HReGyL_5^jAc@x(;!8c67 z0GaCo@=1X`bKT&w!4|p2(yJ@D`by1YnNUzKI?dXFd^~8F7<H9Io(HyL4?wAeW~yJf zvPZDlIDu8+5b$s<J5kNht*QrlJqJQ2elj}pv_^guEX1f%bymDUb;JSE$UDhfwCYoi z%{C37QRa{KjFkN~k<A^sIyn_?@!+6X3}TqMf(v?3H_KZ@Yccx{sj5To0O2BG_1qD8 z5hRYatIh&l?Rb0Q1wc?LjO2t`2;3<%ETk<emY@hvw4Mhg{2GrD5v2SQOaYL`3j7S- z1ja|3!(<Z}A8pR^H?G(ju;^6$3Cmu}+QtamPr_$Am56J-##tOfh(20!FMcCpAc&yw z&KyW5jSVf>;piVcX`{9}+%3?7=Tx9JV=qaxXghv#A3Gt*<50pRbUOthW|F;dQNzB7 z!vOm%e3nAtdCU!Mt%knhXBlV5BZ7T~-h#n?np_P$Y_kXvm0h=^`>fzVftD#NWvcs& 
z_|9t7a!Dj+m?*?3fUbHWY4AQp@0f)KP3rH!Tyb!)Kip~P6P(Y7RJ3cMp%4!~rE;Ru zIncE;r*3SC9uRiJf!)Z<r1gG3lce7SdpyhP7~bTGQ3t2t5?e)Ne|XgH!jkMKIWAiZ zd___`%EjnnSYY4^xe`ur$$tmHXnv}v1hS)}U?P9u!1&YwDS;Sfc?eC-^A+aVAh0`| zv(7o4j({8q*f~>30@;f%H&E8qdA?cSMus<Pxg@JWoHfmFT*ysiNVT?)ft4~CsP<{7 zV9;P#6pF-9SVJY!gy)!6Z3yO>KWcPL1wsP#JQI()V3rvLLKM`PUz64+6#Iyz05?K4 z2?7#P3KUGwsgg)znyRS7L7U5Zl~$RRhl`W#%G*258cq}EpsJ`^avisBYMCR+b&aMD zC;ow`4H^i3N!vEbUW^P7)Q+i2)zEOOJ$<}V)Zs8?kkUxWyOM*0RXAC_sC$bzFh*?A z)Og1v-j3mCk}u@VvMw%SJ4l6{m^<SFoH&EemT>`_Uj<znZWWI}$a=5=YA`^7TdhoX z4K~6XujR}w>fWU8mlt_o@K)Ox&od<L;GlFAC80s~0+_+fp(TfoXf)E`h?d-aBy=}D z%Vpn0Wf(|n$dIagY|`}*(JawkLDC&Y+C2Cyj3mD<-tj<h!z0O0X=QNBu|dPF_5l<x z>(w2oK`?sj<wcZF5(NvWl@l<9l?jE0Li%PX=?hTy`yHt&<Hfm&{781<V7^$wXBC|5 z7jjP8b~IUyv7EUD(;xRH;KVIDp5NJg^W9}cziLi=6w$y0jfk+swC*CO_?aZva8{U= z6%(1B4O6eOoP7#vYb@Uu<y@fgKsBIM=@?P;+B&as6LfH8Y1WPlNB}d$ubfk@Rf9jw zMaJQjktj=0(8Z{Q530DjGs3fis!dVccq0y^AbdDJok8+o!Stsa^Hr;S5IyW`JLDw( zy3K$|tCKifikEV*qpHD<#vSZvtig_+^udlQ2TSufNyCMY!vj{280*XJ#|+z@>`^1! 
z@VFzkIA3?SWQSvLT5NE>?h<voL*UZ7lhlcP5!YL!A(6cOm-{Ls+}@Ipi0Ov~P|7Ey zdePVYh6h=sf}M4NX%Dhp&_i#fs*5-cBm+S@q@YNTI?8|$5iHANt?t>fO`nSqgn#an zYd;ETv~uKvJ%RCQG3$$qwOu3ZjAd5UM4Yhf#%g#((r6%CA}6H*OAL4<Co^qm_j#$o z)L?2z>*MW%5*V5uj(^;YE`P~Y*A>6O{D`VE5_JWsA&ZXdBLRUOs(KrB8d-+RjvJ2O z>9J2GW29O>5I>GUUS9-y6-Y21JCDSv=^m&x%8RHz0ZCD|Sv0vq*a{^3BJF#`v#yn) z2;GSCniy{|h|szE<JpHSXKtQlJnT%T3R{puwLYkYp;d4t%`OsrFdLAiReU8JTggJ( z5-Klzjz%*m4(vEMuw!yyN0F?I!0(>m8yKTfxSv#Voq{8yTQfay3>?AHK%&8CU4+Mu z6xbd*hLbJ?UCg4fm<F6=FED_z&u3XsqFfLJ)dF#rO}A2YR-{@Wdk1&#Ie*V!deK=K z@STCOQ>*K)IpD8216V)z1}uBPaQp$!tn0`LfL1IYz!@ju`+414grLqH+;?s_`8Q#C zbJ$&#@k3enOrRzAXNw2tF3S~)<M}BKSiywuNe!iT^$B8gI$J8`3R9V$BUc@n860^2 zk=b*OBzuG=7hJ&pjQaR0`04C9>JLp%FEg_iI&@`T43gwqFgpv$iZ@qCn#=IuJt1Cm z1|+-TcD@@nN30UAZ%K54nq|+?lJC^#tY+C(tx;=P10oCgZD_}i)Gop(`{9G#<bhzX z$&xCqLr9g;lKaWuyUE{K5`nm1Q=%IlD`eK8?p-N-+prt`7B=Nr6~Lw(_p)=R@MM25 zz|bDd;XYtqLy=Q#)&W5WrIZy_9>#(n3&v0@7}a<%1|%R{t_;DQy3?h(XW#SBJNJCL zGJV&o4Xi9$zKI-g1}d&o8_?0p8{n*CP*<)4y;=oTQ%7lZ(Y2_nTj)56zV$YsZn{=Y zQUjNDE~6_=&%t^PFa_mB-POx*!$D2)ck9c#+l~L(v18`!nPJp+cy@MIQ)@~v8TN62 z?jW$cckxge&|ptpX4<iD*6NOn5`NL56f_*trMFU+53<GVbfTM9mq+>eNOdCH0IpfD zLcDx)6`5&CsSNb6WUl&iHERK9f|y%$oX};PYc80pVY>l-#em3n8Wo(TV~^5a%Ng{8 z0!%H9wc)+7liVksX+Rybrw0|9^U}$6Zct71CmTpJt#Ki3>|Q(Y6KCXH3`k1bhb0f` z`egJ=m-5EA;PF50-6HwBMe=uV+q7?Uzd%qo3%I!fW|CZ|v($x&>v<MJ!Z)6?aTuuX zA~jrOAo8$72J#<MoYRx;(Zng#deYXBo@CDv`^XXa4vwd(^`Iv`t*4Vwu|qaGxkyk> z&<!%*@VH_wSlC~QOPZL_4dvvM86Hy1@a{+93=etftI`}1F<sMb$cU)Z={#;jS9rE8 zXO66H%pmfV&>C&hoVZ?aDIg~7GU550z1t(cLkBL$C22|0LOPNLI+Sx&?>d<n{^P*5 zLn@kpV~CWRmt1EkG$Ae6D4OCMeh|Vda&8u8>Ew1zO=y8Rit8U+qvk4>Z5+NdC>q?> zYyo=51Bb^d&WTMcVSrJZT?=v(8kS%nMO8#cEmu{VkiCpoFE4!0NVAX3Alo!@)g};| z8W=#fD=y7F$w6TVF05<UWJsclxSw;?{ILtv+BMDe+BJ%lML4t4;Y;VHv!#QXpe47y z5_|!f?Vgh88~L?s#QXTRvmw~6BI~3fFCk2%_Nl`NUn(1`yT%<8`Zi^^r1g>f<aEB6 zQ=%iki^fH4$s<DYwqA}at<tj_JV(w~o$?aUD?W1ctp;_IQT1jP8Ed3skEJ+L7@t;C zR(cgZ5}~0$(I&kpMke-A3o2;yVwTT|@u@>s%#Ds0ONH_Mhfta^R_{n(G671cMtzSR 
z8z4y7$V6o{81VYg-b)SnoM$@$H3k==)9}H{qV8iDz~IoKx5bVf)C5C`PIe8rCQhqH zFD)!kFpZE4!OoqkkrYhhpzg~x4)R5?FSRQ6V|iY~OmUYZThPgQawn?6lug@ryqH~$ zn6{rUs$b4smMdhm^FkFJ@<nhyK?L`C4eVB<n4GU+++5RG)P06vEPQa6=c~FruSJ*V zZMsY4DEGDKa^I%A+$VL}mP3QTdWeZQb6!tpEY$%8TB2i^^OkPM?0Xb9jt{*t-?05g zOz4MjW4>N&v~Q2YJWQPmO}&6JfO=6CDG)OtH&`JWCn$i7i#31&FqSQ4C%E=FyA|GE z!+ENAl86DRcm??!g<6x}gUEvJZW<GU2IQ>RNG5l8g9GUP$y1c4pbuzXR#QmJI+ZUS z9G^NseV+0~i14IdMpk`DF`O)RBd%YLS6Zu^;#D}WTdd;-O-&H=k@r}KY_Cy=T9Rpi ze32`GiqMQs94s9GBVy7~@S<gKZ*knAT!m6@$4b1Sw?YRBEibs|9=DhEs%0RaDzj1m zv}*AruALUD2%;$lg+na`)R`MM|Cm1@p$Bs;V3Qo8Y)1>1SD-1K`1l@&+HDx{*&wud zCe-sR<#k$mL3k<G^zk!dY`cVOvxV-7zU~Elbo-7&BwSrUx7i02$1m0A4X|S&`g3t6 z$hb2&upBN2#Wc~kL$giM46#l=C+mUz9rTL)$RV@MuqYS4eTcO9gUAIHINR4O4>{|k z=%s1^Vm2heW)zqWt9qY}$d=hQJB3<$qYSu$_{R77X(AB^z*K%J2-V(tagOCJOBzn1 z+y=-HJTN4Qa?oCu(>RoEmE?&Qadk|tw~^bOi0sHB{aoGYknDx>Rv~Id@frX)nX;9W zr%g#ZD)+z?;Jlmh)ROpXx=fm4U461p;xv`ZOm?_dQi#LY{U#vgw&qQ=kLuN`X+Ysl zQ=|9ODC+#w#9@>l0XISUm|W9aq#6`(TohAU)*BwmiGkc7P-H4R1Z{(E^>|r~Pb|Qb zvH%APovgvOt>Z02nws8n4S>ypWUFFU9jTtywBz{;ZuD{?tdFvfVVVX(zm5xZ&$AY6 zWiYn98YuTt{zmUf+Ve{%=0>xn>|7zAFKwLVRk7<HI#nRD(4nI237wP}pyn?XwxQ@q z3G6gV6yzfvM*00L!7~L=qCnF?^#?F#@S(@bkJE<k>%?v?MKiWQn0teA!mA&N`4@^L z=3bES(PP3f!6L|E`N1s7YoKi*KTj=K_Ua?U%s55=_VY0s;)a=6!m<<ol|PNkx}h#3 z88(a@dl)b(R|+9En}$)x9Lm8S79np3bLOhL=Ue3>@-=v5m^3$$EtbYdP6C?>gWWK@ zhVbo#VZ$HCW!dnTZA7gKPxzRZu${_Q75bQMIgz@Z!n9x-)+3}D;F2cW&!uRH8|F?4 z%T9Px{xmLUhPsSo$uM&4VZf8Z-|^Toj5%gX4%D#l*LJYxq+>5Qj|^*~@;amYPXcqI zL2j5iLwI(=p5c$<GHCeAbk$k#6xnnXEpe!qF(0orZKvXX)#&MCj{k+f<MF?WG<XGY zz=nmtwnaGW^YfNJdFdl0pJ`F4lOUqWKsPR>L%4P%sKZ~!meq=mqs6rfOa3`0w53Ne z<+f@dM05)Phvf$%`+}@tKn|i_x;n{*>#qR|l`~kj4AY<wEz@IOlX;i8>Qeej?s^ms z4oe<VydjQiyTh+6)5Ezc`Ba^TiHjjnpS_I6atvWsg)FGsYt+4y*#30a1ZJ)7uVFT# z{$Lz-8qOCVewfJsjV9mWjAAkjG!9LIK_AA0K?bY|FxW!{jKHlxy9(73Wr#PAc)OD8 zj9AUouA~N769Q96PmV6fssGFi!GLXoLBM4kGJ$r)mO9~k2wu@*5-)f`xJT3h?^b@S zJ>thY==Ipb1&VQECNG+Pz}JplUE^zTd8SXSs+5y)2`<+%q=Z~s#L`bNZJ23?WAiA^ 
zXV2JFnG}hZsOI2<cw8FzE>p?N_@*sH6px?)8A#mF^(D*5NSzU|3oYaZ*6*;~vj$$U zb02@<iG;Y0Gj-z1v_bh&xJTPPzPKSn`8{FTrX;c<fH~ip(+xva{E<{*pv+Bj-Mecf z(~NEy7=`2z{1au>*|{&6xU%lED*yzFW#AbY16q>nTmu6u*N7j}SwA}i27$`U10e&) zB-P+Wp&vBlOg9YEkkDdW!()JWgF{u?m4hUqWWI!9k*NVes*31DK{`pQ(~D#A>rhkk zO}CFIC6J|b8|bd9uYum(wt-tfU9K<D4Tk6^@Bz>;DBnT(GqglE5Iz7JRNXKrR52L^ z$yhe45?j|j59l;x2Hm8YdYPvEVKK@qQ90~^l)xKi`Q>uBEH}{BG@z}4!@vepT0(v+ zr$<A$ke71Z8~7><vCi}+ck>S46{levBtH{WqD}n$xIJzg<|-r|DmKHupSftZsa-&F zViT8s>6=UjBn4!`{{6UDp{_Wq`bM)vp*B%-zhL4Vxjn2jduSq&ODbGa-V$^8Qp_i6 zhGC%0QF^&-*8P6PRC)00J#P4G%fsod&5GWrQedFhcVM4Xr$>G{o>i+?as6Y@^gzyr zJjk&C=vgrRL!Rl5U>I7~#r5hdrimg<tBvx~+6%#S!(KWY@rDf!gDLo%){_vvrMoVz z@@-By3wf0IjZj%P=6tJWIt@RQT<8BB9vDoWD|#wHfEmr!<@hbQ(hbY2SM@cK;|M{; zU7QeTj=&>|DI|<XpW*GTVf&~!sI(fAxRJ(w^E4qnJE_Wl0sS{{Dyo`h9VGcdf^L)? z+C-J5JwWfekur{YBf10)cTRCPySf1e&=Ex<0T|XOH`2y%-@%WDGf8p$O_A*dG9)=L zy#6S4I1G~fXThEpf50RNffOJ|H5=LKSC%lrxmcWReoHGa)*Kw0!5TM}!HvaG&T1fh zghg=GMA`tZ1|*!i65TZGwQF9}uv~b+()~pb4kKHy<Ali=d*VnxI$p>Gr7e?#ef-OV z`N>>HOZJuxvHs;cN(NEPA1aLCgLEHC8&F>{NGZ(h^fZF39W965`!A@k7)KGhSB_8P ztVG(2th$z<Q407`*{RhX&(snJa}$%~*`iskX^Fx#{oAeAw8Us`Klu~;{%VN?&U1<D z#;Y=;@>x+?cmkOWxw;Q2z0CW}lFWN>uOlUzNfG8iqu?{4C?Xm-_;e!q4v?5vMa$vt z1kO>Wzb6ezyM9oo<=VM4f~4LGI=iEyEWC-wcc`}vNt%N~?766)Za~UYGfrDHt98@$ z5|(ZG2l4Nr?HH99J*?NNxIsost`lBqrsbC@Z&47fi<WCl>#o0sYI4xRyzKK-s$IBK zIF?C(8H6=WjPJi<a$<K>v#K?}TC46(&s%nSwN|ZKHpz%b%g~R`O^oj^WDAGeL8w~9 zHYqSHR4yc1pr|*RUzTMh0G3^Gz?xpeTpbjB4kyQ+q~DC&6$iq_Q^RR2m|qz=Stke0 zY7Ksrg8eAM5+}zG6tc)!zj(M<%1zE4&Q4CujZcl`Gcn*XFym9jQg&h@SAbu!CC@@e zTjO}8Ro_Y!1#oH%spyJ{V4=RHG!($85u`#gCW52p{8l0;fKww##db^tNAPyAl}Ls_ zsuAV4B~=JBUo#P|!eDuhv*jrr9Z`M(hLKe3z;`Wk*@SEKGJJv)WhjIvCcPG;n1xVf zmM>WdQm*mk4Fm(sI)xtO1`kF@--SwN!u=7S<xmN$<a+c>(6mPjrXP$@>{o03y^xlg z4tgCmxGXzyh)xk-h@J*2hd740xYO*<$hdSlF8CUeLkMeXxmw*{qk~43$k+(T?6w#K z=YSq0FA{MmE?M;m1US1{h!;b;MU9o1ps&Shv2bt5*~>t5_hdM+g+S2a1z#AuZlYl1 z>}AV!Y;<Ih!eAlqc%~2L&5Gl4YlXp>%3Y4H9+3W+>=m+sYy4XcXcBO~5<5Tt{8uWx 
zC93i0(=1J@aS$6XDM^FEVu>omX-{n94b1?im|m}&Hp;%Vth-{-sif3r6ph63p;~AO ziMPV@$ZfG<f-IQ+NW=4;8Yxzb(jP^3pPv}z$Qy44Q1I^zAg@ITZ6_$Ok`X0vx{#lQ zhZzC_C5VMfuNiM9ge4Tg#D#o5=%6hZ^8*TVG5;2Gu>hTC<1N9a(=`=|&0}XuH@Cn# zSY%xI`GV<_^%7F9+lf+i(V=J}>K;+8TCQa(;=`QY$touYd8)E#=~N2-pPc18rx{7D zhjkq=jmtRVOsz<Vh~7ORnQ42rYlXEYjV*%|DH4e^3tmsaX=F5UGjG_2xv}k>aFS9R zq3?p^DdY)CpW?fqXJ)ujubb}hY!Cds>a5`3x$M7vB0mKH&dvZ$cYUj(<5I&oVWiZ6 z&p@DVvFhq;s%jv?A`Ou=25sm@No;G(6oCYm?%}u|3QqSxwon=$%Z`-tg~Pyc0UuB; zEVzwsZ5NLrZ-op$eBP=tg0pBclxW&dbZb$wY{GgZ%O<)6s_CoZ(*!1ziH_^EW!Q^> z`$AUcLmkPAeW*`a#~0!68#+Iu?Mn@vpBm&FHS8h{T^6Bv=Vf}e^HRH0g8=?_Nb8eQ zQ>pWfik)IzK7=VU7Y>-$fI%$wwglEtbWu9CNgzIC?olZaZ~$addXE|IIamsC6$}kY z%2g-$%hS3UT13K9&;sMy+ffH04%!5=(XfX4kT3$t^%l%HbJ1)QpcKEb;mDyvAvaZ` z*@)pArFwzOkEQ)uJ&lCe1(C`JN$JZm1YP#Mq4D$uhj|kB&z<<8QW3&Wi$1H(>$YvW zMPGM)ppBZoS@unX$0O8zKd@}ew{&FXuf<bo=}J(HGX$TF+!Dq}f-4mr;zhyj>%smU zA^KFpZK$1a6QrMQu5bm;1i9x_4er%mNhBg)hjDw<DK8=G^SP?`87;XlT9jsZdp0h7 zAj(FzA*q$PsKtp5UmW^TTC+j}$jBN%WcK6Gwu7oYUSh8CjxBi23aIqSIhQ3yR>Q`g z87(16`Z}Sg=HW`BVM7Tf6UP8iWQsLX$_jYI0#pf4idY4zjL{2P&IHd7eHJP-Gh#Qh z!F><4q|pT9WFe*`%ERS07+&s?+}BbYdV=+0v7XdpsJ9j(AMn=I(AJ1gbfL$*iyP%A zPH0QLakeO=*+;R6nD%|k*V4w<P={Q&MT``GzBgzNr9ZMv*xdS8vH!M99cihkIZQa2 zZH(b13Sz2zd`%!aThi*7a+u<Rheh%*hp52~OaUEnW(S}JqNXIJNX+!4IupiM?ITV< z_{In`e}tQSbh6>#*)mma(6g0AIJ)t%Vx}k4LtJ}Yuw+sb2~N9!uwOFQkaq+6j`KR2 znE_`9?=vq3N4itHAW^Ba1%AOj2<~VYkR=l$-%BbPu&+Y)$e^E$BmtC5ayby&w9}nC zv6(F6yA2cmHSe1GQnWz8jnO@nya)`(Ho=8~i-u^dpy`h=uT{Nx>6=-?U4GiTX*AG; zv%nRY#SbT(1)(~63keq7!$w*mgS%wqRly<8bhEZ`z;zn+G1sX<Da4H?vUYpOKv;E9 z!8qiSGFQsajU3F4T!MKYg<Esa1Un)EDV&Gk;sA_5bHBv_B{Z}NTLB<p<b^VkKQK2o zK9QT7%1-7ooRJHngWB;l<vt9|UKB*w=2>+X(#dt93z;X{S$!j?rKM)4MviyHiolET z9IM?O21FW$UE?$k;&iSsIbOudP)ji8s#yj*UjSav>zgJR(4!jnVJka{xzPPZu(D{n zCh;jk7x*+Q5GkMTnSPP^(V&ZKHuJollKSX~6KDG6GzYrHoSof%GU!&q<4Rq}F|ue^ zL8F>UuFKd79s-2j&Cr?;3gk!C%9ghR<{cnx2C{IId<KG>nzDok;HqtJwa=L-MgU*f zoA6O>$*^27P?z3Gvi;bx(D*tM&Kvg_P~F9E{O+DCKo%UhU-wKSZ;#uauUD)1yueck 
zyRt?%Z_hH1+!n&+J`#6^;n2PyPkzX=mJ4^ZK{8-nF_31PWwRXEDItxMhX;Y2><`h% z#?vg?$rVuV?1p841<L>zUU(r*Bv}SMC=F!~bri){OahUiWNcUl>0Bf?e7At!VZUuu zA;k}9EMrM$7Kp{=lH_2^SC!*T3SxOUdEgq7)K1+`UtMvXg*5je|9dKkoeGu{SA>qg z9&6K~bhnNACz_epuA5a?Z#Nzpyl0jhuH~<#Yr5x~ZfeO~Q-Ven@tS}shJqJ3WiQM0 z5;Ua+el=?GZo0%C-Iy<uI^x<$A(t(UPaOb-+@*)c3%OA+I$p?)l=6k~TyZ-z8I?jD zUxh^5HlbLHm4x%OZm0*8;bmJOR}uS`7p-N}*q$C%9CvAZAd`}vv0*DjpyW`}S_*c? zcM*PcolSbWPEy0g&5b6GIAp1Pbf3jczZ~~0wh6WgE!XYsj;-D8?IyI4x3@dCs<*cr zZi#o+5j&=%lYnXaD6=N0>2+Xv02ibsQ3`rJhh9tS4Elx-+Cl3FJ;evGU0O!lMLm{j z-5{dF)1uk%5vrKQg;HRH7WV%^@w~cgC*Xg^EBK*8uTnW*b57Zcvs5Bv7j0$Y4m%iI zHtK*L4>#s%EFXJ>vqx}3QrVrz!3fS`)ma#E>T9@6dnmkzSky(@RGo!M=5Q`h2aYs& zwMUp-wb3_pClUas>0DYHb?I4*>zc&Yl%4t-3a>P6-@{I5B#O#+fMI&RWn-^O*l?s~ zga(fqhYI?k=&_LZj$@di%3<U#8Bix|tQ*%*$sMi=m~CA{Yay}OtAhcoI$|W6T6z~? zwW^z18jf7P?ttq;eIbK!;^&#Cs8+-PDvfFt60B}<`lU?48HN%~B13SR)%YTAi1r(R zq0)oBx>>d=Ryj<fdW9#^$t4iIFo;c!b|0vQUe|r!bZxljd+mmQk{JY5G65)=Kgxd0 z5ZM)v6fwV5QKiCsCk1M_l_wSqIW)5EkilVLN<;(_*K*jcWiKERn72o8YgB)2YowuY zoW$iX`A$53#z?KVh#HtwNJlJqWL|R&Wl2iz-jC6Pv7$s@QNcmQ)6|;=e6`6<BeX%( zmdTyDa)hxtIQ}K8z{qe!JRi5?x>y@?z~P9N@u1_<ylb_pWiJuh1u@VG@?x{Z$54um zd0Yo_Pb-VLXcZAYWdxqbB_l&O1vVJ)T1ck$=4_FdL*N8ppglOgU}4xyj#pnRHX);z zS%uCXoG7Pigx6FHlYGD~MKbAPxdogIA+Ag#2tu(&e$CsP7HJB0**e*_G0uWN+**hf zj08aR9YuQ}VVg&L@k-ZkD+x=gGYdD{nBMxl=TsZM@@xkAP<1xLJ)k#Is16Sek`)|D z?@|;>4!#e46CSqMn&Kqhxzh7i&=w!MP<02_^Xb{R&CwViG3n_zlx&UmLK_?d`pOa* z7}GKu=vlA3mhFS&P_u{hTtwA+;~vYmqVL_P?`}}So=H4q6YvaNFg>Tb+~U$o#RUeA zagwJxj>&ohH#{xlk({bQBCa%`34hRg#Nb+jV6BQNLTV0LgQS&;?QjD{geGA*N?g<l z3Gx!?$nv%D)5m><ITVSr=@xUt)z}s%fV$vhB32oT@FoqzL!>Qw1>Ok0=u@t-<)D}} zbr>QpA}zQas0=}&V*MzKV+$2QZ8z!_S9!2V`XYSPd!@x0`a*KVi*$;@dnwCiYk4?B zB(>4aP`I-+tq47v#xp!cm7`ZA98e<0ryanERj@}R8`Eq@hOjU`k8_8&O?hpz)kXXl z$pRZS-FYM*0%SrfE(Vx`P;PAm3{H<oi}f6GtGJx}+(E}#0-<~oYJiectAe&jL0R=v z4Of+Kg#O@_Y1Ngb@$vqa4tBRa%^p%QzsE}tr*@^&J$)gN%yo%u9^RtvnnucY3^Qe6 z8@yG=V+%P8g{j6AbK(RsBZ8a7!HqKrCR$4&$EOIA$!JE<U5%!2WT2RF5C~d$36jin 
zbuQ($xcqsPBm6m4#~YyX+!XIUIBPxm9VbhTb4;P*n^xl;cwuus#jJ-}>b7%G&!Nm- z28z%Q_9v3l54Ix9YMQwpAS0ma`eMTJ{ETWRQ|)5Bl}4{~wug2B*Jy+YhZHj3X+Wc$ zYb3h~k-!9_b~#*V!w79llIX;bfjTiv7xE*yVsU)xK;Rb%@?&7Ske|*KN{7MN_yqN4 zKs5v{oI{K2HYD-Gt`aECJ1!v?#GE=6kPMQyc1Sw(Ws1%ap&|J-q$_eNiCS6QP{%m? zv&Q|Z?3n00>W)>{UORVk&q(%Ryk?-#wd{r*tU?dX5W(QY9B-+%K2HNh1Vyk2g9S?O z-y-{*6@?}8hC*U(kuG2?(vVc5*}@m~0VIdHO!$_EvZ0!`FH2iV5(p#}+IBqGH63m% z_`jhUhCguqM@_IW$u+$mJ(qNav0LC|O|OfAx!f94a{#*~<~81S6HI?(WuH5YiVUiS zWIg|*48s9TXN7t*9-^o{$4r)B*(?_+z8>$F{svac3=R);Okp&o{hB3KRSu!W8d%Xi zakFZ_7LXAa6FFoMLU_PqBl0#VA+wRfs#9|swvUg$kv6vkk2!|KSsDYJXOim_9K@5_ zANvDmIm_q0{h2p4D@ly+3<wCxXvS6y8<gVv4U7)7$>jDJ@zqvPUQ-!vI1QT77N<u^ z_W=06z7U;=btIS=wuu{-i}&zgpcepn7Z-rAKOmk40|q4T@}OA^b3BOQsLcUP2+Q;_ z>6#9gfKy+~Gn@PtJ4&c|p3sn5`Q#Un6EmVYkS5md2E?u`WbI=6Gr285>D{Wj4;L~@ zs|uJ=7ulWy)3jt17rl9T8-F`XWJ?R9INp%^WY|n5eL!q|;#X2iCo-pSHYb>$jdXR| zjaNG(6RHhip>+S)qR(sc69RD}#)PH{$Mm8b0r8GAI4e`3Uw{apQW1;nHb=NGtUH$N zlUfq&>IwEDScPg*N5SgFlPr7~wq{Y~WYlt%_c>=rt0(Lbj7i9&uG-1S?%UqL#-TJq zZ(2G=D*i2aOjH8u2pq|84XrVgm4*<c@Ld$g$dcQF@&-$R636vKz7>g|k@BFuaT)i7 zNZPbWYIR=R(25NCVujQBcDy1V;bjncdmD@Qr?I2iByq{w;w2Eep4F1;duig}O)m|4 z-J)6^!O>5>M1(vNkFRB-*th6tH?nt;GvLPeud0kln)h8Ck}G&c=)zmK+%~x6fOrTG zEj@W?aTj8UNm`05sh3@?C0L-tbG#Eeyc*ovR=X;zJ#kqwvM4WC;=wf&O^8mtUqfB0 zyh+0}+5|3PpHl&cD9=qVtO0HU36-n(Nk)VCmm+4`j|}F7pF-P($WTEwrAhpJcjt^I z-2sf`rw@bVI)&NfZT_)2Nd<E<TN*)yYB}IBnW7zvT&N`&$xoGXQzbRVs;S-*;B*2l zd)ZksA=ivGYy>gZ3^FBPw^9k9ZgHJVYgqS==i?iDj$4|}lk2emF=T{orUJ>)+IFte zXd(^ikqTDZafW=yVlkm;tl1DTl|d<+0~>gzJ9P`y=2A$gK!EACK?M|-7sIKq5h+EZ zpJk>EW;2w8QV=}S9jL(FVa`^`uuv<7tt!9<*L%gQBR)eSdWwGsSFJMeb~mn4`*;_x zY`B3Xm+&S{bInp)^C_=GX|5F;hQQ{Mr0rnMMqYG9U2r`H^!$h$HO|hx1vhAcWucwp znK+;rzHRh}@g8R*47|O`q9-wtk~3KROExX?Vv=>w#1r2=5ii@<y=sqD$o7a+M#x}) z5^o~OL}UDv2OpvQB)$H_1D<r2%}Ax9Bd2@RHu4H!zwVhfb86YN9f9_<AwydtSRM>5 zp~50Nl#*ePROZ;w9c+8DrcQNoNnw|7X+?d#ts#INZ{yhlM#E7%0bb!-WD@MNLF<`% zXq2cMFrtOiP{<(J*EFarOsHtgRD!<~IKEk{3-KA;$Lf}CaiQUBliWQ{8_f!K+Cr;B 
zuSLa6=}Oj4jcUKQONhXoJ@h0{fuwhBRUoPThJ4Q^^OxnqIdeK0ROc$o6Z*j8M;{Qk z$H%S~pws}mLCLjh0H?OP#9YJo#~xTPZ4(z7Zy<llMROJG*$ooDYt<%MV_E9Z7jRpS zNC~#AyF$_#?sKPVFwmJ~?}f>A9$=HpzttD<)!c+>FZhe}?2}yY=HE8?&unug=!}y) zC|j`%un7hhd^rBlI+SEhsW3hXCbPv-u5d~2a4-czZwx!Wr{TfjJ-eI13BFth(c=%j z!l_~Af)*j2An#fWmd#HR<SqCeoZ~vG3El>#cvtUMS|BK@ohVInFb&`ZalWL83;06z ztC@xZTN%y3h924`+4)vBO=#$tO1-5U)vDII=^<owp&wuyOq)*x!<hy&YGP~inaUic z0gbnzVPAFZeW7sW>qL(ae6qNQ^MdxyH=Nd8(+-+*sx>}$E7fZ0XwSQJ;iG-DmkJka zzGwokF)w7-V+%;i$=X5*Qy2|9R(NA=*kX8di}OiqY~=`HEQrYTXvtpsyMo}1ItqPN z4031wIP+n>TNPF;^MW|<(L`%CVG_(vXDamh$(kaWP*@mI*jwS3*UAS^?P>=C-xfe3 z^Mzx!4$zW<rwzl2^c{<&Mn}G6t&ipEdElJCIy~KVgTSvg7_WH1l7`%dv7-HV+TCDp z%+-vG&kscz@TG`3drwObw9Vtsd!;c{XCfibZp8><iQt&{haA;g7-{6Ydf%bm++;)w zA9jh46{e~7CkLWswUN{9y`MqcY#u@K7vfXOrWj9d1RCkt4Ud_Zk2J43=emlSe*hF^ zn~3j#l|`$(NL^0novKyF0*s`fM?R-1P9cgimB80Xf!Zbm34^ZzjsHC`iUb(6Gl#I2 z8#06x4^K{vPhHZXErj*?Ki3Mvgf`*Icv2%stP>>^pRl!rghty7>&Jkh1w<KJaLoLO zW7~L1;*fb+AaN-v1VxaB-b;>~_JV_3lbCY!1O?1<&0Kwc-tueL2rco$$!p}sG|jTm z*wB3)o&-XWO~Vpfq9>`cG|CXtG8r-&#=O;snBdG}gC8zBo<CmCptKE8-EYiSt@1(m zaJo-w#=aB}pIcgFfGXJqvtHH9Cb)=_bGZK^G(uy3xc?$LA@Em7uVE-IE?UQ9X%2(l z5vNvnJQJ`ur9d~PBhfBOvJbdp6msPWa(0N)GP%yrZc~x?fRR`WFxNuOFf$^WyLh04 znZ=|73>yBEV9qQ0Ky+lmI5MtogCM2n$;OXgPHj+R6MfQgqzkhhf{6Vdkr|dnz@u)q zkq;D*Oz1cd4VS(MuC-257hyEURAu0>(-8>o1>CbGD#SX-T|^Swbds=$B-&A@1X?m5 zLurcONH&|HXu<S3?U+lI6HF%j8y~6?fX|y1q0xua5GfOH(M&rbtsyeUPMCrnW*&k| z$SUi;<4(Iy#j0BNLe#88BG1=uL^M;(1xLDBh1q6Pxotv-#7%GmIh)5bl!*u1@<?Dk z<O#8$PLRLF+enfZPBy5Hqb*Nr5Jw@|ix<lD(*B59+3@jFNbCaph)n8&`Z!7XTo6%C zVj35zzehp#7Gb;TB()NV70QQ2-y@UYCGJf8Psy#qYa(J^6@IQlpFXN`sR$R%jH+9d zM#b8WEGpdqZ_ysxKy=#(Du-}82(bV_cD=-0!yFq&V~npCcB&Y%e14s%hLO8I<`>CG z^gls8+`O(5TThvx(8B5oGcg5KS5?YMz=R<kqrH+Lcc1|+fG6l1a?7@=hy1~Yw2(v7 zquEl9)Rzs^5ODc;=^(fycNk=+MghVgj`3SYX`{gl;^xtIOee)~u8>8+=h4#j5#JM} z6js<x3Efag*%_<OLeZ*L*MK%@`iqVMlIvrKrbec+lew9}S$uZKUq@E%Wv@fotkI(g zuNf(j-mFw0cP^WUJX3I~VJ}d%I5{)6ft_L0S(y#w_)a5y49iU)NvEa5AN>)*ZiBHC 
z@rf`<Ww}6UxS=-NS(z_{o?Jn#1(s2z&q0ujvsDo{#zR>C3z$fcP?tjKHi->cO<)dc znmgThf(~EqwlkzU>wu>6+UVeMHmwoC2_U0%3yA7jb~aN%Y__dt6HZ*iJFT@Gc;HKj ztp}KZ`Kr;m;Gz0qOK%|bpEdzDWPee`*M#Mn6k@|2EabaQRnGMIGssai=A^~TpftmS z=3Q;@NdVOfs+zotFI?b7X&&O<p;+qyo#YgA#JNLeqqYtm8z}*U*-cph2GK){fE>p~ zq%}-N#bzQ=u9~`isGeu_79vA}<%TUhGw^bVp|^&BYCuyx<HB`AXtWL3mA}}K20Jp5 z%T9qq({R}WxU@QS*a%_KxzgI++<|-wwPY{+7o4->@Q&IJW5>ZAlVsKM;!9b@l>9S* zYG+WJ1SZ6It?szKZu>yng?>Q3YM??K5QU1h(7*%rfbN>agS}BF%4e_u`BjeL@ThV6 zV(ZPcy(+E{=8=*hN^{*7y^}L6?tMZZef;aAPw1lmV{}mxZz|-=<!%C6j$8~mkrdL7 zr4a^C#7xJPcut10Dj=y=TBRmY%4=}_kx}1>M9fEvIS;<ym@b<ZFH)?k8LiSrX|OE0 zjU*iugp*D@(uENY8EM6s+p6ADdvXMIHlyXn0<Bhdl`D$8Zs&Kr0qvH$7l)syG~0M? z$5Q*vYqi|Pa3{lhTqv?Q{oRIC*GOFy08UUyLW|mlGcAq9?0c1vqF=NYQQ+hnhsC{z zU9ih$Vm%T-*x#l`U%7cT6D%XuPRpfo{|aogih&H9%mIFCedTG>WSB)uZm9;5I= z2zgTj6i?^tt{*stFcB+<J(RMAl2CaFS^iDiX#Z{C(*h4A6S-1u6ci7QjO2>Nu|pFR zhc%o<$MP+`YQ2cNY4c1!TZh9$f6dkPhG*th&2j_7Wv_{_wJrakS*@F{r*6+RAR-*C zON#%vU2&iQRe!8*i{UJo{<P~Djk2%)Hh9n46RSdGdumHTZc@6%5f{5AlLG?pnaug4 ziN2WR<~<v{XRkRoO~dkh*P2HtD8C=&8mIuQy1KGs%dxL;^-!P8E!14Kd@zXfDCBIf z;hG+(nZAy#6_$tf6(cc`KQOmHcQAX|c)l=~9UYyU%$2ekEjc!kJur7zOE7=3P;oy= zZ@_+>QDFh1mKjvhL)G(k?gV1B&s~}^pIUTkrlvU0$3LDc_W^?rAfvU&0|BWdJVc*~ z-XGKpGF;ftGYz15$JWUxn#Yo?*JGSZZ|DM(!%g1OPYOao%o|XbLyfA?xCvfpX`G0% zUu?h*6V-;ZmPE5!z_8pDq!x7)dy+CNm%@*1h&LD9RLPfg^1|hEWe3_gGu5&N=4PUL zVurME&hhCq4c54(IxHPGIad@^pj;8q6YYK6iA#Mt%>|?Yty?tzh3Q8t#B<^u)bVZu zmQB}#(i+Va*WfbzJd}FIvdKP08f3J6sln8s5O$=m%5Bb*+t5m0<MyaiUNYT`29<}g z>_{nJI6QY*u24k!L->P?z>5TXEiiCIEyXwzm1V5qT~o8u(^zPwQt6awFUyLnQ#JVJ zqRGSb%e<W9YTvapeMVVcPhRg=j!$<+DN)8towr0}%f=(*i9Z=AA{gqOw-q#MMGn+H zy58U!T3%x$eXzW&@MCU-_yLC>eju+k@hPjkKhp4gr$)3&$;D@bW!}ehi|D`nM20K~ zNUu9!`f!o^PT8pjp#mgI(QzS$SJbK_^zUifR1#3uW($~894;e*IXN-D|BA_p-N=a$ z3=FIyU)G*<x@fw~ri=cu%4V8jHq(=|dS=rXQ9wN)!uy*~1`Lkj`pH^G3o0n@MirEO z7YrDnM<dmfacq=HrZ7O2r=wo20^P@|xaqZ|V>W2E)s!rU``8RUcf}%PA2D;ogGe1z zP2GT-Da!5W>L|trcy+x@5*Vpb<m!?u8c@xJ?z74!98Wv0ABUe|vn}Uk$MrYQ$BygA 
z<YBN8CZ;&@M62nmrA61&4KD`iCWFRXO+bdnrl}Z=Xd7uMqDyo?NKenSje@Crjy=8T z>Yf>cszv#et){Jv)22x*1KdVJD{<%O?V446)ihwwBa6Blhl>mHCtFQ#8K+ItTL!q* z^o}dUqXx!_ab*)hkmGrcXeZC>r47?v>u_SZZ?<V>gC4eOY6FOm@Z5%n7M@(GP4w)B z8sdHDP~E_}rMOrR91z0DgE#YpXZkJo?UptO_<=mJ5bR+g)F^JuP3veK)?swG4yT^b zONo9^X62NLjSQz1lOlB0{dc34f(VIVBQhesLj_IPu>n|i#X)bQP8h<-c@jyNk^=SG z-LdkG;}J9*b0oo#2;EWakpM~=e}teaW02ypY@m1ue9M%kxXkNwdQhlZ41u-fJdAuC zc#S5`*Bl4d^i@E0!!2UO&|pJX<T5eZhbu{6Y?LomfI<Z9h&{s)Wgg{$Z-Pr@g-YPn zcB*I;%c?a@xtNC3Xj^zVLSO8Vn?qXs7O`{`2_(*rq*OZwkNR+<eBJ_H3tD%?_>o=6 z{IBk96DvVhL4}pj?vN0*64WZPv=Zb-+p-cOH0%ynLg;+8MJpkS1ky@~q*S|=5cT0k zS3(PTEoj}*N{H-2UJ2^nHop=AbzQX-qK{Q=)`EPbP%nm{)po9i(1~PY%YmcC)~<&z z71RqtL9Li8BK+khmxK~vD~fMqQ7AfzSQT=A8($Wl6rCe1irlL2>LciV+~uG$flF(_ z44`iH2~}x4?~waB^tOucd5|Kf%d}|6-%|USgF6Y=7vYr?Mm2JRI$A6;T(U$MWd5qE z!&QMmb87=G2D%0a@R-ZM6uydD0r>59m}<lxHoOLGv+VfpRxbl_*bys2qD|a|A$}Hb z;6j$bmcZ1U3WN-Tk{m?*6QgJ>-&}=u^a2ZEsha<e)9pn-pXFCdIoL&1Irq$}X9B=^ zxpy*#BVnq5(729hkIcwe=|5u641FXTIH_--C`&>rCTFM*8Squ1TCBejr(ye{{3Wa9 zYQr!`&5GWr`ovBwM3h<?EqQLl&YS_!(v0I?G=*|M#A9vE^b~wtfkL#`0vRv_E&vv| zFeC6k8cI`xug*EAuaEN<=EEg`@=jWH2d*V8=AIrb4=%_{fQd)M-65mMiRAidZY+Cf zqBNI9KIC)L`9i5leRHE*7fQ6{>@13!Qe~c#XuIKCmJZw*xaBDAZd!6ZcSWg?og2wd zjg22bD~iZCl~Ca(hh%mWe5M|up>1|p$`u}{7m~hAmi9=%z$$e)bSX!jZAxqP(7FzI zI?4rRTD+s!t86r>Fdd)UMpx&W?u)oXJTF2tov#Ef8(X;!p0E5swn_0Cz|df`)i>(% z;?Pi&bLi}5cTkYZRCSeQ#=4Ty#M6!QFj0WzE=WMM<43g5Nj!n2zI)*j56wPv`xAXS zB=kd;bI{hqqMfHl=Oa>pSZ~WwEzPy6nF^UkL0jjBc1{+Z4^;tTz3p0{`jOg3c0|+E zBjrqAp`nJa#M}BEY<RE&jL>M+rj{eo#uhkUX~2@lqVEJ68WhgvYT2w4U%LKaaf1Hv zok)MkHVjYCtq7_<MMwKd#v`K|YD=d<65G<_rRzxf>)~ZrkCsj^^aM=;v4t8+VnS{$ zlL>vJUV8GUGCecek)9|{?m43VIH0@mwaggg^ONVp8D%?De<cd87Ji>N+yW}j23E2$ z=bk^fcMuKZ{K4~waQH1dS-{6+F@!V}m5<5R9zBfcGe?vPqgG5*D$Kt4D$IGEsw8S1 zriDt<QiqAqM?@ti?5xw$3xaILzV0_j3WALss1&j1TX&FBD7aye)ZacnSaLSwz><K- z?8Vc&qH=pj9q0_<v>Nd-JL2-+XCjYyiomr(X^ymnt>%iQZ0S%j<KZ+I!8u8eb<B>$ z`HTydk2r*A$#si`XYgc`#?)HjZKqPU6>U*-+ksjaOC^e@OC*3$NS$*@Lpnk~chp<d 
zm*MUpNL?sdSzw9ff$YW8RKjv5knu|P>iQ!fWS@`-XK$xOh_K_u<#9@R&2}`hI0J4Z zd%aVu>n?RR^U0x5*xVCk)W(bsRH#_4r#K&m`HpWk<roTYrm|xjN=SQJv?HMQMpzKe zjbQ$LOph-wI*w<8MQdTv<b4kLTON-OKuw7@$p`{8H88N?1E{L1$JHdE$}PS(uW9+c zqU?EazOXzxB+Hhl-_Lze(w86uhz+CxBRNzQ(LhbaJwoc;yr!X7VdwJ>e`VHRc5Kfw zOn0lgB}YrNnp%sH^)M5*-Zc7RY<f{J!@D4dB7Q(Nbjd_mD9ue~uP7ZX<g%m1@H=E& zRN59>i3PZ`=cYyrxoj~%HGQy<E#|_Y3%QBx6}eIPY~*0Jpy-^mxb#r2a9D04O^9BO zF(Hbzy!jc41R9<a4oUnVJEEGB>`3&KWJfkQCE1ZyQxdjtM=ow@iS&c;@>Z=PX`v~W z;)d7RBR#E8th7g&=zEl}GkO7ojUT)+6qIwvdQc+J4^U3Vl7p2fWqG%))4!vXtT^gZ zYbC6WVimRn@FznKstsFLbgP=!@Ueg#4Ypg8$BLW8rTpPuakdWb<~WBPzQHyr>+~md zIN;9X-N5r57hMMVa^SJ4mpRodL;^N*O_Ju)QssHU{izwS_3aY12*kS(R~`{UqzJgJ zt!X22No*z7>f?xjHeZegh{^w=RDXOXBufr0E8)Y)GeOjs-TcAE@_=Xh{lIoss9Xb+ z;#DF$-C#g8FA%1<GUKp(Ol/Mn+lp>0I7V0sj<6=glIQ8O_samPH%1BFt*L@C?x zA+^E>nI}#lj|aWzkyce76PgjfyY1IK)5zOXj-9=_j`l5C^|6CjTb74~LR0ya@fRFh zsVoF0`N(^Ks62HX35XqM2t;WXYSrNp)h<Fi=}E<MjZa*q#4pIYht&3pWgDPSLdV$b zNT8x6;ERHvwT)~!(yMxF6?Ky6mGS>z#JU)y*2e|YN0lziXeBun*b3SC!4t;yz__mT zXyoac?Cq6Ef6h=Jr}InGA}>)<KWn*+Ssf8Up)d?Gi<HZ7ihbP!I#QVsZ*pnXRBA*w znAF`Ra`WTiD|g5Nx^xxS5mWFdD-gL{6+%5U{7%;~nt!3k?eL<F+=Q)ocae`%4QMM! z^XSq<=#R>SQjMw7k(yf%%#FCkdf%<OWT9s!{-6+jI*7Cwb-19~AiLnJk!`baZ~3O( zlAMDo3_TJqfkGmL`){c<b}JT8uj7#GL`xVOVWX2zV5;>*Y7Pr<Xbs!XSFk*nH6HAt z7ZFNH_s5WWj&!8t9+ifa+#A+_rozh3|1fPPbn9Pd*ZnGOW@9=~ShEZ?A#Ms(%FvW> zOlzeNae1i3R)`PBp!OZ;DV(_xs^2F;^KPR_g9sHIO|`gCl+ISl)foHi*h+=$NP*<M z5o`n0cumn?)O|6J8wLDW(G^dMs;G3ai;kjF9M-|(R;#L5eC%Wl-DtsAGjd5^GT~V~ zNE;0-+jl4zqdgv;Y@T4z*eu$S7wF@cMZp$oZ9u$2i+2_nRMZf~lDkmi#Is@gx>fb! 
ziEebr2azV_;M$-gPF3$>TRg2Xr|z+@Xa@?8%6>zPjE_w%M~pFkq%|FW89lK-Y*2*} zr*zx)h{v(rth0@wr6NQ&fRHl82@;|aoj>#h$8S(0dV=FO%kf}~jB1^)9#O3d-Km5W zC{DQ&lrE-N=^hAUxNZ7XX#d<|COMgmuoVpONGWN!(6-~2s@}FMVjB?8h9ep5Jg+*v zRmFNZSX-UyUJ$@C&O{EECW;Y4H&o(yDqqSCgYgC1LBSuTi6XzU8#oe)=KJagHOH_j zYe-qdw*WXdnC}47*5|7x1dsxG*IKY_<h}~&lv=H!P&rRuHVt6eIF;B;1YKrD*;Se- z&W+@!rg9^td|@tk#dxt)%p})w4bG;}G|DF-2=?<#ACysHD&RY{vhEWM!Gz`crfr5Z zH+iN{-)$KeR~f(<Oe{1G@vv-&ugbW_;9@$y4JF%=x~=M-hwmRc>^6N-nSQ&iD<*^~ zbsnm_5q`!k(g{tB7fZRRTtS^zC^Q!l?x)Q}H_#2E4Pz#B!ziIwn0^7rZVxwxDMlC& z3YbA<5kH)1ZOUOF`HTekL}}Sbc0{iIes9UD*9D;i57Y{PifA0=T5Yq9Nu%RoNvY}z zrMXgmawJ=tJ6I}B7de?UmEAv)8-?(2jrEQ*(zOLGrh$dMgfqSZ&OE}&U5<`*lP0ZN ztyPKhe4aksULP!($%xOOIzFCxNUP)E+3QwY!&H-ca|PKmf{hJP6Yh2Wkk1Kg!adNW z^s*O#h0{YR^_Y$L39uEV!ke9-$i@~cab=`P*Z|W9;S`0Ec;k<9esU`rHQ!dN=wno4 z4@k%o4p|kMoF33!lX(+HWe(U1N=i6oM_Nwnw#;hiEOzqk-RemphuD)kF`^A!6bVX6 zCr5bTe3MF<*)|xYn{&n$*#HW^(B{NPqN4Od=u=EIbUz~I#BfavN87$bC1<bLB4R~^ zR&|5CU0qYtsh_$vhi&4Na${&S$%_1iNCv_18lZSZu}ROfRy4r_-5mEInuK<SfF{|I z_B7#mDj>}HLkhz19x9Il!iby#M4MQ|y0RTgAM6VsO`Xoy8iOsfQ+D&D<6YU<g%-C> zNakZ@v`Oc>Bfb`kI5MKwy^%(jzQ_Y(sAON6cajoDs5oK3p(@p@lRswK^+ty}$+CO0 zbAgb?HX>j36}9S^RSm^auj0pEMm0<oNw{a8({Rh?nD9oiL1r|_`I_*WC^qob`Gmx> zI+5Y(h*K<6c+gkWswuqdrviDSRy^WC34DkdtVmrX9z;2TB7>_^fZ~DVGJ3NUS4R}% ztIjjBsWtHqK*_XgrJ-kfVuKBp?4`gXmHQ5Whw9Txz!m3$&Y^Q9QYrY2Og;xV%mMjB zrCgySE^wWOZ@L@<D6?s|0fG=ol{rjW8_{Bcqhgz}QA;~YM&l`i4Q;7K->(NJ`xLfg z8$>}@l(YzAr2&omwYX%}F*;06wyXX?8^$~JV;g?aEF;OSO&9V|Y>rPI0F&bf3fa<l zehTErz!j4dU~GIMSJdK<grhGN=o-+tUxiW~+}755e4N@5e|(MkV2G{*rI}?fke!T} z1(OW34G$46XEH?cYiNkmaq5q7dRDB8JayNso3;U_a+lAIW=q+*(eVOspptD>Sg*kH zP^w|yS~k(83Hn&tLX*7&)~Kb>_;~nKVZd)iSD{{P=CZ0LiiklcHL)W>-O&25W{eG< zk+xu@J<RY1UN|IX3a0l!Qb)6L)VO3@4EZoH=Lrc=q!$A_9fS^?QPyoBTDZ5$upQFG z#LF*^bAWh{uQID5y0p+(J0OtCK-~88C<BPf+$b3CTeAy0?X+SUsKFAgm9AWPOlu}+ zwnXlfb;vVAcX-4dXiZk%ovJZSUMUOv+2)G;UNC&GMO0}B@aF>N8C%M|GLJI3yLgp? 
z)`TRf3g8{zSga`v)HxNj2q-O4MQZZ9qC{OJ8^HCosM`xBns7BRQe)f}c|pksT(*RQ zS+81UU2%uI(fQ}*cMqAxEv5f9(LPug7wgM<zK*Vi9&Kwv=rO=EBX*^Jfz(6wE40&P zP{l63b8P&|z#WZ$jFa}Dr|7YWN|1tIF{}8Bx@Ujx!1&bqSTU0yD`vDKn$}#eIBu_% z*?oa^;ndg#);XEoeG6V=zBdih{n|xZf70q}4w2hyafCsC3Q4df{Z$-S93$kNq&zwr z2^efmjw_;yK9iB;lZpu&9WVI;80=C^fZWQV5YH`}L;h#pHT5OoX(**e03qNGHb8|B zoq##|kQofCo=Puj!$86qu^)p6w2L&L0m%hZC|MVhFp3g&e1$qTerb)UbX@vFmq(Z| zp(=dwW~#N6JQ5;EWT`hHwU&&Wa*Ao)G8xyiGhkPEB4{S*_6W-mLHscsI~F|#j`QTK zW$Kh*QQWs_rr|_uzV55fwP1S{20{TcYRr^P{w#v6`TSy}XB7CVjf!z`_Ok3;ei|O3 zi!pVKW+FjThZ8W=*edO&rtQ0-tyI|ZgiX}f-38MpZ`9kTYO8LwO}E;jTkMY^q(*gL zAGO>}LWLAMgp66P=jY&n(Mp5A(9?y4FKUic;i}v7;)U^sg1J|87h4MOR9YS|YjyaG z4QhHF)qO-@XX#O`LJk|uXfnsIfbprZJbw^vU2e5ip;n9-Z4n>_cgzsKZvvl&?U_E{ z0CL6xATTi1V?+)}_L|Fj^)lVHkRzuiH_*fx=u5=uHQ?f=D6qJxglm*vcnTT@nkc;t z5I*3^pin-gfypi8fe|&HO|C+-6NSmNT6_uT))pcJB@qzy7Nt@VVQUFWSY!*O@v-bk zDPK4|cc_>vB*YC*BDvf;D0-kgFN**ok1-0hG_=!jgiyGt1Ab~-4q=zbHoL?D@CTcd zhkUV=EtKXa@*~-axk7GwVtgc9%D0&b^*3}r!bjJbqgfM6o(KnF;@6_O-E*o2_g3C$ zY;&c>Tc>KME&^?HWlZt7rq}sDjR0=D8$)@EjJ{=5x6cF{TT7!chmr;~@vp$n&m-Q> zPRzC4Qfohvi(}&xxfsT94vUmiHPF9?IISAm0Y*a)1@pLqS5yS(7#Hrwfjm;(KX9*F z&|ORR!Yz2bl0(}rUM>>WaKUs&ojz=li;&4t+JX|7G0uP*lPsO~9(w}FN>wmJc;U;_ zp%4w5Vg`x}#|*Z)5_K8H%a~4>A&hnOJVa4vtC)csLwh7P%nWTVpTetSL)TEsMHaq~ zQZ(z6z-N?KQNqFzsoL@?tJ#KLRH@4gh(Z00?@`k3&>^<%WtMU(;8$TD1S?jxN{^`X zx`*PXJYTO?O;^+q$ES*=?8HQ_z>H;Aj!(~(4o~M)`-`+?YRUEN^faD}R4T1r4d`RR zkRl!fwWDPtbk(Rqco)=HjH6nM&ILftR{ax#38&(95g_@#1FqmsCo#EVO27|JH{atH zaYbAf?4YB#_$xt5WS;F%j@R@$6lUnZg2;yYpGs6SWvQmu)wS5**%=+@k(Ifo*F*Mb zaoQ*KddRxa@=(R8b+TC}03iz&nWY%CkQEZ!1ZsMnj6$?dv@rtEJ5f{=&UMW)WI4B{ z`~A}2z)G2cVTK+VqJq#8D2Zmxw0&SZhMBSqIoBhJ|EA4M158-93G{hq*+dKz@f~SD z<rwC;5$QK6J(CX$mT`%>mWkn&L&u4|Jr;G?EuF&%mybY|-zI;L%^@6i!x0hQ1|OVO zQZv$}qyq;L(G=}1>aJ;|Ap68MMPqgdZcq5JgJWR9HS0jT$})ySxg}k5!CWo+u4ONv zq971Zs7`@v)~kBiESal*M(f_mOKbLGj!og*qT?(9RH2-~#^Qi$9^;xF9a3?Z00(B% z6;;-4FmD3A;X5_mx5|38x&{o>H{F_Ln+8!494xoX4cCRsc+v5ETd$eGapA|F>4OGx 
zqJoWz2eXCT=-gC(G&eUs3QT+1avd8j|7Bt-OM%j&>6%#H0NXST979vDT4l?xt^u!Z zmaWPfuzUa;rZmoAhjc+WZY5p(b_BuJ3eH_`+^#s2rswGk#A4A-4I0T$PUnj`stV!4 zj^Snpa}$%1>XL4dA#@`-iuTME-2)4zZNkmKz)@7jd@4vM)9*4%4HAFIoqtguKvT(O zogua8D`?fXB89Mf#Knk&3_$2ILj3}|n?|o<q0*&6C)2J|!DZDI^R#4At5=;i8?`*_ zav4>;;cOzpmZLmggdUc;L<p_!Vd2j*wh$vBCA?JL8<N(Fo7C_X9p+!p^bhJe>`{t^ zMBAu=jY;0{1hx^t@@*z3f>VnW<&8!(D}j-VzqZlKu32-Ikwz66n>??Vml}0+_6P@C z1Q%(oNLisue+wFw>tLW>30lM7Sl3vjU`1|Bx2jk;mYw<<yIHC*Q@`+Cu$R=p01sXP z4--Rz*ur(Hh%a6w3=GG_DkCnPN8RXrhfos90NfQn6LV$P)O~Y5YLl-_I1BJsc)pK2 zA2<qO!dZYV=&4QQV$(0DakF$4w@a;3h9E#(-)avc*eRmmn3alI_N`^}kY~CX)r$kJ z(;z14ZQfW!T(so+#bf9ahCeijScTefF>c|`M|1nz;a8aM06p06Tq!>{axgb?NmBzY zusl%6ADZUcih3~Qv7%G)CoFp@Ya1ho!-&Z!SR-@_uL#`glj{OfP4N-xU5FRmXjg<8 zJL?f_vde&ZH#|~NV8$L|XoWU63{)C~v}|!Gnk-X-Tde{*5X6=&uJmEFWC&VvzX~BT z!4C9<pm?kaieO497i`N4is(kgg_zOtw`gT36+Z?WIm=_eAWW?2U6)4*e@2MbZc!;e z3@(HD0Az+H0%<umF?&ro3%IMg-tf%as#$JeGKJe=oRH4NLB7m%J<G8pfT$Z|NS?2| zK8yQN0}$Jg@2HA<n3%vKK9!qk!T8OBc}>G|O=Hv|88X!47uu2D*J@SEUZNDY%!u#9 z?MVMleXZ@sQX^tkb(YPxUrLSem%eM&CUws@-Al|h^>;!O(jT7rX?FBLTp!V`vaJAz zY$z?iCvAl9IJ<VsZ@G5D_jLWX{FtqN)T&W8bl(iPC;D?$OES+@Q@0P*^HqafgS46P zsOB=X7Ly<~qWs1gX`{G}Yl6R08)(#@tJ{)2$~M}paJ~f+UZiA-^&&G-(=EH}i68lg zBly78Wj9@3)Lmat)Y8bjlV*m@gJ!h`=LV@nvHBPs930%YcQ5*PaBxumclVxsd%A}9 z4i4?xy?6JX!J)3f-Fwd6H`oORw|(?oU0n^hEp!cTx-WTfkC7iXt-}fALTNP0{xI() zn7|%9Sda{Z^s?@zow}dCy5c$uJf9>&yUH*Yoq8Sr(ha5@-vq-TdGXj>A)hY=eg)_z zd)}lbVQkkx2}F^tf~h3v+MBqA6ITSm=>QoiLf|3J(Or=H<!~1S>6%^#-lEf}8t`+= zrWa@Cs$Q#C&0!UQi~?_><zgj^9IrCOs(~Mp7J;>czBc_bd1vUpF1>`0$lDdiU6S7V zH43(hrmMVYEt`hasOl_u%2vVbX1F%ui7CS!o&rS4FxAb3;i4g_+i^n^@KU!X7(z`6 z?OBf&_IuQ@o@4{dgl3C>8J;8lEjKe>qh5DhUwBQPB^0WQFc}@tid}?@vkJsAs{uQZ z2Q|~zMK<ytX_5P=`ssZCFQPD_l(!hWk9Pb2(7t{0{y#Xh=ZXFQWc+lWou0Ss^t|pZ zCK5P83?)PD?ORV!E1C~C^UPqP8%*k}pk&odr-6%nqL>_yxxs)J@7Xsvn4q59tFURl z;g8!mc*n~mhZ2+eYJosZ_V%h;rH2MVUtgjdT&`QlO$ChZN6Dw)`5h#@s%h52p20-J z_N^+I0ou`W!>xh=4-7aUNd7#q0<<0Li@sl<E8{}`@b}?#dT94~sln7>YH0ZU!Si>g 
zapIb^UboWALuq{BlwLITs=s&?o40lk4r*Zbf&_9MLe2ybGs|8;$nlmDhULJ(06>V+ zRzri7S_x_oOs*5sHc>r=<a$7wCYYT~0Ip^g>NU9XL7k-Vn^nsPLkVIPb2-wI-_IEW zC>1!S+t6SF`SK7l?jB5F?+AVr2)bziuK^`%rBSV}rBW%&2IIEngAvE}bqnRw!Jig= z2WPF|%cF!^r&1{`kzDu6u2uIvd?P93Wm*KD@6-v*+$tup0tUJ>4WMK+wK|&C>vhQ5 zS|VVvOmcSuaypRkAP0AdLvo0$f=u#-2|7<Ca*`BB+PM=9Q~=bh(x&S=E^qO~*arz{ zh#MB!4^0E4QYrP=;2D?9B{jy19S?^4Y0HL+IRhY#w$Zv{+5Uhu13MD{a6$ki*8}1; z6XZ5g9wQu}Z9-Pj-L>}P8%$KJM_TGV@k4)N?Eh6~!Qmeazz3<iy%4vL*8BgSp`oF3 z<^6wX@VqDX|C90a^69Aqrzf71=<4b^ef;2Pp{wgjS9Eoqa>3J1>+0${<$+({-qqFh zl!feMwyW#5>wn`H`l(%AU7&ohFxl1hqMcn`$Nx`P*U!7Ux{iOhtE(~C)%E?OU0uUB zc6I%3{ic7o^un&LuG8i(IWXGwYxuvv_|RKl)73R(jE`nZt6%%!eJj3k`D-8g<&Qpm z=+(pT_n!LF`#$$u2W}cZc=e(2`}W;<(<e_HfBi$JoOR>J2Y>TtXI3Vj`-gk~kN(Ne zKKc67cRu^pk3Qx1?=8Ic%D=q#`A468-TB{nVEH?LG2M9R;RCn--bc=Q?$_Q`e5?P1 zhYnw|blV4?wesi9nO(p1ANc$4JX_PQeXjStb84Ubuiq=qxC8Gy{`wp5I?+7so?9v( zeoy(~u7_`Y`0F>`bz0@x&p)YheDc)4e$v22@BP*}r@sB7Q=fgx9jDA(`>GQ=Uv~Ow zOZOdq@~@uqvvTFr#S_n3+4uY3`}g0u_k%C~%+DVDmk%$WDF4gze(TezS7f?=>(kd2 z-*aU6L+{%0k@T(a(SP#K$6oNc&wTcN^Te^EXWja{gS9(<{q217v=9C1=Xbp1mS5j- z<`qxA@U&k&`<^#F{rax!zxk`bD_?)zb(cNwLl3<2KmX~Thw`KE9XaKa(d8@G-?o@c ze%U`(d4ZMr?5%G){-)zk{+mDeo4-Ht^%MVfPq}&4y~n?N;<rzH>-=XN{pSZB_{i_S z=en=I{@<(K8*l&Xm(Did@Vzr`xcRS-@6gg0ANc$8KXF&(Pk#R4%JLt-{^rDU57frq z{@~MYeel`Nd)=dZZol(YOV72R{E<(Nzvs>$-th6-XD+(UNj?a2hC6-Yj2pi5rLWH2 z`0ZQnU#LH=^48)0_kL~S%X_{uW*)k@_O7p7_Km0C^jiDK%e?b$dBKHO^w(aQx#+j7 zBZ(`t|NOOg^^g8<U(x;I+&Awz=dNEQZ~g6SKX&|%d&)~)Z#pr1;;uIz`O&|hcl68u z@{Hx5I@f0gf6MAmT%qlM_?ffs`lnZ~KY#51efA%&?Y{QZFIC?DZ~5Op<$)*LD{sAN z_$@d6$N&D^&n~*{@*mtW`i7gH^tywuxjOyKD_@=b>b>7Q|6^Z&n&0L9&A`N07C!d5 zuO=?McF(^(@MlMVv2(}lo+G{2-+9)JfAsOce8#0W?EK<Ysi{j2UU!;v=l$oNc=?wq zZ~w2gTYqrV*FO7Clh^(FjAM({{$Kv^+|NAx{!g5B;~#zL&t5Q{d&9^7>g#WL-%tMg zbx(ik<)_?y;_UD40dL+_|MQO>|ET%eT`xW71M9aBUiIej?|$r1@?*n4f5qSb$I!j+ zddrtTH@JGv?O%O+^HUGr`;u3E^4gwj-+14DUpjotRo}d9_WkZx|9J0%Cq|RcJ+=Ra z-@Nk5t6ul!H>dCHefILc+kg4?%E!;T{59UyOSjvNhkm1Q_Zgpi)5kvH?s)LTsPV6T 
zM_+DCEWB;u+TZ`oT|e9Njo<m(5AE-M&Z+NS`GvOf5%+JV|KWuX9v?O4VXKe-)qmdo zp)23{?N^<cIiBmiV)C@^6SrUY>rdU6K6BTfUUuhMfAU8Yzj<o^4deEIy!I2X|NCd1 z^Xvz+uYAqh&YbCf&1Wj#7{2Kz$M3%AFIS59pYrlgz5CJ=XT1K+ulv&%UHRMJD!uZd z=X~%vH=emZ@!m_Gd(V@8@qfR0?>El-&E=n3>rcI5{NhtCG0ymY??cbkKY8!9?=Rka z&Fp)>efBq=ddtrr%KY?#KYY=}U;DkQj8{Woqr*S{jrYCs-%daJqf@6&b8ovd`O(tx zH(u+!$o$1yUz$1RzwVhf&VbFH@~nrRHS_8Zo_X`p=Z#(e<Tu_m_T$fd@k_t1ed~^a z_y6<H->`K1OJ4V><X;@$arZZdA6|cO`8#)2e)ayNPyNfu{cpT9@y|baU~bR-ufBHw zk6v@zQ<K`~^QT<$=IqU1yL{rxyQU^S`>WHwb^GF*rmy|siMKrPy|3JJ$FDy5(LK)H z)z=+-Y2m~f)<r#YSKYL)@%9hhb?Y-uIq?5J_`-Mm>Ycy-<!2xM!aE;Io@(Fu%cZCP z?&;6^`5m7;>rejZ7x}w>e#(x!|KxRl`n7@E?s)Rh!+-MSumA6V9(eG^Cyl@Du1~)5 z{+~VP)K4xSt37q!x2m7G=Yhe>>i4g>`sh{bqhG5GKJ&)0+P}Q#Z5RFEy7%01=3H^* znEBHizCZS|=e_xJe|BE&-+whT_my{?cY5wQfApl+9en9`@1J|!@!vgu{gW>F^wi+9 zPra;o!H-u@zx7$Gzq$JHo4;In=QVe~_3dB&{?GsM@0^2Q{HGhf_r+`SAAQ%pmzw8a z_aC1f@Bi58ul$e1zI~V7yxUBC;PpE`@OvNbsXTn+o~OR=zfT-H`lB=F9`5o!^|{nT zhmPKJ-wXe2diJ)z`oas(TE9puyy^IkyStwC)6~tc|NM9U<+g9#@Qt%?yYqd&amx$7 z@UyGFF}3oMC*S|#JumsvZ9Q+d{^3OzzU|!~c=uB7_N$&e{Ozy2!h6@dip%*k-dMip z$W6^NpFa4l!EZe68%K{0zvkhe{P-Dv_mU44&b;6y=I8(7tl#_Ny~jWOi)*!4|F4^W znR)n0&pYkwAN#j^U;LN*e|W>!UvuJB54`x?pS|no^%uPJ9o6UExBAm}ylmHPPyO%e z&2M@42YWtU?f&Y0_kHJ-JO96dz28b+{k|h#Jbvu{YaV#>>EHO>%f9$uKl#`v{<D1B zQ@iiJ|95U3)xO``c;3>>n@?JO<`>Rbzc79G`9FTjkB?vQl{fr%V&%mzz3sL){Pmm8 zdBwN?;jXF4KmEj8ZaMO=)*Iit@0?G27gjDged;ZDT=J{uUcK~zoi9!N_?(qr|Lu3~ zo_X2uXI}J~>Es!w_TTWdsr%>NFwrx2@Yeh(ZykL8i=Xx9UH04mVAs1R&-vb~Mlx?X z{kEq*^B@29!=JnF)o=dkYb!TZZlC>0{x9yhWoh@{J?m#r`N9QXc*`e#qzz5{;WHXH zOnmSDAJ{wYeB+7Fo%-}wWp4S-H^21t?|<OSH=lFj^7&t!b;&KyKJubN#b4h2K!4-& zXMgjV*A4vb*Q(zd`qH!h@x1?B`0nfjzxwLMjeD=Z{HO1H&MPv{zM=BPPd)GH+Uvh~ z>GyB3Uw-rHzvv!3@4?kuM*iSyGcS3^b3gL5zZ+`IWR86I%vWV@z2|EWzv5m0>(kF& zncDlU+KDr+Ub^EsjSv0PZ(sN8rBD2F<{gQ*)F1&Te&^QF@4xv?A6d_P4}(v>>}@~1 z?@Nng$3O7V&sg7o;aO+iesATo2gm;L%)8E=`RV*k?zeX@edhZApS|afiy~Q?AfjtJ zBSst-5zq}}a1|4vARq`LV1n7**=2NhXPued1(9IRc;JZ<!<o+nA|?zNF`{QgC7Bfw 
zF@cKV`%TYmAn1Ab-rf8Dxc$9%GBW_AKwH1v)z#Hi)zwwi-2o04j-24c_6b^7HB@M| z>&Bg@m7&#Tw`Q{*y`unfD1hrW6guTCTx|4m%RcKtR@;njnI6NRynZ!tO3e+AO}_hs zJkn+)D%V|F8&^8A>ACF=`He<wd{uS(PRlQAe@>XZZu<_Rxp&zhW51pmRof3e2`?T1 zpXrD0P`b1%ykAjrddKD7&*Dv4qxrY*2lrU(S8jB2es0e3<PDjUy+f0lC0%Y#zMI&^ zJSDeXhL_2ht6|I6UU)RXbhY<`ixU?bYm6*P#|=MWW$G9APVlu68u@!l)?SrmL6=K0 z7E0$uS!Q`1^Q#L#7akXuY{)dXN<~=V>}ec3i^w%mYhAOlq8CPH*eP4RKaEbb2tQ#u zV?1m0`mP^7ERnrztL}FeuNqN$>H5uRm+A9QR=;|?*1XxKIiglWdv2#N3BMY)dhNs1 zz?beB2U|;a-MshdR1x2wdt~x~pqndHs;ftZ5&4CIu1~sk#Eh%vd-RIx`su{=&xPxU z_&P<fjcudm`DY~K)x}Y3i!vWi9RBd$LgPLm)w_kwTdCg3=f)?l3>|h*+TjX(ro?2y z-0p{mO?w$r_M~Npn!T0d#nbJg=J~J7$1huUd}8v_s)8S6UXk~C>cVD?4}ILb^`LRr z_e<2Pj!6?n<iAdYv$Je0jC@b^SY%Ri>RMoncEg_wOS-3UC{+!mfA+|lw%Dlquj+6m z$0~PeX=KSE)yXR@q{ZvpOuJnCH8^m<V!mV6u`@C4C!c(8TlwhvwZv|{e{sz_>c);( zpJeT5+~HmOEf0xv<}C)aEblPcwpG6b%Z(+S%6kvAtT}r2%_M&H#lT99uxfDWqt<iw zm{kYHBIPCK%UUF#I?889{Jg-!DCOL)Bje6KN`1&VIl#EQ6WXzT)Y6l~`e!eg&ARO| zv#+1!;mYDmZ}RUvKQ!*@$FWX#7mqnR|JB)y_E`^n@JUrut|jdENci1!O3o;;#p$V4 z{M4pH_gu^f9NBLPZ?>wmWLN4@r&-18f6Z^c+J9F>LcBHRyLQX!7N0CK9Iggcxn?a6 zTw9Ev$s9O-^Oi2`9G`(+?3{HQuE+moU9~p%Rm$v2qspbjv!@(CU$N)rWq*9Z`O}?Z z%RMAjw{i!k%$~g9<X6k`vLn2z&p)lW*e=6s!mr8rE6AxvP|&IM`F`&&<qjOYDRJGT zS(2TOzaAMS%kF8{d3CeZUEwAz$1UCb<@kDGNqpwZIcLS2hRtO22ghy8$XW5(qhL>y zN5iIFD7uz)OFlM!(}~c1&D;Bl6l!GU=0xL9sdrYSyb}-7q!#4exlj~$>S%ZNlBJRi zFLiKD`&oyxdv$lr3N#6MJ}#lz`|4}XpO>u{M&zv)kBi$jDIxXY*A;gn(wv@;OW6Kk zZNQP&OYfav9f`2rv&4CZ^`0d=tYfoR#LxXWXL~?tq`EqB^nr;jJx_nhyL$a=q~<7V z$8O@ov)P}K{MTFf6)&!If57hNYwRbsA%BTW&OViI{P@Pfw;`oZhP=BlW7gG`1=WMg zq+1L2w|w6w-)362iZ`%(`2*jpYH@iD<apaQYTjX=ZjbIykW5|vk>5X|tNWbmm%BVI zyR~Y1Ky=2HoO##3HmhE2@@~ND4+l=Y&$E7%Kh%BW81dDh+%~bT@A%Cc?NmdQwovgt zXFTZMWy9<AX+qxxw^tPm(v&nA{lW5mUXuCqaKZ7Ifc!Bf*KU_wYg02|u73wsIGaB` zLeaV)()il*@T%6DuLZVC7woDi+g-g%d^M@@q0tM+j`=(<XRT@fQF&LdO{?xlo;qsI zUNXxh?QFB~>tk0-&*UYUsW>&uA3Tv2?faZ}OT9DbK<dCTBg?yQ-<WVNdBu*rvha^a zGZycy?ohobzLi%mQ!`G=li!O=uC2U$+kETG$cjM0)Wc&Q4Rc#_a8KtNOP>c3H^z6) 
z>tivjNrc~$!$%T*w-t1*v7GBHpz6U_5Xs9%cgjZL-7245-#&2M?V_-GMaP_XO*=7v z_{z-#jlXg-4vj#@<`yq;dOpACn9qig+%~Z-Uwro9JH3Z864Qq(Opkh%Sv0peKjsRL zAH6l)QdOSQGSal{-Rx&mGmcf1KTn7)|Ki<wg-P1kwO4*Ww%7W23G40kZ4Z~9bPIVh z(0qRUU12qUNnTXg%bVnmk1aG`kL8AspWk`>nu5E5pB`PEN>yG;RsMPOo4o1qMqBg7 zEcvb9vY7MB=CF=*5mob+T&{fmdh>5#U(B9t88l{2s$8<#gBUvC41ArvWV%V(*(}cC z-zE*^NfQIoi#wAY@!!^V>Rok{$lN2oc>ex;mx^aLN$pj=W4DT4jvZI_TXm;-Otrla ziQOh6whS29z1rwW%l79rrz*zwI(A(6Op!OxtZ>5ODUEkuics9XfArV<-tA&Lm~m31 zPi^0oOC^cM*B^xctje|Ny_5_sKWg1CIBTi<TGO)0l1DP9nm%n-b;-d}hHgl*-g7eZ z*Z^LSSGSD)%7PT9iZ1(Id;4Vjl;Q8fovZ?cF(`Iu)1eQ-(yu{ly<hIW2x9}Q=C^fT zVEwu|E1cc$qT=qGpp(Td{I_`?>{D2Nc)idUYkq!aPUe%9zhD1cGVMZHkYZ&g?Cufy z?hT@9?p2?58D2@rUxa?bb7PZ4WkD4!HD6Bzg}vO6S(8@Yx%XR-XYVbhmE2rk_^RSC zd@t1F&b{$sb2Cosq+dLb7n?ma3A^(!Kdg8AV*}I|QsZZgkH0lV-fNO)Y4E&G((HXo zarqkW&a+I?oR2)<y*L|@df2>xue8fMSdiD-V&|C6s<7bh=%$aN(l*fBgK2Y;jvdL` zL9o0B8T-wQ$Ql!9G{J0U@zRfOrIFnQM-u(Y*KCSy&VODq>Rnk_Qi(YaiNe%=$#aXc ze5`_UQ#Y$WUB3Hf_K~LU&dP0zDyBXt8|!vc<gxH<R#DTbotkv3s5UFk-aD$v=dI&6 z-m{DH4O!)p^&;G9g4xW3)1SiD;Li$5#=p#rOMC1z&UOoWes|%)p2}^9k9R^-yLQi! 
zrWCZx*oblu{#IbJuj_RF#Ur<hE_W%b7~efdicau6UHtCngk}f&D7VdM5qIfopF_?I ztOEj!{Z@`nEx0gke`|Hs#I8?H1gtu<dqL6exv}pAg^5iTHsUNXO^X}*rLy4j{8Jl~ ztOK@fIA)W%Iz4%EcxkX(=n?!lcX#(DpBpbb+pM$guC1Hjo8@w+`K6auq|f>6lau53 zCO9{Bv$!HBWYv+0O~WP4-p8(4*uPCqWXhI<TNb;2Svzxl<r=3fw@XEFn)H#j0e;4Q zE0;uAC`Xm{K5}4u_MYbxxw2)m9mbVwe)}?M-9Y8GC6`h|gw=i8EHFuPP7j-~Z*Pm3 zZW(d8j@ys(JKMe;&?zS}McSpDxAV>QV`e*=g-d!@?n}lqEv0euox7TGP{Fk=j{;3b zu*OLs)f7>6@7Jp@?&?(zUunFrpj$T+Zh)_`-^%2J*{0@ZoXlRTuN6V-v5@i!-fJ#I zt=FW-O=(&glj~R$o_e^KdN<p_Hp(~TnQe9XoZo#9yo@(*ynSg|RQUw&2|lX+-He7L z?B3ULujUt4&6$eOjm7OUHlBN*lDo~gnM_svCXD;Mq;pP4ip3s0_Nzpb(5Qd=jEf`F z9*$U0wB6^3U6k*&Xuic3A!+Jlnq~*9<0+^+h9f%`wtXF^=2v>Z2+Q72fnC!sV`FUi zo-H?$&oo6=oeVV3nc|t>c&`7}$@_OECoWr;lXLg}M&$go%((X3Y|J>QWxj8&v2mYq zt;TiB2}ntw{P}hJiu~cFo0E_U_wH4vw?%DP;aA&rm@x99^_fnC#;$AAzVd2R*vt6L zxc0Zv_G^q1hQF|0^wXW@Y3j6`EvFTs8z;2O*k~7?d@$E;X3d&o7S-E@)poCgn{!`o zpWez;)0h+DlkOp`?j6jh;J)rVw#mh2;rC~gvbXyR;^!Y8^<e3%64R5$e&usMWM<a1 z+h$?LL0PlYS>^4YzFw6S*)n}V{|-5UDa$5?Ud~ll8lRBgzLFLmTweY%|8zy@M$2{? 
zJ>LlYPRDlK-6Z_J@$QYLnKkWhhoUasOe&g^AG&5_2u7#3&IwGJ5|o=-p7l^!`tzVL z&FTxjGEup!xB5nq=EKO<p@Xc0=6$%CdP_6}WwF9jV-;OnmRmf1J+|;!H%`^FSL?(x zK0L~OJSeQhDYMjk=K|+OW}I_-laE%cc-+<Rz{_`IeGa&(*RtE5zUP+P-DG@1Z)M^A z3mx{IstD=nY{oga?^M+ZciuST?*7|Ffu|H9;$LINtXgVaxF+2E@n-+XpK=0IuC&YO z`Cuwf8MAHyrhJliuVUJ(g7NeHe_1aqanFY`Jc8z#NuCyTJ=foib8bfnf9%Sjerv3* z-^<sSXiimxh<}ZEk*V1lFzkt_YrC9b09w{&e>v(>-YC~(=>g)}<KbJgd$WI!S-Gq6 zt`_0<E0cqlC0|PM56Mj}cO2u8Y~!DMr}3x9X}5MZc_+y6ah`GdYKOu^(~WTNg4W?9 z@*ewawu|zWgl<1-kpW$KbnAWsQEusdA~R>&9Fy^%>}M2-G`4M0P13}pdH0mib<tdx z(C%O3%PqZ!Ony@{t;S@0!mg8r1s?NfZcMVijdV5JYj$8yzfZ+GLUZ=}Np>DqTsS$i zS$M2d@>5$)*|;I+IA)x4d#sXf8r|w<s!+cf^gP7t{`NJ*q8TMk7tY)kH7tsIM>)#T z&)Cm#+voGit{I=3X643r4a7QClr_t4y}?JMRG8m1Kd{Gm&U6ZGyC~mYu}2ZhpUSwK z-pzg%)Ad|`O-17&9;|^;Q!j2gRWY(>J2TF?jXixQG``q!vV2ZXk!&o5``x|sh9%vY z#v8bO)2t7faqXIV8~Zt)tBlQEXn*VRi2m0PwM#kU5a-s#yrS2|gmA88Um{g&WNzxh zJ+X}h?7X6v+eV+s6KZVRtm&7X)L!UW)ImcHOuLMp+aDYCxT$e}AKz!$&aGz@K|S|Q z+ciK_9oM8?M$)p=3`VQl9*Y|_JxjXo!fv;$?98}!+br_BL;ktvR~@`bck8kLs(zXd z_mc0$6sBLI3UraW%>1}!e_xx(g!!&rmih<hre5^LT}_+4Y1|{@P6n4Mv+Pvr$kll! 
z;}axfk8;mmuw`dbkd|9tn-(#RcdSD}=bT|Fha7r`XC%4I+88irfL|}_ySu+lL6@2R zT}JPm*ouQ%Ry=SIY<%crJ16ymqF;TQu)<UOO8hr<*ke-J;<@X910L$d?02bCvggNc zwdi+;)AUW=&pt9%c&bN!yQnd9{Z?hZ%6I!Zcus%6H_F{cfo6xMY(I#$NE1^mw0Kst z@Tf6~)&Y;!+w|F%BX2@}7+pCi>k@miU6gN!Y!kWhu70fO&r6+`nio5iS6EJ*lzMno zz@nlJ01I#K^&vOCx~Ry;>zy}5ja~BalE<m;p6uVLE*!Yl=IPb;ME6BSYkiJbpRxVv ze$3Xc5>|MsFI929$xV03gUnTJxAog#GV^_LVE@9)+kHk+NIzbmT<qg<G4d6AQGQdx z5*B{+=-Fu#COg;lO;pJ(#X4^1jZI^RFMk>Dd2CM44R055BgC2J5Sx7|z}U|*k6XZ5 zaxf=BvaxBz))l>mWt~VJ`4Q<6(Qab;sOc*bBpW+f51O03D7jCRuj{jAv&4(dWA8Sd z7+3XlkqtVu?}@`NmK`#S=+AGHZjvTWUa`pR5NVn9Q<vrQon5O(L)}Zyx8I)rGnCpF zbfKyoHCx*zr*F!~X6gx1H?m`Qi+?dm6aU^3{?c1v+KimL*T*U=Vj6Fp@wHbWpxc87 zn8;cw@0~jN*_wa#=MIs-rxP;ux(kcpqb};j>>jpJzKw6&W^k`$dx8RZEZ#V-@u5#0 ze=38}l&$SDdJ={4{eF75TR5XA?Uw~1qH5b<{+jS&Zd5K_(luvT%1`Ywdd4l>IcRIE z7anb{2smixc`0to+dh45wH#Z>j9K5=vzmv;!JAd#SH1eTy4Z|-l`=nTfO-yS{&CEh zB9oaPx5sq%H1=CLY~`3f_5-gx+P@?6`6^+xZJX&PY2y6ZzyE$|M8>iCPfVOB1l;m1 zb1SCpI{L9{f7K)#&AFbGERBuK#tWmyue<Q_nPvI1MLs7pyVkUoSXB3}j4A)(MM>?B zF##{ySI$dwn|l1$3j(fs277&WwWiDa9y6PUKR7V3P0p~CpmrHOR~2@*xjsbm;O9@* zr;aV};621Iw|T!`qKp^Jq41e+k|s_SEpDqYJ$dq?zp<YqCMM%ry0<%PcHmRY#Qq%_ zAWOO?Hfr)#o!YJCX3w?OZ|;oQe6dGimzj5e8)cbXw86)gV#*t3PdDVw9<;2)MwJ*_ zZs|SUsioPFbkFxu3$hytt`6@xfKpmhdB?g<-}y2+p!9um@W^IG*4HkUH;LMBv`k%@ zQxxA{y_mh;Hp;hGiw+;Ved3)s>|4N6ACCAn$-0wtj;WK$_)jCOLUU6u2Ir=h;|lYk zrsMh^cUOz|{^r!wIxFp$Lr;v%%@0joxw&vaknN-;BY|S(>^9qxGHBV_yEoIicA&b` zCd+i1smb^RdFt}2+*E2xx%k_dcauwhAGECG!omllYTGsoKOE1UJ}B(iDrH{8JTQ6g z==x#goDw6;($`tJBTDxy+1t|3Q98Ngs$H(bpr1b%7ap|Q*|=Z+@QoA;Ncuhy%`Wj; zo@Azsskwf;<}@|oJ;J$hUDU(3KJSw7BuIlTU(&&=^GuU8@y#IE`$p#7Ci`1HZ<6(J zZbAHffA{LoNg~tn@!T`rh5K#WtTagzue`T7WbDh<C&sN7Jy~0_K5u4fr*50p9EKM( z+3#`EG`YxvnUb#s2i}@q(xL35gd-3Sem)?xrrio#iT~;F5eG_IRWD8+{c>^97N2NV zcq-~S>-EQO&5Atxwhzp1>F0Q=m3eYY@|8pBzDa@n=X1f#jhd*<D`VCzcsb8H{l(|g zQ_FeYy=LC-G_zk~rCntg(SF<DR+RBkkzmni?5I^8)sis*Tk<MG#9`UX4plW0B;6cj zy=KSz_gu<KGB@L#JG_3*@K#30T7}==+S7N$!lEr_cMVT1L<enc%L>*Uvm18dPC@+q 
z>oZK!#3i>Ya#gvr2ep^1vfe$g;_B&-v8le#-}hO3!FYV`r$N?dF7CM8V^Ps|ACIRN z)17DSE!&=CV>*6-G$ZEmMLYA;6(J8dtt>iJeJ{$-BrS%08td5m?W{ZR!!}aP6;d!D zbwHANKUee8E2nnYsMoUj>FGlcT=F*V?kWu^=XsZT8~d$1u^06<d%%iv9@W(8d4+BD z#d$^B&*qoeYF@TD+%mf9D7I<~mT_gvgUK6F3T8*n+t{+^rh$z(S&be%EI2a1oHL{C z)*~Jr&ySy7)R{8ps5M1OX`sobB<m{s7`ZgDdPl*L`G><_gmKcR-_A)=j$P#5XZwTD zZi}q~C<M+7T90ji5Z1cFp-1la5KT8D?vkNbR}P$ar#y74lZ%^ZN9PF>ireIb0mzT< ztNSR4TvnWoB=P9RV?RyYFf^qpQGWT*So^qs_WY<7{rbP#E~@SwjIqM6jvBgOo>P)O zEy=n~hSQ>l2PiatF4APp8sv6QvOBnR<#Az&2W5S`nQ_qGx7HloGu@#{|E?Jqk2bB^ zmE6Z-QU|}zH&1MzvN`8X<I>zD<mRC*$L1Do_i4@wze@JbcNui{&6PG$2eU_v@0b&o z@+9^0<msKTCJ`s^Ndgb{VAdelB0`@QHTuMAa?s}Tv?!@6?cLDz&TFhU-Cx-AUQzA^ zleA7w?_1B4FDlv%z^*Rb-Ke6)xJTK^+~lI)&SqIR_1h}vbiVrXnsc`+zq?=E(Jo`7 z@9hV<my;&uvTK&VIyx&%{jzn=*pw~YXZ#AZXZJ=Y5+V;pmZOg{sWsuRN!9`Ax+`M? zJdU)B>8ac{#Bafo1mDQOt^4<SsfXvk;0}r_b<_xcnG@IejEGsd?c8|&i2JfeJg1_C zt-_N%h1Gqoj;t8K%F3FyVw&H(DQ4XkS%HP=%|U@^zxVuU=BCT0c$>T&e?4q<XKE?C zATDRij3Zs#9hBS5i#~j~vghc}HofLLQ(`u;{r)b~wwo+Njf+>hJ)d8++j;l6WVKVV zZ^7kw^X^+m9qgq(2CSZtu@U7(vk8aFpweJ|)~PSQWsNK3t1n-jn)bGRl}pxQ6T)QK zm<RbEwojQdOjylnv&tmR`N)fklY<8S^ilQNMDp^Pt;JYjHRsZXtm{Q-et37I5zWS( zpUgWM&}G5=bxGDIRHu*re*N>^+_uyF9vv@U5TPkwvuR$(3l8~>hjcG`d*GzTe8G{s zqWzq!P1<F68J$%8x{p8lX~d4$*`Gb7iLXivJp8IuRhsUzZ_i1JRoQBqz7NQZ>wvan zg|l;`)@ynOTx+JR*zI}nbj<7Zr;nVzomrDsUiP%l#l|&VPP~jYQ!YCh*tl7|pu;e+ zxfv&=+tk8D^MoF-Mq_>!UcK~!wKN?^dUVgh&aKH0?vdFu*1U2A^tRXj2f3T97Dig+ zU@1d?O|sr|vhvxZkr(-m%U&%Pxj7B!zsV(R@oh8IaoeLq4mEL6L%W^-Tzu_qzgw!E zTTfMt-I!t<HLw54L1E9-ny;1_2U|XB>G)ne?BLj(!xv^gv$a?}Vqs#V4%gQgstb>q z6?S7BNv}B*c8+V*{MNR@Atwjip1_+~yw+#spka}>#yRyf4-ejw+UM%<k4ugV?cQGK z!CsPVl6E$$`MVu4y#qdUt`v7WZ{2aXALql}D*V=tf+H6ms_wL(^(^f|e8=)ds@@+C z<RprsBVy&{#onD$Ow!J-joRpWAkyc(yo=H1=||i$Kjrj0@3FqRcWQIN<5Z#Fq)D$6 zGOCT`D%%y)zh1d^K8mUb{CD=@oJH=dTa6pLB{k0I$?{ic@`HO=<Rq@>f5*?`phuNY zF)ZnBEV;R@yhU>Q!0ShZW3`??q9f;R(Y%^OqjyspIa<8u_~JvKv^V=KJKt=~n6iu3 zk9V6681bHHymp`Er!F(bAK9N*5xFttndi8Nv73%H;`R7c93I%usGKNX*{-VQ`1<wL 
z{8Zl^Z_fXEFuR>YO*>^&`uWYdr*D)MY|5;$KuK0O`?6?VQ1R+1A62C{1!*4V7xKH> zW5>KRYnGkayA|6OyC7Rs6<c~%kapDU$)uA-Gwx)Le`sbKHSh3G+Y6h1=^Hh^+X72z z&q$1~TB}xm5ML6X>#o`vzUJYQsdHAuo4M~x-gHYa^;I$XFu9<5kk~OOw@s|E=XldK zo5$VD-@mO}vtWLn&AfO~<f<D9m8}+!KHEmH+qNgVQoZ8#G2^^jnQz_mHNS-(`*g3O z$BS6&*X*aBV;_2#J>^$mJ)anFxpnX@R`|Jl?+JFhd++iQm6*@lkacW%64$)OqO2b= z%X4kqyLiu8xJOG*i*t=GMa?_xGh_TF^T}V?%D{BL?ovr4=KESozO_)flWiyR-#vWw zP!;ucX!^<al}7o}_Pe~)6!YY7{RmY=nz&v+`1)SdSGZ^5&5;!=I@GxOeCCvo6`a0U zvglR&(hR|}lDTjCb_onSbF>wE$s&`qvm-h_wcBL%tm<XI1mmD>#D~vGeBsoL4acPF z^0*%NxMlo{6VE;Rdh_A{&le@f)|~0a^Lf?11&4oQ(yBHo7q4{Yq%4c_jeLb19QXQV z?sN7pkuNL9?;bVK?Rv<BZZ#8pI(GYf`orw_cIC3N{hl@5`+nK({Al;=1@W!U9JOFC zp;*`NdPGHnwdAYu>aOcQ*(y6#JW2lWzFU}u`QG;)RxDG$ox$?HXBHCEoThbrUZHs9 z{5i4lf=#PLC9P7<4PV^Ed%~~NhLkL-_|geFbHBv3bkXwk5+Qes=9jc*KR<0Aj(<2Y zb<@g$*A`+US9M#|dY2_xo!Gf#0Pa^_)5CGav!IBS@%Aq+Z!YfV;YKW2!EL;GXvY&r zCF;)ZHD5mr*7T3L7jKpMa^7L*7mw~wI5_or&BgL-xvfvdp2)aaG|=qEf-qk9>pQld z<pt%oxotKnG2_gWFSn=Pee<EGgM0hvdG-s7F3Hxfc(K1U-Msis?yTya^Wr1LPdLw> z_wBu`V2gc?QAXHCSf;ApJ^I>tw>b;?3>B5MO*uDWQifNrLBkHZ-{pL;DdlhTIJ#gx ztMLA|!~p@<B3o7evj6l^{_9VIk2%tncb|29Vl=GnlN2bo<9oNfyw8Q97lwBcmRO{4 zf^yrefVyp}IG9!-O&VyE?|<{!&4a|WP9>e6mL2I+6`%6;+4bN#*}qR&Ze2B?v?y26 zdd?D)lE9*Yj-#Gl8@r9&*2~yWY@({FE^jr}IHv97NcJ|9u$-D$yJ!44%^vN{e7WfQ z>ZuXcd$)zWSR^^T_D+|r4w@&L(k-aV=bH5usry7ftr)}#XSdz4p^(_x>FdxJ7f%#m zWxGy)wut$7!#T6xoI}Ik6?Y9)NAp!r+CH$&ICeb7B}4PDN8ifl&W}!ddS4>v`#YO) zQj7!_JcbFUHVq&8>E}?h3ZnXr&*#+Pym&G+>{#(n+n40G_ZYge;z_}(OXWv$kDvNl zt}5;AGqC@a&_f<o9&OJ3S}^b-d&P~2iUEzY_(nyiT15oiT}^Jvi7eeV-sO5xj%!uY zo?RQp73O7FUMx1{^s2aXSXxHB&pE!Uxa73uT%XZ)QS%yIzg-gFyx_^UOJbMvm+v-S z*L>>Y>wc!E2kgAOGHSt;Wh1b2`#I+MCaghL>D^*y<s_0BSE}z8n6^H*XXuAqi*q}Y z@yjWaPkoe)7iCqiHl36-IPX|M*)2u)>PxrQPN*s{U9}_amt{6<k}vtBibo2oj^%b} zo0xvXX;bd*9-p^bHk&_lOOkc4dHUy~IZ5%IV@wylS>9ygG1Bc`@$*X08P9)fpNPjq z_zs?AL;e!?*ksGfS1s2yEAXgVzQ)=tVRlVl(^*Fcp0Zr%;}n$JX4{hdFKf(l2b#S6 zHFL<#Ypy0UDiT(R9+fN#t%%f2IX3+!;r_*<*^(7bo4ftIynXHjGme?$jODGh_VeFZ 
zRVG^6zV&DqXV1Pg#Mp0Rvf#q3zCTZGlvQndO|<w)UzwT0bad&b!h8D_3tOt*xyBdt zZr(xuVCbY(0~T%IX5I=}wR4Kuq8jYr>7rxlqqlz*6khu(E<Zlkxvd!|MezLT^EF7{ z0Zpnjr}}9sPIojN-EZ9D8tYsayQ5PM1Wi0-6(jhVv*n;uUa7NFT-(awQ7x}@j+0#$ zEy_vUIpk57?W{hoXDk=`WR1*iGcRi7%lrG%3a{@Msas~pr*vLn`XKj6a`nCDrRpuQ zQ%VMD?6T&V@XKDVTxql4=!wt5mM5nqnQrwcmcPB6A9sA9o8z9(HMiDeI%a(x%3ieN z_klgV94Ea(#;2`K8`$l=yK+qVtMZvIa<Su>y1c_l?6=X^`pwC)`8v7(?oXkU@9ag- zwVwB(X_SqLjmfYp2NoNxy)^B4(&eaUp{9P>#4#TZE1cb0H6g-3I#Xm{<6hahGx4hC z&25wZCjCp5ZMQ`(+x%>2+MO|D<cA%HJSubg*je#nv@~(?v?sntHm$s~#y9zaL%-7# zr%g;OMRFGwJSg-P<v!Y0W7B8slDoSSE`_$xlz6Y4XOiY)8vT-=AJG59PiNwy%T*DV zr3>$r-)vl}m{U?(D66RcxnN2qcj-ixA0j3n-f;@M@nY+mklnq<Ogb?tOFX-iQ*gD% zMfXz+MM-UQTbfHouG+LxW?YR19wZW$o?jN$Vej(s8(Z5(&2yf6dYLNVT)?HZ$e9x3 zVW%xGH}cu$vF8q}f0M%J6|Ib0t+@T5H1J^7?@?{@AODu6n#w8q_;lqWQLAG$XDmEw z@b`-Y_pG=k-8*8%RmUPux<cYKd6oQ(EUH!Bla+T9a*aEhn>0(>c74Ft&i9&Z7=JG} z-93{1u6qlz+NG#j6ZWFv#(o>8ad@gnc-rcTX`f6pR-Z}mlZP!deXf}*Z{#{MuJFK( zSMu3%)1gTYm6P*+yKXX87}IiphlQ?D^ZSK3Y>tpOp4d41_ST}U@~VUVeqLN8gW78n zUgTTsIFUW$LfrOD^PcRl0mgnCjk!G4rOOdt;w7K3&d(1lokDzx>s9_NVy8GS%qcNp zr}38y>0h0~pT@gaMR`3;ocOqvZOZI@8?QTAPg6Jzm_NDA?et5j7Q0QxJ*kNFk1s!e z@BX@dQ9q$UtZ;UVU0LJ$@7?z%=Sa5#o2r<eD{ZDND7=QX>@Zw&+H&FC{sYZ8DZcBD z6uNY~{I2J`&n+_MmhbA5`gNPhxE536SHHcr{m}5cqE<d$6PBB#o$dL1aisIfDz_N7 zg4?+le!r|t>s#5eGSOq_gr7H_^XxO_W7)nVv*wm}j(1<+@3?^X;_MS?HpkiTOX?l? 
zWZW6cCH@Cm42mrK(&FT<PMo*Nd6qxVE$>RTKk@g_S+}{|bI*?#n{m7rlxD3n*+IUy ztbB8PSFwts5}z_9da7Ta-cs<3hlK01@Yama{E6nnCdJ=;xWq(b{A9*g*}Cm7j~1A= zNg2N($vV~eMZDje@QQV(QZ?}5rtUwTJ#D${@H$rZ_zM1r^k!}SUUqtV)%X%SVqKDT zYL5j8H`h#BaYN0Scf{1))P3f;#IF7wLZ=N(icArdnC7Uqu1hcQ-s5HL*K>y8W8CXf zn`uYRl)kf#c42K%|5SB(@>g%`M~_2`;_q-q^_<Zz!^=_Tdr-Rao_UwUH!l_smoFOK z=i}|&`$v{e(C|#YhPu4V2~$rR*e8W^ZO#s#w$c3dV<5MZHWQG_4yDn1k9bD6>~B`s z^2?HTJge-y+4Jw<gEw}fWFaN_izQL*(Po3uzJ+(HT26VR6!ulRWv~wP-Z{GFT8mX{ z#(a3(Wva#QKI|oPP11apls$dEMlr9O+0mb}u1yO`ig-%g+oX(g%Fk{YHa&9uwmUCJ zzk91#<YC`>o@e)s?0{YI-VT}9s~jHKM|CQAmTMB#c;)RW145&mDxv(P+iKc3RlBX( z)#>TY(aqSGMi~2fec5{C*!E3j&&oSoSZi{#g}P04Ms_RK*r2=nC%ROwJK5s#+e07T zJ>CZo%DX-Htdnijyt70Zr~Q+I)_J1U(aPr8r(c<09hdidp-HvrG2%drPZGa_eRn=w z+i^_7tec_p&aT~<WX<MBzpAd<FD~v8xBT{(+`+j`B~`;GuAk(ZeS0UTylZ69t8B~n zJ5MfZyx*u=(BHk_MviNh5tE#pzHj4o7wcsYrJK=1b0Y9YXI?e73A%fQ>}B6=dE>pO zET6yWXui*Q?6#eo4q1GX%vm+9pK{IcBG*<Hal?eIMtSw>ZpLYS+j_xpk2JS7oJ)(g z+=$>lY~}huxo}2q2O}b>NHg`tP;SzVH?1FZ%xGGW@nDii<;Ihy?up8)IcM@dO~@)d zbMxk2!J5(6LQl7!^45l(<7MpUHNEfa`=`%YW{s6TSyDL8?QWN;nA6>puRNOHZ9CO1 zqiCy#Wc8WE%Toi4?`$>8?4K=4XzsK2mCJB$|3yKoW=;7xX~|aypAUkQH}CB*y;*wn z(8Om;7Kh0mbWdA)wV-;K*B(D(Kd)cI3v!&-UcTLq<K{AX)%`0Ihc>%Xc18HJ>E#(7 z-F6vu&2uPBpT8n(@)?INgtY6_=G7^`IXMbe%5v`A5Dbd&`uFGMwJ{~4+<2}LSyjz3 z*?ih^&RqW~&jy8IeXAg^*O}(fo|9&|gKgg~IJ>LU;KUuira`%>L*YSf;(lT~K6|#< z8Ex`$RxdW2?RdOh1_iCxa+9>VbLXCI6q4Jfb?eqEqFCW<Hk;kn-`LN~%L^pj&7C{f z-`<SVx^?T6rkj(j|Lc`&z8ZOtDu>$Uzi~D)GO{MU!$~nrA_DptA|pq8hrV0~2d<<2 zDEqzwCl`UEOCNiCfxZ2hrw7;9svyV2s3f+21qTPZ!blbSg^`hwk+1g%uU$i;rvI-u zv;6z})4w0s|Ao`%R>=_sN$_NtXwsi;;}7<K+dDZs)Y<>#;NtB1@BXiU;wPq$Sx|_; zc`aN>0m~5qq{IkPiX+5i8Q4>-#0ZpP1p(MXO$hi5oA87vset7uPlU<&%-<{sQqw21 z3820_C!RA)j7kxL6hK5Y?C9bua22_V+z_G2O=2%{a)DjNlD-aZ?rwcWVmFbC1LElD zDsggvoyAU$_K3ZUlhDc4(O%@@?B?p|?uPUgy0di0SPLMwqrIa&*S;^;-jPyG&W-{X z7oMAodtVo~KK3pGCwn&Qe@)>3=f6KI|37@_lfmzg<loVu?)gs+E-wGd|3C7pE&mYI zpa!TX(#%mSe@-nxkO)(VQE=Fl0el`ppZ)!>r2a2{KOp}EB2wWf8OxQUBr2uvBl%Nm 
z;1A^A!O6wB-uW*s|DONykNm8xputL56pcXss0dLI2*jML3OVxZSyoosLsK*w4G#td zc^EF`%jm)c-{05Mdqjvg*O6z>BV$MwRV73ejmTlG&Y&;wMhPflaDYEJb)H3l0;9D$ zMeP8p1*#DomdPMJn?Zz1E{E}07W1zF3SoHBun?-CkHw<?mS8yD7_6iZf?^KgAaPhU z2@ylWSo&PAZ?H6dC_WhtlQsmTgmF@bd^94HLqIrq0NDV2`wEOi2+%UB5Tj~Ttb%2b z=V)(&rH9VwR*_nJEE)CWIog}+Xz$?0b$9C9mp&HD3i4HmDZCM?ebFRXia?<_3ZQGE zQBia)^lMRpfRs3<M#YGj2e1|J`S+7HLsO?hVoWp%!RcrEL{4zbF(MA4TL{HbfwoFR z$NB-h!a(bQ0@{%!Xwrz(2%rHZL}ZvkN<bu5s}*LP2?4|&-~l<<^Bj2gY%N$Xgg%Ld z>H;5t0bj)W*8*r1)r#k6Z*aW~0j?xKAPE|S=x!l{WlB^*UxEjra*Ak}1X4&*MGUwT zj6OW(-wCFH-w)`2a3USSmBF|a`Frd?=X&;^v!lzu`v0H!84R=lto7*Q0~swvnf?et z>U5SIkpp{=?K%wA9xg9Zsss?*nK>LEm7@(5cd)Np-ko}!NMFCrl#h{9D#DdH8$3oH zLlu+$yMp^$e?Kn&azu=(<bOp0{IUEy)|G!(2giTq|DX8%MfrEGE6<MKm4ElT#a+K8 z{?4_;-}PVd|C@h5F8_oamdXC6`M;k0J3Id?|NqGEpOOED&4oXff9HSY|8M^Nfc!JB z^d39DCs+snx6c1}aB!{X|8a41_*ee_i65*`V5HtfA%aOn3S`y`CShtl&4QJvp{E8` zDs_(z4!piRdseN*I^Yf9uLz<UCS;^P2Z9w4CY*?fNG^R~I;MbS;8bz2WS7GVSPB9R z%!QATZD6q1kbn?7`aVcl0U>f_G)$lbgef2-hC~zuDnw-{84J!_#}p7j!U{2riwUj> zlPhH?tPmkQRx~C@^zLbmM#D33JY%?&&q75M*4h$=o@<yO5R%{%BrKX#i~Ui#)Zmc| z3UD19>|-1p+;~cblr;&7)nK?71k?;1>G}s2SJ!zK7oxvuk1j_s1&a%bWGaG0aByu2 z?Y{uf5IKy>1bU|iF~|U87Q{I3hcG^OeR)KTqoP4#grLC5Dd|@5B)G0Ztq-hv5dhts zz||2-ijvVPp`nLg`!APvH*pQ>*NGnduX+C8pZ@ok^gnG8{_q6wef{t3YVT}cNB=w9 zJN>Kw|B;`S6*NqS31J!J1;mzdpDJM-mLnvB6D%t$C`g9D1j3=cyks;?(vDwnR|BR- za2yrWm;2YP%z;paNTw2_3Mph5Y2+|hN2_r9JaZL6*O$_$(05>1SwWu6E#<HpMrE*2 zrYrFcWCiq_U_^=%Bu>u_;7yQ9CJRACI6_h#V$o2*l{Y%B7C>?FEGr1A4MG6PW3_*e zfaQq3gaJqacnd*XgTj7DEd5niiy$!^mLi@qm>?*yAqLMNrogCegNc*rAfrF2GB_g9 z&sLNMrnN0l#JEls8^|gNO9?*JX8?+}@wHuJ>Y`YkERXtNSP(?QQtgb-6(d3vR&X8c zxwr!h`0+!SYu;f!ae^=zDvD(>Zhmk<0C3*h43=r&Si%NEB~1TFSPG#8WFvz~gdlA= z;ND_z7d=(nS26-4gK&gE6r>FePDcd+pFc?@L~sQ{A_Nb`_+m^%@KpqYbEPU&jPOAN z1m8-DBV46QCPNicF8vNbqBuZ@ssJ)<if$=TNgFE$H`&7q2*z<Z7Q!U;IDyAdgMNbK zDuRTBz`#)f7<3ArE^a~1w1g6-ES1{*A{y=(2@{hDzD{<yN=(ev*#dm3Cv@kyN*q<g zB*N8>HDB9XE6`sZ-%>BW$G6(<fRP|^6+#VKET)1q;8q$LItc-%%_9h9mEmx$U>v4^ 
zm^*o_tRP<!B2~D8fQAeX@d1K4VsL;jBu0cPsg%+Wr~;Cs3RH{;4QTN_dxI&>1q~B? zD+)XpQ*eba5zW=XWkGZs0tnp6P6sGSoNAH8K#UIsBcsz}1_q);C6iG@1d)hbNiip6 z3v`~=C<9}NBS1TXv9zNE%?kV($iNfSX%Sqf@MEpfz_hPx0c3$lAxaupf`)34`mDxe zDmfB_;Bu5;;%}bOutG{}T1=xra5}n)KuSu#5F}Ftl4B|b3GN4=5Dr!;1{0wKf(s-B zxE7UazCLgk1Tl#mT1qo|QtL@*Na-}JcJyq(XdNMK3o{|Z@2Q&qy0ZCisvAZGYpWa@ zKW$5YLEZdyh4c5T99@s=shvMkJWMRyki+%Ce@{$7A~B4H9)XdF0CY|ijcF8Go~G7U zkOY&7DKmk9#F&E7R5T0*1P|A8Hw}!^OA3qx5QK;f)6^Fu-XDMni$)ZX?j6-O!&_iL zwbl*9hE*iSrVON7eFXZ2r0?($MQboHY&2lQ9+4PC)fZFZE=LuJm@=X8UQ$XvIgpB= zl#K|J%VC9>5I|9=7~-m;1mNFc&{RmIA|bAr4Y47v#4(BnPa{O(i!hkVVkxK+l?*KB z1C@v(BpQ{FOd>)wOhAN4M6b}rv6SSB02Zj2fNUv3+H0>rfn_pGgNW^zSuO%oL2@`2 z(!jKap{+lZ_%pQj(4woL`YA*e^pry(LpP$t#PtT7QBWR0KY_6(qUEDOqdZZx923_r zp`A19fMFDxPAx+AK*fgwkPs{*5nMsd6@(}n5vybf&Vdk~ln1dX18@?XSI><5rqsb= zN)=MNkIVQ23<OcGl98xVhH!Q5&~~1czF|s|==moI6W14?|5*BUX*41lB51z>YUw5h z%7S1)5HpboAP0MU%6>GUC3vI97+0er1R5+7QB%@?j<EhcL4)SPG-y7HdBHT*;B-bQ z8)|;WB=kVz2rQ0;kQkHz_uViMAO<9lGMm5$nzw<}i&26CO3+y=DiWhiB~jg~x{I}e zz|cOL`oqXfdOtuE5vC9!O0b5fs_-eI=*EtD$5ImDN<DhQFtnEFYt;z|$7Bf51R=FZ zMHSIrZB6_ALV{Sh5EeB6&A`XiAca+c2dGk!Dq5i`VS><LxR`mXeFXPe!D@uL#+(p9 z4ti6Sh*gN9aZG`!2%rQ}5|U$LL;zt54unZ09B`RCiA2Imr7TwWq`^^=)(YSPvj!~k z2K<MBzI}PFd|ag<Q8~h;S&XZJWxQxoF0&dI>d6fo?9cW09_{T<p{+;G6W}I*Y%qz0 zS=bE4F*!X^tK>r3K#Qu?(I`laNPxnJg_s)Q(34B83S=}!Fw1l>n?%EEq!vvKJ&iP1 z2afU<P!_rfxPvJJVnA*BvLLE~5Iqn*;q7S{!Fr&OC#|e%CE-y_%%hZ~c0K|9pu|I~ z$PDp<09VpCTpK_E3JsFSMjE_h1VguE21--MH;}E0K*W%Snv|pTV@D|)3Zp3P6s7wX zWmiw4{*14aFO*?Iz8u_s&JXq;>=oe6lZ&lrfmTSlFjwpN<pQ%2Q*b3HPLNz&rGRXy zb(8`lksfv|D}$v0(>o$aD-3n}Oo4)I!Hld@A~<-Y>@ie^ND+dveN{|{ss8@WeI;nM z$0ef?E{<U&S34H9I?Jj*7<!*`-Tvvs{(pxqm{|>m<Xc0bV?5djGngGH+m<S<eMMWl z0__)&RSLAf0W|s>1QQTU=cb|xf<$03CFfL2pb3Q<#W4j4pQvFRrF1IGiW+e(l0#8h z0~#HI^+AY#h~>XWQEkAf9z}uOD@O6Z0Z9sn+8EH6TsPoH1DD8BC=AxF$0!?IEN1*3 z4GjYDoesrt-F?0E=#x0?tx$sp{eFv~fr0c3h_)025L*c2Y??^=I=a80vEu<YI)j9= z>LjQ%09I;O6EyoV$WcfUwV{oMal$iz@lP;|O|26LCB;Gr#-+sHM0CS}_XVvD#-&7U 
zTwq9~B1lXQrelNbZp4r|NE}uWun2sXVbXsL-7r`NE;Fvft6Bq-o|z0f!<YxP3mCX; zXb~5qB2u?}gXM_K6ZqY!<pTvQj!i_vI3gaRl1LDoU<)9&i@klo5OzFZOlIYQsu9Yn ziN#dZd=4p9B=t9L=xU;{fK&>wl8i<m`i5Uh#^^hv>rwGrhL4E$&+`eAGGpu5K*0W~ zOFd7+{?{WPi0q0HaeX=tCbR~RP(?!2{0|C7>aT|eE5W+8{(vOC8>R&Hk|(Z1kiWuF zR$%4JWu_Q{OJZCh!j)mL7!h+NI40+U2Dum+jo@4|8diX5h`CPJ01$;yT~c~8#G*)A zpAls!2%M<MXhcD3t*URbCs@EK=(xR78W}Bwc}$a9Z<+uSW580PP5Qc}{*d|f#lOpV zkW%U+gllsNG?fbiDD=I;u#EmciK_?_ypP5RQui7Z0&nURkjLut4PpskB02PR<T<#y z^Xz%{d`D+UE_R`(N1Y}GzK!pRH*GnOsviye2FHWtMg1<atZIYSVIcSeguW#(x(`&< zI?x#H&fI`&$OV-8K`{l417{;sfZ1<B*{3iGf$19(Vi@@&qpk%}cf=V%F}R49Mv5n{ zC37q-vLQ4aI?g7Kjila2(!hB{v;dmQ1mGa%I%^_Y`+~l#)(e9OOpcJzs6xtPH$>AP z=<GMgx)zRgajrvr+UWbCHX&O|rGYIiIu9WM5r~37DS{h@TI}lJM-74o!zV$o3<IGR z1B4*3QK=ye>!QvWsI?~LI@7OiSpoQ3Yx<HHgv1~s70E<}>o6Si0yunhPqhtdtsfi` zYX!&Px^WP)z{L9PK(rH-(n?Ys79sSF)qlz{LJ^Bn%LHGE(f{FFX`!N+f{RJG)CZa; z4L%H`+6zK(6caPImkS^#+8^leH8`lA!eGh7u(Dy-2QCvpHa5WBh^rBtc~D|Fsr?g2 zBxsDbkV>L|pp=@|2<-!^5Z8LpIZXrrIE;&;BVm%nb<Ke{5|ol<?K@F4LRqEYfs_%3 zi-%gP6WVQ6yO+#c0qqwE!U#$a8WtyGl~j+Ze*{`zfo~9Sb&0f30%!!LKy(CfadvWK z)s8d+rw1lRf-sz9ylYzf&>w@vLtq)K5Ft1nYSfl9M1lChpsS8an92lKfsho#pbDw> z9p8$A$ffY15Y|UqwHOK*?1Sh%dJwFLrB)9p!{!EQc#L~p4#xtmz<AbpkT=yw5X%9k zqBcm#)3#-p$p^*78$@pFQpAu5l=z?upv7enrl92Jzep4<WMJ}eg$x3E>c|Yx@(p4* zhQbxnBTMI={XzeKz?Uu(Aq2rSa2z$@Qy0lFm6*%yqr|DTDx!g9GQJg#5G0O@NG=0L zg5jV~+AeAR$qjcc1oR;oR!9*h=FSECAi@7A(}Rf-!#D}i%MUs@A%oS3En!C~JL(^5 z(!f+Con*~03#NdGXgQN<4Rqd+SctJ7nNTZ$rSpM{>DY`CBM4L|i-mycX%K*7Y<L1p zDWD}NiZ4dgd?H#NMR7}%t8+jU?WzJ{4Kf<I55_W$p#-5q#@jYvEi;q83>D%q9;;hh z^Fa-Q@9f}e2T;`lG(h>=K=p+T|71Wqxw<&paVTK4Oo>3!f)M!FAVh(wq|p#6sWYF^ zfpnP+k%1|cTAM{9uo|VO6qYVxB+yG(ls=5a=yjS>B(6fhUm&6m!H@#cK%`tL(T2LH zZ#W{y)J%8*L<;o7tCQ`z0Tg{shQ5s`5W#}n+}t4jcu^K7m|#8i+h9R;U?yNn?bcyb zA;oY+Oi?4MeiTmEDU^Vsz)TRO#SAn`N5pC)*^m<_h|V*h78*3UASMS2qLZMktRP>B z*1^rGl`utne)}7~8o-oi!mDg9yP+y<HisE~UF=00tORmS^$=A^8CaB|O1sx>K@gc1 zBs<DxVwzE?WHJt<!0I&x;=2$^&~6+8AvusJ8p8-W0;GebZxz9L5M(P=I#Q!FI4p#t 
z%VCD-#RUWn^Yi9VpP*iJ_?3i3lR%D%QcFpCo^60X2J3SG==5rF1LUW~%~J-Wawgtx zK>VQ5p1N!TZ4!YFq7ac_IHF}@U=0fqNQkKvVl8_i%$$r85Yn*b=0F6-0dqFvALHm! z6o3IsCk#@=;RQ1}HW&`^K!Ukm&uYD?pc~p*mTF!Jlk{%+I#>c(q;LVA77&gA(E-}) zB1R<=1lOg1)lJ1CbRr4B1i@r<gYH5DJP4Igx2Dl1C+MZ0)(j-3!v&=}t~T^168h8x zOo2c_qXEryQ4{S1tiy~@32D4+YycW{5)av2Hf1e<c`N`EYq$Dvp<o0Shv6uR1S-Hp zMxav=0pvamZNRvo*i)qx!z2<y;xLIwW9y{+Q?nUKb%@eaAPtiw=n0K5{8Zn+_+wT& zrR#A_27=xM1CBsQz7>rWm!Ppi5rS14O@Yqv48}luPAK@S&8afzKma`v*UE%t(X+Ea zn|UHeI1nt6PzpAd1Cf{vp>1G-LobMM6vI(6Rzy)A(t3etCksYN1A$7x5dTS=tCqdZ zr@??oH)U<|t*HMJhzzjYe;2a0uUuFm=E4dR<!ayjciW++Dv|)L7!Z{!L`aw`L10pa zBmYr@R7={y;VN+ikt>;KDAj%lLp#Qd)^?G3G(ZS=;UP!{3lW*t=&o;uD>1RZVF@KB z9$dc=gN?z=Wy8dTy>&i$gKR(TC!jcW+K_SX`x;L81jDWRSc4ej>bxP^Z`x!%NT?!W zg;<RKJ(ETxfX3R0F&hqKqpNE}b-tknL2!beh4f3D`l2=3Al*=xjtk(?UqCcWOXME| z))1K55Fi2-BO(|lw4P%nCN`j7t#A!^qb*;LjIo#sXL8>Zx|B5oO6tGY`4rSp`X5t( zT0QEUf*`{axp1;}JIs+<G}XZ(6LN5Lat5lK!C5~Nfrfed4KCd2X$59dEt$+GdMVGW zCuz-DXI)!++1`L64WYDt9X$$Wf`8TMziRX!QlkxOsi{mJ>NoTvouXP#Ez+<5Kr4Pz zThYSs-_d-Au>Mti|Doao8tFgKd)nMz;7%biW=U4dTMCAYNpd3Uu84KpQEIR38d_Fs zLq~{iyS{FtKApY>HsQ1WRN}e_lPgsqdz*2%fn3g7#{twn3_!cL-_gZ2fH~b!siGe3 z<#d{aSX|4iNn&)=4y=TgGAtGm>rWe?+M*;1Q`8k{7UNcA*oHBCXxeJCB&k)^2*YA} zz&t2WA&Z5471Xi}90MnjpwucIqW#@W%Ax|()c3V8E^pmJj)5)5#E1-ZN2!#>^5}eT z#yJ40aDX3`5-);|^MKrR45!wBG&CkS3lyF~jvmuhW^JYyQ@mCHfIxr0N)Yf6Q4FH9 z-Y^A&1;rs8!?FN21x^WUM+G9H2Sb8ma^Qld$wY&(t&1!qMyRE=HX#ou?exxOnGDl- z$I#wgEo%ZOs02b{C>BRSB0tz{Kxn4|3VGmFQb-M4Dsk})$r!o>VIar@lMsv}x}6J# z18hU+cQWW#$DoQFCPmR&uO_vc#Zj1cEMN+R0Sl-N_8VfDm>vcWa5>-z%p9@jHH2}L z4N;MF>=2bB1P9U}Oxijq!-VeW0YfRCBr&EJ43TL>bjX4ok<77qAhkn7`#Q8K@QeqX z!bnFmuxo+(n`)FmY5_Cck@+1OK}0lgeZn#VAgmoB83;lkVxGZ7;9YAH`1V-pbTyzj zGd1gVG>(CsGaMuqh-;Pgj!{z5sNFV1SKvZ%laN>esK<dYC1o5?wu7&NLwk}aovsBp zJ|4_;-$YI8qR?wfI<bj%c+#e$3{@ivO3o<O!4X)Df+r=836URiOZ;f6xwav$t`RQX z2;a(}GI(Rh(iRS)o*Q!QQ8p9`%e)X79BUYI1T%+W7}9}yM{zBtB6TlaSP&$EQJD%y zMn&TY5sk^j0>~A3jQ|rHymer)bQu3RbX@)(Z0ME6DF2Z9VO5ghJ?+#$6=IZqgPHuG 
ztif!p-GEHTUTp}v6;v4w5@`|O5)>f>gu`@=XqeVYw5;0z=Nnxv1VHcvRSCUA7Br|$ z)}v}Ni2y)$b-{fA62VDSLZ1Q3f@(c#Ge&98008N!{|s^~7(<DwHI#Y$W_dp(wr(9i zB(~vdgTK`h@EU7R9&KRq(I+5*QQ?P#`0F&JFji|+Fivtg1RHi3fdAnPe5xrfWrSm5 zg3djo`{X%T*Ckzls5gdrl5nl=1tV&0%Ar3>kYFE!Ob?{CW|1Q#j*19M9bq`NcDAx& zG4C4QMPhKs5^Y}^1k4+Xiq~EYF~=w=aj@P%R6rjQA{?fw*--3e(_j%Mk)W@GyBl4g ze(aUOBLGvNjDBwbeaIkeU28q2-Khdpu>g|OQ1nYF5DQjQ)`F8gv)>V-@g7C11xiUU z6QC!Z_!*?@L9mLRTZM==Lh&ER8R%+16lnNnN~s9L5scvLDb3YRTvl}Ms&=U9%?@A$ zS%xD+_3O_Q+JMY9x=pI1fN?-sOcPZEsqHHP;VKzrDJbcV!D3iR(xOIUbdnZGqtWdL z4S**h5J53EWy)X*g2Z8zF?awdtzF9Gei~%DX&Ferx0EU`&^}RfJS;;fHuO<R5rYjQ z{;*VE2u$p_08&aL4K{>C%3x_61K)!k7pLEn&2C@|H5=kV@$p<n4B7DzA98ZFw}%FR zZ9=++B$TP(AUAv^)7dcwt4#t?BRFtfP!=UhZw}IZuP2?ldbJKlGThxlG2@T*p|0f* z)0^dmu~dDE4n1i;j*n+krK2$wZcEtl>fo<EKHC78Av%8+Fg>o!68kT1^49j4tJ9mh z?cVl0_c~`xxVzWeH(lqb2I$}2({*=GdjUmhm}SJ|(=%f6ebuJHF%?265SebIBDEuB zMS)aExe7$16)~<Fg}JbH^BXwi9r#B;g8};4kV0E2jTGzldeE;RXtD|cCk2Lh`+Iwi zg2X&A44gjD;1ED|4&*sF#2X6p@g6||5WyrY!=$`un9u=>)a`h()m7&}HlBeaMtFOU zvay3k)v0WNNF;$yF{ow-dHaWWL-vsO2rmi)>T9GhmP80>XmDV_H-JE3pBWDJo&($! 
z7)h~?t&LXD?QJ-a?!ke2&=S|ij;*7Gyf(cId|?J}sGo`e{x-J%;33}r>^dK7DId0> z>8Zt+U8@0oAHUViu)(3jyuaT}2s))+GZYB`T(;Ky`pzaAuup}VdKd$%Ax&Xr1rZ4H zry18Es?OE#(rM8D3Dw#s!@SbEB!h-UdWQ!E29NR%j`Z>k89c<_JJQR0=-^QQQIP@O zqk?@sL$qYl?&hH^Gd8OZRIpBE5)B&Ip#5J^G4;1-L*Lod-hdHOcW?H80jIyXG^Q=X zzr3P{pn7ZT`penxENB~E(l)%P{noPf8w*<qs=v_we}dcp`h2o~e}C`qKRN%8zQ%<& zk-!w+ZQ~Ele|2`PcmA^r_0PZO|NR5MI2Hu4d(tDx7C>w!SVWB}ml<CSm-6X9t=Jr@ zI2o%%sIv5luJk)4POW@N6d~9GC=RF-cKsdRx^D(h2yiqOfI`1VNg4Ps7;NNM5eTmT zD8X<!+dw16bLuvw-AD4Ln$lJJ<A(I%xrSOWAPHT(K3Twf%Gj#)=G$1-!L)t~Ed{Dp zVFTQ2y~h!S7{NgkGE{6pRvIPnE&x@q1&~8SU*H%vumKwQ7OFr=3a<W`ZwQKK8UCxK zpU(I7Bh=INT6exku&%nUkbwb875z?dw87E+!=cjE{>E_CLHc{Jz&AQ@TJQb$8Q^>4 z`p08io0tIr0dQsuLXh<f)?x(vZ+!;b;Arpc{*3}!mIyFl2}sWfy3!)0>VHTJ&!Eu% z5+UrrRX|G!c^x{i8v6TNLZkE5{D{~z#N7s>r1$%HAta2-h(A_Wj4App5fEaS41pEj zP+3e!#-QPEsw+JmI0m}X@F1FRp@1q#L|Rv+=}@3EWpprpNLxmuVlkqqFTcR}VKYml zI?Swu$!MxQg8}1fY4<0_yWS3r|75E9D`WR9n$#Ura6q3vrK&cNx{CR~a`@yQ%`aM) z?>|g1y+ZkBT<8awzIKmT)c@oE<`vjqvj4RnEP_8GaFlllkBlL|*T(nle+PRPr@HsQ zxj4H0d;jM@^6TB3Io%r)f-N&30Y?)}UxSG-_dTKnBt)1qyy?uX-o05Y!*dZ}g+31k z5kqPert_A*7382kG64?yh)YO<$z+&@YQ$><?ee7)Xf!ApjVkC!6_aiUcKJX*7(n60 z#p%L&JYA{?^?^`}cnm}yeY6C<2Zj$e!5HLAvEt&m5GsLqqv>_8fp*t!jf3Lj{{&9J z-Sy`YW0It5<Ao?d<60bHg&49`U?gOVOx7V>e<7wvj%{ZL*<yGDW$T_g2HDbwx!3NQ zia@+;9caadcy@LGrBN6pW%eKIjs}omxIx<xu2L|gNvlaHC@^Hyuwd_y$iZF#z9S-o z28V=%1qOS0^t7F%5+Wi}20${$VsW|p45x2V^P59L=)xroBXTi_TJ}<NxCc9qCx%Jb zfEv2PSaj!u#j~NQVC%iBGsNYJ5fLUv>}rk4Hwo}9oV3R&&=`G>JpZ2v^IdvSL||A} z7jf1_25?nf;n(I>)4kSqjVkwpqQ&G8a=Ex1;&Mqc7UH7R6GG{E(!*v1qDF9=AEOYL z4$ghEY4BA`Brc**d$5Cs=|`sCV6h=XDb-3`t*kw*Lb0QzxZyIjvM=oz-NWV5vFjg> zj?<L#0D%ce&$bYk%M1d<<w8ngvJB#K!3jD)7_sJt0*ZcH_fTcTP#vXO{~$PqN55MD zpe>`zY6}>4Mfn3W5T!f+mO-IUrVc?BBBV}!GD>K@`}LBA>7?MlGKAU<uCO)_RWEfQ z;k4H2Q1t9lS6h8kQ0ZJ&6-j6l=@|&M&UvXP#e_gNFX>X;*xIu=*g86D(?-B~6!G!3 z6yAtHFYid-pgL*}Y|Z&W8Lq9oP!f?7W9`TD2ofe$1P>OAamr=^@0f>pwp~3Gf&zm_ z)j{H~G*2iI5nw&go^~@qJX^Pm_XkJbPHSzTl7^>ctx~3n+d)u#yn$k3H>{Z$Mlh84 
zo(%aRE*FrZr;Zl?kEERDG4Q<>qZyug@?B=r9e*o_V<8frgg`JPK{SvYRj9OAyVpBJ z#WzTs{H?v4hNoM|g@GJ&kWUJ@3`n*BvZ*ywt3^M^L7E@r37cAi6XG2_+SjuI+4<py ze^lLb^`+wCsL2Nh3w>KuAx2^#t)LmE8}d+QKZd;>7+oIqA7(V!@mlfwVebB`%&jMp zmcM^sx$^&??{&GOf1qKtOhI*yE5UFLjEjGaGYGYa|AXA|#}pO(0MUE>BMjl-=*F|> z+4CI!9}V)4n=o~jf(;N!4a-n5Od>QkR84NZ;`A;oo(9Ghs6tBcaQc*lQLt3cO|((0 ztJ_mc{LwUg6jONPIEE9Dz@r{uwXO`oQ`e=6ZWswRWGhBRB*Z3|HD!aNZoq4HR0|-J zg$?zz`*z0=fEiDvl;W@$(KpCL<Vy1Y*n9W)wryombpN{aSKugJCw6MR{7iIq*1n4E zrv8@gcw0`o)=7IUh=e566u}at9X0O#+wX?~K!Q(Evi!)7`F(9<5|6=PFc=KxF^jsr zP7S4w)*LE$M$uSv`hRTIPNnCL`oGHwaXjMlX5ba40-Tfouia^<^?$pa-S)Ho?;)PA zUt6!xHJx_B8E-@#BKC;4Q-Kz1Lb~Wx>#x6RqEzkhi>JbKN%fr4-vfCxYpPsB+2<$L zsa&ItxBvt~k_Ps$v&2U#BheMQMS&l>7TVo{pLE)Xpogg5h#M0;Pc8P=t6Ch`T=gNd zZT%5qhmI(*5%xTpiJ<lik*!1dK=dI7!qJdeIOGI;{?I=o(>A4%q{Oi~7}<l9t;}8s zr>nK03`wZ8mk{#ZBi4F3W?~Me2W0Fg>C9hInZg2<FedgI{l^b5tnS<DlVZRbi5#+( zgsc$5ns~b~fSym?V1(*_=Z(LMEi2KQ>~|3|DgON}QjZMQkwZkwPwNj+7CNK$+Wc8q zpHH=OH0T909s^XD!>!+ih|Knur5i~s=OhSyslCLW=QGczKnzi~Z0T4o)jl%E&KxG0 z)FwskBv=C{(`(}Iv#BSjsQ!<)o#u9<y@CF-)7)#c>!`VpJq(GlDd9~)fU1?|dm3oK zM0<6WM4P$1b=?_~0C(z%^F*qr|99aI;&`CVtJh!}e671EM5<bW^42MeE3DF=BFqsa zb5UzWmI8fQIcA|?y^y7tOGEzF<G2Mc8FA>T|5!)$%Zj8|L?`mXIh)=UJSoctp!Ceq z8ug8Yv|^nm1oNi;YL?gjH$^q{_qa}g$Jv77<t+-BN@p2y&Yy`hMVrk|2l3DY^_E;1 zQDh#OqC$EU1q^;l>-#935p^N|fr`F|xWzoOQ5%K<QjNa>TG(uM+Q?>vyDtOX8KS`k z;tbso@MVLLwo}iM3FU#k(oqBG+F@gAHETVGGwpi+G63gaj5u}24v@ZP;tu|Erkx6v zn-pZTbCuP3JZA=LQwfTr`@o!!&190|zhZNcBzd;}&bvUNWwq0j3lrBcx{o+vc_&Gt zn%}CqhRq)C)OsbBYbM)KYeXhMin0WittI`_P#NTGPzu#K^>Xe-jgc=^KY_<weL`-P zbe~mwFzfo*wR?^?!KdLAb=u2KLM5~>jqPQzya0A9V)a3=nMi_G1+%6swIG&_s*9mH zuVN9N^We+HbYa1J!?nI{FU4<sC%+)&8p^_jC^xECIQA07WGNb|&|D>)m{YYNevGP+ zA9qoDgGzHTlLm0f-Ng^)>?NjLSvqW`frlgnm4<9qm^)mp-}e%w7Z|E`bdD0jl?^-c zA6;}s7+UXzRzy^9J}*xcEnY9#7ONcelmH(~?J`SqWY?-pSiRVAw-k@rK<iZn{eqec ziT=fH%smVgRee4lJRc7p{dkan($?146;Ir%_}m2<smSV4#EW=B5{)dhHq$i=S7g*Z zT*m}OeLpYE=Y{!r3-f*223B6`mMiT{E7VG2Ml!7~${ki6tp%P_y%BYjn<sLlO6H?6 
z)!&@f3)`4`_g$Si`XP+sCJG4&i^xqSB`%+u9FuQjh74Qsx%jPsOn`Xd@nLNVEuDV! zVB=gS<qBgclQT9~X637B1;5NV^jb*<D2|gA%Il|6;1h`?PjXjJezM8j`;r6!7u3rm z<dmj8QFApUtx=Vq19Ksqnb|Vu;Vw6`=6uxUSF3<IUGY9pm{~Qlk16(y6{8d8lqW+i zm8L`sWw>QNT5JA99m1RM9X3RDnI<$v)%ErKQgLe8`g+b;FPVTf`kqO`I*-biU(70Q z3;k2}qw{_)LZQiwo%xiRpVf0dX%^J0K%1gwLk(xOi@E@1YJ*r1UujNW4HG%LbS|j+ zXtBt2sygOG8feu{tV>|D=qPj`v-2In@h1{O)eynBbN&sa5jwB_sAmY+hgWfkfQIhr z7*TSBFc2w9rr&jIO2IuQRjS8f$-aJ-)}UWwV^C9cH6$~6EHt7D791S&N)%~-yv0YA zTXF7ql5G?Nym(s`hc+MM=~LD-_8$xTxhy*s98UWy&AIb1L$vM78j=q-(5+tXxg0xI zm^YQT9{EBn<c%*W7tPL;!Fj>SB6116MSp}W(AMX5dni7<EvRU8D$UR%&qIyxz==|O zCf+53W`n^$cf`x0t^$YelgL<~bLWc8=9K*>naSeu+|^NIV%p$WGJO9UThFfot#`tb zn3H?NRQ;>r6|f|x;zg2h8PP#`>&1pafZxxkF+wfo1vx1%Tfx+8H6yu=*yuNOd#kGC z6i*hdc2F@Tnq=zOQdN?X|MD9aTuQ`^MycA;9DhcmD0mk60}R+os;wvLrIl3Kth>L~ zf34RueZ>p4YCAb<)Y8#tswq{Xniq$0IJe@4OOaL7LKb7o;jJ8di{fy>@tWu?L~)r$ zc~Ml~8OaY%mX*g<intQa=i0>QF(XPQ42iPfe}o{-wW7Vma{$~rT0@bCllU_l1r8?7 zfHi{&k*|{eOn?1V%3<T?Q<EReJaWXNFm9-+gUTl`14nTArKx&F=|!AVWlhz&MFIOa zo;vIKwX=fZA{N|6cHub}7DmBp*4zKtX?C_3GOCWK64kNiY0K@+GPC!nWEG=!0UC7( zWNOncfQY)V`Kbf)lyE_5GBc+o3XU+HV}PA@JdAEJRb${O2>x}sU$6)HIpTM@LUyu~ zrek9-q24=z%rFV1$=!SLxVPdK1BVy4cte8;3j^b2J&R3I@OMUCRR7hj8$}yNn4qX^ zTKn{?`>A*Q@vx6R^^T7YdKX6@PP@Ola22Sl+`^1kpeE%bsZy<QAx@n|<3<g1G(uvQ znxXF?s%-m%34vfw$Y$=#KuJauqVlLEa=(hY3y@tgMHnm86#M};E%~n*ft99SFiVyS zeP?~W__NF^wJyUV#Q=7r;cp<L9B{6Gvk+O3Sp*#OhAfz%fi6A(I0r_Z0a7X8I9Mgo zsftFRVtc9lObDaUrGJD3-N?}UaghDvgWj2}a>5|#-iV1N=jB~eNnm8|C4dJKFWs3g z&iZFYkQ8+OuD5U8Na)uAV~Y>~EY^a__PD36{gN?W{2{i~hs^B7bvBSu4zO4NG0hB( zx`_EU@n!z}K17wcVg6OgWRxZ7m7YeBnKugkuim{7lf-=bCw0g29VNWFO-;!j=`mY( zR^sWDE>nGzY%jY><~TW(Zj}mC*|JO0^2Ko<HDqp1@zV_Z!&#JW=2KelwFpteeo;Ww zrs^U=)mcqj6yYdE<3<x3sIVH)YR)i$lfy7oI^0YP2y=8p97m?ig}hT{#yjvx=8&)x z`T*q}9Zv$&$g;VBVHgf3Q35OCOONMr;U!Yp=*E2=jJlqe5>JdiDsdB`#MLONXOu{h z3h6f5g^N@yqBw8;omX)-OONzQW&5i%T2MNb57^8excH!rM1%J??)}~(liW*Ab9I<X zw1SI)dwyII)br!q3t#{s&Qy5Uq2#obx5yqlgu(N3hv$y*KO%dP<_u4ZB7n@v|FPNL 
zP3QmE-QL}Mj{orxj}iLtNf_azLM-N+;((MAi;rD&-Kkws*Y3tP7_})0u#E%Ut)cj~ zuu@FLgjtiB5%OzJJR$kD$ph@#SjL~aMJ{!1;s$72>Y=`-jqg&4?qw;Q$b4TA!fCD^ zFWb1G$3yG+z$q1(M3+{<Rw4!13aXWD_LOZAx<v|v&9sHWJh}mhQ!RJZ<*U3){^5$u zHgxVv!$2O8RjGN1GbWlrw}`v=idfQP>8+U)Gw;ed-jC-mkP^I^<rczO)}T$ID{fGt zs;oxT&30yF`qyJ~tmkKy&mH&wlyPb!S00$N|97@FQ}MsHIy;-s`~QPHhSs1+01$K9 zv|F!=H}^xswmG$d=bAmQ-{bb3Z!Z0v?&DyxJ$FhKe=pr^qFq2XSxN#DAg1C!RoJAP ztJ!&<H>ky*JM#aenRY(=pUeMub~+jU-`RcU{}1t0;Q!LIwL#p#pFv`#hBT802J)3p zHuxWo_^&zs^Dkq2NZ8V+c7=S8gL^&JnXU@o)oxI>50p-=oKn~whSbIW>>%1#6dU(& zFxfyq$i(O|AOHFl(tybC=&!$Ej(*VHlR$mAMZ?`~;#!9NWdTQ@zoAv3(Z3ej=o-nL zE<v%X9cgs}v{BN`)83Wt$p3Zv|582R9RA<l+uly`|8{5lIsWg1JUO?9+N3{i^sL`o zArIK}M0q`}l4ToSQHqs(KWtiKNMcvJfWdN-2vf|abTaZeY1#a*X#MkRtM~?BuKd^8 zPV4{ocDJ9`|3f^f<&j?dMXS3n15Pb3j;W4Tvc%2BTY1H!$64l){c8Sl)`7f?A*Gw+ z9<jtQgPEsXpbFa1$v#jb>zI)iFt<W7ZO(dOVKbl0(V61biFc*I<yB9h2^=!IfG_Rt zH3<UGARO_CQeE_>^LkIc2(UjU!5O?xmFL7Ef}_nLwJ8p)$ua!Sr8b0o=8!Iu(Wt)x z5wG;QBmYmvw=UQL=H35pZM9SUe{Xy1IsfZ}JSk?GoAyr7wq*N>EOv>Vp@{7lM>Pit zZ`u9hyAlmG$M=}sH+UFA2CM33x3r3EZCCcEQgX?5UZ9@iup30(Aq!pG$T`auM>g1V z{GxdF3_rw#qff<jigCS>&!)+4Q#jF21~;Z}&jQI6yQmK76>CY~pyD<2#dD}dgD7DZ z*YG7>jG{DKG5A?2zjD)&2BNc>>?S38EQ_>d2&=Q5^;VNxCuH=m<pQWF&-2-o1QQZ+ z#4R6tWDenh2=I;X#gFmaasSU+buX^}>Fn&L_5bay&Cc`w{}4}#ml<vlsiR-gv9QdR zzZuI5XM)klf=Xt1-tZUM@O^qs9Wo|%7mcvP1<#Zg^wG)arKR<3FZCN4`7Zi1@=pz< zpTWL^=`{KZ-bx45kBj^4cVY#^7H=ku2TJCPArLQ*&i0cp&W;Y^7k=pW_(x9E?&61n z>AyS)d2lYioHF;EF@TVhW9o)q66K&w&z-^d&{Hn)*m>`>(Bt_{O7P)YBHA1pXiD8K z>eS-h?MoN!?(A&s)DRkRXm3@``2^b^TxTW*2G<ia9+0U<$<y7K?#ln8ZCaqP-~c#} z|8H++&VRe@=lkCWd6v-s$8&xz=Da{vIAtykm`~kt(_%hhz!6)K0`V--$nx7l=Ay0u zO4rC=TQj8Z+#o`$+H0x+hHaaQ{Q)~thK_3+*NbKP#BXa;tBMxEP88^4gYP%yP=}<9 zAL4@tv?I%V4qDSVT}M9{z`p+Gu5DNL+>!r_^IVzh2R!rmf2XsT;{Q9_yF1VP{~?|f z_b}X;V=4ZeIV8c`p_KL}mPuBk6o1bWeiddY*-{qZ<oQeRJM2*<_@d8-KXd&zDWVe2 zLf<0rHGM3jL>Idz{t$|UoTO@kGAWjEE6>&U$u9rLJuBe<L+aW>%v<{Ye{*v;E&sQl z^*;~uROSEg<Rm|D1FPKzm_yFVNDS53Y8OVB-Xlt;q{c(YgaBx5poA4i&$3wP1~q*x 
z0X;{#pXY?2MzM(iPc+vwbKj-TTW0>~=v4N+jXc70NB%E$jlBE_FpvN5ZKwJF?q>Vh z{_8=WuO(rNlW9<z#pe04$TQ2Y!t$lr)&~#&5t7L0Ge-*-!;{J8tKy9PkyAFx0~(E| zzP_Gzn{Mcz4V{rGeZ7;(!DwWbZRQ&8XRNp4&gS+}sp*1@vWE6C(W_BrJ_PwGbSn*1 zub;xeafz2gRKC<btfyfXMUuc4SDp`BwGb_L=KrweW3}ZkrT=g5ZttY!|DEk;{r`hJ zrfFz_92bQKOSo|52zzB4L_*LsH;TJ+{sp(1Z)Kx+7;$(t>t9{=EVuqQH}^W3^}qML z{vYI7;{H#~`H7nI<?jFbiAM58$9X5uyyaW~Wcl^qLUmVsPgr#X`S*lXoCykBD1hag zyIG9vWr%Bo^JjEf=;iqVRL41W1L9ws=BN5i6}rjR&KP4>149}>UeGCFVGvhNysiRJ zK|2Yka?DaA!_e$iLB1j<>1we`Gv#L$(W;-j?*DPn`vzF`=Ba|p_y4WE&CYJd{&Vly z|KmZPYDeoTo*qT{4-9kAzADnsRTkAN+T{bC)mO0jW^7TQWmORs`S_<Jqb=!w_(<M| z1!Kl};8ij}(tEGkYfcw&0-X?SJA`wvp9I3=iG9qZMu78NmAc<uCeKwt4@dQ75O3nv zq}mZwJWj&PVqpS)ZTeQ2pcYK9$L!;By3R9#%5Nygmo~KsDs=!djG~?#VTfB3Vuud# zPmOydA@vxqCDSOXQO^oEMXN5G-_!tnw@_e{C~=uhvQ9qc+dSW%oVrO=Rg)Rj`W=m^ zOM{s)AL>nU*HNA2yA7B_{4^yPFN-@jYcA7&K>R6np@H{4w#XUrDL5N2*EV4(E0*9j z6&sw37iEC6FIjR@KMnMoED(D#X@hhVsB~+p%p&0Asq#!{%<reGz5JaErI8X<QU&=E z`1r`B!M;pzMSPxAtrun>faq0uDY+5}T%z74Q|SzmQF6pztjUzwk@8dDqR2y_31EtS zJqc*@GC-`Ogb$$HvLGrJ)NP3U%<$F&j##{>736A7Y;jRDg0V{fp9FQ6<$IOIlb0L% z$;hnA1}<63FpbO6k;Ih@hsF86lSrqEO}a-mP-{rt7N4ZvHmonHH@6vI)WRfrnZ=r_ zL;gT(C}4d^t%lZ0(3)l=k$(<aUq^Ku2CSa##hS1i7Y(S58sVS||Gr1J$O;2Ubc*Vz zG1?rM^JxMPDgV!8{I4AF^K%)>E=%}d4ESGvbu017W#LOtyLhHoHuY7u)p>2U#BxGq zx9d<k5q%lr9<5gd8e(`B!wPE}?X}zA0<a_M+EtoCjj33wUNAu&)R^Kg`nTatzA*R= zQL7;@&1E>$uST9-<71P%*y9rx)Dy2A#)BV6EOhNUx<$V}%34L}3--rcEuhBv++|yN zNoHDJ>FTVy@=8CXHr<7H%c8~8I7fSXd#GiT>lU9(7X&G12hQopLy$IECSZA0m|9tW zf5dH|0!b|neAy<jYD!xIx?;AvE7@wUV3f|<U8UvwpUJ{gN6}1_R51N}%f-2}X`3f! 
z$<|H;<IcpQSWsfp!fr~!6;HIgbe9kmcsMMrs=lWy77$nZ<d$J$MWf2{CSz2&+^ZS{ zC7et5?c<w<nXat_j)=|WHe^^qRcx<pIhPN%nrb8OD5_LvURs%vS2nHqx)U&-PZ=yE zoq{?ppZSzjAk3?t>EFs6Z0CDj<|;VR{6l2LBcrL~%bXBnHD3<)9`<Oss4568$7k=t zRf&6@KDo-NeRp(m+B-SAJUD#!@qKF9!3BhxMc>8#Ooc>3b%<_IPfd<ZhT%B><R15T z_Mw0A{`|22-^Z7qJ{*5MIlMeLI?wO7UV$^$=XG-S;r!zA^yA69!;)U+gs!TWamz}3 zMg-XVgWg525Y1V;-UA%q1L_xHwSb|g@o;&5cy@fW4_TcrPd*$R7N8=!VXN5G$9@r3 zD;V5{%4Aup+zW?ipgQD4+d}_Dow+2I0QIcb@Bi}Q{NVDZqvN9C7ws*|*`YPZ%s5LX zd4g^wDDwdPDG>opKN7Zol9_TRN<ZZcT-H9#W8wO_BD3y11M8(|a{u^a|KjlcvUhfN zdD=TEn3RHBLF`4pllxjhXD2=A>*o*sixMWc$QD=J$y}CGXmc+aPWfUm@{w0}1W2fz zOB@XHzzR7z{6cv^-Er&^vcBS_8vj`BI?Z@IEV)QC@IB!bni+G|Gr;_#!NSwJ;@Q08 zBz^;PcL$F8-^Z7Sr@eQ_hnE+}{rRHYjPN?DyR4pj@T;~XS2!vf&|Mt&FVD^oe>yzB z>>r+gIy}GJKRWyQ@O)`tJ)ew--zWYx@%O1W5$CV!@}~f2|M2{xggECYdn#-Ss-J%z z{(Jdu@^wl%Q;|wST@eMnB_Zn-prE>z!OS#W5!mzNC80e(UJTUC>r?<z6Ue~w8gX}N z)uBFEpDh+CHwR}9y(TW<{LE*=0{u{;ND^A|CAPVVfy=qoM1?n-NZoE`UY6Y<**L&M z4Clp+*dQAekRfk;Nx4t3JwuI;MKV(Up#jv<_E3CyTTsyeLf&0v?hi~}R=TJV=Z<(; z)K!8xh{9K7Hm7W~!eh#-qs9bvHuswCX1m!@w~y5+#~|c_`<)e_{Z3dEb9RrItedxa zE5c-!Q>Z+62gJd%JnN$5ip?pVZqO?<R7y7G<(nzVCy=K8^IJ(4OgF<r%Oad#Onky8 z%&|)vN*7HxHNw;heNv^VbkW5XaDtlY96p&W^Kgu^ff^*Ad*-T3Od$6q2&rJ(yNi-! z3OjeA$y8g*5@o8HJ5Xh+r8|*js;wpHvg|HvnRC^=gF>a75`C^(LS}pXyQy#S)~{q( zE6KbZea_9fT!EHSsgp}4F7M)vxg!nm0ux#=@>Guh`g(<&`dREGbK6JXvuW>R-wM-2 zXaUqMi?JmSOmj&79&c0QNY`By_#s(_d&GC9pA5#BS1Z?aJX^E)o-S+rpN4}|n^;(1 z?k?$*lWMBSAt%oRA{Eg+2VW(dLbVM+a{A=P6YHdw&|Brq^Eb4d%kh_4$x(p)Bm&D- zepbfT@J{%<uZ>`#O<*ZRm>?{Jka=vcf+b1?^7qLfA@zxk>OJ*It81t`Mi<9@WVVec zk89jahzlhsM+&}r=ESRO%8QdZGf*%LovERVzE(k8C0VUNPK&xq;A~248cw_DgiM(~ zOQMthNsj5123^#7Pb<>78BHcfo=eA@k(MlZ<?;rU6#ACMU3$Oa>B93iC|=~Um*_n7 zY#fk&;NyUdXA<j~^p43wMs~+o>qh=S^>ZS_w$;ljMmY1C<4||}5sGw?8#+!6<?fn^ z*kn1<_uP4sU0%mING`M&xsKM5_NqkL$;>z<njK}FSml#)&y5>WS<J7<Yy<rOJGzm? 
zJT3?&qBQ2RTp91myfB>{5yEg3Jz;iw%a`Ef4lJ&c1WpEF$h+&vA@11fDWU)PBP2Y1 zEad_7wdGds8HfH!@_WsdpHy>Tepb(9Tlo4M)Zy`-)y02UHvaR@-p=M$I{s6q{T%<{ zL7oSR>`<8R9a8AtS2WOMni1KRvs{jqZ#u$*8u}9o@z8ndGS9=rmQWd_zlq=y5v;jV zm?E)6kcq62oZmyP{8Z5T+{hD)_xFuQpisD}5P~A_ypmVD`Xpt+C<#MR(!CLgV)?G; zhN36|AQ_Be2^gNEQB(xy5u;Je2h%W)RfO>zkK#EV#dAE0=Xew=^h17*NAdK5eU3-* z9FL-O<&}PTjz{qvk7E8l@Enige@;A#Z{9TR+c5h3UIS8;97dB>mQgmBG+t`PbhoiA z9nfNa{R{-p5iOo0TBO$PJx8=yeXxlK37e7L$Re-=U$BQgA$QLi{N>T<(Z#{L%ij6> zVsFmU4i<}WF$d&duya8DszCqJJ1)d#3D~NWI{{9ir7X$k&b$D(zkhyocF~8>8<nCa z6!)+Qgi(lq#h@(nxXyvHsF#XF@B|~VWVm=i2E$^ER*l^vH^}GUEziMQjAvEBTTH!{ z5q2bzr(xz=6Q8*(<oj$or2(q5(Wt&Y4}<-GpYH#B{^9h)$NuI1hm(_|ixMg?$`O(2 zyW*ZLHtPfgYCh-hVP^MkIPJ#}M7b*N7_;d<<KvW1^K*!q=MXc==RQNsWDv3N#&rLi z(Q_P|dyHdKcHdJLJ0gRZgLj2wGr#dW$#tMbIdrdci<N6<a+Nbtdxk1zy{fxg8IIx@ zLB|KZv-zjvY}}nhlIv=#Em37YfC4fVAZYHM2TgMb093VQaY(P$t~iu0aQc^U@Be&Q zVXu~OTN9GMH>Z&oICD?n8i2ysPxVd?yK(KRSUW%b>F8e-@#d2e{jxCTKK@j>2Of@$ z9x8V5uGc@jJUFe^gWwAXr&VEpcXWDCy=m&&*`_rYlycY93uf6`aSHjl%rF7jH?UzO za^T;APWy+w^ZlPMdlwg#nFsc*$t4bg${a-X@zc@qMRgVhy^N?6ROeJ5&yTCM9{Ntf zeo%Qkcn%r&95U`XWZa5F#uZ43pRmvOPcqjTSx(%DeXn!*aLk2`(DbQZaw5t-hqikT zZTB47?m4ubiOJ{CcF&>hvdic>wB2)PyCu!y3L@Ir%(^0egSde|^B8r5hP?WPC^ujE zWP|_Vi2s`7KmRfU-pE3I%cowz<B&GFpNr%|E93#2LVpb|i>AmmVXjsT=n|r90>ErE zm^olJ<birQXmje8!~FdQrCacN;IYFoe)|#O9^JI`f11(mw-AS|3avg|SVhwgcEPZO zg;ke}OQ@P#NnpZsTU8?yra>ZsPp#4bY^sPc#yO_4y3NJ?G!r%Fd1n@k<i1Q<i`vgM zX{~0^DoXvJ5BI41)`(Vj<Ra$V#76;B!RPcmpcxC1ONcE#agSJZG(#9g&8+2Hw!t^U zf@AEkA$FRH17y1VdVO)F2#kqyXUc3CQlza_W2>XOO}Q9QzK*%rU}fP`dM*z-=w0+K z`yW1@?;n;M-FQBAgAuAv7!TgYCvb7he*1SDg`D_r|IU#bs`?2E0r^uL_y5iTg9W~V z>cqajUT8C;^%m<fN^^_Gx`u+b5(<XgIV-bEFmd+r{Ae!9B5Za4Znyr<|0~8(HFU&l zA{zEm>g0-2o;kd;UcdjSHXvzW^5A$PH+svYGD?tAnHf+nkfthc&Ze*THA7dvD%*|R zw(n-gu~J?6BnZ6s>A0u}c~Y=SzXip<sM5%8^z#)m8W$_n73Md&ta>KDwL55O@*BL9 zvL?UD$JZr31|h9d!&lJeT}f$m8oz=TS3*qB$u0iJX;bvnN(JJHIuDd<8S~a+as-)U zbqS={AM-ByTyH4tUGtBS__K!K2=xtAS8BOL&k#Md{@eWFmfTSna+S;t^_$M?y<&zK 
zuZ<;qEwhy?`CMkkT9g&wThQ#}s0W@S>_62A`xV&plS?!4L~fO;-6$<Jt4WX+pUpWJ zO$%KzEjzI}Fg)jdC|**l&HIp5O3zDPkXNHh_JTzBrV1{tHLfh6%oR?ST2iW+B^J{Y z$)S;h;<8K(iEqlS4iYcqLZ7_Vis}ZR;)D%dfS@q_LSY{;W8&p$!cGzWkaOt(N-yPN zTJdtOO3n|n>3R4oPE2ABP^m|s^I1ISvq0Z)5{tX$f4H`y5buQvAj<PUv^(wHb~gXR z=5zjshj`5V57!-?%|S*_ULcc0an%3S<Z_swZ6Ol{{=ri(XtpS`80<Tt5T}mLYGU(K zzq{y^xullRVw76gdy5&=2iPBzK<YR$?U^YJO6H<4f5G-Q$K0Nuxz7stzfZ7Tocw1# z|KHl(+DY;M-Oa7NXa4^XPv$NtH!zVj*HAI_4d&Q=i!6p6!mU`)Q@K!O;e-qumB{(l zNcD0t^GJo}AtOw>U3i&p@R(uy9d@v52}WF@X(w4B-AU?mS$BO9Q_qDsTm@xLQPnaK z5(U%1M0-(%-lM%L(_Q=}-To=FiP&^1H1F!7>DHqUqVfBYN(7@?iA3_PrGuiQ+|^qZ ztOQhf4HZ~5%oCBs@zY%HCcNU1Ua)l6$REjib+bTS9n6#KGtpV9y+WKp{G)lD&0X*r zXw0vbMAcmU7xq_qGUkjkVj9LEV@3k?4Y}4pZ>mtD$HnB{6$!owWtKt2v7#0<|49rb zTkLC5lCY&EY82(z0#5nBnuNQ{f2E=yJoDtgot?D&x3jhREdM>ovxsD;jmhszv`e+W zQrRxm_5%ucB|SfcbeHOW<>Fnc{YRAVo<+N7(e7Ea`$j~&?@O{%*;5~Tv(I^!lK+|$ z;!Nq-Wj?9W#~k^uz0*m{e_MNdJJ0gpLp(3g84d#CyBq}!$vKs_EyIvHHg(6y!`2lZ z6W*-7Ko=9r5f43B?1)c@<Djv_hB8Akb;ldXCk_tiH30)~<2`om+6&~8v9usulhFZ* zE$_eo*Lo9uaGe=qF4PntA&>aTp)P6Gng{*Me!zTEdx7?038GK?ePmOg*P3G*wBY{| z{91GPr{9AA>lc%8OZ-p&$*<j3+|UqPSD}Z%f~@wc$#1;ctL6}2)m}A&saJdT|J7cg zPuQm{<ml+&kk^`?&weLXP-{|~;Fc`sv)`ZM`kwbJwf@f!dj}_n&8c0jkJ9zOxw*5m znOXmxt?lRa{}9g$q(XD||NFRB`yBuA+u9@uJl<`!Zf<T&2T<mZTkD8&gk8jjVjVQ( zl4mY<Vh7VHcJY`@#b(H7JRnoF_Tl{C-AR94E_m!BGW8~yQ;wL6z>1aAA$4dl1F?m< zNK5LxVX>*_P$3aDYqg)4kACiLAkQJ9Cr$|Z98ADC&toy%V;W4tp^&j7(|bkAflo+F z?#Ve;`Hcx)uhm|>Ko`gV=it0n8w>^(b2)QJ?FS@wKIjKw+eWG~(p}2-o9eaMwXRBC z9$?2o)0w~;z@LRcbO{g~xq;8@&=Sb4)qwdz7ih>>zylw99AT6@YdND=|2CABY~0^E zvWe%g8O#=QMU(#whs1YDK)7tO+iG1!ubPytYY7pBTx=4-grLtq6K5JjAjaF|lXbm; zD3b7-wc0y{H;FG~VHXVv3c215pnL3jJZ|kuy@3&}qY?8>pasDg6vswLz=HN=`_$FY z@+LB{IKdnZ32{+CcpzP+Z<v22VK{w%bowuJ<O&q=4KM_4s1a<SkrNU(u%X{GpG`?H zAt4ZQz&z1C;N#st&(4!0@O)-BDQm4aVSdki0tTg=287pY4HTmtb()>cA8QRckWKLi z5_B*A+G@5NLlWRE@%`)*@_cqp#c7)OdUF<I7BGaaO?+o2rii*DAM?NutswM?qA#FE zJ%NC(+69ZKRJ@d^0+fh9HPwRm^dKhVK{s!uEI{rTqAwZ$NzE)bcoU#@LQDi{0#qZ_ 
zS;7;J0b;rd`h13cJSAfOe_MOuMSrX#PGD^zhw^|!Gx1jxOmLuSQ@2WNWQV>)Ck#z? zQ>*<0y?S*)y;rZg=$P^ViBYQ|bG1eWfD+M_T-_gCnumWe0ipiXvWY_i0-sH68^oWB zcvUT~kwvmkrtF$<q$k=$Et`7GC2qjcFbvSyr~Q{4Va}OFaiAAzOdN8`9H?s0NE3!) z3?RRqG9nUd#tIzWh<9zFMugY5>CuTfIAsA5lW-tvXvE5nZ>STu6j2{+SqO7<Lma1x z&J>jrWZ^IXp>Ie=LMpZyOnab~ZbT;%t0U$(>;^i-Lx*sKq#}wOItltxY{DS&7@fg{ zP(PySYpE`()oxMti6F`OmRJ5x&jFEc0%Fmu_$h_;Kw+Y+e(kog*t2N)$9(Pz>uv28 z4OBP}2%K_G#*_#CY*0KO@1Zz40C@o&iCV~4)$TIWtAB3Mz@<*%Q0CV+uu~fBWDxgg ztlK!O3cDu0Pi?}{AgA*Bs>ZwE=<XXkIu%epc62<30_;SU|7T%`Br+Kdl08B)CN@I4 zkoG<bn7|fDw*~^WvmH-hFxA05Vej5)M>`$n(+;+$)Qu2OKtWLx4^Bb%gdL@%K4X56 zZaaY;kn~NQ=-W2&;jz|}3G2OJ$1qY%6VEL=k3RzA$)_FD&e3}$>RBarqHt-F8Swm8 z(>r>!mn-fgxUi7V5q1&wef*f4{4E-M{%wHPY(_YEgJIj2QQ?pmI*tMvwAS({L~P_S zo9jt5v19t{6yrO>jw+5UQC?~qX5z?d#RqM{vLEwV3GK-EdHy^(Q1@u?ou@1cO6*7- zSCg`3aFoD~$2bkx9Q@>92PB@S_}rpFRtK{Hnhfj&cwD7o4t4_kxC^N8xkZDo7rplo z_3y7Gh{wQA9GP-a+5ryd$)J``>bXUOqtPh~&V0g&n-Nat*H2=nbhpwy_Eq%Cqb&1( zVvpv^%Whf*b|B^aeDucHp(7;I)Jt6v;u97+HX0JdNvYc8!Jb<*fb9Cq?plBy!Bsyf zIc{!4x2PY0t~OxE!+t=q<IIp215u78S!|RdFR2ih4XlCg(DR8$q;f8y2VaHYxRM=R z52F%>Ozen?%VFkWo|Rxn`s$w%e@eL!;-bhDdF|e!Lm5z)x-^L6N2yDJi8RQPEg~;& zGP;ex0Y*0U!HQ^x)`S#k!Ck=3g!m+JV{!FboJe$l-~s4=2P5@|TFy2DesaV7t1Pvx zWMyTsQz9SUqN5~QWbH-*6Hi1)T!}PTjGY|$usU`gUr02h!6|jAO@@o%s1!T7@?mxC zJid@9umiV@OD?Ta?BvRa)v@#VLgFnN^qd<!D;40%>gQvpFn0O?-6DvgesloGa=}DX z?0F4r*GAZayE@JV@1!pJ;1Rb!p`!pXABEILp?l@B8+QW<)+A$~)NvTF`s$QGw`kB_ ze#cVSNkwHVZ|@fUjIZV1q9siT;Ye&y>VSzG+*=cDgZA0IM%UPX6ghe&dzP6|x`H&Q zcJ$+e-dSWP@id<mVyE~TBGqGsI|;yCd>ipt&q}00oiVpkGq-Z+AJ31`kc_G8N(&HJ zY9r=PWpkhTZ{1dF!g%nxD~Rj2)(~@IyPyB-GY$fu4#R-__W8d)bBlTKL*@bg?YG~4 zy9=Ypz`82z$b{-uPN7F<;;8Er&IN;Y6(tGm$i)T?HJ1iyh0p4+<K^7W<o5`U25vYV z5?|Xf8E6p;%wn!fELdxg`mB(4AgO&N4Tj_~P>l~XyAcTLKM9J7pVeU}aH`2nF?Ko; zW-gBVh`5$NyB8~*<)0O<EN~5|L_4v5N9$&ow0jg{BJd$85Hf$Njlm91MWG>e?WI9o z;#uL!3P%fL2YXK%IV;_>qCEa{v|l~FC5sV*p9;cbOkJMBk=o{E!%IVWmuKbJk#a{# zgSTKetA;E~YxV;qBW)q&_aA{;a2QO88|bU|2YgnC9U-k9oK{&`=Zpn<tq6J0q!4{F 
z1qz~%&7fC^9qQWEuyb%Kq(2zHW+nlXBF__hR*RiWFKx?|*P}kqCkf>#B5Ebr$q6Y| zb_!KzbfebN-QV-Gk~6xAosiEtY~@%tJ=sT%?Q-s*it4AaGk0y3*?v8>M`Nb~!^p3n z#ty^|Qsd7(THK;jbpRd7Kto)wu_t$pF0j+Nv*t8`otbM*eCD!{@3ZNY=2%sVbCyvI zykuyArpzWy)N>qmLu_>!*F^*74mLy=Qx=d*?0L@2`1{7E0TF*Y%)*Yk&ts#}igY}; zcWf+!9XFiz<B{hOkx4rd(ZEG0T#HZeHA&#kY#g1kfOOG51Xe*qg2q0<fxJj{%V>DX zv;Ru8?j}@XcGd4woTt&a)v<n&Q5232P4tnIQRu)<kL_#hTEtFlZJY!Fb;l331aHw` zI=eLBTo6@&ovJEj)#H-3?oD+BfwB|Km6|NTO4`06vxE_N<j>lOnd;4iS`$RIXP+T= z<@q1TqYVv21)GjW#8<wgQDL#DbCTfbj$k!JMihAl>dE>BCCqCpe<uXaVl*fu(fpRc z4hW=6<Df<mb3xjaxR%#olp`X3;po~(TYjue8@Cd<(!j3zmGLAndo1xOkbcKv?sKVv zN>eVA2&k)YYhg~}51P_s2iomreL=k4qDvpUHk+bO8$1HB1<b|qCfE(9#HW@rzPYS| zos4hJ9PEJLv}OU97PId%w-FC$5j@?CJ-sour3ffZJC#msDeOF1v2xY4lks}X>oLy{ z?rA<N<~ssA2ekBblfe$MsgFj?v7g@A?G_DkqG1fs8W$V5+#E1RX5N%2LF9TY8^~<O z6>m3s?hHW{MBHoYGZ(@)Tw|X~C+Zms(G3`~I`oQ2J5H|REXYlr*$=aMDSwpZ>zmm5 zgnhn$Qdx4sNG7F2C)hI+lsz5Ht$1Y}LFTxgKQ89+iIpWY%_)3fe;iIBcEMA5?gcx) zV5gY*B(Ninp>Wy&g`<yMj#bnP_Sp7yX!Y1h<iRZRgF6r1fKG{CS8*_hJB;Igo)u%q z%wk$dJGxK_n%3lvqC8Se#hHxx`5{>D)vIzf*vaI#EtPk`EKwc|jeNRGgK&?J#12|h z#^X|^H-TQCV^1islb_<ZkaptqsZo#^Gr&nAi!g-TLu*n)^dZl)J2flvyqle_^<{Rl zmC#OZ0^p)HbFrgan1iMVKBBM4!_>?GJFl%<bU<NW!v0JwF14wvw6seDaxc#cvGcLo z1xfZ48Zbn@5Gz!{m74qy2NsCTZ~T~eTOoEToX=6otttoaI7)0p-31YTZ_nyi)>2$K zwY;)iIJtP2VzJANZspjSZ~3g!GXrW;Xp!z-O6|;v%PGXRrS6FNQx(ZpVlETJuyBr; zzcg}Jf*muLLItaNBQBf@(GNl1mxkf~o?A4CB9t$E=bQ+kGQY=kG?u6P+@itG_SWXo z#FM~|4yr!KULl8eqC^l+>sjf_GO|dN@f|bKLh2e!wX`%iD}HX#;Ok!lv{t~F=AQ8q z*h%JZDBQDBNm%G8LJF`S%F)2gl<<gK`buf1D4#^i|F);xEntJfK0#R7D8K~`zqSN| zO#G~3pv#R;Me?~D?N}3HhYs=c@8Huto*Et~SFbsWs-ra)OtkfZ(pNlcoUGN*&SWa{ z^jC3)i)`$4hJ5YDE?7{@Cf6-KnZh43M7BIsIQW{Z@pW{@>^1&i7`sJ-zz>%;u}fpe znoOBpjw8?wA{;2kQc(fz?d@q|itw{0lL^>@FO@|W5Nt}C39cS#E5VL=pHtmF)2OAQ z8=rmJUlxx0c~*}dWx%rUU^>mWu{-nGHMI#ux7X$_gEQSmAjweH-vD}gIE79I)>UXu z^X>wRwO`^Z=!->BIef`^@Dr2<bMHbc*H2@Ihr=@5z$r8w#sNbVyHWUwaP~A1b&Ce| z`d#lr6WEy-pzjvgOJ4=%+m8bC84|NX)#E=aUs>3)2<IovE;4zM*y%wrB+5Nm+(>Eg 
zoM8JGp9bWEYmo&n)w8ri|C|@+$fTWf@<&K`@I*0miw3XX(^b;Wypw456siK|-(eK@ z^{7+m^7Z9?Rx0OWxvXqr2fV!yw$-&KhI9fdjGIq59M(8m^NDK{f8le^U7wX;N2T+0 znN9jC2VQB+2*GS*GCZIikBL!pI+o@rYet#{+47^EwN{B8JQ|79!JLq(x2UJeJ$($V z5<3BNh(C8}-J*-A+*8NTN^HM0?NsDDCm8Yw;UxRPcI3p(100Z1=y3ALSXw3RNJ5ye z-%;36bn`?JqhMVfc06WR*taUsj>l~N1aPx*>>ST0pK{uHGKf*It`IvuWe`+NoSh1l zsJG}$l~ac-!%2r=YXa=~iQs1?=PZRCupB*dX|S&&$>mWIXx*vGbeIf0_v8p^m3tOo zN9wLlSm+j*@+7dM&QqYZcyhS8H|&((_NB4&1o5I_T^)8fwTXpums6t0o^1<UXbdG6 zmcq{R5UuiADRwHEV%$mxWSvJ48{UbDD^bCvPvo7=qdlwS%GHbwO0W~z8axHepnJlO zRci85f}N=1Q$f#a?m``WO)4rd7Smur%a3<iyb@_pVyBt{V{r|}BVuTU*r}$#SVn{K zX!u#lo~3A~k^*Bv4F-QyG_8<!swpt4YcL)cF$&g|VW*k`V<`>BV=b-KVyA)vV^Iyp zqwZR(#7-pz#^M@`$KA75CGS*I0N6k$zhK-+gYgJlc~yH>H3h~UG#C$0ME8T8@*A7Q zH5iY`l~;wGY6^_+PlKVbQ_YuT5e-IPG`u`;cYapLl`DEnRMlWSHfGTMV5eMxQC)-a z1kkfW>{PVNy+yxFh%{+uNS2daH;&Y2+Uh>)vl5HkfcR7D!lB^3k1cXWe9G)Tv6yRT zm^AqIi4PG2b_ua1M^^0+G#1Us40w<EtSH*9GDE7;&Mn$M``9`mQ|8Yi119843pw6$ z=#)Mg$Lm`p;q0Qp=FaX39c&2T;jebCF?PDX^sz~1mYU-UplscBE!fh@mnUI@n|fB` zCy~O=h`;w)Sm0EAi{PV~iYv~-^~9cAH0ZS3%ZHTB#g37cEU(9Op0X#4oK;~5_VS)( ziSyDNM-pRYN!bs}YTA`ryNasTR4h!_nSuFb7_cc0s0GPfWlR(4g_D9I5tWdWCEdJM z66HG=vf>_dBBmzs^kkmZ#LuVK#3h`c`D{4X2k9350#VIoER>PWFiO-{M!Kq%r2$*X zvl6cClHi8<S29uLeC()|b!ygHegyaVtR^3H0z2RXd-x?FzKe6H@)jL1_hkSQ4)qDL z94bx`phpEpt<rFTzWI@#`=FgK;y^$H!CttBEy5Ewq_?PN`s;%#S{IPPW@L3|hB&;2 z7}v5PH1gS0hg){X(lgn|qY<@`r4x~B59QTh=k9vtB;TPf4JdXFh=XT2r-@qxU(k?@ zm`@^}gFIk5lp|R`cx;{{VclxqseTqaUfC&2^!PKoL2MKdh%f08AF?9Cp$ic7gq~Z} zSv7V7IwdR&iqHdRbl1R!D9;fKpU_UOpIfwZxB6M^j4*XVpIl6Q!Y9m0Z(g_Pgt~MZ zP6hiFQZ_``QI%qsB+uC0ML{ZkY(zO?BRmR-k0$sU#HG-(2(gL1a_`w&w0pPuS?mC? 
zoG*qQRcStYRKZc`BvGW$w%X?wb?#PQYA~=(tBQlSD#ooL4JPY9A#rdeJ9-K`<(pP& z&x-0k#Z7A^d?$sS@=fcz+p|*GDc`idyFDv~o$^iVyW6u;*eTz%zPmjuaCqf3^zj+} z;<z6jlAdTf`jwo~1$I22jELWdgxCAjn-timr0%mqPE=-1QST)Olvz+6$rgz#PM<!G zgF1n-6%O_<@B0wHn)@t=H!b1^bOb4R%EMI}IRV^kLM0<srM&Pm+r7g$mwQ&C8`RkO zi8^FX78|(FiU$l~lOciclYCYZLq%ifpJX;4K}qafk=YZ*&`Pnh->X19w`jkYOFm6> zG!i@2HMNPoVa5!BYl%cUt&8J+tKUCX{D-6AOy8!e{Mu85%|*Fvj=Q@pECV~fQ)ywL zTO`VvxkqpUS?A<hCz&{={BgIjm0)K|0-stHclBG;53nB~Ea+q^cCU~l@<nXuPwu{N zB|EytP9^KF?>2()9J?mnV?V$FwG3M(=A%>QN@KVQ!L}og?5fd6y_Z;x_gac}N+T2{ zY))}1P?2gWUTKeOV0nuMUkwJ(q^!j)AA6*W>OxGcZ=}8osJp2Crt^BQ{?{NMJEgI5 z^J3)s#HKt#&C`jPdmprO!dx0Kzko^0oW8+?g1MKH)B~o|p!5@M$ar8e_hugPv3UP5 z&wX%Zjh)yg+4L?+tSs$G0tW~qjy-2-H0flbHsuz(hU5BhW+LuBp4G&`$j44}hdD_0 z_`y@Si3-G7KMRTIQJ(u;S=0@Pf1SQdzeRmuY)F3w8CjXx$hf8kMd++hJXuGuBOtQ- zeeM%GazqzWk2;8ZRM=4p)<uw`syq;GR*ao^cRLTAqMMr}R~Ag!SWd|n_#-pr)pF$& zcJ9WN(};Quw!BiVoWf2KSB{zS&4l<_f{Bcn`9xctXbZsyer~1W5>JT%H0H=~jw-KT zf*oIsHRnF-Gko}MZ4v|?@3vY=anoiNH(s?I91tF~61m1&*b%3CcYFy=wbr$EULtV= zSrcMi$*9$Gd4e7iPd#TbWyWfPs3`Q%DISxiPsWr7eo;_^M5>lUePlQiRgtc`JUpv? zZqdMI))n!alr4P>O=HJnT<lu;_$kBAQ&SP%qCq+~cSD~6E4e*nu@m5N`60a+I{|(Q zNmQdpaOI2M`^(eb$>B2GIR`mj=s41ZaADFBRgw2(j8JdU;AnKpf-|3R;?7U+l&PPO z9C>9^;BeiC6m&BaA@aWF(M?R#j}`{kY(}KjJhp8_vv3D2j(hAeTc-m_V8;r1z@{hi zuVQm$L)?)yBGtuHdsZqcn~A_n6sLzJ3BF^`>sZrVAx%^2JX66Rs@M<8RKh)tXT^Gy z3LZaYo<2_vKP&O{(b%bEJ^kHTP3L2$z!2@bvp~zoPJtoXcV~f?kDUTTwC~OWEgw4t zhG^fN1)9cACF|+$&T6^<JNcW|x3y=jkndEop8jt4tV-6?-|e1N$$I*`-LooLPk(oN zR_NI{ApO9{0U6JaMf(woBd*FnA+=Ka5y$Xg28JK!%yFnYmax|=D&%AqFYYy^+PzA2 z6SOaH(9W2R`ud#yG`+u9az^)u*s6@42s`J@A&|~i{CG!QTP%<@<qmGk>&E_>SX(#D zzj~~!7I(x>t)^9uGTtTj@stRLAme8V7BXlwI0?`dnZ1RpoX;E4&))_J`{NLlO#wrL z32~-~x;(&+Giaipn6K}9HfpuOU?4aUb4cw6WR^tJS;Hp|!JMF9YY55y;=8Xi%=r!T z?YB~;=&3(9;t~fqz(dT*+v%)ftKZNRLfOQe0+3qmVnPrevTMN>r&GvU4BE;GF*Vc! 
zU2PDB)6m_+fRhjnnudzfnIRgeyD*M0ir{kbl-OusfI4W_YCQ)65ePQ!%r+24|L&a} zgI%$_)8#Ntl<+tctik2=v~hj+t8I|c%|tYzFs-N5nqWUzYJM6c)pv7-r%oYu|AAh; zx}e^xS6%dP76MS(JwqEYd^XzoZO!;&y;ghi0_~eOjj#+AH1dT_0!$q)ioQUf72`yo z`sipn4Fk|X26${-Z`#b_O$Bb#V$)U}a<MgGH;sU`Lf0lf53p-DeA!?_w9zn1uGeZu zU~s_$pSfdahI}IEhqx-upBN=gfPkngZGG(!f<>4b+9tY~P>zVpL8h6p&{xWGSW=N{ z-I`!`oQ`HgNAaz3fX8440y~F|ZfGz`#J-c)54GAmi2!K=pyw1Lm)uC2kSz#Q(tw*$ zDd|WRyCyytqfj|#r<l5NxedhW*abUpS3}J=5c84cQ-B*?hmK2pJfsc{1T}+SN>k3` zS&SqrGyN0h(?3N=4&oLTvm+KU<qB}>T25%gN*hRGYQ#7Px*EvUBy9m^iYiA`tb8_2 ztRd!8;s$a;y&{-k+*1$xlrvXH?exhwbg-{Mko`7OYk+bIi6Cf#ZH-F3FqkW5s-YF> zDl(twvnv*tnABRse60`eT?Cs!?Z^C&;$$pWX9Jyv(;@Li&k+8PNAdrPx`1Nmx)AE5 zI!S%r)cy2HfcVU{CO&gn$br|=08N=q3VVu+??dS>s<Y9kp6)TPm|M>dFp6vlY!nE8 zf`zPXfK>s<ZaD47HR7SRQ*afP>qICiw*EK!PWcqXbDQ}P&+7#<R*5r%b)pCk7Rg3L z_L><F8V!w~0U9}YEVD=3LLd;|-3W~?6N`(wl1Uj`WX!LcsONB&?W1%#GT-daScH7S zZd|!VEB3GtcYgFw!JbqC62TZ`B+tm?9oVg&5n?A-ZLQXmxx@qJA%|QO2aN1|P}Shb z0-6nfCsv>gIBhZ#$Faz_5PA_i?~nx(m39dLk)b$YSG5W8h_7xb>7UTI?g{%O)sfMh z<f+Lf!5~`<%%<1W4#m`}jRVVArvl>vL+qOPKDCJ{Ay79t-1HDRlj|b4UnNVhQ9%S= z4rO7p$qBQ{Q7ei_%N1=Xa4fOy2&iwcThO;WvI^EX^GMW=q+nRYE|CnH6WK!472G&S z;3zx*Cnwk94MvvO-Nh~@&={c#@E|5fO`d`^nLtO-Ya$?RG=%_EfUkt?MJ!@N1XVF5 zr4yh@TW;`Xj%m5i!lE`7NVbGD^8;X`%}_5vu4H=*(iYYC^8p^mg3%-#HkJL55R3er zRQ4?)$F$bXGl5|V6Rp{#KxveD`>*D|oBwy9iPrOcCJq}wz?_K}VzGk2#1I4TT&T;X z!dbINu8<W2))b2ywU9TyoD8x2OK=sAFjouz1ba$O0FhSW2f9^W)Ib}0p~|&$Ghxzy z&DicmvqDU_ZOH+Z0fH3J8LC6KtrTeWh+&E&qCj4hv|k}ZiX_S)6T-*Kd-w==Em;_{ z7zo2bR14-`1tbH2^&}azB7LH>$BZ<g7*&$PHyE=)1@Ukb;<`Z-(x$+sR<NNeT6jvF zeay)QBF%9VeXa8e_KE#26ib%ZyQsd?ZlAoX|JAJ3j@&3px<Ujeh=H{|kD-^-NdjqK zC<D5w1BAe!l!nFXoaD_aS5rYbvYAWJa3<OcqCqBVM6D+1{*(no^HHi;L4q3xH<JHQ z2A0VHzoKS{SFL;0X~P|c#eo6>rAdNjNvCx!EDll>H>lN)Mt~R_qSr|V%k+8BAn(Gd z29gvs20=76Wmv=)^k)!)fq%Uy1oGh|G?2h3*yHsf-Zt%4*}AA*Oc*Ds=AtXZwy8UA z3Dn<+1BaSIjjZH2O>QO+50^Ie2MQE=t!7m1u`8RP;zhU!8G}vG62z=$NHn`7EvM*M zk@1nd9uq7SqmfVeL>|~(i%4b5XMOgJ2`}D+#xxN7kl29q_M`r7$i1l%qj6pBVoBjA 
zloCb6n7QRsPcnB}3|bQ%xrq6;iirM&SYe=|NXYsiw9U{o<bj-aDO6I>q{q4xG-8fu zWFX00!A#u1pLvYBK|{b`51aNtN?c^7g)57>Je+Fdt7uB*v+C416VxpF>dOx)UMx8A zz3|lt$&wZoSaYZ`0qH7PE0RpmF91vP48)1cDXewsj+j4Hr9x{0ti~5&oT$%*+^5xi zJm(yh7>SO`5f4M@8&yn8ScDv0Q-!=aX!6NmL;UlHGXTyDKbzw}2WoLiCB49!iU1>L z`{KA?t6d!Tqku4qru0?3mbQUHhY>H2&>uLwIWV_&sVoGYrF7d@Dk3Q-kC=d8d`KSC zwC{vsMv>mcBfc}!X$C}xCa5NCU2!f>#Kq~FVQ*BGCOVKjRk~<O#ka1Q6BMPpeE1VV zcAA6prrAdn0ijzE|DmX&8Fiyu7+fP&zh(&3-CFGx`ic5H*w7wO@<a;bfwd@y5eIPr zX4I{L9^BCGia)QyA+Z8Sx1?Gb6PNhZO5maqIJ}|0HyUEYYlwE=Hd~@p)ADm)i$SGc zV^LPaA_j9YA?`-Bgz~5>A9k5e=#2PN%3&30vUv-t5K+XSrR2*joxH6VjJBSrq$f`n z7eh&YH|AFrxgxWAJY4bPACj91nii}4Q+ga-Qz%mxO+1#o;(~~otV_xtYZ2E<(iR7| z93DvRZWA3yCpzpR<~GJmApA4sJS4fh@l_O!!Tbs3d246y&F0oR^2r$ca61+kNkA(G zE2daXH5-*h$CsQHc3Z_a2ASC&$mAtF^a&!@#GeHd(YKH!;oL{Qc*F{bt$C+P$rK63 zpg1T_zT}54tR}^vK)o)rbeglX24@%Sn(b)oUFIW)jmH8geRN%qw+x#J5#X9)$%EsJ zQIda}dtaYUJ!hsAP)fRq?1iyqF^P302OEJi;!=X;H{ot)hNn*L1su^+heN61sL6l2 zHH0)w;&%h?tGdv80|c*zcmebbf101-w`Y+XNEh{-8$9Fi4G!F0_^BHfuc8)X$j>0& zL1%MoJ0EDRwyc3R<_SU#t6mVGa%+$xfZU6j7u^wpNT*c7nHUw~RR1|v6c;$_t;_8> zs_oh!bD}laXy0^R@2%_12BKvygiWbJpz&%k)PSlTA(~jsapY$>=@??~)oZR*eM%bP z022J7Q|e%lH|0@Ch+V^2Ao;AeG}Gr)`7|d^G`Sqfa7r|O4jndZNeULyH(W_eCq>nl zS-KJPspf3ztSj*>Lc2Oy#ID9EZxg_UvG4^w{t*(N3dx~QB!c$EOuyvGtDuw@B+LVx z0GvQ$M(MgxVidWUxbay?xJ#T!?R2TDzmO;4hD&Z53hKr+#SPq$2!>60UHTj_P<g_2 zs$!WRC7&KUY>1uMiv*4hP~2hy`Y(uE#Kk^kd;{GOG{rM{wUXS<1D{A8GV#RG)3vB* zN-U3Dn}i=5iRZ`sQnzVChTQ5uA|&TQS|I(H+wN^yySaTN3PlaZUCyad^75(IxX!DQ z^YXg(V-8w=%;GBZs+KncX_#(vUWtmv{t#8{hr@=YY2Y^XYExBQuE#W~qAd9)#u$-a zWPuV)#Nq&0I2sa%-Kb?EBs_H?M&wnxA81l;qMzA~kbE`}4~MF92YAUQEJA%XqB2y7 zp9W?yM>oWAlBy4oO7hy%ZC$zSCcOt6=i?0_)QBU#+}eP%$eTgX`RX&Gd=;(9=+sgm z{0lr8`m-F9pn&i|{8!VEcbW@U*sNM1w^(F(WDh&@V8|_7(0!sTkjv31bt9|!X&`2; zp{9+xV$0%$Z{*tiNQ`I9g)BBDx+(>;7MqSn)C!%TiFz)=u_{V=14yG%efMT6N~AE5 z-a7=<$w}7pDoa#Fep%@(u0ZK@gJ&BV=(Iu^Ut{XP0fV}r!%{{V(E@<25S_)@5bsHg z$phw-jNO@y1FVIESRUd?iD-kIOS%E_a4^y1h$PZxtriU;P)AO*?_fHW5+2+hiS<p0 
zC#5y$+VUCa#@)W5$rGHw)n<<Zeed@VH&E}F{surir7jinRkNlgq0eU#z5TZKA|}3d z#AW^*#jB+DNTTA?K9Y%KY|3Gp%nX;&Q4Tvk!M2h*0C4IeYTgo$Fm-@ZXRf8r!LB`= zDRTyp#vDhPrSJ_c2f?y{kinwPXN%eSr{lS^EalSIdz(8W(y{mKtu`5w*Y+FS*(Gl} zdpmY}XS9dyH=Da{>&;f{O>?(plOe@!<4wzFEEw^YLx%>{^T~_jozCmV@y^cfx>j>W zOj_zv7?;S{K%O-4f+#P63@Ivb@P{K008=<1NCWVs?Is#gm-2}^L?;tO!IiW+ovWNd z+PoTUVk0V!SP=S*bxC0HPB?~>01gBU4gms7pJ9_psl+)po&rOD*Re_h%&&M0+k*VW zDWIVaCoP*;4)#ey0nm`3zK{+(jTs9YLo%lBx};vg(TcKYMS<azV$J~ey3^c2|6BaC zYp5_le;$OsD|Ykbcv6~hrP(|n?#zq;6U8u;dho8H11Ii?`4%xTe~BIEQl`~b2d${7 zZpyq<tN&CFX4n~haaDIo&>WHgH<Q>-;_>a*U+XG|)35ce_=7WPqWNpR`)l18*RS=z z{!->yzlcpJi4TS3jYz|-88ze;mDK&az$uXI&i2-(nglqHcs{Wx*T~q&o5e)7ueVZp ztaw_SF%Sw#3`U{}=tQL@k(mLkNW5yw%|{k8A}x6ip2a6%76x7zfNt9K#Zc=-F1iC{ z!(tI38U{CnxG1~(=*uwIMxPIW{h$v5ffPH1HXfJJwxM>RTCD*pgj56BZX%0Rt;RP^ z-!wP!Fy{!nGxK9^T!IZn&sw6OW0(2Fmg)?cko;%{s&g5)D#(Fb;lwBC>_h+J{rO@4 z@?-z-d?Wtz;GOZuS+C#!<-_@b@#^UG=;GkrW$*lbKl}EV-tocFIpF;4{Xy@d*F-&a z4d#=nig}z5Iv9URQ*KKu?usV0sb-~c(m|=?HpE6DFrikiqUuP0418A1iyyjCW@8}l zv?5ksK1m~Dl?2(;IZMex>SNXApDS;^_O-MzXrdlmXbg!<Ml_I>C{NqY@>ty@piz=x z95iA`#8UUM6@axJ>{eVXb8#NBwVIZ>CJ(kL4}3ZdrKAM#O|Wk#B2n<b$5d=KU|96Q zBW`~}M}fe!U?$Ov4LHk)vlO9ludj5lFvVJ14PdFfx3N0bnSsG`;Lqg9rG8~5X3$cn zqi)U>MxjppZ5@XJt8Wy9-;k_qgHNVXwrg6GDYKJbrB>%ap1qWvH%RFv>-|Xbg`a$; zji$7{*><ztY;P#_p~pC<%5p2RZZ?h@d8;!^=kExoLLN(9P`czsSB@i6$=d`x)(}W3 zMwz+fTgriC7+IJ=1B!~L(xrn@H)x`Fm`l_8jiLsGTqwBTP*Q?XTQx80(g01cwi6NT zeP|fBzy_EOvh`N8<63Mo*J(F*YsoXt0rlUu1Sl<UEdHsPGBLn%hJ%SJqV><{qc`@k zO=`8H;3Y>c5qk|5#K|I40%=g9E=Z$WZgm^1oOa<p*hQgi&A5VzFCis&6ZlE^Ay8M^ z9{Sj|+0>aCJ8INd6P=SOfs<_!T*^vQaiKx>u&A!i%^fLn%t>By6FrW^*;vX*L(C`I z|3weh@PFap*kK&Il$%kZ&(deTdHnZrw9ovOsFVlr+t25RXU9kTy^Es{r*S>)TqA`+ zQ}XBGkOwr-)+?TaEiwU{6pk))VYrk6?`3{Zm+|t|h#vxrk8c73KUCRIl~9v#&~cfN z7l8ub2!;X5W8e;&j~Ge`%n`P+r{p}j8^HIU#WYA+D!C;H8Bd%n&(T(Uvr~FFljr%C z7dlQ$6o%^(9H1$|>gs=pt*aZcRe(cBK*2d>rteI~A@;Ew5K>4vaw8YK9{<jKJ-}wI z*5e4nF&X<TbZz4jkT^t5Rcx6c1o2Vm2%1<+xZhcrTi7N_YL#~SAf)Q`CY!U@br^zZ 
zmFD|;DK0IIMKF@fQ-C>g*bNwCsJ#Nah&gsNV{5OQ|7!kgy~I<@SQl9h1!^>OORt-q zcC)jseIh;>oq!t?kftBHLXyhq&f&Gw-pQfV!~RYD?4R}a5C3+4`01#B^x^bxAI}bY z7l#LV+G_LpTmPbW@v)E4-}Zm*onIus_0G=Fr^9p6p23L!rq4&{Z`!N*Z=3DScBB2e z(cVU#t?t&F?#^~|@AcO9>-OgBUG!tS-EO0g7yEzHanSx2H`h>@_*<vbd@WW<d^Q^c zL$S@Frl0e}-od{SLV6hDP5+{Iej$GM-X9up8%l{r8zIzbN$}4lk`Y2i^n<-!uBS!_ zpa#<y6eVMUf`qj81}H*InlvR4%NJ88XU=pZr6f{2^nK=c(Z{p*=e>hN^i%KX`0${s z_gxPM)&$jaM^%>`>x#NIWJwT9sZWBg`9~9b9xtp9(K=u;bYTnXibXS|woTk_EETiF zLKWrU@I9i$u@hFHFZC7m%MJ8WM^$?%x$euPJNrvm$s^sH#{EIeC5%4vPx6YR80EMe zZHj%M+`-q3dgVw`tS0iaQjA*9E?8km2)VoP>_6D@p1-)a@)!5^X1D#i+1_k#z215K zdV9{|e$(tUH}%q182d%~)m+iYl2;2}%#JK&gyd_InYq5yowRhvWUh3iD<lZfY5^Ch ziEsJy+-S!${WMro=Z#`XXCR1efPkTW`hp1ygM!@>+^V#b&YFo-fozZ2>#+DD^bX+= z&#sk~M5216&(Q%b@fcG#7L^7jtq-(kIS4_or4V%HlM(%*PuI*>dC{XLsE<6K1<YcO zG(ccr0tBCrctAnxbWL3CL7<KOlb42ZyV}m4lOXgq&=g-0B*k{7SX!hO_Q?nmwd*6C zJC=@jXs_83p!aM$QoR7nJ3i>0B@gzxJPZ|NH+6ata*)H=Rp>=N>&gLbh&chkX~5AK zj?!y_0j+PuV#jqyX=j1CuN_3U66?yXOkPP~4voNh{FAKvPb#D?=A-wY{@IjXR$8ul z|LLDdDkgML6r7U(hCadK><I#ItY~<tPJC>Ht|_^Jn@=Uzi9M>WroXN<@tStj<|!5} zbnP}kNN=J;>^qc1Vj~=J0C!u+rZ&iTX5b`+MvM9Kz^S|x#gUU!*CJ?0h>HY~fiOLV zEfcm7X$p4aq8wpa5N<+J?(A*8?nt7>9#!ZZMAu}-GSXqxImq$)=oc_i(c`V_&HxSw zp-bY0f<5{Yu9tjb$ynh&;h`fv&)vLvkpAlz87UhL!>Om;&S71psCT!y)7;CPJ~k3} zqK*T~i$uCM1u47(J1J$etv$_^nlj;q2er=PElz*zv^P*k-l%sr1=Z<RH=8?6bR-o9 zFmGby5P~P?YTPuS0Vy3g#V{NhKO0u9fqv)Ag&$+WxcvA#;9@8DBqnk3>XmY&*H^d( zHaZ>CS>625e)TGLZwF`kKt~0zBmFfD++{K*f{F^D4~_Bg9O_>2F8Zvg^XBHpyzgcH zxP^x-3|cO^;jPZ=H`}fF+*hISx>S<StuZ1v2z@feflt3w=^|NSU0+N9l`6dfPvUJu zotKqM1*n&Jz<fLgDR7EqjEPXPNU;q7(nK}sM6Wak?pSX&hEIYx7(+w@B4lZ$>P(_q zi0%si4jc32?a(j80egUycG{5KqRZu4KO9QiK4tO`@M=+cI72sr`-mQwxjYrEPeIAY zL!|^(sMd)R;X-_=ds*3LtuJ=XP(|Jt5n>Oqb%kQr0OIri#|Roys~w&G^Z}u_Z~uW_ zy^^l{siguNEqe8;78U#?P83)<A1Eg>>LNoY^9m978eL<bH=9NekxNyo3mrD5nJAt1 ziUl`5sT>HTJv4eR6>l=UN2+$pgSL9jgUHG!%|5ky(gui=we}5PRr8uC*3%h<kC{}s zBwe184T8UjY;7teLv=YPHdLcjKVY7hgf-dBt5?~{)OX?kOHAv03V8LZhS2BEZ|JAq 
zMen$a;>bVBHQ5JS8@0tbYFCsVx~k^E;YIIARK3s!8L{?SY_hROn@ru3bqW_djuZ@( z7AxIfLKWBPG`E_{%t$+ugODwFit_N8(y_0dP5>kji$IcdY*P<L^ufenIM|KdzO{95 zph6EM%!5Be=gKaml=s4|zZLpEaf4Q*lxt3csq;dr4~|aXH$ENp8fWhhKAxQQj*r(3 znDu2u!pt^t2N0dJqWQChsG)Cg^`JM9I4nqo6#;7=xR`KFOenkBZMpqkn0F*f^oXzT zimn6=n|@7nFd99FgHF4-*K9ZZ-PihJTYnM&@;om+hmENvn{k;<n!n3y3(O~~g`9{# z67cADG2zdbxltWxM5r(`%Jy(WypC)SBUiDc4bZ^gNz#+J3E|U~{dMH?XUfenfMS(l z`<g2ACar&<(<!kj4u~@ovhc~-hx3cx=|vYsUemBzwA*w>k!otMUE??<>PF6h#!O_e z7ujW@55a`^H&ib(Ace6`cLjU5ye$$uAV-0pd%+AA{ZlWPi8GH%Bi2+&v`Bu9-tqB= zUoH<%&My8Pwf%Ocat1_-_?Y_S5gBMui>X5gyI1CAjy4rDgJZ#czBCKHCJyri6tR=U zma#M<nF-KKgTy7Hz8i`od<e?z69?Gi2Err3t^;*V$Q<IENkG$4Mm%QoX6;Cs>d2Eh zcBRCj?#K<cqe6j<LdTI=kSE0P1WJ^04=~P#1a?DR>VtAtl|0}DdM8dZu$xIi7<?ZA z>R>jA4+1`sapJ@|O7*LUrY^c<7?S9v^frtKT;5iqpwXQ99$GZ9Ti#@{q|s*LgJOl7 z(Mcp?1A47RJbKV>{;T<~0UG+)m5CGw9e9)2myFvYX+X^b;(_O21ATxyD|JOF!>&Mn zqP0Q)@ch%!{vl+(8OW1C6xeTV@ZtC%W?}1k?HZc8SQM7GE145e;(jb(>h?^TbgO>U z-=`lg4*SjEi^}(x08~fd(RXjdS#&Fsuk{lQgkM`)*?6SxW!B`aEFgG2+L@vlGg)oD zPdu$4Dv1VI6#lOv<U4H}rF-+3jn?!b#lQy)G#(flq_vHM^&;~%@`YHaK?4N(NVvMy zH%j8z>9Fw_#0qmW7kfBJxDlO2J4v+B%LB03fJE`ZhEiJL0Nq5{;;iHdqejxik%nD0 ziW(DS5+Q1QjH;r8-bL?SudlxR1GR#w*AhpQ&}&9W?t$H=AG)bHmd4tUfgq=Fu?n`X z5%H-zz?c?!aujm2D_j!F%1!22l(F$de-Qo%&Yl6C5~Z+^2hK=t1O#*Xrwnoj^CTdS z9EapEVT$52tsz;d*oJzv(dicA3lMpMnM62TJr-j3Kl8Dhm4iW|08>4~>C#~qHm^N5 zRD6dRb@5b~qVZZH0HG8ZBSx?uD|WRYq7jh5qP{JN(P~Y|6vtM2z_GNUOv3bIM13BZ zyc4*lA&Ubln{!YZDf8dHK(^1k7?K2z|BqQtt;FgjLr#43v441;EdhQB$Y&0T3uqSy zh5ncCjxJ7nCr4la7*X)cL^ESwU>WYOeR@qDGA7_+oe!fxUl}+Bwb+f4o{YMJ(*EPy zdBm|}gy9(4_}%igzSwvjsgPq$i$z;vtunV4XJiLw$oxLq?RI;2dmH|3x7+D|+nue= z|LAPDJG-0Pn_KP9f3!DucQ?2G1GOIl0ih6k|D%29zS4vHMxM+(c54V^gC?J}CX8Km z(M!)K4J9dTi0!1Iq>h)VqKz9u$CIFoUN$-}zokX+9Y4#if2G-I7@p9Deav0|JMHxP zZ*T2Bum6X5UZ7(l#WWqcQ0f{?V^AER{Uafjax@I7V{>^&&I1(+ATJUdb<LpS&1Y`# zM4x5XKc7scy>&x*^V!9$VBY#~Z*3>n|5m%RxA(mMAL5Ce48*>l3QYajusuKb|17os zWkkgD!`{KkVRLHF>tpWzzqys#|F<_g&+Gp|o_*%ckWQcAXKtLaYqyx66O38s#Rz1O 
zOBLv9ioNHp{+oL4u>Mux-}!7{-umC$PRsv0TYJyv{|9+0MwY&7IB6@%X7YndH)|IV zv^E(hn!3NsaAhe*Bdv$9ZAY=8Ny&NS@ghT?fRfuCMVS&l7n(33xt5lTOYtHxU>OZ; zJ~O_<`Y(=%oZ<=d*8g@prT^RNZ0)t5*Z)I2|IS~a$}B4x#+dnW6l2K)bl_|36CG*W zMs}R8Kwe1<84L7<tIk@rz^YhsIZ(sYu7M$Jo(>VdZulNIAA1HK_gQNFD@!36M95** zRe2xt*8kR4TK?bJeAfRx%#$=g*P&45tw0SK>!ceQ<*Hy>X5u~dyN0y=K^L`~yUop- zO~-@>UBoANb7!}^x82@*y|wvf$KGmpMz-DAeLcb>dx-JgZrdiCdw96BJ#3FgTf4)Z z&eqQBH+Tnc?sRtAdz-`8uXk#ZpLrM6r5D$mM!R#-+3Rk%yY0>9-kY8Fo88XqH~+W( zd=9Dd+<pC*s{Y}bd;Z_v$*ljK&hz?zh$p%J<6y`U2S_aGFU>FTYC*Q}*n@n23ZJFc ze}4AA!amB^|Mt%AcIN(nb94K7{XfL>;stsy<9e#7JTeTG;j{7L1<Ly879?&-SKd&b zb!k_(jZ|h4ZDt*X7<EDd8H1%SfDzhrTncPgzBwmj$^#V^D2f6vb3=#$snDZ>-^Enj zMPL7_z0hIfbrW4Qo$24FcuL|DMw4B5E0||o_@87Zzecr`H`u;|ITy|LjlaQ_uP`W> zHtKxw0{LVVv)syg{=}GNjC_#k^w3mY%2JYEjtwY60Umczr_+4XY&TRu%TBxDcWMZ| zc!By+TEbM+efil;^YT)L;eUzfC{A98C`T`46pEJ{h&Y_cNVE*SJQ|&{;LInSxWP-= zT!e-Ez>y&*eq$U`o3v!o!PX1UCk-!@8KC7mXh~3jks!eAO7`?24(lIfUUU)meLNFK z+B79J6*g4xB%NbwirrAA1_1jvI}^;YnHpDVM9gUIG(2X<sjR`tS7k=<e0q%o($I6= z(xZI=<BjN6yeOkvJsfEh>xV>48W=Hx1*EjpWZ<7D)0de!m!vm}L^L`IAZ#W_?|S{8 zVPT&3PL7aGhM~->L0yP5Ym=dYi!x6@Rk{Hk^VSQ|e1o}-A?A}t)NT#QKJ=xgSVaB6 zSN5Ks*yvzpB0grQ@U*>u><zF6Ja3Ar8`(N*!)Z})T`aU0$n+8Drg{`@R_skSmUcRT z25Txko0;gu472^>MK&H?SEnQe(^@cHR7x4;)t88%CLQ7fhR$`=x~__gC%Vrzp1nTS zX*ra{n8$ST*-lIbit7v^>?`~|ht;f{*{qV?s3n+WIYv&B<=D;g4Cnq?PBh{S+nL9B zB+p1txJsE8%#ezgC=2N*x&&E}URtMK2Y*JH!cXU_15Q;ClTkLNyxI-dlLf*$$|io9 z5Z4GO39gSp<mRNM8>B)&g8QB^MwxP08gyHe8);-O8#YH2FeK{RV!2PjjYJUP|At^2 zQC3!IPS3k&KyB0r2VMC0J-S6!7@&q-M|IQ~Z4PAf5+Lw4Q;<3{(dsC4z|kNIq-jQ{ zuq>4;S_Q)tP*9trHG#;sc2reK^48TZ_iq+L9L~riPY0P?JcOo-EHR|6+;RjkvJ;Ql znaNH>(3CD?r7<=Y`KFpt3@u`ds4assLX%NkeQCLGhYs;oR@}M}0I%xJj2O2_=<9eP zPD3Z4o<kZ@KT^(n5qB(BlH7mJn4MidcV7J(G4P6f384QRY$fyBBOPG1i#qMLkRJ_P z!kZXk={ME0EU_is9pL!Aa>;67*>tO>UZ}2ew==<P;`D<$P`#0cP(rJk1RqW1M=NL> zR=qNolb$((f`zDLrK_rRjm(7wBQ-MFX;hnD1*BNawTK62cu}P#kP^+EdROzfCq^wd z3{zU#hc{gMWC%{sPoPQ^IhP7S>5+8SKdbpeY~{3Ogayc>ix5aa6uJy0Kh-`T>aG4$ 
zEJ_DolXDf0t&28eNtMrBYvMDP$+#L*8lWk&Nf$A91F_L)L&X!g#GdEOqQB$~GWZ`c z3p+Uid6CEZo91rI58Z%HiO$7zgB|I%{{G{B<CorX<M{B?;jsWa25ui<>!O#;RmYm2 zwEJ3|5oC}U=RgH5wxxgAMw}@>svsj2sUTX8Bb~5Jlo)fMX!^s&VOPlKaU|S-B+*+# zqJw_iNQ`%N{5v<|J?yI#Vk!r`3>^xIFh9n-35-K54$a1rAtMA$QV^PqR)C$M>Fm;Y zr<O&W2}iI@!^us?@DW?GaW^kmjr8_a8&vddu%1~@i|2+=Im@C;@E1D!Y6Ca4Cs6~0 zM!2W<dC>4f7p;j?l*<D0zt(GJMtmK7NXMV;rpFB4RBNywhaU0aPs8hpj-Uh_EhxY5 zu`1JvMlc}|#k`^CA~D!nb~3uL3tDP?(W-wuaA9A~h62t^MMQW~1WTo;6@~RHDeHFi z7xC!?cz+^R38ZKR!xy-3HzGEPo{D19*ItMj*FgS6og98{1i^SHk}t!kPWY3-s1B8K z4?qeSGU2$pC{K$9vAG2ZJ$)Jz61Z(Etw(NR08u=V>=$M~@bRI04S&S9EkAwuAYULU zCv;JLi2b@mQd}qcg+Bi#lelPc#7N<-q#a3q3OEQvlx*!2_WAya(oU$OrdHw5z#by( zkNG_z-JJL%=&k2N$g0HYUfG~Pes-OIEEU8(@UhFWr30Tl7`VS+N03UIRudLj=3ta` zkg`cL0+_=Rx2Y9Ghc`SW&OT_}#o<9T_O;F@*eCY8a5N%5uXj;>r`<kzSN{tLGe5Pw z7Y6y3y`c-|$jSfD-nTc!Z9I$quTRlO>s(lZ1PeCK*?Ty3F%XCHivnWbTS*FLSF^hc zT8*O7f;Wcy*-uT+L!-yO0Aq)&>i2V4X&yZ@J>5M${ZQt18+kaQ$}G-`)Wb6&#Fj)L z6o1OIw{MTXGJVD>uriN(Tnjv%Q3itlW5ILnvW>y%s<mcJ$y)tPD7)6;gxtvl3D3Qr zHYW5k=5?qijS2HS+T259LN6PT7}=0^t;-t{5S6F$P)(MY(kdd#v^Hdv4QQNcscIs6 z;_)q(5kM_dZztEKwRIF7<-lDkH52(P`|)Xr2TA{z4k=;@+<16>BHi*yB>$hKBc9>= z0ppo@jfL<{slae-e7J{Wjv`X)KeznW4hC`E*m@4b;Duz5hLYN$A8WU_l$_71cVQDS zUdAM;4AE&6n>G-%X8<&5!<Y}EYN<6v-BrLf8w&*a30X{1R5hvsI(+UZ29jC!eDkcj zZlb*6lMP1;d(P3op2~LQE!%K>F5aHY#(h3$!;QLrgT{Ysbi#Op5A+M#9WZbYSf0q( zcMDvm#7~TzTnHYMF>Tyv0&dwes9vD{!u%>qh@~Z*V{Rv+R$)rYQ&d`ODPzvnC#(tz zN~BAN5+S&iklwo2X_nv<YmOP?NW}0S#{vjgIsw8m=t>?&xV07>0?VD0(=LkxZW0W| zlm;>cFRDNVRqCgtOYwqbE+v~$iwNiiS>_uFlmBcqbgLnYJ=XIuL^k52_2ISX@0g|` z3r;0;ZP=FDz-l06Q9BAqQma}TrBNGJR#4fPUeQ$jNHF)f{1c;0>q4Vm{zDM8gZKJJ z7zc$PMrVTg)G0~3gL9H)sp$^i^g^+h^}FtX3aJ!-WD&Oy4~5f-R9Y2Bsou7wUf`H< zK?m*P**Fm+7XN8$UBS^YD!RJ*R~z25n3@TA@qByBDc&=q(t`!`n5CK0t!er2EhE7z z5|Oy8;)1=`<!li6oL8;}NmOO-<!KM~yN!lu(G&0pfb+Xn4PjeBf2<rUNIbTajps=L zxl*nV$yi1$mwGiH4#gOWaf8rTgud>}Y61-z@_XCzjM$SPwvP!}%VM!_9&l20%P8`A z9R)x>JCOy}(Xql90W0Ld$}rS3#y^K99fSOMmg1;Jqu!0!DDaf?ODfK)^qNG`MkA#> 
zOT%vFsb+dC#WCq2X>D@-&`xm-Cm0z{-ne_v+VtiBgy^Aeh)J4NqS>wTrXY6WKRP5n zW=~Ye!eZcqAq?pdGf_1f@G1{FDcP(}IV&~bfxMYf(f7v6k0rl;QZhV88jn4}#YRA{ zHuzvDvt{l)e|I5ORd}h94N!gXo9Yas?A03VE2bZXos^_wbGBAddpDl9cA7f)5jJRn zJh{=lko~7>a(m~+^X9r}OztU@u^PiD#cb3cK-ep>e|e1_MKnU5CeCI9O0Gi5Qk;Uj zwAx`8`6W^{uc*vmHWI=(28zmtNl#yN$skZecBL*C@SY%FUbDB$YVzD7Bk$t^@2}wH z%a@R^mykH2kjzi*7ZvGCC+-X5K1*pJX5*rI2WJKqa=4Hg7&K(qsk{#>0$HcTspc$J z7EmBfpc)N0>S+b{dcj;uYJUIAe)Zp~yt-U<J-4ok>*|=f=H^9TRpLGuBMjrdYD);J zQoX)vd37~~5Tm+@M^Us6F{^YXv&Mv6s&P2Y)}cFK%y^yYO=)_isSmK)PqxG=VWwrw zV@%Qj<lzF~^&6Rl8UB~Ne9cJr5-m)uByn}uC_*&PEdYijCVd*zOuyJ}m^ND7wp){b z{Bhsd5@-_w)1t~qWwJ&}KfMkc#eqgIm0}EUlj|w>Iwq&@6;oJQArkZS7ygN|uwg0q zm}Wkwvs#;q!_Zvz3}dzFRA)sfaW4v3P}73f5i$iBu9S&DYNVHfAs#nd(xm3ARTo-t z*r@_b={5~z$e4j86a&Aq^@%(;OkgpE<Bu}xslGMQ4A?-%M;!^*$_j!}GCOoVS4a!U z$KJ7kDq{=}PACaJrC~-t#K_2a_&06CPp`uo;X<HiG22loO|+e$Ng82hT*nKxK2`OL z^GWG~)~77OD{m`p#YRH{<#7pBNV!u4vuy;=6Nbh)zshi!%A(2|z&pu^3wE%M<j!qv zcM{M%Hto6{m{w*sNz#y|VK(lHna^EHQOUx@Zs1`bmv}*$s~~T0$Y$`KTS%K54NQZs zLbE<>%X+LHi35+sS?K9E58F?M`CPFVYf`-q&4{P61>CDc(UV>rFG(pKCh9iS4r{B# zXgx&r(*g*!@E}teYN5L-h9@j|YnMn^uvaalps_gDin<ft%Z~|F^!#WU>=}br)Z)u8 zc%!5Nov*RFW{NEU4+GjIsmXtnu)t8{(v=6k(dE_8{Muv8MyawMi;dA2Xaj5ed+F10 zodKOHAWmR;S73D~z7+crj}aX4pa!k2?dM4T6wG+lB5m_*OZVEtuN9Cww;htlVRa^x z)TeYdEFOJph|#GGY+ay5NKKcdXi175j}#r6>p{!xSbxF|Z;=5cA4m4tqq_eC<{8Co zW%GANeB5E5^Y_Z0u?@ei1Z-s;R!rTMKQz56bvT3Y$$j-OMAU9;Nki{RLy@@MgM?~B zTp6W<sS{E`d5O!V(|MK;sKz&>c+jdl<?fpV7dmO0mB|Q$Sr5aKpgYrwyvv5k2u-P# z{tFE&%`fT1Bm0nGNd-_FwqESK3-L`i8Ht~pLus`T1O+9d%mbkgrYi5DX<qbI4GW8M zztZw4v{74M&aF0C6o;JmcCox+A3ns<7>;6bO5%{Ef}n{*Gf4HbvLB4ubyfADG|=W; zrP>~{fJQi+B#FkpG`?16b(uw9#;C#6$|nDsO0*|iQ+K5@BXw>vr-rJIO8GWT3l=)4 zun`DiC>V<s6aqumiwTsX2%AeXJC%_PD?{S3Qg+H_R?EObK*dQ{+sCC@GuQn_5xYM8 zES0SqHL;bj2lTT*@er-*(ej^bt|EX(B~RS9G#p=U)s(4uIc9k0LNb-)NQFGN7I=l{ zZUy;a6|2Zhg-XdN4wq?2)^%ui)vSpU-)Ah4%doBj#1oa~@ZgowTfG`(@+vPJQoat? 
zRN0VY8J(VA#&cJ>MdT>dBuhXHu;`v>hlIbDst0Y4t`yP&A~R>`LZEVLQceqv+3t~3 z=17N+$NVH6YE~%1I{_N_79%(;FoDTyX=pXhxZ?6TjZPVwfTeiP9~8<Seon-0)IL12 zf(KtN>9~#c)>TRXA%+~q>nf~k8-CNx{c($&ZX#$}V~|ryX=fz$k5USa!Ydk!eI|1* zks!ohNy<8OE-k^lcHg=q&vfF+PBt1=Wqi|gbm3$1yH3-lV$2-Sh>YzUK;#_utzb*M z6IjbenR)rb0nDsDO6l1krF_7mpba~y#6cvs-nJaaK)e_@FTM^m@{n@&_OyD-nJL`U ztU(k~#J<+79?M$XT6+V_tI!oLdkK>P+O<-Zfs#W?icz@aUSC07m@IdSE$m}ep6f@k zLv1@JYO0HJ+`H!T8=ItQ7WTp}$xx`Xe`*6xDIH^z`}t=ybx?wmsP(h@IkEg3Ixg3F zL&x>i_9pd&N?dh;71S`F+#U#5W#jbpt)Y;eu@)+n&Uy&M9xygPw>`Y*$`j%_3%E1| zlVjT7Gea`t5pQg>MN$~v3BA%5fNw*dp;JMWH&Uc5Lz<;wmkV;lQgIA#G#vG=R#Tn} zCrZ4uuCMFvsEfxcM@qj*iU$!oLUP2rDG}9HL?0`)Mbx$af3|*lDGO9@LKPhESR5+y zUbAz+x<oFV?6lViQsOoYWh+uf5#R7;_DTo~+ndVw5G34Zk}3!qq4?jvG{ZbLBRCmJ z){059@xI{RT7Ow>F17ze1J5o?DdQXYOnaJdHKZk}UTW!jAk#?ND<j6W_(WUNykZ<i zWgJ5xF#S2=nI0>LbQB3eA&~<k0ZB5Gs~b(G(5S`uX1=pidv{sPvy_BN-od7{SgI^B z?L<WifpR}jQNFEz2^LQxD$wwkQJ-4w8*fQJFNAzOZ9~#Ox7;(%Bhvq(+TV4*e97IT z-5Pgh7ks$A_0%qOZ(#$rcQ!ZSztMNZbkq})LThNhii{Xz9X2_=qA4mtgg_ZePaX5U zvO7&ZnFc43CWW@Ii9p8r#!wdgiF91=j75Dh56>hX-`={S^ni`hRo?VV@Q;Q=BF<`7 zV>UR8HZ0dwov`odaIHt|8M0|yuQ&alO7R|k`l;f>Tnd{2OHbyqC-VUkO55f~S+}cg zF`cwsr))%dOe3>W=X#|YqRF_A;SE(=-c?9EqCL@sbRg9u*x|dJ849qI{&`?LFXStL zzeZGGhkJVX_Hh3U0zV+A^MSonoc49t-#a~oPrn?#7Y%etMk3bt2ZWo(&W-=ks;RyX zEBhbbzdzhRTWP{ssj>ygIS>D~sx{&8?dc(G!r}V^0fG1mKc9SfH=#P9zgLPL;0Sfh zFcsJ8ir(UzE9+o>w8RfRtt(B}%)+oZQ<f6UdLy0@M@5_acJI~UTetMFKz3YP=G5@I zg$~5%&O76b@=4vi-uw0S;q-1!#T1pg5mSKex=IN-$&m$pMHItPQdJ#&Xf%LRx-hz0 zH``wBDO0QTgo3Y%dZqP{$FI*1|L^gKle5E<^Mj+)y;pA!&kqiN-uw0K+4;M}vy-F! 
zQ$0o6qejSMu2X6i52xy~zs5!S0SHUgNgAfOmDh+KW$)+*fa#9sVJQ#Z`4|sSIZ#(c z@+qg-`g3gkNp{j%cEV{EpnAIgPGI}G@xSht|3$u$O5zQa&8J0xTRi^z&i3<V{I^GW zN&>SuaraR+Jc@fMkqK`{DRoE^e$;UwuUZaCl8>cGuQmtTgSXPo6Mmu55D-I<Kwy9p z9h}5uEAP<kn$lRyqo6`bf|XTWIcm$>3e+lf#t>$lMm^sdupu>9E7#Z8g&>qp*cBjY zT4{d@*mW!|iXzr$+<0;gNqXrgao@S5V@!YDc03&s(^DCu9WRg5<Uwx~qc-31^dKA^ zBnmG+J)lDpMs4fj^#53pIH1^?3IXR7f^eE^A8(o)nw&JJ6o7Z;`rm*5&rAU~Gydy# zIsWU;&gL@y`=dOKhB*Z)Y?HCtFlW08>d_g){?W$%0c4CtTp5%w!Kf(r9VN1Tlv0*# z#6t{O#(n+%p9k3gnhf%d^Daq9Cyc@@q}<OEMGt1||5j_KRnGtLavA^iah@+<HrC)O z9JcZPw--h<8z*#kD5j-5plw*&xV?2mDd&V{qf{ziNRp&1NkfbyVI%_;*hO$?alZ2% zRo7E`VsItK_yshvD&$SM;Hj!%4>%oO(R7~;6OvMJ|EuM<o_m`v`1^J{Z$=%eYWuIl zOv9wxNzyRRz(vnkyzSh$YISHvT6tF(2(VP1B#9_#6^et(-;2yoD6JpnoE%;HJDi!^ z<IBJN2@jstYBh89tr33t6rP8r|1?cmYEgdq%%J~UTU%xNzqzydVoCoW<5__IpAAy< znZrd^UNe{oT%6}ryd%sVtUZoZ&^u-4g9?2WUkuCnj`J((G?6|$yCP8-;7RmQbg;Pz z?Ohc<JSUEMA?~Ylhv+z>J~rvXY7llaaPiw4I(ETLNH*{@=4+@nH(hXLWF_;*d%WXu zdm)VitfFE-ZEm_vL%}K#w!RjGtpy-#83-$&sNJZtwVUR76%u<`+=bOB<XPQ{RHvXR zdPDuC3(uM$n4t*<XaXpp<+@5QQSJ>q9UR#+VFZ1==?B)cN(0AICV&Al+jR`<i>DQd zdSM3Fn9432r0iOvs*n9DD8bXZ-9mrI1n*B(p~=j7)|85s0I0(jE|BF<7RKPZ;8$nC zR17ieW=(xxL#Hmr{UiRXghSO<9V3itPTRZS{vIFiot}RBaB^@8hbJc=PS7Y=?nj;J zPbK|Qx5#GyTAQ5O!LEPcZlO;U33|n@s{^<}y{9$QrF`(spNHlD%1d%V{=fZVyUhPz zEcL&S^W5$HCr&pe{RY~e)vzCh4EP@xRzY$bnO%di%mx3W<d2&FWdkZpgDVqsXqGaG z8W(#od^)xAbqEURn?8O0$u6wzA!>{3k9mcR^h>40n;XcO=41K!%vb43EK-@j^^3Vm zR2iraVRu3en*!I7Qj0RXKk$tocw5lzV%z2M<M3vlZ`Jy%EG$R3W(F)}Oo^7jQ}Dtv zqbOmAkw7LQNNauax2<N5KDv<nJr6Dwpt88R^<Jz#f_IBo$CH;j#cT_OwX-Z<%<|Rr zunRK8UGc47yW+)PPN8c#s6sXMC3z%3!XB&&p?_7%XLd79T#srlog$=#j<FYQ0`TPv zT4fdBD1fn)EM`9s%m1at-h%wU)oPXV|8Bn6UgrOMlxG3{{{a#g?dZl>ndG5L<bqEm zstO-;aY<20lK4f76|<kqtOAYv{M-W58PI6x^MS;`DOK>hs#EPx=K+>9L?5S+|J9aP zAymB1xL8ByC#YqY(oR_WGq6}`#(kd9uCKkKeal}*Mt!>K7E8>UTdRTlPw%2rwIr|q z^ygvezeK1K`JZ|I+kF1KO#ioEzFgA($9NW?|A(Iw6`)N<X;KEJhzyf8W;TuS@*)@v zOS*MPYNADTJJp#uRi&f23p?BRXE;2?z?a~9)k`J`qzY~?jfPApS7j6fgaamo=!|pF 
zB@df50L4(M$0|>psR{#;f9qSe8?^2xT?+1xF1Y9J-3LX?#K|Obe~m~K_Cgv6Azh}} za6VDlI+o8w9|Cd?9oi*=4{<i6U~zJsBGf8#^jAT5b(xeC9b;G3R2{rW+i%QekkD?^ zcaD06)OWexoHh4hW&&^Fyvs}mqbO3)PM`DK`@%j_D?BNu#WQ6l7MN?^?TgN5vC;_4 zjjtA*W;$dmMb>FxExcVAz%mvVT9f@Qf^18b?7#1MSpLtIGfz<hn8E+ITQ6Rg`Txro zTTA}`7|#Oy|22(iiiz!{f=`n0{0_HrywKPnX}G#=EatzdR{|HyfUD@QAZwC*x!?}R z=Fjp4<gs<#SZd0H!}1I5sODR7Bc)emDSHpsu4k6PEA+!F8f$q%B`pJWM~N&iG#PvB zFrX}^KKvNQJvKF2iP~scN~z9FQnc1=Xc$!*Au;62Y}r?=`Dmq)C&GyFKEfVcQ<W}^ zUeT09<#BVtP;C3I;=SsDSYP{6^=v@RXC0i|xLGO(VT^M-Nen0=P=zh8)}LoBr%ly+ zQ_E6Pf~c9GLesm@C7I^ilM7oinkQq+lo7YwECN_xKWF8xDqb%NmN(%g9nZA~FX{MR zTM+Auf6)+OxzE58Q(teqV0-zALVEjP)!EpNQ*BU3G|=7!AA7U0xCYnq%ZTDfQTZK7 z5`8;mRQ;mST?pfVex6q6ndyD<Wm6T4b)BUs`5iwGEdR+^!;8s(t=3LO|MT+sQvQ3C zXYu=g`vSNaz`c(BD1^Ykqxm(j6<4pG{a6L&H3lekWoXhfI{-G4Qmb*l@UiCR-mAa5 zuT;~H*wr3)r&pRvPs3iRu>zG}rGMc$zEGrDy3W-kxf&b)clUSKzT-yK!kl%Hz)yf| z;%Jsk;QM<Xmi}i+q=Yt`1I(cRn>(B3^M7l*wX>xEkMS%-|Kk92RjP1JrD$m;BhTc+ zNRA#Uwv{skd|l59@KxoIKZy%eyC_j`F}x!#Xqu4Qr77;nqI<GnmPGoCK13EwO$wwk zud=G@+(5?u9~nl?`r6--ZOX&$|4|lJ%|B+!e>=}B{vXe`m;3)wo(1;*G5URlu?z~J z;|TX@21IKk5c{W50Er;#B;2Q&+V@H^QSy24;-b@odW&^D{c=vaFrj11w<FbRrFxjL zzcVJ|#<<D^PKLDs8KFxyaC^J^Z1r-~q1`OP$x&0|d3gZXFJG$0{3dWJ+}>gVRqyr| zJO+Pq77L=d>wfVAk`Z5&K#<_}_SS_P%mTRc96T?eT^7)0jqd2xD2xIf;zwT4Nwo@* zH-IzOtuzO6(ey$L$0m2WJ9{NcO<9(f_yyH%Nfc&cLAdw>Jwk-EtA=gW7$pf!_X(#z zSE{0&X2mYD+($ttGO4xP6mn9DRlqOcLvxZrr1AhccPF><xSZi(>A&s#lyiaU^na`M zykh^++F8nfkMk@*|3Avb)q2@^9r|Qsh<z6Kq)Xpq|2IXG@8z6l_11dW-ljO()%g4s zUF>uyjk0T9VQ%V%P~%=#T!yl59gebIEnQZ-YpCPC4%=E$yJPbCwxI3&ugG}2x!9TJ zYjt-^wgz04lQH?~`{mGA*BZeF&sa)>LdS-$a8E530-*T7to~)Of({;o;?;NIPUKrP zi>$M-RlWa|mAwg}QaFU%+hf!>3vIAhiwhcY6_>QIr+67QMO9PU?fSSkb-T|V)MWS9 zAxT3LbaM2XwI>Ub#&Umrzx$(z#zo&)T!=l4Kv@*=d>g;Zb<m-;&=g7@*@w=b;*&vg zrAVmk$WqTG-GIPutHF9jstVqm(yNeO%lpeX3sZ$VtOqMU@D+Kdi8q;YF2n{jqbfMU zR;0wjcz0n{-OpKo<pO495_WaPX&yN^PP>@t(j0=sCbP~+rbwS=`_fJLV`V)G{>z#m z6~y&QPYa#4tomgzcFpp@nLLx)VX<Wd(BI?VW390Hf&U)6RRe+vr$oOweXVrgvVC0t 
z3bnMNeh0APc|zR!f$u&Og>@8fnc&JtTRwv<`Cn$%D#M?td@mAoMRD^8U&d4ao<yGe zWn#`J9qtuPUx0d732Ob7dx4-L_0ke6Nh!=nKNk@Ksw1vA^P>w~i8h&v#e4VW<Z?0^ zX>mX5B|J7h`=wKFeswjWS%vMYp}d{aj?*2TFqXZORdrc3k)6cVQ^vAiIZf->yPu<i z#oc8^PgJz{`~+}vc=Pjl_1jeF%|sRGqjFfBG;2Y}A90#C3zvT-*cO?ldiiJS1l7&W zednicZt_+Ogl{HdSyAmPxLb!<dGYxW%W8gM+{){Im1(RS%j~I~gSwUu9F^l`4Ny6W zEuR3Ux$jQpA6A-)ufRgA{0sAP5kBfD2Mr9HU12N7_hlp2h!^H1*r@^#Jb1-eL`htb z$93`}s~c^bNqAlvljCJR97yXn9VC1KW>r78mN;FqDyvb4TTN(PN7<gR(4gA+^R*-k zmzvO<|Janb3B>GHFX`C4<;P~b*MVtm+=U>vsnJa6txgUXnH@2Xv`SfYe>Eb<v$AaQ z>^?$7Uaoc_%9MKAx=qwuSlL%<DD!=2at#z^5vdLfD#kt4_U7bV^I^hVGc%iiJ<Lo^ z<72fap-1Oo(|Ok3=yMo_BsKB5#ZfDu-7uhnup`aYnW{ipd?_%eF|F#>9C7MvGc`3J zV=?Wqo~OS}V@wn6iSdF+**fQWwXVZ#5XK5>&4Ws$cp__<K7yhxaY?+JU>H|h%Ic>i z|0tW|nYGaJ_y+zOv5ekHY^g;7tsqFl{y?b*R8q2n3G`w(P-cS)59Yj}p530sQ{+4u z4a`08v)sv~oo3-fF3VWUp$+a=%S&p(Qj#sysy2(mDcK{=)yJX@KM=AgifxT>L4?uL z&b={3H&ooXwF@<Eebj)8+pV$`DjCWH&ZKsfs0e8bPUr+dPahr3Awi}Bntn?776SX+ zBl;?&ATRnWr)gZ$&rKo+C}vjo*%T}Ud&eXdsjO&ZS68W8vd9bUdKHdR-{ZrRg@S(K zPIRGoruYXVaqW2SN2=;{OEbt;U5j%z^RQH|PH}YyLRWhd{0C#n#4*jllnGdols31G z3e(E{%i<qAto_$DN#ii?mrQ_X`hRU!?7v!D%lto&@+@Hg^+_%+kPaJVD&Tv{q6pK4 zlm0ZbUxOE_{2A#_3IBS+ST;=nu5HcsnL_=S@l0^FE3XSyK-Z><OIeQIdIKr#)6YML zaR9ED{{DOL<Fgw+AX_hX+O7;)`DyRu{n7i^Z8*tC4*|_+SDedNzkIR#f!o`*cq7W( z-ZsrOa4dKXx=_gY<vdGS+>Zo%5W}Q#Afxb*D;5UT*+$a>0!hjOX^ah4W=-EgmuKVg z9I!4g<V4G}kZlauwU@Dt5&CvyBn~{)izj;Vtdfr9yYR1}k5B!10Q&C_XfzD_F-vKE zAG7?wUTp1@^S`}#vAv}KkMT6%m}D7Er89?IMH%+LGYTV2?U9h~CB{Z}8ZsjzA0-J( zGY)(}qX>^!fMF=ZxW5i5jYt+=DSN2=J&6OS0Ws}Mz4~gB(q8ykDKg<dnm&ApqcN}; zYYLDcp(#XROnt{cI6XhjSW2A+?90@VANNlo2vhF({V?0We<k>i-}yV;z<>3NL4QO1 zqkr<Ncq4D9L%Nrv1bH8K)_i`QIBR}~TsmuhHcXtg|L-*5BS}Lx;&60u$Q?gP*`KtV zIer*WvLVZ*>`%wP;$0TdjeihDe1QFba=3T!?$93wllqvx|93XGUY7j7wqCs4T<-rz zc^W$9sNM}aaVv(pbDTZ+4O6%lUjMPGB?}#oSLU2%N!aBZkt}+yu%sc%G#AhQ>Nt%C zoW1?u2Pckmad9yw!^jC}A_Swj8&Y+6EhI`6XFDtZ>1Y45KJF=DEDr*sI<bW!ow)Vl z;sSf@5I%68fdC&&$72{J0m-N-g>aR!<6eew&{m1E-;u-_(u@QoBW;uCbz(4HD|nHR 
zvvjTDSZ6W+g+>vBPb`fBR|3&!z)_qTLC|rmw7Dw33kRa-+yr2fX>2)M55n#Mx+FHC zbnuSsibgDfm|m;(P$DQ|LuLJ&nn{2Rm7MyH^Qy3%g$|J7|Mq6op(IIo-rA*lgUit@ zr4vM{UN(<ES<gx?jN))N8u5&#I&m<5mD4aF96AEWGRiXycm)|tL=(ShFs+!F$GK2_ zGK#ZsNQ)o}q1zAHMiW+Fy*WN<`fz|yg7{^8B1ah;;zixr+f(RLK~Tf4I3}+Pyzk>l zN{oob0yV`?F<wl>LlUE(Q2XFGrFbjK!;Esr@oaEgerxMT$CKmT5<h^Y^4GS%>2+vE zwttkZkdzFmm?D8B6nZR**tI-SbRvpZ{v7pG8ac=n2_yWb48+yuR#<~ZFkO~VG$0Sc zUXP-|EvH=#{Ms6NHm<EX&W!*H^M(X87SlmfnDN}eL7rE7R^e~?+`!@IL>>T-;$)P4 zYk0ombK~523qN<L@@<}f450UaZk!vqsDx?0n6dgWEe^DxJR?rwqAon{jFunxxq%D+ zLZzP9K^UIsQ(Z_cMogLV8<;<=^kWXD2GD=;LgKEPzHx5U+~8(Rq7gUY&cCzgU$v0V z+8XA?T1q}o=UGZVPvo)bter$~DxtlBY6d(Z2w^^hJQd>Oq2pvgFYc6U@nRh~rSRL4 zuJ*@j1Iwh0WldwlAmjgx(r+vl$e~sj(#jV%VL9s-a&{`i#~xZ`A-`5y#K#rOCp^e7 zWg4p`!+bK&l3_lP$ELHTq<)jhhoQ5RGY38@Hcov0RR@#GLRuLFp8&)B_bjBdwx;55 zFFEFud6pdWi99x;Erh0@CT`ae+Cq%|N5sUbk2#s#F_OPNY98lb|5$BUWxt=}CKB4S zM0&R@4<}FOS(4f(^4O%d9RGbHwH2gxo_O|;i<7m0UMwCX|6)Cl9cW?}0w1tZ6o8x= z>A$0gxt?cgOKEpR<18BM%H4uIeevu9Sc-!7gAY}Z+I^CcP8fw*xTLmE=vh+RC-T_T zwrlNG-^vV`+e0cMQ4nlNB1GFXMB@WfvSjY}t)#twlLleJLWVKAn^#wHfrZp<e7n*8 zn-<bpTl<(t+F5eVC-W@1<`a2rVml*JwoPp3h{FC&@l!p;Gs;|f7W{a=pzaqs5F?se zU?eP(Qeb%=>lnI(W9alTe!`qK>y{ZiT!&F)LZ}0Q0lU^_`c^t4A5JNS-#*$|82(so z=&TGljwZ}l$YOM}3o}1<^kr3Kavlvh${<BHD^90;K*V8<rYTF2w~{Eb1JQq#g?yNd z6&Lf(={I?1Eo3>Y^M#zBPXkPtB+ta5c8j^tKIW?0MIkoEn2q$=dxV%8qPL}<g_<C$ z0*?hs+!-ItLYi%-W8d;hq_1b+g$2l+pBW2T7xMH1ZlsTpO(1B@N9k8tjC+l)vXE9B z$egB53HWl6BcjUnzzz9Cs@g@&>`;vC1!5c+L^sTo+ZzWKt2np<lX0>H9$OJ%Wb@iB zK+fvIV@EkwMVVL%u}|k&3b9Y*u_<j$5SDs2as#sh$2>Yh);~9JVJu%S{&AMD3q43_ z4+YO!(%Gl;Ea~hMd2Bk1k|p;?Nk1h4%|+O<t^jU?U^-Qh<@xbghIqNA_(ryk6j};$ zJ{<MnBA2BlrMM7+qmhG!c!<4agOptZiIog2WI%k+GnOEgRG<S<r)*nUQ0Sn1*3=)Y zlcssqYQjI@1cP+;*DPEbwLhU}NoJqOW0TpMv~!chS(8RvhuecIl7<*0qncCun_hrT zPSE|G(#tzO)rBmj@T(i{4a}X;{u>Ob0BBhQbf@(A|AZx%M(xshZ^<#A%(LW}Pvj{W zwaaZfJ7&xcyw+E5<(M&wOg|nbPJIlatt2$7F}W<|9C1|)mG@*wPe;98_!&8_`LlST zN#VD{Lj6Bh8@fTRQgwY*B~#r(UefWbKqF=$6??p--^cxP>ABZJn!HVzTkyMBt!YEW 
zz;34r?S>?R5E%*Y4(O0@@udMqg_%byOqI7@+X2YN32h6g!?^DN1Uc_)YZpIV+)7a{ zBL{>WBGx4t4IBXanGBPNwjsb;e#jih3cNU@tCKulHi-i(nu6W3zGIF1Vf@)~GSZ*b ztZXMEeY=^K-`eq8UO+n`iM`gQm+ovkPBMz3V-|(onXuwy_r^eE^T(#5Nq&HG<jP)j zO~!l$!d?!Cn6nj`t$Sr%CMDoB!{SH1_bfY3DW`F^BH>YzP!14DQ!;h{!i>u74bvgj zNgSdva1C@U8xa)PfUo-T9Veijku|FwnGd2e0}^DsE)09}QV{PDqwtc7FJjNo&sj<! zjC(8{%8<V@;wQJ)LMDk2D7+V=Bu?TkRgHCM+i4i=vk|LN2<cfwi-wry35(nSYn8#C zaHj!s=n5hgShE3^gHpbMRH~4f^Q2Q}$ns#hH~ID?U_vEFIf<d0*DMr#Jz!jB>CXYo z;3JDhLt1ngTZf~bMlsiO*TL@QJ;ow+T@}qS2)TfhLogN-+Lh5mdC1~0?iV0-J=bwa zw@W#H#{xPF+&wG_Ll)$jP$t4%=;(x!;8PlA^aCyc5C5Lo*=hJUU7&}bUWbk&_`$4p zk4ZLAN%-_a28EVP0NH8itWifUdZVx$a$Xx?O>Aib8h|r^KsPYJw$-h{*&?$tSc{Qo zXAII#fU8-YmeTC84#%qTOFDi>k|d0gY82X1?@fGP*`_-3T+*?W1nWWxijQGD2?z;4 z>tG1(X>%<@?HW)UU<2C#Fp6<eNave*L&tI^*VYc@Xa!Uwj!xE}l-3**{{p8m4>8m^ z?nJcyumjd&h6V}uI&e0mkcC6aMFZC)#x2<wwKFE#Po=X>!Z;5*QJ9Tozj#SHpkd0( zb0O%pUfTxbSy<Fe;d{^X>Vp%jIk|geVo(trBo`t{GJjRMfFBa_*NB=3$N5@(`C`dw z$^_>IIy=v4+%?&mZf~8!po1jJN9_B)N*YGvtG3CBs-s08@1350`fze!CHqFD$<HYp zwjEo#l2iGHj!$T>_+`p;*#{$&k!g}7T9!Ubd76q{UefW@9#M2%utSymO)CbmS22H1 zLz^&}X)W!i;?|$KmjqQR*Z^W&;16eqr+)T16FW;3)9I2cc82X;J*r9erJI{o3)A;S z^_T|G+uU@UCdX5q3FAEdwHD~FrTUvQ|M|=Wx%aWi#P!8BIqC^Q)MIH^uuH~`J*rAH zi<f+YRN-YFrILb?h^86G_3E;ivxw>t=}3a32t#bcaIBJac|!ImE!D2;u9s$W*L4xs zS4u@!s@Ab4gANG-SgG&encm{(q6s0Y4k!jdCvo7zS)QY<J4#cj!H-6??U?;WKPN2B zz-ngq+3Mw}L%Ugom30<*RKoIvbg7A=nqvca4F2RS7U1o=UwlF9d<ze6T|w9gr#sKV z^8(ss0c|>U6VbZUM6~RQXg$nCw7$YbwCX29N4I~^WO(xKfW&>u9q0YV-ajbC#`0M{ X%V+s~m(TwM00960BE3)z0Ky9ZWKy3o literal 0 HcmV?d00001 diff --git a/assets/index.yaml b/assets/index.yaml index f844847fa..793fff2d4 100644 --- a/assets/index.yaml +++ b/assets/index.yaml 
@@ -68,6 +68,36 @@ entries:
 - assets/artifactory-ha/artifactory-ha-3.0.1400.tgz
 version: 3.0.1400
 artifactory-jcr:
+ - annotations:
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/release-name: artifactory-jcr
+ apiVersion: v1
+ appVersion: 7.12.5
+ created: "2021-02-26T18:58:09.545552572Z"
+ dependencies:
+ - name: artifactory
+ repository: https://charts.jfrog.io/
+ version: 11.7.4
+ description: JFrog Container Registry
+ digest: 148af8042991b7d031770887a8d64e034268c2e1e3eb03f55e13310a40cb2a60
+ home: https://jfrog.com/container-registry/
+ icon: https://raw.githubusercontent.com/jfrog/charts/master/stable/artifactory-jcr/logo/jcr-logo.png
+ keywords:
+ - artifactory
+ - jfrog
+ - container
+ - registry
+ - devops
+ - jfrog-container-registry
+ maintainers:
+ - email: helm@jfrog.com
+ name: Chart Maintainers at JFrog
+ name: artifactory-jcr
+ sources:
+ - https://github.com/jfrog/charts
+ urls:
+ - assets/artifactory-jcr/artifactory-jcr-3.4.000.tgz
+ version: 3.4.000
 - annotations:
 catalog.cattle.io/certified: partner
 catalog.cattle.io/release-name: artifactory-jcr
@@ -579,4 +609,4 @@ entries:
 urls:
 - assets/sysdig/sysdig-1.9.200.tgz
 version: 1.9.200
-generated: "2021-02-26T18:55:48.743664584Z"
+generated: "2021-02-26T18:58:09.533084638Z"
diff --git a/charts/artifactory-jcr/CHANGELOG.md b/charts/artifactory-jcr/CHANGELOG.md
index 3a5fb161c..f56a5d644 100644
--- a/charts/artifactory-jcr/CHANGELOG.md
+++ b/charts/artifactory-jcr/CHANGELOG.md
@@ -1,6 +1,37 @@ # JFrog Container Registry Chart Changelog All changes to this chart will be documented in this file. +## [3.4.0] - Jan 4, 2020 +* Update dependency Artifactory chart version to 11.7.4 (Artifactory 7.12.5) + +## [3.3.1] - Dec 1, 2020 +* Update dependency Artifactory chart version to 11.5.4 (Artifactory 7.11.5) + +## [3.3.0] - Nov 23, 2020 +* Update dependency Artifactory chart version to 11.5.2 (Artifactory 7.11.2) + +## [3.2.2] - Nov 9, 2020 +* Update dependency Artifactory chart version to 11.4.5 (Artifactory 7.10.6) + +## [3.2.1] - Nov 2, 2020 +* Update dependency Artifactory chart version to 11.4.4 (Artifactory 7.10.5) + +## [3.2.0] - Oct 19, 2020 +* Update dependency Artifactory chart version to 11.4.0 (Artifactory 7.10.2) + +## [3.1.0] - Sep 30, 2020 +* Update dependency Artifactory chart version to 11.1.0 (Artifactory 7.9.0) + +## [3.0.2] - Sep 23, 2020 +* Updates readme + +## [3.0.1] - Sep 15, 2020 +* Update dependency Artifactory chart version to 11.0.1 (Artifactory 7.7.8) + +## [3.0.0] - Sep 14, 2020 +* **Breaking change:** Added `image.registry` and changed `image.version` to `image.tag` for docker images +* Update dependency Artifactory chart version to 11.0.0 (Artifactory 7.7.3) + ## [2.5.1] - Jul 29, 2020 * Update dependency Artifactory chart version to 10.0.12 (Artifactory 7.6.3) diff --git a/charts/artifactory-jcr/Chart.yaml b/charts/artifactory-jcr/Chart.yaml index 69277215b..4fc8d1cd5 100644 --- a/charts/artifactory-jcr/Chart.yaml +++ b/charts/artifactory-jcr/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v1 -appVersion: 7.6.3 +appVersion: 7.12.5 description: JFrog Container Registry home: https://jfrog.com/container-registry/ icon: https://raw.githubusercontent.com/jfrog/charts/master/stable/artifactory-jcr/logo/jcr-logo.png 
@@ -11,22 +11,12 @@ keywords: - devops - jfrog-container-registry maintainers: -- email: amithk@jfrog.com - name: amithins -- email: daniele@jfrog.com - name: danielezer -- email: eldada@jfrog.com - name: eldada -- email: ramc@jfrog.com - name: chukka -- email: rimasm@jfrog.com - name: rimusz -- email: vinaya@jfrog.com - name: vinaya +- email: helm@jfrog.com + name: Chart Maintainers at JFrog name: artifactory-jcr sources: - https://github.com/jfrog/charts -version: 2.5.100 +version: 3.4.000 annotations: catalog.cattle.io/certified: partner catalog.cattle.io/release-name: artifactory-jcr diff --git a/charts/artifactory-jcr/README.md b/charts/artifactory-jcr/README.md index f043782da..f573c93fe 100644 --- a/charts/artifactory-jcr/README.md +++ b/charts/artifactory-jcr/README.md @@ -2,6 +2,8 @@ JFrog Container Registry is a free Artifactory edition with Docker and Helm repositories support. +**Heads up: Our Helm Chart docs are moving to our main documentation site. For Artifactory installers, see [Installing Artifactory](https://www.jfrog.com/confluence/display/JFROG/Installing+Artifactory).** + ## Prerequisites Details * Kubernetes 1.12+ @@ -28,7 +30,7 @@ helm repo update ### Install Chart To install the chart with the release name `jfrog-container-registry`: ```bash -helm upgrade --install jfrog-container-registry --set postgresql.postgresqlPassword=<postgres_password> --namespace artifactory-jcr center/jfrog/artifactory-jcr +helm upgrade --install jfrog-container-registry --set artifactory.postgresql.postgresqlPassword=<postgres_password> --namespace artifactory-jcr center/jfrog/artifactory-jcr ``` ### Accessing JFrog Container Registry 
@@ -40,6 +42,24 @@ Once you have a new chart version, you can upgrade your deployment with helm upgrade jfrog-container-registry center/jfrog/artifactory-jcr ``` +### Special Upgrade Notes +#### Artifactory upgrade from 6.x to 7.x (App Version) +Arifactory 6.x to 7.x upgrade requires a one time migration process. This is done automatically on pod startup if needed. +It's possible to configure the migration timeout with the following configuration in extreme cases. The provided default should be more than enough for completion of the migration. +```yaml +artifactory: + artifactory: + # Migration support from 6.x to 7.x + migration: + enabled: true + timeoutSeconds: 3600 +``` +* Note: If you are upgrading from 1.x to 3.x and above chart versions, please delete the existing statefulset of postgresql before upgrading the chart due to breaking changes in postgresql subchart. +```bash +kubectl delete statefulsets <OLD_RELEASE_NAME>-postgresql +``` +* For more details about artifactory chart upgrades refer [here](https://github.com/jfrog/charts/blob/master/stable/artifactory/UPGRADE_NOTES.md) + ### Deleting JFrog Container Registry On helm v2: 
@@ -61,29 +81,7 @@ kubectl delete pv ... ## Database The JFrog Container Registry chart comes with PostgreSQL deployed by default.<br> -For details on the PostgreSQL configuration or customising the database, Look at the options described in the [Artifactory helm chart](https://github.com/jfrog/charts/tree/master/stable/artifactory). - -## Configuration -The following table lists the **basic** configurable parameters of the JFrog Container Registry chart and their default values. - -**NOTE:** All supported parameters are documented in the main [artifactory helm chart](https://github.com/jfrog/charts/tree/master/stable/artifactory). - -| Parameter | Description | Default | -|------------------------------------------------|-----------------------------------|---------------------------------------------------| -| `artifactory.artifactory.image.repository` | Container image | `docker.bintray.io/jfrog/artifactory-jcr` | -| `artifactory.artifactory.image.version` | Container tag | `.Chart.AppVersion` | -| `artifactory.artifactory.resources` | Artifactory container resources | `{}` | -| `artifactory.artifactory.javaOpts` | Artifactory Java options | `{}` | -| `artifactory.nginx.enabled` | Deploy nginx server | `true` | -| `artifactory.nginx.service.type` | Nginx service type | `LoadBalancer` | -| `artifactory.nginx.tlsSecretName` | TLS secret for Nginx pod | `` | -| `artifactory.ingress.enabled` | Enable Ingress (should come with `artifactory.nginx.enabled=false`) | `false` | -| `artifactory.ingress.tls` | Ingress TLS configuration (YAML) | `[]` | -| `artifactory.postgresql.enabled` | Use the Artifactory PostgreSQL sub chart | `true` | -| `artifactory.database` | Custom database configuration (if not using bundled PostgreSQL sub-chart) | | -| `postgresql.enabled` | Enable the Artifactory PostgreSQL sub chart | `true` | - -Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. 
+For details on the PostgreSQL configuration or customising the database, Look at the options described in the [Artifactory helm chart](https://github.com/jfrog/charts/tree/master/stable/artifactory). ### Ingress and TLS To get Helm to create an ingress object with a hostname, add these two lines to your Helm command: diff --git a/charts/artifactory-jcr/charts/artifactory/CHANGELOG.md b/charts/artifactory-jcr/charts/artifactory/CHANGELOG.md index ae2651280..9a35fa0e6 100644 --- a/charts/artifactory-jcr/charts/artifactory/CHANGELOG.md +++ b/charts/artifactory-jcr/charts/artifactory/CHANGELOG.md 
@@ -1,6 +1,156 @@ # JFrog Artifactory Chart Changelog All changes to this chart will be documented in this file. +## [11.7.4] - Jan 04, 2020 +* Fixed gid support for statefulset + +## [11.7.3] - Dec 31, 2020 +* Added gid support for statefulset +* Add setSecurityContext flag to allow securityContext block to be removed from artifactory statefulset + +## [11.7.2] - Dec 29, 2020 +* **Important:** Removed `.Values.metrics` and `.Values.fluentd` (Fluentd and Prometheus integrations) +* Add support for creating additional kubernetes resources - [refer here](https://github.com/jfrog/log-analytics-prometheus/blob/master/artifactory-values.yaml) +* Updated Artifactory version to 7.12.5 + +## [11.7.1] - Dec 21, 2020 +* Updated Artifactory version to 7.12.3 + +## [11.7.0] - Dec 18, 2020 +* Updated Artifactory version to 7.12.2 +* Added `.Values.artifactory.openMetrics.enabled` + +## [11.6.1] - Dec 11, 2020 +* Added configurable `.Values.global.versions.artifactory` in values.yaml + +## [11.6.0] - Dec 10, 2020 +* Update postgresql tag version to `12.5.0-debian-10-r25` +* Fixed `artifactory.persistence.googleStorage.endpoint` from `storage.googleapis.com` to `commondatastorage.googleapis.com` +* Updated chart maintainers email + +## [11.5.5] - Dec 4, 2020 +* **Important:** Renamed `.Values.systemYaml` to `.Values.systemYamlOverride` + +## [11.5.4] - Dec 1, 2020 +* Improve error message returned when attempting helm upgrade command + +## [11.5.3] - Nov 30, 2020 +* Updated Artifactory version to 7.11.5 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.11) + +## [11.5.2] - Nov 23, 2020 +* Updated Artifactory version to 7.11.2 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.11) +* Updated port namings on services and pods to allow for istio protocol discovery +* Change semverCompare checks to support hosted Kubernetes +* Add 
flag to disable creation of ServiceMonitor when enabling prometheus metrics +* Prevent the PostHook command to be executed if the user did not specify a command in the values file +* Fix issue with tls file generation when nginx.https.enabled is false + +## [11.5.1] - Nov 19, 2020 +* Updated Artifactory version to 7.11.2 +* Bugfix - access.config.import.xml override Access Federation configurations + +## [11.5.0] - Nov 17, 2020 +* Updated Artifactory version to 7.11.1 +* Update alpine tag version to `3.12.1` + +## [11.4.6] - Nov 10, 2020 +* Pass system.yaml via external secret for advanced usecases +* Added support for custom ingress +* Bugfix - stateful set not picking up changes to database secrets + +## [11.4.5] - Nov 9, 2020 +* Updated Artifactory version to 7.10.6 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.10.6) + +## [11.4.4] - Nov 2, 2020 +* Add enablePathStyleAccess property for aws-s3-v3 binary provider template + +## [11.4.3] - Nov 2, 2020 +* Updated Artifactory version to 7.10.5 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.10.5) + +## [11.4.2] - Oct 22, 2020 +* Chown bug fix where Linux capability cannot chown all files causing log line warnings +* Fix Frontend timeout linting issue + +## [11.4.1] - Oct 20, 2020 +* Add flag to disable prepare-custom-persistent-volume init container + +## [11.4.0] - Oct 19, 2020 +* Updated Artifactory version to 7.10.2 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.10.2) + +## [11.3.2] - Oct 15, 2020 +* Add support to specify priorityClassName for nginx deployment + +## [11.3.1] - Oct 9, 2020 +* Add support for customInitContainersBegin + +## [11.3.0] - Oct 7, 2020 +* Updated Artifactory version to 7.9.1 +* **Breaking change:** Fix `storageClass` to correct `storageClassName` 
in values.yaml + +## [11.2.0] - Oct 5, 2020 +* Expose Prometheus metrics via a ServiceMonitor +* Parse log files for metric data with Fluentd + +## [11.1.0] - Sep 30, 2020 +* Updated Artifactory version to 7.9.0 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.9) +* Added support for resources in init container + +## [11.0.11] - Sep 25, 2020 +* Update to use linux capability CAP_CHOWN instead of root base init container to avoid any use of root containers to pass Redhat security requirements + +## [11.0.10] - Sep 28, 2020 +* Setting chart coordinates in migitation yaml + +## [11.0.9] - Sep 25, 2020 +* Update filebeat version to `7.9.2` + +## [11.0.8] - Sep 24, 2020 +* Fixed broken issue - when setting `waitForDatabase: false` container startup still waits for DB + +## [11.0.7] - Sep 22, 2020 +* Readme updates + +## [11.0.6] - Sep 22, 2020 +* Fix lint issue in migitation yaml + +## [11.0.5] - Sep 22, 2020 +* Fix broken migitation yaml + +## [11.0.4] - Sep 21, 2020 +* Added mitigation yaml for Artifactory - [More info](https://github.com/jfrog/chartcenter/blob/master/docs/securitymitigationspec.md) + +## [11.0.3] - Sep 17, 2020 +* Added configurable session(UI) timeout in frontend microservice + +## [11.0.2] - Sep 17, 2020 +* Added proper required text to be shown while postgres upgrades + +## [11.0.1] - Sep 14, 2020 +* Updated Artifactory version to 7.7.8 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.7.8) + +## [11.0.0] - Sep 2, 2020 +* **Breaking change:** Changed `imagePullSecrets`values from string to list. 
+* **Breaking change:** Added `image.registry` and changed `image.version` to `image.tag` for docker images +* Added support for global values +* Updated maintainers in chart.yaml +* Update postgresql tag version to `12.3.0-debian-10-r71` +* Update postgresql chart version to `9.3.4` in requirements.yaml - [9.x Upgrade Notes](https://github.com/bitnami/charts/tree/master/bitnami/postgresql#900) +* **IMPORTANT** +* If this is a new deployment or you already use an external database (`postgresql.enabled=false`), these changes **do not affect you**! +* If this is an upgrade and you are using the default PostgreSQL (`postgresql.enabled=true`), you need to pass previous 9.x/10.x's postgresql.image.tag and databaseUpgradeReady=true + +## [10.1.0] - Aug 13, 2020 +* Updated Artifactory version to 7.7.3 - [Release Notes](https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes#ArtifactoryReleaseNotes-Artifactory7.7) + +## [10.0.15] - Aug 10, 2020 +* Added enableSignedUrlRedirect for persistent storage type aws-s3-v3. + +## [10.0.14] - Jul 31, 2020 +* Update the README section on Nginx SSL termination to reflect the actual YAML structure. + +## [10.0.13] - Jul 30, 2020 +* Added condition to disable the migration scripts. + ## [10.0.12] - Jul 28, 2020 * Document Artifactory node affinity. diff --git a/charts/artifactory-jcr/charts/artifactory/Chart.yaml b/charts/artifactory-jcr/charts/artifactory/Chart.yaml index 2a3ddf048..4f98e28e3 100644 --- a/charts/artifactory-jcr/charts/artifactory/Chart.yaml +++ b/charts/artifactory-jcr/charts/artifactory/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v1 -appVersion: 7.6.3 +appVersion: 7.12.5 description: Universal Repository Manager supporting all major packaging formats, build tools and CI servers. home: https://www.jfrog.com/artifactory/ 
@@ -9,18 +9,10 @@ keywords: - jfrog - devops maintainers: -- email: amithk@jfrog.com - name: amithins -- email: daniele@jfrog.com - name: danielezer -- email: eldada@jfrog.com - name: eldada -- email: ramc@jfrog.com - name: chukka -- email: rimasm@jfrog.com - name: rimusz +- email: installers@jfrog.com + name: Chart Maintainers at JFrog name: artifactory sources: - https://bintray.com/jfrog/product/JFrog-Artifactory-Pro/view - https://github.com/jfrog/charts -version: 10.0.12 +version: 11.7.4 diff --git a/charts/artifactory-jcr/charts/artifactory/README.md b/charts/artifactory-jcr/charts/artifactory/README.md index 25fadc7f4..9c7551c92 100644 --- a/charts/artifactory-jcr/charts/artifactory/README.md +++ b/charts/artifactory-jcr/charts/artifactory/README.md @@ -1,5 +1,7 @@ # JFrog Artifactory Helm Chart +**Heads up: Our Helm Chart docs are moving to our main documentation site. For Artifactory installers, see [Installing Artifactory](https://www.jfrog.com/confluence/display/JFROG/Installing+Artifactory).** + ## Prerequisites Details * Kubernetes 1.12+ @@ -78,8 +80,13 @@ It's possible to configure the migration timeout with the following configuratio artifactory: # Migration support from 6.x to 7.x migration: + enabled: true timeoutSeconds: 3600 ``` +* Note: If you are upgrading from 8.x to 11.x and above chart versions, please delete the existing statefulset of postgresql before upgrading the chart due to breaking changes in postgresql subchart. +```bash +kubectl delete statefulsets <OLD_RELEASE_NAME>-postgresql +``` ### Artifactory memory and CPU resources The Artifactory Helm chart comes with support for configured resource requests and limits to Artifactory, Nginx and PostgreSQL. By default, these settings are commented out. 
@@ -227,6 +234,13 @@ Use this template if you want to attach an IAM role to the Artifactory pod direc ... ``` +To enable [Direct Cloud Storage Download](https://www.jfrog.com/confluence/display/JFROG/Direct+Cloud+Storage+Download#DirectCloudStorageDownload-1.ConfiguretheArtifactoryFilestore) +```bash +... +--set artifactory.persistence.awsS3V3.enableSignedUrlRedirect=true \ +... +``` + #### Microsoft Azure Blob Storage To use Azure Blob Storage as the cluster's filestore. See [Azure Blob Storage Binary Provider](https://www.jfrog.com/confluence/display/RTF/Configuring+the+Filestore#ConfiguringtheFilestore-AzureBlobStorageClusterBinaryProvider) - Pass Azure Blob Storage parameters to `helm install` and `helm upgrade` @@ -926,16 +940,16 @@ and use it with you helm install/upgrade: helm upgrade --install artifactory -f filebeat.yaml --namespace artifactory center/jfrog/artifactory ``` -### Install Artifactory HA with Nginx and Terminate SSL in Nginx Service(LoadBalancer). +### Install Artifactory with Nginx and Terminate SSL in Nginx Service(LoadBalancer). To install the helm chart with performing SSL offload in the LoadBalancer layer of Nginx For Ex: Using AWS ACM certificates to do SSL offload in the loadbalancer layer. In order to do that, simply add the following to a `artifactory-ssl-values.yaml` file: ```yaml nginx: - ssloffload: true https: enabled: false service: + ssloffload: true annotations: service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:xx-xxxx:xxxxxxxx:certificate/xxxxxxxxxxxxx" service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http" 
@@ -1097,17 +1111,16 @@ artifactory: secretName: <CUSTOM_SECRET> ``` - ### Ingress behind another load balancer If you are running a load balancer, that is used to offload the TLS, in front of Nginx Ingress Controller, or if you are setting **X-Forwarded-*** headers, you might want to enable **'use-forwarded-headers=true'** option. Otherwise nginx will be filling those headers with the request information it receives from the external load balancer. To enable it with `helm install` ```bash -helm upgrade --install nginx-ingress --namespace nginx-ingress stable/nginx-ingress --set-string controller.config.use-forwarded-headers=true +helm upgrade --install nginx-ingress --namespace nginx-ingress center/kubernetes-ingress-nginx/ingress-nginx --set-string controller.config.use-forwarded-headers=true ``` or `helm upgrade` ```bash -helm upgrade nginx-ingress --set-string controller.config.use-forwarded-headers=true stable/nginx-ingress +helm upgrade nginx-ingress --set-string controller.config.use-forwarded-headers=true center/kubernetes-ingress-nginx/ingress-nginx ``` or create a values.yaml file with the following content: ```yaml 
@@ -1117,315 +1130,22 @@ controller: ``` Then install nginx-ingress with the values file you created: ```bash -helm upgrade --install nginx-ingress --namespace nginx-ingress stable/nginx-ingress -f values.yaml +helm upgrade --install nginx-ingress --namespace nginx-ingress center/kubernetes-ingress-nginx/ingress-nginx -f values.yaml ``` This will start sending your Artifactory logs to the log aggregator of your choice, based on your configuration in the `filebeatYml` +### Log Analytics -## Configuration -The following table lists the configurable parameters of the artifactory chart and their default values. +#### FluentD, Prometheus and Grafana -| Parameter | Description | Default | -|---------------------------|-----------------------------------|----------------------------------------------------------| -| `imagePullSecrets` | Docker registry pull secret | | -| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` | -| `serviceAccount.name` | The name of the ServiceAccount to create | Generated using the fullname template | -| `serviceAccount.annotations` | Artifactory service account annotations | `` | -| `rbac.create` | Specifies whether RBAC resources should be created | `true` | -| `rbac.role.rules` | Rules to create | `[]` | -| `logger.image.repository` | repository for logger image | `busybox` | -| `logger.image.tag` | tag for logger image | `1.30` | -| `artifactory.name` | Artifactory name | `artifactory` | -| `artifactory.replicaCount` | Replica count for Artifactory deployment| `1` | -| `artifactory.image.pullPolicy` | Container pull policy | `IfNotPresent` | -| `artifactory.image.repository` | Container image | `docker.bintray.io/jfrog/artifactory-pro` | -| `artifactory.image.version` | Container tag | `.Chart.AppVersion` | -| `artifactory.labels` | Artifactory labels | `{}` | -| `artifactory.priorityClass.create` | Create a PriorityClass object | `false` | -| `artifactory.priorityClass.value` | Priority Class value | 
`1000000000` | -| `artifactory.priorityClass.name` | Priority Class name | `{{ template "artifactory.fullname" . }}` | -| `artifactory.priorityClass.existingPriorityClass` | Use existing priority class | `` | -| `artifactory.loggers` | Artifactory loggers (see values.yaml for possible values) | `[]` | -| `artifactory.loggersResources.requests.memory` | Artifactory loggers initial memory request | | -| `artifactory.loggersResources.requests.cpu` | Artifactory loggers initial cpu request | | -| `artifactory.loggersResources.limits.memory` | Artifactory loggers memory limit | | -| `artifactory.loggersResources.limits.cpu` | Artifactory loggers cpu limit | | -| `artifactory.catalinaLoggers` | Artifactory Tomcat loggers (see values.yaml for possible values) | `[]` | -| `artifactory.catalinaLoggersResources.requests.memory` | Artifactory Tomcat loggers initial memory request | | -| `artifactory.catalinaLoggersResources.requests.cpu` | Artifactory Tomcat loggers initial cpu request | | -| `artifactory.catalinaLoggersResources.limits.memory` | Artifactory Tomcat loggers memory limit | | -| `artifactory.catalinaLoggersResources.limits.cpu` | Artifactory Tomcat loggers cpu limit | | -| `artifactory.customInitContainers`| Custom init containers | | -| `artifactory.customSidecarContainers`| Custom sidecar containers | | -| `artifactory.customVolumes` | Custom volumes | | -| `artifactory.customVolumeMounts` | Custom Artifactory volumeMounts | | -| `artifactory.customSecrets` | Custom secrets | | -| `artifactory.customPersistentPodVolumeClaim` | Custom PVC spec to create and attach a unique PVC for each pod on startup with the volumeClaimTemplates feature in StatefulSet | | -| `artifactory.customPersistentVolumeClaim` | Custom PVC spec to be mounted to the all artifactory containers using a volume | | -| `artifactory.userPluginSecrets` | Array of secret names for Artifactory user plugins | | -| `artifactory.license.licenseKey` | Artifactory license key. 
Providing the license key as a parameter will cause a secret containing the license key to be created as part of the release. Use either this setting or the license.secret and license.dataKey. If you use both, the latter will be used. | | -| `artifactory.configMaps` | configMaps to be created as volume by the name `artifactory-configmaps`. In order to use these configMaps, you will need to add `customVolumeMounts` to point to the created volume and mount it onto a container | | -| `artifactory.license.secret` | Artifactory license secret name | | -| `artifactory.license.dataKey`| Artifactory license secret data key | | -| `artifactory.service.name`| Artifactory service name to be set in Nginx configuration | `artifactory` | -| `artifactory.service.type`| Artifactory service type | `ClusterIP` | -| `artifactory.service.loadBalancerSourceRanges`| Artifactory service array of IP CIDR ranges to whitelist (only when service type is LoadBalancer) | | -| `artifactory.service.annotations` | Artifactory service annotations | `{}` | -| `artifactory.externalPort` | Artifactory router service external port | `8082` | -| `artifactory.internalPort` | Artifactory router service internal port (**DO NOT** use port lower than 1024) | `8082` | -| `artifactory.internalArtifactoryPort` | Artifactory service internal port (**DO NOT** use port lower than 1024) | `8081` | -| `artifactory.externalArtifactoryPort` | Artifactory service external port | `8081` | -| `artifactory.livenessProbe.enabled` | Enable liveness probe | `true` | -| `artifactory.livenessProbe.path` | Liveness probe HTTP Get path | `/router/api/v1/system/health` | -| `artifactory.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 180 | -| `artifactory.livenessProbe.periodSeconds` | How often to perform the probe | 10 | -| `artifactory.livenessProbe.timeoutSeconds` | When the probe times out | 10 | -| `artifactory.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to 
be considered successful after having failed. | 1 | -| `artifactory.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 10 | -| `artifactory.masterKey` | Artifactory Master Key. A 128-Bit key size (hexadecimal encoded) string (32 hex characters). Can be generated with `openssl rand -hex 32`. NOTE: This key is generated only once and cannot be updated once created | `` | -| `artifactory.masterKeySecretName` | Artifactory Master Key secret name | | -| `artifactory.joinKey` | Join Key to connect other services to Artifactory. Can be generated with `openssl rand -hex 32` | `` | -| `artifactory.joinKeySecretName` | Artifactory join Key secret name | | -| `artifactory.admin.ip` | Artifactory admin ip to be set upon startup, can use (*) for 0.0.0.0| `127.0.0.1` | -| `artifactory.admin.username` | Artifactory admin username to be set upon startup| `admin` | -| `artifactory.admin.password` | Artifactory admin password to be set upon startup| | -| `artifactory.admin.secret` | Artifactory admin secret name | | -| `artifactory.admin.dataKey` | Artifactory admin secret data key | | -| `artifactory.preStartCommand` | Command to run before entrypoint starts | | -| `artifactory.postStartCommand` | Command to run after container starts. Supports templating with `tpl` | | -| `artifactory.extraEnvironmentVariables` | Extra environment variables to pass to Artifactory. Supports evaluating strings as templates via the [`tpl`](https://helm.sh/docs/charts_tips_and_tricks/#using-the-tpl-function) function. 
See [documentation](https://www.jfrog.com/confluence/display/RTF/Installing+with+Docker#InstallingwithDocker-SupportedEnvironmentVariables) | | -| `artifactory.readinessProbe.enabled` | would you like a readinessProbe to be enabled | `true` | -| `artifactory.readinessProbe.path` | Readiness probe HTTP Get path | `/router/api/v1/system/health` | -| `artifactory.readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | 180 | -| `artifactory.readinessProbe.periodSeconds` | How often to perform the probe | 10 | -| `artifactory.readinessProbe.timeoutSeconds` | When the probe times out | 10 | -| `artifactory.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | 1 | -| `artifactory.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 10 | -| `artifactory.deleteDBPropertiesOnStartup` | Whether to delete the ARTIFACTORY_HOME/etc/db.properties file on startup. Disabling this will remove the ability for the db.properties to be updated with any DB-related environment variables change (e.g. 
DB_HOST, DB_URL) | `true` | -| `artifactory.database.maxOpenConnections` | Maximum amount of open connections from Artifactory to the DB | `80` | -| `artifactory.copyOnEveryStartup` | List of files to copy on startup from source (which is absolute) to target (which is relative to ARTIFACTORY_HOME | | -| `artifactory.migration.timeoutSeconds` | Artifactory migration Maximum Timeout in seconds| `3600` | -| `artifactory.migration.enabled` | Artifactory migration enabled or disabled | `true` | -| `artifactory.persistence.mountPath` | Artifactory persistence volume mount path | `"/var/opt/jfrog/artifactory"` | -| `artifactory.persistence.enabled` | Artifactory persistence volume enabled | `true` | -| `artifactory.persistence.existingClaim` | Artifactory persistence volume claim name | | -| `artifactory.persistence.accessMode` | Artifactory persistence volume access mode | `ReadWriteOnce` | -| `artifactory.persistence.size` | Artifactory persistence or local volume size | `20Gi` | -| `artifactory.persistence.binarystore.enabled` | whether you want to mount the binarystore.xml file from a secret created by the chart. If `false` you will need need to get the binarystore.xml file into the file-system from either an `initContainer` or using a `preStartCommand` | `true` | -| `artifactory.persistence.binarystoreXml` | Artifactory binarystore.xml template | See `values.yaml` | -| `artifactory.persistence.customBinarystoreXmlSecret` | A custom Secret for binarystore.xml | `` | -| `artifactory.persistence.maxCacheSize` | The maximum storage allocated for the cache in bytes. | `50000000000` | -| `artifactory.persistence.cacheProviderDir` | the root folder of binaries for the filestore cache. If the value specified starts with a forward slash ("/") it is considered the fully qualified path to the filestore folder. Otherwise, it is considered relative to the *baseDataDir*. 
| `cache` | -| `artifactory.persistence.type` | Artifactory HA storage type | `file-system` | -| `artifactory.persistence.redundancy` | Artifactory HA storage redundancy | `3` | -| `artifactory.persistence.nfs.ip` | NFS server IP | | -| `artifactory.persistence.nfs.haDataMount` | NFS data directory | `/data` | -| `artifactory.persistence.nfs.haBackupMount` | NFS backup directory | `/backup` | -| `artifactory.persistence.nfs.dataDir` | HA data directory | `/var/opt/jfrog/artifactory` | -| `artifactory.persistence.nfs.backupDir` | HA backup directory | `/var/opt/jfrog/artifactory-backup` | -| `artifactory.persistence.nfs.capacity` | NFS PVC size | `200Gi` | -| `artifactory.persistence.fileSystem.cache.enabled` | Enable Artifactory cache when using the file-system persistence type | `false` | -| `artifactory.persistence.eventual.numberOfThreads` | Eventual number of threads | `10` | -| `artifactory.persistence.googleStorage.endpoint` | Google Storage API endpoint| `storage.googleapis.com` | -| `artifactory.persistence.googleStorage.httpsOnly` | Google Storage API has to be consumed https only| `false` | -| `artifactory.persistence.googleStorage.bucketName` | Google Storage bucket name | `artifactory` | -| `artifactory.persistence.googleStorage.identity` | Google Storage service account id | | -| `artifactory.persistence.googleStorage.credential` | Google Storage service account key | | -| `artifactory.persistence.googleStorage.path` | Google Storage path in bucket | `artifactory/filestore` | -| `artifactory.persistence.googleStorage.bucketExists`| Google Storage bucket exists therefore does not need to be created.| `false` | -| `artifactory.persistence.awsS3.bucketName` | AWS S3 bucket name | `artifactory-aws` | -| `artifactory.persistence.awsS3.endpoint` | AWS S3 bucket endpoint | See https://docs.aws.amazon.com/general/latest/gr/rande.html | -| `artifactory.persistence.awsS3.region` | AWS S3 bucket region | | -| `artifactory.persistence.awsS3.roleName` | AWS S3 IAM 
role name | | -| `artifactory.persistence.awsS3.identity` | AWS S3 AWS_ACCESS_KEY_ID | | -| `artifactory.persistence.awsS3.credential` | AWS S3 AWS_SECRET_ACCESS_KEY | | -| `artifactory.persistence.awsS3.properties` | AWS S3 additional properties | | -| `artifactory.persistence.awsS3.path` | AWS S3 path in bucket | `artifactory/filestore` | -| `artifactory.persistence.awsS3.refreshCredentials` | AWS S3 renew credentials on expiration | `true` (When roleName is used, this parameter will be set to true) | -| `artifactory.persistence.awsS3.httpsOnly` | AWS S3 https access to the bucket only | `true` | -| `artifactory.persistence.awsS3.testConnection` | AWS S3 test connection on start up | `false` | -| `artifactory.persistence.awsS3.s3AwsVersion` | AWS S3 signature version | `AWS4-HMAC-SHA256` | -| `artifactory.persistence.awsS3V3.testConnection` | AWS S3 test connection on start up | `false` | -| `artifactory.persistence.awsS3V3.identity` | AWS S3 AWS_ACCESS_KEY_ID | | -| `artifactory.persistence.awsS3V3.credential` | AWS S3 AWS_SECRET_ACCESS_KEY | | -| `artifactory.persistence.awsS3V3.region` | AWS S3 bucket region | | -| `artifactory.persistence.awsS3V3.bucketName` | AWS S3 bucket name | `artifactory-aws` | -| `artifactory.persistence.awsS3V3.path` | AWS S3 path in bucket | `artifactory/filestore` | -| `artifactory.persistence.awsS3V3.endpoint` | AWS S3 bucket endpoint | See https://docs.aws.amazon.com/general/latest/gr/rande.html | -| `artifactory.persistence.awsS3V3.maxConnections` | AWS S3 bucket maxConnections | `50` | -| `artifactory.persistence.awsS3V3.kmsServerSideEncryptionKeyId` | AWS S3 encryption key ID or alias | | -| `artifactory.persistence.awsS3V3.kmsKeyRegion` | AWS S3 KMS Key region | | -| `artifactory.persistence.awsS3V3.kmsCryptoMode` | AWS S3 KMS encryption mode | See https://www.jfrog.com/confluence/display/RTF/Configuring+the+Filestore#ConfiguringtheFilestore-AmazonS3OfficialSDKTemplate | -| 
`artifactory.persistence.awsS3V3.useInstanceCredentials` | AWS S3 Use default authentication mechanism | See https://www.jfrog.com/confluence/display/RTF/Configuring+the+Filestore#ConfiguringtheFilestore-authentication | -| `artifactory.persistence.awsS3V3.usePresigning` | AWS S3 Use URL signing | `false` | -| `artifactory.persistence.awsS3V3.signatureExpirySeconds` | AWS S3 Validity period in seconds for signed URLs | `300` | -| `artifactory.persistence.awsS3V3.cloudFrontDomainName` | AWS CloudFront domain name | See https://www.jfrog.com/confluence/display/RTF/Direct+Cloud+Storage+Download#DirectCloudStorageDownload-UsingCloudFront(Optional)| -| `artifactory.persistence.awsS3V3.cloudFrontKeyPairId` | AWS CloudFront key pair ID | See https://www.jfrog.com/confluence/display/RTF/Direct+Cloud+Storage+Download#DirectCloudStorageDownload-UsingCloudFront(Optional)| -| `artifactory.persistence.awsS3V3.cloudFrontPrivateKey` | AWS CloudFront private key | See https://www.jfrog.com/confluence/display/RTF/Direct+Cloud+Storage+Download#DirectCloudStorageDownload-UsingCloudFront(Optional)| -| `artifactory.persistence.azureBlob.accountName` | Azure Blob Storage account name | `` | -| `artifactory.persistence.azureBlob.accountKey` | Azure Blob Storage account key | `` | -| `artifactory.persistence.azureBlob.endpoint` | Azure Blob Storage endpoint | `` | -| `artifactory.persistence.azureBlob.containerName` | Azure Blob Storage container name | `` | -| `artifactory.persistence.azureBlob.testConnection` | Azure Blob Storage test connection | `false` | -| `artifactory.resources.requests.memory` | Artifactory initial memory request | | -| `artifactory.resources.requests.cpu` | Artifactory initial cpu request | | -| `artifactory.resources.limits.memory` | Artifactory memory limit | | -| `artifactory.resources.limits.cpu` | Artifactory cpu limit | | -| `artifactory.javaOpts.xms` | Artifactory java Xms size | | -| `artifactory.javaOpts.xmx` | Artifactory java Xms size | | -| 
`artifactory.javaOpts.corePoolSize` | The number of async processes that can run in parallel - https://jfrog.com/knowledge-base/how-do-i-tune-artifactory-for-heavy-loads/ | `8` | -| `artifactory.javaOpts.jmx.enabled` | Enable JMX monitoring | `false` | -| `artifactory.javaOpts.jmx.port` | JMX Port number | `9010` | -| `artifactory.javaOpts.jmx.host` | JMX hostname (parsed as a helm template) | `{{ template "artifactory.fullname" $ }}` | -| `artifactory.javaOpts.jmx.ssl` | Enable SSL | `false` | -| `artifactory.javaOpts.jmx.authenticate` | Enable JMX authentication | `false` | -| `artifactory.javaOpts.jmx.accessFile` | The path to the JMX access file, when JMX authentication is enabled | | -| `artifactory.javaOpts.jmx.passwordFile` | The path to the JMX password file, when JMX authentication is enabled | | -| `artifactory.javaOpts.other` | Artifactory additional java options | | -| `artifactory.replicator.enabled` | Enable the Replicator service (relevant for Enterprise+ only) | `false` | -| `artifactory.ssh.enabled` | Enable Artifactory SSH access | | -| `artifactory.ssh.internalPort` | Artifactory SSH internal port | `1339` | -| `artifactory.ssh.externalPort` | Artifactory SSH external port | `1339` | -| `artifactory.terminationGracePeriodSeconds` | Termination grace period (seconds) | `30s` | -| `artifactory.tomcat.connector.maxThreads` | The max number of connections to Artifactory connector | `200` | -| `artifactory.tomcat.connector.extraConfig` | The max queue length for incoming connections to Artifactory connector | `'acceptCount="100"'` | -| `artifactory.systemYaml` | Artifactory system configuration (`system.yaml`) as described here - https://www.jfrog.com/confluence/display/JFROG/Artifactory+System+YAML | `see values.yaml` | -| `artifactory.affinity` | Artifactory node affinity | `{}` | -| `access.database.maxOpenConnections` | Maximum amount of open connections from Access to the DB | `80` | -| `access.tomcat.connector.maxThreads` | The max number of 
connections to Aceess connector | `50` | -| `access.tomcat.connector.extraConfig` | The max queue length for incoming connections to Access connector | `'acceptCount="100"'` | -| `ingress.enabled` | If true, Artifactory Ingress will be created | `false` | -| `ingress.annotations` | Artifactory Ingress annotations | `{}` | -| `ingress.labels` | Artifactory Ingress labels | `{}` | -| `ingress.hosts` | Artifactory Ingress hostnames | `[]` | -| `ingress.routerPath` | Router Ingress path | `/` | -| `ingress.artifactoryPath` | Artifactory Ingress path | `/` | -| `ingress.tls` | Artifactory Ingress TLS configuration (YAML) | `[]` | -| `ingress.defaultBackend.enabled` | If true, the default `backend` will be added using serviceName and servicePort | `true` | -| `ingress.annotations` | Ingress annotations, which are written out if annotations section exists in values. Everything inside of the annotations section will appear verbatim inside the resulting manifest. See `Ingress annotations` section below for examples of how to leverage the annotations, specifically for how to enable docker authentication. | | -| `ingress.additionalRules` | Ingress additional rules to be added to the Artifactory ingress. 
| `[]` | -| `metadata.database.maxOpenConnections` | Maximum amount of open connections from metadata to the DB | `80` | -| `nginx.name` | Nginx name | `nginx` | -| `nginx.enabled` | Deploy nginx server | `true` | -| `nginx.kind` | Nginx object kind, for example `DaemonSet`, `Deployment` or `StatefulSet` | `Deployment` | -| `nginx.name` | Nginx name | `nginx` | -| `nginx.replicaCount` | Nginx replica count | `1` | -| `nginx.uid` | Nginx User Id | `104` | -| `nginx.gid` | Nginx Group Id | `107` | -| `nginx.image.repository` | Container image | `docker.bintray.io/jfrog/nginx-artifactory-pro` | -| `nginx.image.version` | Container tag | `.Chart.AppVersion` | -| `nginx.image.pullPolicy` | Container pull policy | `IfNotPresent` | -| `nginx.labels` | Nginx deployment labels | `{}` | -| `nginx.loggers` | Nginx loggers (see values.yaml for possible values) | `[]` | -| `nginx.loggersResources.requests.memory` | Nginx logger initial memory request | | -| `nginx.loggersResources.requests.cpu` | Nginx logger initial cpu request | | -| `nginx.loggersResources.limits.memory` | Nginx logger memory limit | | -| `nginx.loggersResources.limits.cpu` | Nginx logger cpu limit | | -| `nginx.logs.stderr` | Send nginx logs to stderr | false | -| `nginx.logs.level` | Nginx log level: debug, info, notice, warn, error, crit, alert, or emerg | warn | -| `nginx.mainConf` | Content of the Artifactory nginx main nginx.conf config file | `see values.yaml` | -| `nginx.artifactoryConf` | Content of Artifactory nginx artifactory.conf config file | `see values.yaml` | -| `nginx.service.type`| Nginx service type | `LoadBalancer` | -| `nginx.service.loadBalancerSourceRanges`| Nginx service array of IP CIDR ranges to whitelist (only when service type is LoadBalancer) | | -| `nginx.service.externalTrafficPolicy`| Nginx service desires to route external traffic to node-local or cluster-wide endpoints. 
| `Cluster` | -| `nginx.service.ssloffload` | Nginx service SSL offload | false | -| `nginx.loadBalancerIP` | Provide Static IP to configure with Nginx | | -| `nginx.http.enabled` | Nginx http service enabled/disabled | true | -| `nginx.http.externalPort` | Nginx service external port | `80` | -| `nginx.http.internalPort` | Nginx service internal port | `80` | -| `nginx.https.enabled` | Nginx http service enabled/disabled | true | -| `nginx.https.externalPort` | Nginx service external port | `443` | -| `nginx.https.internalPort` | Nginx service internal port | `443` | -| `nginx.ssh.internalPort` | Nginx SSH internal port | `22` | -| `nginx.ssh.externalPort` | Nginx SSH external port | `22` | -| `nginx.externalPortHttp` | DEPRECATED: Nginx service external port | `80` | -| `nginx.internalPortHttp` | DEPRECATED:Nginx service internal port | `80` | -| `nginx.externalPortHttps` | DEPRECATED: Nginx service external port | `443` | -| `nginx.internalPortHttps` | DEPRECATED: Nginx service internal port | `443` | -| `nginx.livenessProbe.enabled` | Enable liveness probe | `true` | -| `nginx.livenessProbe.path` | Liveness probe HTTP Get path | `/router/api/v1/system/health` | -| `nginx.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 60 | -| `nginx.livenessProbe.periodSeconds` | How often to perform the probe | 10 | -| `nginx.livenessProbe.timeoutSeconds` | When the probe times out | 10 | -| `nginx.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | 10 | -| `nginx.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. 
| 1| -| `nginx.readinessProbe.enabled` | would you like a readinessProbe to be enabled | `true` | -| `nginx.readinessProbe.path` | Readiness probe HTTP Get path | `/artifactory/webapp/#/login` | -| `nginx.readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | 60 | -| `nginx.readinessProbe.periodSeconds` | How often to perform the probe | 10 | -| `nginx.readinessProbe.timeoutSeconds` | When the probe times out | 10 | -| `nginx.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | 10 | -| `nginx.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 1 | -| `nginx.tlsSecretName` | SSL secret that will be used by the Nginx pod | | -| `nginx.customConfigMap` | Nginx CustomeConfigMap name for `nginx.conf` | ` ` | -| `nginx.customArtifactoryConfigMap`| Nginx CustomeConfigMap name for `artifactory.conf` | ` ` | -| `nginx.persistence.mountPath` | Nginx persistence volume mount path | `"/var/opt/jfrog/nginx"` | -| `nginx.persistence.enabled` | Nginx persistence volume enabled | `false` | -| `nginx.persistence.accessMode` | Nginx persistence volume access mode | `ReadWriteOnce` | -| `nginx.persistence.size` | Nginx persistence volume size | `5Gi` | -| `nginx.resources.requests.memory` | Nginx initial memory request | | -| `nginx.resources.requests.cpu` | Nginx initial cpu request | | -| `nginx.resources.limits.memory` | Nginx memory limit | | -| `nginx.resources.limits.cpu` | Nginx cpu limit | | -| `waitForDatabase` | Wait for database (using wait-for-db init container) | `true` | -| `postgresql.enabled` | Use enclosed PostgreSQL as database | `true` | -| `postgresql.image.registry` | PostgreSQL image registry | `docker.bintray.io` | -| `postgresql.image.repository` | PostgreSQL image repository | `bitnami/postgresql` | -| `postgresql.image.tag` | PostgreSQL image tag | `9.6.18-debian-10-r7` | -| 
`postgresql.postgresqlDatabase` | PostgreSQL database name | `artifactory` | -| `postgresql.postgresqlUsername` | PostgreSQL database user | `artifactory` | -| `postgresql.postgresqlPassword` | PostgreSQL database password | | -| `postgresql.postgresqlExtendedConf.listenAddresses` | PostgreSQL listen address | `"'*'"` | -| `postgresql.postgresqlExtendedConf.maxConnections` | PostgreSQL max_connections parameter | `1500` | -| `postgresql.persistence.enabled` | PostgreSQL use persistent storage | `true` | -| `postgresql.persistence.size` | PostgreSQL persistent storage size | `50Gi` | -| `postgresql.service.port` | PostgreSQL database port | `5432` | -| `postgresql.resources.requests.memory` | PostgreSQL initial memory request | | -| `postgresql.resources.requests.cpu` | PostgreSQL initial cpu request | | -| `postgresql.resources.limits.memory` | PostgreSQL memory limit | | -| `postgresql.resources.limits.cpu` | PostgreSQL cpu limit | | -| `postgresql.master.nodeSelector` | PostgreSQL master node selector | `{}` | -| `postgresql.master.affinity` | PostgreSQL master node affinity | `{}` | -| `postgresql.master.tolerations` | PostgreSQL master node tolerations | `[]` | -| `postgresql.slave.nodeSelector` | PostgreSQL slave node selector | `{}` | -| `postgresql.slave.affinity` | PostgreSQL slave node affinity | `{}` | -| `postgresql.slave.tolerations` | PostgreSQL slave node tolerations | `[]` | -| `database.type` | External database type (`postgresql`, `mysql`, `oracle` or `mssql`) | | -| `database.driver` | External database driver e.g. 
`org.postgresql.Driver` | | -| `database.url` | External database connection URL | | -| `database.user` | External database username | | -| `database.password` | External database password | | -| `database.secrets.user.name` | External database username `Secret` name | | -| `database.secrets.user.key` | External database username `Secret` key | | -| `database.secrets.password.name` | External database password `Secret` name | | -| `database.secrets.password.key` | External database password `Secret` key | | -| `database.secrets.url.name ` | External database url `Secret` name | | -| `database.secrets.url.key` | External database url `Secret` key | | -| `networkpolicy.name` | Becomes part of the NetworkPolicy object name | `artifactory` | -| `networkpolicy.podselector` | Contains the YAML that specifies how to match pods. Usually using matchLabels. | | -| `networkpolicy.ingress` | YAML snippet containing to & from rules applied to incoming traffic | `- {}` (open to all inbound traffic) | -| `networkpolicy.egress` | YAML snippet containing to & from rules applied to outgoing traffic | `- {}` (open to all outbound traffic) | -| `filebeat.enabled` | Enable a filebeat container to send your logs to a log management solution like ELK | `false` | -| `filebeat.name` | filebeat container name | `artifactory-filebeat` | -| `filebeat.image.repository` | filebeat Docker image repository | `docker.elastic.co/beats/filebeat` | -| `filebeat.image.version` | filebeat Docker image version | `7.5.1` | -| `filebeat.logstashUrl` | The URL to the central Logstash service, if you have one | `logstash:5044` | -| `filebeat.livenessProbe.exec.command` | liveness probe exec command | see [values.yaml](stable/artifactory/values.yaml) | -| `filebeat.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. 
| 10 | -| `filebeat.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 180 | -| `filebeat.livenessProbe.periodSeconds` | How often to perform the probe | 10 | -| `filebeat.readinessProbe.exec.command` | readiness probe exec command | see [values.yaml](stable/artifactory/values.yaml) | -| `filebeat.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 10 | -| `filebeat.readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | 180 | -| `filebeat.readinessProbe.periodSeconds` | How often to perform the probe | 10 | -| `filebeat.resources.requests.memory` | Filebeat initial memory request | | -| `filebeat.resources.requests.cpu` | Filebeat initial cpu request | | -| `filebeat.resources.limits.memory` | Filebeat memory limit | | -| `filebeat.resources.limits.cpu` | Filebeat cpu limit | | -| `filebeat.filebeatYml` | Filebeat yaml configuration file | see [values.yaml](stable/artifactory/values.yaml) | +To configure Prometheus and Grafana to gather metrics from Artifactory through the use of FluentD, please refer to the log analytics repo: + +https://github.com/jfrog/log-analytics-prometheus + +That repo contains a file `artifactory-values.yaml` that can be used to deploy Prometheus, Service Monitor, and Grafana with this chart. -Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. ## Useful links -https://www.jfrog.com -https://www.jfrog.com/confluence/ +- https://www.jfrog.com/confluence/display/EP/Getting+Started +- https://www.jfrog.com/confluence/display/RTF/Installing+Artifactory +- https://www.jfrog.com/confluence/ diff --git a/charts/artifactory-jcr/charts/artifactory/UPGRADE_NOTES.md b/charts/artifactory-jcr/charts/artifactory/UPGRADE_NOTES.md index 8917634f4..4ba17d0c9 100644 --- a/charts/artifactory-jcr/charts/artifactory/UPGRADE_NOTES.md 
+++ b/charts/artifactory-jcr/charts/artifactory/UPGRADE_NOTES.md @@ -1,10 +1,14 @@ # JFrog Artifactory Chart Upgrade Notes This file describes special upgrade notes needed at specific versions -## Upgrade from 8.X to 9.X (Chart Versions) +## Upgrade from 8.X to 9.X and above (Chart Versions) * If this is a new deployment or you already use an external database (`postgresql.enabled=false`), these changes **do not affect you!** * To upgrade from a version prior to 8.x, you first need to upgrade to latest version of 8.x as described in https://github.com/jfrog/charts/blob/master/stable/artifactory/CHANGELOG.md. +* Note: If you are upgrading from 8.x to 11.x and above chart versions, please delete the existing statefulset of postgresql before upgrading the chart due to breaking changes in postgresql subchart. +```bash +kubectl delete statefulsets <OLD_RELEASE_NAME>-postgresql +``` ## Upgrade from 7.X to 8.X (Chart Versions) **DOWNTIME IS REQUIRED FOR AN UPGRADE!** diff --git a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/Chart.yaml b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/Chart.yaml index a61a09ff7..9bed0aa83 100644 --- a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/Chart.yaml +++ b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/Chart.yaml @@ -1,5 +1,7 @@ +annotations: + category: Database apiVersion: v1 -appVersion: 11.7.0 +appVersion: 11.9.0 description: Chart for PostgreSQL, an object-relational database management system (ORDBMS) with an emphasis on extensibility and on standards-compliance. home: https://www.postgresql.org/ @@ -19,4 +21,4 @@ maintainers: name: postgresql sources: - https://github.com/bitnami/bitnami-docker-postgresql -version: 8.7.3 +version: 9.3.4 diff --git a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/README.md b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/README.md index c2b848af1..319291bc6 100644 
--- a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/README.md +++ b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/README.md @@ -4,7 +4,7 @@ For HA, please see [this repo](https://github.com/bitnami/charts/tree/master/bitnami/postgresql-ha) -## TL;DR; +## TL;DR ```console $ helm repo add bitnami https://charts.bitnami.com/bitnami @@ -20,7 +20,7 @@ Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment ## Prerequisites - Kubernetes 1.12+ -- Helm 2.11+ or Helm 3.0-beta3+ +- Helm 2.12+ or Helm 3.0-beta3+ - PV provisioner support in the underlying infrastructure ## Installing the Chart @@ -42,7 +42,15 @@ To uninstall/delete the `my-release` deployment: $ helm delete my-release ``` -The command removes all the Kubernetes components associated with the chart and deletes the release. +The command removes all the Kubernetes components but PVC's associated with the chart and deletes the release. + +To delete the PVC's associated with `my-release`: + +```console +$ kubectl delete pvc -l release=my-release +``` + +> **Note**: Deleting the PVC's will delete postgresql data as well. Please be cautious before doing it. ## Parameters 
@@ -95,10 +103,10 @@ The following tables lists the configurable parameters of the PostgreSQL chart a | `replication.synchronousCommit` | Set synchronous commit mode. Allowed values: `on`, `remote_apply`, `remote_write`, `local` and `off` | `off` | | `replication.numSynchronousReplicas` | Number of replicas that will have synchronous replication. Note: Cannot be greater than `replication.slaveReplicas`. | `0` | | `replication.applicationName` | Cluster application name. Useful for advanced replication settings | `my_application` | -| `existingSecret` | Name of existing secret to use for PostgreSQL passwords. The secret has to contain the keys `postgresql-postgres-password` which is the password for `postgresqlUsername` when it is different of `postgres`, `postgresql-password` which will override `postgresqlPassword`, `postgresql-replication-password` which will override `replication.password` and `postgresql-ldap-password` which will be sed to authenticate on LDAP. The value is evaluated as a template. | `nil` | -| `postgresqlPostgresPassword` | PostgreSQL admin password (used when `postgresqlUsername` is not `postgres`) | _random 10 character alphanumeric string_ | -| `postgresqlUsername` | PostgreSQL admin user | `postgres` | -| `postgresqlPassword` | PostgreSQL admin password | _random 10 character alphanumeric string_ | +| `existingSecret` | Name of existing secret to use for PostgreSQL passwords. The secret has to contain the keys `postgresql-postgres-password` which is the password for `postgresqlUsername` when it is different of `postgres`, `postgresql-password` which will override `postgresqlPassword`, `postgresql-replication-password` which will override `replication.password` and `postgresql-ldap-password` which will be sed to authenticate on LDAP. The value is evaluated as a template. | `nil` | +| `postgresqlPostgresPassword` | PostgreSQL admin password (used when `postgresqlUsername` is not `postgres`, in which case`postgres` is the admin username). 
| _random 10 character alphanumeric string_ | +| `postgresqlUsername` | PostgreSQL user (creates a non-admin user when `postgresqlUsername` is not `postgres`) | `postgres` | +| `postgresqlPassword` | PostgreSQL user password | _random 10 character alphanumeric string_ | | `postgresqlDatabase` | PostgreSQL database | `nil` | | `postgresqlDataDir` | PostgreSQL data dir folder | `/bitnami/postgresql` (same value as persistence.mountPath) | | `extraEnv` | Any extra environment variables you would like to pass on to the pod. The value is evaluated as a template. | `[]` | @@ -112,7 +120,7 @@ The following tables lists the configurable parameters of the PostgreSQL chart a | `extendedConfConfigMap` | ConfigMap with the extended PostgreSQL configuration files. The value is evaluated as a template. | `nil` | | `initdbScripts` | Dictionary of initdb scripts | `nil` | | `initdbUser` | PostgreSQL user to execute the .sql and sql.gz scripts | `nil` | -| `initdbPassword` | Password for the user specified in `initdbUser` | `nil` | +| `initdbPassword` | Password for the user specified in `initdbUser` | `nil` | | `initdbScriptsConfigMap` | ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`). The value is evaluated as a template. | `nil` | | `initdbScriptsSecret` | Secret with initdb scripts that contain sensitive information (Note: can be used with `initdbScriptsConfigMap` or `initdbScripts`). The value is evaluated as a template. | `nil` | | `service.type` | Kubernetes Service type | `ClusterIP` | 
@@ -132,6 +140,7 @@ The following tables lists the configurable parameters of the PostgreSQL chart a | `persistence.accessModes` | PVC Access Mode for PostgreSQL volume | `[ReadWriteOnce]` | | `persistence.size` | PVC Storage Request for PostgreSQL volume | `8Gi` | | `persistence.annotations` | Annotations for the PVC | `{}` | +| `commonAnnotations` | Annotations to be added to all deployed resources (rendered as a template) | `{}` | | `master.nodeSelector` | Node labels for pod assignment (postgresql master) | `{}` | | `master.affinity` | Affinity labels for pod assignment (postgresql master) | `{}` | | `master.tolerations` | Toleration labels for pod assignment (postgresql master) | `[]` | @@ -139,7 +148,7 @@ The following tables lists the configurable parameters of the PostgreSQL chart a | `master.labels` | Map of labels to add to the statefulset (postgresql master) | `{}` | | `master.podAnnotations` | Map of annotations to add to the pods (postgresql master) | `{}` | | `master.podLabels` | Map of labels to add to the pods (postgresql master) | `{}` | -| `master.priorityClassName` | Priority Class to use for each pod (postgresql master) | `nil` | +| `master.priorityClassName` | Priority Class to use for each pod (postgresql master) | `nil` | | `master.extraInitContainers` | Additional init containers to add to the pods (postgresql master) | `[]` | | `master.extraVolumeMounts` | Additional volume mounts to add to the pods (postgresql master) | `[]` | | `master.extraVolumes` | Additional volumes to add to the pods (postgresql master) | `[]` | 
@@ -154,7 +163,7 @@ The following tables lists the configurable parameters of the PostgreSQL chart a | `slave.labels` | Map of labels to add to the statefulsets (postgresql slave) | `{}` | | `slave.podAnnotations` | Map of annotations to add to the pods (postgresql slave) | `{}` | | `slave.podLabels` | Map of labels to add to the pods (postgresql slave) | `{}` | -| `slave.priorityClassName` | Priority Class to use for each pod (postgresql slave) | `nil` | +| `slave.priorityClassName` | Priority Class to use for each pod (postgresql slave) | `nil` | | `slave.extraInitContainers` | Additional init containers to add to the pods (postgresql slave) | `[]` | | `slave.extraVolumeMounts` | Additional volume mounts to add to the pods (postgresql slave) | `[]` | | `slave.extraVolumes` | Additional volumes to add to the pods (postgresql slave) | `[]` | 
@@ -162,13 +171,14 @@ The following tables lists the configurable parameters of the PostgreSQL chart a | `slave.service.type` | Allows using a different service type for Slave | `nil` | | `slave.service.nodePort` | Allows using a different nodePort for Slave | `nil` | | `slave.service.clusterIP` | Allows using a different clusterIP for Slave | `nil` | +| `slave.persistence.enabled` | Whether to enable slave replicas persistence | `true` | | `terminationGracePeriodSeconds` | Seconds the pod needs to terminate gracefully | `nil` | | `resources` | CPU/Memory resource requests/limits | Memory: `256Mi`, CPU: `250m` | | `securityContext.enabled` | Enable security context | `true` | | `securityContext.fsGroup` | Group ID for the container | `1001` | | `securityContext.runAsUser` | User ID for the container | `1001` | | `serviceAccount.enabled` | Enable service account (Note: Service Account will only be automatically created if `serviceAccount.name` is not set) | `false` | -| `serviceAcccount.name` | Name of existing service account | `nil` | +| `serviceAccount.name` | Name of existing service account | `nil` | | `livenessProbe.enabled` | Would you like a livenessProbe to be enabled | `true` | | `networkPolicy.enabled` | Enable NetworkPolicy | `false` | | `networkPolicy.allowExternal` | Don't require client label for connections | `true` | 
@@ -184,6 +194,13 @@ The following tables lists the configurable parameters of the PostgreSQL chart a | `readinessProbe.timeoutSeconds` | When the probe times out | 5 | | `readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 | | `readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | 1 | +| `tls.enabled` | Enable TLS traffic support | `false` | +| `tls.preferServerCiphers` | Whether to use the server's TLS cipher preferences rather than the client's | `true` | +| `tls.certificatesSecret` | Name of an existing secret that contains the certificates | `nil` | +| `tls.certFilename` | Certificate filename | `""` | +| `tls.certKeyFilename` | Certificate key filename | `""` | +| `tls.certCAFilename` | CA Certificate filename. If provided, PostgreSQL will authenticate TLS/SSL clients by requesting them a certificate. |`nil` | +| `tls.crlFilename` | File containing a Certificate Revocation List |`nil` | | `metrics.enabled` | Start a prometheus exporter | `false` | | `metrics.service.type` | Kubernetes Service type | `ClusterIP` | | `service.clusterIP` | Static clusterIP or None for headless services | `nil` | 
@@ -198,12 +215,13 @@ The following tables lists the configurable parameters of the PostgreSQL chart a | `metrics.prometheusRule.additionalLabels` | Additional labels that can be used so prometheusRules will be discovered by Prometheus | `{}` | | `metrics.prometheusRule.namespace` | namespace where prometheusRules resource should be created | the same namespace as postgresql | | `metrics.prometheusRule.rules` | [rules](https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/) to be created, check values for an example. | `[]` | -| `metrics.image.registry` | PostgreSQL Image registry | `docker.io` | -| `metrics.image.repository` | PostgreSQL Image name | `bitnami/postgres-exporter` | -| `metrics.image.tag` | PostgreSQL Image tag | `{TAG_NAME}` | -| `metrics.image.pullPolicy` | PostgreSQL Image pull policy | `IfNotPresent` | +| `metrics.image.registry` | PostgreSQL Exporter Image registry | `docker.io` | +| `metrics.image.repository` | PostgreSQL Exporter Image name | `bitnami/postgres-exporter` | +| `metrics.image.tag` | PostgreSQL Exporter Image tag | `{TAG_NAME}` | +| `metrics.image.pullPolicy` | PostgreSQL Exporter Image pull policy | `IfNotPresent` | | `metrics.image.pullSecrets` | Specify Image pull secrets | `nil` (does not add image pull secrets to deployed pods) | | `metrics.customMetrics` | Additional custom metrics | `nil` | +| `metrics.extraEnvVars` | Extra environment variables to add to exporter | `{}` (evaluated as a template) | | `metrics.securityContext.enabled` | Enable security context for metrics | `false` | | `metrics.securityContext.runAsUser` | User ID for the container for metrics | `1001` | | `metrics.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 30 | 
@@ -218,6 +236,9 @@ The following tables lists the configurable parameters of the PostgreSQL chart a | `metrics.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 | | `metrics.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | 1 | | `updateStrategy` | Update strategy policy | `{type: "RollingUpdate"}` | +| `psp.create` | Create Pod Security Policy | `false` | +| `rbac.create` | Create Role and RoleBinding (required for PSP to work) | `false` | + Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, @@ -287,7 +308,7 @@ At the top level, there is a service object which defines the services for both ### Change PostgreSQL version -To modify the PostgreSQL version used in this chart you can specify a [valid image tag](https://hub.docker.com/r/bitnami/postgresql/tags/) using the `image.tag` parameter. For example, `image.tag=12.0.0` +To modify the PostgreSQL version used in this chart you can specify a [valid image tag](https://hub.docker.com/r/bitnami/postgresql/tags/) using the `image.tag` parameter. For example, `image.tag=X.Y.Z`. This approach is also applicable to other images like exporters. ### postgresql.conf / pg_hba.conf files as configMap 
@@ -316,6 +337,35 @@ In addition to these options, you can also set an external ConfigMap with all th The allowed extensions are `.sh`, `.sql` and `.sql.gz`. +### Securing traffic using TLS + +TLS support can be enabled in the chart by specifying the `tls.` parameters while creating a release. The following parameters should be configured to properly enable the TLS support in the chart: + +- `tls.enabled`: Enable TLS support. Defaults to `false` +- `tls.certificatesSecret`: Name of an existing secret that contains the certificates. No defaults. +- `tls.certFilename`: Certificate filename. No defaults. +- `tls.certKeyFilename`: Certificate key filename. No defaults. + +For example: + +* First, create the secret with the cetificates files: + + ```console + kubectl create secret generic certificates-tls-secret --from-file=./cert.crt --from-file=./cert.key --from-file=./ca.crt + ``` + +* Then, use the following parameters: + + ```console + volumePermissions.enabled=true + tls.enabled=true + tls.certificatesSecret="certificates-tls-secret" + tls.certFilename="cert.crt" + tls.certKeyFilename="cert.key" + ``` + + > Note TLS and VolumePermissions: PostgreSQL requires certain permissions on sensitive files (such as certificate keys) to start up. Due to an on-going [issue](https://github.com/kubernetes/kubernetes/issues/57923) regarding kubernetes permissions and the use of `securityContext.runAsUser`, you must enable `volumePermissions` to ensure everything works as expected. + ### Sidecars If you need additional containers to run within the same pod as PostgreSQL (e.g. an additional metrics or logging exporter), you can do so via the `sidecars` config parameter. Simply define your container according to the Kubernetes container spec. 
@@ -443,6 +493,60 @@ $ helm upgrade my-release stable/postgresql \ > Note: you need to substitute the placeholders _[POSTGRESQL_PASSWORD]_, and _[REPLICATION_PASSWORD]_ with the values obtained from instructions in the installation notes. +## 9.0.0 + +In this version the chart was adapted to follow the Helm label best practices, see [PR 3021](https://github.com/bitnami/charts/pull/3021). That means the backward compatibility is not guarantee when upgrading the chart to this major version. + +As a workaround, you can delete the existing statefulset (using the `--cascade=false` flag pods are not deleted) before upgrade the chart. For example, this can be a valid workflow: + +- Deploy an old version (8.X.X) +```console +$ helm install postgresql bitnami/postgresql --version 8.10.14 +``` + +- Old version is up and running +```console +$ helm ls +NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION +postgresql default 1 2020-08-04 13:39:54.783480286 +0000 UTC deployed postgresql-8.10.14 11.8.0 + +$ kubectl get pods +NAME READY STATUS RESTARTS AGE +postgresql-postgresql-0 1/1 Running 0 76s +``` + +- The upgrade to the latest one (9.X.X) is going to fail +```console +$ helm upgrade postgresql bitnami/postgresql +Error: UPGRADE FAILED: cannot patch "postgresql-postgresql" with kind StatefulSet: StatefulSet.apps "postgresql-postgresql" is invalid: spec: Forbidden: updates to statefulset spec for fields other than 'replicas', 'template', and 'updateStrategy' are forbidden +``` + +- Delete the statefulset +```console +$ kubectl delete statefulsets.apps --cascade=false postgresql-postgresql +statefulset.apps "postgresql-postgresql" deleted +``` + +- Now the upgrade works +```cosnole +$ helm upgrade postgresql bitnami/postgresql +$ helm ls +NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION +postgresql default 3 2020-08-04 13:42:08.020385884 +0000 UTC deployed postgresql-9.1.2 11.8.0 +``` + +- We can kill the existing pod and the new statefulset is going to create a 
new one: +```console +$ kubectl delete pod postgresql-postgresql-0 +pod "postgresql-postgresql-0" deleted + +$ kubectl get pods +NAME READY STATUS RESTARTS AGE +postgresql-postgresql-0 1/1 Running 0 19s +``` + +Please, note that without the `--cascade=false` both objects (statefulset and pod) are going to be removed and both objects will be deployed again with the `helm upgrade` command + ## 8.0.0 Prefixes the port names with their protocols to comply with Istio conventions. diff --git a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/.helmignore b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/.helmignore new file mode 100644 index 000000000..50af03172 --- /dev/null +++ b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/Chart.yaml b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/Chart.yaml new file mode 100644 index 000000000..0044c2232 --- /dev/null +++ b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/Chart.yaml 
@@ -0,0 +1,21 @@
+annotations:
+ category: Infrastructure
+apiVersion: v1
+appVersion: 0.6.2
+description: A Library Helm Chart for grouping common logic between bitnami charts.
+ This chart is not deployable by itself.
+home: http://www.bitnami.com/
+icon: https://bitnami.com/downloads/logos/bitnami-mark.png
+keywords:
+- common
+- helper
+- template
+- function
+- bitnami
+maintainers:
+- email: containers@bitnami.com
+ name: Bitnami
+name: common
+sources:
+- https://github.com/bitnami/charts
+version: 0.6.2
diff --git a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/README.md b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/README.md
new file mode 100644
index 000000000..e04391a3f
--- /dev/null
+++ b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/README.md
@@ -0,0 +1,274 @@ +# Bitnami Common Library Chart + +A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between bitnami charts. + +## TL;DR + +```yaml +dependencies: + - name: common + version: 0.x.x + repository: https://charts.bitnami.com/bitnami +``` + +```bash +$ helm dependency update +``` + +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.names.fullname" . }} +data: + myvalue: "Hello World" +``` + +## Introduction + +This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. + +Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This Helm chart has been tested on top of [Bitnami Kubernetes Production Runtime](https://kubeprod.io/) (BKPR). Deploy BKPR to get automated TLS certificates, logging and monitoring for your applications. + +## Prerequisites + +- Kubernetes 1.12+ +- Helm 2.12+ or Helm 3.0-beta3+ + +## Parameters + +The following table lists the helpers available in the library which are scoped in different sections. + +**Names** + +| Helper identifier | Description | Expected Input | +|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.names.name` | Expand the name of the chart or use `.Values.nameOverride` | `.` Chart context | +| `common.names.fullname` | Create a default fully qualified app name. 
| `.` Chart context | +| `common.names.chart` | Chart name plus version | `.` Chart context | + +**Images** + +| Helper identifier | Description | Expected Input | +|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.images.image` | Return the proper and full image name | `dict "imageRoot" .Values.path.to.the.image "global" $`, see [ImageRoot](#imageroot) for the structure. | +| `common.images.pullSecrets` | Return the proper Docker Image Registry Secret Names | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global` | + +**Labels** + +| Helper identifier | Description | Expected Input | +|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.labels.standard` | Return Kubernetes standard labels | `.` Chart context | +| `common.labels.matchLabels` | Return the proper Docker Image Registry Secret Names | `.` Chart context | + +**Storage** + +| Helper identifier | Description | Expected Input | 
+|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.storage.class` | Return the proper Storage Class | `dict "persistence" .Values.path.to.the.persistence "global" $`, see [Persistence](#persistence) for the structure. | + +**TplValues** + +| Helper identifier | Description | Expected Input | +|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.tplvalues.render` | Renders a value that contains template | `dict "value" .Values.path.to.the.Value "context" $`, value is the value should rendered as template, context frecuently is the chart context `$` or `.` | + +**Capabilities** + +| Helper identifier | Description | Expected Input | +|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.capabilities.deployment.apiVersion` | Return the 
appropriate apiVersion for deployment. | `.` Chart context | +| `common.capabilities.ingress.apiVersion` | Return the appropriate apiVersion for ingress. | `.` Chart context | + +**Validations** + +| Helper identifier | Description | Expected Input | +|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.validations.values.single.empty` | Validate a value must not be empty. | `dict "valueKey" "path.to.value" "secret" "secret.name" "field" "my-password" "context" $` secret and field are optional. In case they are given, the helper will generate a how to get instruction. See [ValidateValue](#validatevalue) | +| `common.validations.values.multiple.empty` | Validate a multiple values must not be empty. It returns a shared error for all the values. | `dict "required" (list $validateValueConf00 $validateValueConf01) "context" $`. See [ValidateValue](#validatevalue) | +| `common.validations.values.mariadb.passwords` | When a chart is using `bitnami/mariadb` as subchart you should use this to validate required password are not empty. It returns a shared error for all the values. | `dict "secret" "mariadb-secret" "context" $` | +| `common.validations.values.postgresql.passwords` | This helper will ensure required password are not empty. It returns a shared error for all the values. | `dict "secret" "postgresql-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use postgresql chart and the helper. 
| + +**Warnings** + +| Helper identifier | Description | Expected Input | +|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.warnings.rollingTag` | Warning about using rolling tag. | `ImageRoot` see [ImageRoot](#imageroot) for the structure. | + +**Errors** + +| Helper identifier | Description | Expected Input | +|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.errors.upgrade.passwords.empty` | It will ensure required passwords are given when we are upgrading a chart. If `validationErrors` is not empty it will throw an error and will stop the upgrade action. 
| `dict "validationErrors" (list $validationError00 $validationError01) "context" $` | + +**Utils** + +| Helper identifier | Description | Expected Input | +|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.utils.fieldToEnvVar` | Build environment variable name given a field. | `dict "field" "my-password"` | +| `common.utils.secret.getvalue` | Print instructions to get a secret value. | `dict "secret" "secret-name" "field" "secret-value-field" "context" $` | + +**Secrets** + +| Helper identifier | Description | Expected Input | +|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.secrets.name` | Generate the name of the secret. | `dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $` see [ExistingSecret](#existingsecret) for the structure. | +| `common.secrets.key` | Generate secret key. | `dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName"` see [ExistingSecret](#existingsecret) for the structure. 
| + +## Special input schemas + +### ImageRoot + +```yaml +registry: + type: string + description: Docker registry where the image is located + example: docker.io + +repository: + type: string + description: Repository and image name + example: bitnami/nginx + +tag: + type: string + description: image tag + example: 1.16.1-debian-10-r63 + +pullPolicy: + type: string + description: Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + +pullSecrets: + type: array + items: + type: string + description: Optionally specify an array of imagePullSecrets. + +debug: + type: boolean + description: Set to true if you would like to see extra information on logs + example: false + +## An instance would be: +# registry: docker.io +# repository: bitnami/nginx +# tag: 1.16.1-debian-10-r63 +# pullPolicy: IfNotPresent +# debug: false +``` + +### Persistence + +```yaml +enabled: + type: boolean + description: Whether enable persistence. + example: true + +storageClass: + type: string + description: Ghost data Persistent Volume Storage Class, If set to "-", storageClassName: "" which disables dynamic provisioning. + example: "-" + +accessMode: + type: string + description: Access mode for the Persistent Volume Storage. + example: ReadWriteOnce + +size: + type: string + description: Size the Persistent Volume Storage. + example: 8Gi + +path: + type: string + description: Path to be persisted. + example: /bitnami + +## An instance would be: +# enabled: true +# storageClass: "-" +# accessMode: ReadWriteOnce +# size: 8Gi +# path: /bitnami +``` + +### ExistingSecret +```yaml +name: + type: string + description: Name of the existing secret. + example: mySecret +keyMapping: + description: Mapping between the expected key name and the name of the key in the existing secret. 
+ type: object + +## An instance would be: +# name: mySecret +# keyMapping: +# password: myPasswordKey +``` + +**Example of use** + +When we store sensitive data for a deployment in a secret, some times we want to give to users the possiblity of using theirs existing secrets. + +```yaml +# templates/secret.yaml +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.names.fullname" . }} + labels: + app: {{ include "common.names.fullname" . }} +type: Opaque +data: + password: {{ .Values.password | b64enc | quote }} + +# templates/dpl.yaml +--- +... + env: + - name: PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "common.secrets.name" (dict "existingSecret" .Values.existingSecret "context" $) }} + key: {{ include "common.secrets.key" (dict "existingSecret" .Values.existingSecret "key" "password") }} +... + +# values.yaml +--- +name: mySecret +keyMapping: + password: myPasswordKey +``` + +### ValidateValue + +**NOTES.txt** + +``` +{{- $validateValueConf00 := (dict "valueKey" "path.to.value00" "secret" "secretName" "field" "password-00") -}} +{{- $validateValueConf01 := (dict "valueKey" "path.to.value01" "secret" "secretName" "field" "password-01") -}} + +{{ include "common.validations.values.multiple.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} +``` + +If we force those values to be empty we will see some alerts + +```console +$ helm install test mychart --set path.to.value00="",path.to.value01="" + 'path.to.value00' must not be empty, please add '--set path.to.value00=$PASSWORD_00' to the command. To get the current value: + + export PASSWORD_00=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-00}" | base64 --decode) + + 'path.to.value01' must not be empty, please add '--set path.to.value01=$PASSWORD_01' to the command. 
To get the current value:
+
+ export PASSWORD_01=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-01}" | base64 --decode)
+```
+
+## Notable changes
+
+N/A
diff --git a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/templates/_capabilities.tpl b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/templates/_capabilities.tpl
new file mode 100644
index 000000000..c0ea2c70c
--- /dev/null
+++ b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/templates/_capabilities.tpl
@@ -0,0 +1,22 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Return the appropriate apiVersion for deployment.
+*/}}
+{{- define "common.capabilities.deployment.apiVersion" -}}
+{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+{{- print "extensions/v1beta1" -}}
+{{- else -}}
+{{- print "apps/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for ingress.
+*/}}
+{{- define "common.capabilities.ingress.apiVersion" -}}
+{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+{{- print "extensions/v1beta1" -}}
+{{- else -}}
+{{- print "networking.k8s.io/v1beta1" -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/templates/_errors.tpl b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/templates/_errors.tpl
new file mode 100644
index 000000000..d6d3ec65a
--- /dev/null
+++ b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/templates/_errors.tpl
@@ -0,0 +1,20 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Through error when upgrading using empty passwords values that must not be empty.
+
+Usage:
+{{- $validationError00 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password00" "secret" "secretName" "field" "password-00") -}}
+{{- $validationError01 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password01" "secret" "secretName" "field" "password-01") -}}
+{{ include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $validationError00 $validationError01) "context" $) }}
+
+Required password params:
+ - validationErrors - String - Required. List of validation strings to be return, if it is empty it won't throw error.
+ - context - Context - Required. Parent context.
+*/}}
+{{- define "common.errors.upgrade.passwords.empty" -}}
+ {{- $validationErrors := join "" .validationErrors -}}
+ {{- if and $validationErrors .context.Release.IsUpgrade -}}
+ {{- $errorString := "\nPASSWORDS ERROR: you must provide your current passwords when upgrade the release%s" -}}
+ {{- printf $errorString $validationErrors | fail -}}
+ {{- end -}}
+{{- end -}}
diff --git a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/templates/_images.tpl b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/templates/_images.tpl
new file mode 100644
index 000000000..aafde9f3b
--- /dev/null
+++ b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/templates/_images.tpl
@@ -0,0 +1,43 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Return the proper image name
+{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" $) }}
+*/}}
+{{- define "common.images.image" -}}
+{{- $registryName := .imageRoot.registry -}}
+{{- $repositoryName := .imageRoot.repository -}}
+{{- $tag := .imageRoot.tag | toString -}}
+{{- if .global }}
+ {{- if .global.imageRegistry }}
+ {{- $registryName = .global.imageRegistry -}}
+ {{- end -}}
+{{- end -}}
+{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
+{{- end -}}
+
+{{/*
+Return the proper Docker Image Registry Secret Names
+{{ include "common.images.pullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global) }}
+*/}}
+{{- define "common.images.pullSecrets" -}}
+ {{- $pullSecrets := list }}
+
+ {{- if .global }}
+ {{- range .global.imagePullSecrets -}}
+ {{- $pullSecrets = append $pullSecrets . -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- range .images -}}
+ {{- range .pullSecrets -}}
+ {{- $pullSecrets = append $pullSecrets . -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- if (not (empty $pullSecrets)) }}
+imagePullSecrets:
+ {{- range $pullSecrets }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
+{{- end -}}
diff --git a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/templates/_labels.tpl b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/templates/_labels.tpl
new file mode 100644
index 000000000..252066c7e
--- /dev/null
+++ b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/templates/_labels.tpl
@@ -0,0 +1,18 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Kubernetes standard labels
+*/}}
+{{- define "common.labels.standard" -}}
+app.kubernetes.io/name: {{ include "common.names.name" . }}
+helm.sh/chart: {{ include "common.names.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Labels to use on deploy.spec.selector.matchLabels and svc.spec.selector
+*/}}
+{{- define "common.labels.matchLabels" -}}
+app.kubernetes.io/name: {{ include "common.names.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
diff --git a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/templates/_names.tpl b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/templates/_names.tpl
new file mode 100644
index 000000000..adf2a74f4
--- /dev/null
+++ b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/templates/_names.tpl
@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "common.names.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "common.names.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "common.names.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/templates/_secrets.tpl b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/templates/_secrets.tpl
new file mode 100644
index 000000000..d6165a294
--- /dev/null
+++ b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/templates/_secrets.tpl
@@ -0,0 +1,49 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Generate secret name. + +Usage: +{{ include "common.secrets.name" (dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $) }} + +Params: + - existingSecret - ExistingSecret - Optional. The path to the existing secrets in the values.yaml given by the user + to be used istead of the default one. +info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret + - defaultNameSuffix - String - Optional. It is used only if we have several secrets in the same deployment. + - context - Dict - Required. The context for the template evaluation. +*/}} +{{- define "common.secrets.name" -}} +{{- $name := (include "common.names.fullname" .context) -}} + +{{- if .defaultNameSuffix -}} +{{- $name = cat $name .defaultNameSuffix -}} +{{- end -}} + +{{- with .existingSecret -}} +{{- $name = .name -}} +{{- end -}} + +{{- printf "%s" $name -}} +{{- end -}} + +{{/* +Generate secret key. + +Usage: +{{ include "common.secrets.key" (dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName") }} + +Params: + - existingSecret - ExistingSecret - Optional. The path to the existing secrets in the values.yaml given by the user + to be used istead of the default one. +info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret + - key - String - Required. Name of the key in the secret. +*/}} +{{- define "common.secrets.key" -}} +{{- $key := .key -}} + +{{- if .existingSecret -}} + {{- if .existingSecret.keyMapping -}} + {{- $key = index .existingSecret.keyMapping $.key -}} + {{- end -}} +{{- end -}} + +{{- printf "%s" $key -}} +{{- end -}} diff --git a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/templates/_storage.tpl b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/templates/_storage.tpl new file mode 100644 index 000000000..60e2a844f --- /dev/null 
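Review bot: In `common.secrets.name` the suffix is appended with `cat $name .defaultNameSuffix`, and sprig's `cat` joins its arguments with a space, so any caller that passes `defaultNameSuffix` gets a name containing a space, which is not a valid Secret name. Joining with a hyphen and re-applying the length limit keeps it valid: `{{- $name = printf "%s-%s" $name .defaultNameSuffix | trunc 63 | trimSuffix "-" -}}`. In `common.secrets.key`, a `keyMapping` that has no entry for the requested key makes `index` yield no value, so the rendered `secretKeyRef.key` would not be a usable key name; falling back to `.key` in that case looks safer.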
+++ b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/templates/_storage.tpl
@@ -0,0 +1,23 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Return the proper Storage Class
+{{ include "common.storage.class" ( dict "persistence" .Values.path.to.the.persistence "global" $) }}
+*/}}
+{{- define "common.storage.class" -}}
+
+{{- $storageClass := .persistence.storageClass -}}
+{{- if .global -}}
+ {{- if .global.storageClass -}}
+ {{- $storageClass = .global.storageClass -}}
+ {{- end -}}
+{{- end -}}
+
+{{- if $storageClass -}}
+ {{- if (eq "-" $storageClass) -}}
+ {{- printf "storageClassName: \"\"" -}}
+ {{- else }}
+ {{- printf "storageClassName: %s" $storageClass -}}
+ {{- end -}}
+{{- end -}}
+
+{{- end -}}
diff --git a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/templates/_tplvalues.tpl b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/templates/_tplvalues.tpl
new file mode 100644
index 000000000..2db166851
--- /dev/null
+++ b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/templates/_tplvalues.tpl
@@ -0,0 +1,13 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Renders a value that contains template.
+Usage:
+{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }}
+*/}}
+{{- define "common.tplvalues.render" -}}
+ {{- if typeIs "string" .value }}
+ {{- tpl .value .context }}
+ {{- else }}
+ {{- tpl (.value | toYaml) .context }}
+ {{- end }}
+{{- end -}}
diff --git a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/templates/_utils.tpl b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/templates/_utils.tpl
new file mode 100644
index 000000000..7d02f2ef6
--- /dev/null
+++ b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/templates/_utils.tpl
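Review bot: The header comment of `common.tplvalues.render` does not say that `.value` is executed as a template: both branches hand it to `tpl` together with the full parent context. Whatever reaches this helper can therefore read anything `.context` exposes, including `.Values` entries that hold passwords, and can abort the render, so it should only be fed values the chart operator controls. I would add a line to the comment such as `The value is evaluated as a Go template against .context; only pass operator-controlled values.`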
@@ -0,0 +1,26 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Print instructions to get a secret value.
+Usage:
+{{ include "common.utils.secret.getvalue" (dict "secret" "secret-name" "field" "secret-value-field" "context" $) }}
+*/}}
+{{- define "common.utils.secret.getvalue" -}}
+{{- $varname := include "common.utils.fieldToEnvVar" . -}}
+export {{ $varname }}=$(kubectl get secret --namespace {{ .context.Release.Namespace }} {{ .secret }} -o jsonpath="{.data.{{ .field }}}" | base64 --decode)
+{{- end -}}
+
+{{/*
+Build env var name given a field
+Usage:
+{{ include "common.utils.fieldToEnvVar" dict "field" "my-password" }}
+*/}}
+{{- define "common.utils.fieldToEnvVar" -}}
+ {{- $fieldNameSplit := splitList "-" .field -}}
+ {{- $upperCaseFieldNameSplit := list -}}
+
+ {{- range $fieldNameSplit -}}
+ {{- $upperCaseFieldNameSplit = append $upperCaseFieldNameSplit ( upper . ) -}}
+ {{- end -}}
+
+ {{ join "_" $upperCaseFieldNameSplit }}
+{{- end -}}
diff --git a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/templates/_validations.tpl b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/templates/_validations.tpl
new file mode 100644
index 000000000..62635b30e
--- /dev/null
+++ b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/templates/_validations.tpl
@@ -0,0 +1,219 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate values must not be empty. + +Usage: +{{- $validateValueConf00 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-00") -}} +{{- $validateValueConf01 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-01") -}} +{{ include "common.validations.values.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} + +Validate value params: + - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" + - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" + - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" +*/}} +{{- define "common.validations.values.multiple.empty" -}} + {{- range .required -}} + {{- include "common.validations.values.single.empty" (dict "valueKey" .valueKey "secret" .secret "field" .field "context" $.context) -}} + {{- end -}} +{{- end -}} + + +{{/* +Validate a value must not be empty. + +Usage: +{{ include "common.validations.value.empty" (dict "valueKey" "mariadb.password" "secret" "secretName" "field" "my-password" "context" $) }} + +Validate value params: + - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" + - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" + - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" +*/}} +{{- define "common.validations.values.single.empty" -}} + {{- $valueKeyArray := splitList "." 
.valueKey -}} + {{- $value := "" -}} + {{- $latestObj := $.context.Values -}} + {{- range $valueKeyArray -}} + {{- if not $latestObj -}} + {{- printf "please review the entire path of '%s' exists in values" $.valueKey | fail -}} + {{- end -}} + + {{- $value = ( index $latestObj . ) -}} + {{- $latestObj = $value -}} + {{- end -}} + + {{- if not $value -}} + {{- $varname := "my-value" -}} + {{- $getCurrentValue := "" -}} + {{- if and .secret .field -}} + {{- $varname = include "common.utils.fieldToEnvVar" . -}} + {{- $getCurrentValue = printf " To get the current value:\n\n %s\n" (include "common.utils.secret.getvalue" .) -}} + {{- end -}} + + {{- printf "\n '%s' must not be empty, please add '--set %s=$%s' to the command.%s" .valueKey .valueKey $varname $getCurrentValue -}} + {{- end -}} +{{- end -}} + +{{/* +Validate a mariadb required password must not be empty. + +Usage: +{{ include "common.validations.values.mariadb.passwords" (dict "secret" "secretName" "context" $) }} + +Validate value params: + - secret - String - Required. 
Name of the secret where mysql values are stored, e.g: "mysql-passwords-secret" +*/}} +{{- define "common.validations.values.mariadb.passwords" -}} + {{- if and (not .context.Values.mariadb.existingSecret) .context.Values.mariadb.enabled -}} + {{- $requiredPasswords := list -}} + + {{- if .context.Values.mariadb.secret.requirePasswords -}} + {{- $requiredRootMariadbPassword := dict "valueKey" "mariadb.rootUser.password" "secret" .secretName "field" "mariadb-root-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRootMariadbPassword -}} + + {{- if not (empty .context.Values.mariadb.db.user) -}} + {{- $requiredMariadbPassword := dict "valueKey" "mariadb.db.password" "secret" .secretName "field" "mariadb-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredMariadbPassword -}} + {{- end -}} + + {{- if .context.Values.mariadb.replication.enabled -}} + {{- $requiredReplicationPassword := dict "valueKey" "mariadb.replication.password" "secret" .secretName "field" "mariadb-replication-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{/* +Validate a postgresql required password must not be empty. + +Usage: +{{ include "common.validations.values.postgresql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where postgresql values are stored, e.g: "mysql-passwords-secret" + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.postgresql.passwords" -}} + {{- $existingSecret := include "common.postgresql.values.existingSecret" . -}} + {{- $enabled := include "common.postgresql.values.enabled" . 
-}} + {{- $valueKeyPostgresqlPassword := include "common.postgresql.values.key.postgressPassword" . -}} + {{- $enabledReplication := include "common.postgresql.values.enabled.replication" . -}} + {{- $valueKeyPostgresqlReplicationEnabled := include "common.postgresql.values.key.replicationPassword" . -}} + + {{- if and (not $existingSecret) $enabled -}} + {{- $requiredPasswords := list -}} + + {{- $requiredPostgresqlPassword := dict "valueKey" $valueKeyPostgresqlPassword "secret" .secret "field" "postgresql-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlPassword -}} + + {{- if $enabledReplication -}} + {{- $requiredPostgresqlReplicationPassword := dict "valueKey" $valueKeyPostgresqlReplicationEnabled "secret" .secret "field" "postgresql-replication-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlReplicationPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliar function to decide whether evaluate global values. + +Usage: +{{ include "common.postgresql.values.use.global" (dict "key" "key-of-global" "context" $) }} +Params: + - key - String - Required. Field to be evaluated within global, e.g: "existingSecret" +*/}} +{{- define "common.postgresql.values.use.global" -}} + {{- if .context.Values.global -}} + {{- if .context.Values.global.postgresql -}} + {{- index .context.Values.global.postgresql .key | quote -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliar function to get the right value for existingSecret. 
+ +Usage: +{{ include "common.postgresql.values.existingSecret" (dict "context" $) }} +*/}} +{{- define "common.postgresql.values.existingSecret" -}} + {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "existingSecret" "context" .context) -}} + + {{- if .subchart -}} + {{- default (.context.Values.postgresql.existingSecret | quote) $globalValue -}} + {{- else -}} + {{- default (.context.Values.existingSecret | quote) $globalValue -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliar function to get the right value for enabled postgresql. + +Usage: +{{ include "common.postgresql.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.postgresql.values.enabled" -}} + {{- if .subchart -}} + {{- .context.Values.postgresql.enabled | quote -}} + {{- else -}} + true + {{- end -}} +{{- end -}} + +{{/* +Auxiliar function to get the right value for the key postgressPassword. + +Usage: +{{ include "common.postgresql.values.key.postgressPassword" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.key.postgressPassword" -}} + {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "postgresqlUsername" "context" .context) -}} + + {{- if not $globalValue -}} + {{- if .subchart -}} + postgresql.postgresqlPassword + {{- else -}} + postgresqlPassword + {{- end -}} + {{- else -}} + global.postgresql.postgresqlPassword + {{- end -}} +{{- end -}} + +{{/* +Auxiliar function to get the right value for enabled.replication. + +Usage: +{{ include "common.postgresql.values.enabled.replication" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. 
Default: false +*/}} +{{- define "common.postgresql.values.enabled.replication" -}} + {{- if .subchart -}} + {{- .context.Values.postgresql.replication.enabled | quote -}} + {{- else -}} + {{- .context.Values.replication.enabled | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliar function to get the right value for the key replication.password. + +Usage: +{{ include "common.postgresql.values.key.replicationPassword" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.key.replicationPassword" -}} + {{- if .subchart -}} + postgresql.replication.password + {{- else -}} + replication.password + {{- end -}} +{{- end -}} diff --git a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/templates/_warnings.tpl b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/templates/_warnings.tpl new file mode 100644 index 000000000..ae10fa41e --- /dev/null +++ b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/templates/_warnings.tpl @@ -0,0 +1,14 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Warning about using rolling tag. +Usage: +{{ include "common.warnings.rollingTag" .Values.path.to.the.imageRoot }} +*/}} +{{- define "common.warnings.rollingTag" -}} + +{{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }} +WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. ++info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/ +{{- end }} + +{{- end -}} diff --git a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/values.yaml b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/values.yaml new file mode 100644 index 000000000..9ecdc93f5 
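Review bot: In `_validations.tpl`, the guard `{{- if and (not $existingSecret) $enabled -}}` in `common.validations.values.postgresql.passwords` looks like it can never be true, so the empty-password check that this commit wires into NOTES.txt would be skipped on upgrade. `$existingSecret`, `$enabled` and `$enabledReplication` come from `include`, which returns strings, and the `common.postgresql.values.*` helpers pipe through `quote`; an unset secret therefore arrives as the two-character string `""` and a disabled flag as `"false"`, both non-empty and so truthy. One way to restore the intent is to stop quoting in those helpers (emitting an empty string when unset) and compare the flags as strings, e.g. `(eq $enabled "true")` and `(eq $enabledReplication "true")`. Separately, `common.validations.values.mariadb.passwords` documents a `secret` parameter but reads `.secretName`, so its "To get the current value" hint is never printed.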
--- /dev/null +++ b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/charts/common/values.yaml @@ -0,0 +1,3 @@ +## bitnami/common +## It is required by CI/CD tools and processes. +exampleValue: common-chart diff --git a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/ci/commonAnnotations.yaml b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/ci/commonAnnotations.yaml new file mode 100644 index 000000000..f6977823c --- /dev/null +++ b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/ci/commonAnnotations.yaml @@ -0,0 +1,3 @@ +commonAnnotations: + helm.sh/hook: 'pre-install, pre-upgrade' + helm.sh/hook-weight: '-1' diff --git a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/requirements.lock b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/requirements.lock new file mode 100644 index 000000000..72e1642e2 --- /dev/null +++ b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/requirements.lock @@ -0,0 +1,6 @@ +dependencies: +- name: common + repository: https://charts.bitnami.com/bitnami + version: 0.6.2 +digest: sha256:740783295d301fdd168fafdbaa760de27ab54b0ff36b513589a5a2515072b885 +generated: "2020-09-01T17:40:02.795096189Z" diff --git a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/requirements.yaml b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/requirements.yaml new file mode 100644 index 000000000..2c28bfe14 --- /dev/null +++ b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/requirements.yaml @@ -0,0 +1,4 @@ +dependencies: + - name: common + version: 0.x.x + repository: https://charts.bitnami.com/bitnami diff --git a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/NOTES.txt b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/NOTES.txt index 3b5e6c60d..596e969ce 100644 --- a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/NOTES.txt 
+++ b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/NOTES.txt @@ -7,7 +7,7 @@ PostgreSQL can be accessed via port {{ template "postgresql.port" . }} on the fo {{ template "postgresql.fullname" . }}-read.{{ .Release.Namespace }}.svc.cluster.local - Read only connection {{- end }} -{{- if and .Values.postgresqlPostgresPassword (not (eq .Values.postgresqlUsername "postgres")) }} +{{- if and (not (eq .Values.postgresqlUsername "postgres")) (or .Values.postgresqlPostgresPassword (include "postgresql.useExistingSecret" .)) }} To get the password for "postgres" run: @@ -52,9 +52,8 @@ To connect to your database from outside the cluster execute the following comma {{- include "postgresql.validateValues" . -}} -{{- if and (contains "bitnami/" .Values.image.repository) (not (.Values.image.tag | toString | regexFind "-r\\d+$|sha256:")) }} +{{- include "common.warnings.rollingTag" .Values.image -}} -WARNING: Rolling tag detected ({{ .Values.image.repository }}:{{ .Values.image.tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. -+info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/ +{{- $passwordValidationErrors := include "common.validations.values.postgresql.passwords" (dict "secret" (include "postgresql.fullname" .) "context" $) -}} -{{- end }} +{{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $passwordValidationErrors) "context" $) -}} diff --git a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/_helpers.tpl b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/_helpers.tpl index 708434856..68cd0dc0e 100644 --- a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/_helpers.tpl +++ b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/_helpers.tpl 
@@ -220,13 +220,20 @@ Get the password secret. {{- end -}} {{- end -}} +{{/* +Return true if we should use an existingSecret. +*/}} +{{- define "postgresql.useExistingSecret" -}} +{{- if or .Values.global.postgresql.existingSecret .Values.existingSecret -}} + {{- true -}} +{{- end -}} +{{- end -}} + {{/* Return true if a secret object should be created */}} {{- define "postgresql.createSecret" -}} -{{- if .Values.global.postgresql.existingSecret }} -{{- else if .Values.existingSecret -}} -{{- else -}} +{{- if not (include "postgresql.useExistingSecret" .) -}} {{- true -}} {{- end -}} {{- end -}} @@ -253,6 +260,15 @@ Get the extended configuration ConfigMap name. {{- end -}} {{- end -}} +{{/* +Return true if a configmap should be mounted with PostgreSQL configuration +*/}} +{{- define "postgresql.mountConfigurationCM" -}} +{{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap }} + {{- true -}} +{{- end -}} +{{- end -}} + {{/* Get the initialization scripts ConfigMap name. */}} 
@@ -325,9 +341,9 @@ Get the readiness probe command {{- define "postgresql.readinessProbeCommand" -}} - | {{- if (include "postgresql.database" .) }} - exec pg_isready -U {{ include "postgresql.username" . | quote }} -d {{ (include "postgresql.database" .) | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }} + exec pg_isready -U {{ include "postgresql.username" . | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ template "postgresql.port" . }} {{- else }} - exec pg_isready -U {{ include "postgresql.username" . | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }} + exec pg_isready -U {{ include "postgresql.username" . | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ template "postgresql.port" . }} {{- end }} {{- if contains "bitnami/" .Values.image.repository }} [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ] @@ -399,6 +415,8 @@ Compile all warnings into a single message, and call fail. {{- define "postgresql.validateValues" -}} {{- $messages := list -}} {{- $messages := append $messages (include "postgresql.validateValues.ldapConfigurationMethod" .) -}} +{{- $messages := append $messages (include "postgresql.validateValues.psp" .) -}} +{{- $messages := append $messages (include "postgresql.validateValues.tls" .) -}} {{- $messages := without $messages "" -}} {{- $message := join "\n" $messages -}} 
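Review bot: In `postgresql.readinessProbeCommand` the database name is now interpolated raw into `-d "dbname={{ include "postgresql.database" . }} ..."`, where the removed line passed it through `quote`. The probe body looks like a shell script, and inside that double-quoted word and the libpq connection string a name containing a space, a quote or `$` changes how the command or the conninfo is parsed, so the probe can fail or check something other than the intended database. If such names must be supported, the value should be escaped for conninfo (single-quoted, with `'` and `\` backslash-escaped); otherwise it can be rejected in `postgresql.validateValues`. The template body starts and ends outside the hunk.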
@@ -418,3 +436,66 @@ postgresql: ldap.url, ldap.server More info at https://www.postgresql.org/docs/current/auth-ldap.html {{- end -}} {{- end -}} + +{{/* +Validate values of Postgresql - If PSP is enabled RBAC should be enabled too +*/}} +{{- define "postgresql.validateValues.psp" -}} +{{- if and .Values.psp.create (not .Values.rbac.create) }} +postgresql: psp.create, rbac.create + RBAC should be enabled if PSP is enabled in order for PSP to work. + More info at https://kubernetes.io/docs/concepts/policy/pod-security-policy/#authorizing-policies +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for podsecuritypolicy. +*/}} +{{- define "podsecuritypolicy.apiVersion" -}} +{{- if semverCompare "<1.10-0" .Capabilities.KubeVersion.GitVersion -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "policy/v1beta1" -}} +{{- end -}} +{{- end -}} + +{{/* +Validate values of Postgresql TLS - When TLS is enabled, so must be VolumePermissions +*/}} +{{- define "postgresql.validateValues.tls" -}} +{{- if and .Values.tls.enabled (not .Values.volumePermissions.enabled) }} +postgresql: tls.enabled, volumePermissions.enabled + When TLS is enabled you must enable volumePermissions as well to ensure certificates files have + the right permissions. +{{- end -}} +{{- end -}} + +{{/* +Return the path to the cert file. +*/}} +{{- define "postgresql.tlsCert" -}} +{{- required "Certificate filename is required when TLS in enabled" .Values.tls.certFilename | printf "/opt/bitnami/postgresql/certs/%s" -}} +{{- end -}} + +{{/* +Return the path to the cert key file. +*/}} +{{- define "postgresql.tlsCertKey" -}} +{{- required "Certificate Key filename is required when TLS in enabled" .Values.tls.certKeyFilename | printf "/opt/bitnami/postgresql/certs/%s" -}} +{{- end -}} + +{{/* +Return the path to the CA cert file. 
+*/}} +{{- define "postgresql.tlsCACert" -}} +{{- printf "/opt/bitnami/postgresql/certs/%s" .Values.tls.certCAFilename -}} +{{- end -}} + +{{/* +Return the path to the CRL file. +*/}} +{{- define "postgresql.tlsCRL" -}} +{{- if .Values.tls.crlFilename -}} +{{- printf "/opt/bitnami/postgresql/certs/%s" .Values.tls.crlFilename -}} +{{- end -}} +{{- end -}} diff --git a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/configmap.yaml b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/configmap.yaml index d2178c077..b29ef6040 100644 --- a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/configmap.yaml +++ b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/configmap.yaml @@ -4,10 +4,10 @@ kind: ConfigMap metadata: name: {{ template "postgresql.fullname" . }}-configuration labels: - app: {{ template "postgresql.name" . }} - chart: {{ template "postgresql.chart" . }} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} data: {{- if (.Files.Glob "files/postgresql.conf") }} {{ (.Files.Glob "files/postgresql.conf").AsConfig | indent 2 }} diff --git a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/extended-config-configmap.yaml b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/extended-config-configmap.yaml index 8a4119578..f21a97654 100644 --- a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/extended-config-configmap.yaml +++ b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/extended-config-configmap.yaml 
@@ -4,10 +4,10 @@ kind: ConfigMap metadata: name: {{ template "postgresql.fullname" . }}-extended-configuration labels: - app: {{ template "postgresql.name" . }} - chart: {{ template "postgresql.chart" . }} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} data: {{- with .Files.Glob "files/conf.d/*.conf" }} {{ .AsConfig | indent 2 }} diff --git a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/initialization-configmap.yaml b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/initialization-configmap.yaml index 8eb5e0588..6637867a3 100644 --- a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/initialization-configmap.yaml +++ b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/initialization-configmap.yaml @@ -4,10 +4,10 @@ kind: ConfigMap metadata: name: {{ template "postgresql.fullname" . }}-init-scripts labels: - app: {{ template "postgresql.name" . }} - chart: {{ template "postgresql.chart" . }} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} {{- with .Files.Glob "files/docker-entrypoint-initdb.d/*.sql.gz" }} binaryData: {{- range $path, $bytes := . }} diff --git a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/metrics-configmap.yaml b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/metrics-configmap.yaml index 524aa2f6a..6b7a3171e 100644 
--- a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/metrics-configmap.yaml +++ b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/metrics-configmap.yaml @@ -4,10 +4,10 @@ kind: ConfigMap metadata: name: {{ template "postgresql.metricsCM" . }} labels: - app: {{ template "postgresql.name" . }} - chart: {{ template "postgresql.chart" . }} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} data: custom-metrics.yaml: {{ toYaml .Values.metrics.customMetrics | quote }} {{- end }} diff --git a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/metrics-svc.yaml b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/metrics-svc.yaml index c610f09af..b993c9971 100644 --- a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/metrics-svc.yaml +++ b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/metrics-svc.yaml @@ -4,12 +4,12 @@ kind: Service metadata: name: {{ template "postgresql.fullname" . }}-metrics labels: - app: {{ template "postgresql.name" . }} - chart: {{ template "postgresql.chart" . }} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} + {{- include "common.labels.standard" . | nindent 4 }} annotations: -{{ toYaml .Values.metrics.service.annotations | indent 4 }} + {{- if .Values.commonAnnotations }} + {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- toYaml .Values.metrics.service.annotations | nindent 4 }} spec: type: {{ .Values.metrics.service.type }} {{- if and (eq .Values.metrics.service.type "LoadBalancer") .Values.metrics.service.loadBalancerIP }} 
@@ -20,7 +20,6 @@ spec: port: 9187 targetPort: http-metrics selector: - app: {{ template "postgresql.name" . }} - release: {{ .Release.Name }} + {{- include "common.labels.matchLabels" . | nindent 4 }} role: master {{- end }} diff --git a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/networkpolicy.yaml b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/networkpolicy.yaml index ea1fc9b3a..2a7b372fe 100644 --- a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/networkpolicy.yaml +++ b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/networkpolicy.yaml @@ -4,15 +4,14 @@ apiVersion: {{ template "postgresql.networkPolicy.apiVersion" . }} metadata: name: {{ template "postgresql.fullname" . }} labels: - app: {{ template "postgresql.name" . }} - chart: {{ template "postgresql.chart" . }} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} spec: podSelector: matchLabels: - app: {{ template "postgresql.name" . }} - release: {{ .Release.Name | quote }} + {{- include "common.labels.matchLabels" . | nindent 6 }} ingress: # Allow inbound connections - ports: @@ -28,8 +27,7 @@ spec: {{- end }} - podSelector: matchLabels: - app: {{ template "postgresql.name" . }} - release: {{ .Release.Name | quote }} + {{- include "common.labels.matchLabels" . | nindent 14 }} role: slave {{- end }} # Allow prometheus scrapes diff --git a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/podsecuritypolicy.yaml b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/podsecuritypolicy.yaml new file mode 100644 index 000000000..da0b3ab11 --- /dev/null 
+++ b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/podsecuritypolicy.yaml
@@ -0,0 +1,37 @@
+{{- if .Values.psp.create }}
+apiVersion: {{ include "podsecuritypolicy.apiVersion" . }}
+kind: PodSecurityPolicy
+metadata:
+ name: {{ template "postgresql.fullname" . }}
+ labels:
+ {{- include "common.labels.standard" . | nindent 4 }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ privileged: false
+ volumes:
+ - 'configMap'
+ - 'secret'
+ - 'persistentVolumeClaim'
+ - 'emptyDir'
+ - 'projected'
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ runAsUser:
+ rule: 'MustRunAsNonRoot'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1
+ max: 65535
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1
+ max: 65535
+ readOnlyRootFilesystem: false
+{{- end }}
diff --git a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/prometheusrule.yaml b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/prometheusrule.yaml
index 44f1242dd..b0c41b1a4 100644
--- a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/prometheusrule.yaml
+++ b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/prometheusrule.yaml
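Review bot: The new PodSecurityPolicy leaves `allowPrivilegeEscalation` unset and drops no capabilities, so a non-root container admitted under it can still gain privileges through setuid binaries or file capabilities; adding `allowPrivilegeEscalation: false` and `requiredDropCapabilities:` with `- ALL` under `spec` closes that. `seLinux` is `RunAsAny` and `readOnlyRootFilesystem` is `false`, which may be deliberate for this image but deserves a comment saying so. `runAsUser: MustRunAsNonRoot` also applies to init containers, and the `init-chmod-data` container elsewhere in this commit runs `chown`, which normally needs root, so `psp.create` together with `volumePermissions.enabled` looks likely to fail admission. None of the validation helpers added to `_helpers.tpl` in this commit checks that combination.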
@@ -7,13 +7,13 @@ metadata: namespace: {{ . }} {{- end }} labels: - app: {{ template "postgresql.name" . }} - chart: {{ template "postgresql.chart" . }} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} -{{- with .Values.metrics.prometheusRule.additionalLabels }} -{{ toYaml . | indent 4 }} -{{- end }} + {{- include "common.labels.standard" . | nindent 4 }} + {{- with .Values.metrics.prometheusRule.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} spec: {{- with .Values.metrics.prometheusRule.rules }} groups: diff --git a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/role.yaml b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/role.yaml new file mode 100644 index 000000000..6d3cf50a4 --- /dev/null +++ b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/role.yaml @@ -0,0 +1,19 @@ +{{- if .Values.rbac.create }} +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "postgresql.fullname" . }} + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +rules: + {{- if .Values.psp.create }} + - apiGroups: ["extensions"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: + - {{ template "postgresql.fullname" . }} + {{- end }} +{{- end }} diff --git a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/rolebinding.yaml b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/rolebinding.yaml new file mode 100644 index 000000000..f7837388d --- /dev/null +++ b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/rolebinding.yaml 
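Review bot: The new Role in `role.yaml` grants `use` on `podsecuritypolicies` in the `extensions` API group, while the `podsecuritypolicy.apiVersion` helper added in this commit creates the policy as `policy/v1beta1` on every cluster from 1.10 on. The Kubernetes documentation authorizes policies through the `policy` group. If a given cluster no longer honours the `extensions` group for this check, the policy exists but is never authorized for the service account, and the pods are admitted under some other policy or rejected. `- apiGroups: ["policy", "extensions"]` covers both cases.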
@@ -0,0 +1,19 @@ +{{- if .Values.rbac.create }} +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "postgresql.fullname" . }} + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +roleRef: + kind: Role + name: {{ template "postgresql.fullname" . }} + apiGroup: rbac.authorization.k8s.io +subjects: + - kind: ServiceAccount + name: {{ default (include "postgresql.fullname" . ) .Values.serviceAccount.name }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/secrets.yaml b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/secrets.yaml index 094d18b49..c93dbe0bd 100644 --- a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/secrets.yaml +++ b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/secrets.yaml @@ -4,10 +4,10 @@ kind: Secret metadata: name: {{ template "postgresql.fullname" . }} labels: - app: {{ template "postgresql.name" . }} - chart: {{ template "postgresql.chart" . }} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} type: Opaque data: {{- if and .Values.postgresqlPostgresPassword (not (eq .Values.postgresqlUsername "postgres")) }} diff --git a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/serviceaccount.yaml b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/serviceaccount.yaml index 27e5b516e..17f7ff399 100644 
--- a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/serviceaccount.yaml +++ b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/serviceaccount.yaml @@ -3,9 +3,9 @@ apiVersion: v1 kind: ServiceAccount metadata: labels: - app: {{ template "postgresql.name" . }} - chart: {{ template "postgresql.chart" . }} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} + {{- include "common.labels.standard" . | nindent 4 }} name: {{ template "postgresql.fullname" . }} -{{- end }} \ No newline at end of file + {{- if .Values.commonAnnotations }} + annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/servicemonitor.yaml b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/servicemonitor.yaml index f3a529a96..d57b7fb48 100644 --- a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/servicemonitor.yaml +++ b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/servicemonitor.yaml @@ -7,13 +7,14 @@ metadata: namespace: {{ .Values.metrics.serviceMonitor.namespace }} {{- end }} labels: - app: {{ template "postgresql.name" . }} - chart: {{ template "postgresql.chart" . }} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} + {{- include "common.labels.standard" . | nindent 4 }} {{- if .Values.metrics.serviceMonitor.additionalLabels }} -{{ toYaml .Values.metrics.serviceMonitor.additionalLabels | indent 4 }} + {{- toYaml .Values.metrics.serviceMonitor.additionalLabels | nindent 4 }} {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + spec: endpoints: - port: http-metrics 
@@ -28,6 +29,5 @@ spec: - {{ .Release.Namespace }} selector: matchLabels: - app: {{ template "postgresql.name" . }} - release: {{ .Release.Name }} + {{- include "common.labels.matchLabels" . | nindent 6 }} {{- end }} diff --git a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/statefulset-slaves.yaml b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/statefulset-slaves.yaml index b6d607672..54d24099f 100644 --- a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/statefulset-slaves.yaml +++ b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/statefulset-slaves.yaml 
@@ -4,33 +4,29 @@ kind: StatefulSet metadata: name: "{{ template "postgresql.fullname" . }}-slave" labels: - app: {{ template "postgresql.name" . }} - chart: {{ template "postgresql.chart" . }} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} + {{- include "common.labels.standard" . | nindent 4 }} {{- with .Values.slave.labels }} {{ toYaml . | indent 4 }} {{- end }} -{{- with .Values.slave.annotations }} annotations: -{{ toYaml . | indent 4 }} -{{- end }} + {{- if .Values.commonAnnotations }} + {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- with .Values.slave.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} spec: serviceName: {{ template "postgresql.fullname" . }}-headless replicas: {{ .Values.replication.slaveReplicas }} selector: matchLabels: - app: {{ template "postgresql.name" . }} - release: {{ .Release.Name | quote }} + {{- include "common.labels.matchLabels" . | nindent 6 }} role: slave template: metadata: name: {{ template "postgresql.fullname" . }} labels: - app: {{ template "postgresql.name" . }} - chart: {{ template "postgresql.chart" . }} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} + {{- include "common.labels.standard" . | nindent 8 }} role: slave {{- with .Values.slave.podLabels }} {{ toYaml . | indent 8 }} 
@@ -68,7 +64,7 @@ spec: {{- end }} {{- if or .Values.slave.extraInitContainers (and .Values.volumePermissions.enabled (or .Values.persistence.enabled (and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled))) }} initContainers: - {{- if and .Values.volumePermissions.enabled (or .Values.persistence.enabled (and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled)) }} + {{- if and .Values.volumePermissions.enabled (or .Values.persistence.enabled (and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled) .Values.tls.enabled) }} - name: init-chmod-data image: {{ template "postgresql.volumePermissions.image" . }} imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} 
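Review bot: Only the inner condition gained `.Values.tls.enabled`; the outer `if or .Values.slave.extraInitContainers (…)` on the context line above it is unchanged, so with TLS on, persistence off, no shm chmod and no extra init containers the `initContainers:` block is not rendered at all. In that case nothing copies the certificates into the `postgresql-certificates` volume and the server is pointed at certificate and key paths that do not exist. The outer guard needs the same operand, `(or .Values.persistence.enabled (and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled) .Values.tls.enabled)`. The `@@ -67,7 +64,7 @@` hunk in `statefulset.yaml` has the same gap for the master.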
@@ -79,10 +75,15 @@ spec: - /bin/sh - -cx - | - {{ if .Values.persistence.enabled }} - mkdir -p {{ .Values.persistence.mountPath }}/conf {{ .Values.persistence.mountPath }}/data - chmod 700 {{ .Values.persistence.mountPath }}/conf {{ .Values.persistence.mountPath }}/data - find {{ .Values.persistence.mountPath }} -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | \ + {{- if .Values.persistence.enabled }} + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + chown `id -u`:`id -G | cut -d " " -f2` {{ .Values.persistence.mountPath }} + {{- else }} + chown {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} {{ .Values.persistence.mountPath }} + {{- end }} + mkdir -p {{ .Values.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.persistence.mountPath }}/conf {{- end }} + chmod 700 {{ .Values.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.persistence.mountPath }}/conf {{- end }} + find {{ .Values.persistence.mountPath }} -mindepth 1 -maxdepth 1 {{- if not (include "postgresql.mountConfigurationCM" .) }} -not -name "conf" {{- end }} -not -name ".snapshot" -not -name "lost+found" | \ {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} xargs chown -R `id -u`:`id -G | cut -d " " -f2` {{- else }} 
@@ -92,6 +93,15 @@ spec: {{- if and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled }} chmod -R 777 /dev/shm {{- end }} + {{- if .Values.tls.enabled }} + cp /tmp/certs/* /opt/bitnami/postgresql/certs/ + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + chown -R `id -u`:`id -G | cut -d " " -f2` /opt/bitnami/postgresql/certs/ + {{- else }} + chown -R {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} /opt/bitnami/postgresql/certs/ + {{- end }} + chmod 600 {{ template "postgresql.tlsCertKey" . }} + {{- end }} {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} securityContext: {{- else }} @@ -108,6 +118,12 @@ spec: - name: dshm mountPath: /dev/shm {{- end }} + {{- if .Values.tls.enabled }} + - name: raw-certificates + mountPath: /tmp/certs + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + {{- end }} {{- end }} {{- if .Values.slave.extraInitContainers }} {{ tpl .Values.slave.extraInitContainers . | indent 8 }} @@ -158,7 +174,7 @@ spec: value: {{ template "postgresql.fullname" . }} - name: POSTGRES_MASTER_PORT_NUMBER value: {{ include "postgresql.port" . | quote }} - {{- if and .Values.postgresqlPostgresPassword (not (eq .Values.postgresqlUsername "postgres")) }} + {{- if and (not (eq .Values.postgresqlUsername "postgres")) (or .Values.postgresqlPostgresPassword (include "postgresql.useExistingSecret" .)) }} {{- if .Values.usePasswordFile }} - name: POSTGRES_POSTGRES_PASSWORD_FILE value: "/opt/bitnami/postgresql/secrets/postgresql-postgres-password" 
@@ -180,6 +196,24 @@ spec: name: {{ template "postgresql.secretName" . }} key: postgresql-password {{- end }} + - name: POSTGRESQL_ENABLE_TLS + value: {{ ternary "yes" "no" .Values.tls.enabled | quote }} + {{- if .Values.tls.enabled }} + - name: POSTGRESQL_TLS_PREFER_SERVER_CIPHERS + value: {{ ternary "yes" "no" .Values.tls.preferServerCiphers | quote }} + - name: POSTGRESQL_TLS_CERT_FILE + value: {{ template "postgresql.tlsCert" . }} + - name: POSTGRESQL_TLS_KEY_FILE + value: {{ template "postgresql.tlsCertKey" . }} + {{- if .Values.tls.certCAFilename }} + - name: POSTGRESQL_TLS_CA_FILE + value: {{ template "postgresql.tlsCACert" . }} + {{- end }} + {{- if .Values.tls.crlFilename }} + - name: POSTGRESQL_TLS_CRL_FILE + value: {{ template "postgresql.tlsCRL" . }} + {{- end }} + {{- end }} ports: - name: tcp-postgresql containerPort: {{ template "postgresql.port" . }} 
@@ -190,9 +224,9 @@ spec: - /bin/sh - -c {{- if (include "postgresql.database" .) }} - - exec pg_isready -U {{ include "postgresql.username" . | quote }} -d {{ (include "postgresql.database" .) | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }} + - exec pg_isready -U {{ include "postgresql.username" . | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ template "postgresql.port" . }} {{- else }} - - exec pg_isready -U {{ include "postgresql.username" . | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }} + - exec pg_isready -U {{ include "postgresql.username" . | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ template "postgresql.port" . }} {{- end }} initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} periodSeconds: {{ .Values.livenessProbe.periodSeconds }} @@ -236,6 +270,11 @@ spec: - name: postgresql-config mountPath: /bitnami/postgresql/conf {{- end }} + {{- if .Values.tls.enabled }} + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + readOnly: true + {{- end }} {{- if .Values.slave.extraVolumeMounts }} {{- toYaml .Values.slave.extraVolumeMounts | nindent 12 }} {{- end }} 
@@ -258,13 +297,20 @@ spec: configMap: name: {{ template "postgresql.extendedConfigurationCM" . }} {{- end }} + {{- if .Values.tls.enabled }} + - name: raw-certificates + secret: + secretName: {{ required "A secret containing TLS certificates is required when TLS is enabled" .Values.tls.certificatesSecret }} + - name: postgresql-certificates + emptyDir: {} + {{- end }} {{- if .Values.shmVolume.enabled }} - name: dshm emptyDir: medium: Memory sizeLimit: 1Gi {{- end }} - {{- if not .Values.persistence.enabled }} + {{- if or (not .Values.persistence.enabled) (not .Values.slave.persistence.enabled) }} - name: data emptyDir: {} {{- end }} @@ -276,7 +322,7 @@ spec: {{- if (eq "Recreate" .Values.updateStrategy.type) }} rollingUpdate: null {{- end }} -{{- if .Values.persistence.enabled }} +{{- if and .Values.persistence.enabled .Values.slave.persistence.enabled }} volumeClaimTemplates: - metadata: name: data diff --git a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/statefulset.yaml b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/statefulset.yaml index 66eaa01d1..0e6eefebb 100644 --- a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/statefulset.yaml +++ b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/statefulset.yaml 
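Review bot: The `postgresql-certificates` volume is a plain `emptyDir: {}`, so the init container copies the private key out of the Secret volume onto the node's disk-backed storage. Declaring it as `emptyDir:` with `medium: Memory`, as the `dshm` volume just below already does, keeps the key in memory for the life of the pod. The `@@ -408,6 +462,13 @@` hunk in `statefulset.yaml` adds the same two volumes and needs the same change. The `volumes:` list starts outside this hunk.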
@@ -3,15 +3,16 @@ kind: StatefulSet metadata: name: {{ template "postgresql.master.fullname" . }} labels: - app: {{ template "postgresql.name" . }} - chart: {{ template "postgresql.chart" . }} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} + {{- include "common.labels.standard" . | nindent 4 }} {{- with .Values.master.labels }} {{- toYaml . | nindent 4 }} {{- end }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} {{- with .Values.master.annotations }} - annotations: {{ toYaml . | nindent 4 }} + {{- toYaml . | nindent 4 }} {{- end }} spec: serviceName: {{ template "postgresql.fullname" . }}-headless @@ -23,20 +24,16 @@ spec: {{- end }} selector: matchLabels: - app: {{ template "postgresql.name" . }} - release: {{ .Release.Name | quote }} + {{- include "common.labels.matchLabels" . | nindent 6 }} role: master template: metadata: name: {{ template "postgresql.fullname" . }} labels: - app: {{ template "postgresql.name" . }} - chart: {{ template "postgresql.chart" . }} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} + {{- include "common.labels.standard" . | nindent 8 }} role: master {{- with .Values.master.podLabels }} - {{- toYaml . | indent 8 }} + {{- toYaml . | nindent 8 }} {{- end }} {{- with .Values.master.podAnnotations }} annotations: {{- toYaml . | nindent 8 }} 
@@ -67,7 +64,7 @@ spec: {{- end }} {{- if or .Values.master.extraInitContainers (and .Values.volumePermissions.enabled (or .Values.persistence.enabled (and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled))) }} initContainers: - {{- if and .Values.volumePermissions.enabled (or .Values.persistence.enabled (and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled)) }} + {{- if and .Values.volumePermissions.enabled (or .Values.persistence.enabled (and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled) .Values.tls.enabled) }} - name: init-chmod-data image: {{ template "postgresql.volumePermissions.image" . }} imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} 
@@ -79,9 +76,14 @@ spec: - -cx - | {{- if .Values.persistence.enabled }} - mkdir -p {{ .Values.persistence.mountPath }}/conf {{ .Values.persistence.mountPath }}/data - chmod 700 {{ .Values.persistence.mountPath }}/conf {{ .Values.persistence.mountPath }}/data - find {{ .Values.persistence.mountPath }} -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | \ + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + chown `id -u`:`id -G | cut -d " " -f2` {{ .Values.persistence.mountPath }} + {{- else }} + chown {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} {{ .Values.persistence.mountPath }} + {{- end }} + mkdir -p {{ .Values.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.persistence.mountPath }}/conf {{- end }} + chmod 700 {{ .Values.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.persistence.mountPath }}/conf {{- end }} + find {{ .Values.persistence.mountPath }} -mindepth 1 -maxdepth 1 {{- if not (include "postgresql.mountConfigurationCM" .) }} -not -name "conf" {{- end }} -not -name ".snapshot" -not -name "lost+found" | \ {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} xargs chown -R `id -u`:`id -G | cut -d " " -f2` {{- else }} 
@@ -91,6 +93,15 @@ spec: {{- if and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled }} chmod -R 777 /dev/shm {{- end }} + {{- if .Values.tls.enabled }} + cp /tmp/certs/* /opt/bitnami/postgresql/certs/ + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + chown -R `id -u`:`id -G | cut -d " " -f2` /opt/bitnami/postgresql/certs/ + {{- else }} + chown -R {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} /opt/bitnami/postgresql/certs/ + {{- end }} + chmod 600 {{ template "postgresql.tlsCertKey" . }} + {{- end }} {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} securityContext: {{- else }} @@ -107,9 +118,15 @@ spec: - name: dshm mountPath: /dev/shm {{- end }} + {{- if .Values.tls.enabled }} + - name: raw-certificates + mountPath: /tmp/certs + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + {{- end }} {{- end }} {{- if .Values.master.extraInitContainers }} - {{- tpl .Values.master.extraInitContainers . | nindent 8 }} + {{- include "postgresql.tplValue" ( dict "value" .Values.master.extraInitContainers "context" $ ) | nindent 8 }} {{- end }} {{- end }} {{- if .Values.master.priorityClassName }} @@ -177,7 +194,7 @@ spec: - name: POSTGRES_CLUSTER_APP_NAME value: {{ .Values.replication.applicationName }} {{- end }} - {{- if and .Values.postgresqlPostgresPassword (not (eq .Values.postgresqlUsername "postgres")) }} + {{- if and (not (eq .Values.postgresqlUsername "postgres")) (or .Values.postgresqlPostgresPassword (include "postgresql.useExistingSecret" .)) }} {{- if .Values.usePasswordFile }} - name: POSTGRES_POSTGRES_PASSWORD_FILE value: "/opt/bitnami/postgresql/secrets/postgresql-postgres-password" 
@@ -243,6 +260,24 @@ spec: - name: POSTGRESQL_LDAP_URL value: {{ .Values.ldap.url }} {{- end}} + - name: POSTGRESQL_ENABLE_TLS + value: {{ ternary "yes" "no" .Values.tls.enabled | quote }} + {{- if .Values.tls.enabled }} + - name: POSTGRESQL_TLS_PREFER_SERVER_CIPHERS + value: {{ ternary "yes" "no" .Values.tls.preferServerCiphers | quote }} + - name: POSTGRESQL_TLS_CERT_FILE + value: {{ template "postgresql.tlsCert" . }} + - name: POSTGRESQL_TLS_KEY_FILE + value: {{ template "postgresql.tlsCertKey" . }} + {{- if .Values.tls.certCAFilename }} + - name: POSTGRESQL_TLS_CA_FILE + value: {{ template "postgresql.tlsCACert" . }} + {{- end }} + {{- if .Values.tls.crlFilename }} + - name: POSTGRESQL_TLS_CRL_FILE + value: {{ template "postgresql.tlsCRL" . }} + {{- end }} + {{- end }} {{- if .Values.extraEnvVarsCM }} envFrom: - configMapRef: @@ -258,9 +293,9 @@ spec: - /bin/sh - -c {{- if (include "postgresql.database" .) }} - - exec pg_isready -U {{ include "postgresql.username" . | quote }} -d {{ (include "postgresql.database" .) | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }} + - exec pg_isready -U {{ include "postgresql.username" . | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ template "postgresql.port" . }} {{- else }} - - exec pg_isready -U {{ include "postgresql.username" . | quote }} -h 127.0.0.1 -p {{ template "postgresql.port" . }} + - exec pg_isready -U {{ include "postgresql.username" . | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ template "postgresql.port" . }} {{- end }} initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} periodSeconds: {{ .Values.livenessProbe.periodSeconds }} 
@@ -299,6 +334,11 @@ spec: - name: postgresql-password mountPath: /opt/bitnami/postgresql/secrets/ {{- end }} + {{- if .Values.tls.enabled }} + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + readOnly: true + {{- end }} {{- if .Values.shmVolume.enabled }} - name: dshm mountPath: /dev/shm @@ -328,8 +368,14 @@ spec: {{- end }} env: {{- $database := required "In order to enable metrics you need to specify a database (.Values.postgresqlDatabase or .Values.global.postgresql.postgresqlDatabase)" (include "postgresql.database" .) }} + {{- $sslmode := ternary "require" "disable" .Values.tls.enabled }} + {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} + - name: DATA_SOURCE_NAME + value: {{ printf "host=127.0.0.1 port=%d user=%s sslmode=%s sslcert=%s sslkey=%s" (int (include "postgresql.port" .)) (include "postgresql.username" .) $sslmode (include "postgresql.tlsCert" .) (include "postgresql.tlsCertKey" .) }} + {{- else }} - name: DATA_SOURCE_URI - value: {{ printf "127.0.0.1:%d/%s?sslmode=disable" (int (include "postgresql.port" .)) $database | quote }} + value: {{ printf "127.0.0.1:%d/%s?sslmode=%s" (int (include "postgresql.port" .)) $database $sslmode }} + {{- end }} {{- if .Values.usePasswordFile }} - name: DATA_SOURCE_PASS_FILE value: "/opt/bitnami/postgresql/secrets/postgresql-password" @@ -342,6 +388,9 @@ spec: {{- end }} - name: DATA_SOURCE_USER value: {{ template "postgresql.username" . }} + {{- if .Values.metrics.extraEnvVars }} + {{- include "postgresql.tplValue" (dict "value" .Values.metrics.extraEnvVars "context" $) | nindent 12 }} + {{- end }} {{- if .Values.livenessProbe.enabled }} livenessProbe: httpGet: 
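Review bot: The `DATA_SOURCE_NAME` branch builds its connection string without the database, although `$database` is declared `required` a few lines above, and both new `value:` lines lose the `| quote` that the removed `DATA_SOURCE_URI` line carried. Adding `dbname=%s` with `$database` to the `printf` and ending both values with `| quote` keeps the exporter on the intended database and keeps a user or database name with YAML-significant characters from changing the rendered manifest. `sslmode=require` encrypts the connection but does not verify the server certificate; that is tolerable for `127.0.0.1`, and a comment should say it is intentional. The `env:` list starts outside this hunk.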
@@ -369,6 +418,11 @@ spec: - name: postgresql-password mountPath: /opt/bitnami/postgresql/secrets/ {{- end }} + {{- if .Values.tls.enabled }} + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + readOnly: true + {{- end }} {{- if .Values.metrics.customMetrics }} - name: custom-metrics mountPath: /conf @@ -408,6 +462,13 @@ spec: secret: secretName: {{ template "postgresql.initdbScriptsSecret" . }} {{- end }} + {{- if .Values.tls.enabled }} + - name: raw-certificates + secret: + secretName: {{ required "A secret containing TLS certificates is required when TLS is enabled" .Values.tls.certificatesSecret }} + - name: postgresql-certificates + emptyDir: {} + {{- end }} {{- if .Values.master.extraVolumes }} {{- toYaml .Values.master.extraVolumes | nindent 8 }} {{- end }} diff --git a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/svc-headless.yaml b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/svc-headless.yaml index 5c71f468d..49131578a 100644 --- a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/svc-headless.yaml +++ b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/svc-headless.yaml @@ -3,10 +3,10 @@ kind: Service metadata: name: {{ template "postgresql.fullname" . }}-headless labels: - app: {{ template "postgresql.name" . }} - chart: {{ template "postgresql.chart" . }} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} spec: type: ClusterIP clusterIP: None @@ -15,5 +15,4 @@ spec: port: {{ template "postgresql.port" . }} targetPort: tcp-postgresql selector: - app: {{ template "postgresql.name" . }} - release: {{ .Release.Name | quote }} + {{- include "common.labels.matchLabels" . | nindent 4 }} 
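Review bot: The `postgresql-certificates` volume added in the `@@ -408,6 +462,13 @@` hunk is a default `emptyDir: {}`, which is backed by node disk. If the private key from `raw-certificates` is copied into it (the copy step is not in this hunk, so this is inferred from the volume names), the key ends up on node storage for the life of the pod; `emptyDir: {medium: Memory}` would keep it in tmpfs. The `raw-certificates` secret volume also sets no `defaultMode`, so the key file is mounted with the default mode rather than something like `defaultMode: 0400`; confirm that whatever consumes it can still read it before tightening.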
diff --git a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/svc-read.yaml b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/svc-read.yaml index 92bdda80e..885c7bb04 100644 --- a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/svc-read.yaml +++ b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/svc-read.yaml @@ -10,12 +10,13 @@ kind: Service metadata: name: {{ template "postgresql.fullname" . }}-read labels: - app: {{ template "postgresql.name" . }} - chart: {{ template "postgresql.chart" . }} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} + {{- include "common.labels.standard" . | nindent 4 }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} {{- if $serviceAnnotations }} - annotations: {{- include "postgresql.tplValue" (dict "value" $serviceAnnotations "context" $) | nindent 4 }} + {{- include "postgresql.tplValue" (dict "value" $serviceAnnotations "context" $) | nindent 4 }} {{- end }} spec: type: {{ $serviceType }} @@ -36,7 +37,6 @@ spec: nodePort: {{ $serviceNodePort }} {{- end }} selector: - app: {{ template "postgresql.name" . }} - release: {{ .Release.Name | quote }} + {{- include "common.labels.matchLabels" . | nindent 4 }} role: slave {{- end }} diff --git a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/svc.yaml b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/svc.yaml index 299e8d0b7..e9fc50456 100644 --- a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/svc.yaml +++ b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/templates/svc.yaml 
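Review bot: In the `@@ -10,12 +10,13 @@` hunk of svc-read.yaml `annotations:` is now emitted unconditionally, so when neither `commonAnnotations` nor `$serviceAnnotations` is set the Service renders a bare `annotations:` key with a null value. svc-headless.yaml in the same commit guards the key, and the same pattern repeats in the `@@ -9,12 +9,13 @@` hunk of svc.yaml. Wrapping the key, for example `{{- if or .Values.commonAnnotations $serviceAnnotations }}` before `annotations:` and a matching `{{- end }}` after the two includes, keeps the three templates consistent and avoids the empty key.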
@@ -9,12 +9,13 @@ kind: Service metadata: name: {{ template "postgresql.fullname" . }} labels: - app: {{ template "postgresql.name" . }} - chart: {{ template "postgresql.chart" . }} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} + {{- include "common.labels.standard" . | nindent 4 }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} {{- if $serviceAnnotations }} - annotations: {{- include "postgresql.tplValue" (dict "value" $serviceAnnotations "context" $) | nindent 4 }} + {{- include "postgresql.tplValue" (dict "value" $serviceAnnotations "context" $) | nindent 4 }} {{- end }} spec: type: {{ $serviceType }} @@ -35,6 +36,5 @@ spec: nodePort: {{ $serviceNodePort }} {{- end }} selector: - app: {{ template "postgresql.name" . }} - release: {{ .Release.Name | quote }} + {{- include "common.labels.matchLabels" . | nindent 4 }} role: master diff --git a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/values-production.yaml b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/values-production.yaml index d34e326ee..c08014549 100644 --- a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/values-production.yaml +++ b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/values-production.yaml @@ -15,7 +15,7 @@ global: image: registry: docker.io repository: bitnami/postgresql - tag: 11.7.0-debian-10-r65 + tag: 11.9.0-debian-10-r1 ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images 
@@ -94,6 +94,16 @@ serviceAccount: ## Name of an already existing service account. Setting this value disables the automatic service account creation. # name: +## Pod Security Policy +## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ +psp: + create: false + +## Creates role for ServiceAccount +## Required for PSP +rbac: + create: false + replication: enabled: true user: repl_user @@ -101,7 +111,7 @@ replication: slaveReplicas: 2 ## Set synchronous commit mode: on, off, remote_apply, remote_write and local ## ref: https://www.postgresql.org/docs/9.6/runtime-config-wal.html#GUC-WAL-LEVEL - synchronousCommit: "on" + synchronousCommit: 'on' ## From the number of `slaveReplicas` defined above, set the number of those that will have synchronous replication ## NOTE: It cannot be > slaveReplicas numSynchronousReplicas: 1 @@ -221,17 +231,17 @@ extraEnv: [] ## ldap: enabled: false - url: "" - server: "" - port: "" - prefix: "" - suffix: "" - baseDN: "" - bindDN: "" + url: '' + server: '' + port: '' + prefix: '' + suffix: '' + baseDN: '' + bindDN: '' bind_password: - search_attr: "" - search_filter: "" - scheme: "" + search_attr: '' + search_filter: '' + scheme: '' tls: false ## PostgreSQL service configuration @@ -253,7 +263,6 @@ service: ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer ## # loadBalancerIP: - ## Load Balancer sources. Evaluated as a template. ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service ## @@ -301,7 +310,7 @@ persistence: ## The subdirectory of the volume to mount to, useful in dev environments ## and one PV for multiple services. ## - subPath: "" + subPath: '' # storageClass: "-" accessModes: @@ -330,7 +339,7 @@ master: annotations: {} podLabels: {} podAnnotations: {} - priorityClassName: "" + priorityClassName: '' ## Additional PostgreSQL Master Volume mounts ## extraVolumeMounts: [] 
@@ -372,14 +381,14 @@ slave: annotations: {} podLabels: {} podAnnotations: {} - priorityClassName: "" + priorityClassName: '' ## Extra init containers ## Example - ## + ## ## extraInitContainers: ## - name: do-something ## image: busybox - ## command: ['do', 'something'] + ## command: ['do', 'something'] extraInitContainers: [] ## Additional PostgreSQL Slave Volume mounts ## @@ -405,6 +414,10 @@ slave: # type: # nodePort: # clusterIP: + ## Whether to enable PostgreSQL slave replicas data Persistent + ## + persistence: + enabled: true ## Configure resource requests and limits ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ @@ -414,6 +427,10 @@ resources: memory: 256Mi cpu: 250m +## Add annotations to all the deployed resources +## +commonAnnotations: {} + networkPolicy: ## Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now. ## @@ -457,6 +474,33 @@ readinessProbe: failureThreshold: 6 successThreshold: 1 +## +## TLS configuration +## +tls: + # Enable TLS traffic + enabled: false + # + # Whether to use the server's TLS cipher preferences rather than the client's. + preferServerCiphers: true + # + # Name of the Secret that contains the certificates + certificatesSecret: '' + # + # Certificate filename + certFilename: '' + # + # Certificate Key filename + certKeyFilename: '' + # + # CA Certificate filename + # If provided, PostgreSQL will authenticate TLS/SSL clients by requesting them a certificate + # ref: https://www.postgresql.org/docs/9.6/auth-methods.html + certCAFilename: + # + # File containing a Certificate Revocation List + crlFilename: + ## Configure metrics exporter ## metrics: @@ -465,8 +509,8 @@ metrics: service: type: ClusterIP annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "9187" + prometheus.io/scrape: 'true' + prometheus.io/port: '9187' loadBalancerIP: serviceMonitor: enabled: false 
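Review bot: In the `tls:` block added by the `@@ -457,6 +474,33 @@` hunk, `certCAFilename:` and `crlFilename:` are left as bare keys (null) while their siblings use `''`; writing `certCAFilename: ''` and `crlFilename: ''` makes the intended type explicit. The comments do not say which fields become mandatory once `enabled: true`, and the templates in this commit only `required`-check `certificatesSecret`, so a line such as `# certFilename and certKeyFilename must be set when tls.enabled is true` would help. It is also worth stating in the comment that client certificates are only requested when `certCAFilename` is set, because the probes and the metrics exporter branch on that value. The same block is added to values.yaml in the `@@ -463,6 +479,33 @@` hunk.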
@@ -480,7 +524,7 @@ metrics: prometheusRule: enabled: false additionalLabels: {} - namespace: "" + namespace: '' ## These are just examples rules, please adapt them to your needs. ## Make sure to constraint the rules to the current postgresql service. ## rules: @@ -497,7 +541,7 @@ metrics: image: registry: docker.io repository: bitnami/postgres-exporter - tag: 0.8.0-debian-10-r72 + tag: 0.8.0-debian-10-r188 pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. ## Secrets must be manually created in the namespace. @@ -517,6 +561,14 @@ metrics: # - size_bytes: # usage: "GAUGE" # description: "Size of the database in bytes" + ## An array to add extra env vars to configure postgres-exporter + ## see: https://github.com/wrouesnel/postgres_exporter#environment-variables + ## For example: + # extraEnvVars: + # - name: PG_EXPORTER_DISABLE_DEFAULT_METRICS + # value: "true" + extraEnvVars: {} + ## Pod Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ ## diff --git a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/values.schema.json b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/values.schema.json index ac2de6e94..7b5e2efc3 100644 --- a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/values.schema.json +++ b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/values.schema.json @@ -72,8 +72,8 @@ "title": "Slave Replicas", "form": true, "hidden": { - "condition": false, - "value": "replication.enabled" + "value": false, + "path": "replication/enabled" } } } diff --git a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/values.yaml b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/values.yaml index e14709a5e..f45c4183d 100644 --- a/charts/artifactory-jcr/charts/artifactory/charts/postgresql/values.yaml +++ b/charts/artifactory-jcr/charts/artifactory/charts/postgresql/values.yaml 
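Review bot: The `@@ -517,6 +561,14 @@` hunk documents `extraEnvVars` as "An array" and shows a list in the example, but the default is written as a mapping, `extraEnvVars: {}`. The template only tests truthiness, so both render nothing, yet an override merged onto a map default is easy to get wrong and schema checks would see the wrong type; `extraEnvVars: []` matches the comment. The same default is added to values.yaml in the `@@ -523,6 +566,15 @@` hunk.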
@@ -15,7 +15,7 @@ global: image: registry: docker.io repository: bitnami/postgresql - tag: 11.7.0-debian-10-r65 + tag: 11.9.0-debian-10-r1 ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images @@ -79,7 +79,6 @@ volumePermissions: ## # schedulerName: - ## Pod Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ ## @@ -95,6 +94,16 @@ serviceAccount: ## Name of an already existing service account. Setting this value disables the automatic service account creation. # name: +## Pod Security Policy +## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ +psp: + create: false + +## Creates role for ServiceAccount +## Required for PSP +rbac: + create: false + replication: enabled: false user: repl_user @@ -102,7 +111,7 @@ replication: slaveReplicas: 1 ## Set synchronous commit mode: on, off, remote_apply, remote_write and local ## ref: https://www.postgresql.org/docs/9.6/runtime-config-wal.html#GUC-WAL-LEVEL - synchronousCommit: "off" + synchronousCommit: 'off' ## From the number of `slaveReplicas` defined above, set the number of those that will have synchronous replication ## NOTE: It cannot be > slaveReplicas numSynchronousReplicas: 0 @@ -222,17 +231,17 @@ extraEnv: [] ## ldap: enabled: false - url: "" - server: "" - port: "" - prefix: "" - suffix: "" - baseDN: "" - bindDN: "" + url: '' + server: '' + port: '' + prefix: '' + suffix: '' + baseDN: '' + bindDN: '' bind_password: - search_attr: "" - search_filter: "" - scheme: "" + search_attr: '' + search_filter: '' + scheme: '' tls: false ## PostgreSQL service configuration 
@@ -254,7 +263,6 @@ service: ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer ## # loadBalancerIP: - ## Load Balancer sources. Evaluated as a template. ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service ## @@ -302,7 +310,7 @@ persistence: ## The subdirectory of the volume to mount to, useful in dev environments ## and one PV for multiple services. ## - subPath: "" + subPath: '' # storageClass: "-" accessModes: @@ -331,14 +339,14 @@ master: annotations: {} podLabels: {} podAnnotations: {} - priorityClassName: "" + priorityClassName: '' ## Extra init containers ## Example - ## + ## ## extraInitContainers: ## - name: do-something ## image: busybox - ## command: ['do', 'something'] + ## command: ['do', 'something'] extraInitContainers: [] ## Additional PostgreSQL Master Volume mounts @@ -382,7 +390,7 @@ slave: annotations: {} podLabels: {} podAnnotations: {} - priorityClassName: "" + priorityClassName: '' extraInitContainers: | # - name: do-something # image: busybox @@ -411,6 +419,10 @@ slave: # type: # nodePort: # clusterIP: + ## Whether to enable PostgreSQL slave replicas data Persistent + ## + persistence: + enabled: true ## Configure resource requests and limits ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ @@ -420,6 +432,10 @@ resources: memory: 256Mi cpu: 250m +## Add annotations to all the deployed resources +## +commonAnnotations: {} + networkPolicy: ## Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now. ## 
@@ -463,6 +479,33 @@ readinessProbe: failureThreshold: 6 successThreshold: 1 +## +## TLS configuration +## +tls: + # Enable TLS traffic + enabled: false + # + # Whether to use the server's TLS cipher preferences rather than the client's. + preferServerCiphers: true + # + # Name of the Secret that contains the certificates + certificatesSecret: '' + # + # Certificate filename + certFilename: '' + # + # Certificate Key filename + certKeyFilename: '' + # + # CA Certificate filename + # If provided, PostgreSQL will authenticate TLS/SSL clients by requesting them a certificate + # ref: https://www.postgresql.org/docs/9.6/auth-methods.html + certCAFilename: + # + # File containing a Certificate Revocation List + crlFilename: + ## Configure metrics exporter ## metrics: @@ -471,8 +514,8 @@ metrics: service: type: ClusterIP annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "9187" + prometheus.io/scrape: 'true' + prometheus.io/port: '9187' loadBalancerIP: serviceMonitor: enabled: false @@ -486,7 +529,7 @@ metrics: prometheusRule: enabled: false additionalLabels: {} - namespace: "" + namespace: '' ## These are just examples rules, please adapt them to your needs. ## Make sure to constraint the rules to the current postgresql service. ## rules: @@ -503,7 +546,7 @@ metrics: image: registry: docker.io repository: bitnami/postgres-exporter - tag: 0.8.0-debian-10-r72 + tag: 0.8.0-debian-10-r188 pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. ## Secrets must be manually created in the namespace. 
@@ -515,7 +558,7 @@ metrics: ## ref: https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file # customMetrics: # pg_database: - # query: "SELECT d.datname AS name, CASE WHEN pg_catalog.has_database_privilege(d.datname, 'CONNECT') THEN pg_catalog.pg_database_size(d.datname) ELSE 0 END AS size FROM pg_catalog.pg_database d where datname not in ('template0', 'template1', 'postgres')" + # query: "SELECT d.datname AS name, CASE WHEN pg_catalog.has_database_privilege(d.datname, 'CONNECT') THEN pg_catalog.pg_database_size(d.datname) ELSE 0 END AS size_bytes FROM pg_catalog.pg_database d where datname not in ('template0', 'template1', 'postgres')" # metrics: # - name: # usage: "LABEL" @@ -523,6 +566,15 @@ metrics: # - size_bytes: # usage: "GAUGE" # description: "Size of the database in bytes" + # + ## An array to add extra env vars to configure postgres-exporter + ## see: https://github.com/wrouesnel/postgres_exporter#environment-variables + ## For example: + # extraEnvVars: + # - name: PG_EXPORTER_DISABLE_DEFAULT_METRICS + # value: "true" + extraEnvVars: {} + ## Pod Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ ## diff --git a/charts/artifactory-jcr/charts/artifactory/ci/access-tls-values.yaml b/charts/artifactory-jcr/charts/artifactory/ci/access-tls-values.yaml index 21ffa5d6b..4dabc956e 100644 --- a/charts/artifactory-jcr/charts/artifactory/ci/access-tls-values.yaml +++ b/charts/artifactory-jcr/charts/artifactory/ci/access-tls-values.yaml @@ -1,5 +1,9 @@ databaseUpgradeReady: true - +# To Fix ct tool --reuse-values - PASSWORDS ERROR: you must provide your current passwords when upgrade the release +postgresql: + image: + tag: 12.3.0-debian-10-r71 + postgresqlPassword: password access: accessConfig: security: diff --git a/charts/artifactory-jcr/charts/artifactory/ci/default-values.yaml b/charts/artifactory-jcr/charts/artifactory/ci/default-values.yaml index 31e0908c2..a43d84d26 100644 
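Review bot: The access-tls-values.yaml hunk commits `postgresqlPassword: password`, and the same literal is added to default-values.yaml, global-values.yaml and migration-disabled-values.yaml later in this commit. The existing comment explains why `ct` needs a fixed value but not that it is a throwaway; these files sit inside the chart directory, so they are easy to copy as a starting point. I would extend the comment, for example `# CI-only placeholder credential for ct upgrade tests; never use in a real deployment`, and check that `ci/` is excluded from the packaged chart.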
--- a/charts/artifactory-jcr/charts/artifactory/ci/default-values.yaml +++ b/charts/artifactory-jcr/charts/artifactory/ci/default-values.yaml @@ -1,2 +1,6 @@ # Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml. databaseUpgradeReady: true + +# To Fix ct tool --reuse-values - PASSWORDS ERROR: you must provide your current passwords when upgrade the release +postgresql: + postgresqlPassword: password diff --git a/charts/artifactory-jcr/charts/artifactory/ci/derby-test-values.yaml b/charts/artifactory-jcr/charts/artifactory/ci/derby-test-values.yaml new file mode 100644 index 000000000..cb86aaf54 --- /dev/null +++ b/charts/artifactory-jcr/charts/artifactory/ci/derby-test-values.yaml @@ -0,0 +1,4 @@ +databaseUpgradeReady: true + +postgresql: + enabled: false diff --git a/charts/artifactory-jcr/charts/artifactory/ci/global-values.yaml b/charts/artifactory-jcr/charts/artifactory/ci/global-values.yaml new file mode 100644 index 000000000..8c964a822 --- /dev/null +++ b/charts/artifactory-jcr/charts/artifactory/ci/global-values.yaml 
@@ -0,0 +1,47 @@ +databaseUpgradeReady: true +# To Fix ct tool --reuse-values - PASSWORDS ERROR: you must provide your current passwords when upgrade the release +postgresql: + postgresqlPassword: password +global: + versions: + artifactory: 7.11.2 + masterKey: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF + joinKey: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE + customInitContainers: | + - name: "custom-setup" + image: "{{ .Values.initContainerImage }}" + imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}" + command: + - 'sh' + - '-c' + - 'touch {{ .Values.artifactory.persistence.mountPath }}/example-custom-setup' + volumeMounts: + - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + name: artifactory-volume + # Add custom volumes + customVolumes: | + - name: custom-script + emptyDir: + sizeLimit: 100Mi + # Add custom volumesMounts + customVolumeMounts: | + - name: custom-script + mountPath: "/scripts" + # Add custom sidecar containers + customSidecarContainers: | + - name: "sidecar-list-etc" + image: "{{ .Values.initContainerImage }}" + imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}" + securityContext: + allowPrivilegeEscalation: false + command: ["sh","-c","echo 'Sidecar is running' >> /scripts/sidecar.txt; cat /scripts/sidecar.txt; while true; do sleep 30; done"] + volumeMounts: + - mountPath: "/scripts" + name: custom-script + resources: + requests: + memory: "32Mi" + cpu: "50m" + limits: + memory: "128Mi" + cpu: "100m" diff --git a/charts/artifactory-jcr/charts/artifactory/ci/migration-disabled-values.yaml b/charts/artifactory-jcr/charts/artifactory/ci/migration-disabled-values.yaml index d3754dfab..f79cbc02f 100644 --- a/charts/artifactory-jcr/charts/artifactory/ci/migration-disabled-values.yaml +++ b/charts/artifactory-jcr/charts/artifactory/ci/migration-disabled-values.yaml 
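Review bot: `global.masterKey` and `global.joinKey` in this new file are fixed all-`F` and all-`E` strings with no comment saying they are test values. Because the same keys under `global:` are what the new `artifactory.masterKey` and `artifactory.joinKey` helpers resolve first, a copy of this file into a real deployment would silently install well-known keys. A comment above them, such as `# CI-only placeholder keys; generate unique values for any real install`, makes that explicit.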
@@ -1,4 +1,7 @@ databaseUpgradeReady: true +# To Fix ct tool --reuse-values - PASSWORDS ERROR: you must provide your current passwords when upgrade the release +postgresql: + postgresqlPassword: password artifactory: migration: enabled: false diff --git a/charts/artifactory-jcr/charts/artifactory/requirements.lock b/charts/artifactory-jcr/charts/artifactory/requirements.lock index 380a78039..5d2c91dcb 100644 --- a/charts/artifactory-jcr/charts/artifactory/requirements.lock +++ b/charts/artifactory-jcr/charts/artifactory/requirements.lock @@ -1,6 +1,6 @@ dependencies: - name: postgresql repository: https://charts.bitnami.com/bitnami - version: 8.7.3 -digest: sha256:7c0ecc958c9d90f0b5c3843621674788b414ea0497ea6053e8c46531545a47d3 -generated: "2020-07-29T12:32:44.070736848Z" + version: 9.3.4 +digest: sha256:6c6c7ebc7f0c35a6df917879cd7c51e226f31a4d320e053b3620c5476287e9b8 +generated: "2020-09-02T09:42:55.758957+05:30" diff --git a/charts/artifactory-jcr/charts/artifactory/requirements.yaml b/charts/artifactory-jcr/charts/artifactory/requirements.yaml index bedbccf5a..3e98e794a 100644 --- a/charts/artifactory-jcr/charts/artifactory/requirements.yaml +++ b/charts/artifactory-jcr/charts/artifactory/requirements.yaml @@ -1,5 +1,5 @@ dependencies: - name: postgresql - version: 8.7.3 + version: 9.3.4 repository: https://charts.bitnami.com/bitnami condition: postgresql.enabled diff --git a/charts/artifactory-jcr/charts/artifactory/security-mitigation.yaml b/charts/artifactory-jcr/charts/artifactory/security-mitigation.yaml new file mode 100644 index 000000000..65479bf05 --- /dev/null +++ b/charts/artifactory-jcr/charts/artifactory/security-mitigation.yaml 
@@ -0,0 +1,19 @@ +## Apache License Version 2.0 +## http://www.apache.org/licenses/LICENSE-2.0.txt + +## Schema version of this YAML file +schemaVersion: v1 + +## Overall mitigation summary +summary: Security mitigation information for this application is tracked by the security-mitigation.yaml file that's part of this helm chart. + +## Mitigation notes for individual CVEs +mitigations: + - cves: + - CVE-2017-8399 + ## Indicates package Uri for which the security mitigation is provided. helm://… || docker://… + affectedPackageUri: helm://jfrog/artifactory + ## Which chart versions this cve note belongs to + affectedVersions: ">= 10.1.0" + ## Description / note + description: This CVE needs to be fixed in the alpine base image of nginx container. diff --git a/charts/artifactory-jcr/charts/artifactory/templates/_helpers.tpl b/charts/artifactory-jcr/charts/artifactory/templates/_helpers.tpl index d683ca231..14b571f91 100644 --- a/charts/artifactory-jcr/charts/artifactory/templates/_helpers.tpl +++ b/charts/artifactory-jcr/charts/artifactory/templates/_helpers.tpl 
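Review bot: The `description` for CVE-2017-8399 records where the fix has to happen ("the alpine base image of nginx container") but not a mitigation: it does not say whether the chart is exposed in its default configuration, what an operator can do in the meantime, or which image tag will carry the fix. Since `affectedVersions: ">= 10.1.0"` is open-ended, the entry will keep applying to every future release until someone edits it. I would add the exposure assessment and an interim action to `description`, and bound `affectedVersions` once a fixed image is known. The top-level `summary` only points back at this same file and could state the chart's overall status instead.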
@@ -83,3 +83,155 @@ Scheme (http/https) based on Access TLS enabled/disabled {{- printf "%s" "http" -}} {{- end -}} {{- end -}} + +{{/* +Resolve joinKey value +*/}} +{{- define "artifactory.joinKey" -}} +{{- if .Values.global.joinKey -}} +{{- .Values.global.joinKey -}} +{{- else if .Values.artifactory.joinKey -}} +{{- .Values.artifactory.joinKey -}} +{{- end -}} +{{- end -}} + +{{/* +Resolve masterKey value +*/}} +{{- define "artifactory.masterKey" -}} +{{- if .Values.global.masterKey -}} +{{- .Values.global.masterKey -}} +{{- else if .Values.artifactory.masterKey -}} +{{- .Values.artifactory.masterKey -}} +{{- end -}} +{{- end -}} + +{{/* +Resolve joinKeySecretName value +*/}} +{{- define "artifactory.joinKeySecretName" -}} +{{- if .Values.global.joinKeySecretName -}} +{{- .Values.global.joinKeySecretName -}} +{{- else if .Values.artifactory.joinKeySecretName -}} +{{- .Values.artifactory.joinKeySecretName -}} +{{- else -}} +{{ include "artifactory.fullname" . }} +{{- end -}} +{{- end -}} + +{{/* +Resolve masterKeySecretName value +*/}} +{{- define "artifactory.masterKeySecretName" -}} +{{- if .Values.global.masterKeySecretName -}} +{{- .Values.global.masterKeySecretName -}} +{{- else if .Values.artifactory.masterKeySecretName -}} +{{- .Values.artifactory.masterKeySecretName -}} +{{- else -}} +{{ include "artifactory.fullname" . }} +{{- end -}} +{{- end -}} + +{{/* +Resolve imagePullSecrets value +*/}} +{{- define "artifactory.imagePullSecrets" -}} +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- else if .Values.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.imagePullSecrets }} + - name: {{ . 
}} +{{- end }} +{{- end -}} +{{- end -}} + +{{/* +Resolve customInitContainersBegin value +*/}} +{{- define "artifactory.customInitContainersBegin" -}} +{{- if .Values.global.customInitContainersBegin -}} +{{- .Values.global.customInitContainersBegin -}} +{{- else if .Values.artifactory.customInitContainersBegin -}} +{{- .Values.artifactory.customInitContainersBegin -}} +{{- end -}} +{{- end -}} + +{{/* +Resolve customInitContainers value +*/}} +{{- define "artifactory.customInitContainers" -}} +{{- if .Values.global.customInitContainers -}} +{{- .Values.global.customInitContainers -}} +{{- else if .Values.artifactory.customInitContainers -}} +{{- .Values.artifactory.customInitContainers -}} +{{- end -}} +{{- end -}} + +{{/* +Resolve customVolumes value +*/}} +{{- define "artifactory.customVolumes" -}} +{{- if .Values.global.customVolumes -}} +{{- .Values.global.customVolumes -}} +{{- else if .Values.artifactory.customVolumes -}} +{{- .Values.artifactory.customVolumes -}} +{{- end -}} +{{- end -}} + +{{/* +Resolve customVolumeMounts value +*/}} +{{- define "artifactory.customVolumeMounts" -}} +{{- if .Values.global.customVolumeMounts -}} +{{- .Values.global.customVolumeMounts -}} +{{- else if .Values.artifactory.customVolumeMounts -}} +{{- .Values.artifactory.customVolumeMounts -}} +{{- end -}} +{{- end -}} + +{{/* +Resolve customSidecarContainers value +*/}} +{{- define "artifactory.customSidecarContainers" -}} +{{- if .Values.global.customSidecarContainers -}} +{{- .Values.global.customSidecarContainers -}} +{{- else if .Values.artifactory.customSidecarContainers -}} +{{- .Values.artifactory.customSidecarContainers -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper artifactory chart image names +*/}} +{{- define "artifactory.getImageInfoByValue" -}} +{{- $dot := index . 0 }} +{{- $indexReference := index . 
1 }} +{{- $registryName := index $dot.Values $indexReference "image" "registry" -}} +{{- $repositoryName := index $dot.Values $indexReference "image" "repository" -}} +{{- $tag := default $dot.Chart.AppVersion (index $dot.Values $indexReference "image" "tag") | toString -}} +{{- if $dot.Values.global }} + {{- if and $dot.Values.global.versions.artifactory (or (eq $indexReference "artifactory") (eq $indexReference "nginx") ) }} + {{- $tag = $dot.Values.global.versions.artifactory | toString -}} + {{- end -}} + {{- if $dot.Values.global.imageRegistry }} + {{- printf "%s/%s:%s" $dot.Values.global.imageRegistry $repositoryName $tag -}} + {{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} + {{- end -}} +{{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper artifactory app version +*/}} +{{- define "artifactory.app.version" -}} +{{- $image := split ":" ((include "artifactory.getImageInfoByValue" (list . "artifactory")) | toString) -}} +{{- $tag := $image._1 -}} +{{- printf "%s" $tag -}} +{{- end -}} diff --git a/charts/artifactory-jcr/charts/artifactory/templates/additional-resources.yaml b/charts/artifactory-jcr/charts/artifactory/templates/additional-resources.yaml new file mode 100644 index 000000000..c4d06f08a --- /dev/null +++ b/charts/artifactory-jcr/charts/artifactory/templates/additional-resources.yaml @@ -0,0 +1,3 @@ +{{ if .Values.additionalResources }} +{{ tpl .Values.additionalResources . }} +{{- end -}} diff --git a/charts/artifactory-jcr/charts/artifactory/templates/artifactory-access-config.yaml b/charts/artifactory-jcr/charts/artifactory/templates/artifactory-access-config.yaml index 700e65608..304304e4e 100644 --- a/charts/artifactory-jcr/charts/artifactory/templates/artifactory-access-config.yaml +++ b/charts/artifactory-jcr/charts/artifactory/templates/artifactory-access-config.yaml 
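Review bot: `artifactory.app.version` splits the image reference on `:` and takes `$image._1`, which is only the tag when the registry part has no port. With `global.imageRegistry` or `image.registry` set to something like `registry.example:5000` (constructed example), `_1` becomes `5000/<repository>` and that string is used as the app version. Taking the last element instead fixes it: `{{- $tag := last (splitList ":" (include "artifactory.getImageInfoByValue" (list . "artifactory"))) -}}`. Separately, `artifactory.getImageInfoByValue` dereferences `$dot.Values.global.versions.artifactory` whenever `global` is non-empty, which would fail to render if `global.versions` is not defined in the chart defaults (not visible in this hunk); `(and $dot.Values.global.versions $dot.Values.global.versions.artifactory)` would make that safe.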
@@ -10,6 +10,6 @@ metadata: release: {{ .Release.Name }} type: Opaque stringData: - access.config.import.yml: | + access.config.patch.yml: | {{ tpl (toYaml .Values.access.accessConfig) . | indent 4 }} {{- end }} diff --git a/charts/artifactory-jcr/charts/artifactory/templates/artifactory-custom-secrets.yaml b/charts/artifactory-jcr/charts/artifactory/templates/artifactory-custom-secrets.yaml index ab2e8324c..a2e3895f5 100644 --- a/charts/artifactory-jcr/charts/artifactory/templates/artifactory-custom-secrets.yaml +++ b/charts/artifactory-jcr/charts/artifactory/templates/artifactory-custom-secrets.yaml @@ -4,7 +4,7 @@ apiVersion: v1 kind: Secret metadata: - name: {{ .name }} + name: {{ template "artifactory.fullname" $ }}-{{ .name }} labels: app: "{{ template "artifactory.name" $ }}" chart: "{{ template "artifactory.chart" $ }}" diff --git a/charts/artifactory-jcr/charts/artifactory/templates/artifactory-migration-scripts.yaml b/charts/artifactory-jcr/charts/artifactory/templates/artifactory-migration-scripts.yaml index edca83ed3..4b1ba4027 100644 --- a/charts/artifactory-jcr/charts/artifactory/templates/artifactory-migration-scripts.yaml +++ b/charts/artifactory-jcr/charts/artifactory/templates/artifactory-migration-scripts.yaml @@ -1,3 +1,4 @@ +{{- if .Values.artifactory.migration.enabled }} apiVersion: v1 kind: ConfigMap metadata: @@ -13,4 +14,5 @@ data: migrationHelmInfo.yaml: | {{ .Files.Get "files/migrationHelmInfo.yaml" | indent 4 }} migrationStatus.sh: | -{{ .Files.Get "files/migrationStatus.sh" | indent 4 }} \ No newline at end of file +{{ .Files.Get "files/migrationStatus.sh" | indent 4 }} +{{- end }} \ No newline at end of file diff --git a/charts/artifactory-jcr/charts/artifactory/templates/artifactory-secrets.yaml b/charts/artifactory-jcr/charts/artifactory/templates/artifactory-secrets.yaml index a1d772429..3ac8e3a74 100644 --- a/charts/artifactory-jcr/charts/artifactory/templates/artifactory-secrets.yaml 
+++ b/charts/artifactory-jcr/charts/artifactory/templates/artifactory-secrets.yaml @@ -9,9 +9,13 @@ metadata: release: {{ .Release.Name }} type: Opaque data: - {{- if and .Values.artifactory.masterKey (not .Values.artifactory.masterKeySecretName) }} - master-key: {{ .Values.artifactory.masterKey | b64enc | quote }} + {{- if or .Values.artifactory.masterKey .Values.global.masterKey }} + {{- if not (or .Values.artifactory.masterKeySecretName .Values.global.masterKeySecretName) }} + master-key: {{ include "artifactory.masterKey" . | b64enc | quote }} + {{- end }} + {{- end }} + {{- if or .Values.artifactory.joinKey .Values.global.joinKey }} + {{- if not (or .Values.artifactory.joinKeySecretName .Values.global.joinKeySecretName) }} + join-key: {{ include "artifactory.joinKey" . | b64enc | quote }} {{- end }} - {{- if and .Values.artifactory.joinKey (not .Values.artifactory.joinKeySecretName) }} - join-key: {{ .Values.artifactory.joinKey | b64enc | quote }} {{- end }} diff --git a/charts/artifactory-jcr/charts/artifactory/templates/artifactory-service.yaml b/charts/artifactory-jcr/charts/artifactory/templates/artifactory-service.yaml index f1f2be4a9..27f552979 100644 --- a/charts/artifactory-jcr/charts/artifactory/templates/artifactory-service.yaml +++ b/charts/artifactory-jcr/charts/artifactory/templates/artifactory-service.yaml 
@@ -25,23 +25,23 @@ spec: - port: {{ .Values.artifactory.externalPort }} targetPort: {{ .Values.artifactory.internalPort }} protocol: TCP - name: router + name: http-router - port: {{ .Values.artifactory.externalArtifactoryPort }} targetPort: {{ .Values.artifactory.internalArtifactoryPort }} protocol: TCP - name: artifactory + name: http-artifactory {{- if .Values.artifactory.ssh.enabled }} - port: {{ .Values.artifactory.ssh.externalPort }} targetPort: {{ .Values.artifactory.ssh.internalPort }} protocol: TCP - name: ssh + name: tcp-ssh {{- end }} {{- with .Values.artifactory.javaOpts.jmx }} {{- if .enabled }} - port: {{ .port }} targetPort: {{ .port }} protocol: TCP - name: jmx + name: tcp-jmx {{- end }} {{- end }} selector: diff --git a/charts/artifactory-jcr/charts/artifactory/templates/artifactory-statefulset.yaml b/charts/artifactory-jcr/charts/artifactory/templates/artifactory-statefulset.yaml index 3680caf0e..524fcbcbf 100644 --- a/charts/artifactory-jcr/charts/artifactory/templates/artifactory-statefulset.yaml +++ b/charts/artifactory-jcr/charts/artifactory/templates/artifactory-statefulset.yaml 
@@ -12,7 +12,7 @@ metadata: {{ toYaml . | indent 4 }} {{- end }} {{- if and .Release.IsUpgrade .Values.postgresql.enabled }} - databaseUpgradeReady: {{ required "\n\n*********\nIMPORTANT: UPGRADE STOPPED to prevent data loss!\nReview CHANGELOG.md (https://github.com/jfrog/charts/blob/master/stable/artifactory/CHANGELOG.md), pass postgresql.image.tag=9.6.18-debian-10-r7 and databaseUpgradeReady=true if you are upgrading from chart version which has postgresql version 9.6.x." .Values.databaseUpgradeReady | quote }} + databaseUpgradeReady: {{ required "\n\n*********\nIMPORTANT: UPGRADE STOPPED to prevent data loss!\nReview CHANGELOG.md (https://github.com/jfrog/charts/blob/master/stable/artifactory/CHANGELOG.md) \nNote: This applies only when you are using bundled postgresql (postgresql.enabled=true) \nIf you are upgrading from a chart version (< 11.x) that has postgresql.image.tag of 9.x or 10.x, make sure to pass the current postgresql.image.tag and set databaseUpgradeReady=true \nOR \nIf you are upgrading from a chart version (>= 11.x), just set databaseUpgradeReady=true \n" .Values.databaseUpgradeReady | quote }} {{- end }} spec: serviceName: {{ template "artifactory.name" . }} @@ -37,6 +37,7 @@ spec: {{ toYaml . | indent 8 }} {{- end }} annotations: + checksum/database-secrets: {{ include (print $.Template.BasePath "/artifactory-database-secrets.yaml") . | sha256sum }} checksum/binarystore: {{ include (print $.Template.BasePath "/artifactory-binarystore-secret.yaml") . | sha256sum }} checksum/systemyaml: {{ include (print $.Template.BasePath "/artifactory-system-yaml.yaml") . | sha256sum }} {{- if .Values.access.accessConfig }} 
@@ -58,19 +59,25 @@ spec: {{- end }} serviceAccountName: {{ template "artifactory.serviceAccountName" . }} terminationGracePeriodSeconds: {{ .Values.artifactory.terminationGracePeriodSeconds }} - {{- if .Values.imagePullSecrets }} - imagePullSecrets: - - name: {{ .Values.imagePullSecrets }} + {{- if or .Values.imagePullSecrets .Values.global.imagePullSecrets }} +{{- include "artifactory.imagePullSecrets" . | indent 6 }} {{- end }} + {{- if .Values.artifactory.setSecurityContext }} securityContext: runAsUser: {{ .Values.artifactory.uid }} - fsGroup: {{ .Values.artifactory.uid }} + fsGroup: {{ .Values.artifactory.gid }} + {{- end }} initContainers: + {{- if or .Values.artifactory.customInitContainersBegin .Values.global.customInitContainersBegin }} +{{ tpl (include "artifactory.customInitContainersBegin" .) . | indent 6 }} + {{- end }} {{- if .Values.artifactory.persistence.enabled }} {{- if .Values.artifactory.deleteDBPropertiesOnStartup }} - name: "delete-db-properties" image: "{{ .Values.initContainerImage }}" imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} command: - 'sh' - '-c' @@ -82,6 +89,8 @@ spec: - name: "remove-lost-found" image: "{{ .Values.initContainerImage }}" imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} command: - 'sh' - '-c' @@ -94,6 +103,8 @@ spec: - name: "access-bootstrap-creds" image: "{{ .Values.initContainerImage }}" imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} command: - 'sh' - '-c' 
@@ -115,21 +126,26 @@ spec: {{- end }} - name: 'copy-system-yaml' image: '{{ .Values.initContainerImage }}' + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} command: - '/bin/sh' - '-c' - > - sleep 30; echo "Copy system.yaml to {{ .Values.artifactory.persistence.mountPath }}/etc"; mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc; mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc/access/keys/trusted; + {{- if .Values.systemYamlOverride.existingSecret }} + cp -fv /tmp/etc/{{ .Values.systemYamlOverride.dataKey }} {{ .Values.artifactory.persistence.mountPath }}/etc/system.yaml; + {{- else }} cp -fv /tmp/etc/system.yaml {{ .Values.artifactory.persistence.mountPath }}/etc/system.yaml; + {{- end }} echo "Remove {{ .Values.artifactory.persistence.mountPath }}/lost+found folder if exists"; rm -rfv {{ .Values.artifactory.persistence.mountPath }}/lost+found; {{- if .Values.access.accessConfig }} - echo "Copy access.config.latest.yml to {{ .Values.artifactory.persistence.mountPath }}/etc"; + echo "Copy access.config.patch.yml to {{ .Values.artifactory.persistence.mountPath }}/etc/access"; mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc/access; - cp -fv /tmp/etc/access.config.import.yml {{ .Values.artifactory.persistence.mountPath }}/etc/access/access.config.import.yml; + cp -fv /tmp/etc/access.config.patch.yml {{ .Values.artifactory.persistence.mountPath }}/etc/access/access.config.patch.yml; {{- end }} {{- if .Values.access.resetAccessCAKeys }} echo "Resetting Access CA Keys"; 
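Review bot: In the `copy-system-yaml` script the new `existingSecret` branch interpolates `.Values.systemYamlOverride.dataKey` straight into `cp -fv /tmp/etc/{{ … }}`, and nothing checks that it is set. With `existingSecret` given and `dataKey` left at its empty default from values.yaml, the source becomes the directory `/tmp/etc/`, so the copy cannot succeed and the problem only shows at pod start. Wrapping the value in `required` fails at render time instead: `{{ required "systemYamlOverride.dataKey is required when existingSecret is set" .Values.systemYamlOverride.dataKey }}`. The same value feeds `mountPath` and `subPath` of the `systemyaml` volume mount in the next hunk (`@@ -142,41 +158,48 @@`), so the check belongs there too. The script body starts above this hunk.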
@@ -142,41 +158,48 @@ spec: cp -fv /tmp/etc/tls.crt {{ .Values.artifactory.persistence.mountPath }}/bootstrap/etc/access/keys/ca.crt; cp -fv /tmp/etc/tls.key {{ .Values.artifactory.persistence.mountPath }}/bootstrap/etc/access/keys/ca.private.key; {{- end }} - {{- if or .Values.artifactory.joinKey .Values.artifactory.joinKeySecretName }} + {{- if or .Values.artifactory.joinKey .Values.global.joinKey .Values.artifactory.joinKeySecretName .Values.global.joinKeySecretName }} echo "Copy joinKey to {{ .Values.artifactory.persistence.mountPath }}/bootstrap/access/etc/security"; mkdir -p {{ .Values.artifactory.persistence.mountPath }}/bootstrap/access/etc/security; echo -n ${ARTIFACTORY_JOIN_KEY} > {{ .Values.artifactory.persistence.mountPath }}/bootstrap/access/etc/security/join.key; {{- end }} - {{- if or .Values.artifactory.masterKey .Values.artifactory.masterKeySecretName }} + {{- if or .Values.artifactory.masterKey .Values.global.masterKey .Values.artifactory.masterKeySecretName .Values.global.masterKeySecretName }} echo "Copy masterKey to {{ .Values.artifactory.persistence.mountPath }}/etc/security"; mkdir -p {{ .Values.artifactory.persistence.mountPath }}/etc/security; echo -n ${ARTIFACTORY_MASTER_KEY} > {{ .Values.artifactory.persistence.mountPath }}/etc/security/master.key; {{- end }} env: - {{- if or .Values.artifactory.joinKey .Values.artifactory.joinKeySecretName}} + {{- if or .Values.artifactory.joinKey .Values.global.joinKey .Values.artifactory.joinKeySecretName .Values.global.joinKeySecretName }} - name: ARTIFACTORY_JOIN_KEY valueFrom: secretKeyRef: - name: "{{ .Values.artifactory.joinKeySecretName | default (include "artifactory.fullname" .) }}" + name: {{ include "artifactory.joinKeySecretName" . 
}} key: join-key {{- end }} - {{- if or .Values.artifactory.masterKey .Values.artifactory.masterKeySecretName }} + {{- if or .Values.artifactory.masterKey .Values.global.masterKey .Values.artifactory.masterKeySecretName .Values.global.masterKeySecretName }} - name: ARTIFACTORY_MASTER_KEY valueFrom: secretKeyRef: - name: "{{ .Values.artifactory.masterKeySecretName | default (include "artifactory.fullname" .) }}" + name: {{ include "artifactory.masterKeySecretName" . }} key: master-key {{- end }} volumeMounts: - name: artifactory-volume mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} + {{- if or .Values.systemYamlOverride.existingSecret .Values.artifactory.systemYaml }} - name: systemyaml + {{- if .Values.systemYamlOverride.existingSecret }} + mountPath: "/tmp/etc/{{.Values.systemYamlOverride.dataKey}}" + subPath: {{ .Values.systemYamlOverride.dataKey }} + {{- else if .Values.artifactory.systemYaml }} mountPath: "/tmp/etc/system.yaml" subPath: system.yaml + {{- end }} + {{- end }} {{- if .Values.access.accessConfig }} - name: access-config - mountPath: "/tmp/etc/access.config.import.yml" - subPath: access.config.import.yml + mountPath: "/tmp/etc/access.config.patch.yml" + subPath: access.config.patch.yml {{- end }} {{- if .Values.access.customCertificatesSecretName }} - name: access-certs 
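Review bot: The join and master keys are written with `echo -n ${ARTIFACTORY_JOIN_KEY} > …/join.key` and `echo -n ${ARTIFACTORY_MASTER_KEY} > …/master.key`, and nothing in the visible script sets a umask or a file mode, so the files get whatever default the init image uses on the data volume; the widened guards in this hunk make more installs take that path. Consider `umask 077;` immediately before the first key write, after confirming that the Artifactory container reads the files as the same uid (presumably true while `setSecurityContext` is on), and quote the expansions, `echo -n "${ARTIFACTORY_MASTER_KEY}" > …`. The two `secretKeyRef` names also lost their surrounding quotes here; `name: {{ include "artifactory.joinKeySecretName" . | quote }}` keeps a digits-only secret name a string. The script itself begins outside the hunk.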
@@ -186,15 +209,17 @@ spec: mountPath: "/tmp/etc/tls.key" subPath: tls.key {{- end }} - {{- if .Values.artifactory.customPersistentPodVolumeClaim }} + {{- if and .Values.artifactory.customPersistentPodVolumeClaim (not .Values.artifactory.customPersistentPodVolumeClaim.skipPrepareContainer) }} - name: "prepare-custom-persistent-volume" image: "{{ .Values.initContainerImage }}" + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} command: - 'sh' - '-c' - > - echo "Setting ownership {{ .Values.artifactory.uid }}:{{ .Values.artifactory.uid }} on PVC {{ .Values.artifactory.customPersistentPodVolumeClaim.name }}" - chown -Rv {{ .Values.artifactory.uid }}:{{ .Values.artifactory.uid }} {{ .Values.artifactory.customPersistentPodVolumeClaim.mountPath }} + echo "Setting ownership {{ .Values.artifactory.uid }}:{{ .Values.artifactory.gid }} on PVC {{ .Values.artifactory.customPersistentPodVolumeClaim.name }}" + chown -Rv {{ .Values.artifactory.uid }}:{{ .Values.artifactory.gid }} {{ .Values.artifactory.customPersistentPodVolumeClaim.mountPath }} securityContext: runAsUser: 0 volumeMounts: @@ -202,9 +227,11 @@ spec: mountPath: {{ .Values.artifactory.customPersistentPodVolumeClaim.mountPath }} {{- end }} {{- if .Values.waitForDatabase }} - {{- if or .Values.postgresql.enabled }} + {{- if .Values.postgresql.enabled }} - name: "wait-for-db" image: "{{ .Values.initContainerImage }}" + resources: +{{ toYaml .Values.initContainers.resources | indent 10 }} command: - 'sh' - '-c' 
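Review bot: In the `prepare-custom-persistent-volume` command the rewritten `echo "Setting ownership …"` line has no trailing `;` before the `chown -Rv` line, unlike the other scripts visible in this diff. If both lines sit at the same indent under the `- >` folded scalar (the page has lost the indentation, so check this in the file), they fold into one command and `chown` is only printed, never run. The container would then run as root (`runAsUser: 0`) without changing any ownership. Ending the first line with `;` fixes it: `echo "Setting ownership {{ .Values.artifactory.uid }}:{{ .Values.artifactory.gid }} on PVC {{ .Values.artifactory.customPersistentPodVolumeClaim.name }}";`.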
@@ -214,12 +241,12 @@ spec: done; {{- end }} {{- end }} - {{- if .Values.artifactory.customInitContainers }} -{{ tpl .Values.artifactory.customInitContainers . | indent 6 }} + {{- if or .Values.artifactory.customInitContainers .Values.global.customInitContainers }} +{{ tpl (include "artifactory.customInitContainers" .) . | indent 6 }} {{- end }} {{- if .Values.artifactory.migration.enabled }} - name: 'migration-artifactory' - image: '{{ .Values.artifactory.image.repository }}:{{ default .Chart.AppVersion .Values.artifactory.image.version }}' + image: {{ include "artifactory.getImageInfoByValue" (list . "artifactory") }} imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} securityContext: allowPrivilegeEscalation: false @@ -238,8 +265,12 @@ spec: cp -fv /tmp/migrationHelmInfo.yaml $scriptsPath/migrationHelmInfo.yaml; cp -fv /tmp/migrationStatus.sh $scriptsPath/migrationStatus.sh; mkdir -p {{ .Values.artifactory.persistence.mountPath }}/log; - bash $scriptsPath/migrationStatus.sh {{ default .Chart.AppVersion .Values.artifactory.image.version }} {{ .Values.artifactory.migration.timeoutSeconds }} > >(tee {{ .Values.artifactory.persistence.mountPath }}/log/helm-migration.log) 2>&1; + bash $scriptsPath/migrationStatus.sh {{ include "artifactory.app.version" . }} {{ .Values.artifactory.migration.timeoutSeconds }} > >(tee {{ .Values.artifactory.persistence.mountPath }}/log/helm-migration.log) 2>&1; env: + {{- if and (not .Values.waitForDatabase) (not .Values.postgresql.enabled) }} + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + {{- end }} {{- if or .Values.database.secrets.user .Values.database.user }} - name: JF_SHARED_DATABASE_USERNAME valueFrom: 
@@ -304,13 +335,13 @@ spec: mountPath: "/artifactory_bootstrap/binarystore.xml" subPath: binarystore.xml {{- end }} - {{- if .Values.artifactory.customVolumeMounts }} -{{ tpl .Values.artifactory.customVolumeMounts . | indent 8 }} + {{- if or .Values.artifactory.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "artifactory.customVolumeMounts" .) . | indent 8 }} {{- end }} {{- end }} containers: - name: {{ .Values.artifactory.name }} - image: '{{ .Values.artifactory.image.repository }}:{{ default .Chart.AppVersion .Values.artifactory.image.version }}' + image: {{ include "artifactory.getImageInfoByValue" (list . "artifactory") }} imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} securityContext: allowPrivilegeEscalation: false @@ -342,6 +373,7 @@ spec: {{ tpl .Values.artifactory.preStartCommand . }}; {{- end }} exec /entrypoint-artifactory.sh + {{- with .Values.artifactory.postStartCommand }} lifecycle: postStart: exec: @@ -349,11 +381,14 @@ spec: - '/bin/bash' - '-c' - > - echo; - {{- with .Values.artifactory.postStartCommand }} + echo "Running custom postStartCommand command"; {{ tpl . $ }} - {{- end }} + {{- end }} env: + {{- if and (not .Values.waitForDatabase) (not .Values.postgresql.enabled) }} + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + {{- end }} {{- if or .Values.database.secrets.user .Values.database.user }} - name: JF_SHARED_DATABASE_USERNAME valueFrom: @@ -398,12 +433,16 @@ spec: {{- end }} ports: - containerPort: {{ .Values.artifactory.internalPort }} + name: http - containerPort: {{ .Values.artifactory.internalArtifactoryPort }} + name: http-internal {{- if .Values.artifactory.javaOpts.jmx.enabled }} - containerPort: {{ .Values.artifactory.javaOpts.jmx.port }} + name: tcp-jmx {{- end }} {{- if .Values.artifactory.ssh.enabled }} - containerPort: {{ .Values.artifactory.ssh.internalPort }} + name: tcp-ssh {{- end }} volumeMounts: {{- if .Values.artifactory.userPluginSecrets }} 
@@ -442,8 +481,8 @@ spec: - name: installer-info mountPath: "/artifactory_bootstrap/info/installer-info.json" subPath: installer-info.json - {{- if .Values.artifactory.customVolumeMounts }} -{{ tpl .Values.artifactory.customVolumeMounts . | indent 8 }} + {{- if or .Values.artifactory.customVolumeMounts .Values.global.customVolumeMounts }} +{{ tpl (include "artifactory.customVolumeMounts" .) . | indent 8 }} {{- end }} resources: {{ toYaml .Values.artifactory.resources | indent 10 }} @@ -471,12 +510,10 @@ spec: failureThreshold: {{ .Values.artifactory.livenessProbe.failureThreshold }} successThreshold: {{ .Values.artifactory.livenessProbe.successThreshold }} {{- end }} - {{- $image := .Values.logger.image.repository }} - {{- $tag := .Values.logger.image.tag }} {{- $mountPath := .Values.artifactory.persistence.mountPath }} {{- range .Values.artifactory.loggers }} - name: {{ . | replace "_" "-" | replace "." "-" }} - image: '{{ $image }}:{{ $tag }}' + image: {{ include "artifactory.getImageInfoByValue" (list $ "logger") }} command: - 'sh' - '-c' @@ -493,7 +530,7 @@ spec: {{ if .Values.artifactory.catalinaLoggers }} {{- range .Values.artifactory.catalinaLoggers }} - name: {{ . | replace "_" "-" | replace "." "-" }} - image: '{{ $image }}:{{ $tag }}' + image: {{ include "artifactory.getImageInfoByValue" (list $ "logger") }} command: - 'sh' - '-c' @@ -533,8 +570,8 @@ spec: {{ toYaml .Values.filebeat.resources | indent 10 }} terminationGracePeriodSeconds: {{ .Values.terminationGracePeriod }} {{- end }} - {{- if .Values.artifactory.customSidecarContainers }} -{{ tpl .Values.artifactory.customSidecarContainers . | indent 6 }} + {{- if or .Values.artifactory.customSidecarContainers .Values.global.customSidecarContainers }} +{{ tpl (include "artifactory.customSidecarContainers" .) . | indent 6 }} {{- end }} {{- with .Values.artifactory.nodeSelector }} nodeSelector: 
@@ -624,9 +661,11 @@ spec: emptyDir: sizeLimit: {{ .Values.artifactory.persistence.size }} {{- end }} + {{- if or .Values.systemYamlOverride.existingSecret .Values.artifactory.systemYaml }} - name: systemyaml secret: - secretName: {{ template "artifactory.fullname" . }}-systemyaml + secretName: {{ default (printf "%s-%s" (include "artifactory.fullname" .) "systemyaml") .Values.systemYamlOverride.existingSecret }} + {{- end }} {{- if .Values.access.accessConfig }} - name: access-config secret: @@ -647,8 +686,8 @@ spec: configMap: name: {{ template "artifactory.name" . }}-filebeat-config {{- end }} - {{- if .Values.artifactory.customVolumes }} -{{ tpl .Values.artifactory.customVolumes . | indent 6 }} + {{- if or .Values.artifactory.customVolumes .Values.global.customVolumes }} +{{ tpl (include "artifactory.customVolumes" .) . | indent 6 }} {{- end }} {{- if not .Values.artifactory.persistence.enabled }} - name: volume diff --git a/charts/artifactory-jcr/charts/artifactory/templates/artifactory-system-yaml.yaml b/charts/artifactory-jcr/charts/artifactory/templates/artifactory-system-yaml.yaml index e2fa58e86..f36879218 100644 --- a/charts/artifactory-jcr/charts/artifactory/templates/artifactory-system-yaml.yaml +++ b/charts/artifactory-jcr/charts/artifactory/templates/artifactory-system-yaml.yaml @@ -1,3 +1,4 @@ +{{- if not .Values.systemYamlOverride.existingSecret }} apiVersion: v1 kind: Secret metadata: @@ -11,3 +12,4 @@ type: Opaque stringData: system.yaml: | {{ tpl .Values.artifactory.systemYaml . | indent 4 }} +{{- end }} diff --git a/charts/artifactory-jcr/charts/artifactory/templates/ingress.yaml b/charts/artifactory-jcr/charts/artifactory/templates/ingress.yaml index 47e2f5505..6f6bc11d1 100644 --- a/charts/artifactory-jcr/charts/artifactory/templates/ingress.yaml +++ b/charts/artifactory-jcr/charts/artifactory/templates/ingress.yaml 
@@ -3,7 +3,7 @@ {{- $servicePort := .Values.artifactory.externalPort -}} {{- $artifactoryServicePort := .Values.artifactory.externalArtifactoryPort -}} {{- $ingressName := default ( include "artifactory.fullname" . ) .Values.ingress.name -}} -{{- if semverCompare ">=v1.14.0" .Capabilities.KubeVersion.GitVersion }} +{{- if semverCompare ">=v1.14.0-0" .Capabilities.KubeVersion.GitVersion }} apiVersion: networking.k8s.io/v1beta1 {{- else }} apiVersion: extensions/v1beta1 @@ -56,7 +56,7 @@ spec: {{- if .Values.artifactory.replicator.enabled }} --- {{- $replicatorIngressName := default ( include "artifactory.replicator.fullname" . ) .Values.artifactory.replicator.ingress.name -}} - {{- if semverCompare ">=v1.14.0" .Capabilities.KubeVersion.GitVersion }} + {{- if semverCompare ">=v1.14.0-0" .Capabilities.KubeVersion.GitVersion }} apiVersion: networking.k8s.io/v1beta1 {{- else }} apiVersion: extensions/v1beta1 @@ -100,4 +100,8 @@ spec: {{ toYaml .Values.artifactory.replicator.ingress.tls | indent 4 }} {{- end -}} {{- end -}} +{{- if .Values.customIngress }} +--- +{{ .Values.customIngress | toYaml | trimSuffix "\n" }} +{{- end -}} {{- end -}} diff --git a/charts/artifactory-jcr/charts/artifactory/templates/nginx-certificate-secret.yaml b/charts/artifactory-jcr/charts/artifactory/templates/nginx-certificate-secret.yaml index fa39459e7..8d6862903 100644 --- a/charts/artifactory-jcr/charts/artifactory/templates/nginx-certificate-secret.yaml +++ b/charts/artifactory-jcr/charts/artifactory/templates/nginx-certificate-secret.yaml @@ -1,4 +1,4 @@ -{{- if and (not .Values.nginx.tlsSecretName) .Values.nginx.enabled }} +{{- if and (not .Values.nginx.tlsSecretName) .Values.nginx.https.enabled }} apiVersion: v1 kind: Secret type: kubernetes.io/tls diff --git a/charts/artifactory-jcr/charts/artifactory/templates/nginx-deployment.yaml b/charts/artifactory-jcr/charts/artifactory/templates/nginx-deployment.yaml index ec0307769..bc53f535b 100644 
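Review bot: `customIngress` is declared in this commit's values.yaml as a block string (`customIngress: |`), but the line added at the end of ingress.yaml pipes it through `toYaml`, which for a string emits a YAML scalar rather than the manifest itself. A value written in the documented form would therefore not render as an Ingress object. Either declare it as a map (`customIngress: {}`) and keep `toYaml`, or keep the string and render it with `{{ tpl .Values.customIngress . }}`, which is how the chart treats its other `custom*` string values. A one-line comment in values.yaml stating the expected type would help either way.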
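Review bot: The guard on the nginx certificate Secret no longer mentions `.Values.nginx.enabled`, so the Secret is rendered whenever `nginx.https.enabled` is truthy, including releases that run without nginx. Unless that is intended, keep both conditions: `{{- if and .Values.nginx.enabled .Values.nginx.https.enabled (not .Values.nginx.tlsSecretName) }}`. Reading `.Values.nginx.https.enabled` directly also assumes `nginx.https` is always defined, while nginx-deployment.yaml still carries a `# DEPRECATED` branch for values without it; in that case the template would likely fail to render. The new `{{- if .Values.nginx.https.enabled }}` guards around the `ssl-certificates` mount and volume in nginx-deployment.yaml (`@@ -95,8 +102,10 @@`, `@@ -184,6 +191,7 @@`) share the problem. The Secret's body is outside this hunk, so what key material it carries cannot be checked here.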
--- a/charts/artifactory-jcr/charts/artifactory/templates/nginx-deployment.yaml +++ b/charts/artifactory-jcr/charts/artifactory/templates/nginx-deployment.yaml @@ -39,10 +39,12 @@ spec: release: {{ .Release.Name }} spec: serviceAccountName: {{ template "artifactory.serviceAccountName" . }} - {{- if .Values.imagePullSecrets }} - imagePullSecrets: - - name: {{ .Values.imagePullSecrets }} + {{- if or .Values.imagePullSecrets .Values.global.imagePullSecrets }} +{{- include "artifactory.imagePullSecrets" . | indent 6 }} {{- end }} + {{- if .Values.nginx.priorityClassName }} + priorityClassName: {{ .Values.nginx.priorityClassName | quote }} + {{- end }} initContainers: - name: "setup" image: "{{ .Values.initContainerImage }}" @@ -61,7 +63,7 @@ spec: fsGroup: {{ .Values.nginx.gid }} containers: - name: {{ .Values.nginx.name }} - image: '{{ .Values.nginx.image.repository }}:{{ default .Chart.AppVersion .Values.nginx.image.version }}' + image: {{ include "artifactory.getImageInfoByValue" (list . "nginx") }} imagePullPolicy: {{ .Values.nginx.image.pullPolicy }} command: - 'nginx' @@ -73,19 +75,24 @@ spec: {{- if .Values.nginx.http }} {{- if .Values.nginx.http.enabled }} - containerPort: {{ .Values.nginx.http.internalPort }} + name: http {{- end }} {{- else }} # DEPRECATED - containerPort: {{ .Values.nginx.internalPortHttp }} + name: http-internal {{- end }} {{- if .Values.nginx.https }} {{- if .Values.nginx.https.enabled }} - containerPort: {{ .Values.nginx.https.internalPort }} + name: https {{- end }} {{- else }} # DEPRECATED - containerPort: {{ .Values.nginx.internalPortHttps }} + name: https-internal {{- end }} {{- if .Values.artifactory.ssh.enabled }} - containerPort: {{ .Values.nginx.ssh.internalPort }} + name: tcp-ssh {{- end }} volumeMounts: - name: nginx-conf 
@@ -95,8 +102,10 @@ spec: mountPath: "{{ .Values.nginx.persistence.mountPath }}/conf.d/" - name: nginx-volume mountPath: {{ .Values.nginx.persistence.mountPath | quote }} + {{- if .Values.nginx.https.enabled }} - name: ssl-certificates mountPath: "{{ .Values.nginx.persistence.mountPath }}/ssl" + {{- end }} resources: {{ toYaml .Values.nginx.resources | indent 10 }} {{- if .Values.nginx.readinessProbe.enabled }} @@ -133,12 +142,10 @@ spec: failureThreshold: {{ .Values.nginx.livenessProbe.failureThreshold }} successThreshold: {{ .Values.nginx.livenessProbe.successThreshold }} {{- end }} - {{- $image := .Values.logger.image.repository }} - {{- $tag := .Values.logger.image.tag }} {{- $mountPath := .Values.nginx.persistence.mountPath }} {{- range .Values.nginx.loggers }} - name: {{ . | replace "_" "-" | replace "." "-" }} - image: '{{ $image }}:{{ $tag }}' + image: {{ include "artifactory.getImageInfoByValue" (list $ "logger") }} command: - tail args: @@ -184,6 +191,7 @@ spec: {{- else }} emptyDir: {} {{- end }} + {{- if .Values.nginx.https.enabled }} - name: ssl-certificates secret: {{- if .Values.nginx.tlsSecretName }} @@ -191,4 +199,5 @@ spec: {{- else }} secretName: {{ template "artifactory.fullname" . }}-nginx-certificate {{- end }} + {{- end }} {{- end }} diff --git a/charts/artifactory-jcr/charts/artifactory/templates/nginx-pvc.yaml b/charts/artifactory-jcr/charts/artifactory/templates/nginx-pvc.yaml index a110d8b24..3394a0ade 100644 --- a/charts/artifactory-jcr/charts/artifactory/templates/nginx-pvc.yaml +++ b/charts/artifactory-jcr/charts/artifactory/templates/nginx-pvc.yaml 
@@ -15,11 +15,11 @@ spec: resources: requests: storage: {{ .Values.nginx.persistence.size | quote }} -{{- if .Values.nginx.persistence.storageClass }} -{{- if (eq "-" .Values.nginx.persistence.storageClass) }} +{{- if .Values.nginx.persistence.storageClassName }} +{{- if (eq "-" .Values.nginx.persistence.storageClassName) }} storageClassName: "" {{- else }} - storageClassName: "{{ .Values.nginx.persistence.storageClass }}" + storageClassName: "{{ .Values.nginx.persistence.storageClassName }}" {{- end }} {{- end }} {{- end }} diff --git a/charts/artifactory-jcr/charts/artifactory/templates/nginx-service.yaml b/charts/artifactory-jcr/charts/artifactory/templates/nginx-service.yaml index 78d2a6f29..7f4c8fb66 100644 --- a/charts/artifactory-jcr/charts/artifactory/templates/nginx-service.yaml +++ b/charts/artifactory-jcr/charts/artifactory/templates/nginx-service.yaml @@ -64,7 +64,7 @@ spec: - port: {{ .Values.nginx.ssh.externalPort }} targetPort: {{ .Values.nginx.ssh.internalPort }} protocol: TCP - name: ssh + name: tcp-ssh {{- end }} selector: app: {{ template "artifactory.name" . }} diff --git a/charts/artifactory-jcr/charts/artifactory/values.yaml b/charts/artifactory-jcr/charts/artifactory/values.yaml index 9eee1703c..dcbf72fdb 100644 --- a/charts/artifactory-jcr/charts/artifactory/values.yaml +++ b/charts/artifactory-jcr/charts/artifactory/values.yaml 
@@ -4,8 +4,42 @@ # Beware when changing values here. You should know what you are doing! # Access the values with {{ .Values.key.subkey }} -# Common -initContainerImage: docker.bintray.io/alpine:3.12 + +global: + # imageRegistry: docker.bintray.io + # imagePullSecrets: + # - myRegistryKeySecretName + ## Chart.AppVersion can be overidden using global.versions.artifactory or .Values.artifactory.image.tag + ## Note: Order of preference is 1) global.versions 2) .Values.artifactory.image.tag 3) Chart.AppVersion + ## This applies also for nginx images (.Values.nginx.image.tag) + versions: {} + # artifactory: + # joinKey: + # masterKey: + # joinKeySecretName: + # masterKeySecretName: + # customInitContainersBegin: | + + # customInitContainers: | + + # customVolumes: | + + # customVolumeMounts: | + + # customSidecarContainers: | + + +initContainerImage: docker.bintray.io/alpine:3.12.1 + +# Init containers +initContainers: + resources: {} +# requests: +# memory: "64Mi" +# cpu: "10m" +# limits: +# memory: "128Mi" +# cpu: "250m" installer: type: 
@@ -14,7 +48,20 @@ installer: installerInfo: '{"productId": "Helm_artifactory/{{ .Chart.Version }}", "features": [ { "featureId": "Platform/{{ default "kubernetes" .Values.installer.platform }}"}]}' # For supporting pulling from private registries -imagePullSecrets: +# imagePullSecrets: +# - myRegistryKeySecretName + +## Artifactory systemYaml override +## This is for advanced usecases where users wants to provide their own systemYaml for configuring artifactory +## Refer: https://www.jfrog.com/confluence/display/JFROG/Artifactory+System+YAML +## Note: This will override existing (default) .Values.artifactory.systemYaml in values.yaml +## Alternatively, systemYaml can be overidden via customInitContainers using external sources like vaults, external repositories etc. Please refer customInitContainer section below for an example. +## Note: Order of preference is 1) customInitContainers 2) systemYamlOverride existingSecret 3) default systemYaml in values.yaml +systemYamlOverride: +## You can use a pre-existing secret by specifying existingSecret + existingSecret: +## The dataKey should be the name of the secret data key created. + dataKey: ## Role Based Access Control ## Ref: https://kubernetes.io/docs/admin/authorization/rbac/ @@ -72,6 +119,9 @@ ingress: # Additional ingress rules additionalRules: [] +## Allows to add custom ingress +customIngress: | + networkpolicy: # Allows all ingress and egress - name: artifactory @@ -95,7 +145,8 @@ networkpolicy: logger: image: - repository: docker.bintray.io/busybox + registry: docker.bintray.io + repository: busybox tag: 1.31.1 # Artifactory @@ -103,8 +154,9 @@ artifactory: name: artifactory # Note that by default we use appVersion to get image tag/version image: - repository: docker.bintray.io/jfrog/artifactory-pro - # version: + registry: docker.bintray.io + repository: jfrog/artifactory-pro + # tag: pullPolicy: IfNotPresent labels: {} 
@@ -128,6 +180,12 @@ artifactory: maxThreads: 200 extraConfig: 'acceptCount="100"' + # Support for open metrics is only available for Artifactory 7.7.x (appVersions) and above. + # To enable set `.Values.artifactory.openMetrics.enabled` to `true` + # Refer - https://www.jfrog.com/confluence/display/JFROG/Open+Metrics + openMetrics: + enabled: false + # Files to copy to ARTIFACTORY_HOME/ on each Artifactory startup copyOnEveryStartup: # # Absolute path @@ -189,8 +247,8 @@ artifactory: ## Extra pre-start command in migration Init Container to install JDBC driver for MySql/MariaDb/Oracle # preStartCommand: "mkdir -p /opt/jfrog/artifactory/var/bootstrap/artifactory/tomcat/lib; cd /opt/jfrog/artifactory/var/bootstrap/artifactory/tomcat/lib && wget -O /opt/jfrog/artifactory/var/bootstrap/artifactory/tomcat/lib/mysql-connector-java-5.1.41.jar https://jcenter.bintray.com/mysql/mysql-connector-java/5.1.41/mysql-connector-java-5.1.41.jar" - ## Add custom init containers - customInitContainers: | + ## Add custom init containers execution before predefined init containers + customInitContainersBegin: | # - name: "custom-setup" # image: "{{ .Values.initContainerImage }}" # imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}" 
@@ -202,6 +260,19 @@ artifactory: # - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" # name: artifactory-volume + ## Add custom init containers execution after predefined init containers + customInitContainers: | + # - name: "custom-systemyaml-setup" + # image: "{{ .Values.initContainerImage }}" + # imagePullPolicy: "{{ .Values.artifactory.image.pullPolicy }}" + # command: + # - 'sh' + # - '-c' + # - 'wget -O {{ .Values.artifactory.persistence.mountPath }}/etc/system.yaml https://<repo-url>/systemyaml' + # volumeMounts: + # - mountPath: "{{ .Values.artifactory.persistence.mountPath }}" + # name: artifactory-volume + ## Add custom sidecar containers # - The provided example uses a custom volume (customVolumes) # - The provided example shows running container as root (id 0) @@ -249,6 +320,7 @@ artifactory: # subPath: prehook-start.sh # Add custom persistent volume mounts - Available for the pod + # If skipPrepareContainer is set to true , this will skip the prepare-custom-persistent-volume init container customPersistentPodVolumeClaim: {} # name: # mountPath: @@ -256,6 +328,7 @@ artifactory: # - "-" # size: # storageClassName: + # skipPrepareContainer: false # Add custom persistent volume mounts - Available to the entire namespace customPersistentVolumeClaim: {} @@ -416,12 +489,19 @@ artifactory: {{- end }} {{- end }} artifactory: + {{- if .Values.artifactory.openMetrics }} + metrics: + enabled: {{ .Values.artifactory.openMetrics.enabled }} + {{- end }} database: maxOpenConnections: {{ .Values.artifactory.database.maxOpenConnections }} tomcat: connector: maxThreads: {{ .Values.artifactory.tomcat.connector.maxThreads }} extraConfig: {{ .Values.artifactory.tomcat.connector.extraConfig }} + frontend: + session: + timeMinutes: {{ .Values.frontend.session.timeoutMinutes | quote }} access: database: maxOpenConnections: {{ .Values.access.database.maxOpenConnections }} 
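Review bot: The new commented `custom-systemyaml-setup` example downloads the file with `wget -O …/etc/system.yaml https://<repo-url>/systemyaml` and writes it straight into the Artifactory configuration directory with no integrity check, and the `systemYamlOverride` comment in this commit gives this route first preference. Since examples in values.yaml get copied as they are, add a line to it such as `# Verify the download (for example against a pinned sha256) before it is used`. If the file can hold database credentials, the example should also point to `systemYamlOverride.existingSecret` as the route that keeps them in a Secret.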
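Review bot: In the `frontend.session` block added to the default `systemYaml` (`@@ -416,12 +489,19 @@`), the rendered key is `timeMinutes`, while the value it reads and the values.yaml comment both say `timeoutMinutes`. Please confirm against the Artifactory System YAML reference which key the product reads; if it is `timeoutMinutes`, the setting is ignored and the session lifetime stays at the product default whatever the operator configures. The likely intended line is `timeoutMinutes: {{ .Values.frontend.session.timeoutMinutes | quote }}`. The `systemYaml` block scalar starts and ends outside the hunk.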
@@ -474,8 +554,13 @@ artifactory: externalArtifactoryPort: 8081 internalArtifactoryPort: 8081 uid: 1030 + gid: 1030 terminationGracePeriodSeconds: 30 + ## By default, the Artifactory StatefulSet is created with a securityContext that sets the `runAsUser` and the `fsGroup` to the `artifactory.uid` value. + ## If you want to disable the securityContext for the Artifactory StatefulSet, set this tag to false + setSecurityContext: true + ## The following settings are to configure the frequency of the liveness and readiness probes livenessProbe: enabled: true @@ -644,6 +729,12 @@ artifactory: {{- with .cloudFrontPrivateKey }} <cloudFrontPrivateKey>{{ . }}</cloudFrontPrivateKey> {{- end }} + {{- with .enableSignedUrlRedirect }} + <enableSignedUrlRedirect>{{ . }}</enableSignedUrlRedirect> + {{- end }} + {{- with .enablePathStyleAccess }} + <enablePathStyleAccess>{{ . }}</enablePathStyleAccess> + {{- end }} </provider> {{- end }} </config> @@ -743,7 +834,7 @@ artifactory: ## For artifactory.persistence.type google-storage googleStorage: - endpoint: storage.googleapis.com + endpoint: commondatastorage.googleapis.com httpsOnly: false # Set a unique bucket name bucketName: "artifactory-gcp" @@ -771,6 +862,8 @@ artifactory: cloudFrontDomainName: cloudFrontKeyPairId: cloudFrontPrivateKey: + enableSignedUrlRedirect: false + enablePathStyleAccess: false ## For artifactory.persistence.type aws-s3 ## IMPORTANT: Make sure S3 `endpoint` and `region` match! See https://docs.aws.amazon.com/general/latest/gr/rande.html @@ -804,7 +897,7 @@ artifactory: ## set, choosing the default provisioner. (gp2 on AWS, standard on ## GKE, AWS & OpenStack) ## - # storageClass: "-" + # storageClassName: "-" ## Annotations for the Persistent Volume Claim annotations: {} ## Uncomment the following resources definitions or pass them from command line 
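Review bot: The comment added above `setSecurityContext` says both `runAsUser` and `fsGroup` are set to `artifactory.uid`, but the statefulset change in this same commit renders `fsGroup: {{ .Values.artifactory.gid }}` from the `gid` value introduced just above. The comment also does not say what turning the flag off means: the pod-level `securityContext` is omitted, so the user the containers run as is left to the image or to cluster policy. Suggested wording: `## ... sets runAsUser to artifactory.uid and fsGroup to artifactory.gid.` followed by `## Setting this to false removes the pod securityContext; the runtime user is then decided by the image or by cluster policy.`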
@@ -844,6 +937,12 @@ artifactory: internalPort: 1339 externalPort: 1339 +frontend: + ## Session settings + session: + ## Time in minutes after which the frontend token will need to be refreshed + timeoutMinutes: '30' + access: ## Enable TLS by changing the tls entry (under the security section) in the access.config.yaml file. ## ref: https://www.jfrog.com/confluence/display/JFROG/Managing+TLS+Certificates#ManagingTLSCertificates @@ -881,10 +980,14 @@ nginx: gid: 107 # Note that by default we use appVersion to get image tag/version image: - repository: docker.bintray.io/jfrog/nginx-artifactory-pro - # version: + registry: docker.bintray.io + repository: jfrog/nginx-artifactory-pro + # tag: pullPolicy: IfNotPresent + # Priority Class name to be used in deployment if provided + priorityClassName: + # Sidecar containers for tailing Nginx logs loggers: [] # - access.log @@ -1128,7 +1231,7 @@ nginx: ## set, choosing the default provisioner. (gp2 on AWS, standard on ## GKE, AWS & OpenStack) ## - # storageClass: "-" + # storageClassName: "-" resources: {} # requests: # memory: "250Mi" @@ -1153,7 +1256,7 @@ postgresql: image: registry: docker.bintray.io repository: bitnami/postgresql - tag: 10.13.0-debian-10-r38 + tag: 12.5.0-debian-10-r25 postgresqlUsername: artifactory postgresqlPassword: "" postgresqlDatabase: artifactory @@ -1212,7 +1315,7 @@ filebeat: name: artifactory-filebeat image: repository: "docker.elastic.co/beats/filebeat" - version: 7.5.1 + version: 7.9.2 logstashUrl: "logstash:5044" livenessProbe: @@ -1266,3 +1369,8 @@ filebeat: output: logstash: hosts: ["{{ .Values.filebeat.logstashUrl }}"] + +## Allows to add additional kubernetes resources +## Use --- as a separator between multiple resources +## For an example, refer - https://github.com/jfrog/log-analytics-prometheus/blob/master/artifactory-values.yaml +additionalResources: | 
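Review bot: The `priorityClassName:` key added under `nginx` is a bare key, which YAML loads as null rather than as an empty string, and the line gives no hint of the expected type. The sibling `# tag:` in the same hunk is left commented out, so for consistency I would either write `# priorityClassName:` or make the default explicit with `priorityClassName: ""`. The comment above it could also say that the named PriorityClass must already exist in the cluster.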
diff --git a/charts/artifactory-jcr/ci/default-values.yaml b/charts/artifactory-jcr/ci/default-values.yaml index fc2ba605a..86355d3b3 100644 --- a/charts/artifactory-jcr/ci/default-values.yaml +++ b/charts/artifactory-jcr/ci/default-values.yaml @@ -1 +1,7 @@ # Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml. +artifactory: + databaseUpgradeReady: true + + # To Fix ct tool --reuse-values - PASSWORDS ERROR: you must provide your current passwords when upgrade the release + postgresql: + postgresqlPassword: password diff --git a/charts/artifactory-jcr/requirements.lock b/charts/artifactory-jcr/requirements.lock index 8191ebbac..299d8cefe 100644 --- a/charts/artifactory-jcr/requirements.lock +++ b/charts/artifactory-jcr/requirements.lock @@ -1,6 +1,6 @@ dependencies: - name: artifactory repository: https://charts.jfrog.io/ - version: 10.0.12 -digest: sha256:a201c886d1f8e9e58f2b0e1b55d7a03fc225f3774233f1f786523963c57bab33 -generated: "2020-07-29T16:48:47.031129463Z" + version: 11.7.4 +digest: sha256:a4c52f49f154be6434a9a37474eee556de8d97a487be9dec923124a64651aac8 +generated: "2021-01-04T14:56:17.66958+05:30" diff --git a/charts/artifactory-jcr/requirements.yaml b/charts/artifactory-jcr/requirements.yaml index 1088ea3c0..4ad868b8a 100644 --- a/charts/artifactory-jcr/requirements.yaml +++ b/charts/artifactory-jcr/requirements.yaml @@ -1,4 +1,4 @@ dependencies: - name: artifactory - version: 10.0.12 + version: 11.7.4 repository: https://charts.jfrog.io/ diff --git a/charts/artifactory-jcr/values.yaml b/charts/artifactory-jcr/values.yaml index ffa1b6045..250485d27 100644 --- a/charts/artifactory-jcr/values.yaml +++ b/charts/artifactory-jcr/values.yaml 
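Review bot: The added `postgresqlPassword: password` in `ci/default-values.yaml` commits a literal, guessable database password, and the file's first line still reads "Leave this file empty", which the additions now contradict. I would replace that header with `# CI-only overrides for chart-testing (ct); never reuse these values for a real install` so nobody copies the file as a starting point. Indentation is lost in this rendering, so it is worth confirming that `postgresql:` sits at the nesting level the sub-chart actually reads; otherwise the override does nothing and the upgrade check it is meant to satisfy still fails.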
@@ -13,10 +13,11 @@ artifactory: ## Artifactory ## See full list of supported Artifactory options and documentation in artifactory chart: https://github.com/jfrog/charts/tree/master/stable/artifactory artifactory: - ## Default version is from the artifactory sub-chart in the requirements.yaml + ## Default tag is from the artifactory sub-chart in the requirements.yaml image: - repository: docker.bintray.io/jfrog/artifactory-jcr - # version: + registry: docker.bintray.io + repository: jfrog/artifactory-jcr + # tag: ## Uncomment the following resources definitions or pass them from command line ## to control the cpu and memory resources allocated by the Kubernetes cluster diff --git a/index.yaml b/index.yaml index f844847fa..793fff2d4 100644 --- a/index.yaml +++ b/index.yaml @@ -68,6 +68,36 @@ entries: - assets/artifactory-ha/artifactory-ha-3.0.1400.tgz version: 3.0.1400 artifactory-jcr: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/release-name: artifactory-jcr + apiVersion: v1 + appVersion: 7.12.5 + created: "2021-02-26T18:58:09.545552572Z" + dependencies: + - name: artifactory + repository: https://charts.jfrog.io/ + version: 11.7.4 + description: JFrog Container Registry + digest: 148af8042991b7d031770887a8d64e034268c2e1e3eb03f55e13310a40cb2a60 + home: https://jfrog.com/container-registry/ + icon: https://raw.githubusercontent.com/jfrog/charts/master/stable/artifactory-jcr/logo/jcr-logo.png + keywords: + - artifactory + - jfrog + - container + - registry + - devops + - jfrog-container-registry + maintainers: + - email: helm@jfrog.com + name: Chart Maintainers at JFrog + name: artifactory-jcr + sources: + - https://github.com/jfrog/charts + urls: + - assets/artifactory-jcr/artifactory-jcr-3.4.000.tgz + version: 3.4.000 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/release-name: artifactory-jcr 
@@ -579,4 +609,4 @@ entries: urls: - assets/sysdig/sysdig-1.9.200.tgz version: 1.9.200 -generated: "2021-02-26T18:55:48.743664584Z" +generated: "2021-02-26T18:58:09.533084638Z" diff --git a/sha256sum/artifactory-jcr/artifactory-jcr.sum b/sha256sum/artifactory-jcr/artifactory-jcr.sum index d54d6cbc4..2a968a99e 100644 --- a/sha256sum/artifactory-jcr/artifactory-jcr.sum +++ b/sha256sum/artifactory-jcr/artifactory-jcr.sum @@ -1,4 +1,4 @@ -3af577609a7b5598cd24d1067b6476a887df39433c9a0e98113d2351071b6899 packages/artifactory-jcr/artifactory-jcr.patch +cd02f1da44193aec6236ac31ead3060fb87d26270cc7d4bffd8ef0742b478a1a packages/artifactory-jcr/artifactory-jcr.patch 18f1881126f41c8a08e5bef6acdbc5383edfeb5b53597944abe26d5d91569bd7 packages/artifactory-jcr/overlay/app-readme.md e92d32409aad3408f146d5955945910e14bb2e70c55c874fb83a5e159b65ddea packages/artifactory-jcr/overlay/questions.yml -3b92cd36c60c0b8c979ad0b3eed9c15b0e876ab63e7f407457a32073e7057da8 packages/artifactory-jcr/package.yaml +442bea8f7c786bcbc21fd94c10955f022f2987895618ced5c50326abf364924e packages/artifactory-jcr/package.yaml